Fixing keywords post (#1962)

* Fixing keywords post * Add test
mattermost · Dec 4, 2024 · 2f2d83e · 2f2d83e
1 parent bf2633d
commit 2f2d83e
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 0 deletions.
diff --git a/server/api/playbook_runs.go b/server/api/playbook_runs.go
@@ -390,6 +390,7 @@ func (h *PlaybookRunHandler) addToTimelineDialog(c *Context, w http.ResponseWrit
 
 	if !h.pluginAPI.User.HasPermissionToChannel(userID, post.ChannelId, model.PermissionReadChannel) {
 		h.HandleErrorWithCode(w, c.logger, http.StatusForbidden, "no permission to post specified", nil)
+		return
 	}
 
 	if err = h.playbookRunService.AddPostToTimeline(playbookRunID, userID, post, summary); err != nil {

diff --git a/server/api/signal.go b/server/api/signal.go
@@ -93,6 +93,7 @@ func (h *SignalHandler) playbookRun(c *Context, w http.ResponseWriter, r *http.R
 
 func (h *SignalHandler) ignoreKeywords(c *Context, w http.ResponseWriter, r *http.Request) {
 	publicErrorMessage := "unable to decode post action integration request"
+	userID := r.Header.Get("Mattermost-User-ID")
 
 	var req *model.PostActionIntegrationRequest
 	err := json.NewDecoder(r.Body).Decode(&req)
@@ -107,6 +108,11 @@ func (h *SignalHandler) ignoreKeywords(c *Context, w http.ResponseWriter, r *htt
 		return
 	}
 
+	if !h.api.User.HasPermissionToChannel(userID, botPost.ChannelId, model.PermissionReadChannel) {
+		h.HandleErrorWithCode(w, c.logger, http.StatusForbidden, "no permission to post specified", nil)
+		return
+	}
+
 	postID, err := getStringField("postID", req.Context)
 	if err != nil {
 		h.returnError(publicErrorMessage, err, c.logger, w)

diff --git a/server/api_runs_test.go b/server/api_runs_test.go
@@ -1281,6 +1281,96 @@ func TestChecklisFailTooLarge(t *testing.T) {
 	})
 }
 
+func TestIgnoreKeywords(t *testing.T) {
+	e := Setup(t)
+	e.CreateBasic()
+	botID := e.Srv.Config().PluginSettings.Plugins[manifest.Id]["BotUserID"].(string)
+
+	t.Run("no permission to channel", func(t *testing.T) {
+		// Create a bot post in the private channel
+		botPost := &model.Post{
+			UserId:    botID,
+			ChannelId: e.BasicPrivateChannel.Id,
+			Message:   "test message",
+			Props: model.StringInterface{
+				"attachments": []*model.SlackAttachment{
+					{
+						Actions: []*model.PostAction{
+							{
+								Id: "ignoreKeywordsButton",
+							},
+						},
+					},
+				},
+			},
+		}
+		botPost, err := e.Srv.Store().Post().Save(botPost)
+		require.NoError(t, err)
+
+		// Create post action request
+		req := &model.PostActionIntegrationRequest{
+			UserId: e.RegularUser.Id,
+			Context: map[string]interface{}{
+				"post_id": botPost.Id,
+			},
+			PostId: botPost.Id,
+		}
+
+		// Convert request to JSON
+		reqBytes, err := json.Marshal(req)
+		require.NoError(t, err)
+
+		// Make the request
+		result, err := e.ServerClient.DoAPIRequestBytes("POST", e.ServerClient.URL+"/plugins/"+manifest.Id+"/api/v0/signal/keywords/ignore-thread", reqBytes, "")
+		require.Error(t, err)
+		require.Equal(t, http.StatusForbidden, result.StatusCode)
+	})
+
+	t.Run("has permission to channel", func(t *testing.T) {
+		// Add user to private channel
+		_, _, err := e.ServerAdminClient.AddChannelMember(e.BasicPrivateChannel.Id, e.RegularUser.Id)
+		require.NoError(t, err)
+
+		// Create a bot post in the private channel
+		botPost := &model.Post{
+			UserId:    botID,
+			ChannelId: e.BasicPrivateChannel.Id,
+			Message:   "test message",
+			Props: model.StringInterface{
+				"attachments": []*model.SlackAttachment{
+					{
+						Actions: []*model.PostAction{
+							{
+								Id: "ignoreKeywordsButton",
+							},
+						},
+					},
+				},
+			},
+		}
+		botPost, err = e.Srv.Store().Post().Save(botPost)
+		require.NoError(t, err)
+
+		// Create post action request
+		req := &model.PostActionIntegrationRequest{
+			UserId: e.RegularUser.Id,
+			Context: map[string]interface{}{
+				"post_id": botPost.Id,
+			},
+			PostId: botPost.Id,
+		}
+
+		// Convert request to JSON
+		reqBytes, err := json.Marshal(req)
+		require.NoError(t, err)
+
+		// Make the request
+		result, err := e.ServerClient.DoAPIRequestBytes("POST", e.ServerClient.URL+"/plugins/"+manifest.Id+"/api/v0/signal/keywords/ignore-thread", reqBytes, "")
+		require.NoError(t, err)
+		require.Equal(t, http.StatusOK, result.StatusCode)
+	})
+}
+
 func TestRunGetStatusUpdates(t *testing.T) {
 	e := Setup(t)
 	e.CreateBasic()
-Original file line number
+Diff line change
@@ Expand Up @@
     	if !h.pluginAPI.User.HasPermissionToChannel(userID, post.ChannelId, model.PermissionReadChannel) {
     		h.HandleErrorWithCode(w, c.logger, http.StatusForbidden, "no permission to post specified", nil)
+    		return
     	}
     	if err = h.playbookRunService.AddPostToTimeline(playbookRunID, userID, post, summary); err != nil {
@@ Expand Down @@