mirror of
https://github.com/mattermost/mattermost.git
synced 2026-04-13 13:08:56 -04:00
b5a816a657
Some checks are pending
API / build (push) Waiting to run
Server CI / Compute Go Version (push) Waiting to run
Server CI / Check mocks (push) Blocked by required conditions
Server CI / Check go mod tidy (push) Blocked by required conditions
Server CI / check-style (push) Blocked by required conditions
Server CI / Check serialization methods for hot structs (push) Blocked by required conditions
Server CI / Vet API (push) Blocked by required conditions
Server CI / Check migration files (push) Blocked by required conditions
Server CI / Generate email templates (push) Blocked by required conditions
Server CI / Check store layers (push) Blocked by required conditions
Server CI / Check mmctl docs (push) Blocked by required conditions
Server CI / Postgres with binary parameters (push) Blocked by required conditions
Server CI / Postgres (push) Blocked by required conditions
Server CI / Postgres (FIPS) (push) Blocked by required conditions
Server CI / Generate Test Coverage (push) Blocked by required conditions
Server CI / Run mmctl tests (push) Blocked by required conditions
Server CI / Run mmctl tests (FIPS) (push) Blocked by required conditions
Server CI / Build mattermost server app (push) Blocked by required conditions
Web App CI / check-lint (push) Waiting to run
Web App CI / check-i18n (push) Blocked by required conditions
Web App CI / check-types (push) Blocked by required conditions
Web App CI / test (platform) (push) Blocked by required conditions
Web App CI / test (mattermost-redux) (push) Blocked by required conditions
Web App CI / test (channels shard 1/4) (push) Blocked by required conditions
Web App CI / test (channels shard 2/4) (push) Blocked by required conditions
Web App CI / test (channels shard 3/4) (push) Blocked by required conditions
Web App CI / test (channels shard 4/4) (push) Blocked by required conditions
Web App CI / upload-coverage (push) Blocked by required conditions
Web App CI / build (push) Blocked by required conditions
* Add audits for accessing posts without membership * Fix tests * Use correct audit level * Address feedback * Add missing checks all over the app * Fix lint * Fix test * Fix tests * Fix enterprise test * Add missing test and docs * Fix merge * Fix lint * Add audit logs on the web socket hook for permalink posts * Fix lint * Fix merge conflicts * Handle all events with "non_channel_member_access" parameter * Fix lint and tests * Fix merge * Fix tests
223 lines
6.4 KiB
Go
223 lines
6.4 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package api4
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/mattermost/mattermost/server/public/shared/mlog"
|
|
)
|
|
|
|
func (api *API) InitAction() {
|
|
api.BaseRoutes.Post.Handle("/actions/{action_id:[A-Za-z0-9]+}", api.APISessionRequired(doPostAction)).Methods(http.MethodPost)
|
|
|
|
api.BaseRoutes.APIRoot.Handle("/actions/dialogs/open", api.APIHandler(openDialog)).Methods(http.MethodPost)
|
|
api.BaseRoutes.APIRoot.Handle("/actions/dialogs/submit", api.APISessionRequired(submitDialog)).Methods(http.MethodPost)
|
|
api.BaseRoutes.APIRoot.Handle("/actions/dialogs/lookup", api.APISessionRequired(lookupDialog)).Methods(http.MethodPost)
|
|
}
|
|
|
|
// getStringValue safely converts an interface{} value to a string with logging for failures.
|
|
// It handles nil values gracefully and logs warnings when conversion fails.
|
|
func getStringValue(val any, fieldName string, logger *mlog.Logger) string {
|
|
if val == nil {
|
|
return ""
|
|
}
|
|
if str, ok := val.(string); ok {
|
|
return str
|
|
}
|
|
logger.Warn("Failed to convert field to string",
|
|
mlog.String("field", fieldName),
|
|
mlog.String("type", fmt.Sprintf("%T", val)),
|
|
mlog.Any("value", val))
|
|
return ""
|
|
}
|
|
|
|
func doPostAction(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequirePostId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
var actionRequest model.DoPostActionRequest
|
|
err := json.NewDecoder(r.Body).Decode(&actionRequest)
|
|
if err != nil {
|
|
c.Logger.Warn("Error decoding the action request", mlog.Err(err))
|
|
}
|
|
|
|
var cookie *model.PostActionCookie
|
|
if actionRequest.Cookie != "" {
|
|
cookie = &model.PostActionCookie{}
|
|
cookieStr := ""
|
|
cookieStr, err = model.DecryptPostActionCookie(actionRequest.Cookie, c.App.PostActionCookieSecret())
|
|
if err != nil {
|
|
c.Err = model.NewAppError("DoPostAction", "api.post.do_action.action_integration.app_error", nil, "", http.StatusBadRequest).Wrap(err)
|
|
return
|
|
}
|
|
err = json.Unmarshal([]byte(cookieStr), &cookie)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("DoPostAction", "api.post.do_action.action_integration.app_error", nil, "", http.StatusBadRequest).Wrap(err)
|
|
return
|
|
}
|
|
channel, err := c.App.GetChannel(c.AppContext, cookie.ChannelId)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
if ok, _ := c.App.SessionHasPermissionToReadChannel(c.AppContext, *c.AppContext.Session(), channel); !ok {
|
|
c.SetPermissionError(model.PermissionReadChannelContent)
|
|
return
|
|
}
|
|
} else {
|
|
if ok, _ := c.App.SessionHasPermissionToReadPost(c.AppContext, *c.AppContext.Session(), c.Params.PostId); !ok {
|
|
c.SetPermissionError(model.PermissionReadChannelContent)
|
|
return
|
|
}
|
|
}
|
|
|
|
var appErr *model.AppError
|
|
resp := &model.PostActionAPIResponse{Status: "OK"}
|
|
|
|
resp.TriggerId, appErr = c.App.DoPostActionWithCookie(c.AppContext, c.Params.PostId, c.Params.ActionId, c.AppContext.Session().UserId,
|
|
actionRequest.SelectedOption, cookie)
|
|
if appErr != nil {
|
|
c.Err = appErr
|
|
return
|
|
}
|
|
|
|
err = json.NewEncoder(w).Encode(resp)
|
|
if err != nil {
|
|
c.Logger.Warn("Error writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
func openDialog(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
var dialog model.OpenDialogRequest
|
|
err := json.NewDecoder(r.Body).Decode(&dialog)
|
|
if err != nil {
|
|
c.SetInvalidParamWithErr("dialog", err)
|
|
return
|
|
}
|
|
|
|
if dialog.URL == "" {
|
|
c.SetInvalidParam("url")
|
|
return
|
|
}
|
|
|
|
if appErr := c.App.OpenInteractiveDialog(c.AppContext, dialog); appErr != nil {
|
|
c.Err = appErr
|
|
return
|
|
}
|
|
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func submitDialog(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
var submit model.SubmitDialogRequest
|
|
|
|
jsonErr := json.NewDecoder(r.Body).Decode(&submit)
|
|
if jsonErr != nil {
|
|
c.SetInvalidParamWithErr("dialog", jsonErr)
|
|
return
|
|
}
|
|
|
|
if submit.URL == "" {
|
|
c.SetInvalidParam("url")
|
|
return
|
|
}
|
|
|
|
submit.UserId = c.AppContext.Session().UserId
|
|
|
|
channel, err := c.App.GetChannel(c.AppContext, submit.ChannelId)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
if ok, _ := c.App.SessionHasPermissionToReadChannel(c.AppContext, *c.AppContext.Session(), channel); !ok {
|
|
c.SetPermissionError(model.PermissionReadChannelContent)
|
|
return
|
|
}
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), submit.TeamId, model.PermissionViewTeam) {
|
|
c.SetPermissionError(model.PermissionViewTeam)
|
|
return
|
|
}
|
|
|
|
resp, err := c.App.SubmitInteractiveDialog(c.AppContext, submit)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
b, _ := json.Marshal(resp)
|
|
|
|
if _, err := w.Write(b); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|
|
|
|
// lookupDialog handles API requests for dynamic dialog element lookups.
|
|
// It validates the request URL for security, checks user permissions, and
|
|
// delegates to the app layer for the actual lookup operation.
|
|
func lookupDialog(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
var lookup model.SubmitDialogRequest
|
|
|
|
jsonErr := json.NewDecoder(r.Body).Decode(&lookup)
|
|
if jsonErr != nil {
|
|
c.SetInvalidParamWithErr("dialog", jsonErr)
|
|
return
|
|
}
|
|
|
|
if lookup.URL == "" {
|
|
c.SetInvalidParam("url")
|
|
return
|
|
}
|
|
|
|
// Validate URL for security
|
|
if !model.IsValidLookupURL(lookup.URL) {
|
|
c.SetInvalidParam("url")
|
|
return
|
|
}
|
|
|
|
lookup.UserId = c.AppContext.Session().UserId
|
|
|
|
channel, err := c.App.GetChannel(c.AppContext, lookup.ChannelId)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
if ok, _ := c.App.SessionHasPermissionToReadChannel(c.AppContext, *c.AppContext.Session(), channel); !ok {
|
|
c.SetPermissionError(model.PermissionReadChannelContent)
|
|
return
|
|
}
|
|
|
|
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), lookup.TeamId, model.PermissionViewTeam) {
|
|
c.SetPermissionError(model.PermissionViewTeam)
|
|
return
|
|
}
|
|
|
|
c.Logger.Debug("Performing lookup dialog request",
|
|
mlog.String("url", lookup.URL),
|
|
mlog.String("user_id", lookup.UserId),
|
|
mlog.String("channel_id", lookup.ChannelId),
|
|
mlog.String("team_id", lookup.TeamId),
|
|
mlog.String("selected_field", getStringValue(lookup.Submission["selected_field"], "selected_field", c.Logger)),
|
|
mlog.String("query", getStringValue(lookup.Submission["query"], "query", c.Logger)),
|
|
)
|
|
|
|
resp, err := c.App.LookupInteractiveDialog(c.AppContext, lookup)
|
|
if err != nil {
|
|
c.Logger.Error("Error performing lookup dialog", mlog.Err(err))
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
b, _ := json.Marshal(resp)
|
|
|
|
if _, err := w.Write(b); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|