MM-42271: Restrict support packet generation to system admin. (#19726)

mattermost · Mar 9, 2022 · 7f1f360 · 7f1f360
1 parent 81a87c8
commit 7f1f360
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 4 deletions.
diff --git a/api4/system.go b/api4/system.go
@@ -74,10 +74,14 @@ func generateSupportPacket(c *Context, w http.ResponseWriter, r *http.Request) {
 	const FileMime = "application/zip"
 	const OutputDirectory = "support_packet"
 
-	// Checking to see if the user is a admin of any sort or not
-	// If they are a admin, they should theoritcally have access to one or more of the system console read permissions
-	if !c.App.SessionHasPermissionToAny(*c.AppContext.Session(), model.SysconsoleReadPermissions) {
-		c.SetPermissionError(model.SysconsoleReadPermissions...)
+	if *c.App.Config().ExperimentalSettings.RestrictSystemAdmin {
+		c.Err = model.NewAppError("generateSupportPacket", "api.restricted_system_admin", nil, "", http.StatusForbidden)
+		return
+	}
+
+	// Support packet generation is limited to system admins (MM-42271).
+	if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
+		c.SetPermissionError(model.PermissionManageSystem)
 		return
 	}
 

diff --git a/api4/system_test.go b/api4/system_test.go
@@ -207,6 +207,26 @@ func TestGenerateSupportPacket(t *testing.T) {
 		require.NotZero(t, len(file))
 	})
 
+	t.Run("As a System Administrator but with RestrictSystemAdmin true", func(t *testing.T) {
+		originalRestrictSystemAdminVal := *th.App.Config().ExperimentalSettings.RestrictSystemAdmin
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ExperimentalSettings.RestrictSystemAdmin = true })
+		defer func() {
+			th.App.UpdateConfig(func(cfg *model.Config) {
+				*cfg.ExperimentalSettings.RestrictSystemAdmin = originalRestrictSystemAdminVal
+			})
+		}()
+
+		_, resp, err := th.SystemAdminClient.GenerateSupportPacket()
+		require.Error(t, err)
+		CheckForbiddenStatus(t, resp)
+	})
+
+	t.Run("As a system role, not system admin", func(t *testing.T) {
+		_, resp, err := th.SystemManagerClient.GenerateSupportPacket()
+		require.Error(t, err)
+		CheckForbiddenStatus(t, resp)
+	})
+
 	t.Run("As a Regular User", func(t *testing.T) {
 		_, resp, err := th.Client.GenerateSupportPacket()
 		require.Error(t, err)