From 2f2d83e0a508325e3a502501ec473e2e39a88bde Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Wed, 4 Dec 2024 10:16:06 -0800
Subject: [PATCH] Fixing keywords post (#1962)

* Fixing keywords post

* Add test
---
 server/api/playbook_runs.go | 1 +
 server/api/signal.go | 6 +++
 server/api_runs_test.go | 90 +++++++++++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+)

diff --git a/server/api/playbook_runs.go b/server/api/playbook_runs.go
index 4e93fb8819..f55228dcee 100644
--- a/server/api/playbook_runs.go
+++ b/server/api/playbook_runs.go
@@ -390,6 +390,7 @@ func (h *PlaybookRunHandler) addToTimelineDialog(c *Context, w http.ResponseWrit
 if !h.pluginAPI.User.HasPermissionToChannel(userID, post.ChannelId, model.PermissionReadChannel) {
 h.HandleErrorWithCode(w, c.logger, http.StatusForbidden, "no permission to post specified", nil)
+ return
 }
 if err = h.playbookRunService.AddPostToTimeline(playbookRunID, userID, post, summary); err != nil {
diff --git a/server/api/signal.go b/server/api/signal.go
index 634bb0c6c1..c84705dbb0 100644
--- a/server/api/signal.go
+++ b/server/api/signal.go
@@ -93,6 +93,7 @@ func (h *SignalHandler) playbookRun(c *Context, w http.ResponseWriter, r *http.R
 func (h *SignalHandler) ignoreKeywords(c *Context, w http.ResponseWriter, r *http.Request) {
 publicErrorMessage := "unable to decode post action integration request"
+ userID := r.Header.Get("Mattermost-User-ID")
 var req *model.PostActionIntegrationRequest
 err := json.NewDecoder(r.Body).Decode(&req)
@@ -107,6 +108,11 @@ func (h *SignalHandler) ignoreKeywords(c *Context, w http.ResponseWriter, r *htt
 return
 }
+ if !h.api.User.HasPermissionToChannel(userID, botPost.ChannelId, model.PermissionReadChannel) {
+ h.HandleErrorWithCode(w, c.logger, http.StatusForbidden, "no permission to post specified", nil)
+ return
+ }
+ + postID, err := getStringField("postID", req.Context) + if err != nil { + h.returnError(publicErrorMessage, err, c.logger, w)
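Review bot: The added `return` in addToTimelineDialog ships without a regression test, whereas the analogous check in ignoreKeywords gets one in server/api_runs_test.go; the visible lines show that without it the 403 is written and execution still falls through to `h.playbookRunService.AddPostToTimeline(...)`, so a test that submits the dialog for a post in a channel the caller cannot read and asserts no timeline event was created would pin this. `HandleErrorWithCode` evidently does not terminate the handler, so every call site needs an explicit `return` after it; a grep for that pattern across the API package is worth doing as part of this fix. The body of addToTimelineDialog starts and ends outside the hunk.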
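Review bot: The context key the handler reads right after the new permission check is `"postID"` (`getStringField("postID", req.Context)`, last lines of the second hunk), but the new test in server/api_runs_test.go sends `Context: {"post_id": botPost.Id}`, so in the "has permission to channel" subtest the request presumably leaves through `h.returnError` instead of reaching the ignore logic; if `returnError` answers 200 (its body is not visible here), the `http.StatusOK` assertion passes without exercising the success path, so the test should send `"postID": botPost.Id` or assert on the decoded response body as well. Taking `userID` from the `Mattermost-User-ID` header rather than `req.UserId` is the right choice, since the server sets that header when it forwards the request to the plugin while the body field is caller-supplied; a one-line comment at the first hunk, `// Identity comes from the server-set header, never from req.UserId in the body.`, would keep a later refactor from switching to the body field. `botPost` is obtained between the two hunks and ignoreKeywords continues past the second, so neither is fully visible.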
diff --git a/server/api_runs_test.go b/server/api_runs_test.go
index bfaca6a04c..e518675195 100644
--- a/server/api_runs_test.go
+++ b/server/api_runs_test.go
@@ -1281,6 +1281,96 @@ func TestChecklisFailTooLarge(t *testing.T) {
 })
 }
+func TestIgnoreKeywords(t *testing.T) {
+ e := Setup(t)
+ e.CreateBasic()
+ botID := e.Srv.Config().PluginSettings.Plugins[manifest.Id]["BotUserID"].(string)
+
+ t.Run("no permission to channel", func(t *testing.T) {
+ // Create a bot post in the private channel
+ botPost := &model.Post{
+ UserId: botID,
+ ChannelId: e.BasicPrivateChannel.Id,
+ Message: "test message",
+ Props: model.StringInterface{
+ "attachments": []*model.SlackAttachment{
+ {
+ Actions: []*model.PostAction{
+ {
+ Id: "ignoreKeywordsButton",
+ },
+ },
+ },
+ },
+ },
+ }
+ botPost, err := e.Srv.Store().Post().Save(botPost)
+ require.NoError(t, err)
+
+ // Create post action request
+ req := &model.PostActionIntegrationRequest{
+ UserId: e.RegularUser.Id,
+ Context: map[string]interface{}{
+ "post_id": botPost.Id,
+ },
+ PostId: botPost.Id,
+ }
+
+ // Convert request to JSON
+ reqBytes, err := json.Marshal(req)
+ require.NoError(t, err)
+
+ // Make the request
+ result, err := e.ServerClient.DoAPIRequestBytes("POST", e.ServerClient.URL+"/plugins/"+manifest.Id+"/api/v0/signal/keywords/ignore-thread", reqBytes, "")
+ require.Error(t, err)
+ require.Equal(t, http.StatusForbidden, result.StatusCode)
+ })
+
+ t.Run("has permission to channel", func(t *testing.T) {
+ // Add user to private channel
+ _, _, err := e.ServerAdminClient.AddChannelMember(e.BasicPrivateChannel.Id, e.RegularUser.Id)
+ require.NoError(t, err)
+
+ // Create a bot post in the private channel
+ botPost := &model.Post{
+ UserId: botID,
+ ChannelId: e.BasicPrivateChannel.Id,
+ Message: "test message",
+ Props: model.StringInterface{
+ "attachments": []*model.SlackAttachment{
+ {
+ Actions: []*model.PostAction{
+ {
+ Id: "ignoreKeywordsButton",
+ },
+ },
+ },
+ },
+ },
+ }
+ botPost, err = e.Srv.Store().Post().Save(botPost)
+ require.NoError(t, err)
+
+ // Create post action request
+ req := &model.PostActionIntegrationRequest{
+ UserId: e.RegularUser.Id,
+ Context: map[string]interface{}{
+ "post_id": botPost.Id,
+ },
+ PostId: botPost.Id,
+ }
+
+ // Convert request to JSON
+ reqBytes, err := json.Marshal(req)
+ require.NoError(t, err)
+
+ // Make the request
+ result, err := e.ServerClient.DoAPIRequestBytes("POST", e.ServerClient.URL+"/plugins/"+manifest.Id+"/api/v0/signal/keywords/ignore-thread", reqBytes, "")
+ require.NoError(t, err)
+ require.Equal(t, http.StatusOK, result.StatusCode)
+ })
+}
+ func TestRunGetStatusUpdates(t *testing.T) { + e := Setup(t) + e.CreateBasic()
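Review bot: Both subtests of TestIgnoreKeywords build the same bot post and action request verbatim (about 25 lines each), which buries the only differences — the channel membership and the expected status — and invites the two copies to drift; a closure inside the test that saves the post and returns the encoded request removes the duplication (below). The assertions check only `result.StatusCode`: the forbidden case should additionally confirm that whatever state ignoreKeywords updates was left untouched, and the success case should decode the `model.PostActionIntegrationResponse` so a handler error that still answers 200 cannot pass as success. `result` is dereferenced after `require.Error(t, err)` in the first subtest, which is only safe if `DoAPIRequestBytes` returns a non-nil response alongside the error; a short comment there, `// DoAPIRequestBytes returns the response together with the error on non-2xx`, would record that assumption if it holds.
```go
	// newRequest saves a bot post carrying the ignore-keywords button in the
	// basic private channel and returns the encoded action request for it.
	newRequest := func(t *testing.T) []byte {
		t.Helper()
		botPost, err := e.Srv.Store().Post().Save(&model.Post{
			UserId:    botID,
			ChannelId: e.BasicPrivateChannel.Id,
			Message:   "test message",
			Props: model.StringInterface{
				"attachments": []*model.SlackAttachment{
					{Actions: []*model.PostAction{{Id: "ignoreKeywordsButton"}}},
				},
			},
		})
		require.NoError(t, err)
		reqBytes, err := json.Marshal(&model.PostActionIntegrationRequest{
			UserId:  e.RegularUser.Id,
			Context: map[string]interface{}{"post_id": botPost.Id},
			PostId:  botPost.Id,
		})
		require.NoError(t, err)
		return reqBytes
	}
	ignoreURL := e.ServerClient.URL + "/plugins/" + manifest.Id + "/api/v0/signal/keywords/ignore-thread"

	t.Run("no permission to channel", func(t *testing.T) {
		result, err := e.ServerClient.DoAPIRequestBytes("POST", ignoreURL, newRequest(t), "")
		require.Error(t, err)
		require.Equal(t, http.StatusForbidden, result.StatusCode)
	})
	// … unchanged: "has permission to channel" adds the member, then the same three lines expecting http.StatusOK …
```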