MM-12519: simplify autocomplete team id checking (#9577)

This handles clients that send a team id with a direct message or group channel autocomplete, where it necessarily cannot match. Just verify that the user has permission for the team in question, whenever it is provided.
parent ef6d7af2
......@@ -532,21 +532,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
}
// If a teamId is provided, require it to match the channel's team id.
if teamId != "" {
channel, err := c.App.GetChannel(channelId)
if err != nil {
c.Err = err
return
}
if channel.TeamId != teamId {
c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
return
}
if len(teamId) > 0 {
if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
return
}
}
if len(channelId) > 0 {
// Applying the provided teamId here is useful for DMs and GMs which don't belong
// to a team. Applying it when the channel does belong to a team makes less sense,
//t but the permissions are checked above regardless.
result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
if err != nil {
c.Err = err
......@@ -556,11 +554,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
autocomplete.Users = result.InChannel
autocomplete.OutOfChannel = result.OutOfChannel
} else if len(teamId) > 0 {
if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
return
}
result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin())
if err != nil {
c.Err = err
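Review bot: The new comment in the channel branch carries a stray character — `//t but the permissions are checked above regardless.` — and should read `// but the permissions are checked above regardless.`. Because the channel/team match is no longer enforced, that comment is now the only place recording why a mismatched teamId is accepted, so it is worth making the rationale explicit, e.g. `// A teamId that differs from the channel's team is accepted on purpose (DMs/GMs have no team); the VIEW_TEAM check above is what authorizes use of that teamId.` It also appears that for a channel which does belong to a team, the OutOfChannel list may now be drawn from a different team than the channel's; if that is not intended, a comment or a guard stating which teamId wins would help. The enclosing autocompleteUsers function starts and ends outside the hunks.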
......
......@@ -873,9 +873,9 @@ func TestAutocompleteUsers(t *testing.T) {
t.Fatal("should not show first/last name")
}
t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
t.Run("user must have access to team id, especially when it does not match channel's team id", func(t *testing.T) {
rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
CheckErrorMessage(t, resp, "api.context.permissions.app_error")
})
}
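Review bot: The rewritten subtest still only exercises the rejection path: `otherTeamId` is not a team the user belongs to, so the `api.context.permissions.app_error` assertion passes for a non-existent team just as it would for a foreign one. The behaviour the commit introduces — a teamId that differs from the channel's team but on which the user does hold VIEW_TEAM (the DM/GM case in the description) — has no positive assertion here, so a regression back to the old match check would not be caught. A sibling subtest calling `Client.AutocompleteUsersInChannel(<id of a second team the user belongs to>, dmChannelId, username, "")` followed by `CheckNoError(t, resp)` would pin it. The enclosing TestAutocompleteUsers starts and ends outside the hunk.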
......