fix: Unknown Slack users should be able to search team accessible docs (#1049)

* fix: Unknown Slack users should be able to search team accessible docs * test: fix flaky test * test: remove obsolete snapshot * lint * flow * fix: Spelling mistake
2019-09-22 11:52:15 -07:00
parent d46530a4a0
commit b1a1d24f9c
6 changed files with 179 additions and 111 deletions
--- a/server/api/hooks.js
+++ b/server/api/hooks.js
@ -58,15 +58,18 @@ router.post('hooks.interactive', async ctx => {
  ctx.assertPresent(token, 'token is required');
  ctx.assertPresent(callback_id, 'callback_id is required');

-  if (token !== process.env.SLACK_VERIFICATION_TOKEN)
+  if (token !== process.env.SLACK_VERIFICATION_TOKEN) {
    throw new AuthenticationError('Invalid verification token');
+  }

-  const user = await User.findOne({
-    where: { service: 'slack', serviceId: data.user.id },
+  const team = await Team.findOne({
+    where: { slackId: data.team.id },
  });
-  if (!user) {
+
+  if (!team) {
    ctx.body = {
-      text: 'Sorry, we couldn’t find your user on this team in Outline.',
+      text:
+        'Sorry, we couldn’t find an integration for your team. Head to your Outline settings to set one up.',
      response_type: 'ephemeral',
      replace_original: false,
    };
@ -75,12 +78,13 @@ router.post('hooks.interactive', async ctx => {

  // we find the document based on the users teamId to ensure access
  const document = await Document.findOne({
-    where: { id: data.callback_id, teamId: user.teamId },
+    where: {
+      id: data.callback_id,
+      teamId: team.id,
+    },
  });
  if (!document) throw new InvalidRequestError('Invalid document');

-  const team = await Team.findByPk(user.teamId);
-
  // respond with a public message that will be posted in the original channel
  ctx.body = {
    response_type: 'in_channel',
@ -93,8 +97,9 @@ router.post('hooks.interactive', async ctx => {

 // triggered by the /outline command in Slack
 router.post('hooks.slack', async ctx => {
-  const { token, user_id, text } = ctx.body;
+  const { token, team_id, user_id, text } = ctx.body;
  ctx.assertPresent(token, 'token is required');
+  ctx.assertPresent(team_id, 'team_id is required');
  ctx.assertPresent(user_id, 'user_id is required');

  if (token !== process.env.SLACK_VERIFICATION_TOKEN) {
@ -116,25 +121,33 @@ router.post('hooks.slack', async ctx => {
    return;
  }

-  const user = await User.findOne({
-    where: {
-      service: 'slack',
-      serviceId: user_id,
-    },
+  const team = await Team.findOne({
+    where: { slackId: team_id },
  });
-  if (!user) {
+  if (!team) {
    ctx.body = {
      response_type: 'ephemeral',
-      text: 'Sorry, we couldn’t find your user – have you signed into Outline?',
+      text:
+        'Sorry, we couldn’t find an integration for your team. Head to your Outline settings to set one up.',
    };
    return;
  }

-  const team = await Team.findByPk(user.teamId);
-  const results = await Document.searchForUser(user, text, {
-    limit: 5,
+  const user = await User.findOne({
+    where: {
+      teamId: team.id,
+      service: 'slack',
+      serviceId: user_id,
+    },
  });

+  const options = {
+    limit: 5,
+  };
+  const results = user
+    ? await Document.searchForUser(user, text, options)
+    : await Document.searchForTeam(team, text, options);
+
  if (results.length) {
    const attachments = [];
    for (const result of results) {