authorGeorge Goldberg <george@gberg.me>2017-04-03 18:13:28 +0100
committerHarrison Healey <harrisonmhealey@gmail.com>2017-04-03 13:13:28 -0400
commite49f5928c55ba57c39efa11c568c66342b962aae (patch)
treec3199ea07e1c17aebdd77d53ad1397b469a0f963
parent232a99f0c7b9364cb4386264f9ff7f97549a4378 (diff)
downloadchat-e49f5928c55ba57c39efa11c568c66342b962aae.tar.gz
chat-e49f5928c55ba57c39efa11c568c66342b962aae.tar.bz2
chat-e49f5928c55ba57c39efa11c568c66342b962aae.zip
PLT-6139 (Server): Private Channel member managing (#5941)
Adds an EE policy feature to allow restricting system-wide which level of Admins can manage the membership of private channels.
-rw-r--r--api/channel_test.go222
-rw-r--r--api4/channel_test.go248
-rw-r--r--config/config.json1
-rw-r--r--model/authorization.go1
-rw-r--r--model/config.go46
-rw-r--r--utils/authorization.go33
-rw-r--r--utils/config.go1
7 files changed, 529 insertions, 23 deletions
diff --git a/api/channel_test.go b/api/channel_test.go
index bace5df5c..23705f172 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -1532,9 +1532,10 @@ func TestGetChannelStats(t *testing.T) {
}
func TestAddChannelMember(t *testing.T) {
- th := Setup().InitBasic()
+ th := Setup().InitBasic().InitSystemAdmin()
Client := th.BasicClient
team := th.BasicTeam
+ user1 := th.BasicUser
user2 := th.BasicUser2
user3 := th.CreateUser(Client)
@@ -1581,12 +1582,118 @@ func TestAddChannelMember(t *testing.T) {
if _, err := Client.AddChannelMember(channel1.Id, user3.Id); err == nil {
t.Fatal("Should have errored, user not on team")
}
+
+ // Test policy does not apply to TE.
+ restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+ defer func() {
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel3 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel3 = Client.Must(th.SystemAdminClient.CreateChannel(channel3)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user1.Id))
+ if _, err := Client.AddChannelMember(channel3.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Add a license
+ isLicensed := utils.IsLicensed
+ license := utils.License
+ defer func() {
+ utils.IsLicensed = isLicensed
+ utils.License = license
+ utils.SetDefaultRolesBasedOnConfig()
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ // Check that a regular channel user can add other users.
+ channel4 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel4 = Client.Must(th.SystemAdminClient.CreateChannel(channel4)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user1.Id))
+ if _, err := Client.AddChannelMember(channel4.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Test with CHANNEL_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel5 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel5 = Client.Must(th.SystemAdminClient.CreateChannel(channel5)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user1.Id))
+ if _, err := Client.AddChannelMember(channel5.Id, user2.Id); err == nil {
+ t.Fatal("Should have failed due to permissions")
+ }
+
+ MakeUserChannelAdmin(user1, channel5)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ if _, err := Client.AddChannelMember(channel5.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Test with TEAM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel6 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel6 = Client.Must(th.SystemAdminClient.CreateChannel(channel6)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user1.Id))
+ if _, err := Client.AddChannelMember(channel6.Id, user2.Id); err == nil {
+ t.Fatal("Should have failed due to permissions")
+ }
+
+ UpdateUserToTeamAdmin(user1, team)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ if _, err := Client.AddChannelMember(channel6.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Test with SYSTEM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel7 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel7 = Client.Must(th.SystemAdminClient.CreateChannel(channel7)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user1.Id))
+ if _, err := Client.AddChannelMember(channel7.Id, user2.Id); err == nil {
+ t.Fatal("Should have failed due to permissions")
+ }
+
+ if _, err := th.SystemAdminClient.AddChannelMember(channel7.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
}
func TestRemoveChannelMember(t *testing.T) {
- th := Setup().InitBasic()
+ th := Setup().InitBasic().InitSystemAdmin()
Client := th.BasicClient
team := th.BasicTeam
+ user1 := th.BasicUser
user2 := th.BasicUser2
UpdateUserToTeamAdmin(user2, team)
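Review bot: The two deferred restores registered at lines 45-47 and 61-65 run in reverse order, so `utils.SetDefaultRolesBasedOnConfig()` executes while RestrictPrivateChannelManageMembers still holds PERMISSIONS_SYSTEM_ADMIN, and the earlier defer then restores the config value without recomputing roles, leaving the package-level role tables reflecting the last policy value rather than the original one (if SetDefaultRolesBasedOnConfig rebuilds roles from scratch, as its name suggests). Adding `utils.SetDefaultRolesBasedOnConfig()` after line 46 inside the first deferred function is enough, since by the time it runs the license has already been restored. The same defer pattern appears in the TestRemoveChannelMember hunk of this file and in both hunks of api4/channel_test.go. The comment at line 43 also assumes the server under test is unlicensed at that point, which the test does not assert before exercising the policy. This hunk ends inside TestRemoveChannelMember, whose body continues past it.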
@@ -1646,6 +1753,117 @@ func TestRemoveChannelMember(t *testing.T) {
if _, err := Client.RemoveChannelMember(townSquare.Id, userStd.Id); err == nil {
t.Fatal("should have errored, channel is default")
}
+
+ th.LoginBasic()
+
+ // Test policy does not apply to TE.
+ restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+ defer func() {
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel3 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel3 = Client.Must(th.SystemAdminClient.CreateChannel(channel3)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user1.Id))
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user2.Id))
+ if _, err := Client.RemoveChannelMember(channel3.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Add a license
+ isLicensed := utils.IsLicensed
+ license := utils.License
+ defer func() {
+ utils.IsLicensed = isLicensed
+ utils.License = license
+ utils.SetDefaultRolesBasedOnConfig()
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ // Check that a regular channel user can remove other users.
+ channel4 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel4 = Client.Must(th.SystemAdminClient.CreateChannel(channel4)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user1.Id))
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user2.Id))
+ if _, err := Client.RemoveChannelMember(channel4.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Test with CHANNEL_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel5 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel5 = Client.Must(th.SystemAdminClient.CreateChannel(channel5)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user1.Id))
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user2.Id))
+ if _, err := Client.RemoveChannelMember(channel5.Id, user2.Id); err == nil {
+ t.Fatal("Should have failed due to permissions")
+ }
+
+ MakeUserChannelAdmin(user1, channel5)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+
+ if _, err := Client.RemoveChannelMember(channel5.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Test with TEAM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel6 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel6 = Client.Must(th.SystemAdminClient.CreateChannel(channel6)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user1.Id))
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user2.Id))
+ if _, err := Client.RemoveChannelMember(channel6.Id, user2.Id); err == nil {
+ t.Fatal("Should have failed due to permissions")
+ }
+
+ UpdateUserToTeamAdmin(user1, team)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ if _, err := Client.RemoveChannelMember(channel6.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
+
+ // Test with SYSTEM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ channel7 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel7 = Client.Must(th.SystemAdminClient.CreateChannel(channel7)).Data.(*model.Channel)
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user1.Id))
+ Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user2.Id))
+ if _, err := Client.RemoveChannelMember(channel7.Id, user2.Id); err == nil {
+ t.Fatal("Should have failed due to permissions")
+ }
+
+ if _, err := th.SystemAdminClient.RemoveChannelMember(channel7.Id, user2.Id); err != nil {
+ t.Fatal(err)
+ }
}
func TestUpdateNotifyProps(t *testing.T) {
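Review bot: Lines 219-221 reassign utils.IsLicensed and utils.License after MakeUserChannelAdmin but never call `utils.SetDefaultRolesBasedOnConfig()`, unlike the matching block in TestAddChannelMember at line 99, so those three lines have no effect on the roles the next RemoveChannelMember call is checked against. Either drop them or add `utils.SetDefaultRolesBasedOnConfig()` after line 221 so the two tests exercise the same sequence. The same omission appears in api4/channel_test.go after MakeUserChannelAdmin and after UpdateUserToTeamAdmin in its TestRemoveChannelMember hunk.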
diff --git a/api4/channel_test.go b/api4/channel_test.go
index 1d8053a0a..0496be495 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -1497,9 +1497,14 @@ func TestAddChannelMember(t *testing.T) {
Client := th.Client
user := th.BasicUser
user2 := th.BasicUser2
+ team := th.BasicTeam
publicChannel := th.CreatePublicChannel()
privateChannel := th.CreatePrivateChannel()
+ user3 := th.CreateUserWithClient(th.SystemAdminClient)
+ _, resp := th.SystemAdminClient.AddTeamMember(team.Id, user3.Id, "", "", team.InviteId)
+ CheckNoError(t, resp)
+
cm, resp := Client.AddChannelMember(publicChannel.Id, user2.Id)
CheckNoError(t, resp)
CheckCreatedStatus(t, resp)
@@ -1582,10 +1587,139 @@ func TestAddChannelMember(t *testing.T) {
_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
CheckNoError(t, resp)
+
+ // Test policy does not apply to TE.
+ restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+ defer func() {
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.SetDefaultRolesBasedOnConfig()
+
+ Client.Login(user2.Username, user2.Password)
+ privateChannel = th.CreatePrivateChannel()
+ _, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ Client.Login(user.Username, user.Password)
+ _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ // Add a license
+ isLicensed := utils.IsLicensed
+ license := utils.License
+ defer func() {
+ utils.IsLicensed = isLicensed
+ utils.License = license
+ utils.SetDefaultRolesBasedOnConfig()
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ // Check that a regular channel user can add other users.
+ Client.Login(user2.Username, user2.Password)
+ privateChannel = th.CreatePrivateChannel()
+ _, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ Client.Login(user.Username, user.Password)
+ _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ // Test with CHANNEL_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ Client.Login(user2.Username, user2.Password)
+ privateChannel = th.CreatePrivateChannel()
+ _, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ Client.Login(user.Username, user.Password)
+ _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckForbiddenStatus(t, resp)
+ Client.Logout()
+
+ MakeUserChannelAdmin(user, privateChannel)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ Client.Login(user.Username, user.Password)
+ _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ // Test with TEAM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ Client.Login(user2.Username, user2.Password)
+ privateChannel = th.CreatePrivateChannel()
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ Client.Login(user.Username, user.Password)
+ _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckForbiddenStatus(t, resp)
+ Client.Logout()
+
+ UpdateUserToTeamAdmin(user, team)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ Client.Login(user.Username, user.Password)
+ _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ // Test with SYSTEM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ Client.Login(user2.Username, user2.Password)
+ privateChannel = th.CreatePrivateChannel()
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
+ CheckNoError(t, resp)
+ Client.Logout()
+
+ Client.Login(user.Username, user.Password)
+ _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckForbiddenStatus(t, resp)
+ Client.Logout()
+
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user3.Id)
+ CheckNoError(t, resp)
}
func TestRemoveChannelMember(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
+ user1 := th.BasicUser
+ user2 := th.BasicUser2
+ team := th.BasicTeam
defer TearDown()
Client := th.Client
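Review bot: `UpdateUserToTeamAdmin(user, team)` at line 388 promotes the basic user and is never reverted inside TestAddChannelMember; the following TestRemoveChannelMember compensates with `UpdateUserToNonTeamAdmin(user1, team)` at line 433, which couples the two tests through shared fixture state (unless TearDown resets team roles, which is not visible here). Registering `defer UpdateUserToNonTeamAdmin(user, team)` immediately after line 388 keeps the cleanup with the test that made the change. The return values of `Client.Login` and `Client.Logout` are also discarded throughout this hunk, so a failed login would surface only as a confusing status check later. The hunk ends inside TestRemoveChannelMember, whose body continues past it.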
@@ -1635,4 +1769,118 @@ func TestRemoveChannelMember(t *testing.T) {
_, resp = th.SystemAdminClient.RemoveUserFromChannel(private.Id, th.BasicUser.Id)
CheckNoError(t, resp)
+
+ th.LoginBasic()
+ UpdateUserToNonTeamAdmin(user1, team)
+ app.InvalidateAllCaches()
+
+ // Test policy does not apply to TE.
+ restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+ defer func() {
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.SetDefaultRolesBasedOnConfig()
+
+ privateChannel := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+ CheckNoError(t, resp)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ // Add a license
+ isLicensed := utils.IsLicensed
+ license := utils.License
+ defer func() {
+ utils.IsLicensed = isLicensed
+ utils.License = license
+ utils.SetDefaultRolesBasedOnConfig()
+ }()
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ // Check that a regular channel user can remove other users.
+ privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+ CheckNoError(t, resp)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ // Test with CHANNEL_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+ CheckNoError(t, resp)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckForbiddenStatus(t, resp)
+
+ MakeUserChannelAdmin(user1, privateChannel)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+
+ _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ // Test with TEAM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+ CheckNoError(t, resp)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckForbiddenStatus(t, resp)
+
+ UpdateUserToTeamAdmin(user1, team)
+ app.InvalidateAllCaches()
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+
+ _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ // Test with SYSTEM_ADMIN level permission.
+ *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+ utils.IsLicensed = true
+ utils.License = &model.License{Features: &model.Features{}}
+ utils.License.Features.SetDefaults()
+ utils.SetDefaultRolesBasedOnConfig()
+
+ privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+ CheckNoError(t, resp)
+ _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
+
+ _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckForbiddenStatus(t, resp)
+
+ _, resp = th.SystemAdminClient.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+ CheckNoError(t, resp)
}
diff --git a/config/config.json b/config/config.json
index 3b28ae917..f1cb04c63 100644
--- a/config/config.json
+++ b/config/config.json
@@ -61,6 +61,7 @@
"RestrictPrivateChannelManagement": "all",
"RestrictPublicChannelDeletion": "all",
"RestrictPrivateChannelDeletion": "all",
+ "RestrictPrivateChannelManageMembers": "all",
"UserStatusAwayTimeout": 300,
"MaxChannelsPerTeam": 2000,
"MaxNotificationsPerChannel": 1000
diff --git a/model/authorization.go b/model/authorization.go
index 1f6f34a2a..b27fcaf77 100644
--- a/model/authorization.go
+++ b/model/authorization.go
@@ -305,7 +305,6 @@ func InitalizeRoles() {
[]string{
PERMISSION_READ_CHANNEL.Id,
PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
- PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
PERMISSION_UPLOAD_FILE.Id,
PERMISSION_GET_PUBLIC_LINK.Id,
PERMISSION_CREATE_POST.Id,
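Review bot: Removing PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS from this role's static permission list means the permission now exists only if utils.SetDefaultRolesBasedOnConfig runs after InitalizeRoles; any code path that initialises roles without it silently loses the ability to manage private channel members. A comment at the removal site would make that dependency visible, e.g. `// PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS is granted by utils.SetDefaultRolesBasedOnConfig according to TeamSettings.RestrictPrivateChannelManageMembers.` The role this list belongs to and the rest of InitalizeRoles are outside the hunk.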
diff --git a/model/config.go b/model/config.go
index e26bf90f1..ebd26d85d 100644
--- a/model/config.go
+++ b/model/config.go
@@ -280,26 +280,27 @@ type SupportSettings struct {
}
type TeamSettings struct {
- SiteName string
- MaxUsersPerTeam int
- EnableTeamCreation bool
- EnableUserCreation bool
- EnableOpenServer *bool
- RestrictCreationToDomains string
- EnableCustomBrand *bool
- CustomBrandText *string
- CustomDescriptionText *string
- RestrictDirectMessage *string
- RestrictTeamInvite *string
- RestrictPublicChannelManagement *string
- RestrictPrivateChannelManagement *string
- RestrictPublicChannelCreation *string
- RestrictPrivateChannelCreation *string
- RestrictPublicChannelDeletion *string
- RestrictPrivateChannelDeletion *string
- UserStatusAwayTimeout *int64
- MaxChannelsPerTeam *int64
- MaxNotificationsPerChannel *int64
+ SiteName string
+ MaxUsersPerTeam int
+ EnableTeamCreation bool
+ EnableUserCreation bool
+ EnableOpenServer *bool
+ RestrictCreationToDomains string
+ EnableCustomBrand *bool
+ CustomBrandText *string
+ CustomDescriptionText *string
+ RestrictDirectMessage *string
+ RestrictTeamInvite *string
+ RestrictPublicChannelManagement *string
+ RestrictPrivateChannelManagement *string
+ RestrictPublicChannelCreation *string
+ RestrictPrivateChannelCreation *string
+ RestrictPublicChannelDeletion *string
+ RestrictPrivateChannelDeletion *string
+ RestrictPrivateChannelManageMembers *string
+ UserStatusAwayTimeout *int64
+ MaxChannelsPerTeam *int64
+ MaxNotificationsPerChannel *int64
}
type LdapSettings struct {
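Review bot: The new RestrictPrivateChannelManageMembers field carries no documentation of its accepted values or of the fact that, per the utils/authorization.go hunk in this commit, it is only enforced on licensed servers. A field comment such as `// RestrictPrivateChannelManageMembers is one of the PERMISSIONS_* values; it is applied by utils.SetDefaultRolesBasedOnConfig and only on licensed servers.` would save the next reader a cross-file search. The remaining lines of this hunk are gofmt realignment only.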
@@ -621,6 +622,11 @@ func (o *Config) SetDefaults() {
*o.TeamSettings.RestrictPrivateChannelDeletion = *o.TeamSettings.RestrictPrivateChannelManagement
}
+ if o.TeamSettings.RestrictPrivateChannelManageMembers == nil {
+ o.TeamSettings.RestrictPrivateChannelManageMembers = new(string)
+ *o.TeamSettings.RestrictPrivateChannelManageMembers = PERMISSIONS_ALL
+ }
+
if o.TeamSettings.UserStatusAwayTimeout == nil {
o.TeamSettings.UserStatusAwayTimeout = new(int64)
*o.TeamSettings.UserStatusAwayTimeout = TEAM_SETTINGS_DEFAULT_USER_STATUS_AWAY_TIMEOUT
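Review bot: SetDefaults only fills a nil pointer; nothing in this commit validates that a non-nil RestrictPrivateChannelManageMembers holds one of PERMISSIONS_ALL, PERMISSIONS_CHANNEL_ADMIN, PERMISSIONS_TEAM_ADMIN or PERMISSIONS_SYSTEM_ADMIN, so a misspelled value in config.json would be accepted and then match no case in the switch that consumes it. If Config has an IsValid method like the other settings presumably use, a check there returning a configuration error for unrecognised values would catch this at startup. Note also that the default here is the literal PERMISSIONS_ALL, whereas the adjacent RestrictPrivateChannelDeletion at line 621 inherits from RestrictPrivateChannelManagement; a short comment saying the independent default is intentional would avoid a future "fix".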
diff --git a/utils/authorization.go b/utils/authorization.go
index 086caa565..8078f4023 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -183,6 +183,39 @@ func SetDefaultRolesBasedOnConfig() {
)
}
+ // Restrict permissions for Private Channel Manage Members
+ if IsLicensed {
+ switch *Cfg.TeamSettings.RestrictPrivateChannelManageMembers {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_CHANNEL_USER.Permissions = append(
+ model.ROLE_CHANNEL_USER.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+ )
+ break
+ case model.PERMISSIONS_CHANNEL_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+ )
+ model.ROLE_CHANNEL_ADMIN.Permissions = append(
+ model.ROLE_CHANNEL_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+ )
+ break
+ }
+ } else {
+ model.ROLE_CHANNEL_USER.Permissions = append(
+ model.ROLE_CHANNEL_USER.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+ )
+ }
+
if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
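Review bot: The three `break` statements at lines 646, 656 and 662 are redundant in a Go switch, which does not fall through, and should be dropped. More importantly the switch has no case for PERMISSIONS_SYSTEM_ADMIN and no default, so both that value and any unrecognised string grant the permission to no role below system admin; that is fail-closed, which is the right direction, but it is invisible to a reader and worth stating with `// PERMISSIONS_SYSTEM_ADMIN and unrecognised values: no role below system admin receives the permission.` on an explicit `case model.PERMISSIONS_SYSTEM_ADMIN:`. The unlicensed branch at lines 664-669 ignores the setting entirely and always grants it to ROLE_CHANNEL_USER, which the tests in this commit rely on, so the header comment at line 638 should say the restriction is licence-gated.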
diff --git a/utils/config.go b/utils/config.go
index 6f18a48fa..dcc8dd9c0 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -288,6 +288,7 @@ func getClientConfig(c *model.Config) map[string]string {
props["RestrictPrivateChannelManagement"] = *c.TeamSettings.RestrictPrivateChannelManagement
props["RestrictPublicChannelDeletion"] = *c.TeamSettings.RestrictPublicChannelDeletion
props["RestrictPrivateChannelDeletion"] = *c.TeamSettings.RestrictPrivateChannelDeletion
+ props["RestrictPrivateChannelManageMembers"] = *c.TeamSettings.RestrictPrivateChannelManageMembers
props["EnableOAuthServiceProvider"] = strconv.FormatBool(c.ServiceSettings.EnableOAuthServiceProvider)
props["GoogleDeveloperKey"] = c.ServiceSettings.GoogleDeveloperKey