require regenerate invite id to have invite permission (#27427) (#27522)

Automatic Merge
mattermost · Jul 2, 2024 · e6a5d03 · e6a5d03
1 parent 57f9796
commit e6a5d03
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/server/channels/api4/team.go b/server/channels/api4/team.go
@@ -398,6 +398,10 @@ func regenerateTeamInviteId(c *Context, w http.ResponseWriter, r *http.Request)
 		c.SetPermissionError(model.PermissionManageTeam)
 		return
 	}
+	if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), c.Params.TeamId, model.PermissionInviteUser) {
+		c.SetPermissionError(model.PermissionInviteUser)
+		return
+	}
 
 	auditRec := c.MakeAuditRecord("regenerateTeamInviteId", audit.Fail)
 	audit.AddEventParameter(auditRec, "team_id", c.Params.TeamId)

diff --git a/server/channels/api4/team_test.go b/server/channels/api4/team_test.go
@@ -956,6 +956,11 @@ func TestRegenerateTeamInviteId(t *testing.T) {
 	assert.NotEqual(t, team.InviteId, rteam.InviteId)
 	assert.NotEqual(t, team.InviteId, "")
 	assert.Equal(t, rteam.Email, "")
+
+	manager := th.SystemManagerClient
+	th.RemovePermissionFromRole(model.PermissionInviteUser.Id, model.SystemManagerRoleId)
+	_, _, err = manager.RegenerateTeamInviteId(context.Background(), team.Id)
+	require.Error(t, err)
 }
 
 func TestSoftDeleteTeam(t *testing.T) {