self-hosted/focalboard
1
0
Fork 0
mirror of https://github.com/mattermost/focalboard.git synced 2025-01-23 18:34:02 +02:00
Code Issues Releases Activity

MM-54366 Check guest access to other members (#4871)

Browse Source 
* check guest access to other members

* lint fix
This commit is contained in:
Scott Bishel 2023-09-25 08:19:53 -06:00 committed by GitHub
parent 7226ed2cbb
commit 134422df4d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 127 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
server/api/users.go
View File

@ -93,15 +93,25 @@ func (a *API) handleGetUsersList(w http.ResponseWriter, r *http.Request) {
session := ctx.Value(sessionContextKey).(*model.Session) session := ctx.Value(sessionContextKey).(*model.Session)
isSystemAdmin := a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem) isSystemAdmin := a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem)
sanitizedUsers := make([]*model.User, 0)
for _, user := range users { for _, user := range users {
canSeeUser, err2 := a.app.CanSeeUser(session.UserID, user.ID)
if err2 != nil {
a.errorResponse(w, r, err2)
return
}
if !canSeeUser {
continue
}
if user.ID == session.UserID { if user.ID == session.UserID {
user.Sanitize(map[string]bool{}) user.Sanitize(map[string]bool{})
} else { } else {
a.app.SanitizeProfile(user, isSystemAdmin) a.app.SanitizeProfile(user, isSystemAdmin)
} }
sanitizedUsers = append(sanitizedUsers, user)
} }
usersList, err := json.Marshal(users) usersList, err := json.Marshal(sanitizedUsers)
if err != nil { if err != nil {
a.errorResponse(w, r, err) a.errorResponse(w, r, err)
return return

20
server/client/client.go
View File

@ -634,6 +634,26 @@ func (c *Client) GetUser(id string) (*model.User, *Response) {
return user, BuildResponse(r) return user, BuildResponse(r)
} }
func (c *Client) GetUserList(ids []string) ([]model.User, *Response) {
r, err := c.DoAPIPost("/users", toJSON(ids))
if err != nil {
return nil, BuildErrorResponse(r, err)
}
defer closeBody(r)
requestBody, err := io.ReadAll(r.Body)
if err != nil {
return nil, BuildErrorResponse(r, err)
}
var users []model.User
err = json.Unmarshal(requestBody, &users)
if err != nil {
return nil, BuildErrorResponse(r, err)
}
return users, BuildResponse(r)
}
func (c *Client) GetUserChangePasswordRoute(id string) string { func (c *Client) GetUserChangePasswordRoute(id string) string {
return fmt.Sprintf("/users/%s/changepassword", id) return fmt.Sprintf("/users/%s/changepassword", id)
} }

11
server/integrationtests/pluginteststore.go
View File

@ -127,6 +127,17 @@ func (s *PluginTestStore) GetUserByID(userID string) (*model.User, error) {
return user, nil return user, nil
} }
func (s *PluginTestStore) GetUsersList(userIDs []string, showEmail, showName bool) ([]*model.User, error) {
var users []*model.User
for _, id := range userIDs {
user := s.users[id]
if user != nil {
users = append(users, user)
}
}
return users, nil
}
func (s *PluginTestStore) GetUserByEmail(email string) (*model.User, error) { func (s *PluginTestStore) GetUserByEmail(email string) (*model.User, error) {
for _, user := range s.users { for _, user := range s.users {
if user.Email == email { if user.Email == email {

73
server/integrationtests/user_test.go
View File

@ -164,6 +164,79 @@ func TestGetUser(t *testing.T) {
}) })
} }
func TestGetUserList(t *testing.T) {
th := SetupTestHelperPluginMode(t)
defer th.TearDown()
clients := setupClients(th)
th.Client = clients.TeamMember
th.Client2 = clients.Editor
me, resp := th.Client.GetMe()
require.NoError(t, resp.Error)
require.NotNil(t, me)
userID1 := me.ID
userID2 := th.GetUser2().ID
// Admin user should return both
returnUsers, resp := clients.Admin.GetUserList([]string{userID1, userID2})
require.NoError(t, resp.Error)
require.NotNil(t, returnUsers)
require.Equal(t, 2, len(returnUsers))
// Guest user should return none
returnUsers2, resp := clients.Guest.GetUserList([]string{userID1, userID2})
require.NoError(t, resp.Error)
require.NotNil(t, returnUsers2)
require.Equal(t, 0, len(returnUsers2))
newBoard := &model.Board{
Title: "title",
Type: model.BoardTypeOpen,
TeamID: testTeamID,
}
board, err := th.Server.App().CreateBoard(newBoard, userID1, true)
require.NoError(t, err)
// add Guest as board member
newGuestMember := &model.BoardMember{
UserID: userGuestID,
BoardID: board.ID,
SchemeViewer: true,
SchemeCommenter: true,
SchemeEditor: true,
SchemeAdmin: false,
}
guestMember, err := th.Server.App().AddMemberToBoard(newGuestMember)
require.NoError(t, err)
require.NotNil(t, guestMember)
// Guest user should now return one of members
guestUsers, resp := clients.Guest.GetUserList([]string{th.GetUser1().ID, th.GetUser2().ID})
require.NoError(t, resp.Error)
require.NotNil(t, guestUsers)
require.Equal(t, 1, len(guestUsers))
// add other user as board member
newBoardMember := &model.BoardMember{
UserID: userID2,
BoardID: board.ID,
SchemeViewer: true,
SchemeCommenter: true,
SchemeEditor: true,
SchemeAdmin: false,
}
newMember, err := th.Server.App().AddMemberToBoard(newBoardMember)
require.NoError(t, err)
require.NotNil(t, newMember)
// Guest user should now return both
guestUsers, resp = clients.Guest.GetUserList([]string{th.GetUser1().ID, th.GetUser2().ID})
require.NoError(t, resp.Error)
require.NotNil(t, guestUsers)
require.Equal(t, 2, len(guestUsers))
}
func TestUserChangePassword(t *testing.T) { func TestUserChangePassword(t *testing.T) {
th := SetupTestHelper(t).Start() th := SetupTestHelper(t).Start()
defer th.TearDown() defer th.TearDown()

26
server/services/store/mattermostauthlayer/mattermostauthlayer.go
View File

@ -1297,17 +1297,16 @@ func (s *MattermostAuthLayer) CanSeeUser(seerID string, seenID string) (bool, er
query := s.getQueryBuilder(). query := s.getQueryBuilder().
Select("1"). Select("1").
From(s.tablePrefix + "board_members AS BM1"). From(s.tablePrefix + "board_members AS bm1").
Join(s.tablePrefix + "board_members AS BM2 ON BM1.BoardID=BM2.BoardID"). Join(s.tablePrefix + "board_members AS bm2 ON bm1.board_id=bm2.board_id").
LeftJoin("Bots b ON ( b.UserId = u.id )").
Where(sq.Or{ Where(sq.Or{
sq.And{ sq.And{
sq.Eq{"BM1.UserID": seerID}, sq.Eq{"bm1.user_id": seerID},
sq.Eq{"BM2.UserID": seenID}, sq.Eq{"bm2.user_id": seenID},
}, },
sq.And{ sq.And{
sq.Eq{"BM1.UserID": seenID}, sq.Eq{"bm1.user_id": seenID},
sq.Eq{"BM2.UserID": seerID}, sq.Eq{"bm2.user_id": seerID},
}, },
}).Limit(1) }).Limit(1)
@ -1323,17 +1322,16 @@ func (s *MattermostAuthLayer) CanSeeUser(seerID string, seenID string) (bool, er
query = s.getQueryBuilder(). query = s.getQueryBuilder().
Select("1"). Select("1").
From("ChannelMembers AS CM1"). From("channelmembers AS cm1").
Join("ChannelMembers AS CM2 ON CM1.BoardID=CM2.BoardID"). Join("channelmembers AS cm2 ON cm1.channelid=cm2.channelid").
LeftJoin("Bots b ON ( b.UserId = u.id )").
Where(sq.Or{ Where(sq.Or{
sq.And{ sq.And{
sq.Eq{"CM1.UserID": seerID}, sq.Eq{"cm1.userid": seerID},
sq.Eq{"CM2.UserID": seenID}, sq.Eq{"cm2.userid": seenID},
}, },
sq.And{ sq.And{
sq.Eq{"CM1.UserID": seenID}, sq.Eq{"cm1.userid": seenID},
sq.Eq{"CM2.UserID": seerID}, sq.Eq{"cm2.userid": seerID},
}, },
}).Limit(1) }).Limit(1)