MM-59540 Ensure user has invite team permission in order to change setting (#28670)

* ensure user has invite team permission in order to change setting * add tests and handle UI * lint fixes * revert changes to invite section input * update tests * revert bad merge --------- Co-authored-by: Mattermost Build <build@mattermost.com>
2026-05-28 04:35:04 -04:00 · 2024-11-20 16:02:32 -07:00 · 2024-11-20 16:02:32 -07:00 · 790103fae0
commit 790103fae0
parent 11b66de686
5 changed files with 78 additions and 3 deletions
--- a/server/channels/api4/team.go
+++ b/server/channels/api4/team.go
@ -251,6 +251,12 @@ func patchTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// if changing "AllowOpenInvite" or "AllowedDomains", user must have InviteUser permission
+	if (team.AllowOpenInvite != nil || team.AllowedDomains != nil) && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), c.Params.TeamId, model.PermissionInviteUser) {
+		c.SetPermissionError(model.PermissionInviteUser)
+		return
+	}
+
 	if oldTeam, err := c.App.GetTeam(c.Params.TeamId); err == nil {
 		auditRec.AddEventPriorState(oldTeam)
 		auditRec.AddEventObjectType("team")
--- a/server/channels/api4/team_test.go
+++ b/server/channels/api4/team_test.go
@ -618,6 +618,39 @@ func TestPatchTeam(t *testing.T) {
 		_, _, err = client.PatchTeam(context.Background(), th.BasicTeam.Id, patch)
 		require.NoError(t, err)
 	})
+
+	t.Run("Changing AllowOpenInvite requires InviteUser permission", func(t *testing.T) {
+		th.LoginTeamAdmin()
+		team2 := &model.Team{DisplayName: "Name", Name: GenerateTestTeamName(), Email: th.GenerateTestEmail(), Type: model.TeamOpen, AllowOpenInvite: true}
+		team2, _, _ = th.Client.CreateTeam(context.Background(), team2)
+
+		patch2 := &model.TeamPatch{
+			AllowOpenInvite: model.NewPointer(false),
+			AllowedDomains:  model.NewPointer("test.com"),
+		}
+
+		rteam2, _, err3 := th.Client.PatchTeam(context.Background(), team2.Id, patch2)
+		require.NoError(t, err3)
+		require.Equal(t, team2.Id, rteam2.Id)
+		require.False(t, rteam2.AllowOpenInvite)
+
+		// remove invite user permission from team admin and user roles
+		th.RemovePermissionFromRole(model.PermissionInviteUser.Id, model.TeamAdminRoleId)
+		th.RemovePermissionFromRole(model.PermissionInviteUser.Id, model.TeamUserRoleId)
+
+		patch2 = &model.TeamPatch{
+			AllowOpenInvite: model.NewPointer(true),
+		}
+
+		_, _, err3 = th.Client.PatchTeam(context.Background(), rteam2.Id, patch2)
+		require.Error(t, err3)
+
+		patch2 = &model.TeamPatch{
+			AllowedDomains: model.NewPointer("testDomain.com"),
+		}
+		_, _, err3 = th.Client.PatchTeam(context.Background(), rteam2.Id, patch2)
+		require.Error(t, err3)
+	})
 }

 func TestRestoreTeam(t *testing.T) {
--- a/webapp/channels/src/components/team_settings_modal/index.ts
+++ b/webapp/channels/src/components/team_settings_modal/index.ts
@ -3,6 +3,10 @@

 import {connect} from 'react-redux';

+import {Permissions} from 'mattermost-redux/constants';
+import {haveITeamPermission} from 'mattermost-redux/selectors/entities/roles';
+import {getCurrentTeamId} from 'mattermost-redux/selectors/entities/teams';
+
 import {isModalOpen} from 'selectors/views/modals';

 import {ModalIdentifiers} from 'utils/constants';
@ -12,9 +16,12 @@ import type {GlobalState} from 'types/store';
 import TeamSettingsModal from './team_settings_modal';

 function mapStateToProps(state: GlobalState) {
+    const teamId = getCurrentTeamId(state);
+    const canInviteUsers = haveITeamPermission(state, teamId, Permissions.INVITE_USER);
    const modalId = ModalIdentifiers.TEAM_SETTINGS;
    return {
        show: isModalOpen(state, modalId),
+        canInviteUsers,
    };
 }

--- a/webapp/channels/src/components/team_settings_modal/team_settings_modal.test.tsx
+++ b/webapp/channels/src/components/team_settings_modal/team_settings_modal.test.tsx
@ -10,8 +10,8 @@ import {renderWithContext} from 'tests/react_testing_utils';

 describe('components/team_settings_modal', () => {
    const baseProps = {
-        isCloud: false,
        onExited: jest.fn(),
+        canInviteUsers: true,
    };

    test('should hide the modal when the close button is clicked', async () => {
@ -25,5 +25,31 @@ describe('components/team_settings_modal', () => {
        fireEvent.click(screen.getByText('Close'));
        expect(modal.className).toBe('fade modal');
    });
+
+    test('should display access tab when can invite users', async () => {
+        const props = {...baseProps, canInviteUsers: true};
+        renderWithContext(
+            <TeamSettingsModal
+                {...props}
+            />,
+        );
+        const infoButton = screen.getByRole('tab', {name: 'info'});
+        expect(infoButton).toBeDefined();
+        const accessButton = screen.getByRole('tab', {name: 'access'});
+        expect(accessButton).toBeDefined();
+    });
+
+    test('should not display access tab when can not invite users', async () => {
+        const props = {...baseProps, canInviteUsers: false};
+        renderWithContext(
+            <TeamSettingsModal
+                {...props}
+            />,
+        );
+        const tabs = screen.getAllByRole('tab');
+        expect(tabs.length).toEqual(1);
+        const infoButton = screen.getByRole('tab', {name: 'info'});
+        expect(infoButton).toBeDefined();
+    });
 });

--- a/webapp/channels/src/components/team_settings_modal/team_settings_modal.tsx
+++ b/webapp/channels/src/components/team_settings_modal/team_settings_modal.tsx
@ -12,9 +12,10 @@ const SettingsSidebar = React.lazy(() => import('components/settings_sidebar'));

 type Props = {
    onExited: () => void;
+    canInviteUsers: boolean;
 }

-const TeamSettingsModal = ({onExited}: Props) => {
+const TeamSettingsModal = ({onExited, canInviteUsers}: Props) => {
    const [activeTab, setActiveTab] = useState('info');
    const [show, setShow] = useState<boolean>(true);
    const [hasChanges, setHasChanges] = useState<boolean>(false);
@ -49,8 +50,10 @@ const TeamSettingsModal = ({onExited}: Props) => {

    const tabs = [
        {name: 'info', uiName: formatMessage({id: 'team_settings_modal.infoTab', defaultMessage: 'Info'}), icon: 'icon icon-information-outline', iconTitle: formatMessage({id: 'generic_icons.info', defaultMessage: 'Info Icon'})},
-        {name: 'access', uiName: formatMessage({id: 'team_settings_modal.accessTab', defaultMessage: 'Access'}), icon: 'icon icon-account-multiple-outline', iconTitle: formatMessage({id: 'generic_icons.member', defaultMessage: 'Member Icon'})},
    ];
+    if (canInviteUsers) {
+        tabs.push({name: 'access', uiName: formatMessage({id: 'team_settings_modal.accessTab', defaultMessage: 'Access'}), icon: 'icon icon-account-multiple-outline', iconTitle: formatMessage({id: 'generic_icons.member', defaultMessage: 'Member Icon'})});
+    }

    return (
        <Modal