Pull Request Overview
This PR introduces several security fixes for handling panic situations, improving channel access validations for subscription-related endpoints, and making minor updates to error handling and logging.
- Added a helper method for checking channel access.
- Updated endpoints (save, get, edit, and delete subscription) to validate user access.
- Updated error handling for JSON decoding in Confluence Cloud event processing.
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| server/user.go | Added a helper for channel access validation. |
| server/service/delete_subscription.go | Minor changes to delete subscription handling. |
| server/serializer/confluence_cloud.go | Updated JSON decoding to return an error and fixed error logging message. |
| server/save_subscription.go | Added channel access validation and connection checks. |
| server/get_subscriptions.go | Added channel ID validation via API call. |
| server/get_subscription.go | Added user access validation and connection check. |
| server/edit_subscription.go | Added user access validation and connection check. |
| server/confluence_server.go | Minor code formatting improvements. |
| server/confluence_cloud.go | Updated error handling/logging in webhook payload processing. |
| server/command.go | Updated command handlers to enforce channel access checks. |
Comments suppressed due to low confidence (1)
server/serializer/confluence_cloud.go:66
- The error log message incorrectly refers to 'ConfluenceServerEvent' instead of 'ConfluenceCloudEvent'. Please update the message to reflect the correct event type.
config.Mattermost.LogError("Unable to decode JSON for ConfluenceServerEvent.", "Error", err.Error())
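The channel access gate described in the overview above, as an added example that is not code from the PR or the plugin: the `ChannelAccessAPI` interface, `fakeAPI` data, `Subscription` record and the `checkChannelAccess`/`getSubscription` functions are assumed stand-ins for the plugin's helper and the platform's permission API, so the block runs offline.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// ChannelAccessAPI is an assumed, minimal stand-in for the platform's
// permission API; the real plugin API is not part of this example.
type ChannelAccessAPI interface {
	HasPermissionToChannel(userID, channelID string) bool
}

// Subscription is a constructed record tied to the channel it posts into.
type Subscription struct {
	ID        string `json:"id"`
	ChannelID string `json:"channelId"`
}

// fakeAPI is constructed data: user ID -> channel IDs that user may read.
type fakeAPI map[string]map[string]bool

func (f fakeAPI) HasPermissionToChannel(userID, channelID string) bool {
	return f[userID][channelID]
}

// checkChannelAccess is the helper pattern the PR adds: no identity -> 401,
// identity without access to the subscription's channel -> 403.
func checkChannelAccess(api ChannelAccessAPI, userID, channelID string) (int, bool) {
	if userID == "" {
		return http.StatusUnauthorized, false
	}
	if !api.HasPermissionToChannel(userID, channelID) {
		return http.StatusForbidden, false
	}
	return http.StatusOK, true
}

// getSubscription gates the record on channel access before returning it;
// without the gate, any signed-in user who knew a subscription ID could read it.
func getSubscription(api ChannelAccessAPI, store map[string]Subscription, userID, subID string) (int, []byte) {
	sub, ok := store[subID]
	if !ok {
		return http.StatusNotFound, nil
	}
	if status, allowed := checkChannelAccess(api, userID, sub.ChannelID); !allowed {
		return status, nil
	}
	body, _ := json.Marshal(sub)
	return http.StatusOK, body
}
```

The same gate belongs in front of the save, edit and delete handlers, with the channel ID taken from the stored subscription rather than from the request body, so a caller cannot pick a channel they are a member of to reach a subscription they should not see.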
@Kshitij-Katiyar please update the Jira ticket statuses for each of these. They should be

@wiggin77 Sure

I updated the list of Jira issues in the description. The original was extremely confusing.
The PR description says MM-64171 was fixed, but I don't see that in this PR.
Feel free to just fix that in another PR and update the description.
In the future please do several things:
- Fewer tickets per PR (ideally only 1 - or closely related issues)
- Make sure what you are saying is fixed is actually fixed
- Only include the bug ticket in the description (not some bug tickets, some security tickets, and some with both the security ticket and the associated bug ticket).
thanks @enzowritescode

Sure, will keep that in mind.

@Kshitij-Katiyar I updated the description for you by removing MM-64171. Next time please do that yourself.

@Kshitij-Katiyar are you ready to merge this?

@wiggin77 We are planning to get this QA tested once testing of MsCalendar RC is done.