-
Notifications
You must be signed in to change notification settings - Fork 333
WPB-5695 Enforce group conversation permission for external partner role #3788
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 12 commits
6263a5b
40a491c
e998a90
de9bc6d
f4f6fb9
7b88634
c823c1d
f52f1a6
8dc090d
3dd8d6c
899f2ec
9fa990e
4cac27e
f638a76
c2e99be
e299332
dfe65c8
d203365
073d758
aba9ad1
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Enforce external partner permissions on the backend |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| {-# OPTIONS_GHC -Wno-ambiguous-fields #-} | ||
|
|
||
| -- This file is part of the Wire Server implementation. | ||
| -- | ||
| -- Copyright (C) 2023 Wire Swiss GmbH <opensource@wire.com> | ||
| -- | ||
| -- This program is free software: you can redistribute it and/or modify it under | ||
| -- the terms of the GNU Affero General Public License as published by the Free | ||
| -- Software Foundation, either version 3 of the License, or (at your option) any | ||
| -- later version. | ||
| -- | ||
| -- This program is distributed in the hope that it will be useful, but WITHOUT | ||
| -- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | ||
| -- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more | ||
| -- details. | ||
| -- | ||
| -- You should have received a copy of the GNU Affero General Public License along | ||
| -- with this program. If not, see <https://www.gnu.org/licenses/>. | ||
|
|
||
| module Test.ExternalPartner where | ||
|
|
||
| import API.Galley | ||
| import GHC.Stack | ||
| import MLS.Util | ||
| import SetupHelpers | ||
| import Testlib.Prelude | ||
|
|
||
| testExternalPartnerPermissions :: HasCallStack => App () | ||
| testExternalPartnerPermissions = do | ||
| (owner, tid, u1 : u2 : u3 : _) <- createTeam OwnDomain 6 | ||
|
battermann marked this conversation as resolved.
Outdated
|
||
|
|
||
| partner <- createTeamMemberWithRole owner tid "partner" | ||
|
|
||
| -- a partner should not be able to create conversation with more than 2 users | ||
|
battermann marked this conversation as resolved.
Outdated
|
||
| void $ postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1, u2]}) >>= getJSON 403 | ||
|
|
||
| do | ||
| -- a partner can create a one to one conversation with a user from the same team | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Isn't this creating a group conversation? I understand the idea of the team 1:1 conversation, but here we're not really creating a 1:1 conversation, are we? That it is a 1:1 conversation is a concept in Wire clients.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, exactly. |
||
| conv <- postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201 | ||
|
|
||
| -- they should not be able to add another team member to the one to one conversation | ||
| bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do | ||
| resp.status `shouldMatchInt` 403 | ||
|
|
||
| -- the other member in the conversation gets deleted | ||
| deleteUser u1 | ||
|
|
||
| -- now they still should not be able to add another member | ||
| bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do | ||
| resp.status `shouldMatchInt` 403 | ||
|
|
||
| do | ||
| -- also an external partner cannot add someone to a conversation, even if it is empty | ||
| conv <- postConversation partner (defProteus {team = Just tid}) >>= getJSON 201 | ||
| bindResponse (addMembers partner conv def {users = [u3]}) $ \resp -> do | ||
| resp.status `shouldMatchInt` 403 | ||
|
|
||
| testExternalPartnerPermissionsMls :: HasCallStack => App () | ||
| testExternalPartnerPermissionsMls = do | ||
| -- external partners should not be able to create (MLS) conversations | ||
| (owner, tid, _) <- createTeam OwnDomain 2 | ||
| bobExt <- createTeamMemberWithRole owner tid "partner" | ||
| bobExtClient <- createMLSClient def bobExt | ||
| bindResponse (postConversation bobExtClient defMLS) $ \resp -> do | ||
| resp.status `shouldMatchInt` 403 | ||
|
|
||
| testExternalPartnerPermissionMlsOne2One :: HasCallStack => App () | ||
| testExternalPartnerPermissionMlsOne2One = do | ||
| (owner, tid, alice : _) <- createTeam OwnDomain 2 | ||
| bobExternal <- createTeamMemberWithRole owner tid "partner" | ||
| void $ getMLSOne2OneConversation alice bobExternal >>= getJSON 200 | ||
|
|
||
| testExternalPartnerPermissionsConvName :: HasCallStack => App () | ||
| testExternalPartnerPermissionsConvName = do | ||
| (owner, tid, u1 : _) <- createTeam OwnDomain 2 | ||
|
|
||
| partner <- createTeamMemberWithRole owner tid "partner" | ||
|
|
||
| conv <- postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201 | ||
|
|
||
| bindResponse (changeConversationName partner conv "new name") $ \resp -> do | ||
| resp.status `shouldMatchInt` 403 | ||
Uh oh!
There was an error while loading. Please reload this page.