Unverified Commit 5c560db8 authored by Joram Wilander's avatar Joram Wilander Committed by GitHub

ABC-176 Prevent changing PluginSettings.EnableUploads through the API (#8249)

* Prevent changing PluginSettings.EnableUploads through the API

* Contain api4 test case in its own test
parent d88d2bc2
......@@ -108,6 +108,9 @@ func saveConfig(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
// Do not allow plugin uploads to be toggled through the API
cfg.PluginSettings.EnableUploads = c.App.GetConfig().PluginSettings.EnableUploads
err := c.App.SaveConfig(cfg, true)
if err != nil {
c.Err = err
......
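Review bot: The override added to saveConfig silently discards a submitted `PluginSettings.EnableUploads` and lets the request succeed, so an attempt to toggle plugin uploads through the API leaves no trace and the caller gets no signal that the field was ignored. Consider comparing the submitted value (nil-checked) with the live one before the assignment and logging a warning that names the ignored field when they differ. The identical assignment added to updateConfig in the api4 hunk has the same gap. The comment could also say why the field is protected rather than only what is done, if the reason is that uploads must only be enabled from the config file. saveConfig starts and ends outside this hunk.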
......@@ -10,6 +10,7 @@ import (
"github.com/mattermost/mattermost-server/model"
"github.com/mattermost/mattermost-server/store"
"github.com/stretchr/testify/assert"
)
func TestGetLogs(t *testing.T) {
......@@ -149,6 +150,18 @@ func TestSaveConfig(t *testing.T) {
}
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.EnableOpenServer = true })
// Should not be able to modify PluginSettings.EnableUploads
oldEnableUploads := *th.App.GetConfig().PluginSettings.EnableUploads
cfg := &model.Config{}
cfg.SetDefaults()
*cfg.PluginSettings.EnableUploads = !oldEnableUploads
if _, err := th.SystemAdminClient.SaveConfig(cfg); err != nil {
t.Fatal(err)
}
assert.Equal(t, oldEnableUploads, *th.App.Config().PluginSettings.EnableUploads)
}
func TestRecycleDatabaseConnection(t *testing.T) {
......
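Review bot: The new TestSaveConfig case only submits a flipped value; it never submits a config with `PluginSettings.EnableUploads` left nil, which the api4 subtest in this commit does cover. Repeating the call after `cfg.PluginSettings.EnableUploads = nil` with the same assertion would pin the behaviour for both API versions. The case also saves a config built from `SetDefaults()`, which replaces every other setting on the test server; whether later tests depend on the earlier values is not visible here, so consider restoring the previous config afterwards. It reads the setting with `GetConfig()` on one line and `Config()` on another; using one accessor would read more clearly.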
......@@ -121,6 +121,9 @@ func updateConfig(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
// Do not allow plugin uploads to be toggled through the API
cfg.PluginSettings.EnableUploads = c.App.GetConfig().PluginSettings.EnableUploads
err := c.App.SaveConfig(cfg, true)
if err != nil {
c.Err = err
......
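Review bot: The assignment added to updateConfig copies the pointer rather than the value, so the config handed to `SaveConfig` shares its `*bool` with the config returned by `c.App.GetConfig()`, and a later write through either pointer would change both. Whether anything writes through it is not visible here, but copying the value avoids the question: `enableUploads := *c.App.GetConfig().PluginSettings.EnableUploads` followed by `cfg.PluginSettings.EnableUploads = &enableUploads`. That dereference needs the live pointer to be non-nil, so confirm the defaults guarantee it. The saveConfig hunk contains the same line, and updateConfig's body continues outside this hunk.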
......@@ -7,6 +7,7 @@ import (
l4g "github.com/alecthomas/log4go"
"github.com/mattermost/mattermost-server/model"
"github.com/stretchr/testify/assert"
)
func TestGetPing(t *testing.T) {
......@@ -106,9 +107,10 @@ func TestUpdateConfig(t *testing.T) {
defer th.TearDown()
Client := th.Client
cfg := th.App.GetConfig()
cfg, resp := th.SystemAdminClient.GetConfig()
CheckNoError(t, resp)
_, resp := Client.UpdateConfig(cfg)
_, resp = Client.UpdateConfig(cfg)
CheckForbiddenStatus(t, resp)
SiteName := th.App.Config().TeamSettings.SiteName
......@@ -139,6 +141,22 @@ func TestUpdateConfig(t *testing.T) {
t.Fatal()
}
}
t.Run("Should not be able to modify PluginSettings.EnableUploads", func(t *testing.T) {
oldEnableUploads := *th.App.GetConfig().PluginSettings.EnableUploads
*cfg.PluginSettings.EnableUploads = !oldEnableUploads
cfg, resp = th.SystemAdminClient.UpdateConfig(cfg)
CheckNoError(t, resp)
assert.Equal(t, oldEnableUploads, *cfg.PluginSettings.EnableUploads)
assert.Equal(t, oldEnableUploads, *th.App.GetConfig().PluginSettings.EnableUploads)
cfg.PluginSettings.EnableUploads = nil
cfg, resp = th.SystemAdminClient.UpdateConfig(cfg)
CheckNoError(t, resp)
assert.Equal(t, oldEnableUploads, *cfg.PluginSettings.EnableUploads)
assert.Equal(t, oldEnableUploads, *th.App.GetConfig().PluginSettings.EnableUploads)
})
}
func TestGetOldClientConfig(t *testing.T) {
......
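Review bot: The new subtest flips `EnableUploads` relative to whatever the harness currently holds, so which direction is exercised (off to on, or on to off) depends on a default that is not visible here. The direction that matters for this change is an attempt to turn uploads on, so pin the starting state before the subtest, e.g. `th.App.UpdateConfig(func(cfg *model.Config) { *cfg.PluginSettings.EnableUploads = false })`. The subtest also reassigns the outer `cfg` and `resp`, which couples it to statements earlier in TestUpdateConfig; local variables would keep it self-contained.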