From 64af4d51625fd2fc257ad57f0ab2f5e4eaad6357 Mon Sep 17 00:00:00 2001 From: Rajat Dabade Date: Fri, 5 Jul 2024 10:16:07 +0530 Subject: [PATCH] revert: isGuestUser check --- server/api/api.go | 4 ++++ server/api/archive.go | 18 ++++++++++++++- server/api/blocks.go | 13 +++++++++++ server/api/boards.go | 40 ++++++++++++++++++++++++++++++++- server/api/boards_and_blocks.go | 10 +++++++++ server/api/members.go | 20 +++++++++++++++++ server/api/onboarding.go | 10 +++++++++ server/api/search.go | 16 +++++++++++-- server/api/teams.go | 9 ++++++++ server/api/templates.go | 10 +++++++++ 10 files changed, 146 insertions(+), 4 deletions(-) diff --git a/server/api/api.go b/server/api/api.go index 830f57ff..4cb0290d 100644 --- a/server/api/api.go +++ b/server/api/api.go @@ -158,6 +158,10 @@ func (a *API) hasValidReadTokenForBoard(r *http.Request, boardID string) bool { return isValid } +func (a *API) userIsGuest(userID string) (bool, error) { + return a.app.UserIsGuest(userID) +} + // Response helpers func (a *API) errorResponse(w http.ResponseWriter, r *http.Request, err error) { diff --git a/server/api/archive.go b/server/api/archive.go index 11590f42..a8bb5543 100644 --- a/server/api/archive.go +++ b/server/api/archive.go @@ -137,6 +137,16 @@ func (a *API) handleArchiveImport(w http.ResponseWriter, r *http.Request) { return } + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("access denied to create board")) + return + } + file, handle, err := r.FormFile(UploadFormFileKey) if err != nil { fmt.Fprintf(w, "%v", err) 
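Review bot: `userIsGuest` is added without a doc comment, and since every handler in this patch calls it the method deserves one: `// userIsGuest reports whether userID belongs to a guest account; it delegates to app.UserIsGuest and passes its error through unchanged.` Every caller then repeats the same four lines of error handling followed by a `NewErrPermission` denial, so a small helper that performs the lookup, writes the error response and reports whether the handler should stop would collapse each site to `if a.denyGuest(w, r, userID, "access denied to create board") { return }`. That is a refactor to weigh rather than a defect in this hunk, which is complete as shown.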
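Review bot: The denial on the new guest branch in `handleArchiveImport` reuses the generic `"access denied to create board"` message, which tells neither the client nor whoever reads the logs that an archive import was refused; `model.NewErrPermission("guests are not allowed to import archives")` names the operation actually denied. The placement itself is good, before `r.FormFile` parses the upload, so a guest cannot make the server buffer a file it will then reject. handleArchiveImport starts and ends outside the hunk, so whether an audit record already exists at this point cannot be seen here.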
@@ -210,7 +220,13 @@ func (a *API) handleArchiveExportTeam(w http.ResponseWriter, r *http.Request) { defer a.audit.LogRecord(audit.LevelRead, auditRec) auditRec.AddMeta("TeamID", teamID) - boards, err := a.app.GetBoardsForUserAndTeam(userID, teamID, false) + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + + boards, err := a.app.GetBoardsForUserAndTeam(userID, teamID, !isGuest) if err != nil { a.errorResponse(w, r, err) return diff --git a/server/api/blocks.go b/server/api/blocks.go index 93db90ec..36732244 100644 --- a/server/api/blocks.go +++ b/server/api/blocks.go @@ -98,6 +98,19 @@ func (a *API) handleGetBlocks(w http.ResponseWriter, r *http.Request) { return } } + if board.IsTemplate { + var isGuest bool + isGuest, err = a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("guest are not allowed to get board templates")) + return + } + } } auditRec := a.makeAuditRecord(r, "getBlocks", audit.Fail) diff --git a/server/api/boards.go b/server/api/boards.go index 8548f123..d89cff62 100644 --- a/server/api/boards.go +++ b/server/api/boards.go @@ -63,8 +63,14 @@ func (a *API) handleGetBoards(w http.ResponseWriter, r *http.Request) { defer a.audit.LogRecord(audit.LevelRead, auditRec) auditRec.AddMeta("teamID", teamID) + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + // retrieve boards list - boards, err := a.app.GetBoardsForUserAndTeam(userID, teamID, false) + boards, err := a.app.GetBoardsForUserAndTeam(userID, teamID, !isGuest) if err != nil { a.errorResponse(w, r, err) return 
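Review bot: `GetBoardsForUserAndTeam` in `handleArchiveExportTeam` now receives `!isGuest` as a bare positional bool where the old code passed `false`, and nothing in the hunk says what the flag means, so a reader cannot tell whether non-guests gain something here or guests lose something; presumably it controls inclusion of public team boards, which should be confirmed against the app layer. A named local makes the intent reviewable: `includePublicBoards := !isGuest // guests only see boards they are members of` followed by `boards, err := a.app.GetBoardsForUserAndTeam(userID, teamID, includePublicBoards)`. The same bare `!isGuest` appears in `handleGetBoards`, `handleSearchBoards` and `handleSearchAllBoards` and would benefit from the same treatment. handleArchiveExportTeam begins and ends outside the hunk.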
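Review bot: The new denial string in `handleGetBlocks` reads `"guest are not allowed to get board templates"`; it should be `"guests are not allowed to get board templates"` so it matches the plural used by the other guest errors in this patch. The template guard is inserted inside an enclosing block whose head lies above the hunk and which closes right after it, so which branch of the surrounding permission logic it belongs to — and whether the read-token path seen in `hasValidReadTokenForBoard` goes around it — cannot be confirmed from here; a comment such as `// guests may read blocks of boards they belong to, but never of templates` above `if board.IsTemplate {` would state the rule being enforced. handleGetBlocks starts outside the hunk.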
@@ -141,6 +147,16 @@ func (a *API) handleCreateBoard(w http.ResponseWriter, r *http.Request) { } } + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("access denied to create board")) + return + } + if err = newBoard.IsValid(); err != nil { a.errorResponse(w, r, model.NewErrBadRequest(err.Error())) return @@ -227,6 +243,18 @@ func (a *API) handleGetBoard(w http.ResponseWriter, r *http.Request) { return } } else { + var isGuest bool + isGuest, err = a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + if !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionViewBoard) { + a.errorResponse(w, r, model.NewErrPermission("access denied to board")) + return + } + } if !a.permissions.HasPermissionToTeam(userID, board.TeamID, model.PermissionViewTeam) { a.errorResponse(w, r, model.NewErrPermission("access denied to board")) return @@ -486,6 +514,16 @@ func (a *API) handleDuplicateBoard(w http.ResponseWriter, r *http.Request) { } } + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("access denied to create board")) + return + } + auditRec := a.makeAuditRecord(r, "duplicateBoard", audit.Fail) defer a.audit.LogRecord(audit.LevelRead, auditRec) auditRec.AddMeta("boardID", boardID) diff --git a/server/api/boards_and_blocks.go b/server/api/boards_and_blocks.go index 19cdd7a3..8bb57d99 100644 --- a/server/api/boards_and_blocks.go +++ b/server/api/boards_and_blocks.go 
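Review bot: The guest branch in `handleGetBoard` nests a second `if` purely to gate one condition and can be flattened to `if isGuest && !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionViewBoard) {`, which keeps the happy path left-aligned and reads as a single rule. Both the board-level and the team-level denials return the identical `"access denied to board"`, so from the response or the logs a guest without board membership is indistinguishable from a caller without team access; a distinct string on the guest branch, e.g. `"guests can only access boards they are members of"`, aids triage without revealing more than the current message does. handleGetBoard starts and ends outside the hunk.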
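Review bot: The guest denial in `handleDuplicateBoard` runs before `a.makeAuditRecord(r, "duplicateBoard", audit.Fail)` exists, so a refused guest request leaves no audit record at all, whereas `handleGetBoards` and `handleSearchBoards` in this same patch only consult the guest flag after the record and its deferred `LogRecord` are in place. Moving the guest block below `auditRec.AddMeta("boardID", boardID)` (or moving the record above it) would make guest denials visible to whoever reads the audit log. The permission checks closed by the `} }` at the top of the hunk appear to precede the record as well, so this may follow an existing convention; it is worth deciding deliberately rather than by placement. handleDuplicateBoard continues outside the hunk.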
@@ -92,6 +92,16 @@ func (a *API) handleCreateBoardsAndBlocks(w http.ResponseWriter, r *http.Request return } + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("access denied to create board")) + return + } + for _, block := range newBab.Blocks { // Error checking if len(block.Type) < 1 { diff --git a/server/api/members.go b/server/api/members.go index ddde1f7e..1a5d644d 100644 --- a/server/api/members.go +++ b/server/api/members.go @@ -257,6 +257,16 @@ func (a *API) handleJoinBoard(w http.ResponseWriter, r *http.Request) { return } + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("guests not allowed to join boards")) + return + } + newBoardMember := &model.BoardMember{ UserID: userID, BoardID: boardID, @@ -424,6 +434,16 @@ func (a *API) handleUpdateMember(w http.ResponseWriter, r *http.Request) { SchemeViewer: reqBoardMember.SchemeViewer, } + isGuest, err := a.userIsGuest(paramsUserID) + if err != nil { + a.errorResponse(w, r, err) + return + } + + if isGuest { + newBoardMember.SchemeAdmin = false + } + if !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionManageBoardRoles) { a.errorResponse(w, r, model.NewErrPermission("access denied to modify board members")) return diff --git a/server/api/onboarding.go b/server/api/onboarding.go index 7a9922a3..bca6e201 100644 --- a/server/api/onboarding.go +++ b/server/api/onboarding.go 
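Review bot: In `handleUpdateMember` the guest lookup on `paramsUserID` runs before the `PermissionManageBoardRoles` check, so any authenticated caller can trigger a lookup of an arbitrary user id and, when that lookup errors, receives the lookup error instead of the permission denial; authorization should come first and the lookup only afterwards. Only `SchemeAdmin` is forced to false for a guest target, and whether a guest may still be granted `SchemeEditor` or the other scheme flags the hunk leaves untouched cannot be decided from what is shown, so the intent deserves a comment on that line. handleUpdateMember starts and ends outside the hunk, so the excerpt below shows only the reordered section.
```go
	if !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionManageBoardRoles) {
		a.errorResponse(w, r, model.NewErrPermission("access denied to modify board members"))
		return
	}

	// Look the target user up only once the caller is allowed to manage roles on this board.
	isGuest, err := a.userIsGuest(paramsUserID)
	if err != nil {
		a.errorResponse(w, r, err)
		return
	}
	if isGuest {
		// Guests can never hold the admin role on a board; other scheme flags are left as requested.
		newBoardMember.SchemeAdmin = false
	}
	// … unchanged: rest of handleUpdateMember …
```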
@@ -53,6 +53,16 @@ func (a *API) handleOnboard(w http.ResponseWriter, r *http.Request) { return } + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("access denied to create board")) + return + } + teamID, boardID, err := a.app.PrepareOnboardingTour(userID, teamID) if err != nil { a.errorResponse(w, r, err) diff --git a/server/api/search.go b/server/api/search.go index 86dd16e1..d6ba4560 100644 --- a/server/api/search.go +++ b/server/api/search.go @@ -161,8 +161,14 @@ func (a *API) handleSearchBoards(w http.ResponseWriter, r *http.Request) { defer a.audit.LogRecord(audit.LevelRead, auditRec) auditRec.AddMeta("teamID", teamID) + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + // retrieve boards list - boards, err := a.app.SearchBoardsForUser(term, searchField, userID, false) + boards, err := a.app.SearchBoardsForUser(term, searchField, userID, !isGuest) if err != nil { a.errorResponse(w, r, err) return @@ -314,8 +320,14 @@ func (a *API) handleSearchAllBoards(w http.ResponseWriter, r *http.Request) { auditRec := a.makeAuditRecord(r, "searchAllBoards", audit.Fail) defer a.audit.LogRecord(audit.LevelRead, auditRec) + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + // retrieve boards list - boards, err := a.app.SearchBoardsForUser(term, model.BoardSearchFieldTitle, userID, false) + boards, err := a.app.SearchBoardsForUser(term, model.BoardSearchFieldTitle, userID, !isGuest) if err != nil { a.errorResponse(w, r, err) return diff --git a/server/api/teams.go b/server/api/teams.go index 81d1179b..f722221e 100644 --- a/server/api/teams.go +++ b/server/api/teams.go 
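Review bot: The denial in `handleOnboard` reports `"access denied to create board"`, but the endpoint is the onboarding tour, so the client is told about an operation it did not request. `model.NewErrPermission("guests cannot run the onboarding tour")` would be accurate, and a comment above the check — `// onboarding creates a board for the user, which guests may not do` — records why guests are refused; that `PrepareOnboardingTour` creates a board is suggested by the returned boardID but not shown in the hunk, so confirm before wording it that way. handleOnboard starts outside the hunk.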
@@ -183,7 +183,16 @@ func (a *API) handleGetTeamUsers(w http.ResponseWriter, r *http.Request) { auditRec := a.makeAuditRecord(r, "getUsers", audit.Fail) defer a.audit.LogRecord(audit.LevelRead, auditRec) + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } asGuestUser := "" + if isGuest { + asGuestUser = userID + } + users, err := a.app.SearchTeamUsers(teamID, searchQuery, asGuestUser, excludeBots) if err != nil { a.errorResponse(w, r, err) diff --git a/server/api/templates.go b/server/api/templates.go index 2ae1734f..7a1b9d6e 100644 --- a/server/api/templates.go +++ b/server/api/templates.go @@ -51,6 +51,16 @@ func (a *API) handleGetTemplates(w http.ResponseWriter, r *http.Request) { return } + isGuest, err := a.userIsGuest(userID) + if err != nil { + a.errorResponse(w, r, err) + return + } + if isGuest { + a.errorResponse(w, r, model.NewErrPermission("access denied to templates")) + return + } + auditRec := a.makeAuditRecord(r, "getTemplates", audit.Fail) defer a.audit.LogRecord(audit.LevelRead, auditRec) auditRec.AddMeta("teamID", teamID)
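Review bot: `asGuestUser := ""` in `handleGetTeamUsers` is now an out-of-band flag that is either empty or the caller's own id, and nothing in the hunk says what `SearchTeamUsers` does with it; a comment above the declaration such as `// a non-empty asGuestUser presumably restricts the search to users the guest shares a board with — confirm against app.SearchTeamUsers` would tell the next reader why the same id is passed twice. The declaration also sits with no blank line between the error check and the `if isGuest` that sets it, which makes the lookup and its use read as one statement; a blank line before it separates the two. handleGetTeamUsers starts and ends outside the hunk.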
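Review bot: The guest denial in `handleGetTemplates` is placed before `a.makeAuditRecord(r, "getTemplates", audit.Fail)`, so a refused guest never appears in the audit log even though the record is created with a Fail status for exactly that case; moving the guest block below `auditRec.AddMeta("teamID", teamID)` fixes that. If the earlier permission check whose closing brace opens the hunk is also unaudited, this follows the existing pattern and a one-line comment on the function saying so would suffice. handleGetTemplates continues outside the hunk.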