Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: including public channels should check for compliance settings #102

Merged
merged 10 commits into from
Sep 17, 2024

Conversation

fmartingr
Copy link
Contributor

Summary

  • If the legal hold is created/updated with the exclude public channels disabled (including public channel data) a check is made to ensure that compliance export is enabled
  • Added validation in the API layer
  • Removed validation from the KVStore layer (since it's redundant and is not checking what we think it is)
  • Added a validation for dates (StartDate < EndDate)

Ticket Link

https://mattermost.atlassian.net/browse/MM-59830

@fmartingr fmartingr marked this pull request as ready for review September 16, 2024 09:00
@fmartingr fmartingr added 2: Dev Review Requires review by a core committer 3: Security Review Review requested from Security Team labels Sep 16, 2024
Copy link

@esarafianou esarafianou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor comments and we're good to go! 🚀

btw you've also addressed this ticket with your work: https://mattermost.atlassian.net/browse/MM-59309

server/model/legal_hold.go Outdated Show resolved Hide resolved
server/model/legal_hold.go Outdated Show resolved Hide resolved
server/store/kvstore/legal_hold.go Outdated Show resolved Hide resolved
@esarafianou esarafianou removed the 3: Security Review Review requested from Security Team label Sep 16, 2024
@fmartingr fmartingr self-assigned this Sep 16, 2024
@@ -86,10 +82,6 @@ func (kvs Impl) GetLegalHoldByID(id string) (*model.LegalHold, error) {
}

func (kvs Impl) UpdateLegalHold(lh, oldValue model.LegalHold) (*model.LegalHold, error) {
if err := lh.IsValidForCreate(); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would feel safer if we also kept the store level validation because we call this method from the job layer as well. We only call CreateLegalHold from the api layer but maybe we should also keep that validation in the store layer to protect ourselves from future modifications?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right that we can reach this from the job layer, let me take a look at it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Been checking the code, the job itself only updates one field currently outside of the scope of model.UpdateLegalHold struct, and the code does not follow the same logic path.

https://github.com/mattermost/mattermost-plugin-legal-hold/blob/main/server/jobs/legal_hold_job.go#L221

Do you think it would add value to add this check here considering we are updating the value atomically?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it just future proofs the code even if it doesn't make a difference right now. We do this in mattermost-server for a lot of our create/update store functions. @esarafianou what is our official stance on this? It's not entirely consistent in our server code either

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's create a ticket for this an address for subsequent release. We are in the final stage of releasing this to several customers.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created #105

@fmartingr fmartingr removed the 2: Dev Review Requires review by a core committer label Sep 17, 2024
@fmartingr fmartingr merged commit 2744b3d into main Sep 17, 2024
4 checks passed
@fmartingr fmartingr deleted the fix/public-data-and-compliance branch September 17, 2024 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3: QA Review Requires review by a QA tester
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants