[MM-223] Fixing Post Permissions Access

server/http.go

@@ -303,6 +303,10 @@ func (p *Plugin) postMeeting(creator *model.User, meetingID int, channelID strin
 		topic = defaultMeetingTopic
 	}
 
+	if !p.API.HasPermissionToChannel(creator.Id, channelID, model.PERMISSION_CREATE_POST) {
+		return errors.New("this channel is not accessible, you might not have permissions to write in this channel. Contact the administrator of this channel to find out if you have access permissions")
+	}
+
 	slackAttachment := model.SlackAttachment{
 		Fallback: fmt.Sprintf("Video Meeting started at [%d](%s).\n\n[Join Meeting](%s)", meetingID, meetingURL, meetingURL),
 		Title:    topic,

server/plugin_test.go

@@ -53,29 +53,43 @@ func TestPlugin(t *testing.T) {
 
 	noSecretWebhookRequest := httptest.NewRequest("POST", "/webhook", strings.NewReader(endedPayload))
 
+	unauthorizedUserRequest := httptest.NewRequest("POST", "/api/v1/meetings", strings.NewReader("{\"channel_id\": \"thechannelid\", \"personal\": true}"))
+	unauthorizedUserRequest.Header.Add("Mattermost-User-Id", "theuserid")
+
 	for name, tc := range map[string]struct {
-		Request            *http.Request
-		ExpectedStatusCode int
+		Request                *http.Request
+		ExpectedStatusCode     int
+		HasPermissionToChannel bool
 	}{
 		"UnauthorizedMeetingRequest": {
-			Request:            noAuthMeetingRequest,
-			ExpectedStatusCode: http.StatusUnauthorized,
+			Request:                noAuthMeetingRequest,
+			ExpectedStatusCode:     http.StatusUnauthorized,
+			HasPermissionToChannel: true,
 		},
 		"ValidPersonalMeetingRequest": {
-			Request:            personalMeetingRequest,
-			ExpectedStatusCode: http.StatusOK,
+			Request:                personalMeetingRequest,
+			ExpectedStatusCode:     http.StatusOK,
+			HasPermissionToChannel: true,
 		},
 		"ValidStoppedWebhookRequest": {
-			Request:            validStoppedWebhookRequest,
-			ExpectedStatusCode: http.StatusOK,
+			Request:                validStoppedWebhookRequest,
+			ExpectedStatusCode:     http.StatusOK,
+			HasPermissionToChannel: true,
 		},
 		"ValidStartedWebhookRequest": {
-			Request:            validStartedWebhookRequest,
-			ExpectedStatusCode: http.StatusNotImplemented,
+			Request:                validStartedWebhookRequest,
+			ExpectedStatusCode:     http.StatusNotImplemented,
+			HasPermissionToChannel: true,
 		},
 		"NoSecretWebhookRequest": {
-			Request:            noSecretWebhookRequest,
-			ExpectedStatusCode: http.StatusUnauthorized,
+			Request:                noSecretWebhookRequest,
+			ExpectedStatusCode:     http.StatusUnauthorized,
+			HasPermissionToChannel: true,
+		},
+		"UnauthorizedChannelPermissions": {
+			Request:                unauthorizedUserRequest,
+			ExpectedStatusCode:     http.StatusInternalServerError,
+			HasPermissionToChannel: false,
 		},
 	} {
 		t.Run(name, func(t *testing.T) {
@@ -88,6 +102,8 @@ func TestPlugin(t *testing.T) {
 				Email: "theuseremail",
 			}, nil)
 
+			api.On("HasPermissionToChannel", "theuserid", "thechannelid", model.PERMISSION_CREATE_POST).Return(tc.HasPermissionToChannel)
+
 			api.On("GetChannelMember", "thechannelid", "theuserid").Return(&model.ChannelMember{}, nil)
 
 			api.On("GetPost", "thepostid").Return(&model.Post{Props: map[string]interface{}{}}, nil)