ec1f89217a
Full Mattermost server source with integrated Community Enterprise features. Includes vendor directory for offline/air-gapped builds. Structure: - enterprise-impl/: Enterprise feature implementations - enterprise-community/: Init files that register implementations - enterprise/: Bridge imports (community_imports.go) - vendor/: All dependencies for offline builds Build (online): go build ./cmd/mattermost Build (offline/air-gapped): go build -mod=vendor ./cmd/mattermost 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
270 lines
10 KiB
Go
270 lines
10 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package api4
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/mattermost/mattermost/server/public/shared/mlog"
|
|
"github.com/mattermost/mattermost/server/v8/channels/app/email"
|
|
"github.com/mattermost/mattermost/server/v8/channels/store"
|
|
)
|
|
|
|
func (api *API) InitTeamLocal() {
|
|
api.BaseRoutes.Teams.Handle("", api.APILocal(localCreateTeam)).Methods(http.MethodPost)
|
|
api.BaseRoutes.Teams.Handle("", api.APILocal(getAllTeams)).Methods(http.MethodGet)
|
|
api.BaseRoutes.Teams.Handle("/search", api.APILocal(searchTeams)).Methods(http.MethodPost)
|
|
|
|
api.BaseRoutes.Team.Handle("", api.APILocal(getTeam)).Methods(http.MethodGet)
|
|
api.BaseRoutes.Team.Handle("", api.APILocal(updateTeam)).Methods(http.MethodPut)
|
|
api.BaseRoutes.Team.Handle("", api.APILocal(localDeleteTeam)).Methods(http.MethodDelete)
|
|
api.BaseRoutes.Team.Handle("/invite/email", api.APILocal(localInviteUsersToTeam)).Methods(http.MethodPost)
|
|
api.BaseRoutes.Team.Handle("/patch", api.APILocal(patchTeam)).Methods(http.MethodPut)
|
|
api.BaseRoutes.Team.Handle("/privacy", api.APILocal(updateTeamPrivacy)).Methods(http.MethodPut)
|
|
api.BaseRoutes.Team.Handle("/restore", api.APILocal(restoreTeam)).Methods(http.MethodPost)
|
|
|
|
api.BaseRoutes.TeamByName.Handle("", api.APILocal(getTeamByName)).Methods(http.MethodGet)
|
|
api.BaseRoutes.TeamMembers.Handle("", api.APILocal(addTeamMember)).Methods(http.MethodPost)
|
|
api.BaseRoutes.TeamMember.Handle("", api.APILocal(removeTeamMember)).Methods(http.MethodDelete)
|
|
}
|
|
|
|
func localDeleteTeam(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireTeamId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventLocalDeleteTeam, model.AuditStatusFail)
|
|
model.AddEventParameterToAuditRec(auditRec, "team_id", c.Params.TeamId)
|
|
defer c.LogAuditRec(auditRec)
|
|
|
|
if team, err := c.App.GetTeam(c.Params.TeamId); err == nil {
|
|
auditRec.AddEventPriorState(team)
|
|
auditRec.AddEventObjectType("team")
|
|
}
|
|
|
|
var err *model.AppError
|
|
if c.Params.Permanent {
|
|
err = c.App.PermanentDeleteTeamId(c.AppContext, c.Params.TeamId)
|
|
} else {
|
|
err = c.App.SoftDeleteTeam(c.Params.TeamId)
|
|
}
|
|
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.Success()
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func localInviteUsersToTeam(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
c.RequireTeamId()
|
|
if c.Err != nil {
|
|
return
|
|
}
|
|
|
|
if !*c.App.Config().ServiceSettings.EnableEmailInvitations {
|
|
c.Err = model.NewAppError("localInviteUsersToTeam", "api.team.invite_members.disabled.app_error", nil, "", http.StatusNotImplemented)
|
|
return
|
|
}
|
|
|
|
memberInvite := &model.MemberInvite{}
|
|
err := model.StructFromJSONLimited(r.Body, memberInvite)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("Api4.localInviteUsersToTeam", "api.team.invite_members_to_team_and_channels.invalid_body.app_error", nil, "", http.StatusBadRequest).Wrap(err)
|
|
return
|
|
}
|
|
|
|
emailList := memberInvite.Emails
|
|
|
|
if len(emailList) == 0 {
|
|
c.SetInvalidParam("user_email")
|
|
return
|
|
}
|
|
for i := range emailList {
|
|
email := strings.ToLower(emailList[i])
|
|
if !model.IsValidEmail(email) {
|
|
c.Err = model.NewAppError("localInviteUsersToTeam", "api.team.invite_members.invalid_email.app_error", map[string]any{"Address": email}, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
emailList[i] = email
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventLocalInviteUsersToTeam, model.AuditStatusFail)
|
|
model.AddEventParameterAuditableToAuditRec(auditRec, "member_invite", memberInvite)
|
|
defer c.LogAuditRec(auditRec)
|
|
model.AddEventParameterToAuditRec(auditRec, "team_id", c.Params.TeamId)
|
|
auditRec.AddMeta("count", len(emailList))
|
|
auditRec.AddMeta("emails", emailList)
|
|
|
|
if len(memberInvite.ChannelIds) > 0 {
|
|
auditRec.AddMeta("channel_count", len(memberInvite.ChannelIds))
|
|
auditRec.AddMeta("channels", memberInvite.ChannelIds)
|
|
}
|
|
|
|
team, err := c.App.Srv().Store().Team().Get(c.Params.TeamId)
|
|
if err != nil {
|
|
var nfErr *store.ErrNotFound
|
|
switch {
|
|
case errors.As(err, &nfErr):
|
|
c.Err = model.NewAppError("localInviteUsersToTeam", "app.team.get.find.app_error", nil, "", http.StatusNotFound).Wrap(err)
|
|
default:
|
|
c.Err = model.NewAppError("localInviteUsersToTeam", "app.team.get.finding.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
return
|
|
}
|
|
|
|
allowedDomains := []string{team.AllowedDomains, *c.App.Config().TeamSettings.RestrictCreationToDomains}
|
|
|
|
var channels []*model.Channel
|
|
if len(memberInvite.ChannelIds) > 0 {
|
|
channels, err = c.App.Srv().Store().Channel().GetChannelsByIds(memberInvite.ChannelIds, false)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("prepareLocalInviteNewUsersToTeam", "app.channel.get_channels_by_ids.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
}
|
|
|
|
if r.URL.Query().Get("graceful") != "" {
|
|
var invitesWithErrors []*model.EmailInviteWithError
|
|
var goodEmails, errList []string
|
|
for _, email := range emailList {
|
|
invite := &model.EmailInviteWithError{
|
|
Email: email,
|
|
Error: nil,
|
|
}
|
|
if !isEmailAddressAllowed(email, allowedDomains) {
|
|
invite.Error = model.NewAppError("localInviteUsersToTeam", "api.team.invite_members.invalid_email.app_error", map[string]any{"Addresses": email}, "", http.StatusBadRequest)
|
|
errList = append(errList, model.EmailInviteWithErrorToString(invite))
|
|
} else {
|
|
goodEmails = append(goodEmails, email)
|
|
}
|
|
invitesWithErrors = append(invitesWithErrors, invite)
|
|
}
|
|
auditRec.AddMeta("errors", errList)
|
|
if len(goodEmails) > 0 {
|
|
var invitesWithErrors2 []*model.EmailInviteWithError
|
|
if len(channels) > 0 {
|
|
invitesWithErrors2, err = c.App.Srv().EmailService.SendInviteEmailsToTeamAndChannels(team, channels, "Administrator", "mmctl "+model.NewId(), nil, goodEmails, *c.App.Config().ServiceSettings.SiteURL, nil, memberInvite.Message, true, true, false)
|
|
invitesWithErrors = append(invitesWithErrors, invitesWithErrors2...)
|
|
} else {
|
|
err = c.App.Srv().EmailService.SendInviteEmails(team, "Administrator", "mmctl "+model.NewId(), goodEmails, *c.App.Config().ServiceSettings.SiteURL, nil, false, true, false)
|
|
}
|
|
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, email.NoRateLimiterError):
|
|
c.Err = model.NewAppError("SendInviteEmails", "app.email.no_rate_limiter.app_error", nil, fmt.Sprintf("team_id=%s", team.Id), http.StatusInternalServerError).Wrap(err)
|
|
case errors.Is(err, email.SetupRateLimiterError):
|
|
c.Err = model.NewAppError("SendInviteEmails", "app.email.setup_rate_limiter.app_error", nil, fmt.Sprintf("team_id=%s, error=%v", team.Id, err), http.StatusInternalServerError).Wrap(err)
|
|
default:
|
|
c.Err = model.NewAppError("SendInviteEmails", "app.email.rate_limit_exceeded.app_error", nil, fmt.Sprintf("team_id=%s, error=%v", team.Id, err), http.StatusRequestEntityTooLarge).Wrap(err)
|
|
}
|
|
return
|
|
}
|
|
}
|
|
|
|
// in graceful mode we return both the successful ones and the failed ones
|
|
js, err := json.Marshal(invitesWithErrors)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("localInviteUsersToTeam", "api.marshal_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
return
|
|
}
|
|
|
|
if _, err := w.Write(js); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
} else {
|
|
var invalidEmailList []string
|
|
|
|
for _, email := range emailList {
|
|
if !isEmailAddressAllowed(email, allowedDomains) {
|
|
invalidEmailList = append(invalidEmailList, email)
|
|
}
|
|
}
|
|
if len(invalidEmailList) > 0 {
|
|
s := strings.Join(invalidEmailList, ", ")
|
|
c.Err = model.NewAppError("localInviteUsersToTeam", "api.team.invite_members.invalid_email.app_error", map[string]any{"Addresses": s}, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
err := c.App.Srv().EmailService.SendInviteEmails(team, "Administrator", "mmctl "+model.NewId(), emailList, *c.App.Config().ServiceSettings.SiteURL, nil, false, true, false)
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, email.NoRateLimiterError):
|
|
c.Err = model.NewAppError("SendInviteEmails", "app.email.no_rate_limiter.app_error", nil, fmt.Sprintf("team_id=%s", team.Id), http.StatusInternalServerError).Wrap(err)
|
|
case errors.Is(err, email.SetupRateLimiterError):
|
|
c.Err = model.NewAppError("SendInviteEmails", "app.email.setup_rate_limiter.app_error", nil, fmt.Sprintf("team_id=%s, error=%v", team.Id, err), http.StatusInternalServerError).Wrap(err)
|
|
default:
|
|
c.Err = model.NewAppError("SendInviteEmails", "app.email.rate_limit_exceeded.app_error", nil, fmt.Sprintf("team_id=%s, error=%v", team.Id, err), http.StatusRequestEntityTooLarge).Wrap(err)
|
|
}
|
|
return
|
|
}
|
|
ReturnStatusOK(w)
|
|
}
|
|
auditRec.Success()
|
|
}
|
|
|
|
func isEmailAddressAllowed(email string, allowedDomains []string) bool {
|
|
for _, restriction := range allowedDomains {
|
|
domains := normalizeDomains(restriction)
|
|
if len(domains) <= 0 {
|
|
continue
|
|
}
|
|
matched := false
|
|
for _, d := range domains {
|
|
if strings.HasSuffix(email, "@"+d) {
|
|
matched = true
|
|
break
|
|
}
|
|
}
|
|
if !matched {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func normalizeDomains(domains string) []string {
|
|
// commas and @ signs are optional
|
|
// can be in the form of "@corp.mattermost.com, mattermost.com mattermost.org" -> corp.mattermost.com mattermost.com mattermost.org
|
|
return strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(domains, "@", " ", -1), ",", " ", -1))))
|
|
}
|
|
|
|
func localCreateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
var team model.Team
|
|
if jsonErr := json.NewDecoder(r.Body).Decode(&team); jsonErr != nil {
|
|
c.SetInvalidParamWithErr("team", jsonErr)
|
|
return
|
|
}
|
|
|
|
team.Email = strings.ToLower(team.Email)
|
|
|
|
auditRec := c.MakeAuditRecord(model.AuditEventLocalCreateTeam, model.AuditStatusFail)
|
|
defer c.LogAuditRec(auditRec)
|
|
model.AddEventParameterAuditableToAuditRec(auditRec, "team", &team)
|
|
|
|
rteam, err := c.App.CreateTeam(c.AppContext, &team)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
// Don't sanitize the team here since the user will be a team admin and their session won't reflect that yet
|
|
|
|
auditRec.AddEventResultState(rteam)
|
|
auditRec.AddEventObjectType("type")
|
|
auditRec.Success()
|
|
|
|
w.WriteHeader(http.StatusCreated)
|
|
if err := json.NewEncoder(w).Encode(rteam); err != nil {
|
|
c.Logger.Warn("Error while writing response", mlog.Err(err))
|
|
}
|
|
}
|