wireapp · battermann · Oct 26, 2023 · Oct 26, 2023
@@ -0,0 +1 @@
+Only allow team member search with SearchContacts permission
@@ -484,3 +484,9 @@ updateMessageTimer user qcnv update = do
   let path = joinHttpPath ["conversations", cnvDomain, cnvId, "message-timer"]
   req <- baseRequest user Galley Versioned path
   submit "PUT" (addJSONObject ["message_timer" .= updateReq] req)
+
+getTeamMembers :: (HasCallStack, MakesValue user, MakesValue tid) => user -> tid -> App Response
+getTeamMembers user tid = do
+  tidStr <- asString tid
+  req <- baseRequest user Galley Versioned (joinHttpPath ["teams", tidStr, "members"])
+  submit "GET" req
@@ -40,9 +40,17 @@ createTeamMember ::
   inviter ->
   String ->
   App Value
-createTeamMember inviter tid = do
+createTeamMember inviter tid = createTeamMemberWithRole inviter tid "member"
+
+createTeamMemberWithRole ::
+  (HasCallStack, MakesValue inviter) =>
+  inviter ->
+  String ->
+  String ->
+  App Value
+createTeamMemberWithRole inviter tid role = do
   newUserEmail <- randomEmail
-  let invitationJSON = ["role" .= "member", "email" .= newUserEmail]
+  let invitationJSON = ["role" .= role, "email" .= newUserEmail]
   invitationReq <-
     baseRequest inviter Brig Versioned $
       joinHttpPath ["teams", tid, "invitations"]

@@ -3,7 +3,7 @@ module Test.Brig where
 import API.Brig qualified as BrigP
 import API.BrigInternal qualified as BrigI
 import API.Common qualified as API
-import API.GalleyInternal qualified as GalleyI
+import API.Galley qualified as Galley
 import Control.Concurrent (threadDelay)
 import Data.Aeson.Types hiding ((.=))
 import Data.Set qualified as Set
@@ -18,14 +18,27 @@ import Testlib.Prelude
 testSearchContactForExternalUsers :: HasCallStack => App ()
 testSearchContactForExternalUsers = do
   owner <- randomUser OwnDomain def {BrigI.team = True}
-  partner <- randomUser OwnDomain def {BrigI.team = True}
+  tid <- owner %. "team" & asString
 
-  bindResponse (GalleyI.putTeamMember partner (partner %. "team") (API.teamRole "partner")) $ \resp ->
+  partner <- createTeamMemberWithRole owner tid "partner"
+  teamMember <- createTeamMember owner tid
+
+  bindResponse (BrigP.searchContacts teamMember (owner %. "name") OwnDomain) $ \resp ->
     resp.status `shouldMatchInt` 200
 
   bindResponse (BrigP.searchContacts partner (owner %. "name") OwnDomain) $ \resp ->
     resp.status `shouldMatchInt` 403
 
+  bindResponse (Galley.getTeamMembers teamMember tid) $ \resp -> do
+    members <- resp.json %. "members" & asList
+    userIds <- for members (\m -> m %. "user")
+    expected <- for [owner, teamMember, partner] objId
+    userIds `shouldMatchSet` expected
+    resp.status `shouldMatchInt` 200
+
+  bindResponse (Galley.getTeamMembers partner tid) $ \resp -> do
+    resp.status `shouldMatchInt` 403
+
 testCrudFederationRemotes :: HasCallStack => App ()
 testCrudFederationRemotes = do
   otherDomain <- asString OtherDomain

@@ -40,6 +40,7 @@ type TeamMemberAPI =
     "get-team-members"
     ( Summary "Get team members"
         :> CanThrow 'NotATeamMember
+        :> CanThrow 'InvalidPermissions
         :> ZLocalUser
         :> "teams"
         :> Capture "tid" TeamId

@@ -484,6 +484,7 @@ getTeamConversationRoles zusr tid = do
 
 getTeamMembers ::
   ( Member (ErrorS 'NotATeamMember) r,
+    Member (ErrorS 'InvalidPermissions) r,
     Member TeamStore r,
     Member (TeamMemberStore CassandraPaging) r
   ) =>
@@ -494,6 +495,7 @@ getTeamMembers ::
   Sem r TeamMembersPage
 getTeamMembers lzusr tid mbMaxResults mbPagingState = do
   member <- E.getTeamMember tid (tUnqualified lzusr) >>= noteS @'NotATeamMember
+  unless (member `hasPermission` SearchContacts) $ throwS @'InvalidPermissions
   let mState = C.PagingState . LBS.fromStrict <$> (mbPagingState >>= mtpsState)
   let mLimit = fromMaybe (unsafeRange Public.hardTruncationLimit) mbMaxResults
   E.listTeamMembers @CassandraPaging tid mState mLimit <&> toTeamMembersPage member
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Only allow team member search with SearchContacts permission