mirror of
https://github.com/mattermost/mattermost.git
synced 2025-02-25 18:55:24 -06:00
19e5afd607
* [MM-24146] Add unix socket listener for mmctl local mode (#14296) * add unix socket listener for mmctl local mode * add a constant for local-mode socket path * reflect review comments * [MM-24401] Base approach for Local Mode (#14333) * add unix socket listener for mmctl local mode * First working PoC * Adds the channel list endpoint * Add team list endpoint * Add a LocalClient to the api test helper and start local mode * Add helper to test with both SystemAdmin and Local clients * Add some docs * Adds TestForAllClients test helper * Incorporating @ashishbhate's proposal for adding test names to the helpers * Fix init errors after merge * Adds create channel tests * Always init local mode to allow for enabling-disabling it via config * Check the RemoteAddr of the request before marking session as local * Mark the request as errored if it's local and the origin is remote * Set the socket permissions to read/write when initialising * Fix linter * Replace RemoteAddr check to ditch connections with the IP:PORT shape Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com> * Fix translations order * [MM-24832] Migrate plugin endpoints to local mode (#14543) * [MM-24832] Migrate plugin endpoints to local mode * Fix client reference in helper * api4/team: add local endpoints * [MM-24776] Migrate config endpoints to local mode (#14544) * [MM-24776] Migrate get config endpoint to local mode * [MM-24777] Migrate update config endpoint to local mode * Fix update config to bypass RestrictSystemAdmin flag * Add patchConfig endpoint * MM-24774/MM-24755: local mode for addLicense and removeLicense (#14491) Automatic Merge * api4/team: reflect review comments * api4/team: add to permissions * fix post conflict issues * fix formatting Co-authored-by: Miguel de la Cruz <miguel@mcrx.me> Co-authored-by: Ashish Bhate <bhate.ashish@gmail.com>
258 lines
7.0 KiB
Go
258 lines
7.0 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package app
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/mattermost/mattermost-server/v5/mlog"
|
|
"github.com/mattermost/mattermost-server/v5/model"
|
|
)
|
|
|
|
func (a *App) MakePermissionError(permission *model.Permission) *model.AppError {
|
|
return model.NewAppError("Permissions", "api.context.permissions.app_error", nil, "userId="+a.Session().UserId+", "+"permission="+permission.Id, http.StatusForbidden)
|
|
}
|
|
|
|
func (a *App) SessionHasPermissionTo(session model.Session, permission *model.Permission) bool {
|
|
if session.IsUnrestricted() {
|
|
return true
|
|
}
|
|
return a.RolesGrantPermission(session.GetUserRoles(), permission.Id)
|
|
}
|
|
|
|
func (a *App) SessionHasPermissionToTeam(session model.Session, teamId string, permission *model.Permission) bool {
|
|
if teamId == "" {
|
|
return false
|
|
}
|
|
if session.IsUnrestricted() {
|
|
return true
|
|
}
|
|
|
|
teamMember := session.GetTeamByTeamId(teamId)
|
|
if teamMember != nil {
|
|
if a.RolesGrantPermission(teamMember.GetRoles(), permission.Id) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return a.RolesGrantPermission(session.GetUserRoles(), permission.Id)
|
|
}
|
|
|
|
func (a *App) SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool {
|
|
if channelId == "" {
|
|
return false
|
|
}
|
|
if session.IsUnrestricted() {
|
|
return true
|
|
}
|
|
ids, err := a.Srv().Store.Channel().GetAllChannelMembersForUser(session.UserId, true, true)
|
|
|
|
var channelRoles []string
|
|
if err == nil {
|
|
if roles, ok := ids[channelId]; ok {
|
|
channelRoles = strings.Fields(roles)
|
|
if a.RolesGrantPermission(channelRoles, permission.Id) {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
channel, err := a.GetChannel(channelId)
|
|
if err == nil && channel.TeamId != "" {
|
|
return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
|
|
}
|
|
|
|
if err != nil && err.StatusCode == http.StatusNotFound {
|
|
return false
|
|
}
|
|
|
|
return a.SessionHasPermissionTo(session, permission)
|
|
}
|
|
|
|
func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId string, permission *model.Permission) bool {
|
|
if channelMember, err := a.Srv().Store.Channel().GetMemberForPost(postId, session.UserId); err == nil {
|
|
|
|
if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
if channel, err := a.Srv().Store.Channel().GetForPost(postId); err == nil {
|
|
if channel.TeamId != "" {
|
|
return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
|
|
}
|
|
}
|
|
|
|
return a.SessionHasPermissionTo(session, permission)
|
|
}
|
|
|
|
func (a *App) SessionHasPermissionToUser(session model.Session, userId string) bool {
|
|
if userId == "" {
|
|
return false
|
|
}
|
|
|
|
if session.UserId == userId {
|
|
return true
|
|
}
|
|
|
|
if a.SessionHasPermissionTo(session, model.PERMISSION_EDIT_OTHER_USERS) {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (a *App) SessionHasPermissionToUserOrBot(session model.Session, userId string) bool {
|
|
if a.SessionHasPermissionToUser(session, userId) {
|
|
return true
|
|
}
|
|
|
|
if err := a.SessionHasPermissionToManageBot(session, userId); err == nil {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission) bool {
|
|
user, err := a.GetUser(askingUserId)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
roles := user.GetRoles()
|
|
|
|
return a.RolesGrantPermission(roles, permission.Id)
|
|
}
|
|
|
|
func (a *App) HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool {
|
|
if teamId == "" || askingUserId == "" {
|
|
return false
|
|
}
|
|
|
|
teamMember, err := a.GetTeamMember(teamId, askingUserId)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
// If the team member has been deleted, they don't have permission.
|
|
if teamMember.DeleteAt != 0 {
|
|
return false
|
|
}
|
|
|
|
roles := teamMember.GetRoles()
|
|
|
|
if a.RolesGrantPermission(roles, permission.Id) {
|
|
return true
|
|
}
|
|
|
|
return a.HasPermissionTo(askingUserId, permission)
|
|
}
|
|
|
|
func (a *App) HasPermissionToChannel(askingUserId string, channelId string, permission *model.Permission) bool {
|
|
if channelId == "" || askingUserId == "" {
|
|
return false
|
|
}
|
|
|
|
channelMember, err := a.GetChannelMember(channelId, askingUserId)
|
|
if err == nil {
|
|
roles := channelMember.GetRoles()
|
|
if a.RolesGrantPermission(roles, permission.Id) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
var channel *model.Channel
|
|
channel, err = a.GetChannel(channelId)
|
|
if err == nil {
|
|
return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission)
|
|
}
|
|
|
|
return a.HasPermissionTo(askingUserId, permission)
|
|
}
|
|
|
|
func (a *App) HasPermissionToChannelByPost(askingUserId string, postId string, permission *model.Permission) bool {
|
|
if channelMember, err := a.Srv().Store.Channel().GetMemberForPost(postId, askingUserId); err == nil {
|
|
if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
if channel, err := a.Srv().Store.Channel().GetForPost(postId); err == nil {
|
|
return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission)
|
|
}
|
|
|
|
return a.HasPermissionTo(askingUserId, permission)
|
|
}
|
|
|
|
func (a *App) HasPermissionToUser(askingUserId string, userId string) bool {
|
|
if askingUserId == userId {
|
|
return true
|
|
}
|
|
|
|
if a.HasPermissionTo(askingUserId, model.PERMISSION_EDIT_OTHER_USERS) {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (a *App) RolesGrantPermission(roleNames []string, permissionId string) bool {
|
|
roles, err := a.GetRolesByNames(roleNames)
|
|
if err != nil {
|
|
// This should only happen if something is very broken. We can't realistically
|
|
// recover the situation, so deny permission and log an error.
|
|
mlog.Error("Failed to get roles from database with role names: "+strings.Join(roleNames, ",")+" ", mlog.Err(err))
|
|
return false
|
|
}
|
|
|
|
for _, role := range roles {
|
|
if role.DeleteAt != 0 {
|
|
continue
|
|
}
|
|
|
|
permissions := role.Permissions
|
|
for _, permission := range permissions {
|
|
if permission == permissionId {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// SessionHasPermissionToManageBot returns nil if the session has access to manage the given bot.
|
|
// This function deviates from other authorization checks in returning an error instead of just
|
|
// a boolean, allowing the permission failure to be exposed with more granularity.
|
|
func (a *App) SessionHasPermissionToManageBot(session model.Session, botUserId string) *model.AppError {
|
|
existingBot, err := a.GetBot(botUserId, true)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if existingBot.OwnerId == session.UserId {
|
|
if !a.SessionHasPermissionTo(session, model.PERMISSION_MANAGE_BOTS) {
|
|
if !a.SessionHasPermissionTo(session, model.PERMISSION_READ_BOTS) {
|
|
// If the user doesn't have permission to read bots, pretend as if
|
|
// the bot doesn't exist at all.
|
|
return model.MakeBotNotFoundError(botUserId)
|
|
}
|
|
return a.MakePermissionError(model.PERMISSION_MANAGE_BOTS)
|
|
}
|
|
} else {
|
|
if !a.SessionHasPermissionTo(session, model.PERMISSION_MANAGE_OTHERS_BOTS) {
|
|
if !a.SessionHasPermissionTo(session, model.PERMISSION_READ_OTHERS_BOTS) {
|
|
// If the user doesn't have permission to read others' bots,
|
|
// pretend as if the bot doesn't exist at all.
|
|
return model.MakeBotNotFoundError(botUserId)
|
|
}
|
|
return a.MakePermissionError(model.PERMISSION_MANAGE_OTHERS_BOTS)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|