From f0c672e3ad64f0daf023d9ef70de940b3354e133 Mon Sep 17 00:00:00 2001
From: Harrison Healey
Date: Mon, 22 Aug 2016 20:08:09 -0400
Subject: Changed /teams/all api to only return teams the current user is a member of if they're not an admin (#3853)

---
 api/team.go | 15 +++++++++++----
 api/team_test.go | 36 ++++++++++--------------------------
 2 files changed, 21 insertions(+), 30 deletions(-)

diff --git a/api/team.go b/api/team.go
index 7f84f8263..834d722ce 100644
--- a/api/team.go
+++ b/api/team.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/gorilla/mux"
 	"github.com/mattermost/platform/model"
+	"github.com/mattermost/platform/store"
 	"github.com/mattermost/platform/utils"
 )
 
@@ -410,8 +411,17 @@ func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// Gets all teams which the current user can has access to. If the user is a System Admin, this will be all teams
+// on the server. Otherwise, it will only be the teams of which the user is a member.
 func getAll(c *Context, w http.ResponseWriter, r *http.Request) {
-	if result := <-Srv.Store.Team().GetAll(); result.Err != nil {
+	var tchan store.StoreChannel
+	if c.IsSystemAdmin() {
+		tchan = Srv.Store.Team().GetAll()
+	} else {
+		tchan = Srv.Store.Team().GetTeamsByUserId(c.Session.UserId)
+	}
+
+	if result := <-tchan; result.Err != nil {
 		c.Err = result.Err
 		return
 	} else {
@@ -419,9 +429,6 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request) {
 		m := make(map[string]*model.Team)
 		for _, v := range teams {
 			m[v.Id] = v
-			if !c.IsSystemAdmin() {
-				m[v.Id].SanitizeForNotLoggedIn()
-			}
 		}
 
 		w.Write([]byte(model.TeamMapToJson(m)))
diff --git a/api/team_test.go b/api/team_test.go
index 0d82e4e64..ade65edcd 100644
--- a/api/team_test.go
+++ b/api/team_test.go
@@ -255,7 +255,7 @@ func TestAddUserToTeamFromInvite(t *testing.T) {
 }
 
 func TestGetAllTeams(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	th.BasicClient.Logout()
 	Client := th.BasicClient
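Review bot: The non-admin branch of getAll (the `GetTeamsByUserId` path in the second hunk of api/team.go) now returns the stored Team objects unmodified, because the third hunk deletes the `SanitizeForNotLoggedIn()` call that previously ran for every non-admin caller; the old test also asserted that a non-admin saw an empty `Email`, so this is an observable widening of what a plain member receives. If ordinary team members are not meant to see every Team field, the loop that builds `m` should still sanitize each team for non-admins (at minimum restoring the removed call, or whichever member-level sanitization the model provides); if the wider exposure is intended, say so in the function comment so the next reader does not treat it as an oversight. Separately, the new doc comment reads "the current user can has access to" and does not follow Go doc form; I would write it as `// getAll returns the teams the current user has access to: every team on the server for a System Admin, otherwise only the teams the user is a member of.`. The body of getAll continues past this hunk into the next one.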
@@ -272,34 +272,18 @@ func TestGetAllTeams(t *testing.T) {
 
 	if r1, err := Client.GetAllTeams(); err != nil {
 		t.Fatal(err)
-	} else {
-		teams := r1.Data.(map[string]*model.Team)
-		if teams[team.Id].Name != team.Name {
-			t.Fatal()
-		}
-		if teams[team.Id].Email != "" {
-			t.Fatal("Non admin users shoudn't get full listings")
-		}
+	} else if teams := r1.Data.(map[string]*model.Team); len(teams) != 1 {
+		t.Fatal("non admin users only get the teams that they're a member of")
+	} else if receivedTeam, ok := teams[team.Id]; !ok || receivedTeam.Id != team.Id {
+		t.Fatal("should've received team that the user is a member of")
 	}
 
-	c := &Context{}
-	c.RequestId = model.NewId()
-	c.IpAddress = "cmd_line"
-	UpdateUserRoles(c, user, model.ROLE_SYSTEM_ADMIN)
-
-	Client.Login(user.Email, "passwd1")
-	Client.SetTeamId(team.Id)
-
-	if r1, err := Client.GetAllTeams(); err != nil {
+	if r1, err := th.SystemAdminClient.GetAllTeams(); err != nil {
 		t.Fatal(err)
-	} else {
-		teams := r1.Data.(map[string]*model.Team)
-		if teams[team.Id].Name != team.Name {
-			t.Fatal()
-		}
-		if teams[team.Id].Email != team.Email {
-			t.Fatal()
-		}
+	} else if teams := r1.Data.(map[string]*model.Team); len(teams) == 1 {
+		t.Fatal("admin users should receive all teams")
+	} else if receivedTeam, ok := teams[team.Id]; !ok || receivedTeam.Id != team.Id {
+		t.Fatal("admin should've received team that they aren't a member of")
 	}
 }
 
-- 
cgit v1.2.3-1-g7c22
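Review bot: The rewritten non-admin check drops the only assertion that pinned what fields a plain member sees (`teams[team.Id].Email != ""` in the removed lines) and replaces it with a count and an Id comparison, so the handler's field visibility for non-admins is now untested in either direction. Whichever visibility the change intends, add one explicit assertion on `receivedTeam.Email` (or another field the sanitizer touches) next to the Id check so a later regression in either direction is caught. The admin assertion `len(teams) == 1` only proves the map is not of size one; if the test fixture makes the expected admin-visible count known, comparing against that count is a stronger check. TestGetAllTeams begins outside this hunk, so the setup that creates `team` and logs the client in is not visible here.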