PLT-6139 (Server): Private Channel member managing (#5941)

Adds an EE policy feature to allow restricting system-wide which level of
Admins can manage the membership of private channels.

api/channel_test.go

@@ -1532,9 +1532,10 @@ func TestGetChannelStats(t *testing.T) {
 }
 
 func TestAddChannelMember(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 	team := th.BasicTeam
+	user1 := th.BasicUser
 	user2 := th.BasicUser2
 	user3 := th.CreateUser(Client)
 
@@ -1581,12 +1582,118 @@ func TestAddChannelMember(t *testing.T) {
 	if _, err := Client.AddChannelMember(channel1.Id, user3.Id); err == nil {
 		t.Fatal("Should have errored, user not on team")
 	}
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel3 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel3 = Client.Must(th.SystemAdminClient.CreateChannel(channel3)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel3.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can add other users.
+	channel4 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel4 = Client.Must(th.SystemAdminClient.CreateChannel(channel4)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel4.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel5 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel5 = Client.Must(th.SystemAdminClient.CreateChannel(channel5)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel5.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	MakeUserChannelAdmin(user1, channel5)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	if _, err := Client.AddChannelMember(channel5.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel6 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel6 = Client.Must(th.SystemAdminClient.CreateChannel(channel6)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel6.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	UpdateUserToTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	if _, err := Client.AddChannelMember(channel6.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel7 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel7 = Client.Must(th.SystemAdminClient.CreateChannel(channel7)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel7.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	if _, err := th.SystemAdminClient.AddChannelMember(channel7.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
 }
 
 func TestRemoveChannelMember(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 	team := th.BasicTeam
+	user1 := th.BasicUser
 	user2 := th.BasicUser2
 	UpdateUserToTeamAdmin(user2, team)
 
@@ -1646,6 +1753,117 @@ func TestRemoveChannelMember(t *testing.T) {
 	if _, err := Client.RemoveChannelMember(townSquare.Id, userStd.Id); err == nil {
 		t.Fatal("should have errored, channel is default")
 	}
+
+	th.LoginBasic()
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel3 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel3 = Client.Must(th.SystemAdminClient.CreateChannel(channel3)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel3.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can remove other users.
+	channel4 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel4 = Client.Must(th.SystemAdminClient.CreateChannel(channel4)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel4.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel5 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel5 = Client.Must(th.SystemAdminClient.CreateChannel(channel5)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel5.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	MakeUserChannelAdmin(user1, channel5)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+
+	if _, err := Client.RemoveChannelMember(channel5.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel6 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel6 = Client.Must(th.SystemAdminClient.CreateChannel(channel6)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel6.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	UpdateUserToTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	if _, err := Client.RemoveChannelMember(channel6.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel7 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel7 = Client.Must(th.SystemAdminClient.CreateChannel(channel7)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel7.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	if _, err := th.SystemAdminClient.RemoveChannelMember(channel7.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
 }
 
 func TestUpdateNotifyProps(t *testing.T) {

api4/channel_test.go

@@ -1497,9 +1497,14 @@ func TestAddChannelMember(t *testing.T) {
 	Client := th.Client
 	user := th.BasicUser
 	user2 := th.BasicUser2
+	team := th.BasicTeam
 	publicChannel := th.CreatePublicChannel()
 	privateChannel := th.CreatePrivateChannel()
 
+	user3 := th.CreateUserWithClient(th.SystemAdminClient)
+	_, resp := th.SystemAdminClient.AddTeamMember(team.Id, user3.Id, "", "", team.InviteId)
+	CheckNoError(t, resp)
+
 	cm, resp := Client.AddChannelMember(publicChannel.Id, user2.Id)
 	CheckNoError(t, resp)
 	CheckCreatedStatus(t, resp)
@@ -1582,10 +1587,139 @@ func TestAddChannelMember(t *testing.T) {
 
 	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
 	CheckNoError(t, resp)
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can add other users.
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckForbiddenStatus(t, resp)
+	Client.Logout()
+
+	MakeUserChannelAdmin(user, privateChannel)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckForbiddenStatus(t, resp)
+	Client.Logout()
+
+	UpdateUserToTeamAdmin(user, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckForbiddenStatus(t, resp)
+	Client.Logout()
+
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
 }
 
 func TestRemoveChannelMember(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
+	user1 := th.BasicUser
+	user2 := th.BasicUser2
+	team := th.BasicTeam
 	defer TearDown()
 	Client := th.Client
 
@@ -1635,4 +1769,118 @@ func TestRemoveChannelMember(t *testing.T) {
 
 	_, resp = th.SystemAdminClient.RemoveUserFromChannel(private.Id, th.BasicUser.Id)
 	CheckNoError(t, resp)
+
+	th.LoginBasic()
+	UpdateUserToNonTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can remove other users.
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckForbiddenStatus(t, resp)
+
+	MakeUserChannelAdmin(user1, privateChannel)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckForbiddenStatus(t, resp)
+
+	UpdateUserToTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = th.SystemAdminClient.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
 }

config/config.json

@@ -61,6 +61,7 @@
         "RestrictPrivateChannelManagement": "all",
         "RestrictPublicChannelDeletion": "all",
         "RestrictPrivateChannelDeletion": "all",
+        "RestrictPrivateChannelManageMembers": "all",
         "UserStatusAwayTimeout": 300,
         "MaxChannelsPerTeam": 2000,
         "MaxNotificationsPerChannel": 1000

model/authorization.go

@@ -305,7 +305,6 @@ func InitalizeRoles() {
 		[]string{
 			PERMISSION_READ_CHANNEL.Id,
 			PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
-			PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
 			PERMISSION_UPLOAD_FILE.Id,
 			PERMISSION_GET_PUBLIC_LINK.Id,
 			PERMISSION_CREATE_POST.Id,

model/config.go

@@ -280,26 +280,27 @@ type SupportSettings struct {
 }
 
 type TeamSettings struct {
-	SiteName                         string
-	MaxUsersPerTeam                  int
-	EnableTeamCreation               bool
-	EnableUserCreation               bool
-	EnableOpenServer                 *bool
-	RestrictCreationToDomains        string
-	EnableCustomBrand                *bool
-	CustomBrandText                  *string
-	CustomDescriptionText            *string
-	RestrictDirectMessage            *string
-	RestrictTeamInvite               *string
-	RestrictPublicChannelManagement  *string
-	RestrictPrivateChannelManagement *string
-	RestrictPublicChannelCreation    *string
-	RestrictPrivateChannelCreation   *string
-	RestrictPublicChannelDeletion    *string
-	RestrictPrivateChannelDeletion   *string
-	UserStatusAwayTimeout            *int64
-	MaxChannelsPerTeam               *int64
-	MaxNotificationsPerChannel       *int64
+	SiteName                            string
+	MaxUsersPerTeam                     int
+	EnableTeamCreation                  bool
+	EnableUserCreation                  bool
+	EnableOpenServer                    *bool
+	RestrictCreationToDomains           string
+	EnableCustomBrand                   *bool
+	CustomBrandText                     *string
+	CustomDescriptionText               *string
+	RestrictDirectMessage               *string
+	RestrictTeamInvite                  *string
+	RestrictPublicChannelManagement     *string
+	RestrictPrivateChannelManagement    *string
+	RestrictPublicChannelCreation       *string
+	RestrictPrivateChannelCreation      *string
+	RestrictPublicChannelDeletion       *string
+	RestrictPrivateChannelDeletion      *string
+	RestrictPrivateChannelManageMembers *string
+	UserStatusAwayTimeout               *int64
+	MaxChannelsPerTeam                  *int64
+	MaxNotificationsPerChannel          *int64
 }
 
 type LdapSettings struct {
@@ -621,6 +622,11 @@ func (o *Config) SetDefaults() {
 		*o.TeamSettings.RestrictPrivateChannelDeletion = *o.TeamSettings.RestrictPrivateChannelManagement
 	}
 
+	if o.TeamSettings.RestrictPrivateChannelManageMembers == nil {
+		o.TeamSettings.RestrictPrivateChannelManageMembers = new(string)
+		*o.TeamSettings.RestrictPrivateChannelManageMembers = PERMISSIONS_ALL
+	}
+
 	if o.TeamSettings.UserStatusAwayTimeout == nil {
 		o.TeamSettings.UserStatusAwayTimeout = new(int64)
 		*o.TeamSettings.UserStatusAwayTimeout = TEAM_SETTINGS_DEFAULT_USER_STATUS_AWAY_TIMEOUT

utils/authorization.go

@@ -183,6 +183,39 @@ func SetDefaultRolesBasedOnConfig() {
 		)
 	}
 
+	// Restrict permissions for Private Channel Manage Members
+	if IsLicensed {
+		switch *Cfg.TeamSettings.RestrictPrivateChannelManageMembers {
+		case model.PERMISSIONS_ALL:
+			model.ROLE_CHANNEL_USER.Permissions = append(
+				model.ROLE_CHANNEL_USER.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			break
+		case model.PERMISSIONS_CHANNEL_ADMIN:
+			model.ROLE_TEAM_ADMIN.Permissions = append(
+				model.ROLE_TEAM_ADMIN.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			model.ROLE_CHANNEL_ADMIN.Permissions = append(
+				model.ROLE_CHANNEL_ADMIN.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			break
+		case model.PERMISSIONS_TEAM_ADMIN:
+			model.ROLE_TEAM_ADMIN.Permissions = append(
+				model.ROLE_TEAM_ADMIN.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			break
+		}
+	} else {
+		model.ROLE_CHANNEL_USER.Permissions = append(
+			model.ROLE_CHANNEL_USER.Permissions,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+		)
+	}
+
 	if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
 		model.ROLE_TEAM_USER.Permissions = append(
 			model.ROLE_TEAM_USER.Permissions,

utils/config.go

@@ -288,6 +288,7 @@ func getClientConfig(c *model.Config) map[string]string {
 	props["RestrictPrivateChannelManagement"] = *c.TeamSettings.RestrictPrivateChannelManagement
 	props["RestrictPublicChannelDeletion"] = *c.TeamSettings.RestrictPublicChannelDeletion
 	props["RestrictPrivateChannelDeletion"] = *c.TeamSettings.RestrictPrivateChannelDeletion
+	props["RestrictPrivateChannelManageMembers"] = *c.TeamSettings.RestrictPrivateChannelManageMembers
 
 	props["EnableOAuthServiceProvider"] = strconv.FormatBool(c.ServiceSettings.EnableOAuthServiceProvider)
 	props["GoogleDeveloperKey"] = c.ServiceSettings.GoogleDeveloperKey