Commit ee672a72 authored by Jesse Hallam's avatar Jesse Hallam Committed by Harrison Healey

MM-12192: autocompleteUsers: if a teamId is provided, require it to match the...

MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id (#9481)

* MM-12192: unit test

* MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id
parent de5c8622
......@@ -533,6 +533,20 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
// If a teamId is provided, require it to match the channel's team id.
if teamId != "" {
channel, err := c.App.GetChannel(channelId)
if err != nil {
c.Err = err
return
}
if channel.TeamId != teamId {
c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
return
}
}
result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
if err != nil {
c.Err = err
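Review bot: The mismatch branch under `if channel.TeamId != teamId` answers with http.StatusUnauthorized, but the caller is already authenticated at this point and the failure is that the supplied team does not own the channel, which is an authorization/validation problem; `http.StatusForbidden` (or `http.StatusBadRequest`) describes it accurately and keeps clients from treating the response as a credential failure, e.g. `c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusForbidden)`. If channel.TeamId is empty for direct and group message channels (not visible in this hunk), any non-empty teamId supplied for such a channel now fails the comparison, so either the new comment should say so, e.g. `// A teamId supplied for a channel without a team (DM/GM) is rejected as well.`, or the check should skip channels with an empty TeamId if that rejection is not intended. The GetChannel call presumably repeats a lookup that the channel permission check above the hunk already performs; reusing that channel would save a store round-trip. autocompleteUsers starts before the hunk and continues after it.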
......
......@@ -872,6 +872,11 @@ func TestAutocompleteUsers(t *testing.T) {
if rusers.Users[0].FirstName != "" || rusers.Users[0].LastName != "" {
t.Fatal("should not show first/last name")
}
t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
})
}
func TestGetProfileImage(t *testing.T) {
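Review bot: The new subtest covers only the rejection path; nothing asserts that a teamId matching the channel's team is still accepted, so a regression that rejects every non-empty teamId would pass this test. Add a positive call beside it using the id of the team that owns channelId (the variable holding it is not visible here), e.g. `_, resp = Client.AutocompleteUsersInChannel(th.BasicTeam.Id, channelId, username, "")` followed by `CheckNoError(t, resp)`. The value assigned to rusers inside the subtest is never inspected, so assigning it to `_` makes the intent clearer. TestAutocompleteUsers starts before the hunk.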
......
......@@ -2018,6 +2018,10 @@
"id": "api.user.authorize_oauth_user.unsupported.app_error",
"translation": "Unsupported OAuth service provider"
},
{
"id": "api.user.autocomplete_users.invalid_team_id",
"translation": "Invalid team id"
},
{
"id": "api.user.check_user_login_attempts.too_many.app_error",
"translation": "Your account is locked because of too many failed password attempts. Please reset your password."
......