-
Notifications
You must be signed in to change notification settings - Fork 6.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[MM-57988] Fix move thread logic to not block channel admins #27061
base: master
Are you sure you want to change the base?
Conversation
Hello @MattSilvaa, Thanks for your pull request! A Core Committer will review your pull request soon. For code contributions, you can learn more about the review process here. |
This PR has been automatically labelled "stale" because it hasn't had recent activity. |
E2E test triggered successfully for PR #27061. The corresponding commit's status check will be available shortly. |
E2E test run is starting for commit
|
/update-branch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks @MattSilvaa!
@esarafianou is there someone from your team who'd be open to giving this change a quick review? |
@nickmisasi I'm good with the change. We'd ideally though have the authorization checks all in one place. Now we check for permitted roles in the API layer and then check for additional permissions on the app layer: mattermost/server/channels/app/post.go Line 2403 in 91741a7
This makes it difficult to follow and audit that all permissions are correctly in place. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM other than one small request.
Thanks for the PR @MattSilvaa!
server/channels/api4/post.go
Outdated
@@ -1267,3 +1272,19 @@ func getPostInfo(c *Context, w http.ResponseWriter, r *http.Request) { | |||
|
|||
w.Write(js) | |||
} | |||
|
|||
func hasPermittedRole(c *Context, user *model.User, channelMember *model.ChannelMember) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we be a bit more specific on the naming here, since this is specific to Wrangler, something like:
func hasPermittedRole(c *Context, user *model.User, channelMember *model.ChannelMember) bool { | |
func hasPermittedWranglerRole(c *Context, user *model.User, channelMember *model.ChannelMember) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. Done.
server/channels/api4/post.go
Outdated
} | ||
|
||
userHasRole := hasPermittedRole(c, user, channelMember) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
userHasRole := hasPermittedRole(c, user, channelMember) | |
userHasRole := hasPermittedWranglerRole(c, user, channelMember) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@esarafianou good call out for sure - this was brought up in initial review as well. The long term goal was initially intended to be to integrate with Mattermost's permission schemes rather than this sort of thing. There's currently no owner for this feature as its experimental and no team has bandwidth to pick it up, so your suggestions would hopefully be addressed in the future. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @MattSilvaa, this looks good now :)
Creating a new SpinWick test server using Mattermost Cloud. |
Enterprise Edition Image not available in the 30 minutes timeframe, checking the Team Edition Image and if available will use that. |
/update-branch |
Creating a new SpinWick test server using Mattermost Cloud. |
Mattermost test server created! 🎉 Access here: https://mattermost-pr-27061.test.mattermost.cloud
Your Spinwick's installation ID is: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Verified that when permitted role to move thread is set to Channel_admin,
the channel_admins get option to move thread. if User is demoted, the option is not shown.
Summary
This PR concats a user's roles with their channel roles so that we correctly check all current user roles against the permitted roles for move thread. Doing this allows for channel admins to be able to move threads.
For testing, I added a unit test in the api tests as well as doing some manual testing.
Ticket Link
Fixes #26959
Jira https://mattermost.atlassian.net/browse/MM-57988
Demo video
Screencast.from.2024-05-19.09-47-32.webm
Release Note