Add code to disble guest account access (#2690)

* Disabling guest accounts

* Using the plugin api to improve get user queries

* Fix linter errors

Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>

server/api/auth.go

@@ -470,6 +470,18 @@ func (a *API) attachSession(handler func(w http.ResponseWriter, r *http.Request)
 				CreateAt:    now,
 				UpdateAt:    now,
 			}
+
+			user, err := a.app.GetUser(userID)
+			if err != nil {
+				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
+				return
+			}
+
+			if user.IsGuest {
+				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "guests not supported", nil)
+				return
+			}
+
 			ctx := context.WithValue(r.Context(), sessionContextKey, session)
 			handler(w, r.WithContext(ctx))
 			return

server/model/user.go

@@ -55,6 +55,10 @@ type User struct {
 	// If the user is a bot or not
 	// required: true
 	IsBot bool `json:"is_bot"`
+
+	// If the user is a guest or not
+	// required: true
+	IsGuest bool `json:"is_guest"`
 }
 
 // UserPropPatch is a user property patch

server/services/store/mattermostauthlayer/mattermostauthlayer.go

@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"encoding/json"
 
+	mmModel "github.com/mattermost/mattermost-server/v6/model"
 	"github.com/mattermost/mattermost-server/v6/plugin"
 
 	sq "github.com/Masterminds/squirrel"
@@ -12,7 +13,6 @@ import (
 	"github.com/mattermost/focalboard/server/services/store"
 	"github.com/mattermost/focalboard/server/utils"
 
-	mmModel "github.com/mattermost/mattermost-server/v6/model"
 	"github.com/mattermost/mattermost-server/v6/shared/mlog"
 )
 
@@ -55,7 +55,8 @@ func (s *MattermostAuthLayer) GetRegisteredUserCount() (int, error) {
 	query := s.getQueryBuilder().
 		Select("count(*)").
 		From("Users").
-		Where(sq.Eq{"deleteAt": 0})
+		Where(sq.Eq{"deleteAt": 0}).
+		Where(sq.NotEq{"roles": "system_guest"})
 	row := query.QueryRow()
 
 	var count int
@@ -67,67 +68,31 @@ func (s *MattermostAuthLayer) GetRegisteredUserCount() (int, error) {
 	return count, nil
 }
 
-func (s *MattermostAuthLayer) getUserByCondition(condition sq.Eq) (*model.User, error) {
-	users, err := s.getUsersByCondition(condition)
-	if err != nil {
-		return nil, err
-	}
-
-	var user *model.User
-	for _, u := range users {
-		user = u
-		break
-	}
-
-	return user, nil
-}
-
-func (s *MattermostAuthLayer) getUsersByCondition(condition sq.Eq) (map[string]*model.User, error) {
-	query := s.getQueryBuilder().
-		Select("u.id", "u.username", "u.email", "u.password", "u.MFASecret as mfa_secret", "u.AuthService as auth_service", "COALESCE(u.AuthData, '') as auth_data",
-			"u.props", "u.CreateAt as create_at", "u.UpdateAt as update_at", "u.DeleteAt as delete_at", "b.UserId IS NOT NULL AS is_bot").
-		From("Users as u").
-		LeftJoin("Bots b ON ( b.UserId = u.ID )").
-		Where(sq.Eq{"u.deleteAt": 0}).
-		Where(condition)
-	row, err := query.Query()
-	if err != nil {
-		return nil, err
-	}
-
-	users := map[string]*model.User{}
-
-	for row.Next() {
-		user := model.User{}
-
-		var propsBytes []byte
-		err := row.Scan(&user.ID, &user.Username, &user.Email, &user.Password, &user.MfaSecret, &user.AuthService,
-			&user.AuthData, &propsBytes, &user.CreateAt, &user.UpdateAt, &user.DeleteAt, &user.IsBot)
-		if err != nil {
-			return nil, err
-		}
-
-		err = json.Unmarshal(propsBytes, &user.Props)
-		if err != nil {
-			return nil, err
-		}
-
-		users[user.ID] = &user
-	}
-
-	return users, nil
-}
-
 func (s *MattermostAuthLayer) GetUserByID(userID string) (*model.User, error) {
-	return s.getUserByCondition(sq.Eq{"id": userID})
+	mmuser, err := s.pluginAPI.GetUser(userID)
+	if err != nil {
+		return nil, err
+	}
+	user := mmUserToFbUser(mmuser)
+	return &user, nil
 }
 
 func (s *MattermostAuthLayer) GetUserByEmail(email string) (*model.User, error) {
-	return s.getUserByCondition(sq.Eq{"email": email})
+	mmuser, err := s.pluginAPI.GetUserByEmail(email)
+	if err != nil {
+		return nil, err
+	}
+	user := mmUserToFbUser(mmuser)
+	return &user, nil
 }
 
 func (s *MattermostAuthLayer) GetUserByUsername(username string) (*model.User, error) {
-	return s.getUserByCondition(sq.Eq{"username": username})
+	mmuser, err := s.pluginAPI.GetUserByUsername(username)
+	if err != nil {
+		return nil, err
+	}
+	user := mmUserToFbUser(mmuser)
+	return &user, nil
 }
 
 func (s *MattermostAuthLayer) CreateUser(user *model.User) error {
@@ -293,6 +258,7 @@ func (s *MattermostAuthLayer) GetUsersByTeam(teamID string) ([]*model.User, erro
 		Join("TeamMembers as tm ON tm.UserID = u.ID").
 		LeftJoin("Bots b ON ( b.UserId = Users.ID )").
 		Where(sq.Eq{"u.deleteAt": 0}).
+		Where(sq.NotEq{"u.roles": "system_guest"}).
 		Where(sq.Eq{"tm.TeamId": teamID})
 
 	rows, err := query.Query()
@@ -324,6 +290,7 @@ func (s *MattermostAuthLayer) SearchUsersByTeam(teamID string, searchQuery strin
 			sq.Like{"u.lastname": "%" + searchQuery + "%"},
 		}).
 		Where(sq.Eq{"tm.TeamId": teamID}).
+		Where(sq.NotEq{"u.roles": "system_guest"}).
 		OrderBy("u.username").
 		Limit(10)
 
@@ -390,6 +357,32 @@ func (s *MattermostAuthLayer) CreatePrivateWorkspace(userID string) (string, err
 	return channel.Id, nil
 }
 
+func mmUserToFbUser(mmUser *mmModel.User) model.User {
+	props := map[string]interface{}{}
+	for key, value := range mmUser.Props {
+		props[key] = value
+	}
+	authData := ""
+	if mmUser.AuthData != nil {
+		authData = *mmUser.AuthData
+	}
+	return model.User{
+		ID:          mmUser.Id,
+		Username:    mmUser.Username,
+		Email:       mmUser.Email,
+		Password:    mmUser.Password,
+		MfaSecret:   mmUser.MfaSecret,
+		AuthService: mmUser.AuthService,
+		AuthData:    authData,
+		Props:       props,
+		CreateAt:    mmUser.CreateAt,
+		UpdateAt:    mmUser.UpdateAt,
+		DeleteAt:    mmUser.DeleteAt,
+		IsBot:       mmUser.IsBot,
+		IsGuest:     mmUser.IsGuest(),
+	}
+}
+
 func (s *MattermostAuthLayer) GetLicense() *mmModel.License {
 	return s.pluginAPI.GetLicense()
 }