Defer user_ids audit param join until after size validation

Addresses a CodeRabbit review comment on PR #36000. Build the joined
user_ids audit parameter only after the empty/max-size validation
passes, so oversized invalid requests don't incur the
strings.Join allocation. The pre-validation audit payload retains the
expression and a cheap user_ids_count for forensic purposes.

Co-authored-by: Ibrahim Serdar Acikgoz <isacikgoz@users.noreply.github.com>
Cursor Agent
2026-05-12 16:14:13 +00:00
parent eb84cca93f
commit 0496a6497a
+3 -1
@@ -389,7 +389,7 @@ func evaluateExpression(c *Context, w http.ResponseWriter, r *http.Request) {
auditRec := c.MakeAuditRecord(model.AuditEventEvaluateExpression, model.AuditStatusFail)
defer c.LogAuditRec(auditRec)
model.AddEventParameterToAuditRec(auditRec, "expression", req.Expression)
model.AddEventParameterToAuditRec(auditRec, "user_ids", strings.Join(req.UserIDs, ","))
model.AddEventParameterToAuditRec(auditRec, "user_ids_count", len(req.UserIDs))
if req.Expression == "" {
c.SetInvalidParam("expression")
@@ -406,6 +406,8 @@ func evaluateExpression(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
model.AddEventParameterToAuditRec(auditRec, "user_ids", strings.Join(req.UserIDs, ","))
resp, appErr := c.App.EvaluateExpression(c.AppContext, req)
if appErr != nil {
c.Err = appErr
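Review bot: With the join moved below the validation block, a fail-status audit record for a rejected request now carries `expression` and `user_ids_count` but no `user_ids`, so an audit consumer or detection that keys on that field will find it missing on exactly the rejected requests. The commit message says this trade-off is intended, but nothing at either call site records it; I would add a comment above the `user_ids_count` line such as `// user_ids is attached only after validation; rejected requests record the count alone`. The late `strings.Join` is bounded only if the validation between the two hunks (not visible here) limits the length of each ID as well as the number of IDs, which is worth confirming since the joined string goes straight into the audit log. evaluateExpression starts before the first hunk and continues past the second.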