Commit ee672a72 authored by Jesse Hallam's avatar Jesse Hallam Committed by Harrison Healey

MM-12192: autocompleteUsers: if a teamId is provided, require it to match the...

MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id (#9481)

* MM-12192: unit test

* MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id
parent de5c8622
...@@ -533,6 +533,20 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { ...@@ -533,6 +533,20 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
return return
} }
// If a teamId is provided, require it to match the channel's team id.
if teamId != "" {
channel, err := c.App.GetChannel(channelId)
if err != nil {
c.Err = err
return
}
if channel.TeamId != teamId {
c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
return
}
}
result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin()) result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
if err != nil { if err != nil {
c.Err = err c.Err = err
......
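Review bot: A teamId that does not match the channel's team is reported with http.StatusUnauthorized on the model.NewAppError line, but 401 signals a missing or invalid credential and some clients react to it by discarding the session; the caller here is authenticated and has sent inconsistent parameters, so `http.StatusBadRequest` (or `http.StatusForbidden`, if the mismatch is treated as a permission failure) is the conventional code. Leaving the details argument empty is the right call, since echoing the channel's real TeamId back would disclose it to a caller who merely guessed at it. The enclosing autocompleteUsers starts and ends outside the hunk, so it cannot be seen whether the preceding permission check already loaded the channel; if it did, the extra GetChannel call could reuse that value instead of fetching again.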
...@@ -872,6 +872,11 @@ func TestAutocompleteUsers(t *testing.T) { ...@@ -872,6 +872,11 @@ func TestAutocompleteUsers(t *testing.T) {
if rusers.Users[0].FirstName != "" || rusers.Users[0].LastName != "" { if rusers.Users[0].FirstName != "" || rusers.Users[0].LastName != "" {
t.Fatal("should not show first/last name") t.Fatal("should not show first/last name")
} }
t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
})
} }
func TestGetProfileImage(t *testing.T) { func TestGetProfileImage(t *testing.T) {
......
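Review bot: The new subtest only covers the rejection path, so an implementation that rejected every non-empty teamId would still pass; add the positive case beside it, calling `Client.AutocompleteUsersInChannel` with the channel's own team id and asserting that no error is returned, and consider asserting the response status code as well as the message id so the chosen status is pinned. The subtest assigns into the enclosing rusers without reading it; `_, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")` states the intent more clearly. TestAutocompleteUsers starts outside the hunk, so which fixture holds the channel's team id is not visible here.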
...@@ -2018,6 +2018,10 @@ ...@@ -2018,6 +2018,10 @@
"id": "api.user.authorize_oauth_user.unsupported.app_error", "id": "api.user.authorize_oauth_user.unsupported.app_error",
"translation": "Unsupported OAuth service provider" "translation": "Unsupported OAuth service provider"
}, },
{
"id": "api.user.autocomplete_users.invalid_team_id",
"translation": "Invalid team id"
},
{ {
"id": "api.user.check_user_login_attempts.too_many.app_error", "id": "api.user.check_user_login_attempts.too_many.app_error",
"translation": "Your account is locked because of too many failed password attempts. Please reset your password." "translation": "Your account is locked because of too many failed password attempts. Please reset your password."
......