From ce239287459838ca220c4c35a15d365ba5c66778 Mon Sep 17 00:00:00 2001
From: Mattermost Build
Date: Tue, 13 Jun 2023 19:29:22 +0300
Subject: [PATCH] Fix public boards setting not applying properly (#4739) (#4777)
(cherry picked from commit d10e4070ba2bea4326b06b815bf4a6bdf01257d2)
Co-authored-by: Scott Bishel
---
 server/auth/auth.go | 4 +++
 server/integrationtests/permissions_test.go | 29 +++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/server/auth/auth.go b/server/auth/auth.go
index 5572a3d19..1a1e29cb6 100644
--- a/server/auth/auth.go
+++ b/server/auth/auth.go
@@ -54,6 +54,10 @@ func (a *Auth) IsValidReadToken(boardID string, readToken string) (bool, error)
 return false, err
 }
 
+ if !a.config.EnablePublicSharedBoards {
+ return false, errors.New("public shared boards disabled")
+ }
+
 if sharing != nil && (sharing.ID == boardID && sharing.Enabled && sharing.Token == readToken) {
 return true, nil
 }
diff --git a/server/integrationtests/permissions_test.go b/server/integrationtests/permissions_test.go
index 6cea0e1d8..323ed7a3a 100644
--- a/server/integrationtests/permissions_test.go
+++ b/server/integrationtests/permissions_test.go
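Review bot: In `IsValidReadToken` (server/auth/auth.go) the `EnablePublicSharedBoards` gate sits after the `return false, err` branch, so with the feature disabled a request carrying a read token still appears to reach the sharing lookup, and a lookup error is reported ahead of the policy decision. Moving the three added lines to the top of the function would make the disabled state fail closed before any work driven by the caller-supplied token; the function starts and ends outside the hunk, so the lookup that produces `sharing` is inferred from the context lines. The error is created inline, which leaves callers unable to tell "feature off" from a store failure except by message text; a package-level sentinel such as `var ErrPublicSharedBoardsDisabled = errors.New("public shared boards disabled")` checked with `errors.Is` would make the mapping to 401/403 explicit. Separately, the unchanged line `sharing.Token == readToken` compares a bearer secret with `==`; `subtle.ConstantTimeCompare([]byte(sharing.Token), []byte(readToken)) == 1` is the usual form for that check.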
@@ -581,6 +581,35 @@ func TestPermissionsGetBoard(t *testing.T) {
 })
 }
 
+func TestPermissionsGetBoardPublic(t *testing.T) {
+ ttCases := []TestCase{
+ {"/boards/{PRIVATE_BOARD_ID}?read_token=invalid", methodGet, "", userAnon, http.StatusUnauthorized, 0},
+ {"/boards/{PRIVATE_BOARD_ID}?read_token=valid", methodGet, "", userAnon, http.StatusUnauthorized, 1},
+ {"/boards/{PRIVATE_BOARD_ID}?read_token=invalid", methodGet, "", userNoTeamMember, http.StatusForbidden, 0},
+ {"/boards/{PRIVATE_BOARD_ID}?read_token=valid", methodGet, "", userTeamMember, http.StatusForbidden, 1},
+ }
+ t.Run("plugin", func(t *testing.T) {
+ th := SetupTestHelperPluginMode(t)
+ defer th.TearDown()
+ cfg := th.Server.Config()
+ cfg.EnablePublicSharedBoards = false
+ th.Server.UpdateAppConfig()
+ clients := setupClients(th)
+ testData := setupData(t, th)
+ runTestCases(t, ttCases, testData, clients)
+ })
+ t.Run("local", func(t *testing.T) {
+ th := SetupTestHelperLocalMode(t)
+ defer th.TearDown()
+ cfg := th.Server.Config()
+ cfg.EnablePublicSharedBoards = false
+ th.Server.UpdateAppConfig()
+ clients := setupLocalClients(th)
+ testData := setupData(t, th)
+ runTestCases(t, ttCases, testData, clients)
+ })
+}
+
 func TestPermissionsPatchBoard(t *testing.T) {
 ttCases := []TestCase{
 {"/boards/{PRIVATE_BOARD_ID}", methodPatch, "{\"title\": \"test\"}", userAnon, http.StatusUnauthorized, 0},
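Review bot: `TestPermissionsGetBoardPublic` asserts only denied outcomes with `EnablePublicSharedBoards = false`, so on its own it cannot distinguish the new gate from a fixture in which `read_token=valid` was never registered for `PRIVATE_BOARD_ID`. `setupData` is outside the hunk, so whether that sharing record exists is not visible here. Unless the preceding `TestPermissionsGetBoard` already covers it, a positive control would tie the 401 to the setting: the same anonymous `read_token=valid` request with the setting enabled, expecting `http.StatusOK`. The table also has no `userNoTeamMember` row with `read_token=valid`, which is the authenticated case most likely to regress. The "plugin" and "local" subtests repeat the same three config lines, which a small local helper taking `th` would keep in step.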