Commit cad80670 authored by George Goldberg's avatar George Goldberg Committed by Christopher Speller

MM-12013: Fix post-permission checks to cascade for DM/GM channels. (#9476)

parent 45464234
......@@ -455,6 +455,20 @@ func (me *TestHelper) CreateMessagePostNoClient(channel *model.Channel, message
return post
}
func (me *TestHelper) CreateDmChannel(user *model.User) *model.Channel {
utils.DisableDebugLogForTest()
var err *model.AppError
var channel *model.Channel
if channel, err = me.App.CreateDirectChannel(me.BasicUser.Id, user.Id); err != nil {
mlog.Error(err.Error())
time.Sleep(time.Second)
panic(err)
}
utils.EnableDebugLogForTest()
return channel
}
func (me *TestHelper) LoginBasic() {
me.LoginBasicWithClient(me.Client)
}
......
......@@ -599,6 +599,31 @@ func TestUpdatePost(t *testing.T) {
CheckNoError(t, resp)
}
func TestUpdateOthersPostInDirectMessageChannel(t *testing.T) {
// This test checks that a sysadmin with the "EDIT_OTHERS_POSTS" permission can edit someone else's post in a
// channel without a team (DM/GM). This indirectly checks for the proper cascading all the way to system-wide roles
// on the user object of permissions based on a post in a channel with no team ID.
th := Setup().InitBasic().InitSystemAdmin()
defer th.TearDown()
dmChannel := th.CreateDmChannel(th.SystemAdminUser)
post := &model.Post{
Message: "asd",
ChannelId: dmChannel.Id,
PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()),
UserId: th.BasicUser.Id,
CreateAt: 0,
}
post, resp := th.Client.CreatePost(post)
CheckNoError(t, resp)
post.Message = "changed"
post, resp = th.SystemAdminClient.UpdatePost(post.Id, post)
CheckNoError(t, resp)
}
func TestPatchPost(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
defer th.TearDown()
......
......@@ -74,7 +74,9 @@ func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId
if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
channel := result.Data.(*model.Channel)
return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
if channel.TeamId != "" {
return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
}
}
return a.SessionHasPermissionTo(session, permission)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment