upstream/mattermost
1
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2026-02-18 18:18:23 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
mattermost/server/channels/api4/scheduled_post.go
Pablo Vélez e46bea673d
Some checks are pending
API / build (push) Waiting to run
Details
Server CI / Compute Go Version (push) Waiting to run
Details
Server CI / Check mocks (push) Blocked by required conditions
Details
Server CI / Check go mod tidy (push) Blocked by required conditions
Details
Server CI / check-style (push) Blocked by required conditions
Details
Server CI / Check serialization methods for hot structs (push) Blocked by required conditions
Details
Server CI / Vet API (push) Blocked by required conditions
Details
Server CI / Check migration files (push) Blocked by required conditions
Details
Server CI / Generate email templates (push) Blocked by required conditions
Details
Server CI / Check store layers (push) Blocked by required conditions
Details
Server CI / Check mmctl docs (push) Blocked by required conditions
Details
Server CI / Postgres with binary parameters (push) Blocked by required conditions
Details
Server CI / Postgres (push) Blocked by required conditions
Details
Server CI / Postgres (FIPS) (push) Blocked by required conditions
Details
Server CI / Generate Test Coverage (push) Blocked by required conditions
Details
Server CI / Run mmctl tests (push) Blocked by required conditions
Details
Server CI / Run mmctl tests (FIPS) (push) Blocked by required conditions
Details
Server CI / Build mattermost server app (push) Blocked by required conditions
Details
Web App CI / check-lint (push) Waiting to run
Details
Web App CI / check-i18n (push) Blocked by required conditions
Details
Web App CI / check-types (push) Blocked by required conditions
Details
Web App CI / test (platform) (push) Blocked by required conditions
Details
Web App CI / test (mattermost-redux) (push) Blocked by required conditions
Details
Web App CI / test (channels shard 1/4) (push) Blocked by required conditions
Details
Web App CI / test (channels shard 2/4) (push) Blocked by required conditions
Details
Web App CI / test (channels shard 3/4) (push) Blocked by required conditions
Details
Web App CI / test (channels shard 4/4) (push) Blocked by required conditions
Details
Web App CI / upload-coverage (push) Blocked by required conditions
Details
Web App CI / build (push) Blocked by required conditions
Details
MM-67312: Restrict Burn-on-Read for self DMs and bot users (#35116) 
* MM-67312: Restrict Burn-on-Read for self DMs and bot users

* fix lint issues

* use utility function to make code more reliable

* add test case for deleted user and handle restrictively that scenario

* fix i18n

* Allow bots to send BoR; block only self-DMs & DMs with bots

* Refactor BoR validation to API layer with individual params

* adjust comment

* Fix BoR validation to fail-closed when context unavailable

* Fix variable shadowing in CreatePost burn-on-read validation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* remove translation entry

* fix linter

---------

Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-02-12 14:10:05 -05:00

287 lines
9 KiB
Go
Raw Blame History

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.
package api4
import (
"encoding/json"
"net/http"
"github.com/gorilla/mux"
"github.com/mattermost/mattermost/server/v8/channels/app"
"github.com/mattermost/mattermost/server/public/model"
"github.com/mattermost/mattermost/server/public/shared/mlog"
)
func (api *API) InitScheduledPost() {
api.BaseRoutes.Posts.Handle("/schedule", api.APISessionRequired(createSchedulePost)).Methods(http.MethodPost)
api.BaseRoutes.Posts.Handle("/schedule/{scheduled_post_id:[A-Za-z0-9]+}", api.APISessionRequired(updateScheduledPost)).Methods(http.MethodPut)
api.BaseRoutes.Posts.Handle("/schedule/{scheduled_post_id:[A-Za-z0-9]+}", api.APISessionRequired(deleteScheduledPost)).Methods(http.MethodDelete)
api.BaseRoutes.Posts.Handle("/scheduled/team/{team_id:[A-Za-z0-9]+}", api.APISessionRequired(getTeamScheduledPosts)).Methods(http.MethodGet)
}
func scheduledPostChecks(where string, c *Context, scheduledPost *model.ScheduledPost) {
// ***************************************************************
// NOTE - if you make any change here, please make sure to apply the
// same change for scheduled posts job as well in the `canPostScheduledPost()` function
// in app layer.
// ***************************************************************
userCreatePostPermissionCheckWithContext(c, scheduledPost.ChannelId)
if c.Err != nil {
return
}
postHardenedModeCheckWithContext(where, c, scheduledPost.GetProps())
if c.Err != nil {
return
}
postPriorityCheckWithContext(where, c, scheduledPost.GetPriority(), scheduledPost.RootId)
if c.Err != nil {
return
}
// Validate burn-on-read restrictions for scheduled post
post := &model.Post{
ChannelId: scheduledPost.ChannelId,
UserId: scheduledPost.UserId,
Type: scheduledPost.Type,
}
postBurnOnReadCheckWithContext(where, c, post, nil)
}
func requireScheduledPostsEnabled(c *Context) {
if !*c.App.Srv().Config().ServiceSettings.ScheduledPosts {
c.Err = model.NewAppError("", "api.scheduled_posts.feature_disabled", nil, "", http.StatusBadRequest)
return
}
if c.App.Channels().License() == nil {
c.Err = model.NewAppError("", "api.scheduled_posts.license_error", nil, "", http.StatusBadRequest)
return
}
}
func createSchedulePost(c *Context, w http.ResponseWriter, r *http.Request) {
requireScheduledPostsEnabled(c)
if c.Err != nil {
return
}
connectionID := r.Header.Get(model.ConnectionId)
var scheduledPost model.ScheduledPost
if err := json.NewDecoder(r.Body).Decode(&scheduledPost); err != nil {
c.SetInvalidParamWithErr("schedule_post", err)
return
}
scheduledPost.UserId = c.AppContext.Session().UserId
scheduledPost.SanitizeInput()
auditRec := c.MakeAuditRecord(model.AuditEventCreateSchedulePost, model.AuditStatusFail)
defer c.LogAuditRecWithLevel(auditRec, app.LevelContent)
model.AddEventParameterAuditableToAuditRec(auditRec, "scheduledPost", &scheduledPost)
if len(scheduledPost.FileIds) > 0 {
if ok, _ := c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), scheduledPost.ChannelId, model.PermissionUploadFile); !ok {
c.SetPermissionError(model.PermissionUploadFile)
return
}
}
scheduledPostChecks("Api4.createSchedulePost", c, &scheduledPost)
if c.Err != nil {
return
}
createdScheduledPost, appErr := c.App.SaveScheduledPost(c.AppContext, &scheduledPost, connectionID)
if appErr != nil {
c.Err = appErr
return
}
auditRec.Success()
auditRec.AddEventResultState(createdScheduledPost)
auditRec.AddEventObjectType("scheduledPost")
w.WriteHeader(http.StatusCreated)
if err := json.NewEncoder(w).Encode(createdScheduledPost); err != nil {
mlog.Error("failed to encode scheduled post to return API response", mlog.Err(err))
return
}
}
func getTeamScheduledPosts(c *Context, w http.ResponseWriter, r *http.Request) {
requireScheduledPostsEnabled(c)
if c.Err != nil {
return
}
c.RequireTeamId()
if c.Err != nil {
return
}
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), c.Params.TeamId, model.PermissionViewTeam) {
c.SetPermissionError(model.PermissionViewTeam)
return
}
teamId := c.Params.TeamId
userId := c.AppContext.Session().UserId
scheduledPosts, appErr := c.App.GetUserTeamScheduledPosts(c.AppContext, userId, teamId)
if appErr != nil {
c.Err = appErr
return
}
response := map[string][]*model.ScheduledPost{}
response[teamId] = scheduledPosts
if r.URL.Query().Get("includeDirectChannels") == "true" {
directChannelScheduledPosts, appErr := c.App.GetUserTeamScheduledPosts(c.AppContext, userId, "")
if appErr != nil {
c.Err = appErr
return
}
response["directChannels"] = directChannelScheduledPosts
}
if err := json.NewEncoder(w).Encode(response); err != nil {
mlog.Error("failed to encode scheduled posts to return API response", mlog.Err(err))
return
}
}
func updateScheduledPost(c *Context, w http.ResponseWriter, r *http.Request) {
requireScheduledPostsEnabled(c)
if c.Err != nil {
return
}
connectionID := r.Header.Get(model.ConnectionId)
scheduledPostId := mux.Vars(r)["scheduled_post_id"]
if scheduledPostId == "" {
c.SetInvalidURLParam("scheduled_post_id")
return
}
var scheduledPost model.ScheduledPost
if err := json.NewDecoder(r.Body).Decode(&scheduledPost); err != nil {
c.SetInvalidParamWithErr("schedule_post", err)
return
}
if scheduledPost.Id != scheduledPostId {
c.SetInvalidURLParam("scheduled_post_id")
return
}
auditRec := c.MakeAuditRecord(model.AuditEventUpdateScheduledPost, model.AuditStatusFail)
defer c.LogAuditRecWithLevel(auditRec, app.LevelContent)
model.AddEventParameterAuditableToAuditRec(auditRec, "scheduledPost", &scheduledPost)
userId := c.AppContext.Session().UserId
existingScheduledPost, err := c.App.Srv().Store().ScheduledPost().Get(scheduledPost.Id)
if err != nil {
c.Err = model.NewAppError("updateScheduledPost", "app.update_scheduled_post.get_scheduled_post.error", nil, "", http.StatusInternalServerError).Wrap(err)
return
}
if existingScheduledPost == nil {
c.Err = model.NewAppError("updateScheduledPost", "app.update_scheduled_post.existing_scheduled_post.not_exist", nil, "", http.StatusNotFound)
return
}
if existingScheduledPost.UserId != userId {
c.Err = model.NewAppError("updateScheduledPost", "app.update_scheduled_post.update_permission.error", nil, "", http.StatusForbidden)
return
}
if len(scheduledPost.FileIds) > 0 {
originalPost, err := existingScheduledPost.ToPost()
if err != nil {
c.Err = model.NewAppError("updateScheduledPost", "app.update_scheduled_post.convert_to_post.error", nil, "", http.StatusInternalServerError).Wrap(err)
return
}
checkUploadFilePermissionForNewFiles(c, scheduledPost.FileIds, originalPost)
if c.Err != nil {
return
}
}
scheduledPostChecks("Api4.updateScheduledPost", c, &scheduledPost)
if c.Err != nil {
return
}
updatedScheduledPost, appErr := c.App.UpdateScheduledPost(c.AppContext, userId, &scheduledPost, connectionID)
if appErr != nil {
c.Err = appErr
return
}
auditRec.Success()
auditRec.AddEventResultState(updatedScheduledPost)
auditRec.AddEventObjectType("scheduledPost")
w.WriteHeader(http.StatusCreated)
if err := json.NewEncoder(w).Encode(updatedScheduledPost); err != nil {
mlog.Error("failed to encode scheduled post to return API response", mlog.Err(err))
return
}
}
func deleteScheduledPost(c *Context, w http.ResponseWriter, r *http.Request) {
requireScheduledPostsEnabled(c)
if c.Err != nil {
return
}
scheduledPostId := mux.Vars(r)["scheduled_post_id"]
if scheduledPostId == "" {
c.SetInvalidURLParam("scheduled_post_id")
return
}
auditRec := c.MakeAuditRecord(model.AuditEventDeleteScheduledPost, model.AuditStatusFail)
defer c.LogAuditRecWithLevel(auditRec, app.LevelContent)
model.AddEventParameterToAuditRec(auditRec, "scheduledPostId", scheduledPostId)
userId := c.AppContext.Session().UserId
existingScheduledPost, err := c.App.Srv().Store().ScheduledPost().Get(scheduledPostId)
if err != nil {
c.Err = model.NewAppError("deleteScheduledPost", "app.delete_scheduled_post.get_scheduled_post.error", nil, "", http.StatusInternalServerError).Wrap(err)
return
}
if existingScheduledPost == nil {
c.Err = model.NewAppError("deleteScheduledPost", "app.delete_scheduled_post.existing_scheduled_post.not_exist", nil, "", http.StatusNotFound)
return
}
if existingScheduledPost.UserId != userId {
c.Err = model.NewAppError("deleteScheduledPost", "app.delete_scheduled_post.delete_permission.error", nil, "", http.StatusForbidden)
return
}
connectionID := r.Header.Get(model.ConnectionId)
deletedScheduledPost, appErr := c.App.DeleteScheduledPost(c.AppContext, userId, scheduledPostId, connectionID)
if appErr != nil {
c.Err = appErr
return
}
auditRec.Success()
auditRec.AddEventResultState(deletedScheduledPost)
auditRec.AddEventObjectType("scheduledPost")
w.WriteHeader(http.StatusCreated)
if err := json.NewEncoder(w).Encode(deletedScheduledPost); err != nil {
mlog.Error("failed to encode scheduled post to return API response", mlog.Err(err))
return
}
}
Reference in a new issue View git blame Copy permalink