From aa88f8bf59b8e43b6fd1aea35b8c4c81a6636738 Mon Sep 17 00:00:00 2001 From: Elias Nahum Date: Mon, 31 Jul 2023 09:12:53 -0400 Subject: [PATCH] Add read_channel_content permission (#24118) * Add read_channel_content permission * fix tests * update system console default permissions per role * add read_channel_content to e2e defaultRolesPermissions * Migration to include custom roles * change deprecated isNotExactRole for isNotRole --------- Co-authored-by: Mattermost Build --- e2e-tests/cypress/tests/support/api/role.js | 6 ++-- server/channels/api4/channel.go | 4 +-- server/channels/api4/file.go | 20 +++++------ server/channels/api4/integration_action.go | 12 +++---- server/channels/api4/post.go | 36 +++++++++---------- server/channels/api4/preference.go | 4 +-- server/channels/api4/reaction.go | 8 ++--- server/channels/api4/user.go | 20 +++++------ server/channels/api4/webhook.go | 12 +++---- server/channels/app/app_test.go | 1 + server/channels/app/authorization.go | 2 +- server/channels/app/authorization_test.go | 2 ++ server/channels/app/permissions_migrations.go | 26 ++++++++++++++ server/channels/app/post.go | 6 ++-- server/channels/app/webhook.go | 2 +- .../channels/store/sqlstore/integrity_test.go | 2 ++ .../channels/store/storetest/scheme_store.go | 10 +++--- server/channels/testlib/store.go | 1 + server/public/model/migration.go | 1 + server/public/model/permission.go | 8 +++++ server/public/model/role.go | 2 ++ .../guest_permissions_tree/index.tsx | 2 ++ .../src/constants/permissions.ts | 2 ++ webapp/channels/src/utils/constants.tsx | 13 ++++--- 24 files changed, 128 insertions(+), 74 deletions(-) diff --git a/e2e-tests/cypress/tests/support/api/role.js b/e2e-tests/cypress/tests/support/api/role.js index d53862b72d..16f6f47f3b 100644 --- a/e2e-tests/cypress/tests/support/api/role.js +++ b/e2e-tests/cypress/tests/support/api/role.js 
@@ -10,14 +10,14 @@ import xor from 'lodash.xor';
 export const defaultRolesPermissions = {
 channel_admin: 'use_channel_mentions remove_reaction manage_public_channel_members use_group_mentions manage_channel_roles manage_private_channel_members add_reaction read_public_channel_groups create_post read_private_channel_groups',
- channel_guest: 'upload_file edit_post create_post use_channel_mentions read_channel add_reaction remove_reaction',
- channel_user: 'manage_private_channel_members read_public_channel_groups delete_post read_private_channel_groups use_group_mentions manage_private_channel_properties delete_public_channel add_reaction manage_public_channel_properties edit_post upload_file use_channel_mentions get_public_link read_channel delete_private_channel manage_public_channel_members create_post remove_reaction',
+ channel_guest: 'upload_file edit_post create_post use_channel_mentions read_channel read_channel_content add_reaction remove_reaction',
+ channel_user: 'manage_private_channel_members read_public_channel_groups delete_post read_private_channel_groups use_group_mentions manage_private_channel_properties delete_public_channel add_reaction manage_public_channel_properties edit_post upload_file use_channel_mentions get_public_link read_channel read_channel_content delete_private_channel manage_public_channel_members create_post remove_reaction',
 custom_group_user: '',
 playbook_admin: 'playbook_private_manage_properties playbook_public_make_private playbook_public_manage_members playbook_public_manage_roles playbook_public_manage_properties playbook_private_manage_members playbook_private_manage_roles',
 playbook_member: 'playbook_public_view playbook_public_manage_members playbook_public_manage_properties playbook_private_view playbook_private_manage_members playbook_private_manage_properties run_create',
 run_admin: 'run_manage_properties run_manage_members',
 run_member: 'run_view',
- system_admin: 'sysconsole_write_environment_elasticsearch 
playbook_public_manage_properties sysconsole_write_authentication_ldap run_view manage_jobs manage_roles playbook_public_create manage_public_channel_properties sysconsole_read_plugins delete_post purge_elasticsearch_indexes sysconsole_read_integrations_bot_accounts read_data_retention_job manage_private_channel_members create_elasticsearch_post_indexing_job sysconsole_read_authentication_guest_access create_elasticsearch_post_aggregation_job join_public_teams sysconsole_read_site_public_links add_saml_idp_cert sysconsole_write_site_announcement_banner sysconsole_write_site_notices sysconsole_read_experimental_feature_flags sysconsole_read_site_users_and_teams manage_slash_commands sysconsole_read_authentication_ldap read_channel sysconsole_write_authentication_password list_users_without_team sysconsole_read_authentication_email add_saml_public_cert playbook_private_create promote_guest sysconsole_read_user_management_system_roles manage_public_channel_members create_data_retention_job add_saml_private_cert sysconsole_write_user_management_users sysconsole_read_compliance_compliance_monitoring playbook_public_manage_members sysconsole_write_environment_database sysconsole_write_user_management_teams playbook_private_manage_roles read_public_channel sysconsole_write_plugins sysconsole_read_authentication_openid sysconsole_write_user_management_groups sysconsole_write_site_file_sharing_and_downloads playbook_private_manage_properties sysconsole_read_site_customization join_public_channels add_user_to_team restore_custom_group download_compliance_export_result sysconsole_write_user_management_system_roles sysconsole_write_environment_session_lengths create_custom_group manage_private_channel_properties create_post_public remove_ldap_private_cert sysconsole_write_site_public_links import_team sysconsole_read_environment_developer sysconsole_read_environment_database sysconsole_read_environment_web_server use_channel_mentions view_team remove_others_reactions 
sysconsole_read_environment_session_lengths sysconsole_write_integrations_bot_accounts playbook_public_view use_group_mentions sysconsole_write_environment_web_server add_ldap_private_cert read_public_channel_groups invite_guest sysconsole_read_environment_smtp create_post sysconsole_read_about_edition_and_license sysconsole_read_authentication_signup sysconsole_read_authentication_saml sysconsole_read_environment_file_storage sysconsole_write_experimental_feature_flags sysconsole_write_site_localization sysconsole_write_environment_rate_limiting sysconsole_read_environment_rate_limiting sysconsole_read_products_boards get_saml_cert_status sysconsole_read_environment_high_availability manage_secure_connections read_compliance_export_job sysconsole_write_compliance_custom_terms_of_service read_user_access_token edit_post sysconsole_write_environment_logging sysconsole_read_environment_push_notification_server sysconsole_write_site_customization read_other_users_teams read_elasticsearch_post_aggregation_job sysconsole_write_compliance_data_retention_policy sysconsole_read_user_management_permissions sysconsole_read_site_emoji sysconsole_read_compliance_data_retention_policy read_license_information sysconsole_read_experimental_features read_deleted_posts sysconsole_read_environment_logging sysconsole_read_reporting_site_statistics test_elasticsearch sysconsole_read_site_posts add_reaction sysconsole_write_authentication_signup manage_outgoing_webhooks create_post_ephemeral sysconsole_read_environment_image_proxy invite_user manage_others_outgoing_webhooks create_user_access_token sysconsole_write_environment_image_proxy sysconsole_write_products_boards read_elasticsearch_post_indexing_job purge_bleve_indexes sysconsole_write_environment_performance_monitoring sysconsole_write_authentication_guest_access sysconsole_read_compliance_custom_terms_of_service edit_others_posts sysconsole_write_billing get_saml_metadata_from_idp sysconsole_write_authentication_saml 
create_post_bleve_indexes_job invalidate_caches sysconsole_write_experimental_bleve view_members manage_others_bots run_create join_private_teams convert_private_channel_to_public read_audits assign_bot read_jobs remove_user_from_team revoke_user_access_token manage_team sysconsole_read_reporting_server_logs get_public_link manage_others_slash_commands manage_system delete_public_channel read_private_channel_groups sysconsole_read_authentication_mfa delete_emojis list_private_teams create_emojis sysconsole_read_billing sysconsole_write_site_emoji invalidate_email_invite sysconsole_write_environment_file_storage sysconsole_write_compliance_compliance_monitoring remove_saml_public_cert sysconsole_read_compliance_compliance_export sysconsole_read_site_localization manage_team_roles list_public_teams get_logs sysconsole_write_integrations_integration_management sysconsole_read_integrations_cors manage_oauth delete_others_emojis sysconsole_write_integrations_gif manage_incoming_webhooks sysconsole_write_authentication_email create_private_channel playbook_private_make_public manage_bots add_ldap_public_cert remove_ldap_public_cert sysconsole_write_site_notifications sysconsole_write_environment_developer playbook_private_manage_members sysconsole_read_user_management_teams edit_custom_group remove_reaction playbook_public_manage_roles sysconsole_write_reporting_server_logs read_others_bots sysconsole_write_site_posts sysconsole_read_site_notifications sysconsole_read_authentication_password playbook_private_view manage_system_wide_oauth get_analytics list_team_channels sysconsole_write_user_management_channels delete_private_channel manage_custom_group_members test_s3 create_ldap_sync_job sysconsole_read_integrations_integration_management test_site_url recycle_database_connections sysconsole_read_site_announcement_banner test_email manage_shared_channels read_bots sysconsole_write_environment_smtp sysconsole_read_experimental_bleve 
sysconsole_write_environment_push_notification_server sysconsole_write_user_management_permissions sysconsole_read_environment_elasticsearch sysconsole_write_reporting_site_statistics sysconsole_write_site_users_and_teams demote_to_guest create_team test_ldap remove_saml_idp_cert delete_others_posts edit_other_users sysconsole_write_reporting_team_statistics sysconsole_read_integrations_gif sysconsole_read_site_notices sysconsole_write_about_edition_and_license manage_others_incoming_webhooks run_manage_members create_bot sysconsole_write_authentication_mfa sysconsole_read_user_management_users assign_system_admin_role sysconsole_write_experimental_features edit_brand create_group_channel sysconsole_write_authentication_openid create_direct_channel manage_license_information reload_config manage_channel_roles sysconsole_read_user_management_groups create_compliance_export_job read_ldap_sync_job upload_file sysconsole_read_site_file_sharing_and_downloads delete_custom_group sysconsole_read_user_management_channels sysconsole_write_compliance_compliance_export remove_saml_private_cert sysconsole_read_environment_performance_monitoring create_public_channel sysconsole_write_integrations_cors sysconsole_write_environment_high_availability playbook_public_make_private run_manage_properties sysconsole_read_reporting_team_statistics convert_public_channel_to_private',
+ system_admin: 'sysconsole_write_environment_elasticsearch playbook_public_manage_properties sysconsole_write_authentication_ldap run_view manage_jobs manage_roles playbook_public_create manage_public_channel_properties sysconsole_read_plugins delete_post purge_elasticsearch_indexes sysconsole_read_integrations_bot_accounts read_data_retention_job manage_private_channel_members create_elasticsearch_post_indexing_job sysconsole_read_authentication_guest_access create_elasticsearch_post_aggregation_job join_public_teams sysconsole_read_site_public_links add_saml_idp_cert 
sysconsole_write_site_announcement_banner sysconsole_write_site_notices sysconsole_read_experimental_feature_flags sysconsole_read_site_users_and_teams manage_slash_commands sysconsole_read_authentication_ldap read_channel read_channel_content sysconsole_write_authentication_password list_users_without_team sysconsole_read_authentication_email add_saml_public_cert playbook_private_create promote_guest sysconsole_read_user_management_system_roles manage_public_channel_members create_data_retention_job add_saml_private_cert sysconsole_write_user_management_users sysconsole_read_compliance_compliance_monitoring playbook_public_manage_members sysconsole_write_environment_database sysconsole_write_user_management_teams playbook_private_manage_roles read_public_channel sysconsole_write_plugins sysconsole_read_authentication_openid sysconsole_write_user_management_groups sysconsole_write_site_file_sharing_and_downloads playbook_private_manage_properties sysconsole_read_site_customization join_public_channels add_user_to_team restore_custom_group download_compliance_export_result sysconsole_write_user_management_system_roles sysconsole_write_environment_session_lengths create_custom_group manage_private_channel_properties create_post_public remove_ldap_private_cert sysconsole_write_site_public_links import_team sysconsole_read_environment_developer sysconsole_read_environment_database sysconsole_read_environment_web_server use_channel_mentions view_team remove_others_reactions sysconsole_read_environment_session_lengths sysconsole_write_integrations_bot_accounts playbook_public_view use_group_mentions sysconsole_write_environment_web_server add_ldap_private_cert read_public_channel_groups invite_guest sysconsole_read_environment_smtp create_post sysconsole_read_about_edition_and_license sysconsole_read_authentication_signup sysconsole_read_authentication_saml sysconsole_read_environment_file_storage sysconsole_write_experimental_feature_flags 
sysconsole_write_site_localization sysconsole_write_environment_rate_limiting sysconsole_read_environment_rate_limiting sysconsole_read_products_boards get_saml_cert_status sysconsole_read_environment_high_availability manage_secure_connections read_compliance_export_job sysconsole_write_compliance_custom_terms_of_service read_user_access_token edit_post sysconsole_write_environment_logging sysconsole_read_environment_push_notification_server sysconsole_write_site_customization read_other_users_teams read_elasticsearch_post_aggregation_job sysconsole_write_compliance_data_retention_policy sysconsole_read_user_management_permissions sysconsole_read_site_emoji sysconsole_read_compliance_data_retention_policy read_license_information sysconsole_read_experimental_features read_deleted_posts sysconsole_read_environment_logging sysconsole_read_reporting_site_statistics test_elasticsearch sysconsole_read_site_posts add_reaction sysconsole_write_authentication_signup manage_outgoing_webhooks create_post_ephemeral sysconsole_read_environment_image_proxy invite_user manage_others_outgoing_webhooks create_user_access_token sysconsole_write_environment_image_proxy sysconsole_write_products_boards read_elasticsearch_post_indexing_job purge_bleve_indexes sysconsole_write_environment_performance_monitoring sysconsole_write_authentication_guest_access sysconsole_read_compliance_custom_terms_of_service edit_others_posts sysconsole_write_billing get_saml_metadata_from_idp sysconsole_write_authentication_saml create_post_bleve_indexes_job invalidate_caches sysconsole_write_experimental_bleve view_members manage_others_bots run_create join_private_teams convert_private_channel_to_public read_audits assign_bot read_jobs remove_user_from_team revoke_user_access_token manage_team sysconsole_read_reporting_server_logs get_public_link manage_others_slash_commands manage_system delete_public_channel read_private_channel_groups sysconsole_read_authentication_mfa delete_emojis 
list_private_teams create_emojis sysconsole_read_billing sysconsole_write_site_emoji invalidate_email_invite sysconsole_write_environment_file_storage sysconsole_write_compliance_compliance_monitoring remove_saml_public_cert sysconsole_read_compliance_compliance_export sysconsole_read_site_localization manage_team_roles list_public_teams get_logs sysconsole_write_integrations_integration_management sysconsole_read_integrations_cors manage_oauth delete_others_emojis sysconsole_write_integrations_gif manage_incoming_webhooks sysconsole_write_authentication_email create_private_channel playbook_private_make_public manage_bots add_ldap_public_cert remove_ldap_public_cert sysconsole_write_site_notifications sysconsole_write_environment_developer playbook_private_manage_members sysconsole_read_user_management_teams edit_custom_group remove_reaction playbook_public_manage_roles sysconsole_write_reporting_server_logs read_others_bots sysconsole_write_site_posts sysconsole_read_site_notifications sysconsole_read_authentication_password playbook_private_view manage_system_wide_oauth get_analytics list_team_channels sysconsole_write_user_management_channels delete_private_channel manage_custom_group_members test_s3 create_ldap_sync_job sysconsole_read_integrations_integration_management test_site_url recycle_database_connections sysconsole_read_site_announcement_banner test_email manage_shared_channels read_bots sysconsole_write_environment_smtp sysconsole_read_experimental_bleve sysconsole_write_environment_push_notification_server sysconsole_write_user_management_permissions sysconsole_read_environment_elasticsearch sysconsole_write_reporting_site_statistics sysconsole_write_site_users_and_teams demote_to_guest create_team test_ldap remove_saml_idp_cert delete_others_posts edit_other_users sysconsole_write_reporting_team_statistics sysconsole_read_integrations_gif sysconsole_read_site_notices sysconsole_write_about_edition_and_license manage_others_incoming_webhooks 
run_manage_members create_bot sysconsole_write_authentication_mfa sysconsole_read_user_management_users assign_system_admin_role sysconsole_write_experimental_features edit_brand create_group_channel sysconsole_write_authentication_openid create_direct_channel manage_license_information reload_config manage_channel_roles sysconsole_read_user_management_groups create_compliance_export_job read_ldap_sync_job upload_file sysconsole_read_site_file_sharing_and_downloads delete_custom_group sysconsole_read_user_management_channels sysconsole_write_compliance_compliance_export remove_saml_private_cert sysconsole_read_environment_performance_monitoring create_public_channel sysconsole_write_integrations_cors sysconsole_write_environment_high_availability playbook_public_make_private run_manage_properties sysconsole_read_reporting_team_statistics convert_public_channel_to_private',
 system_custom_group_admin: 'create_custom_group edit_custom_group delete_custom_group restore_custom_group manage_custom_group_members',
 system_guest: 'create_group_channel create_direct_channel',
 system_manager: ' sysconsole_read_site_announcement_banner manage_private_channel_properties edit_brand read_private_channel_groups manage_private_channel_members manage_team_roles sysconsole_write_environment_session_lengths sysconsole_read_site_emoji sysconsole_write_environment_developer sysconsole_read_user_management_groups sysconsole_write_user_management_groups sysconsole_write_environment_rate_limiting delete_private_channel sysconsole_read_environment_performance_monitoring sysconsole_read_environment_rate_limiting sysconsole_write_user_management_teams sysconsole_write_integrations_integration_management sysconsole_write_site_public_links sysconsole_read_authentication_ldap sysconsole_write_integrations_cors reload_config sysconsole_write_user_management_channels sysconsole_read_environment_high_availability sysconsole_read_site_users_and_teams sysconsole_read_user_management_teams 
sysconsole_write_site_users_and_teams sysconsole_read_site_customization sysconsole_write_environment_high_availability sysconsole_read_integrations_bot_accounts sysconsole_read_authentication_guest_access sysconsole_read_site_public_links read_elasticsearch_post_indexing_job sysconsole_read_user_management_channels sysconsole_read_reporting_team_statistics invalidate_caches sysconsole_read_authentication_signup read_elasticsearch_post_aggregation_job sysconsole_write_environment_smtp manage_public_channel_members list_public_teams add_user_to_team sysconsole_read_environment_web_server sysconsole_read_site_localization get_logs sysconsole_write_site_posts sysconsole_write_integrations_bot_accounts sysconsole_write_user_management_permissions sysconsole_read_environment_elasticsearch sysconsole_read_environment_smtp list_private_teams read_public_channel_groups sysconsole_write_environment_file_storage sysconsole_write_integrations_gif manage_public_channel_properties sysconsole_write_environment_performance_monitoring sysconsole_write_site_notifications sysconsole_read_site_notifications sysconsole_read_environment_image_proxy sysconsole_write_site_announcement_banner sysconsole_write_site_emoji test_site_url sysconsole_read_integrations_gif sysconsole_write_environment_logging convert_public_channel_to_private get_analytics sysconsole_read_user_management_permissions sysconsole_write_environment_image_proxy test_elasticsearch recycle_database_connections sysconsole_write_site_localization sysconsole_read_reporting_server_logs create_elasticsearch_post_indexing_job sysconsole_read_reporting_site_statistics test_ldap delete_public_channel sysconsole_write_environment_push_notification_server read_license_information sysconsole_write_products_boards sysconsole_read_about_edition_and_license convert_private_channel_to_public sysconsole_read_integrations_integration_management create_elasticsearch_post_aggregation_job purge_elasticsearch_indexes 
sysconsole_read_environment_database join_public_teams sysconsole_read_authentication_email sysconsole_read_environment_push_notification_server view_team read_channel sysconsole_read_authentication_password read_ldap_sync_job sysconsole_read_integrations_cors sysconsole_read_environment_logging manage_team sysconsole_read_authentication_openid read_public_channel sysconsole_write_environment_elasticsearch sysconsole_read_plugins manage_channel_roles remove_user_from_team test_email sysconsole_write_site_file_sharing_and_downloads test_s3 sysconsole_read_site_file_sharing_and_downloads sysconsole_read_site_notices sysconsole_read_environment_file_storage join_private_teams sysconsole_read_products_boards sysconsole_read_environment_session_lengths sysconsole_write_environment_database sysconsole_read_authentication_saml sysconsole_read_authentication_mfa sysconsole_write_site_notices sysconsole_write_environment_web_server sysconsole_read_site_posts sysconsole_read_environment_developer sysconsole_write_site_customization',
diff --git a/server/channels/api4/channel.go b/server/channels/api4/channel.go
index ba433e73a0..9b2e32d1c4 100644
--- a/server/channels/api4/channel.go
+++ b/server/channels/api4/channel.go
@@ -711,8 +711,8 @@ func getPinnedPosts(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), c.Params.ChannelId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), c.Params.ChannelId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
diff --git a/server/channels/api4/file.go b/server/channels/api4/file.go
index a070c10193..2df9a110fc 100644
--- a/server/channels/api4/file.go
+++ b/server/channels/api4/file.go
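Review bot: The `system_manager` entry at the end of this hunk still lists `read_channel` without `read_channel_content`, while `channel_guest`, `channel_user` and `system_admin` received the new permission. If that is deliberate (a system manager can see that a channel exists but not its posts and files), the fixture would benefit from a short comment saying so, since the server handlers in this commit now gate post, file and reaction reads on `read_channel_content` and an e2e test that acts as a system manager will hit those 403s. If it is an omission, this fixture and the server-side role defaults (the `role.go` and `permissions_migrations.go` changes listed in the diffstat, not in view here) should be kept in step, otherwise the `xor` comparison in this file will start failing for that role.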
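Review bot: This is the first of a one-for-one substitution of `PermissionReadChannel` by `PermissionReadChannelContent` that is repeated in file.go, integration_action.go, post.go, preference.go and reaction.go below; the handler itself is fine, but the actual behavioural change depends entirely on how `SessionHasPermissionToChannel` (app/authorization.go, changed by two lines per the diffstat, outside this view) resolves the new permission. Worth confirming there that a session which reaches a public channel only through team-level `read_public_channel` is treated the same for `read_channel_content` as it was for `read_channel`; otherwise non-member reads of public channels become inconsistent between endpoints that carry their own fallback (getPostsByIds in post.go) and those, like getPinnedPosts here, that rely solely on this check. A one-line comment at each new call site, `// read_channel_content (not read_channel) is what protects the posts themselves`, would make the distinction explicit for the next reader. getPinnedPosts begins and ends outside the hunk.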
@@ -463,8 +463,8 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 audit.AddEventParameterAuditable(auditRec, "file", info)
- if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -495,8 +495,8 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -538,8 +538,8 @@ func getFileLink(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 audit.AddEventParameterAuditable(auditRec, "file", info)
- if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
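Review bot: In all five file handlers of this file (getFile here, getFileThumbnail and getFileLink in this line, getFilePreview and getFileInfo in the next) the new `read_channel_content` check is skipped whenever `info.CreatorId` equals the session user, so an uploader keeps retrieving their own attachments after losing content access to the channel or after being removed from it. The exception predates this commit and may well be intended, but now that the read-content permission is the explicit gate it deserves to be recorded at each site, e.g. `// the uploader can always fetch their own file, even without read_channel_content on the channel`. If it is not intended, dropping the `info.CreatorId != ...` clause is the whole fix. getFile's body begins and ends outside the hunk.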
@@ -571,8 +571,8 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -605,8 +605,8 @@ func getFileInfo(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
diff --git a/server/channels/api4/integration_action.go b/server/channels/api4/integration_action.go
index 7b7addb88a..75b9cc5253 100644
--- a/server/channels/api4/integration_action.go
+++ b/server/channels/api4/integration_action.go
@@ -44,13 +44,13 @@ func doPostAction(c *Context, w http.ResponseWriter, r *http.Request) {
 c.Err = model.NewAppError("DoPostAction", "api.post.do_action.action_integration.app_error", nil, "", http.StatusBadRequest).Wrap(err)
 return
 }
- if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), cookie.ChannelId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), cookie.ChannelId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
 } else {
- if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
 }
@@ -108,8 +108,8 @@ func submitDialog(c *Context, w http.ResponseWriter, r *http.Request) {
 submit.UserId = c.AppContext.Session().UserId
- if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), submit.ChannelId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), submit.ChannelId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
diff --git a/server/channels/api4/post.go b/server/channels/api4/post.go
index 6e60a82f26..fe2b553583 100644
--- a/server/channels/api4/post.go
+++ b/server/channels/api4/post.go
@@ -249,8 +249,8 @@ func getPostsForChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -333,8 +333,8 @@ func getPostsForChannelAroundLastUnread(c *Context, w http.ResponseWriter, r *ht
 }
 channelId := c.Params.ChannelId
- if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -424,7 +424,7 @@ func getFlaggedPostsForUser(c *Context, w http.ResponseWriter, r *http.Request)
 if !ok {
 allowed = false
- if c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannel) {
+ if c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannelContent) {
 allowed = true
 }
@@ -529,7 +529,7 @@ func getPostsByIds(c *Context, w http.ResponseWriter, r *http.Request) {
 channelMap[channel.Id] = channel
 }
- if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannel) {
+ if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannelContent) {
 if channel.Type != model.ChannelTypeOpen || (channel.Type == model.ChannelTypeOpen && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), channel.TeamId, model.PermissionReadPublicChannel)) {
 continue
 }
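Review bot: The fallback directly under the changed line in getPostsByIds still accepts team-level `read_public_channel` for `ChannelTypeOpen` channels, so a user who lacks `read_channel_content` can still retrieve posts from any public channel of the team through this endpoint, while getPostsForChannel in the first hunk of this file denies the same posts. If `read_channel_content` is meant to be the single permission that protects post bodies, this fallback should be revisited rather than left as the one path that bypasses it; if the looser rule is intentional, it should be written down on the branch, e.g. `// non-members may still read public channels via team-level read_public_channel; this deliberately does not require read_channel_content`. The enclosing loop starts outside the hunk, so whether a later filter tightens this cannot be seen here.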
@@ -942,8 +942,8 @@ func setPostUnread(c *Context, w http.ResponseWriter, r *http.Request) {
 c.SetPermissionError(model.PermissionEditOtherUsers)
 return
 }
- if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -967,8 +967,8 @@ func setPostReminder(c *Context, w http.ResponseWriter, r *http.Request) {
 c.SetPermissionError(model.PermissionEditOtherUsers)
 return
 }
- if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -997,8 +997,8 @@ func saveIsPinnedPost(c *Context, w http.ResponseWriter, isPinned bool) {
 audit.AddEventParameter(auditRec, "post_id", c.Params.PostId)
 defer c.LogAuditRecWithLevel(auditRec, app.LevelContent)
- if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
- c.SetPermissionError(model.PermissionReadChannel)
+ if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
+ c.SetPermissionError(model.PermissionReadChannelContent)
 return
 }
@@ -1049,8 +1049,8 @@ func acknowledgePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } @@ -1086,8 +1086,8 @@ func unacknowledgePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } @@ -1112,8 +1112,8 @@ func getFileInfosForPost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } diff --git a/server/channels/api4/preference.go b/server/channels/api4/preference.go index e3a71b487d..c9e61b50c0 100644 --- a/server/channels/api4/preference.go +++ b/server/channels/api4/preference.go 
@@ -116,8 +116,8 @@ func updatePreferences(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } } diff --git a/server/channels/api4/reaction.go b/server/channels/api4/reaction.go index d6adc0f687..e0cf409a3d 100644 --- a/server/channels/api4/reaction.go +++ b/server/channels/api4/reaction.go @@ -57,8 +57,8 @@ func getReactions(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } @@ -121,8 +121,8 @@ func deleteReaction(c *Context, w http.ResponseWriter, r *http.Request) { func getBulkReactions(c *Context, w http.ResponseWriter, r *http.Request) { postIds := model.ArrayFromJSON(r.Body) for _, postId := range postIds { - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), postId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), postId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } } diff --git a/server/channels/api4/user.go b/server/channels/api4/user.go index b3f2a459a3..30204b9076 100644 --- a/server/channels/api4/user.go +++ b/server/channels/api4/user.go 
@@ -3111,8 +3111,8 @@ func getThreadForUser(c *Context, w http.ResponseWriter, r *http.Request) { c.SetPermissionError(model.PermissionEditOtherUsers) return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } extendedStr := r.URL.Query().Get("extended") @@ -3226,8 +3226,8 @@ func updateReadStateThreadByUser(c *Context, w http.ResponseWriter, r *http.Requ c.SetPermissionError(model.PermissionEditOtherUsers) return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } @@ -3262,8 +3262,8 @@ func setUnreadThreadByPostId(c *Context, w http.ResponseWriter, r *http.Request) return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } 
@@ -3296,8 +3296,8 @@ func unfollowThreadByUser(c *Context, w http.ResponseWriter, r *http.Request) { c.SetPermissionError(model.PermissionEditOtherUsers) return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } @@ -3329,8 +3329,8 @@ func followThreadByUser(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) { - c.SetPermissionError(model.PermissionReadChannel) + if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) { + c.SetPermissionError(model.PermissionReadChannelContent) return } diff --git a/server/channels/api4/webhook.go b/server/channels/api4/webhook.go index 037624f5c6..47e11fe490 100644 --- a/server/channels/api4/webhook.go +++ b/server/channels/api4/webhook.go @@ -51,9 +51,9 @@ func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) { return } - if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannel) { + if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannelContent) { c.LogAudit("fail - bad channel permissions") - c.SetPermissionError(model.PermissionReadChannel) + c.SetPermissionError(model.PermissionReadChannelContent) return } 
@@ -155,9 +155,9 @@ func updateIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) { return } - if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannel) { + if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannelContent) { c.LogAudit("fail - bad channel permissions") - c.SetPermissionError(model.PermissionReadChannel) + c.SetPermissionError(model.PermissionReadChannelContent) return } @@ -260,7 +260,7 @@ func getIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) { } if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), hook.TeamId, model.PermissionManageIncomingWebhooks) || - (channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannel)) { + (channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannelContent)) { c.LogAudit("fail - bad permissions") c.SetPermissionError(model.PermissionManageIncomingWebhooks) return @@ -314,7 +314,7 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) { auditRec.AddMeta("team_id", hook.TeamId) if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), hook.TeamId, model.PermissionManageIncomingWebhooks) || - (channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannel)) { + (channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannelContent)) { c.LogAudit("fail - bad permissions") c.SetPermissionError(model.PermissionManageIncomingWebhooks) return 
diff --git a/server/channels/app/app_test.go b/server/channels/app/app_test.go index 4cdeacb28e..0a3237a365 100644 --- a/server/channels/app/app_test.go +++ b/server/channels/app/app_test.go @@ -112,6 +112,7 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) { expected1 := map[string][]string{ "channel_user": { model.PermissionReadChannel.Id, + model.PermissionReadChannelContent.Id, model.PermissionAddReaction.Id, model.PermissionRemoveReaction.Id, model.PermissionManagePublicChannelMembers.Id, diff --git a/server/channels/app/authorization.go b/server/channels/app/authorization.go index 5ef7b80833..de20eb869f 100644 --- a/server/channels/app/authorization.go +++ b/server/channels/app/authorization.go @@ -404,5 +404,5 @@ func (a *App) SessionHasPermissionToManageBot(session model.Session, botUserId s } func (a *App) HasPermissionToReadChannel(c request.CTX, userID string, channel *model.Channel) bool { - return a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannel) || (channel.Type == model.ChannelTypeOpen && a.HasPermissionToTeam(userID, channel.TeamId, model.PermissionReadPublicChannel)) + return a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannelContent) || (channel.Type == model.ChannelTypeOpen && a.HasPermissionToTeam(userID, channel.TeamId, model.PermissionReadPublicChannel)) } diff --git a/server/channels/app/authorization_test.go b/server/channels/app/authorization_test.go index 7b36e6e90d..7ed67118a5 100644 --- a/server/channels/app/authorization_test.go +++ b/server/channels/app/authorization_test.go 
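Review bot: `HasPermissionToReadChannel` keeps a name built on `read_channel` while its body now checks `model.PermissionReadChannelContent`, and the helper has no comment explaining the split, so a future caller choosing between `PermissionReadChannel` and this helper has nothing to go on. I would add above the function: `// HasPermissionToReadChannel reports whether userID may read the channel's content (posts, files, reactions): it requires read_channel_content on the channel or, for open channels, read_public_channel on the team. read_channel alone does not satisfy this helper.` Any call site elsewhere that still checks `PermissionReadChannel` directly is now a different gate from this helper; those sites are not visible from this hunk, so a grep for the remaining `PermissionReadChannel` uses is worth doing before merge.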
@@ -33,11 +33,13 @@ func TestCheckIfRolesGrantPermission(t *testing.T) { {[]string{model.SystemAdminRoleId}, model.PermissionManageSystem.Id, true}, {[]string{model.SystemAdminRoleId}, "non-existent-permission", false}, {[]string{model.ChannelUserRoleId}, model.PermissionReadChannel.Id, true}, + {[]string{model.ChannelUserRoleId}, model.PermissionReadChannelContent.Id, true}, {[]string{model.ChannelUserRoleId}, model.PermissionManageSystem.Id, false}, {[]string{model.SystemAdminRoleId, model.ChannelUserRoleId}, model.PermissionManageSystem.Id, true}, {[]string{model.ChannelUserRoleId, model.SystemAdminRoleId}, model.PermissionManageSystem.Id, true}, {[]string{model.TeamUserRoleId, model.TeamAdminRoleId}, model.PermissionManageSlashCommands.Id, true}, {[]string{model.TeamAdminRoleId, model.TeamUserRoleId}, model.PermissionManageSlashCommands.Id, true}, + {[]string{model.ChannelGuestRoleId}, model.PermissionReadChannelContent.Id, true}, } for _, testcase := range cases { diff --git a/server/channels/app/permissions_migrations.go b/server/channels/app/permissions_migrations.go index e0fefa0b1f..57e13e9217 100644 --- a/server/channels/app/permissions_migrations.go +++ b/server/channels/app/permissions_migrations.go 
@@ -1092,6 +1092,31 @@ func (a *App) getProductsBoardsPermissions() (permissionsMap, error) { return transformations, nil } +func (a *App) getAddChannelReadContentPermissions() (permissionsMap, error) { + t := []permissionTransformation{} + + readChannelContentPermissions := []string{ + model.PermissionReadChannelContent.Id, + } + + // Migrate all roles including custom roles that have the read_channel permission + // but exclude system console roles system_read_only_admin system_user_manager & system_manager + // as this system roles are for the admin console use only + t = append(t, permissionTransformation{ + On: permissionAnd( + permissionAnd( + isNotRole(model.SystemUserManagerRoleId), + isNotRole(model.SystemReadOnlyAdminRoleId), + isNotRole(model.SystemManagerRoleId), + ), + permissionExists(model.PermissionReadChannel.Id), + ), + Add: readChannelContentPermissions, + }) + + return t, nil +} + // DoPermissionsMigrations execute all the permissions migrations need by the current version. func (a *App) DoPermissionsMigrations() error { return a.Srv().doPermissionsMigrations() @@ -1135,6 +1160,7 @@ func (s *Server) doPermissionsMigrations() error { {Key: model.MigrationKeyAddPlayboosksManageRolesPermissions, Migration: a.getPlaybooksPermissionsAddManageRoles}, {Key: model.MigrationKeyAddProductsBoardsPermissions, Migration: a.getProductsBoardsPermissions}, {Key: model.MigrationKeyAddCustomUserGroupsPermissionRestore, Migration: a.getAddCustomUserGroupsPermissionRestore}, + {Key: model.MigrationKeyAddReadChannelContentPermissions, Migration: a.getAddChannelReadContentPermissions}, } roles, err := s.Store().Role().GetAll() diff --git a/server/channels/app/post.go b/server/channels/app/post.go index 05ec078bb9..48651dc8e8 100644 --- a/server/channels/app/post.go +++ b/server/channels/app/post.go 
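Review bot: The `On` predicate in getAddChannelReadContentPermissions nests one `permissionAnd` inside another for no effect, and the comment lists the excluded roles in a different order from the code with a grammar slip ("as this system roles are"); flattening to `On: permissionAnd(isNotRole(model.SystemUserManagerRoleId), isNotRole(model.SystemReadOnlyAdminRoleId), isNotRole(model.SystemManagerRoleId), permissionExists(model.PermissionReadChannel.Id)),` keeps the same condition and reads against the comment directly. The exclusion deserves its own sentence because it is a deliberate narrowing: a console role such as system_read_only_admin that has `read_channel` will not receive `read_channel_content` and so loses access to every post, file, reaction and thread endpoint this commit switches over. I would state that in the comment — `// system_user_manager, system_read_only_admin and system_manager are console-only roles: they keep read_channel but are intentionally NOT granted read_channel_content` — and add a migration test asserting those three roles end without it, since the existing TestDoAdvancedPermissionsMigration expectation only covers channel_user.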
@@ -1995,13 +1995,13 @@ func (a *App) GetPostIfAuthorized(c request.CTX, postID string, session *model.S return nil, err } - if !a.SessionHasPermissionToChannel(c, *session, channel.Id, model.PermissionReadChannel) { + if !a.SessionHasPermissionToChannel(c, *session, channel.Id, model.PermissionReadChannelContent) { if channel.Type == model.ChannelTypeOpen { if !a.SessionHasPermissionToTeam(*session, channel.TeamId, model.PermissionReadPublicChannel) { return nil, a.MakePermissionError(session, []*model.Permission{model.PermissionReadPublicChannel}) } } else { - return nil, a.MakePermissionError(session, []*model.Permission{model.PermissionReadChannel}) + return nil, a.MakePermissionError(session, []*model.Permission{model.PermissionReadChannelContent}) } } @@ -2217,7 +2217,7 @@ func (a *App) GetPostInfo(c request.CTX, postID string) (*model.PostInfo, *model } else if channel.Type == model.ChannelTypePrivate { hasPermissionToAccessChannel = a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionManagePrivateChannelMembers) } else if channel.Type == model.ChannelTypeDirect || channel.Type == model.ChannelTypeGroup { - hasPermissionToAccessChannel = a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannel) + hasPermissionToAccessChannel = a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannelContent) } if !hasPermissionToAccessChannel { diff --git a/server/channels/app/webhook.go b/server/channels/app/webhook.go index 9f98d22ca7..e5600ef373 100644 --- a/server/channels/app/webhook.go +++ b/server/channels/app/webhook.go 
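Review bot: In GetPostInfo the direct/group branch now keys off `read_channel_content` while the private-channel branch beside it still keys off `manage_private_channel_members`, and nothing at the site says why the two "can access" answers come from different permission families. If `hasPermissionToAccessChannel` means "can this user get to the post" — which the surrounding lines suggest but do not state — a private-channel member without member-management rights is told they lack access; if it means "can the user add themselves to the channel", the DM/GM branch is the odd one out. A comment on the branch chain naming the question the field answers would settle it, e.g. `// private: reachable only if the user can add themselves as a member; DM/GM: only existing members can read the content`, with the condition corrected if that is not the intent. GetPostInfo starts and ends outside the hunk.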
@@ -775,7 +775,7 @@ func (a *App) HandleIncomingWebhook(c *request.Context, hookID string, req *mode return model.NewAppError("HandleIncomingWebhook", "web.incoming_webhook.user.app_error", nil, "", http.StatusForbidden).Wrap(result.NErr) } - if channel.Type != model.ChannelTypeOpen && !a.HasPermissionToChannel(c, hook.UserId, channel.Id, model.PermissionReadChannel) { + if channel.Type != model.ChannelTypeOpen && !a.HasPermissionToChannel(c, hook.UserId, channel.Id, model.PermissionReadChannelContent) { return model.NewAppError("HandleIncomingWebhook", "web.incoming_webhook.permissions.app_error", nil, "", http.StatusForbidden) } diff --git a/server/channels/store/sqlstore/integrity_test.go b/server/channels/store/sqlstore/integrity_test.go index a10c8ddaa4..76b61ad2cc 100644 --- a/server/channels/store/sqlstore/integrity_test.go +++ b/server/channels/store/sqlstore/integrity_test.go @@ -258,6 +258,7 @@ func createDefaultRoles(ss store.Store) { DisplayName: model.ChannelUserRoleId, Permissions: []string{ model.PermissionReadChannel.Id, + model.PermissionReadChannelContent.Id, model.PermissionCreatePost.Id, }, }) @@ -267,6 +268,7 @@ func createDefaultRoles(ss store.Store) { DisplayName: model.ChannelGuestRoleId, Permissions: []string{ model.PermissionReadChannel.Id, + model.PermissionReadChannelContent.Id, model.PermissionCreatePost.Id, }, }) diff --git a/server/channels/store/storetest/scheme_store.go b/server/channels/store/storetest/scheme_store.go index 5423015a79..fb7de168a9 100644 --- a/server/channels/store/storetest/scheme_store.go +++ b/server/channels/store/storetest/scheme_store.go @@ -67,6 +67,7 @@ func createDefaultRoles(ss store.Store) { DisplayName: model.ChannelUserRoleId, Permissions: []string{ model.PermissionReadChannel.Id, + model.PermissionReadChannelContent.Id, model.PermissionCreatePost.Id, }, }) 
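Review bot: HandleIncomingWebhook authorizes a write — creating a post in a non-open channel on behalf of `hook.UserId` — by checking the read permission `read_channel_content` of the hook's creator, and the line carries no comment saying this is the intended proxy for "the creator still has access to the channel". Since an incoming hook is presumably invoked by an external caller presenting only the hook ID (the caller path is outside this hunk), this check is the per-request control that ties the post to a user's current channel access, so the intent should be explicit: `// Incoming hooks carry no user session; a post to a private/DM/GM channel is allowed only while the hook's creator can still read that channel's content.` The `channel.Type != model.ChannelTypeOpen` short-circuit means a creator who has left a public channel can still post there through the hook; if that is intended, the same comment should say so. The enclosing function starts and ends outside the hunk.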
@@ -76,6 +77,7 @@ func createDefaultRoles(ss store.Store) { DisplayName: model.ChannelGuestRoleId, Permissions: []string{ model.PermissionReadChannel.Id, + model.PermissionReadChannelContent.Id, model.PermissionCreatePost.Id, }, }) @@ -158,7 +160,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) { role4, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelUserRole) assert.NoError(t, err) - assert.Equal(t, role4.Permissions, []string{"read_channel", "create_post"}) + assert.Equal(t, role4.Permissions, []string{"read_channel", "read_channel_content", "create_post"}) assert.True(t, role4.SchemeManaged) role5, err := ss.Role().GetByName(context.Background(), d1.DefaultTeamGuestRole) @@ -168,7 +170,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) { role6, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelGuestRole) assert.NoError(t, err) - assert.Equal(t, role6.Permissions, []string{"read_channel", "create_post"}) + assert.Equal(t, role6.Permissions, []string{"read_channel", "read_channel_content", "create_post"}) assert.True(t, role6.SchemeManaged) // Change the scheme description and update. @@ -386,7 +388,7 @@ func testSchemeStoreDelete(t *testing.T, ss store.Store) { role4, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelUserRole) assert.NoError(t, err) - assert.Equal(t, role4.Permissions, []string{"read_channel", "create_post"}) + assert.Equal(t, role4.Permissions, []string{"read_channel", "read_channel_content", "create_post"}) assert.True(t, role4.SchemeManaged) role5, err := ss.Role().GetByName(context.Background(), d1.DefaultTeamGuestRole) 
@@ -396,7 +398,7 @@ func testSchemeStoreDelete(t *testing.T, ss store.Store) { role6, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelGuestRole) assert.NoError(t, err) - assert.Equal(t, role6.Permissions, []string{"read_channel", "create_post"}) + assert.Equal(t, role6.Permissions, []string{"read_channel", "read_channel_content", "create_post"}) assert.True(t, role6.SchemeManaged) // Delete the scheme. diff --git a/server/channels/testlib/store.go b/server/channels/testlib/store.go index 05af2385b4..6937f0456b 100644 --- a/server/channels/testlib/store.go +++ b/server/channels/testlib/store.go @@ -70,6 +70,7 @@ func GetMockStoreForSetupFunctions() *mocks.Store { systemStore.On("GetByName", model.MigrationKeyAddCustomUserGroupsPermissions).Return(&model.System{Name: model.MigrationKeyAddCustomUserGroupsPermissions, Value: "true"}, nil) systemStore.On("GetByName", model.MigrationKeyAddPlayboosksManageRolesPermissions).Return(&model.System{Name: model.MigrationKeyAddPlayboosksManageRolesPermissions, Value: "true"}, nil) systemStore.On("GetByName", model.MigrationKeyAddCustomUserGroupsPermissionRestore).Return(&model.System{Name: model.MigrationKeyAddCustomUserGroupsPermissionRestore, Value: "true"}, nil) + systemStore.On("GetByName", model.MigrationKeyAddReadChannelContentPermissions).Return(&model.System{Name: model.MigrationKeyAddReadChannelContentPermissions, Value: "true"}, nil) systemStore.On("GetByName", "CustomGroupAdminRoleCreationMigrationComplete").Return(&model.System{Name: model.MigrationKeyAddPlayboosksManageRolesPermissions, Value: "true"}, nil) systemStore.On("GetByName", "products_boards").Return(&model.System{Name: "products_boards", Value: "true"}, nil) systemStore.On("GetByName", "elasticsearch_fix_channel_index_migration").Return(&model.System{Name: "elasticsearch_fix_channel_index_migration", Value: "true"}, nil) diff --git a/server/public/model/migration.go b/server/public/model/migration.go index 159bf53f1e..480080b872 100644 
--- a/server/public/model/migration.go +++ b/server/public/model/migration.go @@ -40,6 +40,7 @@ const ( MigrationKeyAddPlayboosksManageRolesPermissions = "playbooks_manage_roles" MigrationKeyAddProductsBoardsPermissions = "products_boards" MigrationKeyAddCustomUserGroupsPermissionRestore = "custom_groups_permission_restore" + MigrationKeyAddReadChannelContentPermissions = "read_channel_content_permissions" MigrationKeyElasticsearchFixChannelIndex = "elasticsearch_fix_channel_index_migration" MigrationKeyS3Path = "s3_path_migration" ) diff --git a/server/public/model/permission.go b/server/public/model/permission.go index 43c48b74a7..88c35798fb 100644 --- a/server/public/model/permission.go +++ b/server/public/model/permission.go @@ -51,6 +51,7 @@ var PermissionDeletePublicChannel *Permission var PermissionDeletePrivateChannel *Permission var PermissionEditOtherUsers *Permission var PermissionReadChannel *Permission +var PermissionReadChannelContent *Permission var PermissionReadPublicChannelGroups *Permission var PermissionReadPrivateChannelGroups *Permission var PermissionReadPublicChannel *Permission @@ -561,6 +562,12 @@ func initializePermissions() { "authentication.permissions.read_channel.description", PermissionScopeChannel, } + PermissionReadChannelContent = &Permission{ + "read_channel_content", + "authentication.permissions.read_channel_content.name", + "authentication.permissions.read_channel_content.description", + PermissionScopeChannel, + } PermissionReadPublicChannelGroups = &Permission{ "read_public_channel_groups", "authentication.permissions.read_public_channel_groups.name", @@ -2329,6 +2336,7 @@ func initializePermissions() { PermissionDeletePublicChannel, PermissionDeletePrivateChannel, PermissionReadChannel, + PermissionReadChannelContent, PermissionReadPublicChannelGroups, PermissionReadPrivateChannelGroups, PermissionAddReaction, diff --git a/server/public/model/role.go b/server/public/model/role.go index 4fba0c64f7..d79a561937 100644 
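Review bot: `PermissionReadChannelContent` is added beside `PermissionReadChannel` with no comment distinguishing the two, even though the rest of this commit moves post, file, reaction and thread reads onto the new one, so a reader of permission.go cannot tell what `read_channel` still grants. A comment on the new variable would carry that contract: `// PermissionReadChannelContent gates a channel's content (posts, files, reactions, threads). PermissionReadChannel no longer implies content access.` — extended with whatever `read_channel` actually still gates, which this hunk does not show. The new i18n keys `authentication.permissions.read_channel_content.name` and `.description` are referenced here, but no translation entries for them appear in the visible hunks; if they are not added elsewhere the admin console will most likely render the raw key.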
--- a/server/public/model/role.go +++ b/server/public/model/role.go @@ -749,6 +749,7 @@ func MakeDefaultRoles() map[string]*Role { Description: "authentication.roles.channel_guest.description", Permissions: []string{ PermissionReadChannel.Id, + PermissionReadChannelContent.Id, PermissionAddReaction.Id, PermissionRemoveReaction.Id, PermissionUploadFile.Id, @@ -766,6 +767,7 @@ func MakeDefaultRoles() map[string]*Role { Description: "authentication.roles.channel_user.description", Permissions: []string{ PermissionReadChannel.Id, + PermissionReadChannelContent.Id, PermissionAddReaction.Id, PermissionRemoveReaction.Id, PermissionManagePublicChannelMembers.Id, diff --git a/webapp/channels/src/components/admin_console/permission_schemes_settings/guest_permissions_tree/index.tsx b/webapp/channels/src/components/admin_console/permission_schemes_settings/guest_permissions_tree/index.tsx index 52255c2a57..79f79eb537 100644 --- a/webapp/channels/src/components/admin_console/permission_schemes_settings/guest_permissions_tree/index.tsx +++ b/webapp/channels/src/components/admin_console/permission_schemes_settings/guest_permissions_tree/index.tsx @@ -17,6 +17,8 @@ export const GUEST_INCLUDED_PERMISSIONS = [ Permissions.DELETE_POST, Permissions.ADD_REACTION, Permissions.REMOVE_REACTION, + Permissions.READ_CHANNEL, + Permissions.UPLOAD_FILE, Permissions.USE_CHANNEL_MENTIONS, Permissions.USE_GROUP_MENTIONS, Permissions.CREATE_POST, diff --git a/webapp/channels/src/packages/mattermost-redux/src/constants/permissions.ts b/webapp/channels/src/packages/mattermost-redux/src/constants/permissions.ts index 19ff5a3ccb..1054aadd96 100644 --- a/webapp/channels/src/packages/mattermost-redux/src/constants/permissions.ts +++ b/webapp/channels/src/packages/mattermost-redux/src/constants/permissions.ts 
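Review bot: `GUEST_INCLUDED_PERMISSIONS` gains `Permissions.READ_CHANNEL` and `Permissions.UPLOAD_FILE` but not `Permissions.READ_CHANNEL_CONTENT`, while the role.go hunk on the same line adds `PermissionReadChannelContent.Id` to the server's default channel_guest role. If this list drives which permissions the guest tree in the admin console shows or retains (its consumer is outside the hunk, so I am inferring that from the name), the new permission will be absent from the guest scheme UI even though the server grants it, and an admin editing guest permissions could leave guests with `read_channel` but not `read_channel_content` — which after this commit means no access to posts, files or reactions. Add `Permissions.READ_CHANNEL_CONTENT,` directly after `Permissions.READ_CHANNEL,` so the two are always offered together.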
@@ -33,6 +33,7 @@ const values = { DELETE_PRIVATE_CHANNEL: 'delete_private_channel', EDIT_OTHER_USERS: 'edit_other_users', READ_CHANNEL: 'read_channel', + READ_CHANNEL_CONTENT: 'read_channel_content', READ_PUBLIC_CHANNEL: 'read_public_channel', ADD_REACTION: 'add_reaction', REMOVE_REACTION: 'remove_reaction', @@ -107,6 +108,7 @@ const values = { CREATE_ELASTICSEARCH_POST_AGGREGATION_JOB: 'create_elasticsearch_post_aggregation_job', READ_ELASTICSEARCH_POST_INDEXING_JOB: 'read_elasticsearch_post_indexing_job', READ_ELASTICSEARCH_POST_AGGREGATION_JOB: 'read_elasticsearch_post_aggregation_job', + USE_SLASH_COMMANDS: 'use_slash_commands', SYSCONSOLE_READ_ABOUT_EDITION_AND_LICENSE: 'sysconsole_read_about_edition_and_license', SYSCONSOLE_WRITE_ABOUT_EDITION_AND_LICENSE: 'sysconsole_write_about_edition_and_license', diff --git a/webapp/channels/src/utils/constants.tsx b/webapp/channels/src/utils/constants.tsx index 5ad1eaef27..fb19606eca 100644 --- a/webapp/channels/src/utils/constants.tsx +++ b/webapp/channels/src/utils/constants.tsx @@ -1184,6 +1184,7 @@ export const PermissionsScope = { [Permissions.DELETE_PRIVATE_CHANNEL]: 'channel_scope', [Permissions.EDIT_OTHER_USERS]: 'system_scope', [Permissions.READ_CHANNEL]: 'channel_scope', + [Permissions.READ_CHANNEL_CONTENT]: 'channel_scope', [Permissions.READ_PUBLIC_CHANNEL]: 'team_scope', [Permissions.ADD_REACTION]: 'channel_scope', [Permissions.REMOVE_REACTION]: 'channel_scope', @@ -1243,13 +1244,13 @@ export const PermissionsScope = { [Permissions.DELETE_CUSTOM_GROUP]: 'system_scope', [Permissions.RESTORE_CUSTOM_GROUP]: 'system_scope', [Permissions.MANAGE_CUSTOM_GROUP_MEMBERS]: 'system_scope', + [Permissions.USE_SLASH_COMMANDS]: 'channel_scope', }; export const DefaultRolePermissions = { all_users: [ Permissions.CREATE_DIRECT_CHANNEL, Permissions.CREATE_GROUP_CHANNEL, - Permissions.PERMANENT_DELETE_USER, Permissions.CREATE_TEAM, Permissions.LIST_TEAM_CHANNELS, Permissions.JOIN_PUBLIC_CHANNELS, 
@@ -1264,6 +1265,7 @@ export const DefaultRolePermissions = { Permissions.INVITE_USER, Permissions.ADD_USER_TO_TEAM, Permissions.READ_CHANNEL, + Permissions.READ_CHANNEL_CONTENT, Permissions.ADD_REACTION, Permissions.REMOVE_REACTION, Permissions.MANAGE_PUBLIC_CHANNEL_MEMBERS, @@ -1275,8 +1277,6 @@ export const DefaultRolePermissions = { Permissions.MANAGE_PRIVATE_CHANNEL_MEMBERS, Permissions.DELETE_POST, Permissions.EDIT_POST, - Permissions.LIST_PUBLIC_TEAMS, - Permissions.JOIN_PUBLIC_TEAMS, Permissions.USE_CHANNEL_MENTIONS, Permissions.USE_GROUP_MENTIONS, Permissions.CREATE_CUSTOM_GROUP, @@ -1289,8 +1289,13 @@ export const DefaultRolePermissions = { Permissions.PLAYBOOK_PRIVATE_MANAGE_MEMBERS, Permissions.PLAYBOOK_PUBLIC_MANAGE_PROPERTIES, Permissions.PLAYBOOK_PRIVATE_MANAGE_PROPERTIES, - Permissions.PLAYBOOK_PUBLIC_MAKE_PRIVATE, Permissions.RUN_CREATE, + Permissions.USE_SLASH_COMMANDS, + Permissions.DELETE_EMOJIS, + Permissions.INVITE_GUEST, + Permissions.CREATE_EMOJIS, + Permissions.RUN_VIEW, + Permissions.RESTORE_CUSTOM_GROUP, ], channel_admin: [ Permissions.MANAGE_CHANNEL_ROLES,
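Review bot: The `all_users` default list gains `INVITE_GUEST`, `DELETE_EMOJIS`, `CREATE_EMOJIS`, `RESTORE_CUSTOM_GROUP`, `RUN_VIEW` and `USE_SLASH_COMMANDS` and drops `LIST_PUBLIC_TEAMS`, `JOIN_PUBLIC_TEAMS` and `PLAYBOOK_PUBLIC_MAKE_PRIVATE` in the same commit that introduces `read_channel_content`, and nothing in the hunk records which server-side role definition these were reconciled against. If this array is what the admin console presents as the reset-to-default grant for every user (the name suggests so; its consumer is outside the hunk), any entry that does not match the server's `MakeDefaultRoles` in server/public/model/role.go misleads an admin about what "default" restores — `INVITE_GUEST` and `DELETE_EMOJIS` in particular widen what a plain user is shown as holding by default. I would either split these unrelated default changes into their own commit or add a header comment on `DefaultRolePermissions` naming the source of truth, e.g. `// Mirrors MakeDefaultRoles() in server/public/model/role.go; update both together.`, and cover the parity with a test. The `all_users` array starts before this hunk and the `channel_admin` entry continues past it.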