IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
e1cd64613591cf5a990442a69ebf188258bd0cb5
mattermost/utils/authorization.go
George Goldberg e1cd646135 XYZ-37: Advanced Permissions Phase 1 Backend. (#8159) 
* XYZ-13: Update Permission and Role structs to new design.

* XYZ-10: Role store.

* XYZ-9/XYZ-44: Roles API endpoints and WebSocket message.

* XYZ-8: Switch server permissions checks to store backed roles.

* XYZ-58: Proper validation of roles where required.

* XYZ-11/XYZ-55: Migration to store backed roles from policy config.

* XYZ-37: Update unit tests to work with database roles.

* XYZ-56: Remove the "guest" role.

* Changes to SetDefaultRolesFromConfig.

* Short-circuit the store if nothing has changed.

* Address first round of review comments.

* Address second round of review comments.
2018-02-06 15:34:08 +00:00

272 lines
9.0 KiB
Go
Raw Blame History

// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package utils
import (
"github.com/mattermost/mattermost-server/model"
)
func SetRolePermissionsFromConfig(roles map[string]*model.Role, cfg *model.Config) map[string]*model.Role {
if IsLicensed() {
switch *cfg.TeamSettings.RestrictPublicChannelCreation {
case model.PERMISSIONS_ALL:
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
}
} else {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
}
if IsLicensed() {
switch *cfg.TeamSettings.RestrictPublicChannelManagement {
case model.PERMISSIONS_ALL:
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
}
} else {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
}
if IsLicensed() {
switch *cfg.TeamSettings.RestrictPublicChannelDeletion {
case model.PERMISSIONS_ALL:
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
}
} else {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
}
if IsLicensed() {
switch *cfg.TeamSettings.RestrictPrivateChannelCreation {
case model.PERMISSIONS_ALL:
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
}
} else {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
}
if IsLicensed() {
switch *cfg.TeamSettings.RestrictPrivateChannelManagement {
case model.PERMISSIONS_ALL:
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
}
} else {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
}
if IsLicensed() {
switch *cfg.TeamSettings.RestrictPrivateChannelDeletion {
case model.PERMISSIONS_ALL:
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
}
} else {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
}
// Restrict permissions for Private Channel Manage Members
if IsLicensed() {
switch *cfg.TeamSettings.RestrictPrivateChannelManageMembers {
case model.PERMISSIONS_ALL:
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
case model.PERMISSIONS_CHANNEL_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
case model.PERMISSIONS_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
}
} else {
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
)
}
if !*cfg.ServiceSettings.EnableOnlyAdminIntegrations {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
)
roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
roles[model.SYSTEM_USER_ROLE_ID].Permissions,
model.PERMISSION_MANAGE_OAUTH.Id,
)
}
// Grant permissions for inviting and adding users to a team.
if IsLicensed() {
if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
} else if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
}
} else {
roles[model.TEAM_USER_ROLE_ID].Permissions = append(
roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
}
if IsLicensed() {
switch *cfg.ServiceSettings.RestrictPostDelete {
case model.PERMISSIONS_DELETE_POST_ALL:
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
)
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
}
} else {
roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
)
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
}
if cfg.TeamSettings.EnableTeamCreation {
roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
roles[model.SYSTEM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_TEAM.Id,
)
}
return roles
}
Reference in New Issue View Git Blame Copy Permalink