MM-58776 - Change Ancillary Permissions API to POST (#27504)

* make /ancillary a post * remove get from client, fix tests * Update permissions.yaml
mattermost · Jul 10, 2024 · 5d7027a · 5d7027a
1 parent 7c2a461
commit 5d7027a
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 4 deletions.
diff --git a/api/v4/source/permissions.yaml b/api/v4/source/permissions.yaml
@@ -30,3 +30,32 @@
                   type: string
         "400":
           $ref: '#/components/responses/BadRequest'
+    post:
+      tags:
+        - permissions
+      summary: Return all system console subsection ancillary permissions
+      description: >
+        Returns all the ancillary permissions for the corresponding system console
+        subsection permissions appended to the requested permission subsections.
+        __Minimum server version__: 9.10
+      operationId: GetAncillaryPermissionsPost
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: array
+              items:
+                type: string
+        description: List of subsection permissions
+        required: true
+      responses:
+        "200":
+          description: Successfully returned all ancillary and requested permissions
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: string
+        "400":
+          $ref: '#/components/responses/BadRequest'
diff --git a/server/channels/api4/permission.go b/server/channels/api4/permission.go
@@ -12,7 +12,9 @@ import (
 )
 
 func (api *API) InitPermissions() {
+	// to be deprecated - kept for backward compatibility
 	api.BaseRoutes.Permissions.Handle("/ancillary", api.APISessionRequired(appendAncillaryPermissions)).Methods("GET")
+	api.BaseRoutes.Permissions.Handle("/ancillary", api.APISessionRequired(appendAncillaryPermissionsPost)).Methods("POST")
 }
 
 func appendAncillaryPermissions(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -32,3 +34,17 @@ func appendAncillaryPermissions(c *Context, w http.ResponseWriter, r *http.Reque
 
 	w.Write(b)
 }
+
+func appendAncillaryPermissionsPost(c *Context, w http.ResponseWriter, r *http.Request) {
+	permissions, err := model.NonSortedArrayFromJSON(r.Body)
+	if err != nil || len(permissions) < 1 {
+		c.Err = model.NewAppError("appendAncillaryPermissionsPost", model.PayloadParseError, nil, "", http.StatusBadRequest).Wrap(err)
+		return
+	}
+	b, err := json.Marshal(model.AddAncillaryPermissions(permissions))
+	if err != nil {
+		c.SetJSONEncodingError(err)
+		return
+	}
+	w.Write(b)
+}
diff --git a/server/public/model/client4.go b/server/public/model/client4.go
@@ -8852,8 +8852,8 @@ func (c *Client4) DeleteRemoteCluster(ctx context.Context, remoteClusterId strin
 
 func (c *Client4) GetAncillaryPermissions(ctx context.Context, subsectionPermissions []string) ([]string, *Response, error) {
 	var returnedPermissions []string
-	url := fmt.Sprintf("%s/ancillary?subsection_permissions=%s", c.permissionsRoute(), strings.Join(subsectionPermissions, ","))
-	r, err := c.DoAPIGet(ctx, url, "")
+	url := fmt.Sprintf("%s/ancillary", c.permissionsRoute())
+	r, err := c.DoAPIPost(ctx, url, ArrayToJSON(subsectionPermissions))
 	if err != nil {
 		return returnedPermissions, BuildResponse(r), err
 	}

diff --git a/webapp/platform/client/src/client4.ts b/webapp/platform/client/src/client4.ts
@@ -4130,8 +4130,8 @@ export default class Client4 {
 
     getAncillaryPermissions = (subsectionPermissions: string[]) => {
         return this.doFetch<string[]>(
-            `${this.getPermissionsRoute()}/ancillary?subsection_permissions=${subsectionPermissions.join(',')}`,
-            {method: 'get'},
+            `${this.getPermissionsRoute()}/ancillary`,
+            {method: 'post', body: JSON.stringify(subsectionPermissions)},
         );
     };