From f4aebed220667f0022bc902420c62d9841835e80 Mon Sep 17 00:00:00 2001
From: George Goldberg <george@gberg.me>
Date: Thu, 2 Mar 2017 14:08:00 +0000
Subject: PLT-5355: Fix permalink to private/direct channels. (#5574)

Appropriate permission checks depend on the type of channel this
permalink links to.
---
 api/post.go | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

(limited to 'api/post.go')

diff --git a/api/post.go b/api/post.go
index b6539ed54..9c22dc5ee 100644
--- a/api/post.go
+++ b/api/post.go
@@ -264,11 +264,26 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
-		c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+	var channel *model.Channel
+	if result := <-app.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
+		channel = result.Data.(*model.Channel)
+	} else {
+		c.SetInvalidParam("getPermalinkTmp", "postId")
 		return
 	}
 
+	if channel.Type == model.CHANNEL_OPEN {
+		if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+			c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+			return
+		}
+	} else {
+		if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_READ_CHANNEL) {
+			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+			return
+		}
+	}
+
 	if list, err := app.GetPermalinkPost(postId, c.Session.UserId); err != nil {
 		c.Err = err
 		return
-- 
cgit v1.2.3-1-g7c22