Skip to content

WPB-16333 Fix: Prevent team creation by guests #4477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Feb 28, 2025
Merged

WPB-16333 Fix: Prevent team creation by guests #4477

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
50d702e
reproduce
battermann Feb 27, 2025
f143c2b
fix
battermann Feb 27, 2025
88a9bb0
changelog
battermann Feb 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/3-bug-fixes/WPB-16333
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Prevent guest users from migrating to teams
8 changes: 8 additions & 0 deletions integration/test/SetupHelpers.hs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,14 @@ randomUser domain cu = bindResponse (createUser domain cu) $ \resp -> do
resp.status `shouldMatchInt` 201
resp.json

ephemeralUser :: (HasCallStack, MakesValue domain) => domain -> App Value
ephemeralUser domain = do
name <- randomName
req <- baseRequest domain Brig Versioned "/register"
bindResponse (submit "POST" $ req & addJSONObject ["name" .= name] & addHeader "X-Forwarded-For" "127.0.0.42") $ \resp -> do
resp.status `shouldMatchInt` 201
resp.json

deleteUser :: (HasCallStack, MakesValue user) => user -> App ()
deleteUser user = bindResponse (API.Brig.deleteUser user) $ \resp -> do
resp.status `shouldMatchInt` 200
Expand Down
7 changes: 7 additions & 0 deletions integration/test/Test/Teams.hs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -456,3 +456,10 @@ testTeamMemberCsvExport = do
unquote :: String -> String
unquote ('\'' : x) = x
unquote x = x

testUpgradeGuestToTeamShouldFail :: (HasCallStack) => App ()
testUpgradeGuestToTeamShouldFail = do
guest <- ephemeralUser OwnDomain

upgradePersonalToTeam guest "wonderland" `bindResponse` \resp -> do
resp.status `shouldMatchInt` 404
22 changes: 13 additions & 9 deletions services/brig/src/Brig/API/User.hs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -270,15 +270,7 @@ upgradePersonalToTeam ::
BindingNewTeamUser ->
ExceptT UpgradePersonalToTeamError (AppT r) CreateUserTeam
upgradePersonalToTeam luid bNewTeam = do
-- check that the user is not part of a team
mSelfProfile <- lift $ liftSem $ getSelfProfile luid
user <-
maybe
(throwE UpgradePersonalToTeamErrorUserNotFound)
(pure . selfUser)
mSelfProfile
when (isJust user.userTeam) $
throwE UpgradePersonalToTeamErrorAlreadyInATeam
user <- guardUser

lift $ do
liftSem $
Expand Down Expand Up @@ -308,6 +300,18 @@ upgradePersonalToTeam luid bNewTeam = do
user.userDisplayName

pure $! createUserTeam
where
isActive :: SelfProfile -> Bool
isActive profile = profile.selfUser.userStatus == Active

guardUser :: ExceptT UpgradePersonalToTeamError (AppT r) User
guardUser = do
-- user must be active (not suspended, deleted, ephemeral etc.)
mSelfProfile <- (find isActive) <$> lift (liftSem $ getSelfProfile luid)
user <- maybe (throwE UpgradePersonalToTeamErrorUserNotFound) (pure . selfUser) mSelfProfile
-- check that the user is not part of a team
when (isJust user.userTeam) $ throwE UpgradePersonalToTeamErrorAlreadyInATeam
pure user

-- docs/reference/user/registration.md {#RefRegistration}
createUser ::
Expand Down