authorGeorge Goldberg <george@gberg.me>2016-12-21 19:18:41 +0000
committerCorey Hulen <corey@hulen.com>2016-12-21 11:18:41 -0800
commitdce4205699bed68046f9dc6ed371ad959d93ee59 (patch)
tree7bd2d857ee9786ec59b782c52ffc5f59c0853728
parentf0f53260984a210f44458d86ed5ac9e3afb3f363 (diff)
PLT-4990 - Server: Split out channel permissions to Create/Manage/Delete (#4864)
* Server side changes. * Fix unit tests and default config.
-rw-r--r--api/channel_test.go24
-rw-r--r--config/config.json4
-rw-r--r--model/config.go28
-rw-r--r--utils/authorization.go66
-rw-r--r--utils/config.go4
5 files changed, 108 insertions, 18 deletions
diff --git a/api/channel_test.go b/api/channel_test.go
index c916a27cf..ae4573c9c 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -121,8 +121,8 @@ func TestCreateChannel(t *testing.T) {
t.Fatal(err)
}
- *utils.Cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_TEAM_ADMIN
- *utils.Cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_TEAM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_TEAM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_TEAM_ADMIN
utils.SetDefaultRolesBasedOnConfig()
channel2.Name = "a" + model.NewId() + "a"
@@ -146,8 +146,8 @@ func TestCreateChannel(t *testing.T) {
t.Fatal(err)
}
- *utils.Cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_SYSTEM_ADMIN
- *utils.Cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_SYSTEM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_SYSTEM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_SYSTEM_ADMIN
utils.SetDefaultRolesBasedOnConfig()
channel2.Name = "a" + model.NewId() + "a"
@@ -167,6 +167,10 @@ func TestCreateChannel(t *testing.T) {
if _, err := SystemAdminClient.CreateChannel(channel3); err != nil {
t.Fatal(err)
}
+
+ *utils.Cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_ALL
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_ALL
+ utils.SetDefaultRolesBasedOnConfig()
}
func TestCreateDirectChannel(t *testing.T) {
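Review bot: The reset to `model.PERMISSIONS_ALL` added at the end of TestCreateChannel only runs when no earlier `t.Fatal` fires, so a failing assertion leaves the package-level `utils.Cfg` restricted to team or system admins for every test that runs afterwards. It also restores a hard-coded value rather than whatever the settings held before the test. Capture the two previous values before the first override and restore them in a `defer` that ends with `utils.SetDefaultRolesBasedOnConfig()`; deferred functions still run when `t.Fatal` exits the test. The same applies to the TestDeleteChannel hunk at `@@ -1226,6 +1230,10 @@`. The test body starts outside this hunk.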
@@ -1161,8 +1165,8 @@ func TestDeleteChannel(t *testing.T) {
t.Fatal(err)
}
- *utils.Cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_TEAM_ADMIN
- *utils.Cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_TEAM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_TEAM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_TEAM_ADMIN
utils.SetDefaultRolesBasedOnConfig()
th.LoginSystemAdmin()
@@ -1193,8 +1197,8 @@ func TestDeleteChannel(t *testing.T) {
t.Fatal(err)
}
- *utils.Cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_SYSTEM_ADMIN
- *utils.Cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_SYSTEM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_SYSTEM_ADMIN
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_SYSTEM_ADMIN
utils.SetDefaultRolesBasedOnConfig()
th.LoginSystemAdmin()
@@ -1226,6 +1230,10 @@ func TestDeleteChannel(t *testing.T) {
if _, err := Client.DeleteChannel(channel3.Id); err != nil {
t.Fatal(err)
}
+
+ *utils.Cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_ALL
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_ALL
+ utils.SetDefaultRolesBasedOnConfig()
}
func TestGetChannelStats(t *testing.T) {
diff --git a/config/config.json b/config/config.json
index 2209a9656..649081597 100644
--- a/config/config.json
+++ b/config/config.json
@@ -49,8 +49,12 @@
"CustomDescriptionText": "",
"RestrictDirectMessage": "any",
"RestrictTeamInvite": "all",
+ "RestrictPublicChannelCreation": "all",
+ "RestrictPrivateChannelCreation": "all",
"RestrictPublicChannelManagement": "all",
"RestrictPrivateChannelManagement": "all",
+ "RestrictPublicChannelDeletion": "all",
+ "RestrictPrivateChannelDeletion": "all",
"UserStatusAwayTimeout": 300,
"MaxChannelsPerTeam": 2000,
"MaxNotificationsPerChannel": 1000
diff --git a/model/config.go b/model/config.go
index 0a3fcb33e..29fa995fd 100644
--- a/model/config.go
+++ b/model/config.go
@@ -226,6 +226,10 @@ type TeamSettings struct {
RestrictTeamInvite *string
RestrictPublicChannelManagement *string
RestrictPrivateChannelManagement *string
+ RestrictPublicChannelCreation *string
+ RestrictPrivateChannelCreation *string
+ RestrictPublicChannelDeletion *string
+ RestrictPrivateChannelDeletion *string
UserStatusAwayTimeout *int64
MaxChannelsPerTeam *int64
MaxNotificationsPerChannel *int64
@@ -507,6 +511,30 @@ func (o *Config) SetDefaults() {
*o.TeamSettings.RestrictPrivateChannelManagement = PERMISSIONS_ALL
}
+ if o.TeamSettings.RestrictPublicChannelCreation == nil {
+ o.TeamSettings.RestrictPublicChannelCreation = new(string)
+ // If this setting does not exist, assume migration from <3.6, so use management setting as default.
+ *o.TeamSettings.RestrictPublicChannelCreation = *o.TeamSettings.RestrictPublicChannelManagement
+ }
+
+ if o.TeamSettings.RestrictPrivateChannelCreation == nil {
+ o.TeamSettings.RestrictPrivateChannelCreation = new(string)
+ // If this setting does not exist, assume migration from <3.6, so use management setting as default.
+ *o.TeamSettings.RestrictPrivateChannelCreation = *o.TeamSettings.RestrictPrivateChannelManagement
+ }
+
+ if o.TeamSettings.RestrictPublicChannelDeletion == nil {
+ o.TeamSettings.RestrictPublicChannelDeletion = new(string)
+ // If this setting does not exist, assume migration from <3.6, so use management setting as default.
+ *o.TeamSettings.RestrictPublicChannelDeletion = *o.TeamSettings.RestrictPublicChannelManagement
+ }
+
+ if o.TeamSettings.RestrictPrivateChannelDeletion == nil {
+ o.TeamSettings.RestrictPrivateChannelDeletion = new(string)
+ // If this setting does not exist, assume migration from <3.6, so use management setting as default.
+ *o.TeamSettings.RestrictPrivateChannelDeletion = *o.TeamSettings.RestrictPrivateChannelManagement
+ }
+
if o.TeamSettings.UserStatusAwayTimeout == nil {
o.TeamSettings.UserStatusAwayTimeout = new(int64)
*o.TeamSettings.UserStatusAwayTimeout = 300
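Review bot: The four new defaults copy whatever string the matching Management setting holds, and nothing in this hunk checks that value against `PERMISSIONS_ALL`, `PERMISSIONS_TEAM_ADMIN` or `PERMISSIONS_SYSTEM_ADMIN`. A misspelled Management value would therefore be inherited by Creation and Deletion as well, and the switches in utils/authorization.go would then silently grant the permission to neither role. If the config validation (outside this hunk) does not already cover the four new fields, they should be added there. The dereferences also rely on the Management nil-checks having run first, which deserves a comment such as `// Must stay below the Management defaults: their pointers are dereferenced here.` SetDefaults begins and continues outside the hunk.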
diff --git a/utils/authorization.go b/utils/authorization.go
index 23a7673fe..75f92062d 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -9,46 +9,92 @@ func SetDefaultRolesBasedOnConfig() {
// Reset the roles to default to make this logic easier
model.InitalizeRoles()
+ switch *Cfg.TeamSettings.RestrictPublicChannelCreation {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ }
+
switch *Cfg.TeamSettings.RestrictPublicChannelManagement {
case model.PERMISSIONS_ALL:
- model.ROLE_CHANNEL_USER.Permissions = append(
- model.ROLE_CHANNEL_USER.Permissions,
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
+ break
+ }
+
+ switch *Cfg.TeamSettings.RestrictPublicChannelDeletion {
+ case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
- model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
break
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
- model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ }
+
+ switch *Cfg.TeamSettings.RestrictPrivateChannelCreation {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
break
}
switch *Cfg.TeamSettings.RestrictPrivateChannelManagement {
case model.PERMISSIONS_ALL:
- model.ROLE_CHANNEL_USER.Permissions = append(
- model.ROLE_CHANNEL_USER.Permissions,
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
+ break
+ }
+
+ switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion {
+ case model.PERMISSIONS_ALL:
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
- model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
break
case model.PERMISSIONS_TEAM_ADMIN:
model.ROLE_TEAM_ADMIN.Permissions = append(
model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
- model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
break
}
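Review bot: Under `model.PERMISSIONS_ALL`, the two Management switches now append `PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES` and `PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES` to `model.ROLE_TEAM_USER` where the old code used `model.ROLE_CHANNEL_USER`, which widens the grant from channel members to every team member. For private channels this could let a non-member edit channel properties unless the handlers check membership separately, which is not visible here. If the widening is not intended, keep `model.ROLE_CHANNEL_USER.Permissions = append(model.ROLE_CHANNEL_USER.Permissions, ...)` in those two cases, and otherwise add a comment saying why team scope is safe. None of the six switches has a `default:`, so an unrecognised setting value silently grants nothing. A `default:` that logs the value would make a misconfiguration visible, and the `break` statements are redundant in Go. The function continues outside the hunk.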
diff --git a/utils/config.go b/utils/config.go
index c06223e6c..ab149d55f 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -238,8 +238,12 @@ func getClientConfig(c *model.Config) map[string]string {
props["EnableOpenServer"] = strconv.FormatBool(*c.TeamSettings.EnableOpenServer)
props["RestrictDirectMessage"] = *c.TeamSettings.RestrictDirectMessage
props["RestrictTeamInvite"] = *c.TeamSettings.RestrictTeamInvite
+ props["RestrictPublicChannelCreation"] = *c.TeamSettings.RestrictPublicChannelCreation
+ props["RestrictPrivateChannelCreation"] = *c.TeamSettings.RestrictPrivateChannelCreation
props["RestrictPublicChannelManagement"] = *c.TeamSettings.RestrictPublicChannelManagement
props["RestrictPrivateChannelManagement"] = *c.TeamSettings.RestrictPrivateChannelManagement
+ props["RestrictPublicChannelDeletion"] = *c.TeamSettings.RestrictPublicChannelDeletion
+ props["RestrictPrivateChannelDeletion"] = *c.TeamSettings.RestrictPrivateChannelDeletion
props["EnableOAuthServiceProvider"] = strconv.FormatBool(c.ServiceSettings.EnableOAuthServiceProvider)
props["SegmentDeveloperKey"] = c.ServiceSettings.SegmentDeveloperKey