[MM-62687] Patch permission check to avoid modifying the system admin (#30292)

* [MM-62687] Patch permission check to avoid modifying the system admin

* Check for manage system first

* PR feedback

* Add another test

* Lint

* Fix test
Devin Binnie 2025-02-26 15:25:02 -05:00 committed by GitHub
parent a732962f0a
commit 9f49403d0a
GPG key ID: B5690EEEBB952194
3 changed files with 22 additions and 4 deletions


@ -4237,6 +4237,14 @@ func TestSetDefaultProfileImage(t *testing.T) {
_, err = th.SystemAdminClient.SetDefaultProfileImage(context.Background(), user.Id)
require.NoError(t, err)
// Check that a system admin can set the default profile image for another system admin
anotherAdmin := th.CreateUser()
_, appErr := th.App.UpdateUserRoles(th.Context, anotherAdmin.Id, model.SystemAdminRoleId+" "+model.SystemUserRoleId, false)
require.Nil(t, appErr)
_, err = th.SystemAdminClient.SetDefaultProfileImage(context.Background(), anotherAdmin.Id)
require.NoError(t, err)
ruser, appErr := th.App.GetUser(user.Id)
require.Nil(t, appErr)
assert.Less(t, ruser.LastPictureUpdate, iuser.LastPictureUpdate, "LastPictureUpdate should be updated to a lower negative number")
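Review bot: The new `anotherAdmin` block only asserts that `SetDefaultProfileImage` returns no error; unlike the `ruser`/`iuser` comparison below it, it never checks that the other admin's picture was actually reset, so a silent no-op for admin targets would still pass. Re-fetch the user and compare, e.g. `radmin, appErr := th.App.GetUser(anotherAdmin.Id)` / `require.Nil(t, appErr)` / `assert.NotEqual(t, anotherAdmin.LastPictureUpdate, radmin.LastPictureUpdate)` (presumably the field changes on reset, as the existing `assert.Less` implies). The enclosing test body starts above the hunk, where `iuser` is defined.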


@ -202,7 +202,7 @@ func (a *App) SessionHasPermissionToUser(session model.Session, userID string) b
if userID == "" {
return false
}
if session.IsUnrestricted() {
if session.IsUnrestricted() || a.SessionHasPermissionTo(session, model.PermissionManageSystem) {
return true
}
@ -210,11 +210,20 @@ func (a *App) SessionHasPermissionToUser(session model.Session, userID string) b
return true
}
if a.SessionHasPermissionTo(session, model.PermissionEditOtherUsers) {
return true
if !a.SessionHasPermissionTo(session, model.PermissionEditOtherUsers) {
return false
}
return false
user, err := a.GetUser(userID)
if err != nil {
return false
}
if user.IsSystemAdmin() {
return false
}
return true
}
func (a *App) SessionHasPermissionToUserOrBot(rctx request.CTX, session model.Session, userID string) bool {
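Review bot: The new tail of `SessionHasPermissionToUser` changes the contract for callers holding `PermissionEditOtherUsers` (they are now denied for system-admin targets and for any `userID` that does not resolve), but neither denial branch carries a comment, and the function's doc comment, if any, sits above the hunk. I would add `// Fail closed: a target user that cannot be resolved is never editable.` before the `err != nil` return and `// edit_other_users alone must not reach a system admin; only manage_system (checked above) may.` before the `user.IsSystemAdmin()` check. The `err` from `a.GetUser` is also swallowed, so a store failure and a missing user are indistinguishable to whoever debugs an unexpected 403; a debug-level log there would help. Note that every call now costs a user lookup, which is probably acceptable but worth knowing if `SessionHasPermissionToUserOrBot` below also routes through this function.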


@ -382,6 +382,7 @@ func TestSessionHasPermissionToUser(t *testing.T) {
th.AddPermissionToRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
assert.True(t, th.App.SessionHasPermissionToUser(session, th.BasicUser2.Id))
assert.False(t, th.App.SessionHasPermissionToUser(session, th.SystemAdminUser.Id))
th.RemovePermissionFromRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
bot, err := th.App.CreateBot(th.Context, &model.Bot{
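Review bot: The added assertion covers the system-admin target, but the other new fail-closed branch in `SessionHasPermissionToUser` (an unresolvable `userID`, where `GetUser` errors) has no test. One more line while `session` still carries `PermissionEditOtherUsers` would pin it: `assert.False(t, th.App.SessionHasPermissionToUser(session, model.NewId()))`. The enclosing test function starts above the hunk.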