[MM-57988] Fix move thread logic to not block channel admins #27061
Conversation
mm-cloud-bot
added
the
release-note-none
|
Hello @MattSilvaa, Thanks for your pull request! A Core Committer will review your pull request soon. For code contributions, you can learn more about the review process here. |
|
This PR has been automatically labelled "stale" because it hasn't had recent activity. |
marianunez
added
2: Dev Review
|
E2E test triggered successfully for PR #27061. The corresponding commit's status check will be available shortly. |
|
E2E test run is starting for commit
|
|
/update-branch |
|
@esarafianou is there someone from your team who'd be open to giving this change a quick review? |
|
@nickmisasi I'm good with the change. We'd ideally though have the authorization checks all in one place. Now we check for permitted roles in the API layer and then check for additional permissions on the app layer: mattermost/server/channels/app/post.go Line 2403 in 91741a7 This makes it difficult to follow and audit that all permissions are correctly in place. |
There was a problem hiding this comment.
LGTM other than one small request.
Thanks for the PR @MattSilvaa!
server/channels/api4/post.go
Outdated
| @@ -1267,3 +1272,19 @@ func getPostInfo(c *Context, w http.ResponseWriter, r *http.Request) { | |||
|
|
|||
| w.Write(js) | |||
| } | |||
|
|
|||
| func hasPermittedRole(c *Context, user *model.User, channelMember *model.ChannelMember) bool { | |||
There was a problem hiding this comment.
Can we be a bit more specific on the naming here, since this is specific to Wrangler, something like:
| func hasPermittedRole(c *Context, user *model.User, channelMember *model.ChannelMember) bool { | |
| func hasPermittedWranglerRole(c *Context, user *model.User, channelMember *model.ChannelMember) bool { |
There was a problem hiding this comment.
Good point. Done.
server/channels/api4/post.go
Outdated
| } | ||
|
|
||
| userHasRole := hasPermittedRole(c, user, channelMember) |
There was a problem hiding this comment.
| userHasRole := hasPermittedRole(c, user, channelMember) | |
| userHasRole := hasPermittedWranglerRole(c, user, channelMember) |
|
@esarafianou good call out for sure - this was brought up in initial review as well. The long term goal was initially intended to be to integrate with Mattermost's permission schemes rather than this sort of thing. There's currently no owner for this feature as its experimental and no team has bandwidth to pick it up, so your suggestions would hopefully be addressed in the future. |
devinbinnie
added
Setup Cloud Test Server
|
Creating a new SpinWick test server using Mattermost Cloud. |
|
Enterprise Edition Image not available in the 30 minutes timeframe, checking the Team Edition Image and if available will use that. |
yasserfaraazkhan
removed
the
Setup Cloud Test Server
|
/update-branch |
|
Creating a new SpinWick test server using Mattermost Cloud. |
|
Mattermost test server created! 🎉 Access here: https://mattermost-pr-27061.test.mattermost.cloud
Your Spinwick's installation ID is: |
Summary
This PR concats a user's roles with their channel roles so that we correctly check all current user roles against the permitted roles for move thread. Doing this allows for channel admins to be able to move threads.
For testing, I added a unit test in the api tests as well as doing some manual testing.
Ticket Link
Fixes #26959
Jira https://mattermost.atlassian.net/browse/MM-57988
Demo video
Screencast.from.2024-05-19.09-47-32.webm
Release Note