mirror of
https://github.com/mattermost/mattermost.git
synced 2026-02-03 20:40:00 -05:00
c7f6efdfb0
* Guest cannot add file to post without upload_file permission * Move checks to api layer, addd checks in update patch post scheduled post * Minor * Linter fixes * i18n translations * removed the duplicated check from scheduled_post app layer * Move scheduled post permission test from app layer to API layer The permission check for updating scheduled posts belonging to other users was moved from the app layer to the API layer in the PR. This commit moves the corresponding test to the API layer to match. * Move scheduled post delete permission check to API layer Move the permission check for deleting scheduled posts from the app layer to the API layer, consistent with update permission check. Also enhance API tests to verify posts aren't modified after forbidden operations. * Fix inconsistent status code for non-existent scheduled post Return StatusNotFound instead of StatusInternalServerError when a scheduled post doesn't exist in UpdateScheduledPost, matching the API layer behavior. * Fix flaky TestAddUserToChannelCreatesChannelMemberHistoryRecord test Use ElementsMatch instead of Equal to compare user ID slices since the order returned from GetUsersInChannelDuring is not guaranteed. --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Jesse Hallam <jesse@mattermost.com>
71 lines
2.3 KiB
Go
71 lines
2.3 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package api4
|
|
|
|
import (
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/mattermost/mattermost/server/v8/channels/app"
|
|
)
|
|
|
|
func userCreatePostPermissionCheckWithContext(c *Context, channelId string) {
|
|
hasPermission := false
|
|
if c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionCreatePost) {
|
|
hasPermission = true
|
|
} else if channel, err := c.App.GetChannel(c.AppContext, channelId); err == nil {
|
|
// Temporary permission check method until advanced permissions, please do not copy
|
|
if channel.Type == model.ChannelTypeOpen && c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), channel.TeamId, model.PermissionCreatePostPublic) {
|
|
hasPermission = true
|
|
}
|
|
}
|
|
|
|
if !hasPermission {
|
|
c.SetPermissionError(model.PermissionCreatePost)
|
|
return
|
|
}
|
|
}
|
|
|
|
func postHardenedModeCheckWithContext(where string, c *Context, props model.StringInterface) {
|
|
isIntegration := c.AppContext.Session().IsIntegration()
|
|
|
|
if appErr := app.PostHardenedModeCheckWithApp(c.App, isIntegration, props); appErr != nil {
|
|
appErr.Where = where
|
|
c.Err = appErr
|
|
}
|
|
}
|
|
|
|
func postPriorityCheckWithContext(where string, c *Context, priority *model.PostPriority, rootId string) {
|
|
appErr := app.PostPriorityCheckWithApp(where, c.App, c.AppContext.Session().UserId, priority, rootId)
|
|
if appErr != nil {
|
|
appErr.Where = where
|
|
c.Err = appErr
|
|
}
|
|
}
|
|
|
|
// checkUploadFilePermissionForNewFiles checks upload_file permission only when
|
|
// adding new files to a post, preventing permission bypass via cross-channel file attachments.
|
|
func checkUploadFilePermissionForNewFiles(c *Context, newFileIds []string, originalPost *model.Post) {
|
|
if len(newFileIds) == 0 {
|
|
return
|
|
}
|
|
|
|
originalFileIDsMap := make(map[string]bool, len(originalPost.FileIds))
|
|
for _, fileID := range originalPost.FileIds {
|
|
originalFileIDsMap[fileID] = true
|
|
}
|
|
|
|
hasNewFiles := false
|
|
for _, fileID := range newFileIds {
|
|
if !originalFileIDsMap[fileID] {
|
|
hasNewFiles = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if hasNewFiles {
|
|
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), originalPost.ChannelId, model.PermissionUploadFile) {
|
|
c.SetPermissionError(model.PermissionUploadFile)
|
|
return
|
|
}
|
|
}
|
|
}
|