mirror of
https://github.com/mattermost/mattermost.git
synced 2026-02-03 20:40:00 -05:00
b5a816a657
Some checks are pending
API / build (push) Waiting to run
Server CI / Compute Go Version (push) Waiting to run
Server CI / Check mocks (push) Blocked by required conditions
Server CI / Check go mod tidy (push) Blocked by required conditions
Server CI / check-style (push) Blocked by required conditions
Server CI / Check serialization methods for hot structs (push) Blocked by required conditions
Server CI / Vet API (push) Blocked by required conditions
Server CI / Check migration files (push) Blocked by required conditions
Server CI / Generate email templates (push) Blocked by required conditions
Server CI / Check store layers (push) Blocked by required conditions
Server CI / Check mmctl docs (push) Blocked by required conditions
Server CI / Postgres with binary parameters (push) Blocked by required conditions
Server CI / Postgres (push) Blocked by required conditions
Server CI / Postgres (FIPS) (push) Blocked by required conditions
Server CI / Generate Test Coverage (push) Blocked by required conditions
Server CI / Run mmctl tests (push) Blocked by required conditions
Server CI / Run mmctl tests (FIPS) (push) Blocked by required conditions
Server CI / Build mattermost server app (push) Blocked by required conditions
Web App CI / check-lint (push) Waiting to run
Web App CI / check-i18n (push) Blocked by required conditions
Web App CI / check-types (push) Blocked by required conditions
Web App CI / test (platform) (push) Blocked by required conditions
Web App CI / test (mattermost-redux) (push) Blocked by required conditions
Web App CI / test (channels shard 1/4) (push) Blocked by required conditions
Web App CI / test (channels shard 2/4) (push) Blocked by required conditions
Web App CI / test (channels shard 3/4) (push) Blocked by required conditions
Web App CI / test (channels shard 4/4) (push) Blocked by required conditions
Web App CI / upload-coverage (push) Blocked by required conditions
Web App CI / build (push) Blocked by required conditions
* Add audits for accessing posts without membership * Fix tests * Use correct audit level * Address feedback * Add missing checks all over the app * Fix lint * Fix test * Fix tests * Fix enterprise test * Add missing test and docs * Fix merge * Fix lint * Add audit logs on the web socket hook for permalink posts * Fix lint * Fix merge conflicts * Handle all events with "non_channel_member_access" parameter * Fix lint and tests * Fix merge * Fix tests
553 lines
18 KiB
Go
553 lines
18 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package api4
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/mattermost/mattermost/server/public/shared/mlog"
|
|
)
|
|
|
|
func (api *API) InitCommand() {
|
|
api.BaseRoutes.Commands.Handle("", api.APISessionRequired(createCommand)).Methods(http.MethodPost)
|
|
api.BaseRoutes.Commands.Handle("", api.APISessionRequired(listCommands)).Methods(http.MethodGet)
|
|
api.BaseRoutes.Commands.Handle("/execute", api.APISessionRequired(executeCommand)).Methods(http.MethodPost)
|
|
|
|
api.BaseRoutes.Command.Handle("", api.APISessionRequired(getCommand)).Methods(http.MethodGet)
|
|
api.BaseRoutes.Command.Handle("", api.APISessionRequired(updateCommand)).Methods(http.MethodPut)
|
|
api.BaseRoutes.Command.Handle("/move", api.APISessionRequired(moveCommand)).Methods(http.MethodPut)
|
|
api.BaseRoutes.Command.Handle("", api.APISessionRequired(deleteCommand)).Methods(http.MethodDelete)
|
|
|
|
api.BaseRoutes.Team.Handle("/commands/autocomplete", api.APISessionRequired(listAutocompleteCommands)).Methods(http.MethodGet)
|
|
api.BaseRoutes.Team.Handle("/commands/autocomplete_suggestions", api.APISessionRequired(listCommandAutocompleteSuggestions)).Methods(http.MethodGet)
|
|
api.BaseRoutes.Command.Handle("/regen_token", api.APISessionRequired(regenCommandToken)).Methods(http.MethodPut)
|
|
}
|
|
|
|
func createCommand(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
var cmd model.Command
|
|
if jsonErr := json.NewDecoder(r.Body).Decode(&cmd); jsonErr != nil {
|
|
c.SetInvalidParamWithErr("command", jsonErr)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventCreateCommand, model.AuditStatusFail)
|
|
model.AddEventParameterAuditableToAuditRec(auditRec, "command", &cmd)
|
|
defer c.LogAuditRec(auditRec)
|
|
c.LogAudit("attempt")
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOwnSlashCommands) {
|
|
c.SetPermissionError(model.PermissionManageOwnSlashCommands)
|
|
return
|
|
}
|
|
|
|
userId := c.AppContext.Session().UserId
|
|
if cmd.CreatorId != "" && cmd.CreatorId != userId {
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOthersSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
c.SetPermissionError(model.PermissionManageOthersSlashCommands)
|
|
return
|
|
}
|
|
|
|
if _, err := c.App.GetUser(cmd.CreatorId); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
userId = cmd.CreatorId
|
|
}
|
|
|
|
cmd.CreatorId = userId
|
|
|
|
rcmd, err := c.App.CreateCommand(&cmd)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.Success()
|
|
c.LogAudit("success")
|
|
auditRec.AddEventResultState(rcmd)
|
|
auditRec.AddEventObjectType("command")
|
|
|
|
w.WriteHeader(http.StatusCreated)
|
|
if err := json.NewEncoder(w).Encode(rcmd); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func updateCommand(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireCommandId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
var cmd model.Command
|
|
if jsonErr := json.NewDecoder(r.Body).Decode(&cmd); jsonErr != nil || cmd.Id != c.Params.CommandId {
|
|
c.SetInvalidParamWithErr("command", jsonErr)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventUpdateCommand, model.AuditStatusFail)
|
|
model.AddEventParameterAuditableToAuditRec(auditRec, "command", &cmd)
|
|
defer c.LogAuditRec(auditRec)
|
|
c.LogAudit("attempt")
|
|
|
|
oldCmd, err := c.App.GetCommand(c.Params.CommandId)
|
|
if err != nil {
|
|
model.AddEventParameterToAuditRec(auditRec, "command_id", c.Params.CommandId)
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
auditRec.AddEventPriorState(oldCmd)
|
|
|
|
if cmd.TeamId != oldCmd.TeamId {
|
|
c.Err = model.NewAppError("updateCommand", "api.command.team_mismatch.app_error", nil, "user_id="+c.AppContext.Session().UserId, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), oldCmd.TeamId, model.PermissionManageOwnSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
// here we return Not_found instead of a permissions error so we don't leak the existence of
|
|
// a command to someone without permissions for the team it belongs to.
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
|
|
if c.AppContext.Session().UserId != oldCmd.CreatorId && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), oldCmd.TeamId, model.PermissionManageOthersSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
c.SetPermissionError(model.PermissionManageOthersSlashCommands)
|
|
return
|
|
}
|
|
|
|
rcmd, err := c.App.UpdateCommand(oldCmd, &cmd)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.AddEventResultState(rcmd)
|
|
auditRec.AddEventObjectType("command")
|
|
auditRec.Success()
|
|
c.LogAudit("success")
|
|
|
|
if err := json.NewEncoder(w).Encode(rcmd); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func moveCommand(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireCommandId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
var cmr model.CommandMoveRequest
|
|
if jsonErr := json.NewDecoder(r.Body).Decode(&cmr); jsonErr != nil {
|
|
c.SetInvalidParamWithErr("team_id", jsonErr)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventMoveCommand, model.AuditStatusFail)
|
|
model.AddEventParameterToAuditRec(auditRec, "command_move_request", cmr.TeamId)
|
|
defer c.LogAuditRec(auditRec)
|
|
c.LogAudit("attempt")
|
|
|
|
newTeam, appErr := c.App.GetTeam(cmr.TeamId)
|
|
if appErr != nil {
|
|
c.Err = appErr
|
|
return
|
|
}
|
|
model.AddEventParameterAuditableToAuditRec(auditRec, "team", newTeam)
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), newTeam.Id, model.PermissionManageOwnSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
c.SetPermissionError(model.PermissionManageOwnSlashCommands)
|
|
return
|
|
}
|
|
|
|
cmd, appErr := c.App.GetCommand(c.Params.CommandId)
|
|
if appErr != nil {
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
auditRec.AddEventPriorState(cmd)
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOwnSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
// here we return Not_found instead of a permissions error so we don't leak the existence of
|
|
// a command to someone without permissions for the team it belongs to.
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
|
|
if c.AppContext.Session().UserId != cmd.CreatorId && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOthersSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
c.SetPermissionError(model.PermissionManageOthersSlashCommands)
|
|
return
|
|
}
|
|
|
|
// Verify that the command creator has permission to the new team
|
|
// This prevents moving a command to a team where its creator doesn't have access
|
|
if !c.App.HasPermissionToTeam(c.AppContext, cmd.CreatorId, newTeam.Id, model.PermissionManageOwnSlashCommands) {
|
|
c.LogAudit("fail - command creator does not have permission to new team")
|
|
c.Err = model.NewAppError("moveCommand", "api.command.move_command.creator_no_permission.app_error", nil, "creator_id="+cmd.CreatorId+" team_id="+newTeam.Id, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if appErr = c.App.MoveCommand(newTeam, cmd); appErr != nil {
|
|
c.Err = appErr
|
|
return
|
|
}
|
|
|
|
auditRec.AddEventResultState(cmd)
|
|
auditRec.AddEventObjectType("command")
|
|
auditRec.Success()
|
|
c.LogAudit("success")
|
|
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func deleteCommand(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireCommandId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventDeleteCommand, model.AuditStatusFail)
|
|
model.AddEventParameterToAuditRec(auditRec, "command_id", c.Params.CommandId)
|
|
defer c.LogAuditRec(auditRec)
|
|
c.LogAudit("attempt")
|
|
|
|
cmd, err := c.App.GetCommand(c.Params.CommandId)
|
|
if err != nil {
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
auditRec.AddEventPriorState(cmd)
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOwnSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
// here we return Not_found instead of a permissions error so we don't leak the existence of
|
|
// a command to someone without permissions for the team it belongs to.
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
|
|
if c.AppContext.Session().UserId != cmd.CreatorId && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOthersSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
c.SetPermissionError(model.PermissionManageOthersSlashCommands)
|
|
return
|
|
}
|
|
|
|
err = c.App.DeleteCommand(cmd.Id)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.AddEventObjectType("command")
|
|
auditRec.Success()
|
|
c.LogAudit("success")
|
|
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func listCommands(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
customOnly, _ := strconv.ParseBool(r.URL.Query().Get("custom_only"))
|
|
|
|
teamId := r.URL.Query().Get("team_id")
|
|
if teamId == "" {
|
|
c.SetInvalidParam("team_id")
|
|
return
|
|
}
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), teamId, model.PermissionViewTeam) {
|
|
c.SetPermissionError(model.PermissionViewTeam)
|
|
return
|
|
}
|
|
|
|
var commands []*model.Command
|
|
var err *model.AppError
|
|
if customOnly {
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), teamId, model.PermissionManageOwnSlashCommands) {
|
|
c.SetPermissionError(model.PermissionManageOwnSlashCommands)
|
|
return
|
|
}
|
|
|
|
// Filter to only commands the user can manage
|
|
userIdFilter := c.AppContext.Session().UserId
|
|
if c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), teamId, model.PermissionManageOthersSlashCommands) {
|
|
userIdFilter = "" // Empty means return all commands
|
|
}
|
|
|
|
commands, err = c.App.ListTeamCommandsByUser(teamId, userIdFilter)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
} else {
|
|
//User with no permission should see only system commands
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), teamId, model.PermissionManageOwnSlashCommands) {
|
|
commands, err = c.App.ListAutocompleteCommands(teamId, c.AppContext.T)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
} else {
|
|
// Filter custom commands to only those the user can manage
|
|
userIdFilter := c.AppContext.Session().UserId
|
|
if c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), teamId, model.PermissionManageOthersSlashCommands) {
|
|
userIdFilter = "" // Empty means return all commands
|
|
}
|
|
|
|
commands, err = c.App.ListAllCommandsByUser(teamId, userIdFilter, c.AppContext.T)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := json.NewEncoder(w).Encode(commands); err != nil {
|
|
c.Logger.Warn("Error writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func getCommand(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireCommandId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
cmd, err := c.App.GetCommand(c.Params.CommandId)
|
|
if err != nil {
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
|
|
// check for permissions to view this command; must have perms to view team and
|
|
// PERMISSION_MANAGE_SLASH_COMMANDS for the team the command belongs to.
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionViewTeam) {
|
|
// here we return Not_found instead of a permissions error so we don't leak the existence of
|
|
// a command to someone without permissions for the team it belongs to.
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOwnSlashCommands) {
|
|
// again, return not_found to ensure id existence does not leak.
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
|
|
if c.AppContext.Session().UserId != cmd.CreatorId && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOthersSlashCommands) {
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
if err := json.NewEncoder(w).Encode(cmd); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
var commandArgs model.CommandArgs
|
|
if jsonErr := json.NewDecoder(r.Body).Decode(&commandArgs); jsonErr != nil {
|
|
c.SetInvalidParamWithErr("command_args", jsonErr)
|
|
return
|
|
}
|
|
|
|
if len(commandArgs.Command) <= 1 || strings.Index(commandArgs.Command, "/") != 0 || !model.IsValidId(commandArgs.ChannelId) {
|
|
c.Err = model.NewAppError("executeCommand", "api.command.execute_command.start.app_error", nil, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventExecuteCommand, model.AuditStatusFail)
|
|
defer c.LogAuditRec(auditRec)
|
|
model.AddEventParameterAuditableToAuditRec(auditRec, "command_args", &commandArgs)
|
|
|
|
// Checks that user is a member of the specified channel, and that they have permission to create a post in it.
|
|
if ok, _ := c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), commandArgs.ChannelId, model.PermissionCreatePost); !ok {
|
|
c.SetPermissionError(model.PermissionCreatePost)
|
|
return
|
|
}
|
|
|
|
channel, err := c.App.GetChannel(c.AppContext, commandArgs.ChannelId)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
if channel.DeleteAt != 0 {
|
|
c.Err = model.NewAppError("createPost", "api.command.execute_command.deleted.error", nil, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if channel.Type != model.ChannelTypeDirect && channel.Type != model.ChannelTypeGroup {
|
|
// if this isn't a DM or GM, the team id is implicitly taken from the channel so that slash commands created on
|
|
// some other team can't be run against this one
|
|
commandArgs.TeamId = channel.TeamId
|
|
} else {
|
|
restrictDM, appErr := c.App.CheckIfChannelIsRestrictedDM(c.AppContext, channel)
|
|
if appErr != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
if restrictDM {
|
|
c.Err = model.NewAppError("createPost", "api.command.execute_command.restricted_dm.error", nil, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// if the slash command was used in a DM or GM, ensure that the user is a member of the specified team, so that
|
|
// they can't just execute slash commands against arbitrary teams
|
|
if c.AppContext.Session().GetTeamByTeamId(commandArgs.TeamId) == nil {
|
|
if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionCreatePost) {
|
|
c.SetPermissionError(model.PermissionCreatePost)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
commandArgs.UserId = c.AppContext.Session().UserId
|
|
commandArgs.T = c.AppContext.T
|
|
commandArgs.SiteURL = c.GetSiteURLHeader()
|
|
|
|
response, err := c.App.ExecuteCommand(c.AppContext, &commandArgs)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.Success()
|
|
if err := json.NewEncoder(w).Encode(response); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func listAutocompleteCommands(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireTeamId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), c.Params.TeamId, model.PermissionViewTeam) {
|
|
c.SetPermissionError(model.PermissionViewTeam)
|
|
return
|
|
}
|
|
|
|
commands, err := c.App.ListAutocompleteCommands(c.Params.TeamId, c.AppContext.T)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
if err := json.NewEncoder(w).Encode(commands); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func listCommandAutocompleteSuggestions(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireTeamId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), c.Params.TeamId, model.PermissionViewTeam) {
|
|
c.SetPermissionError(model.PermissionViewTeam)
|
|
return
|
|
}
|
|
|
|
roleId := model.SystemUserRoleId
|
|
if c.IsSystemAdmin() {
|
|
roleId = model.SystemAdminRoleId
|
|
}
|
|
|
|
query := r.URL.Query()
|
|
userInput := query.Get("user_input")
|
|
if userInput == "" {
|
|
c.SetInvalidParam("userInput")
|
|
return
|
|
}
|
|
userInput = strings.TrimPrefix(userInput, "/")
|
|
|
|
commands, appErr := c.App.ListAutocompleteCommands(c.Params.TeamId, c.AppContext.T)
|
|
if appErr != nil {
|
|
c.Err = appErr
|
|
return
|
|
}
|
|
|
|
commandArgs := &model.CommandArgs{
|
|
ChannelId: query.Get("channel_id"),
|
|
TeamId: c.Params.TeamId,
|
|
RootId: query.Get("root_id"),
|
|
UserId: c.AppContext.Session().UserId,
|
|
T: c.AppContext.T,
|
|
SiteURL: c.GetSiteURLHeader(),
|
|
Command: userInput,
|
|
}
|
|
|
|
suggestions := c.App.GetSuggestions(c.AppContext, commandArgs, commands, roleId)
|
|
|
|
js, err := json.Marshal(suggestions)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("listCommandAutocompleteSuggestions", "api.marshal_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
return
|
|
}
|
|
if _, err := w.Write(js); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func regenCommandToken(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireCommandId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventRegenCommandToken, model.AuditStatusFail)
|
|
defer c.LogAuditRec(auditRec)
|
|
c.LogAudit("attempt")
|
|
|
|
cmd, err := c.App.GetCommand(c.Params.CommandId)
|
|
if err != nil {
|
|
model.AddEventParameterToAuditRec(auditRec, "command_id", c.Params.CommandId)
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
auditRec.AddEventPriorState(cmd)
|
|
model.AddEventParameterToAuditRec(auditRec, "command_id", c.Params.CommandId)
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOwnSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
// here we return Not_found instead of a permissions error so we don't leak the existence of
|
|
// a command to someone without permissions for the team it belongs to.
|
|
c.SetCommandNotFoundError()
|
|
return
|
|
}
|
|
|
|
if c.AppContext.Session().UserId != cmd.CreatorId && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), cmd.TeamId, model.PermissionManageOthersSlashCommands) {
|
|
c.LogAudit("fail - inappropriate permissions")
|
|
c.SetPermissionError(model.PermissionManageOthersSlashCommands)
|
|
return
|
|
}
|
|
|
|
rcmd, err := c.App.RegenCommandToken(cmd)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
auditRec.AddEventResultState(rcmd)
|
|
auditRec.Success()
|
|
c.LogAudit("success")
|
|
|
|
resp := make(map[string]string)
|
|
resp["token"] = rcmd.Token
|
|
|
|
if _, err := w.Write([]byte(model.MapToJSON(resp))); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|