IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity

EE: Add the ability to restrict the user roles that can send team invites (#3442)

Browse Source
This commit is contained in:
Joram Wilander
2016-06-29 14:16:17 -04:00
committed by GitHub
parent 4c9b48da8f
commit b97b3ae617
16 changed files with 259 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
api/team.go
View File

@@ -394,11 +394,23 @@ func revokeAllSessions(c *Context, w http.ResponseWriter, r *http.Request) {
func inviteMembers(c *Context, w http.ResponseWriter, r *http.Request) {
invites := model.InvitesFromJson(r.Body)
if len(invites.Invites) == 0 {
c.Err = model.NewLocAppError("Team.InviteMembers", "api.team.invite_members.no_one.app_error", nil, "")
c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.no_one.app_error", nil, "")
c.Err.StatusCode = http.StatusBadRequest
return
}
if utils.IsLicensed {
if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.TEAM_INVITE_SYSTEM_ADMIN && !c.IsSystemAdmin() {
c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_system_admin.app_error", nil, "")
return
}
if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.TEAM_INVITE_TEAM_ADMIN && !c.IsTeamAdmin() {
c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_team_admin.app_error", nil, "")
return
}
}
tchan := Srv.Store.Team().Get(c.TeamId)
uchan := Srv.Store.User().Get(c.Session.UserId)

51
api/team_test.go
View File

@@ -363,9 +363,10 @@ func TestTeamPermDelete(t *testing.T) {
}
func TestInviteMembers(t *testing.T) {
th := Setup().InitBasic()
th := Setup().InitBasic().InitSystemAdmin()
th.BasicClient.Logout()
Client := th.BasicClient
SystemAdminClient := th.SystemAdminClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
@@ -389,10 +390,54 @@ func TestInviteMembers(t *testing.T) {
t.Fatal(err)
}
invites = &model.Invites{Invites: []map[string]string{}}
if _, err := Client.InviteMembers(invites); err == nil {
invites2 := &model.Invites{Invites: []map[string]string{}}
if _, err := Client.InviteMembers(invites2); err == nil {
t.Fatal("Should have errored out on no invites to send")
}
restrictTeamInvite := *utils.Cfg.TeamSettings.RestrictTeamInvite
defer func() {
*utils.Cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite
}()
*utils.Cfg.TeamSettings.RestrictTeamInvite = model.TEAM_INVITE_TEAM_ADMIN
th.LoginBasic2()
LinkUserToTeam(th.BasicUser2, team)
if _, err := Client.InviteMembers(invites); err != nil {
t.Fatal(err)
}
isLicensed := utils.IsLicensed
defer func() {
utils.IsLicensed = isLicensed
}()
utils.IsLicensed = true
if _, err := Client.InviteMembers(invites); err == nil {
t.Fatal("should have errored not team admin and licensed")
}
UpdateUserToTeamAdmin(th.BasicUser2, team)
Client.Logout()
th.LoginBasic2()
Client.SetTeamId(team.Id)
if _, err := Client.InviteMembers(invites); err != nil {
t.Fatal(err)
}
*utils.Cfg.TeamSettings.RestrictTeamInvite = model.TEAM_INVITE_SYSTEM_ADMIN
if _, err := Client.InviteMembers(invites); err == nil {
t.Fatal("should have errored not system admin and licensed")
}
LinkUserToTeam(th.SystemAdminUser, team)
if _, err := SystemAdminClient.InviteMembers(invites); err != nil {
t.Fatal(err)
}
}
func TestUpdateTeamDisplayName(t *testing.T) {

3
config/config.json
View File

@@ -37,7 +37,8 @@
"RestrictTeamNames": true,
"EnableCustomBrand": false,
"CustomBrandText": "",
"RestrictDirectMessage": "any"
"RestrictDirectMessage": "any",
"RestrictTeamInvite": "system_admin"
},
"SqlSettings": {
"DriverName": "mysql",

8
i18n/en.json
View File

@@ -1299,6 +1299,14 @@
"id": "api.team.invite_members.no_one.app_error",
"translation": "No one to invite."
},
{
"id": "api.team.invite_members.restricted_system_admin.app_error",
"translation": "Inviting new users to a team is restricted to System Administrators."
},
{
"id": "api.team.invite_members.restricted_team_admin.app_error",
"translation": "Inviting new users to a team is restricted to Team and System Administrators."
},
{
"id": "api.team.invite_members.send.error",
"translation": "Failed to send invite email successfully err=%v"

10
model/config.go
View File

@@ -32,6 +32,10 @@ const (
DIRECT_MESSAGE_ANY = "any"
DIRECT_MESSAGE_TEAM = "team"
TEAM_INVITE_ALL = "all"
TEAM_INVITE_TEAM_ADMIN = "team_admin"
TEAM_INVITE_SYSTEM_ADMIN = "system_admin"
FAKE_SETTING = "********************************"
RESTRICT_EMOJI_CREATION_ALL = "all"
@@ -174,6 +178,7 @@ type TeamSettings struct {
EnableCustomBrand *bool
CustomBrandText *string
RestrictDirectMessage *string
RestrictTeamInvite *string
}
type LdapSettings struct {
@@ -346,6 +351,11 @@ func (o *Config) SetDefaults() {
*o.TeamSettings.RestrictDirectMessage = DIRECT_MESSAGE_ANY
}
if o.TeamSettings.RestrictTeamInvite == nil {
o.TeamSettings.RestrictTeamInvite = new(string)
*o.TeamSettings.RestrictTeamInvite = TEAM_INVITE_ALL
}
if o.EmailSettings.EnableSignInWithEmail == nil {
o.EmailSettings.EnableSignInWithEmail = new(bool)

1
utils/config.go
View File

@@ -210,6 +210,7 @@ func getClientConfig(c *model.Config) map[string]string {
props["EnableOpenServer"] = strconv.FormatBool(*c.TeamSettings.EnableOpenServer)
props["RestrictTeamNames"] = strconv.FormatBool(*c.TeamSettings.RestrictTeamNames)
props["RestrictDirectMessage"] = *c.TeamSettings.RestrictDirectMessage
props["RestrictTeamInvite"] = *c.TeamSettings.RestrictTeamInvite
props["EnableOAuthServiceProvider"] = strconv.FormatBool(c.ServiceSettings.EnableOAuthServiceProvider)
props["SegmentDeveloperKey"] = c.ServiceSettings.SegmentDeveloperKey

14
webapp/components/admin_console/admin_sidebar.jsx
View File

@@ -180,6 +180,7 @@ export default class AdminSidebar extends React.Component {
let license = null;
let audits = null;
let policy = null;
if (window.mm_config.BuildEnterpriseReady === 'true') {
if (window.mm_license.IsLicensed === 'true') {
@@ -210,6 +211,18 @@ export default class AdminSidebar extends React.Component {
/>
);
}
policy = (
<AdminSidebarSection
name='policy'
title={
<FormattedMessage
id='admin.sidebar.policy'
defaultMessage='Policy'
/>
}
/>
);
}
license = (
@@ -328,6 +341,7 @@ export default class AdminSidebar extends React.Component {
/>
}
/>
{policy}
<AdminSidebarSection
name='privacy'
title={

13
webapp/components/admin_console/localization_settings.jsx
View File

@@ -49,8 +49,8 @@ export default class LocalizationSettings extends AdminSettings {
return (
<h3>
<FormattedMessage
id='admin.general.title'
defaultMessage='General Settings'
id='admin.general.localization'
defaultMessage='Localization'
/>
</h3>
);
@@ -58,14 +58,7 @@ export default class LocalizationSettings extends AdminSettings {
renderSettings() {
return (
<SettingsGroup
header={
<FormattedMessage
id='admin.general.localization'
defaultMessage='Localization'
/>
}
>
<SettingsGroup>
<DropdownSetting
id='defaultServerLocale'
values={this.state.languages}

73
webapp/components/admin_console/policy_settings.jsx Normal file
View File

@@ -0,0 +1,73 @@
// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
import React from 'react';
import AdminSettings from './admin_settings.jsx';
import SettingsGroup from './settings_group.jsx';
import DropdownSetting from './dropdown_setting.jsx';
import Constants from 'utils/constants.jsx';
import * as Utils from 'utils/utils.jsx';
import {FormattedMessage, FormattedHTMLMessage} from 'react-intl';
export default class PolicySettings extends AdminSettings {
constructor(props) {
super(props);
this.getConfigFromState = this.getConfigFromState.bind(this);
this.renderSettings = this.renderSettings.bind(this);
this.state = Object.assign(this.state, {
restrictTeamInvite: props.config.TeamSettings.RestrictTeamInvite
});
}
getConfigFromState(config) {
config.TeamSettings.RestrictTeamInvite = this.state.restrictTeamInvite;
return config;
}
renderTitle() {
return (
<h3>
<FormattedMessage
id='admin.general.policy'
defaultMessage='Policy'
/>
</h3>
);
}
renderSettings() {
return (
<SettingsGroup>
<DropdownSetting
id='restrictTeamInvite'
values={[
{value: Constants.TEAM_INVITE_ALL, text: Utils.localizeMessage('admin.general.policy.teamInviteAll', 'All team members')},
{value: Constants.TEAM_INVITE_TEAM_ADMIN, text: Utils.localizeMessage('admin.general.policy.teamInviteAdmin', 'Team and System Admins')},
{value: Constants.TEAM_INVITE_SYSTEM_ADMIN, text: Utils.localizeMessage('admin.general.policy.teamInviteSystemAdmin', 'System Admins')}
]}
label={
<FormattedMessage
id='admin.general.policy.teamInviteTitle'
defaultMessage='Enable sending team invites from:'
/>
}
value={this.state.restrictTeamInvite}
onChange={this.handleChange}
helpText={
<FormattedHTMLMessage
id='admin.general.policy.teamInviteDescription'
defaultMessage='Selecting "All team members" allows any team member to invite others using an email invitation or team invite link.<br/><br/>Selecting "Team and System Admins" hides the email invitation and team invite link in the Main Menu from users who are not Team or System Admins. Note: If "Get Team Invite Link" is used to share a link, it will need to be regenerated after the desired users joined the team.<br/><br/>Selecting "System Admins" hides the email invitation and team invite link in the Main Menu from users who are not System Admins. Note: If "Get Team Invite Link" is used to share a link, it will need to be regenerated after the desired users joined the team.'
/>
}
/>
</SettingsGroup>
);
}
}

10
webapp/components/navbar_dropdown.jsx
View File

@@ -119,6 +119,16 @@ export default class NavbarDropdown extends React.Component {
</li>
);
}
if (global.window.mm_license.IsLicensed === 'true') {
if (global.window.mm_config.RestrictTeamInvite === Constants.TEAM_INVITE_SYSTEM_ADMIN && !isSystemAdmin) {
teamLink = null;
inviteLink = null;
} else if (global.window.mm_config.RestrictTeamInvite === Constants.TEAM_INVITE_TEAM_ADMIN && !isAdmin) {
teamLink = null;
inviteLink = null;
}
}
}
if (isAdmin) {

10
webapp/components/sidebar_right_menu.jsx
View File

@@ -184,6 +184,16 @@ export default class SidebarRightMenu extends React.Component {
</li>
);
}
if (global.window.mm_license.IsLicensed === 'true') {
if (global.window.mm_config.RestrictTeamInvite === Constants.TEAM_INVITE_SYSTEM_ADMIN && !isSystemAdmin) {
teamLink = null;
inviteLink = null;
} else if (global.window.mm_config.RestrictTeamInvite === Constants.TEAM_INVITE_TEAM_ADMIN && !isAdmin) {
teamLink = null;
inviteLink = null;
}
}
}
if (isAdmin) {

67
webapp/components/tutorial/tutorial_intro_screens.jsx
View File

@@ -106,32 +106,45 @@ export default class TutorialIntroScreens extends React.Component {
createScreenThree() {
const team = TeamStore.getCurrent();
let inviteModalLink;
let inviteText;
if (team.type === Constants.INVITE_TEAM) {
inviteModalLink = (
<a
className='intro-links'
href='#'
onClick={GlobalActions.showInviteMemberModal}
>
if (global.window.mm_license.IsLicensed !== 'true' || global.window.mm_config.RestrictTeamInvite === Constants.TEAM_INVITE_ALL) {
if (team.type === Constants.INVITE_TEAM) {
inviteModalLink = (
<a
className='intro-links'
href='#'
onClick={GlobalActions.showInviteMemberModal}
>
<FormattedMessage
id='tutorial_intro.invite'
defaultMessage='Invite teammates'
/>
</a>
);
} else {
inviteModalLink = (
<a
className='intro-links'
href='#'
onClick={GlobalActions.showGetTeamInviteLinkModal}
>
<FormattedMessage
id='tutorial_intro.teamInvite'
defaultMessage='Invite teammates'
/>
</a>
);
}
inviteText = (
<p>
{inviteModalLink}
<FormattedMessage
id='tutorial_intro.invite'
defaultMessage='Invite teammates'
id='tutorial_intro.whenReady'
defaultMessage=' when youre ready.'
/>
</a>
);
} else {
inviteModalLink = (
<a
className='intro-links'
href='#'
onClick={GlobalActions.showGetTeamInviteLinkModal}
>
<FormattedMessage
id='tutorial_intro.teamInvite'
defaultMessage='Invite teammates'
/>
</a>
</p>
);
}
@@ -170,13 +183,7 @@ export default class TutorialIntroScreens extends React.Component {
defaultMessage='Youre all set'
/>
</h3>
<p>
{inviteModalLink}
<FormattedMessage
id='tutorial_intro.whenReady'
defaultMessage=' when youre ready.'
/>
</p>
{inviteText}
{supportInfo}
<FormattedMessage
id='tutorial_intro.end'

8
webapp/i18n/en.json
View File

@@ -213,8 +213,13 @@
"admin.general.localization.serverLocaleDescription": "Default language for system messages and logs. Changing this will require a server restart before taking effect.",
"admin.general.localization.serverLocaleTitle": "Default Server Language:",
"admin.general.log": "Logging",
"admin.general.policy": "Policy",
"admin.general.policy.teamInviteAll": "All team members",
"admin.general.policy.teamInviteAdmin": "Team and System Admins",
"admin.general.policy.teamInviteSystemAdmin": "System Admins",
"admin.general.policy.teamInviteTitle": "Enable sending team invites from:",
"admin.general.policy.teamInviteDescription": "Selecting \"All team members\" allows any team member to invite others using an email invitation or team invite link.<br/><br/>Selecting \"Team and System Admins\" hides the email invitation and team invite link in the Main Menu from users who are not Team or System Admins. Note: If \"Get Team Invite Link\" is used to share a link, it will need to be regenerated after the desired users joined the team.<br/><br/>Selecting \"System Admins\" hides the email invitation and team invite link in the Main Menu from users who are not System Admins. Note: If \"Get Team Invite Link\" is used to share a link, it will need to be regenerated after the desired users joined the team.",
"admin.general.privacy": "Privacy",
"admin.general.title": "General Settings",
"admin.general.usersAndTeams": "Users and Teams",
"admin.gitab.clientSecretDescription": "Obtain this value via the instructions above for logging into GitLab.",
"admin.gitlab.EnableHtmlDesc": "<ol><li>Log in to your GitLab account and go to Profile Settings -> Applications.</li><li>Enter Redirect URIs \"<your-mattermost-url>/login/gitlab/complete\" (example: http://localhost:8065/login/gitlab/complete) and \"<your-mattermost-url>/signup/gitlab/complete\". </li><li>Then use \"Secret\" and \"Id\" fields from GitLab to complete the options below.</li><li>Complete the Endpoint URLs below. </li></ol>",
@@ -488,6 +493,7 @@
"admin.sidebar.logs": "Logs",
"admin.sidebar.notifications": "Notifications",
"admin.sidebar.other": "OTHER",
"admin.sidebar.policy": "Policy",
"admin.sidebar.privacy": "Privacy",
"admin.sidebar.publicLinks": "Public Links",
"admin.sidebar.push": "Mobile Push",

5
webapp/routes/route_admin_console.jsx
View File

@@ -10,6 +10,7 @@ import ConfigurationSettings from 'components/admin_console/configuration_settin
import LocalizationSettings from 'components/admin_console/localization_settings.jsx';
import UsersAndTeamsSettings from 'components/admin_console/users_and_teams_settings.jsx';
import PrivacySettings from 'components/admin_console/privacy_settings.jsx';
import PolicySettings from 'components/admin_console/policy_settings.jsx';
import LogSettings from 'components/admin_console/log_settings.jsx';
import EmailAuthenticationSettings from 'components/admin_console/email_authentication_settings.jsx';
import GitLabSettings from 'components/admin_console/gitlab_settings.jsx';
@@ -62,6 +63,10 @@ export default (
path='privacy'
component={PrivacySettings}
/>
<Route
path='policy'
component={PolicySettings}
/>
<Route
path='compliance'
component={ComplianceSettings}

15
webapp/utils/channel_intro_messages.jsx
View File

@@ -7,6 +7,8 @@ import EditChannelHeaderModal from 'components/edit_channel_header_modal.jsx';
import ToggleModalButton from 'components/toggle_modal_button.jsx';
import UserProfile from 'components/user_profile.jsx';
import ChannelStore from 'stores/channel_store.jsx';
import UserStore from 'stores/user_store.jsx';
import TeamStore from 'stores/team_store.jsx';
import Constants from 'utils/constants.jsx';
import * as GlobalActions from 'actions/global_actions.jsx';
import Client from 'utils/web_client.jsx';
@@ -94,7 +96,7 @@ export function createOffTopicIntroMessage(channel) {
}
export function createDefaultIntroMessage(channel) {
const inviteModalLink = (
let inviteModalLink = (
<a
className='intro-links'
href='#'
@@ -108,6 +110,17 @@ export function createDefaultIntroMessage(channel) {
</a>
);
const isAdmin = TeamStore.isTeamAdminForCurrentTeam() || UserStore.isSystemAdminForCurrentUser();
const isSystemAdmin = UserStore.isSystemAdminForCurrentUser();
if (global.window.mm_license.IsLicensed === 'true') {
if (global.window.mm_config.RestrictTeamInvite === Constants.TEAM_INVITE_SYSTEM_ADMIN && !isSystemAdmin) {
inviteModalLink = null;
} else if (global.window.mm_config.RestrictTeamInvite === Constants.TEAM_INVITE_TEAM_ADMIN && !isAdmin) {
inviteModalLink = null;
}
}
return (
<div className='channel-intro'>
<FormattedHTMLMessage

5
webapp/utils/constants.jsx
View File

@@ -755,5 +755,8 @@ export default {
MAX_PREV_MSGS: 100,
POST_COLLAPSE_TIMEOUT: 1000 * 60 * 5, // five minutes
LICENSE_EXPIRY_NOTIFICATION: 1000 * 60 * 60 * 24 * 15, // 15 days
LICENSE_GRACE_PERIOD: 1000 * 60 * 60 * 24 * 15 // 15 days
LICENSE_GRACE_PERIOD: 1000 * 60 * 60 * 24 * 15, // 15 days
TEAM_INVITE_ALL: 'all',
TEAM_INVITE_TEAM_ADMIN: 'team_admin',
TEAM_INVITE_SYSTEM_ADMIN: 'system_admin'
};