Role refactor (#7867)

* role refactor

* add missing file

* fix web test
Chris
2017-11-21 13:08:32 -06:00
committed by Christopher Speller
parent 01e652ed48
commit 816a30397d
38 changed files with 466 additions and 499 deletions


@@ -7,271 +7,277 @@ import (
"github.com/mattermost/mattermost-server/model"
)
func SetDefaultRolesBasedOnConfig() {
// Reset the roles to default to make this logic easier
model.InitalizeRoles()
func DefaultRolesBasedOnConfig(cfg *model.Config) map[string]*model.Role {
roles := make(map[string]*model.Role)
for id, role := range model.DefaultRoles {
copy := &model.Role{}
*copy = *role
roles[id] = copy
}
if IsLicensed() {
switch *Cfg.TeamSettings.RestrictPublicChannelCreation {
switch *cfg.TeamSettings.RestrictPublicChannelCreation {
case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
}
} else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
}
if IsLicensed() {
switch *Cfg.TeamSettings.RestrictPublicChannelManagement {
switch *cfg.TeamSettings.RestrictPublicChannelManagement {
case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
model.ROLE_CHANNEL_ADMIN.Permissions = append(
model.ROLE_CHANNEL_ADMIN.Permissions,
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
}
} else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
}
if IsLicensed() {
switch *Cfg.TeamSettings.RestrictPublicChannelDeletion {
switch *cfg.TeamSettings.RestrictPublicChannelDeletion {
case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
model.ROLE_CHANNEL_ADMIN.Permissions = append(
model.ROLE_CHANNEL_ADMIN.Permissions,
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
}
} else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
}
if IsLicensed() {
switch *Cfg.TeamSettings.RestrictPrivateChannelCreation {
switch *cfg.TeamSettings.RestrictPrivateChannelCreation {
case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
}
} else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
}
if IsLicensed() {
switch *Cfg.TeamSettings.RestrictPrivateChannelManagement {
switch *cfg.TeamSettings.RestrictPrivateChannelManagement {
case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
model.ROLE_CHANNEL_ADMIN.Permissions = append(
model.ROLE_CHANNEL_ADMIN.Permissions,
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
}
} else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
}
if IsLicensed() {
switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion {
switch *cfg.TeamSettings.RestrictPrivateChannelDeletion {
case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
model.ROLE_CHANNEL_ADMIN.Permissions = append(
model.ROLE_CHANNEL_ADMIN.Permissions,
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
}
} else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
}
// Restrict permissions for Private Channel Manage Members
if IsLicensed() {
switch *Cfg.TeamSettings.RestrictPrivateChannelManageMembers {
switch *cfg.TeamSettings.RestrictPrivateChannelManageMembers {
case model.PERMISSIONS_ALL:
model.ROLE_CHANNEL_USER.Permissions = append(
model.ROLE_CHANNEL_USER.Permissions,
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
model.ROLE_CHANNEL_ADMIN.Permissions = append(
model.ROLE_CHANNEL_ADMIN.Permissions,
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
}
} else {
model.ROLE_CHANNEL_USER.Permissions = append(
model.ROLE_CHANNEL_USER.Permissions,
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
}
if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
if !*cfg.ServiceSettings.EnableOnlyAdminIntegrations {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
)
model.ROLE_SYSTEM_USER.Permissions = append(
model.ROLE_SYSTEM_USER.Permissions,
roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
roles[model.SYSTEM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_OAUTH.Id,
)
}
// Grant permissions for inviting and adding users to a team.
if IsLicensed() {
if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
} else if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL {
model.ROLE_SYSTEM_USER.Permissions = append(
model.ROLE_SYSTEM_USER.Permissions,
} else if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL {
roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
roles[model.SYSTEM_USER_ROLE_ID].Permissions,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
}
} else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
}
if IsLicensed() {
switch *Cfg.ServiceSettings.RestrictPostDelete {
switch *cfg.ServiceSettings.RestrictPostDelete {
case model.PERMISSIONS_DELETE_POST_ALL:
model.ROLE_CHANNEL_USER.Permissions = append(
model.ROLE_CHANNEL_USER.Permissions,
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
)
model.ROLE_CHANNEL_ADMIN.Permissions = append(
model.ROLE_CHANNEL_ADMIN.Permissions,
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
}
} else {
model.ROLE_CHANNEL_USER.Permissions = append(
model.ROLE_CHANNEL_USER.Permissions,
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
)
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
}
if Cfg.TeamSettings.EnableTeamCreation {
model.ROLE_SYSTEM_USER.Permissions = append(
model.ROLE_SYSTEM_USER.Permissions,
if cfg.TeamSettings.EnableTeamCreation {
roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
roles[model.SYSTEM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_TEAM.Id,
)
}
return roles
}
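Review bot: The per-role copy at the top of DefaultRolesBasedOnConfig (`copy := &model.Role{}; *copy = *role`) is a shallow copy, so each copy's Permissions slice still shares its backing array with the entry in model.DefaultRoles, and every later `roles[...].Permissions = append(...)` in this function writes through that alias whenever the shared array has spare capacity. Whether the default slices ever carry capacity beyond their length is not visible in this hunk, but if they do, two evaluations with different configs (licensed vs unlicensed, or different Restrict* settings) overwrite each other's appended permission IDs in the same slot, so a role map handed to one caller can silently change after another call — an integrity problem for the authorization data this function produces. Detaching the slice at copy time removes the aliasing regardless of capacity: `clone := *role`, `clone.Permissions = append(role.Permissions[:0:0], role.Permissions...)`, `roles[id] = &clone`. Renaming the local also stops it shadowing the builtin `copy`. A smaller style point: the function now takes `cfg` explicitly but still reads the global `IsLicensed()` in every branch, so its result is not fully determined by its parameter; passing the licensed flag in alongside cfg would complete the decoupling the commit starts.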


@@ -420,7 +420,6 @@ func LoadGlobalConfig(fileName string) *model.Config {
clientCfgJson, _ := json.Marshal(ClientCfg)
ClientCfgHash = fmt.Sprintf("%x", md5.Sum(clientCfgJson))
SetDefaultRolesBasedOnConfig()
SetSiteURL(*Cfg.ServiceSettings.SiteURL)
InvokeGlobalConfigListeners(&oldConfig, config)