We were allowing the password to be reset without asking
for the old password. This was not advertised but was possible nevertheless
through the API.
Since there is already a separate API to change the password, we chose to remove
this functionality.
https://mattermost.atlassian.net/browse/MM-32013
```release-note
The /api/v4/users/me/auth API endpoint cannot be used to change the password anymore.
This was a hidden feature that was not documented, but was nevertheless possible.
We are just removing the hidden feature.
```
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
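The fix above is a mass-assignment problem: an endpoint meant to update auth data also accepted a password field nobody documented. The following is an added example, not Mattermost's code, showing the pattern a reviewer would want in its place: decode the body against an explicit allow-list, reject a "password" key outright, and reject any other unknown key (a "roles" key, for instance) instead of silently ignoring it. The handler, the UserAuth/User types and the route string are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UserAuth is the only data the (hypothetical) PUT /api/v4/users/me/auth
// handler is allowed to change. There is deliberately no Password field:
// password changes belong to a separate endpoint that checks the old password.
type UserAuth struct {
	AuthData    string `json:"auth_data"`
	AuthService string `json:"auth_service"`
}

// User is a minimal in-memory user record constructed for this example.
type User struct {
	ID           string
	AuthData     string
	AuthService  string
	PasswordHash string
}

var errPasswordNotAllowed = errors.New("password cannot be changed through the auth endpoint")

// decodeUserAuth decodes a request body against the allow-list above. A
// "password" key is rejected explicitly, and any other key that is not in
// UserAuth (e.g. "roles") is rejected by DisallowUnknownFields instead of
// being silently dropped.
func decodeUserAuth(body []byte) (UserAuth, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return UserAuth{}, err
	}
	if _, ok := raw["password"]; ok {
		return UserAuth{}, errPasswordNotAllowed
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var ua UserAuth
	if err := dec.Decode(&ua); err != nil {
		return UserAuth{}, err
	}
	return ua, nil
}

// updateAuthHandler applies only the allow-listed fields; PasswordHash is
// never touched, whatever the client sent.
func updateAuthHandler(u *User) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 64<<10))
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		ua, err := decodeUserAuth(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		u.AuthData = ua.AuthData
		u.AuthService = ua.AuthService
		w.WriteHeader(http.StatusOK)
	}
}

// sendUpdateAuth drives the handler in-process and returns the HTTP status.
func sendUpdateAuth(u *User, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPut, "/api/v4/users/me/auth", strings.NewReader(body))
	updateAuthHandler(u).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	u := &User{ID: "u1", PasswordHash: "hash-before"}
	fmt.Println(sendUpdateAuth(u, `{"auth_data":"alice","auth_service":"ldap"}`))                    // 200
	fmt.Println(sendUpdateAuth(u, `{"auth_data":"alice","auth_service":"ldap","password":"pwned"}`)) // 400
	fmt.Println(sendUpdateAuth(u, `{"auth_data":"alice","roles":"system_admin"}`))                   // 400
	fmt.Println(u.PasswordHash)                                                                      // hash-before
}
```

The same check is easy to run against a live instance: send a PUT with an extra "password" key and confirm the response is a 4xx and a subsequent login with the old password still works.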
We were incorrectly setting the cache control to public
when it should rather be private.
https://mattermost.atlassian.net/browse/MM-31721
```release-notes
Fix Cache-Control headers to instruct that responses may only be cached
on browsers.
```
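To make the public/private distinction concrete, here is an added example (not the project's code) with a handler marked public beside the same handler marked private, plus a small Cache-Control parser that answers the question that matters for a per-user API response: may a shared cache on the path (CDN, reverse proxy, corporate proxy) store it? The header values and the /api/v4/users/me route are assumptions for the example, not Mattermost's exact strings.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cacheControlDirectives parses a Cache-Control value into lower-cased
// directive names and their (possibly empty, possibly quoted) arguments.
func cacheControlDirectives(value string) map[string]string {
	out := map[string]string{}
	for _, d := range strings.Split(value, ",") {
		d = strings.TrimSpace(d)
		if d == "" {
			continue
		}
		name, arg := d, ""
		if i := strings.IndexByte(d, '='); i >= 0 {
			name, arg = d[:i], strings.Trim(d[i+1:], `"`)
		}
		out[strings.ToLower(name)] = arg
	}
	return out
}

// sharedCacheMayStore reports whether a shared cache is allowed to store the
// response. "private" limits storage to the user's own browser cache;
// "no-store" forbids storage everywhere. Anything else (including "no-cache",
// which only forces revalidation) may still be stored by a shared cache.
func sharedCacheMayStore(value string) bool {
	d := cacheControlDirectives(value)
	if _, ok := d["no-store"]; ok {
		return false
	}
	if _, ok := d["private"]; ok {
		return false
	}
	return true
}

// serveUserDataBefore reproduces the mistake: a per-user response marked
// public, so a shared cache may hand alice's profile to the next client.
func serveUserDataBefore(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "public, max-age=3600") // assumed value
	fmt.Fprint(w, `{"username":"alice","email":"alice@example.com"}`)
}

// serveUserDataAfter marks the same response private (assumed value):
// the browser may keep it, shared caches may not.
func serveUserDataAfter(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "private, no-cache")
	fmt.Fprint(w, `{"username":"alice","email":"alice@example.com"}`)
}

// responseCacheControl runs a handler in-process and returns its
// Cache-Control header, the same thing `curl -sI` shows against a server.
func responseCacheControl(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/api/v4/users/me", nil))
	return rec.Header().Get("Cache-Control")
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"before", serveUserDataBefore}, {"after", serveUserDataAfter}} {
		cc := responseCacheControl(c.h)
		fmt.Printf("%s: %q shared-cacheable=%v\n", c.name, cc, sharedCacheMayStore(cc))
	}
}
```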
* MM-31063: Change constants to use CamelCase
* store package
* change allcaps to camel case (#16615)
* New tools.mod
Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com>
* Refactor apply multi role filters and add role filters to get all profiles
* Add some tests
* Fix tests
* Fix lint
* Trigger CI
* Rename param to make more sense
* Tie get filtered user stats to usermanagement read users
* Don't filter out other system roles when searching for team members or team admins; only filter out system admins
* add new permissions
* add migration
* fix test
* remove system roles as default permissions
* implement changes discussed with Dennis
* add read only and fix i18n
* use model consts instead of strings
* turn the permissions into pseudo constants
* Update read only default permissions
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Hossein Ahmadian-Yazdi <hyazdi1997@gmail.com>
* Adding files, commit of UI in good shape
* Translations added, working with activation and deactivation
* Add check for error
* Fix i18n?
* Push without subscription check so Steve and Matt can look at it
* Fix font-weight in chrome
* Fix font-weight on button
* UX fixes
* Fixes for PR
* Add back subscription stuff
* Fix tests
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
* Cloud token login
This PR adds the capability of activating the cloud token login that
will be used in our Cloud installations to let the customer log in
for the first time without using credentials.
* Read CSRF from cookie when it is not in the header and we're logging in with CWS
* Create new CWS login endpoint
- New endpoint created
- We're using the cloud feature from the license instead of the
configuration flag
- Removed the CSRF changes
* Reduce amount of work if cws token is not set
* Removed unused config key
* Now we store the token to detect that it was used
If the token is in the token store then we are assuming that the
token was used
* Add tests
* Add i18n strings
* Add functionality to update password with password hash
This can be used to update a user's password with a direct password
hash instead of providing the password in plaintext.
* Use test helper for local mode
* MM-23832: Initial set of changes
* MM-23832: further iteration
* MM-23832: further iteration
* MM-23832: further iteration
* MM-23832: Fixes merge.
* create migration for new Roles
* MM-23832: Renames some roles.
* MM-23832: Adds ability to see logs.
* MM-23832: Removes manage roles from restricted admin.
* MM-23832: Make authentication section read-only for restricted admin.
* MM-23832: Allow restricted admin to purge caches.
* MM-23832: Adds ability to recycle DB connections.
* MM-23832: Adds ability to purge indexes.
* MM-23832: Adds ability to test email and S3 config.
* MM-23832: Adds ability to read job status.
* MM-23832: Adds ability to read plugin statuses.
* MM-23832: Renames Restricted Admin to System Manager.
* MM-23832: Adds manage team roles to system_user_manager.
* MM-23832: Updates some permissions.
* MM-23832: Allow get all channels and get moderations.
* MM-23832: Adds some permissions to User Manager.
* MM-23832: Remove write users from user manager.
* MM-23832: Changes permissions for the usermanagement > users sysconsole section.
* MM-23832: Removes read_settings and write_settings permissions. Ensures the usermanagement parent permissions encompass the sub-permissions.
* MM-23832: Updates permissions.
* MM-23832: Changes some permissions checks, adds new permissions to roles.
* MM-23832: Adds ability to update a role.
* MM-23832: Permissions updates.
* MM-23832: Removes write access to plugins for system manager.
* MM-23832: Removes read compliance from new roles.
* MM-23832: Adds mock for new roles creation migration.
* MM-23832: Changes to variadic param.
* MM-23832: Removes some duplication in the permissions model. Renames some permissions constants.
* MM-23832: Updates some migrations.
* MM-23832: Removes some unnecessary constants.
* MM-23832: Changes back to old app method name.
* MM-23832: Fixes incorrect permission check.
* MM-23832: Changes write to read permission check.
* MM-23832: Removes the authentication permission from link/unlink group.
* MM-23832: Enable testing LDAP with read permissions.
* MM-23832: Make testing elasticsearch a read permission.
* MM-23832: Warn metrics are associated to any system console read permissions.
* MM-23832: Updates some permissions checks.
* MM-23832: Removes non-systemconsole permissions from roles.
* MM-23832: Update default permission assignment of sysadmin.
* MM-23832: Fixes incorrect permission check. Removes some unused stuff.
* MM-23832: Update permission to check.
* MM-23832: Switches to struct tags.
* MM-23832: Adds some docs for the permissions tag.
* MM-23832: Removes whitespace.
* MM-23832: Combines system admin restricted access with other access-control tag.
* MM-23832: Fixes some tests.
* MM-23832: Clarifies docs, does not assume prior permission check in '-' access value case.
* MM-23832: Updates to correct access tag value.
* MM-23832: Adds test of the config settings tag access.
* MM-23832: Undoes whitespace change.
* MM-23832: Removes comment.
* MM-23832: Adds the permissions to the new roles rather than using OR conditions on the permissions checks.
* MM-23832: Removes or condition on permission check.
* MM-23832: Updates mapping.
* MM-23832: Typo fix.
* MM-23832: Adds new 'read_jobs' permission.
* MM-23832: Add read_jobs to all roles with manage_jobs.
* MM-23832: Adds new permission read_other_users_teams.
* MM-23832: Adds read filtering of config.
* MM-23932: Change tag value.
* MM-23832: Fixes some tests. Adds test for read config access tag.
* MM-23832: Adds permissions to list teams.
* MM-23832: Removes the '-' tag value. Adds a new permission read_channel_groups. Updates a permission check.
* MM-23832: Removes unnecessary parent permission for user_management. Fixes permission check change error.
* MM-23832: Removes unused parameter to filter/merge function.
* MM-23832: Renames migration name.
* MM-23832: Fix for godoc.
* MM-23832: Fixes tests.
* MM-23832: Only makes a map once rather than every function call. Doesn't require access tag on config field structs. Reverts one test update and fixes another.
* MM-23832: Removes all of the unnecessary uses of (*App).SessionHasPermissionToAny since removing the user_management parent permission.
* MM-23832: Updates constant type.
* MM-23832: Removes unnecessary comment.
* MM-23832: Renames permissions.
* MM-23832: Fix for permission name changes.
* MM-23832: Adds missing config access tags. Adds some required ancillary permissions for write_usermanagement_teams.
* MM-23832: Adds local API endpoint for getting config.
* MM-23832: If tag value is blank or restrict_sys_admin_write then don't do the permission check.
* MM-23832: nil check for strings prior to dereferencing.
* MM-23832: Fix for config display logic.
* MM-23832: Updates godoc.
* MM-23832: Delays the unrestricted check for parity with other permissions checks if the channel id does not exist.
* MM-23832: Removes tautology.
* MM-23832: Re-adds status code check.
* MM-23832: Adds new permission to edit brand image.
* MM-23832: Exports variable for use by mmctl.
* MM-23832: Initialize exported map for use by mmctl.
* MM-23832: Accept deprecated permissions as valid.
* MM-23832: Adds missing permissions to archive a channel.
* MM-23832: Adds missing permissions for managing team.
* MM-23832: Properly filters config values in patch and update API responses.
* MM-23832: Fixes license viewing and writing permissions.
* MM-23832: Require license to assign 'new system roles'.
* MM-23832: Adds translation keys.
* MM-23832: Updates translation order.
* MM-27529: Splits read_channel_groups into read_public_channel_groups and read_private_channel_groups.
* MM-23832: Prevent read-only permissions from editing site url test parameter.
* MM-23832: Prevent read permissions from sniffing ports and elastic password.
* MM-23832: Adds missing permission required for write user management channels.
* MM-23832: Allows new roles to search for channels.
* MM-23832: Adds ability for system_manager to manage jobs.
* MM-23832: Cluster status access by sysconsole permission, not manage_system.
* MM-23832: Adds 'add_user_to_team' permission to sysconsole write usermanagement teams.
* MM-23832: Fixes lint.
* MM-23832: Test fix.
* MM-23832: Test fix.
Co-authored-by: Catalin Tomai <catalin.tomai@mattermost.com>
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Mobile users were having their sessions unexpectedly expired, despite having ServiceSettings.ExtendSessionLengthWithActivity enabled.
Every time the mobile app was opened it called `/api/v4/sessions/device`, which calls attachDeviceId, which calls `(*Session)SetExpireInDays`. This code assumed the expiry should be relative to CreateAt, which is incorrect when ExtendSessionLengthWithActivity is enabled. Therefore, every time the mobile app was opened, the maximum expiry was set in memory to CreateAt + session_length, even if the session had been extended.
(*Session)SetExpireInDays is now deprecated and replaced with (*App)SetSessionExpireInDays, which takes the ExtendSessionLengthWithActivity setting into account.
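The following is an added example, not Mattermost's code, that plays out the scenario described in this message with numbers: a session created 20 days ago with a 30-day session length, kept alive by daily activity, then "opened" on mobile under the legacy CreateAt-anchored logic and under a corrected version that anchors to the current activity when ExtendSessionLengthWithActivity is on. The Session fields, the session-length parameter and the function shapes are assumptions for the example.

```go
package main

import (
	"fmt"
	"time"
)

const dayMillis = int64(24 * time.Hour / time.Millisecond)

// Session carries the three timestamps that matter here, as Unix
// milliseconds (the unit Mattermost uses for CreateAt/ExpiresAt).
type Session struct {
	CreateAt       int64
	LastActivityAt int64
	ExpiresAt      int64
}

// setExpireInDaysLegacy is the deprecated behaviour: expiry is always
// anchored to CreateAt, so any extension earned through activity is thrown
// away the next time this runs.
func setExpireInDaysLegacy(s *Session, days int) {
	s.ExpiresAt = s.CreateAt + int64(days)*dayMillis
}

// setSessionExpireInDays is the corrected shape (assumed, not the project's
// exact code): with extendWithActivity on, the expiry is anchored to the
// current activity instead of CreateAt.
func setSessionExpireInDays(s *Session, days int, extendWithActivity bool, now int64) {
	base := s.CreateAt
	if extendWithActivity {
		s.LastActivityAt = now
		base = now
	}
	s.ExpiresAt = base + int64(days)*dayMillis
}

// daysLeft returns whole days until expiry at time now (negative if expired).
func daysLeft(s *Session, now int64) int {
	return int((s.ExpiresAt - now) / dayMillis)
}

// openMobileApp simulates the /sessions/device call described above with
// either the legacy or the corrected expiry logic. sessionLengthDays stands
// in for the configured mobile session length (config name assumed).
func openMobileApp(s *Session, sessionLengthDays int, extendWithActivity, legacy bool, now int64) {
	if legacy {
		setExpireInDaysLegacy(s, sessionLengthDays)
		return
	}
	setSessionExpireInDays(s, sessionLengthDays, extendWithActivity, now)
}

// newSessionCreatedDaysAgo builds a session created n days before now whose
// expiry was already extended by activity one day ago (constructed input).
func newSessionCreatedDaysAgo(n, sessionLengthDays int, now int64) *Session {
	s := &Session{CreateAt: now - int64(n)*dayMillis}
	s.LastActivityAt = now - dayMillis
	s.ExpiresAt = s.LastActivityAt + int64(sessionLengthDays)*dayMillis
	return s
}

func main() {
	now := time.Now().UnixMilli()
	for _, legacy := range []bool{true, false} {
		s := newSessionCreatedDaysAgo(20, 30, now)
		before := daysLeft(s, now)
		openMobileApp(s, 30, true, legacy, now)
		fmt.Printf("legacy=%v days left: before open=%d, after open=%d\n", legacy, before, daysLeft(s, now))
	}
}
```

With the legacy logic the extended session drops from 29 days left to 10 the moment the app is opened, which is the "unexpected expiry" users saw; with the corrected logic it goes to 30. With extension disabled both versions agree on CreateAt + 30 days, so the change only affects deployments that turned the setting on.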
Summary:
Config option to allow permanent user deletion ServiceSettings.EnableAPIUserDeletion
Expose permanent user deletion through API
Local mode for delete user for use in mmctl
Ticket Link:
Server part of https://mattermost.atlassian.net/browse/MM-25647
* MM-26574 Add role filters to user search and get
* Add ability to get filtered user stats
Add support for include bots
* Add tests for user count with filters
Add tests
* Apply changes from code review
* Fix guest filtering
* Fix up tests related to guests
* Clean role names
* Trigger CI
* Trigger CI
* TokenStore migration to return plain errors
* Fix translations
* Fix: returned error is ignored and http.StatusBadRequest is always returned
* Fix
* Fix translations
* Suggestions
* Changed from BadRequest to NotFound
* Setting the correct http status
* Changed test to expect 404 status
* Fix error
* Extracting email functions into a service
* Fixing two shadowing errors
* Address PR review comments
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
* Pass device ID
* don't use device id as a way of detecting
* fix spelling mistake
* update layers
* fix test
* fix linting
* save schema
* put columns in correct place
* fix linting
* update
* upgrade go change
* use props
* fix stuff
* update session tests
* address PR comments
* address PR comments
* Refactor of getListOfAllowedChannelsForTeam
Also, I've fixed some problematic scenarios:
- The quick search doesn't provide a team id, so it was always failing
- When the teamId was empty and the view restrictions were too, we always
returned all the channels, because `strings.Contains("foo", "")`
always returns true
- There was a case, in quick search with a guest account, where you
got an empty result because the teamId is not provided
* Error if team id is not passed when searching for the channel
If we search users passing the channel id, we must pass the team id
too, so we avoid returning all the channels if we remove the empty
team id restriction we have in getListOfAllowedChannelsForTeam.
There is no known reason to search for a channel without filtering
by team id. Even guest accounts belong to a team.
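The strings.Contains pitfall named above is worth seeing in working code. This is an added example, not the project's getListOfAllowedChannelsForTeam: a buggy filter that checks a guest's team restriction with strings.Contains against a joined list (so an empty teamId matches everything and the per-team filter is skipped), next to a hardened version that treats a missing teamId as an error and matches restrictions exactly. It also covers a second weakness of the substring check that the message does not mention, a restriction to "teamAB" satisfying a search for "teamA". The Channel and ViewRestrictions types and the sample data are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Channel is the minimum shape needed here: a channel belongs to one team.
type Channel struct {
	ID     string
	TeamID string
}

// ViewRestrictions lists the teams a restricted user (a guest, for instance)
// is allowed to see. nil means unrestricted.
type ViewRestrictions struct {
	Teams []string
}

var errTeamIDRequired = errors.New("team id is required when searching channels")

// allowedChannelsBuggy reproduces the failure mode (shape assumed, not the
// project's code): the restriction check uses strings.Contains on a joined
// list, and strings.Contains(x, "") is always true, so an empty teamID passes
// the restriction and then the per-team filter is skipped as well. A guest
// ends up seeing every channel.
func allowedChannelsBuggy(all []Channel, vr *ViewRestrictions, teamID string) []Channel {
	out := []Channel{}
	for _, c := range all {
		if vr != nil && !strings.Contains(strings.Join(vr.Teams, ","), teamID) {
			continue
		}
		if teamID != "" && c.TeamID != teamID {
			continue
		}
		out = append(out, c)
	}
	return out
}

// containsExact replaces the substring test with an exact element match, so
// "teamA" does not satisfy a restriction to "teamAB".
func containsExact(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// allowedChannelsForTeam is the hardened version: a missing teamID is an
// error rather than a wildcard, restrictions are matched exactly, and the
// result is always limited to the requested team.
func allowedChannelsForTeam(all []Channel, vr *ViewRestrictions, teamID string) ([]Channel, error) {
	if teamID == "" {
		return nil, errTeamIDRequired
	}
	if vr != nil && !containsExact(vr.Teams, teamID) {
		return []Channel{}, nil
	}
	out := []Channel{}
	for _, c := range all {
		if c.TeamID == teamID {
			out = append(out, c)
		}
	}
	return out, nil
}

// channels is sample data constructed for the example.
var channels = []Channel{{"a1", "teamA"}, {"a2", "teamA"}, {"b1", "teamB"}}

func main() {
	guest := &ViewRestrictions{Teams: []string{"teamA"}}
	fmt.Println(len(allowedChannelsBuggy(channels, guest, ""))) // 3: the guest sees teamB too
	_, err := allowedChannelsForTeam(channels, guest, "")
	fmt.Println(err) // team id is required when searching channels
	got, _ := allowedChannelsForTeam(channels, guest, "teamB")
	fmt.Println(len(got)) // 0
}
```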
* api4/user: add verify user by id method
* Update api4/user.go
Co-Authored-By: Miguel de la Cruz <miguel@mcrx.me>
* Update model/client4.go
Co-Authored-By: Miguel de la Cruz <miguel@mcrx.me>
* api4/user: reflect review comments
* Update api4/user_test.go
Co-authored-by: Miguel de la Cruz <miguel@mcrx.me>
Co-authored-by: Miguel de la Cruz <miguel@mcrx.me>
Co-authored-by: mattermod <mattermod@users.noreply.github.com>
* Removing some other fake apps
* More FakeApp removed
* Removing entirely FakeApp
* Fixing some tests
* Fixing get Cluster id from get plugin status
* Fixing failing tests
* Fixing tests
* Fixing test initialization for web
* Fixing InitServer for server tests
* Fixing InitServer for server tests
* Reverting go.sum and go.mod
* Removing unneeded HTMLTemplates function in App layer
* Moving back some functions to their old place to ease the review
* Moving back some functions to their old place to ease the review
* Using the last struct2interface version
* Generating store layers
* Fixing merge problems
* Addressing PR comments
* Small fix
* Fixing app tests build
* Fixing tests
* fixing tests
* Fix tests
* Fixing tests
* Fixing tests
* Fixing tests
* Moving license to server struct
* Adding some fixes to the test compilation
* Fixing cluster and some jobs initialization
* Fixing some license tests compilation problems
* Fixing recursive cache invalidation
* Regenerating app layers
* Fix test compilation
Co-authored-by: mattermod <mattermod@users.noreply.github.com>
Add auditing to server CLI.
Also:
- simplify auditing in API layer
- reduce number of AddMeta calls
- have models serialize themselves
- more consistent field naming
* New auditing API outputting to syslog via TLS
* New config section for specifying remote syslog server IP, port, and cert.
* Legacy audit API retained for access history feature