mirror of
https://github.com/mattermost/mattermost.git
synced 2025-02-25 18:55:24 -06:00
8354206e5c
* MM-23832: Initial set of changes * MM-23832: further iteration * MM-23832: further iteration * MM-23832: further iteration * MM-23832: Fixes merge. * create migration for new Roles * MM-23832: Renames some roles. * MM-23832: Adds ability to see logs. * MM-23832: Removes manage roles from restricted admin. * MM-23832: Make authentication section read-only for restricted admin. * MM-23832: Allow restricted admin to purge caches. * MM-23832: Adds ability to recycle DB connections. * MM-23832: Adds ability to purge indexes. * MM-23832: Adds ability to test email and S3 config. * MM-23832: Adds abilituy to read job status. * MM-23832: Adds ability to read plugin statuses. * MM-23832: Renames Restricted Admin to System Manager. * MM-23832: Adds manage team roles to system_user_manager. * MM-23832: Updates some permissions. * MM-23832: Allow get all channels and get moderations. * MM-23832: Adds some permissions to User Manager. * MM-23832: Remove write users from user manager. * MM-23832: Changes permissions for the usermanagement > users sysconsole section. * MM-23832: Removes read_settings and write_settings permissions. Ensures the usermanagement parent permissions encompass the sub-permissions. * MM-23832: Updates permissions. * MM-23832: Changes some permissions checks, adds new permissions to roles. * MM-23832: Adds ability to update a role. * MM-23832: Permissions updates. * MM-23832: Removes write access to plugins for system manager. * MM-23832: Removes read compliance from new roles. * MM-23832: Adds mock for new roles creation migration. * MM-23832: Changes to variadic param. * MM-23832: Removes some duplication in the permissions model. Renames some permissions constants. * MM-23832: Updates some migrations. * MM-23832: Removes some unnecessary constants. * MM-23832: Changes back to old app method name. * MM-23832: Fixes incorrect permission check. * MM-23832: Changes write to read permission check. * MM-23832: Removes the authentication permission from link/unlink group. * MM-23832: Enable testing LDAP with read permissions. * MM-23832: Make testing elasticsearch a read permission. * MM-23832: Warn metrics are associated to any system console read permissions. * MM-23832: Updates some permissions checks. * MM-23832: Removes non-systemconsole permissions from roles. * MM-23832: Update default permission assignment of sysadmin. * MM-23832: Fixes incorrect permission check. Removes some unused stuff. * MM-23832: Update permission to check. * MM-23832: Switches to struct tags. * MM-23832: Adds some docs for the permissions tag. * MM-23832: Removes whitespace. * MM-23832: Combines system admin restricted access with other acess-control tag. * MM-23832: Fixes some tests. * MM-23832: Clarifies docs, does not assume prior permission check in '-' access value case. * MM-23832: Updates to correct access tag value. * MM-23832: Adds test of the config settings tag access. * MM-23832: Undoes whitespace change. * MM-23832: Removes comment. * MM-23832: Adds the permissions to the new roles rather than using OR conditions on the permissions checks. * MM-23832: Removes or condition on permission check. * MM-23832: Updates mapping. * MM-23832: Typo fix. * MM-23832: Adds new 'read_jobs' permission. * MM-23832: Add read_jobs to all roles with manage_jobs. * MM-23832: Adds new permission read_other_users_teams. * MM-23832: Adds read filtering of config. * MM-23932: Change tag value. * MM-23832: Fixes some tests. Adds test for read config access tag. * MM-23832: Adds permissions to list teams. * MM-23832: Removes the '-' tag value. Adds a new permission read_channel_groups. Updates a permission check. * MM-23832: Removes unnecessary parent permission for user_management. Fixes permission check change error. * MM-23832: Removes unused parameter to filter/merge function. * MM-23832: Renames migration name. * MM-23832: Fix for godoc. * MM-23832: Fixes tests. * MM-23832: Only makes a map once rather than every function call. Doesn't require access tag on config field structs. Reverts one test update and fixes another. * MM-23832: Removes all of the unnecessary uses of (*App).SessionHasPermissionToAny since removing the user_management parent permission. * MM-23832: Updates constant type. * MM-23832: Removes unnecessary comment. * MM-23832: Renames permissions. * MM-23832: Fix for permission name changes. * MM-23832: Adds missing config access tags. Adds some requirec ancillary permissions for write_usermanagement_teams. * MM-23832: Adds local API endpoint for getting config. * MM-23832: If tag value is blank or restrict_sys_admin_write then don't do the permission check. * MM-23832: nil check for strings prior to dereferencing. * MM-23832: Fix for config display logic. * MM-23832: Updates godoc. * MM-23832: Delays the unrestricted check for parity with other permissions checks if the channel id does not exist. * MM-23832: Removes tautology. * MM-23832: Re-adds status code check. * MM-23832: Adds new permission to edit brand image. * MM-23832: Exports variable for use by mmctl. * MM-23832: Initialize exported map for use by mmctl. * MM-23832: Accept deprecated permissions as valid. * MM-23832: Adds missing permissions to archive a channel. * MM-23832: Adds missing permissions for managing team. * MM-23832: Properly filters config values in patch and update API responses. * MM-23832: Fixes license viewing and writing permissions. * MM-23832: Require license to assign 'new system roles'. * MM-23832: Adds translation keys. * MM-23832: Updates translation order. * MM-27529: Splits read_channel_groups into read_public_channel_groups and read_private_channel_groups. * MM-23832: Prevent read-only permissions from editing site url test parameter. * MM-23832: Prevent read permissions from sniffing ports and elastic password. * MM-23832: Adds missing permission required for write user management channels. * MM-23832: Allows new roles to search for channels. * MM-23832: Adds ability for system_manager to manage jobs. * MM-23832: Cluster status access by sysconsole permission, not manage_system. * MM-23832: Adds 'add_user_to_team' permission to sysconsole write usermanagement teams. * MM-23832: Fixes lint. * MM-23832: Test fix. * MM-23832: Test fix. Co-authored-by: Catalin Tomai <catalin.tomai@mattermost.com> Co-authored-by: Scott Bishel <scott.bishel@mattermost.com> Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
470 lines
16 KiB
Go
470 lines
16 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package app
|
|
|
|
import (
|
|
"fmt"
|
|
"sort"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/mock"
|
|
|
|
"github.com/mattermost/mattermost-server/v5/model"
|
|
"github.com/mattermost/mattermost-server/v5/services/searchengine/bleveengine"
|
|
"github.com/mattermost/mattermost-server/v5/store/storetest/mocks"
|
|
)
|
|
|
|
/* Temporarily comment out until MM-11108
|
|
func TestAppRace(t *testing.T) {
|
|
for i := 0; i < 10; i++ {
|
|
a, err := New()
|
|
require.NoError(t, err)
|
|
a.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = ":0" })
|
|
serverErr := a.StartServer()
|
|
require.NoError(t, serverErr)
|
|
a.Srv().Shutdown()
|
|
}
|
|
}
|
|
*/
|
|
|
|
var allPermissionIDs []string
|
|
|
|
func init() {
|
|
for _, perm := range model.AllPermissions {
|
|
allPermissionIDs = append(allPermissionIDs, perm.Id)
|
|
}
|
|
}
|
|
|
|
func TestUnitUpdateConfig(t *testing.T) {
|
|
th := SetupWithStoreMock(t)
|
|
defer th.TearDown()
|
|
bleveEngine := bleveengine.NewBleveEngine(th.App.Config(), th.App.Srv().Jobs)
|
|
_ = bleveEngine.Start()
|
|
th.App.Srv().SearchEngine.RegisterBleveEngine(bleveEngine)
|
|
|
|
mockStore := th.App.Srv().Store.(*mocks.Store)
|
|
mockUserStore := mocks.UserStore{}
|
|
mockUserStore.On("Count", mock.Anything).Return(int64(10), nil)
|
|
mockPostStore := mocks.PostStore{}
|
|
mockPostStore.On("GetMaxPostSize").Return(65535, nil)
|
|
mockSystemStore := mocks.SystemStore{}
|
|
mockSystemStore.On("GetByName", "UpgradedFromTE").Return(&model.System{Name: "UpgradedFromTE", Value: "false"}, nil)
|
|
mockSystemStore.On("GetByName", "InstallationDate").Return(&model.System{Name: "InstallationDate", Value: "10"}, nil)
|
|
mockSystemStore.On("GetByName", "FirstServerRunTimestamp").Return(&model.System{Name: "FirstServerRunTimestamp", Value: "10"}, nil)
|
|
mockSystemStore.On("Get").Return(make(model.StringMap), nil)
|
|
mockLicenseStore := mocks.LicenseStore{}
|
|
mockLicenseStore.On("Get", "").Return(&model.LicenseRecord{}, nil)
|
|
mockStore.On("User").Return(&mockUserStore)
|
|
mockStore.On("Post").Return(&mockPostStore)
|
|
mockStore.On("System").Return(&mockSystemStore)
|
|
mockStore.On("License").Return(&mockLicenseStore)
|
|
|
|
prev := *th.App.Config().ServiceSettings.SiteURL
|
|
|
|
th.App.AddConfigListener(func(old, current *model.Config) {
|
|
assert.Equal(t, prev, *old.ServiceSettings.SiteURL)
|
|
assert.Equal(t, "http://foo.com", *current.ServiceSettings.SiteURL)
|
|
})
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.ServiceSettings.SiteURL = "http://foo.com"
|
|
})
|
|
}
|
|
|
|
func TestDoAdvancedPermissionsMigration(t *testing.T) {
|
|
th := Setup(t)
|
|
defer th.TearDown()
|
|
|
|
th.ResetRoleMigration()
|
|
|
|
th.App.DoAdvancedPermissionsMigration()
|
|
|
|
roleNames := []string{
|
|
"system_user",
|
|
"system_admin",
|
|
"team_user",
|
|
"team_admin",
|
|
"channel_user",
|
|
"channel_admin",
|
|
"system_post_all",
|
|
"system_post_all_public",
|
|
"system_user_access_token",
|
|
"team_post_all",
|
|
"team_post_all_public",
|
|
}
|
|
|
|
roles1, err1 := th.App.GetRolesByNames(roleNames)
|
|
assert.Nil(t, err1)
|
|
assert.Equal(t, len(roles1), len(roleNames))
|
|
|
|
expected1 := map[string][]string{
|
|
"channel_user": {
|
|
model.PERMISSION_READ_CHANNEL.Id,
|
|
model.PERMISSION_ADD_REACTION.Id,
|
|
model.PERMISSION_REMOVE_REACTION.Id,
|
|
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
|
|
model.PERMISSION_UPLOAD_FILE.Id,
|
|
model.PERMISSION_GET_PUBLIC_LINK.Id,
|
|
model.PERMISSION_CREATE_POST.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
model.PERMISSION_USE_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
|
|
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
|
|
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
|
|
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
|
|
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
|
|
model.PERMISSION_DELETE_POST.Id,
|
|
model.PERMISSION_EDIT_POST.Id,
|
|
},
|
|
"channel_admin": {
|
|
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
|
|
model.PERMISSION_USE_GROUP_MENTIONS.Id,
|
|
},
|
|
"team_user": {
|
|
model.PERMISSION_LIST_TEAM_CHANNELS.Id,
|
|
model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
|
|
model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
|
|
model.PERMISSION_VIEW_TEAM.Id,
|
|
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
|
|
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
|
|
model.PERMISSION_INVITE_USER.Id,
|
|
model.PERMISSION_ADD_USER_TO_TEAM.Id,
|
|
},
|
|
"team_post_all": {
|
|
model.PERMISSION_CREATE_POST.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"team_post_all_public": {
|
|
model.PERMISSION_CREATE_POST_PUBLIC.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"team_admin": {
|
|
model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
|
|
model.PERMISSION_MANAGE_TEAM.Id,
|
|
model.PERMISSION_IMPORT_TEAM.Id,
|
|
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
|
|
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
|
|
model.PERMISSION_DELETE_POST.Id,
|
|
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
|
|
},
|
|
"system_user": {
|
|
model.PERMISSION_LIST_PUBLIC_TEAMS.Id,
|
|
model.PERMISSION_JOIN_PUBLIC_TEAMS.Id,
|
|
model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
|
|
model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
|
|
model.PERMISSION_VIEW_MEMBERS.Id,
|
|
model.PERMISSION_CREATE_TEAM.Id,
|
|
},
|
|
"system_post_all": {
|
|
model.PERMISSION_CREATE_POST.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"system_post_all_public": {
|
|
model.PERMISSION_CREATE_POST_PUBLIC.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"system_user_access_token": {
|
|
model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
|
|
model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
|
|
model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
|
|
},
|
|
"system_admin": allPermissionIDs,
|
|
}
|
|
|
|
// Check the migration matches what's expected.
|
|
for name, permissions := range expected1 {
|
|
role, err := th.App.GetRoleByName(name)
|
|
assert.Nil(t, err)
|
|
assert.Equal(t, role.Permissions, permissions, fmt.Sprintf("role %q didn't match", name))
|
|
}
|
|
// Add a license and change the policy config.
|
|
restrictPublicChannel := *th.App.Config().TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPublicChannelManagement
|
|
restrictPrivateChannel := *th.App.Config().TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateChannelManagement
|
|
|
|
defer func() {
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPublicChannelManagement = restrictPublicChannel
|
|
})
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateChannelManagement = restrictPrivateChannel
|
|
})
|
|
}()
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPublicChannelManagement = model.PERMISSIONS_TEAM_ADMIN
|
|
})
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateChannelManagement = model.PERMISSIONS_TEAM_ADMIN
|
|
})
|
|
th.App.Srv().SetLicense(model.NewTestLicense())
|
|
|
|
// Check the migration doesn't change anything if run again.
|
|
th.App.DoAdvancedPermissionsMigration()
|
|
|
|
roles2, err2 := th.App.GetRolesByNames(roleNames)
|
|
assert.Nil(t, err2)
|
|
assert.Equal(t, len(roles2), len(roleNames))
|
|
|
|
for name, permissions := range expected1 {
|
|
role, err := th.App.GetRoleByName(name)
|
|
assert.Nil(t, err)
|
|
assert.Equal(t, permissions, role.Permissions)
|
|
}
|
|
|
|
// Reset the database
|
|
th.ResetRoleMigration()
|
|
|
|
// Do the migration again with different policy config settings and a license.
|
|
th.App.DoAdvancedPermissionsMigration()
|
|
|
|
// Check the role permissions.
|
|
expected2 := map[string][]string{
|
|
"channel_user": {
|
|
model.PERMISSION_READ_CHANNEL.Id,
|
|
model.PERMISSION_ADD_REACTION.Id,
|
|
model.PERMISSION_REMOVE_REACTION.Id,
|
|
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
|
|
model.PERMISSION_UPLOAD_FILE.Id,
|
|
model.PERMISSION_GET_PUBLIC_LINK.Id,
|
|
model.PERMISSION_CREATE_POST.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
model.PERMISSION_USE_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
|
|
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
|
|
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
|
|
model.PERMISSION_DELETE_POST.Id,
|
|
model.PERMISSION_EDIT_POST.Id,
|
|
},
|
|
"channel_admin": {
|
|
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
|
|
model.PERMISSION_USE_GROUP_MENTIONS.Id,
|
|
},
|
|
"team_user": {
|
|
model.PERMISSION_LIST_TEAM_CHANNELS.Id,
|
|
model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
|
|
model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
|
|
model.PERMISSION_VIEW_TEAM.Id,
|
|
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
|
|
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
|
|
model.PERMISSION_INVITE_USER.Id,
|
|
model.PERMISSION_ADD_USER_TO_TEAM.Id,
|
|
},
|
|
"team_post_all": {
|
|
model.PERMISSION_CREATE_POST.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"team_post_all_public": {
|
|
model.PERMISSION_CREATE_POST_PUBLIC.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"team_admin": {
|
|
model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
|
|
model.PERMISSION_MANAGE_TEAM.Id,
|
|
model.PERMISSION_IMPORT_TEAM.Id,
|
|
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
|
|
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
|
|
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
|
|
model.PERMISSION_DELETE_POST.Id,
|
|
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
|
|
},
|
|
"system_user": {
|
|
model.PERMISSION_LIST_PUBLIC_TEAMS.Id,
|
|
model.PERMISSION_JOIN_PUBLIC_TEAMS.Id,
|
|
model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
|
|
model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
|
|
model.PERMISSION_VIEW_MEMBERS.Id,
|
|
model.PERMISSION_CREATE_TEAM.Id,
|
|
},
|
|
"system_post_all": {
|
|
model.PERMISSION_CREATE_POST.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"system_post_all_public": {
|
|
model.PERMISSION_CREATE_POST_PUBLIC.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
},
|
|
"system_user_access_token": {
|
|
model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
|
|
model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
|
|
model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
|
|
},
|
|
"system_admin": allPermissionIDs,
|
|
}
|
|
|
|
roles3, err3 := th.App.GetRolesByNames(roleNames)
|
|
assert.Nil(t, err3)
|
|
assert.Equal(t, len(roles3), len(roleNames))
|
|
|
|
for name, permissions := range expected2 {
|
|
role, err := th.App.GetRoleByName(name)
|
|
assert.Nil(t, err)
|
|
assert.Equal(t, permissions, role.Permissions, fmt.Sprintf("'%v' did not have expected permissions", name))
|
|
}
|
|
|
|
// Remove the license.
|
|
th.App.Srv().SetLicense(nil)
|
|
|
|
// Do the migration again.
|
|
th.ResetRoleMigration()
|
|
th.App.DoAdvancedPermissionsMigration()
|
|
|
|
// Check the role permissions.
|
|
roles4, err4 := th.App.GetRolesByNames(roleNames)
|
|
assert.Nil(t, err4)
|
|
assert.Equal(t, len(roles4), len(roleNames))
|
|
|
|
for name, permissions := range expected1 {
|
|
role, err := th.App.GetRoleByName(name)
|
|
assert.Nil(t, err)
|
|
assert.Equal(t, permissions, role.Permissions)
|
|
}
|
|
|
|
// Check that the config setting for "always" and "time_limit" edit posts is updated correctly.
|
|
th.ResetRoleMigration()
|
|
|
|
allowEditPost := *th.App.Config().ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost
|
|
postEditTimeLimit := *th.App.Config().ServiceSettings.PostEditTimeLimit
|
|
|
|
defer func() {
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost = allowEditPost })
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.PostEditTimeLimit = postEditTimeLimit })
|
|
}()
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost = "always"
|
|
*cfg.ServiceSettings.PostEditTimeLimit = 300
|
|
})
|
|
|
|
th.App.DoAdvancedPermissionsMigration()
|
|
|
|
config := th.App.Config()
|
|
assert.Equal(t, -1, *config.ServiceSettings.PostEditTimeLimit)
|
|
|
|
th.ResetRoleMigration()
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost = "time_limit"
|
|
*cfg.ServiceSettings.PostEditTimeLimit = 300
|
|
})
|
|
|
|
th.App.DoAdvancedPermissionsMigration()
|
|
config = th.App.Config()
|
|
assert.Equal(t, 300, *config.ServiceSettings.PostEditTimeLimit)
|
|
}
|
|
|
|
func TestDoEmojisPermissionsMigration(t *testing.T) {
|
|
th := Setup(t)
|
|
defer th.TearDown()
|
|
|
|
// Add a license and change the policy config.
|
|
restrictCustomEmojiCreation := *th.App.Config().ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictCustomEmojiCreation
|
|
|
|
defer func() {
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictCustomEmojiCreation = restrictCustomEmojiCreation
|
|
})
|
|
}()
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN
|
|
})
|
|
|
|
th.ResetEmojisMigration()
|
|
th.App.DoEmojisPermissionsMigration()
|
|
|
|
expectedSystemAdmin := allPermissionIDs
|
|
sort.Strings(expectedSystemAdmin)
|
|
|
|
role1, err1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
|
|
assert.Nil(t, err1)
|
|
sort.Strings(role1.Permissions)
|
|
assert.Equal(t, expectedSystemAdmin, role1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ADMIN
|
|
})
|
|
|
|
th.ResetEmojisMigration()
|
|
th.App.DoEmojisPermissionsMigration()
|
|
|
|
role2, err2 := th.App.GetRoleByName(model.TEAM_ADMIN_ROLE_ID)
|
|
assert.Nil(t, err2)
|
|
expected2 := []string{
|
|
model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
|
|
model.PERMISSION_MANAGE_TEAM.Id,
|
|
model.PERMISSION_IMPORT_TEAM.Id,
|
|
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
|
|
model.PERMISSION_READ_PUBLIC_CHANNEL_GROUPS.Id,
|
|
model.PERMISSION_READ_PRIVATE_CHANNEL_GROUPS.Id,
|
|
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
|
|
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
|
|
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
|
|
model.PERMISSION_DELETE_POST.Id,
|
|
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
|
|
model.PERMISSION_CREATE_EMOJIS.Id,
|
|
model.PERMISSION_DELETE_EMOJIS.Id,
|
|
model.PERMISSION_ADD_REACTION.Id,
|
|
model.PERMISSION_CREATE_POST.Id,
|
|
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
|
|
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
|
|
model.PERMISSION_REMOVE_REACTION.Id,
|
|
model.PERMISSION_USE_CHANNEL_MENTIONS.Id,
|
|
model.PERMISSION_USE_GROUP_MENTIONS.Id,
|
|
}
|
|
sort.Strings(expected2)
|
|
sort.Strings(role2.Permissions)
|
|
assert.Equal(t, expected2, role2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.TEAM_ADMIN_ROLE_ID))
|
|
|
|
systemAdmin1, systemAdminErr1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
|
|
assert.Nil(t, systemAdminErr1)
|
|
sort.Strings(systemAdmin1.Permissions)
|
|
assert.Equal(t, expectedSystemAdmin, systemAdmin1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) {
|
|
*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ALL
|
|
})
|
|
|
|
th.ResetEmojisMigration()
|
|
th.App.DoEmojisPermissionsMigration()
|
|
|
|
role3, err3 := th.App.GetRoleByName(model.SYSTEM_USER_ROLE_ID)
|
|
assert.Nil(t, err3)
|
|
expected3 := []string{
|
|
model.PERMISSION_LIST_PUBLIC_TEAMS.Id,
|
|
model.PERMISSION_JOIN_PUBLIC_TEAMS.Id,
|
|
model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
|
|
model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
|
|
model.PERMISSION_CREATE_TEAM.Id,
|
|
model.PERMISSION_CREATE_EMOJIS.Id,
|
|
model.PERMISSION_DELETE_EMOJIS.Id,
|
|
model.PERMISSION_VIEW_MEMBERS.Id,
|
|
}
|
|
sort.Strings(expected3)
|
|
sort.Strings(role3.Permissions)
|
|
assert.Equal(t, expected3, role3.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_USER_ROLE_ID))
|
|
|
|
systemAdmin2, systemAdminErr2 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
|
|
assert.Nil(t, systemAdminErr2)
|
|
sort.Strings(systemAdmin2.Permissions)
|
|
assert.Equal(t, expectedSystemAdmin, systemAdmin2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
|
|
}
|