[MM-51724] (#22740)

* createUserAccessToken updates * lint
mattermost · Apr 5, 2023 · dcab64f · dcab64f
1 parent 0659fce
commit dcab64f
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 3 deletions.
diff --git a/api4/user.go b/api4/user.go
@@ -2366,10 +2366,14 @@ func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
 	audit.AddEventParameter(auditRec, "user_id", c.Params.UserId)
 	defer c.LogAuditRec(auditRec)
 
-	if user, err := c.App.GetUser(c.Params.UserId); err == nil {
-		audit.AddEventParameterAuditable(auditRec, "user", user)
+	user, err := c.App.GetUser(c.Params.UserId)
+	if err != nil {
+		c.Err = err
+		return
 	}
 
+	audit.AddEventParameterAuditable(auditRec, "user", user)
+
 	if c.AppContext.Session().IsOAuth {
 		c.SetPermissionError(model.PermissionCreateUserAccessToken)
 		c.Err.DetailedError += ", attempted access by oauth app"
@@ -2399,6 +2403,11 @@ func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if user.IsSystemAdmin() && !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
+		c.SetPermissionError(model.PermissionManageSystem)
+		return
+	}
+
 	accessToken.UserId = c.Params.UserId
 	accessToken.Token = ""
 

diff --git a/api4/user_test.go b/api4/user_test.go
@@ -4339,7 +4339,38 @@ func TestCreateUserAccessToken(t *testing.T) {
 		CheckForbiddenStatus(t, resp)
 	})
 
-	t.Run("create user access token for basic user as as system admin", func(t *testing.T) {
+	t.Run("create user access token for another user, with permission", func(t *testing.T) {
+		th := Setup(t).InitBasic()
+		defer th.TearDown()
+
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableUserAccessTokens = true })
+		th.AddPermissionToRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
+		th.App.UpdateUserRoles(th.Context, th.BasicUser.Id, model.SystemUserManagerRoleId+" "+model.SystemUserAccessTokenRoleId, false)
+
+		rtoken, _, err := th.Client.CreateUserAccessToken(th.BasicUser2.Id, "test token")
+		require.NoError(t, err)
+		assert.Equal(t, th.BasicUser2.Id, rtoken.UserId)
+
+		oldSessionToken := th.Client.AuthToken
+		defer func() { th.Client.AuthToken = oldSessionToken }()
+
+		assertToken(t, th, rtoken, th.BasicUser2.Id)
+	})
+
+	t.Run("create user access token for system admin, as system user manager", func(t *testing.T) {
+		th := Setup(t).InitBasic()
+		defer th.TearDown()
+
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableUserAccessTokens = true })
+		th.AddPermissionToRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
+		th.App.UpdateUserRoles(th.Context, th.BasicUser.Id, model.SystemUserManagerRoleId+" "+model.SystemUserAccessTokenRoleId, false)
+
+		_, resp, err := th.Client.CreateUserAccessToken(th.SystemAdminUser.Id, "test token")
+		require.Error(t, err)
+		CheckForbiddenStatus(t, resp)
+	})
+
+	t.Run("create user access token for basic user as a system admin", func(t *testing.T) {
 		th := Setup(t).InitBasic()
 		defer th.TearDown()