MM-62500 - Apply Delete check on commands (#29896)

* apply delete check on commands, add tests * combine tests --------- Co-authored-by: Mattermost Build <build@mattermost.com>
2026-05-28 04:35:04 -04:00 · 2025-01-30 08:20:36 -07:00 · 2025-01-30 08:20:36 -07:00 · f2af360401
commit f2af360401
parent 1f34d784dd
3 changed files with 26 additions and 0 deletions
--- a/server/channels/api4/command.go
+++ b/server/channels/api4/command.go
@ -335,6 +335,11 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if channel.DeleteAt != 0 {
+		c.Err = model.NewAppError("createPost", "api.command.execute_command.deleted.error", nil, "", http.StatusBadRequest)
+		return
+	}
+
 	if channel.Type != model.ChannelTypeDirect && channel.Type != model.ChannelTypeGroup {
 		// if this isn't a DM or GM, the team id is implicitly taken from the channel so that slash commands created on
 		// some other team can't be run against this one
--- a/server/channels/api4/command_test.go
+++ b/server/channels/api4/command_test.go
@ -1140,4 +1140,21 @@ func TestExecuteCommandReadOnly(t *testing.T) {
 	_, resp, err = client.ExecuteCommandWithTeam(context.Background(), th.BasicChannel.Id, th.BasicChannel.TeamId, "/postcommand")
 	require.Error(t, err)
 	CheckForbiddenStatus(t, resp)
+
+	// Confirm that the command works when the channel is not read only - use different channel
+	_, resp, err = client.ExecuteCommandWithTeam(context.Background(), th.BasicChannel2.Id, th.BasicChannel2.TeamId, "/postcommand")
+	require.NoError(t, err)
+	CheckOKStatus(t, resp)
+
+	appErr = th.App.DeleteChannel(
+		th.Context,
+		th.BasicChannel2,
+		th.SystemAdminUser.Id,
+	)
+	require.Nil(t, appErr, "failed to delete channel")
+
+	// Confirm that the command fails when the channel is archived
+	_, resp, err = client.ExecuteCommandWithTeam(context.Background(), th.BasicChannel2.Id, th.BasicChannel2.TeamId, "/postcommand")
+	require.Error(t, err)
+	CheckBadRequestStatus(t, resp)
 }
--- a/server/i18n/en.json
+++ b/server/i18n/en.json
@ -603,6 +603,10 @@
    "id": "api.command.execute_command.create_post_failed.app_error",
    "translation": "Command '{{.Trigger}}' failed to post response. Please contact your System Administrator."
  },
+  {
+    "id": "api.command.execute_command.deleted.error",
+    "translation": "Can not run command in deleted channel."
+  },
  {
    "id": "api.command.execute_command.failed.app_error",
    "translation": "Command with a trigger of '{{.Trigger}}' failed."