Skip to content

Commit

Permalink
MM-56822 Update logic around permissions and sanitization (#26227) (#…
Browse files Browse the repository at this point in the history
…26344)

Automatic Merge
  • Loading branch information
mattermost-build authored Feb 29, 2024
1 parent 362b7d2 commit 0dc03fb
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 10 deletions.
30 changes: 28 additions & 2 deletions server/channels/api4/team_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -327,7 +327,19 @@ func TestGetTeamSanitization(t *testing.T) {
require.Empty(t, rteam.InviteId, "should have sanitized inviteid")
})

t.Run("team admin", func(t *testing.T) {
t.Run("team admin default removed", func(t *testing.T) {
// the above test removes PermissionInviteUser from TeamUser,
// which also removes it from TeamAdmin. By default, TeamAdmin
// permission is inherited from TeamUser.
rteam, _, err := th.Client.GetTeam(context.Background(), team.Id, "")
require.NoError(t, err)

require.NotEmpty(t, rteam.Email, "should not have sanitized email")
require.Empty(t, rteam.InviteId, "should have sanitized inviteid")
})

t.Run("team admin permission re-added", func(t *testing.T) {
th.AddPermissionToRole(model.PermissionInviteUser.Id, model.TeamAdminRoleId)
rteam, _, err := th.Client.GetTeam(context.Background(), team.Id, "")
require.NoError(t, err)

Expand Down Expand Up @@ -1454,7 +1466,19 @@ func TestGetTeamByNameSanitization(t *testing.T) {
require.Empty(t, rteam.InviteId, "should have sanitized inviteid")
})

t.Run("team admin/non-admin", func(t *testing.T) {
t.Run("team admin/non-admin without invite permission", func(t *testing.T) {
// the above test removes PermissionInviteUser from TeamUser,
// which also removes it from TeamAdmin. By default, TeamAdmin
// permission is inherited from TeamUser.
rteam, _, err := th.Client.GetTeamByName(context.Background(), team.Name, "")
require.NoError(t, err)

require.NotEmpty(t, rteam.Email, "should not have sanitized email")
require.Empty(t, rteam.InviteId, "should have sanitized inviteid")
})

t.Run("team admin/non-admin with invite permission", func(t *testing.T) {
th.AddPermissionToRole(model.PermissionInviteUser.Id, model.TeamAdminRoleId)
rteam, _, err := th.Client.GetTeamByName(context.Background(), team.Name, "")
require.NoError(t, err)

Expand Down Expand Up @@ -1863,6 +1887,8 @@ func TestGetTeamsForUserSanitization(t *testing.T) {

client := th.CreateClient()
th.RemovePermissionFromRole(model.PermissionInviteUser.Id, model.TeamUserRoleId)
defer th.AddPermissionToRole(model.PermissionInviteUser.Id, model.TeamUserRoleId)

th.LoginBasic2WithClient(client)

rteams, _, err := client.GetTeamsForUser(context.Background(), th.BasicUser2.Id, "")
Expand Down
19 changes: 11 additions & 8 deletions server/channels/app/team.go
Original file line number Diff line number Diff line change
Expand Up @@ -1930,19 +1930,22 @@ func (a *App) GetTeamIdFromQuery(query url.Values) (string, *model.AppError) {
}

func (a *App) SanitizeTeam(session model.Session, team *model.Team) *model.Team {
if a.SessionHasPermissionToTeam(session, team.Id, model.PermissionManageTeam) {
return team
}
manageTeamPermission := a.SessionHasPermissionToTeam(session, team.Id, model.PermissionManageTeam)
inviteUserPermission := a.SessionHasPermissionToTeam(session, team.Id, model.PermissionInviteUser)

if a.SessionHasPermissionToTeam(session, team.Id, model.PermissionInviteUser) {
inviteId := team.InviteId
team.Sanitize()
team.InviteId = inviteId
if manageTeamPermission && inviteUserPermission {
return team
}

email := team.Email
inviteId := team.InviteId
team.Sanitize()

if manageTeamPermission {
team.Email = email
}
if inviteUserPermission {
team.InviteId = inviteId
}
return team
}

Expand Down

0 comments on commit 0dc03fb

Please sign in to comment.