Add read_channel_content permission (#24118)
* Add read_channel_content permission * fix tests * update system console default permissions per role * add read_channel_content to e2e defaultRolesPermissions * Migration to include custom roles * replace deprecated isNotExactRole with isNotRole --------- Co-authored-by: Mattermost Build <build@mattermost.com>
This commit is contained in:
parent
047583947f
commit
aa88f8bf59
@ -711,8 +711,8 @@ func getPinnedPosts(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), c.Params.ChannelId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), c.Params.ChannelId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -463,8 +463,8 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
audit.AddEventParameterAuditable(auditRec, "file", info)
|
||||
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -495,8 +495,8 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -538,8 +538,8 @@ func getFileLink(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
audit.AddEventParameterAuditable(auditRec, "file", info)
|
||||
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -571,8 +571,8 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -605,8 +605,8 @@ func getFileInfo(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if info.CreatorId != c.AppContext.Session().UserId && !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), info.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -44,13 +44,13 @@ func doPostAction(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
c.Err = model.NewAppError("DoPostAction", "api.post.do_action.action_integration.app_error", nil, "", http.StatusBadRequest).Wrap(err)
|
||||
return
|
||||
}
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), cookie.ChannelId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), cookie.ChannelId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
} else {
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
}
|
||||
@ -108,8 +108,8 @@ func submitDialog(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
submit.UserId = c.AppContext.Session().UserId
|
||||
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), submit.ChannelId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), submit.ChannelId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -249,8 +249,8 @@ func getPostsForChannel(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -333,8 +333,8 @@ func getPostsForChannelAroundLastUnread(c *Context, w http.ResponseWriter, r *ht
|
||||
}
|
||||
|
||||
channelId := c.Params.ChannelId
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channelId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -424,7 +424,7 @@ func getFlaggedPostsForUser(c *Context, w http.ResponseWriter, r *http.Request)
|
||||
if !ok {
|
||||
allowed = false
|
||||
|
||||
if c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannel) {
|
||||
if c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannelContent) {
|
||||
allowed = true
|
||||
}
|
||||
|
||||
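Review bot: The changed condition in getFlaggedPostsForUser only flips `allowed` back to true right after the line above set it to false, so the set/check/set can collapse into one assignment: `allowed = c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannelContent)`. That keeps the whole permission decision on a single line and removes a branch that has no other effect. getFlaggedPostsForUser begins and ends outside the hunk, so the enclosing `if !ok` block should be checked before applying this.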
@ -529,7 +529,7 @@ func getPostsByIds(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
channelMap[channel.Id] = channel
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannel) {
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannelContent) {
|
||||
if channel.Type != model.ChannelTypeOpen || (channel.Type == model.ChannelTypeOpen && !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), channel.TeamId, model.PermissionReadPublicChannel)) {
|
||||
continue
|
||||
}
|
||||
@ -942,8 +942,8 @@ func setPostUnread(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
c.SetPermissionError(model.PermissionEditOtherUsers)
|
||||
return
|
||||
}
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -967,8 +967,8 @@ func setPostReminder(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
c.SetPermissionError(model.PermissionEditOtherUsers)
|
||||
return
|
||||
}
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -997,8 +997,8 @@ func saveIsPinnedPost(c *Context, w http.ResponseWriter, isPinned bool) {
|
||||
audit.AddEventParameter(auditRec, "post_id", c.Params.PostId)
|
||||
defer c.LogAuditRecWithLevel(auditRec, app.LevelContent)
|
||||
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -1049,8 +1049,8 @@ func acknowledgePost(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -1086,8 +1086,8 @@ func unacknowledgePost(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -1112,8 +1112,8 @@ func getFileInfosForPost(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -116,8 +116,8 @@ func updatePreferences(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), post.ChannelId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
@ -57,8 +57,8 @@ func getReactions(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.PostId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -121,8 +121,8 @@ func deleteReaction(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
func getBulkReactions(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
postIds := model.ArrayFromJSON(r.Body)
|
||||
for _, postId := range postIds {
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), postId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), postId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
@ -3111,8 +3111,8 @@ func getThreadForUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
c.SetPermissionError(model.PermissionEditOtherUsers)
|
||||
return
|
||||
}
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
extendedStr := r.URL.Query().Get("extended")
|
||||
@ -3226,8 +3226,8 @@ func updateReadStateThreadByUser(c *Context, w http.ResponseWriter, r *http.Requ
|
||||
c.SetPermissionError(model.PermissionEditOtherUsers)
|
||||
return
|
||||
}
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -3262,8 +3262,8 @@ func setUnreadThreadByPostId(c *Context, w http.ResponseWriter, r *http.Request)
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -3296,8 +3296,8 @@ func unfollowThreadByUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
c.SetPermissionError(model.PermissionEditOtherUsers)
|
||||
return
|
||||
}
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -3329,8 +3329,8 @@ func followThreadByUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannel) {
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
if !c.App.SessionHasPermissionToChannelByPost(*c.AppContext.Session(), c.Params.ThreadId, model.PermissionReadChannelContent) {
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -51,9 +51,9 @@ func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannel) {
|
||||
if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannelContent) {
|
||||
c.LogAudit("fail - bad channel permissions")
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -155,9 +155,9 @@ func updateIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannel) {
|
||||
if channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionReadChannelContent) {
|
||||
c.LogAudit("fail - bad channel permissions")
|
||||
c.SetPermissionError(model.PermissionReadChannel)
|
||||
c.SetPermissionError(model.PermissionReadChannelContent)
|
||||
return
|
||||
}
|
||||
|
||||
@ -260,7 +260,7 @@ func getIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), hook.TeamId, model.PermissionManageIncomingWebhooks) ||
|
||||
(channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannel)) {
|
||||
(channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannelContent)) {
|
||||
c.LogAudit("fail - bad permissions")
|
||||
c.SetPermissionError(model.PermissionManageIncomingWebhooks)
|
||||
return
|
||||
@ -314,7 +314,7 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
auditRec.AddMeta("team_id", hook.TeamId)
|
||||
|
||||
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), hook.TeamId, model.PermissionManageIncomingWebhooks) ||
|
||||
(channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannel)) {
|
||||
(channel.Type != model.ChannelTypeOpen && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), hook.ChannelId, model.PermissionReadChannelContent)) {
|
||||
c.LogAudit("fail - bad permissions")
|
||||
c.SetPermissionError(model.PermissionManageIncomingWebhooks)
|
||||
return
|
||||
|
@ -112,6 +112,7 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
|
||||
expected1 := map[string][]string{
|
||||
"channel_user": {
|
||||
model.PermissionReadChannel.Id,
|
||||
model.PermissionReadChannelContent.Id,
|
||||
model.PermissionAddReaction.Id,
|
||||
model.PermissionRemoveReaction.Id,
|
||||
model.PermissionManagePublicChannelMembers.Id,
|
||||
|
@ -404,5 +404,5 @@ func (a *App) SessionHasPermissionToManageBot(session model.Session, botUserId s
|
||||
}
|
||||
|
||||
func (a *App) HasPermissionToReadChannel(c request.CTX, userID string, channel *model.Channel) bool {
|
||||
return a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannel) || (channel.Type == model.ChannelTypeOpen && a.HasPermissionToTeam(userID, channel.TeamId, model.PermissionReadPublicChannel))
|
||||
return a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannelContent) || (channel.Type == model.ChannelTypeOpen && a.HasPermissionToTeam(userID, channel.TeamId, model.PermissionReadPublicChannel))
|
||||
}
|
||||
|
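Review bot: HasPermissionToReadChannel now checks PermissionReadChannelContent while its name still says "read channel" and it carries no doc comment, so a reader cannot tell from the signature whether it gates channel visibility or post content. A doc comment would settle it: `// HasPermissionToReadChannel reports whether userID may read the content of channel: read_channel_content on the channel itself, or, for open channels, read_public_channel on its team.` Any caller that only needs channel visibility rather than content should no longer go through this function after this change; the hunk does not show its callers, so that is worth checking in the rest of the commit.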
@ -33,11 +33,13 @@ func TestCheckIfRolesGrantPermission(t *testing.T) {
|
||||
{[]string{model.SystemAdminRoleId}, model.PermissionManageSystem.Id, true},
|
||||
{[]string{model.SystemAdminRoleId}, "non-existent-permission", false},
|
||||
{[]string{model.ChannelUserRoleId}, model.PermissionReadChannel.Id, true},
|
||||
{[]string{model.ChannelUserRoleId}, model.PermissionReadChannelContent.Id, true},
|
||||
{[]string{model.ChannelUserRoleId}, model.PermissionManageSystem.Id, false},
|
||||
{[]string{model.SystemAdminRoleId, model.ChannelUserRoleId}, model.PermissionManageSystem.Id, true},
|
||||
{[]string{model.ChannelUserRoleId, model.SystemAdminRoleId}, model.PermissionManageSystem.Id, true},
|
||||
{[]string{model.TeamUserRoleId, model.TeamAdminRoleId}, model.PermissionManageSlashCommands.Id, true},
|
||||
{[]string{model.TeamAdminRoleId, model.TeamUserRoleId}, model.PermissionManageSlashCommands.Id, true},
|
||||
{[]string{model.ChannelGuestRoleId}, model.PermissionReadChannelContent.Id, true},
|
||||
}
|
||||
|
||||
for _, testcase := range cases {
|
||||
|
@ -1092,6 +1092,31 @@ func (a *App) getProductsBoardsPermissions() (permissionsMap, error) {
|
||||
return transformations, nil
|
||||
}
|
||||
|
||||
func (a *App) getAddChannelReadContentPermissions() (permissionsMap, error) {
|
||||
t := []permissionTransformation{}
|
||||
|
||||
readChannelContentPermissions := []string{
|
||||
model.PermissionReadChannelContent.Id,
|
||||
}
|
||||
|
||||
// Migrate all roles including custom roles that have the read_channel permission
|
||||
// but exclude system console roles system_read_only_admin system_user_manager & system_manager
|
||||
// as this system roles are for the admin console use only
|
||||
t = append(t, permissionTransformation{
|
||||
On: permissionAnd(
|
||||
permissionAnd(
|
||||
isNotRole(model.SystemUserManagerRoleId),
|
||||
isNotRole(model.SystemReadOnlyAdminRoleId),
|
||||
isNotRole(model.SystemManagerRoleId),
|
||||
),
|
||||
permissionExists(model.PermissionReadChannel.Id),
|
||||
),
|
||||
Add: readChannelContentPermissions,
|
||||
})
|
||||
|
||||
return t, nil
|
||||
}
|
||||
|
||||
// DoPermissionsMigrations execute all the permissions migrations need by the current version.
|
||||
func (a *App) DoPermissionsMigrations() error {
|
||||
return a.Srv().doPermissionsMigrations()
|
||||
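Review bot: The explanatory comment inside getAddChannelReadContentPermissions has a grammar slip and the `On:` condition nests `permissionAnd` one level deeper than needed, since `permissionAnd` already accepts three conditions a few lines below; assuming it is a plain conjunction, `On: permissionAnd(isNotRole(model.SystemUserManagerRoleId), isNotRole(model.SystemReadOnlyAdminRoleId), isNotRole(model.SystemManagerRoleId), permissionExists(model.PermissionReadChannel.Id)),` reads the same and drops a level. The comment line should read `// as these system roles are for admin console use only`. Because the three excluded roles keep read_channel without gaining read_channel_content, the handlers switched to PermissionReadChannelContent elsewhere in this commit will now deny sessions that rely solely on those roles for post content, which looks intended but deserves a doc comment on the function, e.g. `// getAddChannelReadContentPermissions grants read_channel_content to every built-in or custom role that already holds read_channel, except the admin-console roles, which keep channel visibility without post content access.` The `t := []permissionTransformation{}` followed by a single append could also be a one-element slice literal.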
@ -1135,6 +1160,7 @@ func (s *Server) doPermissionsMigrations() error {
|
||||
{Key: model.MigrationKeyAddPlayboosksManageRolesPermissions, Migration: a.getPlaybooksPermissionsAddManageRoles},
|
||||
{Key: model.MigrationKeyAddProductsBoardsPermissions, Migration: a.getProductsBoardsPermissions},
|
||||
{Key: model.MigrationKeyAddCustomUserGroupsPermissionRestore, Migration: a.getAddCustomUserGroupsPermissionRestore},
|
||||
{Key: model.MigrationKeyAddReadChannelContentPermissions, Migration: a.getAddChannelReadContentPermissions},
|
||||
}
|
||||
|
||||
roles, err := s.Store().Role().GetAll()
|
||||
|
@ -1995,13 +1995,13 @@ func (a *App) GetPostIfAuthorized(c request.CTX, postID string, session *model.S
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if !a.SessionHasPermissionToChannel(c, *session, channel.Id, model.PermissionReadChannel) {
|
||||
if !a.SessionHasPermissionToChannel(c, *session, channel.Id, model.PermissionReadChannelContent) {
|
||||
if channel.Type == model.ChannelTypeOpen {
|
||||
if !a.SessionHasPermissionToTeam(*session, channel.TeamId, model.PermissionReadPublicChannel) {
|
||||
return nil, a.MakePermissionError(session, []*model.Permission{model.PermissionReadPublicChannel})
|
||||
}
|
||||
} else {
|
||||
return nil, a.MakePermissionError(session, []*model.Permission{model.PermissionReadChannel})
|
||||
return nil, a.MakePermissionError(session, []*model.Permission{model.PermissionReadChannelContent})
|
||||
}
|
||||
}
|
||||
|
||||
@ -2217,7 +2217,7 @@ func (a *App) GetPostInfo(c request.CTX, postID string) (*model.PostInfo, *model
|
||||
} else if channel.Type == model.ChannelTypePrivate {
|
||||
hasPermissionToAccessChannel = a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionManagePrivateChannelMembers)
|
||||
} else if channel.Type == model.ChannelTypeDirect || channel.Type == model.ChannelTypeGroup {
|
||||
hasPermissionToAccessChannel = a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannel)
|
||||
hasPermissionToAccessChannel = a.HasPermissionToChannel(c, userID, channel.Id, model.PermissionReadChannelContent)
|
||||
}
|
||||
|
||||
if !hasPermissionToAccessChannel {
|
||||
|
@ -775,7 +775,7 @@ func (a *App) HandleIncomingWebhook(c *request.Context, hookID string, req *mode
|
||||
return model.NewAppError("HandleIncomingWebhook", "web.incoming_webhook.user.app_error", nil, "", http.StatusForbidden).Wrap(result.NErr)
|
||||
}
|
||||
|
||||
if channel.Type != model.ChannelTypeOpen && !a.HasPermissionToChannel(c, hook.UserId, channel.Id, model.PermissionReadChannel) {
|
||||
if channel.Type != model.ChannelTypeOpen && !a.HasPermissionToChannel(c, hook.UserId, channel.Id, model.PermissionReadChannelContent) {
|
||||
return model.NewAppError("HandleIncomingWebhook", "web.incoming_webhook.permissions.app_error", nil, "", http.StatusForbidden)
|
||||
}
|
||||
|
||||
|
@ -258,6 +258,7 @@ func createDefaultRoles(ss store.Store) {
|
||||
DisplayName: model.ChannelUserRoleId,
|
||||
Permissions: []string{
|
||||
model.PermissionReadChannel.Id,
|
||||
model.PermissionReadChannelContent.Id,
|
||||
model.PermissionCreatePost.Id,
|
||||
},
|
||||
})
|
||||
@ -267,6 +268,7 @@ func createDefaultRoles(ss store.Store) {
|
||||
DisplayName: model.ChannelGuestRoleId,
|
||||
Permissions: []string{
|
||||
model.PermissionReadChannel.Id,
|
||||
model.PermissionReadChannelContent.Id,
|
||||
model.PermissionCreatePost.Id,
|
||||
},
|
||||
})
|
||||
|
@ -67,6 +67,7 @@ func createDefaultRoles(ss store.Store) {
|
||||
DisplayName: model.ChannelUserRoleId,
|
||||
Permissions: []string{
|
||||
model.PermissionReadChannel.Id,
|
||||
model.PermissionReadChannelContent.Id,
|
||||
model.PermissionCreatePost.Id,
|
||||
},
|
||||
})
|
||||
@ -76,6 +77,7 @@ func createDefaultRoles(ss store.Store) {
|
||||
DisplayName: model.ChannelGuestRoleId,
|
||||
Permissions: []string{
|
||||
model.PermissionReadChannel.Id,
|
||||
model.PermissionReadChannelContent.Id,
|
||||
model.PermissionCreatePost.Id,
|
||||
},
|
||||
})
|
||||
@ -158,7 +160,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) {
|
||||
|
||||
role4, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelUserRole)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, role4.Permissions, []string{"read_channel", "create_post"})
|
||||
assert.Equal(t, role4.Permissions, []string{"read_channel", "read_channel_content", "create_post"})
|
||||
assert.True(t, role4.SchemeManaged)
|
||||
|
||||
role5, err := ss.Role().GetByName(context.Background(), d1.DefaultTeamGuestRole)
|
||||
@ -168,7 +170,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) {
|
||||
|
||||
role6, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelGuestRole)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, role6.Permissions, []string{"read_channel", "create_post"})
|
||||
assert.Equal(t, role6.Permissions, []string{"read_channel", "read_channel_content", "create_post"})
|
||||
assert.True(t, role6.SchemeManaged)
|
||||
|
||||
// Change the scheme description and update.
|
||||
@ -386,7 +388,7 @@ func testSchemeStoreDelete(t *testing.T, ss store.Store) {
|
||||
|
||||
role4, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelUserRole)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, role4.Permissions, []string{"read_channel", "create_post"})
|
||||
assert.Equal(t, role4.Permissions, []string{"read_channel", "read_channel_content", "create_post"})
|
||||
assert.True(t, role4.SchemeManaged)
|
||||
|
||||
role5, err := ss.Role().GetByName(context.Background(), d1.DefaultTeamGuestRole)
|
||||
@ -396,7 +398,7 @@ func testSchemeStoreDelete(t *testing.T, ss store.Store) {
|
||||
|
||||
role6, err := ss.Role().GetByName(context.Background(), d1.DefaultChannelGuestRole)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, role6.Permissions, []string{"read_channel", "create_post"})
|
||||
assert.Equal(t, role6.Permissions, []string{"read_channel", "read_channel_content", "create_post"})
|
||||
assert.True(t, role6.SchemeManaged)
|
||||
|
||||
// Delete the scheme.
|
||||
|
@ -70,6 +70,7 @@ func GetMockStoreForSetupFunctions() *mocks.Store {
|
||||
systemStore.On("GetByName", model.MigrationKeyAddCustomUserGroupsPermissions).Return(&model.System{Name: model.MigrationKeyAddCustomUserGroupsPermissions, Value: "true"}, nil)
|
||||
systemStore.On("GetByName", model.MigrationKeyAddPlayboosksManageRolesPermissions).Return(&model.System{Name: model.MigrationKeyAddPlayboosksManageRolesPermissions, Value: "true"}, nil)
|
||||
systemStore.On("GetByName", model.MigrationKeyAddCustomUserGroupsPermissionRestore).Return(&model.System{Name: model.MigrationKeyAddCustomUserGroupsPermissionRestore, Value: "true"}, nil)
|
||||
systemStore.On("GetByName", model.MigrationKeyAddReadChannelContentPermissions).Return(&model.System{Name: model.MigrationKeyAddReadChannelContentPermissions, Value: "true"}, nil)
|
||||
systemStore.On("GetByName", "CustomGroupAdminRoleCreationMigrationComplete").Return(&model.System{Name: model.MigrationKeyAddPlayboosksManageRolesPermissions, Value: "true"}, nil)
|
||||
systemStore.On("GetByName", "products_boards").Return(&model.System{Name: "products_boards", Value: "true"}, nil)
|
||||
systemStore.On("GetByName", "elasticsearch_fix_channel_index_migration").Return(&model.System{Name: "elasticsearch_fix_channel_index_migration", Value: "true"}, nil)
|
||||
|
@ -40,6 +40,7 @@ const (
|
||||
MigrationKeyAddPlayboosksManageRolesPermissions = "playbooks_manage_roles"
|
||||
MigrationKeyAddProductsBoardsPermissions = "products_boards"
|
||||
MigrationKeyAddCustomUserGroupsPermissionRestore = "custom_groups_permission_restore"
|
||||
MigrationKeyAddReadChannelContentPermissions = "read_channel_content_permissions"
|
||||
MigrationKeyElasticsearchFixChannelIndex = "elasticsearch_fix_channel_index_migration"
|
||||
MigrationKeyS3Path = "s3_path_migration"
|
||||
)
|
||||
|
@ -51,6 +51,7 @@ var PermissionDeletePublicChannel *Permission
|
||||
var PermissionDeletePrivateChannel *Permission
|
||||
var PermissionEditOtherUsers *Permission
|
||||
var PermissionReadChannel *Permission
|
||||
var PermissionReadChannelContent *Permission
|
||||
var PermissionReadPublicChannelGroups *Permission
|
||||
var PermissionReadPrivateChannelGroups *Permission
|
||||
var PermissionReadPublicChannel *Permission
|
||||
@ -561,6 +562,12 @@ func initializePermissions() {
|
||||
"authentication.permissions.read_channel.description",
|
||||
PermissionScopeChannel,
|
||||
}
|
||||
PermissionReadChannelContent = &Permission{
|
||||
"read_channel_content",
|
||||
"authentication.permissions.read_channel_content.name",
|
||||
"authentication.permissions.read_channel_content.description",
|
||||
PermissionScopeChannel,
|
||||
}
|
||||
PermissionReadPublicChannelGroups = &Permission{
|
||||
"read_public_channel_groups",
|
||||
"authentication.permissions.read_public_channel_groups.name",
|
||||
@ -2329,6 +2336,7 @@ func initializePermissions() {
|
||||
PermissionDeletePublicChannel,
|
||||
PermissionDeletePrivateChannel,
|
||||
PermissionReadChannel,
|
||||
PermissionReadChannelContent,
|
||||
PermissionReadPublicChannelGroups,
|
||||
PermissionReadPrivateChannelGroups,
|
||||
PermissionAddReaction,
|
||||
|
@ -749,6 +749,7 @@ func MakeDefaultRoles() map[string]*Role {
|
||||
Description: "authentication.roles.channel_guest.description",
|
||||
Permissions: []string{
|
||||
PermissionReadChannel.Id,
|
||||
PermissionReadChannelContent.Id,
|
||||
PermissionAddReaction.Id,
|
||||
PermissionRemoveReaction.Id,
|
||||
PermissionUploadFile.Id,
|
||||
@ -766,6 +767,7 @@ func MakeDefaultRoles() map[string]*Role {
|
||||
Description: "authentication.roles.channel_user.description",
|
||||
Permissions: []string{
|
||||
PermissionReadChannel.Id,
|
||||
PermissionReadChannelContent.Id,
|
||||
PermissionAddReaction.Id,
|
||||
PermissionRemoveReaction.Id,
|
||||
PermissionManagePublicChannelMembers.Id,
|
||||
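Review bot: `PermissionReadChannelContent.Id` is added to the channel_guest role with no comment recording that the restricted guest role is deliberately granted content access alongside read_channel; the same addition appears in the channel_user hunk. A one-line comment on the guest entry, e.g. `// deliberately granted to guests: content access tracks read_channel here`, documents the decision so that a later tightening of guest defaults does not look accidental. Both Permissions slices continue outside their hunks, and MakeDefaultRoles starts before them.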
|
@ -17,6 +17,8 @@ export const GUEST_INCLUDED_PERMISSIONS = [
|
||||
Permissions.DELETE_POST,
|
||||
Permissions.ADD_REACTION,
|
||||
Permissions.REMOVE_REACTION,
|
||||
Permissions.READ_CHANNEL,
|
||||
Permissions.UPLOAD_FILE,
|
||||
Permissions.USE_CHANNEL_MENTIONS,
|
||||
Permissions.USE_GROUP_MENTIONS,
|
||||
Permissions.CREATE_POST,
|
||||
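Review bot: `Permissions.READ_CHANNEL_CONTENT` does not appear among the visible lines of `GUEST_INCLUDED_PERMISSIONS`, even though the hunk header reports two added lines and the commit description says the permission was added to the e2e default role permissions; if the rendering is complete, the guest expectation here no longer matches the server's channel_guest role, which does receive the permission. Adding `Permissions.READ_CHANNEL_CONTENT,` after `Permissions.READ_CHANNEL,` would line the two up. The array starts before and continues after the hunk.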
|
@ -33,6 +33,7 @@ const values = {
|
||||
DELETE_PRIVATE_CHANNEL: 'delete_private_channel',
|
||||
EDIT_OTHER_USERS: 'edit_other_users',
|
||||
READ_CHANNEL: 'read_channel',
|
||||
READ_CHANNEL_CONTENT: 'read_channel_content',
|
||||
READ_PUBLIC_CHANNEL: 'read_public_channel',
|
||||
ADD_REACTION: 'add_reaction',
|
||||
REMOVE_REACTION: 'remove_reaction',
|
||||
@ -107,6 +108,7 @@ const values = {
|
||||
CREATE_ELASTICSEARCH_POST_AGGREGATION_JOB: 'create_elasticsearch_post_aggregation_job',
|
||||
READ_ELASTICSEARCH_POST_INDEXING_JOB: 'read_elasticsearch_post_indexing_job',
|
||||
READ_ELASTICSEARCH_POST_AGGREGATION_JOB: 'read_elasticsearch_post_aggregation_job',
|
||||
USE_SLASH_COMMANDS: 'use_slash_commands',
|
||||
|
||||
SYSCONSOLE_READ_ABOUT_EDITION_AND_LICENSE: 'sysconsole_read_about_edition_and_license',
|
||||
SYSCONSOLE_WRITE_ABOUT_EDITION_AND_LICENSE: 'sysconsole_write_about_edition_and_license',
|
||||
|
@ -1184,6 +1184,7 @@ export const PermissionsScope = {
|
||||
[Permissions.DELETE_PRIVATE_CHANNEL]: 'channel_scope',
|
||||
[Permissions.EDIT_OTHER_USERS]: 'system_scope',
|
||||
[Permissions.READ_CHANNEL]: 'channel_scope',
|
||||
[Permissions.READ_CHANNEL_CONTENT]: 'channel_scope',
|
||||
[Permissions.READ_PUBLIC_CHANNEL]: 'team_scope',
|
||||
[Permissions.ADD_REACTION]: 'channel_scope',
|
||||
[Permissions.REMOVE_REACTION]: 'channel_scope',
|
||||
@ -1243,13 +1244,13 @@ export const PermissionsScope = {
|
||||
[Permissions.DELETE_CUSTOM_GROUP]: 'system_scope',
|
||||
[Permissions.RESTORE_CUSTOM_GROUP]: 'system_scope',
|
||||
[Permissions.MANAGE_CUSTOM_GROUP_MEMBERS]: 'system_scope',
|
||||
[Permissions.USE_SLASH_COMMANDS]: 'channel_scope',
|
||||
};
|
||||
|
||||
export const DefaultRolePermissions = {
|
||||
all_users: [
|
||||
Permissions.CREATE_DIRECT_CHANNEL,
|
||||
Permissions.CREATE_GROUP_CHANNEL,
|
||||
Permissions.PERMANENT_DELETE_USER,
|
||||
Permissions.CREATE_TEAM,
|
||||
Permissions.LIST_TEAM_CHANNELS,
|
||||
Permissions.JOIN_PUBLIC_CHANNELS,
|
||||
@ -1264,6 +1265,7 @@ export const DefaultRolePermissions = {
|
||||
Permissions.INVITE_USER,
|
||||
Permissions.ADD_USER_TO_TEAM,
|
||||
Permissions.READ_CHANNEL,
|
||||
Permissions.READ_CHANNEL_CONTENT,
|
||||
Permissions.ADD_REACTION,
|
||||
Permissions.REMOVE_REACTION,
|
||||
Permissions.MANAGE_PUBLIC_CHANNEL_MEMBERS,
|
||||
@ -1275,8 +1277,6 @@ export const DefaultRolePermissions = {
|
||||
Permissions.MANAGE_PRIVATE_CHANNEL_MEMBERS,
|
||||
Permissions.DELETE_POST,
|
||||
Permissions.EDIT_POST,
|
||||
Permissions.LIST_PUBLIC_TEAMS,
|
||||
Permissions.JOIN_PUBLIC_TEAMS,
|
||||
Permissions.USE_CHANNEL_MENTIONS,
|
||||
Permissions.USE_GROUP_MENTIONS,
|
||||
Permissions.CREATE_CUSTOM_GROUP,
|
||||
@ -1289,8 +1289,13 @@ export const DefaultRolePermissions = {
|
||||
Permissions.PLAYBOOK_PRIVATE_MANAGE_MEMBERS,
|
||||
Permissions.PLAYBOOK_PUBLIC_MANAGE_PROPERTIES,
|
||||
Permissions.PLAYBOOK_PRIVATE_MANAGE_PROPERTIES,
|
||||
Permissions.PLAYBOOK_PUBLIC_MAKE_PRIVATE,
|
||||
Permissions.RUN_CREATE,
|
||||
Permissions.USE_SLASH_COMMANDS,
|
||||
Permissions.DELETE_EMOJIS,
|
||||
Permissions.INVITE_GUEST,
|
||||
Permissions.CREATE_EMOJIS,
|
||||
Permissions.RUN_VIEW,
|
||||
Permissions.RESTORE_CUSTOM_GROUP,
|
||||
],
|
||||
channel_admin: [
|
||||
Permissions.MANAGE_CHANNEL_ROLES,
|
||||
|