Improve response on team restore (#32118)

Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es> Co-authored-by: Mattermost Build <build@mattermost.com>
2026-05-28 04:35:04 -04:00 · 2025-07-01 18:54:30 +02:00 · 2025-07-01 18:54:30 +02:00 · d8758f8984
commit d8758f8984
parent 0832bf8fd4
2 changed files with 54 additions and 0 deletions
--- a/server/channels/api4/team.go
+++ b/server/channels/api4/team.go
@ -347,6 +347,8 @@ func restoreTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	c.App.SanitizeTeam(*c.AppContext.Session(), team)
+
 	auditRec.AddEventResultState(team)
 	auditRec.AddEventObjectType("team")
 	auditRec.Success()
@ -407,6 +409,8 @@ func updateTeamPrivacy(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	c.App.SanitizeTeam(*c.AppContext.Session(), team)
+
 	auditRec.AddEventResultState(team)
 	auditRec.AddEventObjectType("team")
 	auditRec.Success()
--- a/server/channels/api4/team_test.go
+++ b/server/channels/api4/team_test.go
@ -949,6 +949,56 @@ func TestRestoreTeam(t *testing.T) {
 		require.Equal(t, model.TeamOpen, team.Type)
 	}, "restore active public team")

+	t.Run("sanitization", func(t *testing.T) {
+		t.Run("team admin without invite permission gets sanitized invite id", func(t *testing.T) {
+			team := createTeam(t, true, model.TeamOpen)
+			th.LinkUserToTeam(th.BasicUser2, team)
+
+			client2 := th.CreateClient()
+			th.LoginBasic2WithClient(client2)
+
+			// Make BasicUser2 a team admin
+			resp, err := th.SystemAdminClient.UpdateTeamMemberRoles(context.Background(), team.Id, th.BasicUser2.Id, "team_user team_admin")
+			require.NoError(t, err)
+			CheckOKStatus(t, resp)
+
+			defaultRolePermissions := th.SaveDefaultRolePermissions()
+			defer th.RestoreDefaultRolePermissions(defaultRolePermissions)
+
+			// Remove invite permission from both team user and team admin roles
+			th.RemovePermissionFromRole(model.PermissionInviteUser.Id, model.TeamUserRoleId)
+			th.RemovePermissionFromRole(model.PermissionInviteUser.Id, model.TeamAdminRoleId)
+
+			restoredTeam, _, err := client2.RestoreTeam(context.Background(), team.Id)
+			require.NoError(t, err)
+			require.Empty(t, restoredTeam.InviteId, "InviteId should be sanitized for team admins without invite permission")
+		})
+
+		t.Run("team admin with invite permission gets unsanitized invite id", func(t *testing.T) {
+			team := createTeam(t, true, model.TeamOpen)
+			th.LinkUserToTeam(th.BasicUser2, team)
+
+			client2 := th.CreateClient()
+			th.LoginBasic2WithClient(client2)
+
+			// Make BasicUser2 a team admin
+			resp, err := th.SystemAdminClient.UpdateTeamMemberRoles(context.Background(), team.Id, th.BasicUser2.Id, "team_user team_admin")
+			require.NoError(t, err)
+			CheckOKStatus(t, resp)
+
+			defaultRolePermissions := th.SaveDefaultRolePermissions()
+			defer th.RestoreDefaultRolePermissions(defaultRolePermissions)
+
+			// Ensure team admin role has invite permission
+			th.AddPermissionToRole(model.PermissionInviteUser.Id, model.TeamAdminRoleId)
+
+			restoredTeam, _, err := client2.RestoreTeam(context.Background(), team.Id)
+			require.NoError(t, err)
+			require.NotEmpty(t, restoredTeam.InviteId, "InviteId should be present for team admins with invite permission")
+			require.Equal(t, team.InviteId, restoredTeam.InviteId)
+		})
+	})
+
 	t.Run("not logged in", func(t *testing.T) {
 		_, err := client.Logout(context.Background())
 		require.NoError(t, err)