VYPR
← All advisories
Low severityNVD Advisory· Published Apr 26, 2024· Updated Aug 1, 2024

CVE-2024-4198

CVE-2024-4198

Description

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost-serverGo
>= 9.6.0-rc1, < 9.6.19.6.1
github.com/mattermost/mattermost-serverGo
>= 9.5.0, < 9.5.39.5.3
github.com/mattermost/mattermost-serverGo
>= 8.1.0, < 8.1.128.1.12

Affected products

1

Patches

3
408ce4a82bb5

MM-56929- Dont allow guests to be set via team API (#26286) (#26467)

https://github.com/mattermost/mattermostScott BishelMar 13, 2024via ghsa
commit
4 files changed · +84 61
  • server/channels/api4/team_test.go+33 9 modified
    @@ -2917,6 +2917,28 @@ func TestUpdateTeamMemberRoles(t *testing.T) {
 func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	th := Setup(t).InitBasic()
 	defer th.TearDown()
+	enableGuestAccounts := *th.App.Config().GuestAccountsSettings.Enable
+	defer func() {
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = enableGuestAccounts })
+		th.App.Srv().RemoveLicense()
+	}()
+	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = true })
+	th.App.Srv().SetLicense(model.NewTestLicense())
+
+	id := model.NewId()
+	guest := &model.User{
+		Email:         th.GenerateTestEmail(),
+		Nickname:      "nn_" + id,
+		FirstName:     "f_" + id,
+		LastName:      "l_" + id,
+		Password:      "Pa$$word11",
+		EmailVerified: true,
+	}
+	guest, appError := th.App.CreateGuest(th.Context, guest)
+	require.Nil(t, appError)
+	_, _, appError = th.App.AddUserToTeam(th.Context, th.BasicTeam.Id, guest.Id, "")
+	require.Nil(t, appError)
+
 	SystemAdminClient := th.SystemAdminClient
 	th.LoginBasic()
 
@@ -2948,6 +2970,11 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	assert.Equal(t, true, tm2.SchemeUser)
 	assert.Equal(t, false, tm2.SchemeAdmin)
 
+	//cannot set Guest to User for single team
+	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s2)
+	require.Error(t, err)
+	CheckBadRequestStatus(t, resp)
+
 	s3 := &model.SchemeRoles{
 		SchemeAdmin: true,
 		SchemeUser:  false,
@@ -2981,21 +3008,18 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 		SchemeUser:  false,
 		SchemeGuest: true,
 	}
-	_, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
-	require.NoError(t, err)
 
-	tm5, _, err := SystemAdminClient.GetTeamMember(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, "")
-	require.NoError(t, err)
-	assert.Equal(t, true, tm5.SchemeGuest)
-	assert.Equal(t, false, tm5.SchemeUser)
-	assert.Equal(t, false, tm5.SchemeAdmin)
+	// cannot set user to guest for a single team
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
+	require.Error(t, err)
+	CheckBadRequestStatus(t, resp)
 
 	s6 := &model.SchemeRoles{
 		SchemeAdmin: false,
 		SchemeUser:  true,
 		SchemeGuest: true,
 	}
-	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
 	require.Error(t, err)
 	CheckBadRequestStatus(t, resp)
 
@@ -3007,7 +3031,7 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	require.Error(t, err)
 	CheckNotFoundStatus(t, resp)
 
-	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s4)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s4)
 	require.Error(t, err) // user is a guest, cannot be set as member or admin
 	CheckBadRequestStatus(t, resp)
  • server/channels/app/import_functions_test.go+45 42 modified
    @@ -1492,52 +1492,55 @@ func TestImportImportUser(t *testing.T) {
 	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
 	require.Nil(t, appErr, "Failed to get the channel member")
 
-	assert.False(t, teamMember.SchemeAdmin)
+	assert.False(t, channelMember.SchemeAdmin)
 	assert.True(t, channelMember.SchemeUser)
-	assert.False(t, teamMember.SchemeGuest)
+	assert.False(t, channelMember.SchemeGuest)
 	assert.Equal(t, "", channelMember.ExplicitRoles)
 
+	// see https://mattermost.atlassian.net/browse/MM-56986
 	// Test importing deleted guest with a valid team & valid channel name in apply mode.
-	username = model.NewId()
-	deleteAt = model.GetMillis()
-	deletedGuestData := &imports.UserImportData{
-		Username: &username,
-		DeleteAt: &deleteAt,
-		Email:    ptrStr(model.NewId() + "@example.com"),
-		Teams: &[]imports.UserTeamImportData{
-			{
-				Name:  &team.Name,
-				Roles: ptrStr("team_guest"),
-				Channels: &[]imports.UserChannelImportData{
-					{
-						Name:  &channel.Name,
-						Roles: ptrStr("channel_guest"),
-					},
-				},
-			},
-		},
-	}
-	appErr = th.App.importUser(th.Context, deletedGuestData, false)
-	assert.Nil(t, appErr)
-
-	user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
-	require.Nil(t, appErr, "Failed to get user from database.")
-
-	teamMember, appErr = th.App.GetTeamMember(team.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the team member")
-
-	assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, teamMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", teamMember.ExplicitRoles)
-
-	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the channel member")
-
-	assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, channelMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", channelMember.ExplicitRoles)
+	// mlog.Debug("TESTING GUEST")
+	// username = model.NewId()
+	// deleteAt = model.GetMillis()
+	// deletedGuestData := &imports.UserImportData{
+	// 	Username: &username,
+	// 	DeleteAt: &deleteAt,
+	// 	Email:    ptrStr(model.NewId() + "@example.com"),
+	// 	Teams: &[]imports.UserTeamImportData{
+	// 		{
+	// 			Name:  &team.Name,
+	// 			Roles: ptrStr("team_guest"),
+	// 			Channels: &[]imports.UserChannelImportData{
+	// 				{
+	// 					Name:  &channel.Name,
+	// 					Roles: ptrStr("channel_guest"),
+	// 				},
+	// 			},
+	// 		},
+	// 	},
+	// }
+	// appErr = th.App.importUser(th.Context, deletedGuestData, false)
+	// assert.Nil(t, appErr)
+
+	// user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
+	// require.Nil(t, appErr, "Failed to get user from database.")
+	// mlog.Debug(user.Roles)
+
+	// teamMember, appErr = th.App.GetTeamMember(team.Id, user.Id)
+	// require.Nil(t, appErr, "Failed to get the team member")
+
+	// assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, teamMember.SchemeUser)
+	// assert.True(t, teamMember.SchemeGuest)
+	// assert.Equal(t, "", teamMember.ExplicitRoles)
+
+	// channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
+	// require.Nil(t, appErr, "Failed to get the channel member")
+
+	// assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, channelMember.SchemeUser)
+	// assert.True(t, teamMember.SchemeGuest)
+	// assert.Equal(t, "", channelMember.ExplicitRoles)
 }
 
 func TestImportUserTeams(t *testing.T) {
  • server/channels/app/team.go+2 6 modified
    @@ -515,12 +515,8 @@ func (a *App) UpdateTeamMemberSchemeRoles(teamID string, userID string, isScheme
 		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest.app_error", nil, "", http.StatusBadRequest)
 	}
 
-	if isSchemeUser && isSchemeGuest {
-		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_user.app_error", nil, "", http.StatusBadRequest)
-	}
-
-	if isSchemeAdmin && isSchemeGuest {
-		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_admin.app_error", nil, "", http.StatusBadRequest)
+	if isSchemeGuest {
+		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.user_and_guest.app_error", nil, "", http.StatusBadRequest)
 	}
 
 	member.SchemeAdmin = isSchemeAdmin
  • server/i18n/en.json+4 4 modified
    @@ -3031,14 +3031,14 @@
     "id": "api.team.update_team_member_roles.guest.app_error",
     "translation": "Invalid team member update: A guest cannot be made team member or team admin, please promote as a user first."
   },
-  {
-    "id": "api.team.update_team_member_roles.guest_and_admin.app_error",
-    "translation": "Invalid team member update: A user must cannot be set as a guest and admin at the same time."
-  },
   {
     "id": "api.team.update_team_member_roles.guest_and_user.app_error",
     "translation": "Invalid team member update: A user must be a guest or a user but not both."
   },
+  {
+    "id": "api.team.update_team_member_roles.user_and_guest.app_error",
+    "translation": "Invalid team member update: A guest cannot be set for a single team, a System Admin must promote or demote users to/from guests."
+  },
   {
     "id": "api.team.update_team_scheme.license.error",
     "translation": "Your license does not support updating a team's scheme"
3d6d8a7c1f71

MM-56929- Dont allow guests to be set via team API (#26286) (#26450)

https://github.com/mattermost/mattermostMattermost BuildMar 12, 2024via ghsa
commit
4 files changed · +84 61
  • server/channels/api4/team_test.go+33 9 modified
    @@ -2913,6 +2913,28 @@ func TestUpdateTeamMemberRoles(t *testing.T) {
 func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	th := Setup(t).InitBasic()
 	defer th.TearDown()
+	enableGuestAccounts := *th.App.Config().GuestAccountsSettings.Enable
+	defer func() {
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = enableGuestAccounts })
+		th.App.Srv().RemoveLicense()
+	}()
+	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = true })
+	th.App.Srv().SetLicense(model.NewTestLicense())
+
+	id := model.NewId()
+	guest := &model.User{
+		Email:         th.GenerateTestEmail(),
+		Nickname:      "nn_" + id,
+		FirstName:     "f_" + id,
+		LastName:      "l_" + id,
+		Password:      "Pa$$word11",
+		EmailVerified: true,
+	}
+	guest, appError := th.App.CreateGuest(th.Context, guest)
+	require.Nil(t, appError)
+	_, _, appError = th.App.AddUserToTeam(th.Context, th.BasicTeam.Id, guest.Id, "")
+	require.Nil(t, appError)
+
 	SystemAdminClient := th.SystemAdminClient
 	th.LoginBasic()
 
@@ -2944,6 +2966,11 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	assert.Equal(t, true, tm2.SchemeUser)
 	assert.Equal(t, false, tm2.SchemeAdmin)
 
+	//cannot set Guest to User for single team
+	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s2)
+	require.Error(t, err)
+	CheckBadRequestStatus(t, resp)
+
 	s3 := &model.SchemeRoles{
 		SchemeAdmin: true,
 		SchemeUser:  false,
@@ -2977,21 +3004,18 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 		SchemeUser:  false,
 		SchemeGuest: true,
 	}
-	_, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
-	require.NoError(t, err)
 
-	tm5, _, err := SystemAdminClient.GetTeamMember(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, "")
-	require.NoError(t, err)
-	assert.Equal(t, true, tm5.SchemeGuest)
-	assert.Equal(t, false, tm5.SchemeUser)
-	assert.Equal(t, false, tm5.SchemeAdmin)
+	// cannot set user to guest for a single team
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
+	require.Error(t, err)
+	CheckBadRequestStatus(t, resp)
 
 	s6 := &model.SchemeRoles{
 		SchemeAdmin: false,
 		SchemeUser:  true,
 		SchemeGuest: true,
 	}
-	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
 	require.Error(t, err)
 	CheckBadRequestStatus(t, resp)
 
@@ -3003,7 +3027,7 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	require.Error(t, err)
 	CheckNotFoundStatus(t, resp)
 
-	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s4)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s4)
 	require.Error(t, err) // user is a guest, cannot be set as member or admin
 	CheckBadRequestStatus(t, resp)
  • server/channels/app/import_functions_test.go+45 42 modified
    @@ -1505,52 +1505,55 @@ func TestImportImportUser(t *testing.T) {
 	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
 	require.Nil(t, appErr, "Failed to get the channel member")
 
-	assert.False(t, teamMember.SchemeAdmin)
+	assert.False(t, channelMember.SchemeAdmin)
 	assert.True(t, channelMember.SchemeUser)
-	assert.False(t, teamMember.SchemeGuest)
+	assert.False(t, channelMember.SchemeGuest)
 	assert.Equal(t, "", channelMember.ExplicitRoles)
 
+	// see https://mattermost.atlassian.net/browse/MM-56986
 	// Test importing deleted guest with a valid team & valid channel name in apply mode.
-	username = model.NewId()
-	deleteAt = model.GetMillis()
-	deletedGuestData := &imports.UserImportData{
-		Username: &username,
-		DeleteAt: &deleteAt,
-		Email:    ptrStr(model.NewId() + "@example.com"),
-		Teams: &[]imports.UserTeamImportData{
-			{
-				Name:  &team.Name,
-				Roles: ptrStr("team_guest"),
-				Channels: &[]imports.UserChannelImportData{
-					{
-						Name:  &channel.Name,
-						Roles: ptrStr("channel_guest"),
-					},
-				},
-			},
-		},
-	}
-	appErr = th.App.importUser(th.Context, deletedGuestData, false)
-	assert.Nil(t, appErr)
-
-	user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
-	require.Nil(t, appErr, "Failed to get user from database.")
-
-	teamMember, appErr = th.App.GetTeamMember(th.Context, team.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the team member")
-
-	assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, teamMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", teamMember.ExplicitRoles)
-
-	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the channel member")
-
-	assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, channelMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", channelMember.ExplicitRoles)
+	// mlog.Debug("TESTING GUEST")
+	// username = model.NewId()
+	// deleteAt = model.GetMillis()
+	// deletedGuestData := &imports.UserImportData{
+	// 	Username: &username,
+	// 	DeleteAt: &deleteAt,
+	// 	Email:    ptrStr(model.NewId() + "@example.com"),
+	// 	Teams: &[]imports.UserTeamImportData{
+	// 		{
+	// 			Name:  &team.Name,
+	// 			Roles: ptrStr("team_guest"),
+	// 			Channels: &[]imports.UserChannelImportData{
+	// 				{
+	// 					Name:  &channel.Name,
+	// 					Roles: ptrStr("channel_guest"),
+	// 				},
+	// 			},
+	// 		},
+	// 	},
+	// }
+	// appErr = th.App.importUser(th.Context, deletedGuestData, false)
+	// assert.Nil(t, appErr)
+
+	// user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
+	// require.Nil(t, appErr, "Failed to get user from database.")
+	// mlog.Debug(user.Roles)
+
+	// teamMember, appErr = th.App.GetTeamMember(th.Context, team.Id, user.Id)
+	// require.Nil(t, appErr, "Failed to get the team member")
+
+	// assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, teamMember.SchemeUser)
+	// assert.True(t, teamMember.SchemeGuest)
+	// assert.Equal(t, "", teamMember.ExplicitRoles)
+
+	// channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
+	// require.Nil(t, appErr, "Failed to get the channel member")
+
+	// assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, channelMember.SchemeUser)
+	// assert.True(t, teamMember.SchemeGuest)
+	// assert.Equal(t, "", channelMember.ExplicitRoles)
 }
 
 func TestImportUserTeams(t *testing.T) {
  • server/channels/app/team.go+2 6 modified
    @@ -514,12 +514,8 @@ func (a *App) UpdateTeamMemberSchemeRoles(c request.CTX, teamID string, userID s
 		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest.app_error", nil, "", http.StatusBadRequest)
 	}
 
-	if isSchemeUser && isSchemeGuest {
-		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_user.app_error", nil, "", http.StatusBadRequest)
-	}
-
-	if isSchemeAdmin && isSchemeGuest {
-		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_admin.app_error", nil, "", http.StatusBadRequest)
+	if isSchemeGuest {
+		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.user_and_guest.app_error", nil, "", http.StatusBadRequest)
 	}
 
 	member.SchemeAdmin = isSchemeAdmin
  • server/i18n/en.json+4 4 modified
    @@ -3154,14 +3154,14 @@
     "id": "api.team.update_team_member_roles.guest.app_error",
     "translation": "Invalid team member update: A guest cannot be made team member or team admin, please promote as a user first."
   },
-  {
-    "id": "api.team.update_team_member_roles.guest_and_admin.app_error",
-    "translation": "Invalid team member update: A user must cannot be set as a guest and admin at the same time."
-  },
   {
     "id": "api.team.update_team_member_roles.guest_and_user.app_error",
     "translation": "Invalid team member update: A user must be a guest or a user but not both."
   },
+  {
+    "id": "api.team.update_team_member_roles.user_and_guest.app_error",
+    "translation": "Invalid team member update: A guest cannot be set for a single team, a System Admin must promote or demote users to/from guests."
+  },
   {
     "id": "api.team.update_team_scheme.license.error",
     "translation": "Your license does not support updating a team's scheme"
fba5b8e348fe

MM-56929- Dont allow guests to be set via team API (#26286) (#26449)

https://github.com/mattermost/mattermostMattermost BuildMar 12, 2024via ghsa
commit
4 files changed · +84 61
  • server/channels/api4/team_test.go+33 9 modified
    @@ -2913,6 +2913,28 @@ func TestUpdateTeamMemberRoles(t *testing.T) {
 func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	th := Setup(t).InitBasic()
 	defer th.TearDown()
+	enableGuestAccounts := *th.App.Config().GuestAccountsSettings.Enable
+	defer func() {
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = enableGuestAccounts })
+		th.App.Srv().RemoveLicense()
+	}()
+	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = true })
+	th.App.Srv().SetLicense(model.NewTestLicense())
+
+	id := model.NewId()
+	guest := &model.User{
+		Email:         th.GenerateTestEmail(),
+		Nickname:      "nn_" + id,
+		FirstName:     "f_" + id,
+		LastName:      "l_" + id,
+		Password:      "Pa$$word11",
+		EmailVerified: true,
+	}
+	guest, appError := th.App.CreateGuest(th.Context, guest)
+	require.Nil(t, appError)
+	_, _, appError = th.App.AddUserToTeam(th.Context, th.BasicTeam.Id, guest.Id, "")
+	require.Nil(t, appError)
+
 	SystemAdminClient := th.SystemAdminClient
 	th.LoginBasic()
 
@@ -2944,6 +2966,11 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	assert.Equal(t, true, tm2.SchemeUser)
 	assert.Equal(t, false, tm2.SchemeAdmin)
 
+	//cannot set Guest to User for single team
+	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s2)
+	require.Error(t, err)
+	CheckBadRequestStatus(t, resp)
+
 	s3 := &model.SchemeRoles{
 		SchemeAdmin: true,
 		SchemeUser:  false,
@@ -2977,21 +3004,18 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 		SchemeUser:  false,
 		SchemeGuest: true,
 	}
-	_, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
-	require.NoError(t, err)
 
-	tm5, _, err := SystemAdminClient.GetTeamMember(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, "")
-	require.NoError(t, err)
-	assert.Equal(t, true, tm5.SchemeGuest)
-	assert.Equal(t, false, tm5.SchemeUser)
-	assert.Equal(t, false, tm5.SchemeAdmin)
+	// cannot set user to guest for a single team
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
+	require.Error(t, err)
+	CheckBadRequestStatus(t, resp)
 
 	s6 := &model.SchemeRoles{
 		SchemeAdmin: false,
 		SchemeUser:  true,
 		SchemeGuest: true,
 	}
-	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
 	require.Error(t, err)
 	CheckBadRequestStatus(t, resp)
 
@@ -3003,7 +3027,7 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	require.Error(t, err)
 	CheckNotFoundStatus(t, resp)
 
-	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s4)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s4)
 	require.Error(t, err) // user is a guest, cannot be set as member or admin
 	CheckBadRequestStatus(t, resp)
  • server/channels/app/import_functions_test.go+45 42 modified
    @@ -1505,52 +1505,55 @@ func TestImportImportUser(t *testing.T) {
 	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
 	require.Nil(t, appErr, "Failed to get the channel member")
 
-	assert.False(t, teamMember.SchemeAdmin)
+	assert.False(t, channelMember.SchemeAdmin)
 	assert.True(t, channelMember.SchemeUser)
-	assert.False(t, teamMember.SchemeGuest)
+	assert.False(t, channelMember.SchemeGuest)
 	assert.Equal(t, "", channelMember.ExplicitRoles)
 
+	// see https://mattermost.atlassian.net/browse/MM-56986
 	// Test importing deleted guest with a valid team & valid channel name in apply mode.
-	username = model.NewId()
-	deleteAt = model.GetMillis()
-	deletedGuestData := &imports.UserImportData{
-		Username: &username,
-		DeleteAt: &deleteAt,
-		Email:    ptrStr(model.NewId() + "@example.com"),
-		Teams: &[]imports.UserTeamImportData{
-			{
-				Name:  &team.Name,
-				Roles: ptrStr("team_guest"),
-				Channels: &[]imports.UserChannelImportData{
-					{
-						Name:  &channel.Name,
-						Roles: ptrStr("channel_guest"),
-					},
-				},
-			},
-		},
-	}
-	appErr = th.App.importUser(th.Context, deletedGuestData, false)
-	assert.Nil(t, appErr)
-
-	user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
-	require.Nil(t, appErr, "Failed to get user from database.")
-
-	teamMember, appErr = th.App.GetTeamMember(th.Context, team.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the team member")
-
-	assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, teamMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", teamMember.ExplicitRoles)
-
-	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the channel member")
-
-	assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, channelMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", channelMember.ExplicitRoles)
+	// mlog.Debug("TESTING GUEST")
+	// username = model.NewId()
+	// deleteAt = model.GetMillis()
+	// deletedGuestData := &imports.UserImportData{
+	// 	Username: &username,
+	// 	DeleteAt: &deleteAt,
+	// 	Email:    ptrStr(model.NewId() + "@example.com"),
+	// 	Teams: &[]imports.UserTeamImportData{
+	// 		{
+	// 			Name:  &team.Name,
+	// 			Roles: ptrStr("team_guest"),
+	// 			Channels: &[]imports.UserChannelImportData{
+	// 				{
+	// 					Name:  &channel.Name,
+	// 					Roles: ptrStr("channel_guest"),
+	// 				},
+	// 			},
+	// 		},
+	// 	},
+	// }
+	// appErr = th.App.importUser(th.Context, deletedGuestData, false)
+	// assert.Nil(t, appErr)
+
+	// user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
+	// require.Nil(t, appErr, "Failed to get user from database.")
+	// mlog.Debug(user.Roles)
+
+	// teamMember, appErr = th.App.GetTeamMember(th.Context, team.Id, user.Id)
+	// require.Nil(t, appErr, "Failed to get the team member")
+
+	// assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, teamMember.SchemeUser)
+	// assert.True(t, teamMember.SchemeGuest)
+	// assert.Equal(t, "", teamMember.ExplicitRoles)
+
+	// channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
+	// require.Nil(t, appErr, "Failed to get the channel member")
+
+	// assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, channelMember.SchemeUser)
+	// assert.True(t, teamMember.SchemeGuest)
+	// assert.Equal(t, "", channelMember.ExplicitRoles)
 }
 
 func TestImportUserTeams(t *testing.T) {
  • server/channels/app/team.go+2 6 modified
    @@ -514,12 +514,8 @@ func (a *App) UpdateTeamMemberSchemeRoles(c request.CTX, teamID string, userID s
 		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest.app_error", nil, "", http.StatusBadRequest)
 	}
 
-	if isSchemeUser && isSchemeGuest {
-		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_user.app_error", nil, "", http.StatusBadRequest)
-	}
-
-	if isSchemeAdmin && isSchemeGuest {
-		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_admin.app_error", nil, "", http.StatusBadRequest)
+	if isSchemeGuest {
+		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.user_and_guest.app_error", nil, "", http.StatusBadRequest)
 	}
 
 	member.SchemeAdmin = isSchemeAdmin
  • server/i18n/en.json+4 4 modified
    @@ -3126,14 +3126,14 @@
     "id": "api.team.update_team_member_roles.guest.app_error",
     "translation": "Invalid team member update: A guest cannot be made team member or team admin, please promote as a user first."
   },
-  {
-    "id": "api.team.update_team_member_roles.guest_and_admin.app_error",
-    "translation": "Invalid team member update: A user must cannot be set as a guest and admin at the same time."
-  },
   {
     "id": "api.team.update_team_member_roles.guest_and_user.app_error",
     "translation": "Invalid team member update: A user must be a guest or a user but not both."
   },
+  {
+    "id": "api.team.update_team_member_roles.user_and_guest.app_error",
+    "translation": "Invalid team member update: A guest cannot be set for a single team, a System Admin must promote or demote users to/from guests."
+  },
   {
     "id": "api.team.update_team_scheme.license.error",
     "translation": "Your license does not support updating a team's scheme"

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.