MM-12013: Fix post-permission checks to cascade for DM/GM channels. (#9476)

cad80670 · George Goldberg · Christopher Speller · 45464234 · cad80670 · cad80670
Commit cad80670 authored Sep 27, 2018 by George Goldberg Committed by Christopher Speller Sep 27, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 1 deletion

api4/apitestlib.go api4/apitestlib.go +14 -0

api4/post_test.go api4/post_test.go +25 -0

app/authorization.go app/authorization.go +3 -1

No files found.
--- a/api4/apitestlib.go
+++ b/api4/apitestlib.go
@@ -455,6 +455,20 @@ func (me *TestHelper) CreateMessagePostNoClient(channel *model.Channel, message
 	return post
 }

+func (me *TestHelper) CreateDmChannel(user *model.User) *model.Channel {
+	utils.DisableDebugLogForTest()
+	var err *model.AppError
+	var channel *model.Channel
+	if channel, err = me.App.CreateDirectChannel(me.BasicUser.Id, user.Id); err != nil {
+		mlog.Error(err.Error())
+
+		time.Sleep(time.Second)
+		panic(err)
+	}
+	utils.EnableDebugLogForTest()
+	return channel
+}
+
 func (me *TestHelper) LoginBasic() {
 	me.LoginBasicWithClient(me.Client)
 }

--- a/api4/post_test.go
+++ b/api4/post_test.go
@@ -599,6 +599,31 @@ func TestUpdatePost(t *testing.T) {
 	CheckNoError(t, resp)
 }

+func TestUpdateOthersPostInDirectMessageChannel(t *testing.T) {
+	// This test checks that a sysadmin with the "EDIT_OTHERS_POSTS" permission can edit someone else's post in a
+	// channel without a team (DM/GM). This indirectly checks for the proper cascading all the way to system-wide roles
+	// on the user object of permissions based on a post in a channel with no team ID.
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	dmChannel := th.CreateDmChannel(th.SystemAdminUser)
+
+	post := &model.Post{
+		Message:       "asd",
+		ChannelId:     dmChannel.Id,
+		PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()),
+		UserId:        th.BasicUser.Id,
+		CreateAt:      0,
+	}
+
+	post, resp := th.Client.CreatePost(post)
+	CheckNoError(t, resp)
+
+	post.Message = "changed"
+	post, resp = th.SystemAdminClient.UpdatePost(post.Id, post)
+	CheckNoError(t, resp)
+}
+
 func TestPatchPost(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	defer th.TearDown()

--- a/app/authorization.go
+++ b/app/authorization.go
@@ -74,7 +74,9 @@ func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId

 	if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
 		channel := result.Data.(*model.Channel)
-		return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
+		if channel.TeamId != "" {
+			return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
+		}
 	}

 	return a.SessionHasPermissionTo(session, permission)