Prevent call post from being modified (#608)

mattermost · Jan 9, 2024 · f19420b · f19420b
1 parent d11cf38
commit f19420b
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/e2e/tests/start_call.spec.ts b/e2e/tests/start_call.spec.ts
@@ -1,4 +1,4 @@
-import {expect, test} from '@playwright/test';
+import {expect, Response, test} from '@playwright/test';
 import {readFile} from 'fs/promises';
 
 import {adminState} from '../constants';
@@ -480,3 +480,37 @@ test.describe('ux', () => {
         await devPage.leaveCall();
     });
 });
+
+test.describe('call post', () => {
+    const userIdx = getUserIdxForTest();
+    test.use({storageState: userStorages[0]});
+
+    test('user starting call should not be allowed to edit the call post', async ({page}) => {
+        const devPage = new PlaywrightDevPage(page);
+        await devPage.startCall();
+
+        const postEl = page.locator('.post__body').last();
+        await postEl.hover();
+        const postID = (await postEl.getAttribute('id'))?.substr(0, 26);
+
+        await page.getByTestId('PostDotMenu-Button-' + postID).click();
+
+        await page.locator('#CENTER_dropdown_' + postID).locator('li', {hasText: 'Edit'}).click();
+
+        await page.keyboard.type('Edited');
+
+        const postPatch: Promise<Response> = new Promise((resolve) => {
+            page.on('response', (response) => {
+                if (response.url().endsWith(`/api/v4/posts/${postID}/patch`)) {
+                    resolve(response);
+                }
+            });
+        });
+
+        await page.keyboard.press('Enter');
+
+        expect((await postPatch).ok()).toBe(false);
+
+        await devPage.leaveCall();
+    });
+});
diff --git a/server/plugin.go b/server/plugin.go
@@ -377,3 +377,16 @@ func (p *Plugin) updateCallPostEnded(postID string, participants []string) (floa
 func (p *Plugin) ServeMetrics(_ *plugin.Context, w http.ResponseWriter, r *http.Request) {
 	p.metrics.Handler().ServeHTTP(w, r)
 }
+
+// We want to prevent call posts from being modified by the user starting the
+// call to avoid potentially messing with metadata (e.g. job ids).
+// Both Plugin and Calls bot should still be able to do it though.
+func (p *Plugin) MessageWillBeUpdated(c *plugin.Context, newPost, oldPost *model.Post) (*model.Post, string) {
+	if oldPost != nil && oldPost.Type == callStartPostType && c != nil && c.SessionId != "" {
+		if p.botSession == nil || c.SessionId != p.botSession.Id {
+			return nil, "you are not allowed to edit a call post"
+		}
+	}
+
+	return newPost, ""
+}