github.com/mad-app/mattermost-server@v5.11.1+incompatible/api4/post.go (about)

     1  // Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
     2  // See License.txt for license information.
     3  
     4  package api4
     5  
     6  import (
     7  	"encoding/json"
     8  	"net/http"
     9  	"strconv"
    10  	"time"
    11  
    12  	"github.com/mattermost/mattermost-server/model"
    13  )
    14  
    15  func (api *API) InitPost() {
    16  	api.BaseRoutes.Posts.Handle("", api.ApiSessionRequired(createPost)).Methods("POST")
    17  	api.BaseRoutes.Post.Handle("", api.ApiSessionRequired(getPost)).Methods("GET")
    18  	api.BaseRoutes.Post.Handle("", api.ApiSessionRequired(deletePost)).Methods("DELETE")
    19  	api.BaseRoutes.Posts.Handle("/ephemeral", api.ApiSessionRequired(createEphemeralPost)).Methods("POST")
    20  	api.BaseRoutes.Post.Handle("/thread", api.ApiSessionRequired(getPostThread)).Methods("GET")
    21  	api.BaseRoutes.Post.Handle("/files/info", api.ApiSessionRequired(getFileInfosForPost)).Methods("GET")
    22  	api.BaseRoutes.PostsForChannel.Handle("", api.ApiSessionRequired(getPostsForChannel)).Methods("GET")
    23  	api.BaseRoutes.PostsForUser.Handle("/flagged", api.ApiSessionRequired(getFlaggedPostsForUser)).Methods("GET")
    24  
    25  	api.BaseRoutes.Team.Handle("/posts/search", api.ApiSessionRequired(searchPosts)).Methods("POST")
    26  	api.BaseRoutes.Post.Handle("", api.ApiSessionRequired(updatePost)).Methods("PUT")
    27  	api.BaseRoutes.Post.Handle("/patch", api.ApiSessionRequired(patchPost)).Methods("PUT")
    28  	api.BaseRoutes.Post.Handle("/pin", api.ApiSessionRequired(pinPost)).Methods("POST")
    29  	api.BaseRoutes.Post.Handle("/unpin", api.ApiSessionRequired(unpinPost)).Methods("POST")
    30  }
    31  
    32  func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
    33  	post := model.PostFromJson(r.Body)
    34  	if post == nil {
    35  		c.SetInvalidParam("post")
    36  		return
    37  	}
    38  
    39  	post.UserId = c.App.Session.UserId
    40  
    41  	hasPermission := false
    42  	if c.App.SessionHasPermissionToChannel(c.App.Session, post.ChannelId, model.PERMISSION_CREATE_POST) {
    43  		hasPermission = true
    44  	} else if channel, err := c.App.GetChannel(post.ChannelId); err == nil {
    45  		// Temporary permission check method until advanced permissions, please do not copy
    46  		if channel.Type == model.CHANNEL_OPEN && c.App.SessionHasPermissionToTeam(c.App.Session, channel.TeamId, model.PERMISSION_CREATE_POST_PUBLIC) {
    47  			hasPermission = true
    48  		}
    49  	}
    50  
    51  	if !hasPermission {
    52  		c.SetPermissionError(model.PERMISSION_CREATE_POST)
    53  		return
    54  	}
    55  
    56  	if post.CreateAt != 0 && !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
    57  		post.CreateAt = 0
    58  	}
    59  
    60  	rp, err := c.App.CreatePostAsUser(c.App.PostWithProxyRemovedFromImageURLs(post), c.App.Session.Id)
    61  	if err != nil {
    62  		c.Err = err
    63  		return
    64  	}
    65  
    66  	c.App.SetStatusOnline(c.App.Session.UserId, false)
    67  	c.App.UpdateLastActivityAtIfNeeded(c.App.Session)
    68  
    69  	w.WriteHeader(http.StatusCreated)
    70  
    71  	// Note that rp has already had PreparePostForClient called on it by App.CreatePost
    72  	w.Write([]byte(rp.ToJson()))
    73  }
    74  
    75  func createEphemeralPost(c *Context, w http.ResponseWriter, r *http.Request) {
    76  	ephRequest := model.PostEphemeral{}
    77  
    78  	json.NewDecoder(r.Body).Decode(&ephRequest)
    79  	if ephRequest.UserID == "" {
    80  		c.SetInvalidParam("user_id")
    81  		return
    82  	}
    83  
    84  	if ephRequest.Post == nil {
    85  		c.SetInvalidParam("post")
    86  		return
    87  	}
    88  
    89  	ephRequest.Post.UserId = c.App.Session.UserId
    90  	ephRequest.Post.CreateAt = model.GetMillis()
    91  
    92  	if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_CREATE_POST_EPHEMERAL) {
    93  		c.SetPermissionError(model.PERMISSION_CREATE_POST_EPHEMERAL)
    94  		return
    95  	}
    96  
    97  	rp := c.App.SendEphemeralPost(ephRequest.UserID, c.App.PostWithProxyRemovedFromImageURLs(ephRequest.Post))
    98  
    99  	w.WriteHeader(http.StatusCreated)
   100  	rp = model.AddPostActionCookies(rp, c.App.PostActionCookieSecret())
   101  	rp = c.App.PreparePostForClient(rp, true)
   102  	w.Write([]byte(rp.ToJson()))
   103  }
   104  
   105  func getPostsForChannel(c *Context, w http.ResponseWriter, r *http.Request) {
   106  	c.RequireChannelId()
   107  	if c.Err != nil {
   108  		return
   109  	}
   110  
   111  	afterPost := r.URL.Query().Get("after")
   112  	beforePost := r.URL.Query().Get("before")
   113  	sinceString := r.URL.Query().Get("since")
   114  
   115  	var since int64
   116  	var parseError error
   117  
   118  	if len(sinceString) > 0 {
   119  		since, parseError = strconv.ParseInt(sinceString, 10, 64)
   120  		if parseError != nil {
   121  			c.SetInvalidParam("since")
   122  			return
   123  		}
   124  	}
   125  
   126  	if !c.App.SessionHasPermissionToChannel(c.App.Session, c.Params.ChannelId, model.PERMISSION_READ_CHANNEL) {
   127  		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
   128  		return
   129  	}
   130  
   131  	var list *model.PostList
   132  	var err *model.AppError
   133  	etag := ""
   134  
   135  	if since > 0 {
   136  		list, err = c.App.GetPostsSince(c.Params.ChannelId, since)
   137  	} else if len(afterPost) > 0 {
   138  		etag = c.App.GetPostsEtag(c.Params.ChannelId)
   139  
   140  		if c.HandleEtag(etag, "Get Posts After", w, r) {
   141  			return
   142  		}
   143  
   144  		list, err = c.App.GetPostsAfterPost(c.Params.ChannelId, afterPost, c.Params.Page, c.Params.PerPage)
   145  	} else if len(beforePost) > 0 {
   146  		etag = c.App.GetPostsEtag(c.Params.ChannelId)
   147  
   148  		if c.HandleEtag(etag, "Get Posts Before", w, r) {
   149  			return
   150  		}
   151  
   152  		list, err = c.App.GetPostsBeforePost(c.Params.ChannelId, beforePost, c.Params.Page, c.Params.PerPage)
   153  	} else {
   154  		etag = c.App.GetPostsEtag(c.Params.ChannelId)
   155  
   156  		if c.HandleEtag(etag, "Get Posts", w, r) {
   157  			return
   158  		}
   159  
   160  		list, err = c.App.GetPostsPage(c.Params.ChannelId, c.Params.Page, c.Params.PerPage)
   161  	}
   162  
   163  	if err != nil {
   164  		c.Err = err
   165  		return
   166  	}
   167  
   168  	if len(etag) > 0 {
   169  		w.Header().Set(model.HEADER_ETAG_SERVER, etag)
   170  	}
   171  
   172  	w.Write([]byte(c.App.PreparePostListForClient(list).ToJson()))
   173  }
   174  
   175  func getFlaggedPostsForUser(c *Context, w http.ResponseWriter, r *http.Request) {
   176  	c.RequireUserId()
   177  	if c.Err != nil {
   178  		return
   179  	}
   180  
   181  	if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
   182  		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
   183  		return
   184  	}
   185  
   186  	channelId := r.URL.Query().Get("channel_id")
   187  	teamId := r.URL.Query().Get("team_id")
   188  
   189  	var posts *model.PostList
   190  	var err *model.AppError
   191  
   192  	if len(channelId) > 0 {
   193  		posts, err = c.App.GetFlaggedPostsForChannel(c.Params.UserId, channelId, c.Params.Page, c.Params.PerPage)
   194  	} else if len(teamId) > 0 {
   195  		posts, err = c.App.GetFlaggedPostsForTeam(c.Params.UserId, teamId, c.Params.Page, c.Params.PerPage)
   196  	} else {
   197  		posts, err = c.App.GetFlaggedPosts(c.Params.UserId, c.Params.Page, c.Params.PerPage)
   198  	}
   199  
   200  	pl := model.NewPostList()
   201  	channelReadPermission := make(map[string]bool)
   202  
   203  	for _, post := range posts.Posts {
   204  		allowed, ok := channelReadPermission[post.ChannelId]
   205  
   206  		if !ok {
   207  			allowed = false
   208  
   209  			if c.App.SessionHasPermissionToChannel(c.App.Session, post.ChannelId, model.PERMISSION_READ_CHANNEL) {
   210  				allowed = true
   211  			}
   212  
   213  			channelReadPermission[post.ChannelId] = allowed
   214  		}
   215  
   216  		if !allowed {
   217  			continue
   218  		}
   219  
   220  		pl.AddPost(post)
   221  		pl.AddOrder(post.Id)
   222  	}
   223  
   224  	pl.SortByCreateAt()
   225  
   226  	if err != nil {
   227  		c.Err = err
   228  		return
   229  	}
   230  
   231  	w.Write([]byte(c.App.PreparePostListForClient(pl).ToJson()))
   232  }
   233  
   234  func getPost(c *Context, w http.ResponseWriter, r *http.Request) {
   235  	c.RequirePostId()
   236  	if c.Err != nil {
   237  		return
   238  	}
   239  
   240  	post, err := c.App.GetSinglePost(c.Params.PostId)
   241  	if err != nil {
   242  		c.Err = err
   243  		return
   244  	}
   245  
   246  	channel, err := c.App.GetChannel(post.ChannelId)
   247  	if err != nil {
   248  		c.Err = err
   249  		return
   250  	}
   251  
   252  	if !c.App.SessionHasPermissionToChannel(c.App.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
   253  		if channel.Type == model.CHANNEL_OPEN {
   254  			if !c.App.SessionHasPermissionToTeam(c.App.Session, channel.TeamId, model.PERMISSION_READ_PUBLIC_CHANNEL) {
   255  				c.SetPermissionError(model.PERMISSION_READ_PUBLIC_CHANNEL)
   256  				return
   257  			}
   258  		} else {
   259  			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
   260  			return
   261  		}
   262  	}
   263  
   264  	post = c.App.PreparePostForClient(post, false)
   265  
   266  	if c.HandleEtag(post.Etag(), "Get Post", w, r) {
   267  		return
   268  	}
   269  
   270  	w.Header().Set(model.HEADER_ETAG_SERVER, post.Etag())
   271  	w.Write([]byte(post.ToJson()))
   272  }
   273  
   274  func deletePost(c *Context, w http.ResponseWriter, r *http.Request) {
   275  	c.RequirePostId()
   276  	if c.Err != nil {
   277  		return
   278  	}
   279  
   280  	post, err := c.App.GetSinglePost(c.Params.PostId)
   281  	if err != nil {
   282  		c.SetPermissionError(model.PERMISSION_DELETE_POST)
   283  		return
   284  	}
   285  
   286  	if c.App.Session.UserId == post.UserId {
   287  		if !c.App.SessionHasPermissionToChannel(c.App.Session, post.ChannelId, model.PERMISSION_DELETE_POST) {
   288  			c.SetPermissionError(model.PERMISSION_DELETE_POST)
   289  			return
   290  		}
   291  	} else {
   292  		if !c.App.SessionHasPermissionToChannel(c.App.Session, post.ChannelId, model.PERMISSION_DELETE_OTHERS_POSTS) {
   293  			c.SetPermissionError(model.PERMISSION_DELETE_OTHERS_POSTS)
   294  			return
   295  		}
   296  	}
   297  
   298  	if _, err := c.App.DeletePost(c.Params.PostId, c.App.Session.UserId); err != nil {
   299  		c.Err = err
   300  		return
   301  	}
   302  
   303  	ReturnStatusOK(w)
   304  }
   305  
   306  func getPostThread(c *Context, w http.ResponseWriter, r *http.Request) {
   307  	c.RequirePostId()
   308  	if c.Err != nil {
   309  		return
   310  	}
   311  
   312  	list, err := c.App.GetPostThread(c.Params.PostId)
   313  	if err != nil {
   314  		c.Err = err
   315  		return
   316  	}
   317  
   318  	post, ok := list.Posts[c.Params.PostId]
   319  	if !ok {
   320  		c.SetInvalidUrlParam("post_id")
   321  		return
   322  	}
   323  
   324  	channel, err := c.App.GetChannel(post.ChannelId)
   325  	if err != nil {
   326  		c.Err = err
   327  		return
   328  	}
   329  
   330  	if !c.App.SessionHasPermissionToChannel(c.App.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
   331  		if channel.Type == model.CHANNEL_OPEN {
   332  			if !c.App.SessionHasPermissionToTeam(c.App.Session, channel.TeamId, model.PERMISSION_READ_PUBLIC_CHANNEL) {
   333  				c.SetPermissionError(model.PERMISSION_READ_PUBLIC_CHANNEL)
   334  				return
   335  			}
   336  		} else {
   337  			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
   338  			return
   339  		}
   340  	}
   341  
   342  	if c.HandleEtag(list.Etag(), "Get Post Thread", w, r) {
   343  		return
   344  	}
   345  
   346  	clientPostList := c.App.PreparePostListForClient(list)
   347  
   348  	w.Header().Set(model.HEADER_ETAG_SERVER, clientPostList.Etag())
   349  
   350  	w.Write([]byte(clientPostList.ToJson()))
   351  }
   352  
   353  func searchPosts(c *Context, w http.ResponseWriter, r *http.Request) {
   354  	c.RequireTeamId()
   355  	if c.Err != nil {
   356  		return
   357  	}
   358  
   359  	if !c.App.SessionHasPermissionToTeam(c.App.Session, c.Params.TeamId, model.PERMISSION_VIEW_TEAM) {
   360  		c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
   361  		return
   362  	}
   363  
   364  	params := model.SearchParameterFromJson(r.Body)
   365  
   366  	if params.Terms == nil || len(*params.Terms) == 0 {
   367  		c.SetInvalidParam("terms")
   368  		return
   369  	}
   370  	terms := *params.Terms
   371  
   372  	timeZoneOffset := 0
   373  	if params.TimeZoneOffset != nil {
   374  		timeZoneOffset = *params.TimeZoneOffset
   375  	}
   376  
   377  	isOrSearch := false
   378  	if params.IsOrSearch != nil {
   379  		isOrSearch = *params.IsOrSearch
   380  	}
   381  
   382  	page := 0
   383  	if params.Page != nil {
   384  		page = *params.Page
   385  	}
   386  
   387  	perPage := 60
   388  	if params.PerPage != nil {
   389  		perPage = *params.PerPage
   390  	}
   391  
   392  	includeDeletedChannels := false
   393  	if params.IncludeDeletedChannels != nil {
   394  		includeDeletedChannels = *params.IncludeDeletedChannels
   395  	}
   396  
   397  	startTime := time.Now()
   398  
   399  	results, err := c.App.SearchPostsInTeamForUser(terms, c.App.Session.UserId, c.Params.TeamId, isOrSearch, includeDeletedChannels, int(timeZoneOffset), page, perPage)
   400  
   401  	elapsedTime := float64(time.Since(startTime)) / float64(time.Second)
   402  	metrics := c.App.Metrics
   403  	if metrics != nil {
   404  		metrics.IncrementPostsSearchCounter()
   405  		metrics.ObservePostsSearchDuration(elapsedTime)
   406  	}
   407  
   408  	if err != nil {
   409  		c.Err = err
   410  		return
   411  	}
   412  
   413  	clientPostList := c.App.PreparePostListForClient(results.PostList)
   414  
   415  	results = model.MakePostSearchResults(clientPostList, results.Matches)
   416  
   417  	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
   418  	w.Write([]byte(results.ToJson()))
   419  }
   420  
   421  func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
   422  	c.RequirePostId()
   423  	if c.Err != nil {
   424  		return
   425  	}
   426  
   427  	post := model.PostFromJson(r.Body)
   428  
   429  	if post == nil {
   430  		c.SetInvalidParam("post")
   431  		return
   432  	}
   433  
   434  	// The post being updated in the payload must be the same one as indicated in the URL.
   435  	if post.Id != c.Params.PostId {
   436  		c.SetInvalidParam("id")
   437  		return
   438  	}
   439  
   440  	// Updating the file_ids of a post is not a supported operation and will be ignored
   441  	post.FileIds = nil
   442  
   443  	if !c.App.SessionHasPermissionToChannelByPost(c.App.Session, c.Params.PostId, model.PERMISSION_EDIT_POST) {
   444  		c.SetPermissionError(model.PERMISSION_EDIT_POST)
   445  		return
   446  	}
   447  
   448  	originalPost, err := c.App.GetSinglePost(c.Params.PostId)
   449  	if err != nil {
   450  		c.SetPermissionError(model.PERMISSION_EDIT_POST)
   451  		return
   452  	}
   453  
   454  	if c.App.Session.UserId != originalPost.UserId {
   455  		if !c.App.SessionHasPermissionToChannelByPost(c.App.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
   456  			c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
   457  			return
   458  		}
   459  	}
   460  
   461  	post.Id = c.Params.PostId
   462  
   463  	rpost, err := c.App.UpdatePost(c.App.PostWithProxyRemovedFromImageURLs(post), false)
   464  	if err != nil {
   465  		c.Err = err
   466  		return
   467  	}
   468  
   469  	w.Write([]byte(rpost.ToJson()))
   470  }
   471  
   472  func patchPost(c *Context, w http.ResponseWriter, r *http.Request) {
   473  	c.RequirePostId()
   474  	if c.Err != nil {
   475  		return
   476  	}
   477  
   478  	post := model.PostPatchFromJson(r.Body)
   479  
   480  	if post == nil {
   481  		c.SetInvalidParam("post")
   482  		return
   483  	}
   484  
   485  	// Updating the file_ids of a post is not a supported operation and will be ignored
   486  	post.FileIds = nil
   487  
   488  	if !c.App.SessionHasPermissionToChannelByPost(c.App.Session, c.Params.PostId, model.PERMISSION_EDIT_POST) {
   489  		c.SetPermissionError(model.PERMISSION_EDIT_POST)
   490  		return
   491  	}
   492  
   493  	originalPost, err := c.App.GetSinglePost(c.Params.PostId)
   494  	if err != nil {
   495  		c.SetPermissionError(model.PERMISSION_EDIT_POST)
   496  		return
   497  	}
   498  
   499  	if c.App.Session.UserId != originalPost.UserId {
   500  		if !c.App.SessionHasPermissionToChannelByPost(c.App.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
   501  			c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
   502  			return
   503  		}
   504  	}
   505  
   506  	patchedPost, err := c.App.PatchPost(c.Params.PostId, c.App.PostPatchWithProxyRemovedFromImageURLs(post))
   507  	if err != nil {
   508  		c.Err = err
   509  		return
   510  	}
   511  
   512  	w.Write([]byte(patchedPost.ToJson()))
   513  }
   514  
   515  func saveIsPinnedPost(c *Context, w http.ResponseWriter, r *http.Request, isPinned bool) {
   516  	c.RequirePostId()
   517  	if c.Err != nil {
   518  		return
   519  	}
   520  
   521  	if !c.App.SessionHasPermissionToChannelByPost(c.App.Session, c.Params.PostId, model.PERMISSION_READ_CHANNEL) {
   522  		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
   523  		return
   524  	}
   525  
   526  	// Restrict pinning if the experimental read-only-town-square setting is on.
   527  	user, err := c.App.GetUser(c.App.Session.UserId)
   528  	if err != nil {
   529  		c.Err = err
   530  		return
   531  	}
   532  
   533  	post, err := c.App.GetSinglePost(c.Params.PostId)
   534  	if err != nil {
   535  		c.Err = err
   536  		return
   537  	}
   538  
   539  	channel, err := c.App.GetChannel(post.ChannelId)
   540  	if err != nil {
   541  		c.Err = err
   542  		return
   543  	}
   544  
   545  	if c.App.License() != nil &&
   546  		*c.App.Config().TeamSettings.ExperimentalTownSquareIsReadOnly &&
   547  		channel.Name == model.DEFAULT_CHANNEL &&
   548  		!c.App.RolesGrantPermission(user.GetRoles(), model.PERMISSION_MANAGE_SYSTEM.Id) {
   549  		c.Err = model.NewAppError("saveIsPinnedPost", "api.post.save_is_pinned_post.town_square_read_only", nil, "", http.StatusForbidden)
   550  		return
   551  	}
   552  
   553  	patch := &model.PostPatch{}
   554  	patch.IsPinned = model.NewBool(isPinned)
   555  
   556  	_, err = c.App.PatchPost(c.Params.PostId, patch)
   557  	if err != nil {
   558  		c.Err = err
   559  		return
   560  	}
   561  
   562  	ReturnStatusOK(w)
   563  }
   564  
   565  func pinPost(c *Context, w http.ResponseWriter, r *http.Request) {
   566  	saveIsPinnedPost(c, w, r, true)
   567  }
   568  
   569  func unpinPost(c *Context, w http.ResponseWriter, r *http.Request) {
   570  	saveIsPinnedPost(c, w, r, false)
   571  }
   572  
   573  func getFileInfosForPost(c *Context, w http.ResponseWriter, r *http.Request) {
   574  	c.RequirePostId()
   575  	if c.Err != nil {
   576  		return
   577  	}
   578  
   579  	if !c.App.SessionHasPermissionToChannelByPost(c.App.Session, c.Params.PostId, model.PERMISSION_READ_CHANNEL) {
   580  		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
   581  		return
   582  	}
   583  
   584  	infos, err := c.App.GetFileInfosForPostWithMigration(c.Params.PostId)
   585  	if err != nil {
   586  		c.Err = err
   587  		return
   588  	}
   589  
   590  	if c.HandleEtag(model.GetEtagForFileInfos(infos), "Get File Infos For Post", w, r) {
   591  		return
   592  	}
   593  
   594  	w.Header().Set("Cache-Control", "max-age=2592000, public")
   595  	w.Header().Set(model.HEADER_ETAG_SERVER, model.GetEtagForFileInfos(infos))
   596  	w.Write([]byte(model.FileInfosToJson(infos)))
   597  }