authorJoram Wilander <jwawilander@gmail.com>2017-01-23 08:12:05 -0500
committerGitHub <noreply@github.com>2017-01-23 08:12:05 -0500
commite9c9688b343049c6d461260bd15fff3486238f92 (patch)
treea112e51de0e7f9989b173b7dbc4ad89080cc0e34
parentb064457c745ae6bf27e5e6933a0a7406f3f4921d (diff)
Move permissions code into app package (#5146)
* Move permissions code into app package * Revert getPosts permission
-rw-r--r--api/apitestlib.go25
-rw-r--r--api/authorization.go188
-rw-r--r--api/channel.go63
-rw-r--r--api/channel_test.go3
-rw-r--r--api/command.go19
-rw-r--r--api/context.go11
-rw-r--r--api/deprecated.go3
-rw-r--r--api/emoji.go2
-rw-r--r--api/file.go6
-rw-r--r--api/license.go3
-rw-r--r--api/oauth.go14
-rw-r--r--api/post.go34
-rw-r--r--api/reaction.go9
-rw-r--r--api/team.go175
-rw-r--r--api/team_test.go46
-rw-r--r--api/user.go65
-rw-r--r--api/user_test.go148
-rw-r--r--api/webhook.go26
-rw-r--r--app/authorization.go166
-rw-r--r--app/authorization_test.go (renamed from api/authorization_test.go)2
-rw-r--r--app/team.go151
-rw-r--r--app/user.go2
-rw-r--r--i18n/en.json16
-rw-r--r--model/authorization.go16
-rw-r--r--model/team.go8
-rw-r--r--utils/authorization.go11
-rw-r--r--web/web_test.go19
-rw-r--r--webapp/tests/client_team.test.jsx25
28 files changed, 702 insertions, 554 deletions
diff --git a/api/apitestlib.go b/api/apitestlib.go
index 09aed0e33..475469a36 100644
--- a/api/apitestlib.go
+++ b/api/apitestlib.go
@@ -80,13 +80,14 @@ func Setup() *TestHelper {
func (me *TestHelper) InitBasic() *TestHelper {
me.BasicClient = me.CreateClient()
- me.BasicTeam = me.CreateTeam(me.BasicClient)
me.BasicUser = me.CreateUser(me.BasicClient)
+ me.LoginBasic()
+ me.BasicTeam = me.CreateTeam(me.BasicClient)
LinkUserToTeam(me.BasicUser, me.BasicTeam)
+ UpdateUserToNonTeamAdmin(me.BasicUser, me.BasicTeam)
me.BasicUser2 = me.CreateUser(me.BasicClient)
LinkUserToTeam(me.BasicUser2, me.BasicTeam)
me.BasicClient.SetTeamId(me.BasicTeam.Id)
- me.LoginBasic()
me.BasicChannel = me.CreateChannel(me.BasicClient, me.BasicTeam)
me.BasicPost = me.CreatePost(me.BasicClient, me.BasicChannel)
@@ -95,13 +96,13 @@ func (me *TestHelper) InitBasic() *TestHelper {
func (me *TestHelper) InitSystemAdmin() *TestHelper {
me.SystemAdminClient = me.CreateClient()
- me.SystemAdminTeam = me.CreateTeam(me.SystemAdminClient)
me.SystemAdminUser = me.CreateUser(me.SystemAdminClient)
+ me.SystemAdminUser.Password = "Password1"
+ me.LoginSystemAdmin()
+ me.SystemAdminTeam = me.CreateTeam(me.SystemAdminClient)
LinkUserToTeam(me.SystemAdminUser, me.SystemAdminTeam)
me.SystemAdminClient.SetTeamId(me.SystemAdminTeam.Id)
app.UpdateUserRoles(me.SystemAdminUser.Id, model.ROLE_SYSTEM_USER.Id+" "+model.ROLE_SYSTEM_ADMIN.Id)
- me.SystemAdminUser.Password = "Password1"
- me.LoginSystemAdmin()
me.SystemAdminChannel = me.CreateChannel(me.SystemAdminClient, me.SystemAdminTeam)
return me
@@ -176,6 +177,20 @@ func UpdateUserToTeamAdmin(user *model.User, team *model.Team) {
utils.EnableDebugLogForTest()
}
+func UpdateUserToNonTeamAdmin(user *model.User, team *model.Team) {
+ utils.DisableDebugLogForTest()
+
+ tm := &model.TeamMember{TeamId: team.Id, UserId: user.Id, Roles: model.ROLE_TEAM_USER.Id}
+ if tmr := <-app.Srv.Store.Team().UpdateMember(tm); tmr.Err != nil {
+ utils.EnableDebugLogForTest()
+ l4g.Error(tmr.Err.Error())
+ l4g.Close()
+ time.Sleep(time.Second)
+ panic(tmr.Err)
+ }
+ utils.EnableDebugLogForTest()
+}
+
func MakeUserChannelAdmin(user *model.User, channel *model.Channel) {
utils.DisableDebugLogForTest()
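Review bot: UpdateUserToNonTeamAdmin (the new function in the third hunk) appears to be a copy of the preceding UpdateUserToTeamAdmin, whose closing lines sit at the top of the hunk, with only the Roles value changed; a private helper taking the roles string, e.g. `func setUserTeamRoles(user *model.User, team *model.Team, roles string)`, with both exported names as one-line wrappers, would keep the two from drifting. The new call in InitBasic also deserves a why-comment, since the reason the freshly linked user must be demoted is not visible in the hunk — something like `// Creating the team makes BasicUser its admin; demote so tests run as a plain member.`, if that is indeed the reason. MakeUserChannelAdmin continues past the end of the hunk.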
diff --git a/api/authorization.go b/api/authorization.go
deleted file mode 100644
index ac50d45ff..000000000
--- a/api/authorization.go
+++ /dev/null
@@ -1,188 +0,0 @@
-// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
-// See License.txt for license information.
-
-package api
-
-import (
- "net/http"
- "strings"
-
- l4g "github.com/alecthomas/log4go"
- "github.com/mattermost/platform/app"
- "github.com/mattermost/platform/model"
-)
-
-func HasPermissionToContext(c *Context, permission *model.Permission) bool {
- userRoles := c.Session.GetUserRoles()
- if !CheckIfRolesGrantPermission(userRoles, permission.Id) {
- c.Err = model.NewLocAppError("HasPermissionToContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id+" "+model.RoleIdsToString(userRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
- }
-
- return true
-}
-
-func HasPermissionTo(user *model.User, permission *model.Permission) bool {
- roles := user.GetRoles()
-
- return CheckIfRolesGrantPermission(roles, permission.Id)
-}
-
-func HasPermissionToCurrentTeamContext(c *Context, permission *model.Permission) bool {
- return HasPermissionToTeamContext(c, c.TeamId, permission)
-}
-
-func HasPermissionToTeamContext(c *Context, teamId string, permission *model.Permission) bool {
- teamMember := c.Session.GetTeamByTeamId(teamId)
- if teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToTeamContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id)
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToTeam(user *model.User, teamMember *model.TeamMember, permission *model.Permission) bool {
- if teamMember == nil {
- return false
- }
-
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
-
- return HasPermissionTo(user, permission)
-}
-
-func HasPermissionToChannelContext(c *Context, channelId string, permission *model.Permission) bool {
- cmc := app.Srv.Store.Channel().GetAllChannelMembersForUser(c.Session.UserId, true)
-
- var channelRoles []string
- if cmcresult := <-cmc; cmcresult.Err == nil {
- ids := cmcresult.Data.(map[string]string)
- if roles, ok := ids[channelId]; ok {
- channelRoles = strings.Fields(roles)
- if CheckIfRolesGrantPermission(channelRoles, permission.Id) {
- return true
- }
- }
- }
-
- cc := app.Srv.Store.Channel().Get(channelId, true)
- if ccresult := <-cc; ccresult.Err == nil {
- channel := ccresult.Data.(*model.Channel)
-
- if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToChannelContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToChannel(user *model.User, teamMember *model.TeamMember, channelMember *model.ChannelMember, permission *model.Permission) bool {
- if channelMember == nil {
- return false
- }
-
- roles := channelMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
-
- return HasPermissionToTeam(user, teamMember, permission)
-}
-
-func HasPermissionToChannelByPostContext(c *Context, postId string, permission *model.Permission) bool {
- cmc := app.Srv.Store.Channel().GetMemberForPost(postId, c.Session.UserId)
-
- var channelRoles []string
- if cmcresult := <-cmc; cmcresult.Err == nil {
- channelMember := cmcresult.Data.(*model.ChannelMember)
- channelRoles = channelMember.GetRoles()
-
- if CheckIfRolesGrantPermission(channelRoles, permission.Id) {
- return true
- }
- }
-
- cc := app.Srv.Store.Channel().GetForPost(postId)
- if ccresult := <-cc; ccresult.Err == nil {
- channel := ccresult.Data.(*model.Channel)
-
- if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToChannelByPostContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToUser(c *Context, userId string) bool {
- // You are the user (users autmaticly have permissions to themselves)
- if c.Session.UserId == userId {
- return true
- }
-
- // You have permission
- if HasPermissionToContext(c, model.PERMISSION_EDIT_OTHER_USERS) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToUser", "api.context.permissions.app_error", nil, "userId="+userId)
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func CheckIfRolesGrantPermission(roles []string, permissionId string) bool {
- for _, roleId := range roles {
- if role, ok := model.BuiltInRoles[roleId]; !ok {
- l4g.Debug("Bad role in system " + roleId)
- return false
- } else {
- permissions := role.Permissions
- for _, permission := range permissions {
- if permission == permissionId {
- return true
- }
- }
- }
- }
-
- return false
-}
diff --git a/api/channel.go b/api/channel.go
index 4c0c56496..474c41d07 100644
--- a/api/channel.go
+++ b/api/channel.go
@@ -71,11 +71,13 @@ func createChannel(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_CREATE_PUBLIC_CHANNEL) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_CREATE_PUBLIC_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_CREATE_PUBLIC_CHANNEL)
return
}
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_CREATE_PRIVATE_CHANNEL) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_CREATE_PRIVATE_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_CREATE_PRIVATE_CHANNEL)
return
}
@@ -105,7 +107,8 @@ func createChannel(c *Context, w http.ResponseWriter, r *http.Request) {
}
func createDirectChannel(c *Context, w http.ResponseWriter, r *http.Request) {
- if !HasPermissionToContext(c, model.PERMISSION_CREATE_DIRECT_CHANNEL) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_DIRECT_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_CREATE_DIRECT_CHANNEL)
return
}
@@ -126,11 +129,13 @@ func createDirectChannel(c *Context, w http.ResponseWriter, r *http.Request) {
}
func CanManageChannel(c *Context, channel *model.Channel) bool {
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES)
return false
}
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES)
return false
}
@@ -345,7 +350,8 @@ func getMoreChannelsPage(c *Context, w http.ResponseWriter, r *http.Request) {
}
// user is already in the team
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_LIST_TEAM_CHANNELS)
return
}
@@ -396,7 +402,8 @@ func join(c *Context, w http.ResponseWriter, r *http.Request) {
}
if channel.Type == model.CHANNEL_OPEN {
- if !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
return
}
}
@@ -445,11 +452,13 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) {
// Allow delete if user is the only member left in channel
if memberCount > 1 {
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_DELETE_PUBLIC_CHANNEL)
return
}
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_DELETE_PRIVATE_CHANNEL)
return
}
}
@@ -509,7 +518,8 @@ func getChannelByName(c *Context, w http.ResponseWriter, r *http.Request) {
c.Err = err
return
} else {
- if !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -544,7 +554,8 @@ func getChannelStats(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -562,7 +573,8 @@ func getChannelMember(c *Context, w http.ResponseWriter, r *http.Request) {
channelId := params["channel_id"]
userId := params["user_id"]
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -602,11 +614,13 @@ func addMember(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
return
}
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
return
}
@@ -655,11 +669,13 @@ func removeMember(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
return
}
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
return
}
@@ -704,7 +720,8 @@ func updateNotifyProps(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToUser(c, userId) {
+ if !app.SessionHasPermissionToUser(c.Session, userId) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
}
@@ -725,7 +742,8 @@ func searchMoreChannels(c *Context, w http.ResponseWriter, r *http.Request) {
}
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
@@ -747,7 +765,8 @@ func autocompleteChannels(c *Context, w http.ResponseWriter, r *http.Request) {
term := r.URL.Query().Get("term")
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
@@ -792,7 +811,8 @@ func getChannelMembersByIds(c *Context, w http.ResponseWriter, r *http.Request)
return
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -816,7 +836,8 @@ func updateChannelMemberRoles(c *Context, w http.ResponseWriter, r *http.Request
return
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_MANAGE_CHANNEL_ROLES) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_MANAGE_CHANNEL_ROLES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_CHANNEL_ROLES)
return
}
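Review bot: Every denial in this file now names the permission twice — once in the SessionHasPermissionTo* call and again in SetPermissionError — so a mismatch between the two leaves the 403 reporting a different permission than the one actually checked (createChannel, CanManageChannel, addMember, removeMember and the rest). A small Context helper that performs the check and records the error in one step would collapse each pair back to a single line; the same pattern recurs in command.go, deprecated.go, file.go and post.go. Note also that the replaced HasPermissionToChannelContext included the user's channel roles in the error detail and the new SetPermissionError does not, so the detail available when triaging a denial is reduced — worth confirming that is intended. Every enclosing handler continues outside its hunk.
```go
// checkChannelPermission returns true when the session holds p on channelId;
// otherwise it records the 403 on the context and returns false.
func (c *Context) checkChannelPermission(channelId string, p *model.Permission) bool {
	if app.SessionHasPermissionToChannel(c.Session, channelId, p) {
		return true
	}
	c.SetPermissionError(p)
	return false
}
// … team and system variants follow the same shape …
```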
diff --git a/api/channel_test.go b/api/channel_test.go
index 119578e8b..450c5556e 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -20,7 +20,7 @@ func TestCreateChannel(t *testing.T) {
Client := th.BasicClient
SystemAdminClient := th.SystemAdminClient
team := th.BasicTeam
- Client.Must(Client.Logout())
+ th.LoginBasic2()
team2 := th.CreateTeam(th.BasicClient)
th.LoginBasic()
th.BasicClient.SetTeamId(team.Id)
@@ -126,6 +126,7 @@ func TestCreateChannel(t *testing.T) {
*utils.Cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_TEAM_ADMIN
utils.SetDefaultRolesBasedOnConfig()
+ th.LoginBasic2()
channel2.Name = "a" + model.NewId() + "a"
channel3.Name = "a" + model.NewId() + "a"
if _, err := Client.CreateChannel(channel2); err == nil {
diff --git a/api/command.go b/api/command.go
index 376cb1075..7e0a1e232 100644
--- a/api/command.go
+++ b/api/command.go
@@ -97,7 +97,8 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
}
if len(commandArgs.ChannelId) > 0 {
- if !HasPermissionToChannelContext(c, commandArgs.ChannelId, model.PERMISSION_USE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToChannel(c.Session, commandArgs.ChannelId, model.PERMISSION_USE_SLASH_COMMANDS) {
+ c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
return
}
}
@@ -260,7 +261,7 @@ func createCommand(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
c.Err = model.NewLocAppError("createCommand", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -316,7 +317,7 @@ func updateCommand(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
c.Err = model.NewLocAppError("updateCommand", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -340,7 +341,7 @@ func updateCommand(c *Context, w http.ResponseWriter, r *http.Request) {
} else {
oldCmd = result.Data.(*model.Command)
- if c.Session.UserId != oldCmd.CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS) {
+ if c.Session.UserId != oldCmd.CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS) {
c.LogAudit("fail - inappropriate permissions")
c.Err = model.NewLocAppError("updateCommand", "api.command.update.app_error", nil, "user_id="+c.Session.UserId)
return
@@ -375,7 +376,7 @@ func listTeamCommands(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
c.Err = model.NewLocAppError("listTeamCommands", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -397,7 +398,7 @@ func regenCommandToken(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
c.Err = model.NewLocAppError("regenCommandToken", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -420,7 +421,7 @@ func regenCommandToken(c *Context, w http.ResponseWriter, r *http.Request) {
} else {
cmd = result.Data.(*model.Command)
- if c.TeamId != cmd.TeamId || (c.Session.UserId != cmd.CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
+ if c.TeamId != cmd.TeamId || (c.Session.UserId != cmd.CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
c.LogAudit("fail - inappropriate permissions")
c.Err = model.NewLocAppError("regenToken", "api.command.regen.app_error", nil, "user_id="+c.Session.UserId)
return
@@ -444,7 +445,7 @@ func deleteCommand(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
c.Err = model.NewLocAppError("deleteCommand", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -464,7 +465,7 @@ func deleteCommand(c *Context, w http.ResponseWriter, r *http.Request) {
c.Err = result.Err
return
} else {
- if c.TeamId != result.Data.(*model.Command).TeamId || (c.Session.UserId != result.Data.(*model.Command).CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
+ if c.TeamId != result.Data.(*model.Command).TeamId || (c.Session.UserId != result.Data.(*model.Command).CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
c.LogAudit("fail - inappropriate permissions")
c.Err = model.NewLocAppError("deleteCommand", "api.command.delete.app_error", nil, "user_id="+c.Session.UserId)
return
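Review bot: The creator-ownership denials on the new side (updateCommand, regenCommandToken and deleteCommand, the three lines comparing c.Session.UserId with CreatorId) set c.Err via NewLocAppError without a StatusCode, while the admin_only branches a few lines above each set `c.Err.StatusCode = http.StatusForbidden`; unless NewLocAppError defaults to 403 (not visible here), these permission failures go out with a different status than the rest of the file's denials. Adding `c.Err.StatusCode = http.StatusForbidden` after each of those three assignments would make them consistent. The omission predates this commit, but the lines were rewritten by it. Each enclosing handler continues outside the hunk.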
diff --git a/api/context.go b/api/context.go
index e77f6da24..edee8bb21 100644
--- a/api/context.go
+++ b/api/context.go
@@ -345,7 +345,7 @@ func (c *Context) SystemAdminRequired() {
c.Err = model.NewLocAppError("", "api.context.session_expired.app_error", nil, "SystemAdminRequired")
c.Err.StatusCode = http.StatusUnauthorized
return
- } else if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ } else if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
c.Err = model.NewLocAppError("", "api.context.permissions.app_error", nil, "AdminRequired")
c.Err.StatusCode = http.StatusForbidden
return
@@ -378,6 +378,11 @@ func (c *Context) SetUnknownError(where string, details string) {
c.Err = model.NewLocAppError(where, "api.context.unknown.app_error", nil, details)
}
+func (c *Context) SetPermissionError(permission *model.Permission) {
+ c.Err = model.NewLocAppError("Permissions", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id)
+ c.Err.StatusCode = http.StatusForbidden
+}
+
func (c *Context) setTeamURL(url string, valid bool) {
c.teamURL = url
c.teamURLValid = valid
@@ -462,14 +467,14 @@ func Handle404(w http.ResponseWriter, r *http.Request) {
func (c *Context) CheckTeamId() {
if c.TeamId != "" && c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
if result := <-app.Srv.Store.Team().Get(c.TeamId); result.Err != nil {
c.Err = result.Err
c.Err.StatusCode = http.StatusBadRequest
return
}
} else {
- // HasPermissionToContext automatically fills the Context error
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
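Review bot: SetPermissionError is a new exported method with no doc comment, and its detail string drops the teamId that the replaced HasPermissionToContext included while its `where` argument is the fixed string "Permissions" rather than the calling handler — both make a 403 in the logs harder to attribute. Suggest `// SetPermissionError records a 403 AppError on the context stating that the session lacks permission; callers return immediately after.` and `c.Err = model.NewLocAppError("Permissions", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+", permission="+permission.Id)`. Whether the `where` value can carry the caller's name without affecting the i18n message is not visible here.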
diff --git a/api/deprecated.go b/api/deprecated.go
index 765c3aac1..9c1d2a4ce 100644
--- a/api/deprecated.go
+++ b/api/deprecated.go
@@ -32,7 +32,8 @@ func InitDeprecated() {
func getMoreChannels(c *Context, w http.ResponseWriter, r *http.Request) {
// user is already in the team
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_LIST_TEAM_CHANNELS)
return
}
diff --git a/api/emoji.go b/api/emoji.go
index fb511cd03..8f665fbc1 100644
--- a/api/emoji.go
+++ b/api/emoji.go
@@ -217,7 +217,7 @@ func deleteEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
} else {
emoji = result.Data.(*model.Emoji)
- if c.Session.UserId != emoji.CreatorId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if c.Session.UserId != emoji.CreatorId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
c.Err = model.NewLocAppError("deleteEmoji", "api.emoji.delete.permissions.app_error", nil, "user_id="+c.Session.UserId)
c.Err.StatusCode = http.StatusUnauthorized
return
diff --git a/api/file.go b/api/file.go
index 9fda76d8f..bbe06f2da 100644
--- a/api/file.go
+++ b/api/file.go
@@ -65,7 +65,8 @@ func uploadFile(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_UPLOAD_FILE) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_UPLOAD_FILE) {
+ c.SetPermissionError(model.PERMISSION_UPLOAD_FILE)
return
}
@@ -254,7 +255,8 @@ func getFileInfoForRequest(c *Context, r *http.Request, requireFileVisible bool)
}
if requireFileVisible {
- if !HasPermissionToChannelByPostContext(c, info.PostId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannelByPost(c.Session, info.PostId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return nil, c.Err
}
}
diff --git a/api/license.go b/api/license.go
index 8a6ee7385..41cba914d 100644
--- a/api/license.go
+++ b/api/license.go
@@ -174,8 +174,7 @@ func RemoveLicense() *model.AppError {
}
func getClientLicenceConfig(c *Context, w http.ResponseWriter, r *http.Request) {
- useSanitizedLicense := !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM)
- c.Err = nil
+ useSanitizedLicense := !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM)
etag := utils.GetClientLicenseEtag(useSanitizedLicense)
if HandleEtag(etag, "Get Client License Config", w, r) {
diff --git a/api/oauth.go b/api/oauth.go
index 538831ee0..abb216414 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -54,7 +54,7 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -93,14 +93,14 @@ func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
c.Err = model.NewLocAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
}
var ochan store.StoreChannel
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+ if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
ochan = app.Srv.Store.OAuth().GetApps()
} else {
c.Err = nil
@@ -297,7 +297,7 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
case model.OAUTH_ACTION_LOGIN:
user := LoginByOAuth(c, w, r, service, body)
if len(teamId) > 0 {
- c.Err = app.JoinUserToTeamById(teamId, user)
+ c.Err = app.AddUserToTeamByTeamId(teamId, user)
}
if c.Err == nil {
if val, ok := props["redirect_to"]; ok {
@@ -855,7 +855,7 @@ func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
c.Err = model.NewLocAppError("deleteOAuthApp", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -875,7 +875,7 @@ func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
c.Err = result.Err
return
} else {
- if c.Session.UserId != result.Data.(*model.OAuthApp).CreatorId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+ if c.Session.UserId != result.Data.(*model.OAuthApp).CreatorId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
c.LogAudit("fail - inappropriate permissions")
c.Err = model.NewLocAppError("deleteOAuthApp", "api.oauth.delete.permissions.app_error", nil, "user_id="+c.Session.UserId)
return
@@ -958,7 +958,7 @@ func regenerateOAuthSecret(c *Context, w http.ResponseWriter, r *http.Request) {
} else {
oauthApp = result.Data.(*model.OAuthApp)
- if oauthApp.CreatorId != c.Session.UserId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+ if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
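Review bot: The `c.Err = nil` in the else branch of getOAuthApps was only needed because HasPermissionToContext set c.Err as a side effect on failure; SessionHasPermissionTo does not, so the reset is now dead and should be removed, as the license.go hunk in this same commit already does for the equivalent line. Leaving it suggests to the next reader that the permission check still mutates the context. getOAuthApps continues beyond the hunk.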
diff --git a/api/post.go b/api/post.go
index ba089ec4f..9121adb92 100644
--- a/api/post.go
+++ b/api/post.go
@@ -48,7 +48,8 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
cchan := app.Srv.Store.Channel().Get(post.ChannelId, true)
- if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_CREATE_POST) {
+ if !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_CREATE_POST) {
+ c.SetPermissionError(model.PERMISSION_CREATE_POST)
return
}
@@ -67,7 +68,7 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if post.CreateAt != 0 && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if post.CreateAt != 0 && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
post.CreateAt = 0
}
@@ -113,7 +114,8 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
pchan := app.Srv.Store.Post().Get(post.Id)
- if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_EDIT_POST) {
+ if !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_EDIT_POST) {
+ c.SetPermissionError(model.PERMISSION_EDIT_POST)
return
}
@@ -233,7 +235,8 @@ func getPosts(c *Context, w http.ResponseWriter, r *http.Request) {
etagChan := app.Srv.Store.Post().GetEtag(id, true)
- if !HasPermissionToChannelContext(c, id, model.PERMISSION_CREATE_POST) {
+ if !app.SessionHasPermissionToChannel(c.Session, id, model.PERMISSION_CREATE_POST) {
+ c.SetPermissionError(model.PERMISSION_CREATE_POST)
return
}
@@ -274,7 +277,8 @@ func getPostsSince(c *Context, w http.ResponseWriter, r *http.Request) {
pchan := app.Srv.Store.Post().GetPostsSince(id, time, true)
- if !HasPermissionToChannelContext(c, id, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -306,7 +310,8 @@ func getPost(c *Context, w http.ResponseWriter, r *http.Request) {
pchan := app.Srv.Store.Post().Get(postId)
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -350,7 +355,8 @@ func getPostById(c *Context, w http.ResponseWriter, r *http.Request) {
}
post := list.Posts[list.Order[0]]
- if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -391,7 +397,8 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
return
}
@@ -424,7 +431,8 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_DELETE_POST) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_DELETE_POST) {
+ c.SetPermissionError(model.PERMISSION_DELETE_POST)
return
}
@@ -448,7 +456,7 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if post.UserId != c.Session.UserId && !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_DELETE_OTHERS_POSTS) {
+ if post.UserId != c.Session.UserId && !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_DELETE_OTHERS_POSTS) {
c.Err = model.NewLocAppError("deletePost", "api.post.delete_post.permissions.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -529,7 +537,8 @@ func getPostsBeforeOrAfter(c *Context, w http.ResponseWriter, r *http.Request, b
// We can do better than this etag in this situation
etagChan := app.Srv.Store.Post().GetEtag(id, true)
- if !HasPermissionToChannelContext(c, id, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -614,7 +623,8 @@ func getFileInfosForPost(c *Context, w http.ResponseWriter, r *http.Request) {
pchan := app.Srv.Store.Post().Get(postId)
fchan := app.Srv.Store.FileInfo().GetForPost(postId)
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
diff --git a/api/reaction.go b/api/reaction.go
index ac5df4516..fd9a05779 100644
--- a/api/reaction.go
+++ b/api/reaction.go
@@ -41,7 +41,8 @@ func saveReaction(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -99,7 +100,8 @@ func deleteReaction(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -179,7 +181,8 @@ func listReactions(c *Context, w http.ResponseWriter, r *http.Request) {
pchan := app.Srv.Store.Post().Get(postId)
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
diff --git a/api/team.go b/api/team.go
index 096e0a49f..2c5a25a3f 100644
--- a/api/team.go
+++ b/api/team.go
@@ -21,7 +21,7 @@ import (
func InitTeam() {
l4g.Debug(utils.T("api.team.init.debug"))
- BaseRoutes.Teams.Handle("/create", ApiAppHandler(createTeam)).Methods("POST")
+ BaseRoutes.Teams.Handle("/create", ApiUserRequired(createTeam)).Methods("POST")
BaseRoutes.Teams.Handle("/all", ApiAppHandler(getAll)).Methods("GET")
BaseRoutes.Teams.Handle("/all_team_listings", ApiUserRequired(GetAllTeamListings)).Methods("GET")
BaseRoutes.Teams.Handle("/get_invite_info", ApiAppHandler(getInviteInfo)).Methods("POST")
@@ -56,74 +56,20 @@ func createTeam(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- var user *model.User
- var err *model.AppError
- if len(c.Session.UserId) > 0 {
- if user, err = app.GetUser(c.Session.UserId); err != nil {
- c.Err = err
- return
- } else {
- team.Email = user.Email
- }
- }
-
- if !isTeamCreationAllowed(c, team.Email) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_TEAM) {
+ c.Err = model.NewLocAppError("createTeam", "api.team.is_team_creation_allowed.disabled.app_error", nil, "")
return
}
- rteam, err := app.CreateTeam(team)
+ rteam, err := app.CreateTeamWithUser(team, c.Session.UserId)
if err != nil {
c.Err = err
return
}
- if user != nil {
- err := app.JoinUserToTeam(team, user)
- if err != nil {
- c.Err = err
- return
- }
- }
-
w.Write([]byte(rteam.ToJson()))
}
-func isTeamCreationAllowed(c *Context, email string) bool {
-
- email = strings.ToLower(email)
-
- if !utils.Cfg.TeamSettings.EnableTeamCreation && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
- c.Err = model.NewLocAppError("isTeamCreationAllowed", "api.team.is_team_creation_allowed.disabled.app_error", nil, "")
- return false
- }
- c.Err = nil
-
- if user, err := app.GetUserByEmail(email); err == nil {
- if len(user.AuthService) > 0 && len(*user.AuthData) > 0 {
- return true
- }
- }
-
- // commas and @ signs are optional
- // can be in the form of "@corp.mattermost.com, mattermost.com mattermost.org" -> corp.mattermost.com mattermost.com mattermost.org
- domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(utils.Cfg.TeamSettings.RestrictCreationToDomains, "@", " ", -1), ",", " ", -1))))
-
- matched := false
- for _, d := range domains {
- if strings.HasSuffix(email, "@"+d) {
- matched = true
- break
- }
- }
-
- if len(utils.Cfg.TeamSettings.RestrictCreationToDomains) > 0 && !matched {
- c.Err = model.NewLocAppError("isTeamCreationAllowed", "api.team.is_team_creation_allowed.domain.app_error", nil, "")
- return false
- }
-
- return true
-}
-
func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) {
var teams []*model.Team
var err *model.AppError
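Review bot: The new PERMISSION_CREATE_TEAM failure is reported through `model.NewLocAppError("createTeam", "api.team.is_team_creation_allowed.disabled.app_error", nil, "")` with no StatusCode, whereas every other denial in this diff either calls `c.SetPermissionError(...)` or sets `c.Err.StatusCode = http.StatusForbidden`; unless the "disabled" message id is needed by clients, `c.SetPermissionError(model.PERMISSION_CREATE_TEAM)` would make this consistent, and otherwise the 403 should at least be set. The removed isTeamCreationAllowed also enforced `RestrictCreationToDomains` against the creator's email and `EnableTeamCreation` for non-admins; neither check remains in this layer, so they must now be covered by `app.CreateTeamWithUser` or the PERMISSION_CREATE_TEAM role mapping (app/team.go and model/authorization.go change in this commit but are not visible here), and the domain restriction in particular is worth confirming was not dropped. The start of createTeam is outside the hunk.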
@@ -136,10 +82,9 @@ func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) {
m := make(map[string]*model.Team)
for _, v := range teams {
m[v.Id] = v
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM) {
m[v.Id].Sanitize()
}
- c.Err = nil
}
w.Write([]byte(model.TeamMapToJson(m)))
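Review bot: `app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM)` is evaluated once per team inside the `for` loop although its result cannot change between iterations; hoist it as `canViewAll := app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM)` before the loop and test `!canViewAll` in the body. This matters if the user-id form of the helper resolves roles from the store rather than from the session — it takes an id, not `c.Session`, unlike the `SessionHasPermissionTo` used in every other hunk of this diff. If that form was chosen deliberately here and in the getAll hunk below because `/all` is registered with ApiAppHandler and may run without a session, a one-line comment saying so would keep the next reader from "fixing" it. The start of GetAllTeamListings is outside the hunk.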
@@ -151,10 +96,9 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request) {
var teams []*model.Team
var err *model.AppError
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM) {
teams, err = app.GetAllTeams()
} else {
- c.Err = nil
teams, err = app.GetTeamsForUser(c.Session.UserId)
}
@@ -173,31 +117,21 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request) {
func inviteMembers(c *Context, w http.ResponseWriter, r *http.Request) {
invites := model.InvitesFromJson(r.Body)
- if len(invites.Invites) == 0 {
- c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.no_one.app_error", nil, "")
- c.Err.StatusCode = http.StatusBadRequest
- return
- }
- if utils.IsLicensed {
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_INVITE_USER) {
- if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_SYSTEM_ADMIN {
- c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_system_admin.app_error", nil, "")
- }
- if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
- c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_team_admin.app_error", nil, "")
- }
- c.Err.StatusCode = http.StatusForbidden
- return
+ if utils.IsLicensed && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_INVITE_USER) {
+ errorId := ""
+ if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_SYSTEM_ADMIN {
+ errorId = "api.team.invite_members.restricted_system_admin.app_error"
+ } else if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
+ errorId = "api.team.invite_members.restricted_team_admin.app_error"
}
- }
- emailList := make([]string, len(invites.Invites))
- for _, invite := range invites.Invites {
- emailList = append(emailList, invite["email"])
+ c.Err = model.NewLocAppError("inviteMembers", errorId, nil, "")
+ c.Err.StatusCode = http.StatusForbidden
+ return
}
- if err := app.InviteNewUsersToTeam(emailList, c.TeamId, c.Session.UserId, c.GetSiteURL()); err != nil {
+ if err := app.InviteNewUsersToTeam(invites.ToEmailList(), c.TeamId, c.Session.UserId, c.GetSiteURL()); err != nil {
c.Err = err
return
}
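Review bot: The removed `len(invites.Invites) == 0` guard has no replacement, so an empty invite list now reaches `app.InviteNewUsersToTeam(invites.ToEmailList(), ...)` and is handled by whatever that layer does instead of the previous 400 `api.team.invite_members.no_one.app_error`; unless the app package now validates this (not visible here), the check should be restored ahead of the permission test. Separately, when `RestrictTeamInvite` is neither `PERMISSIONS_SYSTEM_ADMIN` nor `PERMISSIONS_TEAM_ADMIN` but the team permission check still fails (for example a session with no membership in `c.TeamId`), `errorId` stays `""` and an AppError with an empty message id is returned; initialise it with a generic id, e.g. `errorId := "<generic invite-permission error id>"` (placeholder — use an id that exists in i18n/en.json). The tail of inviteMembers is outside the hunk.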
@@ -214,24 +148,12 @@ func addUserToTeam(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- var team *model.Team
- var err *model.AppError
- if team, err = app.GetTeam(c.TeamId); err != nil {
- c.Err = err
- return
- }
-
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_ADD_USER_TO_TEAM) {
- return
- }
-
- var user *model.User
- if user, err = app.GetUser(userId); err != nil {
- c.Err = err
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_ADD_USER_TO_TEAM) {
+ c.SetPermissionError(model.PERMISSION_ADD_USER_TO_TEAM)
return
}
- if err := app.JoinUserToTeam(team, user); err != nil {
+ if _, err := app.AddUserToTeam(c.TeamId, c.Session.UserId); err != nil {
c.Err = err
return
}
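Review bot: `app.AddUserToTeam(c.TeamId, c.Session.UserId)` on the replacement line adds the caller rather than the user named in the request: the removed code looked up `userId` via `app.GetUser(userId)` and joined that user, and the parallel removeUserFromTeam hunk below still passes `userId`. After the PERMISSION_ADD_USER_TO_TEAM check this should read `if _, err := app.AddUserToTeam(c.TeamId, userId); err != nil {`. As written the endpoint presumably re-adds a user who is already a member and never adds the requested one, and a test that asserts only on success (TestAddUserToTeam in api/team_test.go) would not catch it; since the compiler would reject an unused `userId`, it is probably still referenced in the part of the function outside the hunk. The start of addUserToTeam is outside the hunk.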
@@ -248,26 +170,14 @@ func removeUserFromTeam(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- var team *model.Team
- var err *model.AppError
- if team, err = app.GetTeam(c.TeamId); err != nil {
- c.Err = err
- return
- }
-
- var user *model.User
- if user, err = app.GetUser(userId); err != nil {
- c.Err = err
- return
- }
-
- if c.Session.UserId != user.Id {
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_REMOVE_USER_FROM_TEAM) {
+ if c.Session.UserId != userId {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_REMOVE_USER_FROM_TEAM) {
+ c.SetPermissionError(model.PERMISSION_REMOVE_USER_FROM_TEAM)
return
}
}
- if err := app.LeaveTeam(team, user); err != nil {
+ if err := app.RemoveUserFromTeam(c.TeamId, userId); err != nil {
c.Err = err
return
}
@@ -285,9 +195,9 @@ func addUserToTeamFromInvite(c *Context, w http.ResponseWriter, r *http.Request)
var err *model.AppError
if len(hash) > 0 {
- team, err = app.JoinUserToTeamByHash(c.Session.UserId, hash, data)
+ team, err = app.AddUserToTeamByHash(c.Session.UserId, hash, data)
} else if len(inviteId) > 0 {
- team, err = app.JoinUserToTeamByInviteId(inviteId, c.Session.UserId)
+ team, err = app.AddUserToTeamByInviteId(inviteId, c.Session.UserId)
} else {
c.Err = model.NewLocAppError("addUserToTeamFromInvite", "api.user.create_user.signup_link_invalid.app_error", nil, "")
return
@@ -326,7 +236,8 @@ func getTeamByName(c *Context, w http.ResponseWriter, r *http.Request) {
return
} else {
if team.Type != model.TEAM_OPEN && c.Session.GetTeamByTeamId(team.Id) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
@@ -363,7 +274,6 @@ func getMyTeamsUnread(c *Context, w http.ResponseWriter, r *http.Request) {
func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
team := model.TeamFromJson(r.Body)
-
if team == nil {
c.SetInvalidParam("updateTeam", "team")
return
@@ -371,9 +281,8 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
team.Id = c.TeamId
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_MANAGE_TEAM) {
- c.Err = model.NewLocAppError("updateTeam", "api.team.update_team.permissions.app_error", nil, "userId="+c.Session.UserId)
- c.Err.StatusCode = http.StatusForbidden
+ if !app.SessionHasPermissionToTeam(c.Session, team.Id, model.PERMISSION_MANAGE_TEAM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_TEAM)
return
}
@@ -386,12 +295,6 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- updatedTeam.Sanitize()
-
- message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_UPDATE_TEAM, "", "", "", nil)
- message.Add("team", updatedTeam.ToJson())
- go app.Publish(message)
-
w.Write([]byte(updatedTeam.ToJson()))
}
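Review bot: `updatedTeam.Sanitize()` is no longer called before `w.Write([]byte(updatedTeam.ToJson()))`, so unless `app.UpdateTeam` (outside this view) now sanitizes the team it returns, the response carries the fields Sanitize used to strip; the same applies to the dropped WEBSOCKET_EVENT_UPDATE_TEAM publish, which presumably moved to the app package with the rest of the logic. Worth confirming both against app/team.go in this commit, or adding a comment here naming where the sanitize and publish now happen. The start of updateTeam is in the preceding hunks.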
@@ -412,7 +315,8 @@ func updateMemberRoles(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToTeamContext(c, teamId, model.PERMISSION_MANAGE_ROLES) {
+ if !app.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_MANAGE_TEAM_ROLES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_TEAM_ROLES)
return
}
@@ -446,7 +350,8 @@ func getMyTeam(c *Context, w http.ResponseWriter, r *http.Request) {
func getTeamStats(c *Context, w http.ResponseWriter, r *http.Request) {
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
@@ -461,9 +366,8 @@ func getTeamStats(c *Context, w http.ResponseWriter, r *http.Request) {
}
func importTeam(c *Context, w http.ResponseWriter, r *http.Request) {
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_IMPORT_TEAM) {
- c.Err = model.NewLocAppError("importTeam", "api.team.import_team.admin.app_error", nil, "userId="+c.Session.UserId)
- c.Err.StatusCode = http.StatusForbidden
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_IMPORT_TEAM) {
+ c.SetPermissionError(model.PERMISSION_IMPORT_TEAM)
return
}
@@ -569,7 +473,8 @@ func getTeamMembers(c *Context, w http.ResponseWriter, r *http.Request) {
}
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
@@ -593,7 +498,8 @@ func getTeamMember(c *Context, w http.ResponseWriter, r *http.Request) {
}
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
@@ -615,7 +521,8 @@ func getTeamMembersByIds(c *Context, w http.ResponseWriter, r *http.Request) {
}
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
diff --git a/api/team_test.go b/api/team_test.go
index fdc7e334b..1b1b555fe 100644
--- a/api/team_test.go
+++ b/api/team_test.go
@@ -14,7 +14,6 @@ import (
func TestCreateTeam(t *testing.T) {
th := Setup().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
@@ -58,6 +57,8 @@ func TestCreateTeam(t *testing.T) {
func TestAddUserToTeam(t *testing.T) {
th := Setup().InitSystemAdmin().InitBasic()
+ th.BasicClient.Logout()
+ th.LoginBasic2()
user2 := th.CreateUser(th.BasicClient)
@@ -66,7 +67,7 @@ func TestAddUserToTeam(t *testing.T) {
}
th.SystemAdminClient.SetTeamId(th.BasicTeam.Id)
- if _, err := th.SystemAdminClient.UpdateTeamRoles(th.BasicUser.Id, "team_user team_admin"); err != nil {
+ if _, err := th.SystemAdminClient.UpdateTeamRoles(th.BasicUser2.Id, "team_user team_admin"); err != nil {
t.Fatal(err)
}
@@ -132,12 +133,13 @@ func TestAddUserToTeamFromInvite(t *testing.T) {
func TestGetAllTeams(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
- th.BasicClient.Logout()
Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -165,12 +167,13 @@ func TestGetAllTeams(t *testing.T) {
func TestGetAllTeamListings(t *testing.T) {
th := Setup().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN, AllowOpenInvite: true}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -211,12 +214,13 @@ func TestGetAllTeamListings(t *testing.T) {
func TestTeamPermDelete(t *testing.T) {
th := Setup().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user1 := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user1 = Client.Must(Client.CreateUser(user1, "")).Data.(*model.User)
LinkUserToTeam(user1, team)
@@ -254,13 +258,14 @@ func TestTeamPermDelete(t *testing.T) {
func TestInviteMembers(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
- th.BasicClient.Logout()
Client := th.BasicClient
SystemAdminClient := th.SystemAdminClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -339,16 +344,12 @@ func TestInviteMembers(t *testing.T) {
func TestUpdateTeamDisplayName(t *testing.T) {
th := Setup().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
- user := &model.User{Email: team.Email, Nickname: "Corey Hulen", Password: "passwd1"}
- user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
- LinkUserToTeam(user, team)
- store.Must(app.Srv.Store.User().VerifyEmail(user.Id))
+ Client.Logout()
user2 := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
@@ -364,7 +365,7 @@ func TestUpdateTeamDisplayName(t *testing.T) {
t.Fatal("Should have errored, not admin")
}
- Client.Login(user.Email, "passwd1")
+ th.LoginBasic()
vteam.DisplayName = ""
if _, err := Client.UpdateTeam(vteam); err == nil {
@@ -379,7 +380,6 @@ func TestUpdateTeamDisplayName(t *testing.T) {
func TestFuzzyTeamCreate(t *testing.T) {
th := Setup().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
for i := 0; i < len(utils.FUZZY_STRINGS_NAMES) || i < len(utils.FUZZY_STRINGS_EMAILS); i++ {
@@ -404,13 +404,14 @@ func TestFuzzyTeamCreate(t *testing.T) {
func TestGetMyTeam(t *testing.T) {
th := Setup().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(team)
team = rteam.Data.(*model.Team)
+ Client.Logout()
+
user := model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
ruser, _ := Client.CreateUser(&user, "")
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
@@ -670,16 +671,12 @@ func TestGetTeamStats(t *testing.T) {
func TestUpdateTeamDescription(t *testing.T) {
th := Setup().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
- user := &model.User{Email: team.Email, Nickname: "My Testing", Password: "passwd1"}
- user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
- LinkUserToTeam(user, team)
- store.Must(app.Srv.Store.User().VerifyEmail(user.Id))
+ Client.Logout()
user2 := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Jabba the Hutt", Password: "passwd1"}
user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
@@ -695,7 +692,7 @@ func TestUpdateTeamDescription(t *testing.T) {
t.Fatal("Should have errored, not admin")
}
- Client.Login(user.Email, "passwd1")
+ th.LoginBasic()
vteam.Description = ""
if _, err := Client.UpdateTeam(vteam); err != nil {
@@ -710,7 +707,6 @@ func TestUpdateTeamDescription(t *testing.T) {
func TestGetTeamByName(t *testing.T) {
th := Setup().InitSystemAdmin().InitBasic()
- th.BasicClient.Logout()
Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_INVITE}
@@ -719,12 +715,6 @@ func TestGetTeamByName(t *testing.T) {
team2 := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_OPEN}
team2 = Client.Must(Client.CreateTeam(team2)).Data.(*model.Team)
- user := &model.User{Email: team.Email, Nickname: "My Testing", Password: "passwd1"}
- user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
- LinkUserToTeam(user, team)
- store.Must(app.Srv.Store.User().VerifyEmail(user.Id))
-
- Client.Login(user.Email, "passwd1")
if _, err := Client.GetTeamByName(team.Name); err != nil {
t.Fatal("Failed to get team")
}
@@ -747,7 +737,7 @@ func TestGetTeamByName(t *testing.T) {
// TEAM_INVITE and user is not part of the team
if _, err := Client.GetTeamByName(team.Name); err == nil {
- t.Fatal("Should not fail dont have permissions to get the team")
+ t.Fatal("Should fail dont have permissions to get the team")
}
if _, err := Client.GetTeamByName("InvalidTeamName"); err == nil {
diff --git a/api/user.go b/api/user.go
index 37c9948ed..789e10f5e 100644
--- a/api/user.go
+++ b/api/user.go
@@ -443,7 +443,8 @@ func getSessions(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["user_id"]
- if !HasPermissionToUser(c, id) {
+ if !app.SessionHasPermissionToUser(c.Session, id) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
}
@@ -538,12 +539,11 @@ func getInitialLoad(c *Context, w http.ResponseWriter, r *http.Request) {
}
il.ClientCfg = utils.ClientCfg
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
il.LicenseCfg = utils.ClientLicense
} else {
il.LicenseCfg = utils.GetSanitizedClientLicense()
}
- c.Err = nil
w.Write([]byte(il.ToJson()))
}
@@ -652,7 +652,7 @@ func getProfilesInTeam(c *Context, w http.ResponseWriter, r *http.Request) {
teamId := params["team_id"]
if c.Session.GetTeamByTeamId(teamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
return
}
}
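Review bot: The bare `return` inside the MANAGE_SYSTEM check exits without setting `c.Err`, so a caller who is not a member of `teamId` gets an empty successful response instead of a permission error; the sibling hunks in this file (getProfilesInChannel, getProfilesNotInChannel) add `c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)` before the `return`, and that line is missing here. The `c.Err = nil` resets removed throughout this diff suggest the old `HasPermissionToContext` set `c.Err` itself, which the new `app.SessionHasPermissionTo` apparently does not, so this is a silent regression rather than a pre-existing gap. The same omission is in the autocompleteUsersInChannel and autocompleteUsersInTeam hunks further down; add `c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)` before each of those returns. The enclosing functions start outside their hunks.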
@@ -695,12 +695,14 @@ func getProfilesInChannel(c *Context, w http.ResponseWriter, r *http.Request) {
channelId := params["channel_id"]
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -736,12 +738,14 @@ func getProfilesNotInChannel(c *Context, w http.ResponseWriter, r *http.Request)
channelId := params["channel_id"]
if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -776,7 +780,8 @@ func getAudits(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["user_id"]
- if !HasPermissionToUser(c, id) {
+ if !app.SessionHasPermissionToUser(c.Session, id) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
}
@@ -887,7 +892,8 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToUser(c, user.Id) {
+ if !app.SessionHasPermissionToUser(c.Session, user.Id) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
}
@@ -1006,7 +1012,8 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_ROLES) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_ROLES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_ROLES)
return
}
@@ -1042,7 +1049,7 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
// true when you're trying to de-activate yourself
isSelfDeactive := !active && userId == c.Session.UserId
- if !isSelfDeactive && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !isSelfDeactive && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
c.Err = model.NewLocAppError("updateActive", "api.user.update_active.permissions.app_error", nil, "userId="+userId)
c.Err.StatusCode = http.StatusForbidden
return
@@ -1166,7 +1173,7 @@ func ResetPassword(c *Context, userId, newPassword string) *model.AppError {
return err
}
- if user.AuthData != nil && len(*user.AuthData) != 0 && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if user.AuthData != nil && len(*user.AuthData) != 0 && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
return model.NewLocAppError("ResetPassword", "api.user.reset_password.sso.app_error", nil, "userId="+user.Id)
}
@@ -1187,7 +1194,8 @@ func updateUserNotify(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToUser(c, userId) {
+ if !app.SessionHasPermissionToUser(c.Session, userId) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
}
@@ -1828,12 +1836,11 @@ func userTyping(req *model.WebSocketRequest) (map[string]interface{}, *model.App
func sanitizeProfile(c *Context, user *model.User) *model.User {
options := utils.Cfg.GetSanitizeOptions()
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
options["email"] = true
options["fullname"] = true
options["authservice"] = true
}
- c.Err = nil
user.SanitizeProfile(options)
@@ -1852,18 +1859,20 @@ func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if props.InChannelId != "" && !HasPermissionToChannelContext(c, props.InChannelId, model.PERMISSION_READ_CHANNEL) {
+ if props.InChannelId != "" && !app.SessionHasPermissionToChannel(c.Session, props.InChannelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
- if props.NotInChannelId != "" && !HasPermissionToChannelContext(c, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) {
+ if props.NotInChannelId != "" && !app.SessionHasPermissionToChannel(c.Session, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
searchOptions := map[string]bool{}
searchOptions[store.USER_SEARCH_OPTION_ALLOW_INACTIVE] = props.AllowInactive
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
hideFullName := !utils.Cfg.PrivacySettings.ShowFullName
hideEmail := !utils.Cfg.PrivacySettings.ShowEmailAddress
@@ -1874,8 +1883,6 @@ func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) {
} else if hideEmail {
searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true
}
-
- c.Err = nil
}
var profiles []*model.User
@@ -1928,21 +1935,21 @@ func autocompleteUsersInChannel(c *Context, w http.ResponseWriter, r *http.Reque
term := r.URL.Query().Get("term")
if c.Session.GetTeamByTeamId(teamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
return
}
}
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
searchOptions := map[string]bool{}
hideFullName := !utils.Cfg.PrivacySettings.ShowFullName
- if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if hideFullName && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true
- c.Err = nil
} else {
searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true
}
@@ -1971,7 +1978,7 @@ func autocompleteUsersInTeam(c *Context, w http.ResponseWriter, r *http.Request)
term := r.URL.Query().Get("term")
if c.Session.GetTeamByTeamId(teamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
return
}
}
@@ -1979,9 +1986,8 @@ func autocompleteUsersInTeam(c *Context, w http.ResponseWriter, r *http.Request)
searchOptions := map[string]bool{}
hideFullName := !utils.Cfg.PrivacySettings.ShowFullName
- if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if hideFullName && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true
- c.Err = nil
} else {
searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true
}
@@ -2005,9 +2011,8 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
searchOptions := map[string]bool{}
hideFullName := !utils.Cfg.PrivacySettings.ShowFullName
- if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if hideFullName && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true
- c.Err = nil
} else {
searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true
}
diff --git a/api/user_test.go b/api/user_test.go
index 96d1fd3d0..a7d6224ea 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -28,9 +28,6 @@ func TestCreateUser(t *testing.T) {
th := Setup()
Client := th.CreateClient()
- team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
- rteam, _ := Client.CreateTeam(&team)
-
user := model.User{Email: strings.ToLower("success+"+model.NewId()) + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "hello1", Username: "n" + model.NewId()}
ruser, err := Client.CreateUser(&user, "")
@@ -38,6 +35,11 @@ func TestCreateUser(t *testing.T) {
t.Fatal(err)
}
+ Client.Login(user.Email, user.Password)
+
+ team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
+ rteam, _ := Client.CreateTeam(&team)
+
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
if ruser.Data.(*model.User).Nickname != user.Nickname {
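Review bot: The result of the added `Client.Login(user.Email, user.Password)` is discarded, so if the login fails the following `Client.CreateTeam` runs unauthenticated and `rteam.Data.(*model.Team)` panics on a nil result instead of reporting the actual failure. The file already uses `Client.Must` for this purpose, so `Client.Must(Client.Login(user.Email, user.Password))` keeps the setup failure readable. TestCreateUser continues outside the hunk.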
@@ -108,8 +110,8 @@ func TestCheckUserDomain(t *testing.T) {
}
func TestLogin(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
enableSignInWithEmail := *utils.Cfg.EmailSettings.EnableSignInWithEmail
enableSignInWithUsername := *utils.Cfg.EmailSettings.EnableSignInWithUsername
@@ -127,6 +129,11 @@ func TestLogin(t *testing.T) {
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_INVITE}
+ rteam2 := Client.Must(Client.CreateTeam(&team2))
+
+ Client.Logout()
+
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Username: "corey" + model.NewId(), Password: "passwd1"}
ruser, _ := Client.CreateUser(&user, "")
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
@@ -191,9 +198,6 @@ func TestLogin(t *testing.T) {
Client.AuthToken = ""
- team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_INVITE}
- rteam2 := Client.Must(Client.CreateTeam(&team2))
-
user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
if _, err := Client.CreateUserFromSignup(&user2, "junk", "1231312"); err == nil {
@@ -235,12 +239,14 @@ func TestLogin(t *testing.T) {
}
func TestLoginByLdap(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ Client.Logout()
+
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Username: "corey" + model.NewId(), Password: "passwd1"}
ruser, _ := Client.CreateUser(&user, "")
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
@@ -363,12 +369,17 @@ func TestSessions(t *testing.T) {
}
func TestGetUser(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
+ rteam2, _ := Client.CreateTeam(&team2)
+
+ Client.Logout()
+
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
ruser, _ := Client.CreateUser(&user, "")
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
@@ -379,9 +390,6 @@ func TestGetUser(t *testing.T) {
LinkUserToTeam(ruser2.Data.(*model.User), rteam.Data.(*model.Team))
store.Must(app.Srv.Store.User().VerifyEmail(ruser2.Data.(*model.User).Id))
- team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
- rteam2, _ := Client.CreateTeam(&team2)
-
user3 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
ruser3, _ := Client.CreateUser(&user3, "")
LinkUserToTeam(ruser3.Data.(*model.User), rteam2.Data.(*model.Team))
@@ -466,8 +474,8 @@ func TestGetUser(t *testing.T) {
if userMap, err := Client.GetProfilesInTeam(rteam.Data.(*model.Team).Id, 0, 100, ""); err != nil {
t.Fatal(err)
- } else if len(userMap.Data.(map[string]*model.User)) != 2 {
- t.Fatal("should have been 2")
+ } else if len(userMap.Data.(map[string]*model.User)) != 3 {
+ t.Fatal("should have been 3")
} else if userMap.Data.(map[string]*model.User)[rId].Id != rId {
t.Fatal("should have been valid")
} else {
@@ -629,12 +637,14 @@ func TestGetProfilesByIds(t *testing.T) {
}
func TestGetAudits(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ Client.Logout()
+
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
ruser, _ := Client.CreateUser(&user, "")
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
@@ -667,8 +677,8 @@ func TestGetAudits(t *testing.T) {
}
func TestUserCreateImage(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
b, err := app.CreateProfileImage("Corey Hulen", "eo1zkdr96pdj98pjmq8zy35wba")
if err != nil {
@@ -729,12 +739,14 @@ func TestUserCreateImage(t *testing.T) {
}
func TestUserUploadProfileImage(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -838,12 +850,14 @@ func TestUserUploadProfileImage(t *testing.T) {
}
func TestUserUpdate(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", Roles: ""}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -890,11 +904,13 @@ func TestUserUpdate(t *testing.T) {
}
func TestUserUpdatePassword(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+
+ Client.Logout()
Client.SetTeamId(team.Id)
user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
@@ -973,12 +989,14 @@ func TestUserUpdatePassword(t *testing.T) {
}
func TestUserUpdateRoles(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -1092,8 +1110,8 @@ func TestUserUpdateRolesMoreCases(t *testing.T) {
}
func TestUserUpdateDeviceId(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
@@ -1123,13 +1141,18 @@ func TestUserUpdateDeviceId(t *testing.T) {
}
func TestUserUpdateActive(t *testing.T) {
- th := Setup().InitSystemAdmin()
- Client := th.CreateClient()
+ th := Setup().InitBasic().InitSystemAdmin()
+ Client := th.BasicClient
SystemAdminClient := th.SystemAdminClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ team2 := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
+ team2 = Client.Must(Client.CreateTeam(team2)).Data.(*model.Team)
+
+ Client.Logout()
+
user := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -1153,9 +1176,6 @@ func TestUserUpdateActive(t *testing.T) {
Client.Must(Client.Logout())
- team2 := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
- team2 = Client.Must(Client.CreateTeam(team2)).Data.(*model.Team)
-
user3 := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user3 = Client.Must(Client.CreateUser(user3, "")).Data.(*model.User)
LinkUserToTeam(user2, team2)
@@ -1193,8 +1213,8 @@ func TestUserUpdateActive(t *testing.T) {
}
func TestUserPermDelete(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
@@ -1235,8 +1255,8 @@ func TestUserPermDelete(t *testing.T) {
}
func TestSendPasswordReset(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
@@ -1246,6 +1266,8 @@ func TestSendPasswordReset(t *testing.T) {
LinkUserToTeam(user, team)
store.Must(app.Srv.Store.User().VerifyEmail(user.Id))
+ Client.Logout()
+
if result, err := Client.SendPasswordReset(user.Email); err != nil {
t.Fatal(err)
} else {
@@ -1360,12 +1382,14 @@ func TestResetPassword(t *testing.T) {
}
func TestUserUpdateNotify(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
+ Client.Logout()
+
user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", Roles: ""}
user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User)
LinkUserToTeam(user, team)
@@ -1442,12 +1466,14 @@ func TestUserUpdateNotify(t *testing.T) {
}
func TestFuzzyUserCreate(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ Client.Logout()
+
for i := 0; i < len(utils.FUZZY_STRINGS_NAMES) || i < len(utils.FUZZY_STRINGS_EMAILS); i++ {
testName := "Name"
testEmail := "test@nowhere.com"
@@ -1471,12 +1497,14 @@ func TestFuzzyUserCreate(t *testing.T) {
}
func TestEmailToOAuth(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ Client.Logout()
+
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
ruser := Client.Must(Client.CreateUser(&user, "")).Data.(*model.User)
LinkUserToTeam(ruser, rteam.Data.(*model.Team))
@@ -1522,12 +1550,14 @@ func TestEmailToOAuth(t *testing.T) {
}
func TestOAuthToEmail(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ Client.Logout()
+
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
ruser := Client.Must(Client.CreateUser(&user, "")).Data.(*model.User)
LinkUserToTeam(ruser, rteam.Data.(*model.Team))
@@ -1573,8 +1603,8 @@ func TestOAuthToEmail(t *testing.T) {
}
func TestLDAPToEmail(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
@@ -1626,8 +1656,8 @@ func TestLDAPToEmail(t *testing.T) {
}
func TestEmailToLDAP(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
@@ -1757,8 +1787,8 @@ func TestMeInitialLoad(t *testing.T) {
}
func TestGenerateMfaSecret(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
@@ -1784,8 +1814,8 @@ func TestGenerateMfaSecret(t *testing.T) {
}
func TestUpdateMfa(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
if utils.License.Features.MFA == nil {
utils.License.Features.MFA = new(bool)
@@ -1834,12 +1864,14 @@ func TestUpdateMfa(t *testing.T) {
}
func TestCheckMfa(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
rteam, _ := Client.CreateTeam(&team)
+ Client.Logout()
+
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
ruser, _ := Client.CreateUser(&user, "")
LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
diff --git a/api/webhook.go b/api/webhook.go
index 32c6d80b9..5d36409eb 100644
--- a/api/webhook.go
+++ b/api/webhook.go
@@ -43,7 +43,8 @@ func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
return
}
@@ -69,8 +70,9 @@ func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
channel = result.Data.(*model.Channel)
}
- if channel.Type != model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if channel.Type != model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
c.LogAudit("fail - bad channel permissions")
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
@@ -91,7 +93,7 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
c.Err = model.NewLocAppError("deleteIncomingHook", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
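Review bot: The denial here is still a hand-built error with the command-related key `api.command.admin_only.app_error`, while createIncomingHook in the same file now reports the same failure with `c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)`; the two paths produce different messages for the same missing permission. Replacing the two assignment lines with `c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)` would make the file consistent, and the same applies to the getIncomingHooks, createOutgoingHook, getOutgoingHooks, deleteOutgoingHook and regenOutgoingHookToken hunks. deleteIncomingHook continues outside the hunk.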
@@ -111,7 +113,7 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
c.Err = result.Err
return
} else {
- if c.Session.UserId != result.Data.(*model.IncomingWebhook).UserId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ if c.Session.UserId != result.Data.(*model.IncomingWebhook).UserId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
c.LogAudit("fail - inappropriate permissions")
c.Err = model.NewLocAppError("deleteIncomingHook", "api.webhook.delete_incoming.permissions.app_errror", nil, "user_id="+c.Session.UserId)
return
@@ -134,7 +136,7 @@ func getIncomingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
c.Err = model.NewLocAppError("getIncomingHooks", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -156,7 +158,7 @@ func createOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
c.Err = model.NewLocAppError("createOutgoingHook", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -235,7 +237,7 @@ func getOutgoingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
c.Err = model.NewLocAppError("getOutgoingHooks", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -257,7 +259,7 @@ func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
c.Err = model.NewLocAppError("deleteOutgoingHook", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -277,7 +279,7 @@ func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
c.Err = result.Err
return
} else {
- if c.Session.UserId != result.Data.(*model.OutgoingWebhook).CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ if c.Session.UserId != result.Data.(*model.OutgoingWebhook).CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
c.LogAudit("fail - inappropriate permissions")
c.Err = model.NewLocAppError("deleteOutgoingHook", "api.webhook.delete_outgoing.permissions.app_error", nil, "user_id="+c.Session.UserId)
return
@@ -300,7 +302,7 @@ func regenOutgoingHookToken(c *Context, w http.ResponseWriter, r *http.Request)
return
}
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
c.Err = model.NewLocAppError("regenOutgoingHookToken", "api.command.admin_only.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
@@ -323,7 +325,7 @@ func regenOutgoingHookToken(c *Context, w http.ResponseWriter, r *http.Request)
} else {
hook = result.Data.(*model.OutgoingWebhook)
- if c.TeamId != hook.TeamId && c.Session.UserId != hook.CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ if c.TeamId != hook.TeamId && c.Session.UserId != hook.CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
c.LogAudit("fail - inappropriate permissions")
c.Err = model.NewLocAppError("regenOutgoingHookToken", "api.webhook.regen_outgoing_token.permissions.app_error", nil, "user_id="+c.Session.UserId)
return
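Review bot: The MANAGE_OTHERS_WEBHOOKS check is evaluated against `c.TeamId`, but this branch is only reached when `c.TeamId != hook.TeamId`, so the permission is tested in a team other than the one the hook belongs to. Scoping it to the hook's team, `!app.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS)`, checks the role that actually governs this hook. The scoping was the same under HasPermissionToCurrentTeamContext, so it is pre-existing, but the switch to an explicit teamId argument is the natural point to correct it. regenOutgoingHookToken continues outside the hunk.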
@@ -485,7 +487,7 @@ func incomingWebhook(c *Context, w http.ResponseWriter, r *http.Request) {
c.TeamId = hook.TeamId
- if channel.Type != model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if channel.Type != model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
c.Err = model.NewLocAppError("incomingWebhook", "web.incoming_webhook.permissions.app_error", nil, "")
return
}
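Review bot: The private-channel check now runs against `c.Session` only, and the `c.TeamId = hook.TeamId` assignment just above no longer feeds it, since SessionHasPermissionToChannel takes the channel id and the session and never reads c.TeamId. If this endpoint is authenticated by the hook token and the context carries no user session — not visible in this hunk — the check falls through to role lookups on an empty session and denies every private-channel delivery; if it does carry a session, it authorizes the caller rather than the hook's owner. The subject that matters looks like the hook owner, `app.HasPermissionToChannel(hook.UserId, channel.Id, model.PERMISSION_READ_CHANNEL)`, which the new app package already provides; a test posting to a private channel through an incoming hook would settle which behaviour this commit has. incomingWebhook continues outside the hunk.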
diff --git a/app/authorization.go b/app/authorization.go
new file mode 100644
index 000000000..0f48b3c9d
--- /dev/null
+++ b/app/authorization.go
@@ -0,0 +1,166 @@
+// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package app
+
+import (
+ l4g "github.com/alecthomas/log4go"
+ "github.com/mattermost/platform/model"
+)
+
+func SessionHasPermissionTo(session model.Session, permission *model.Permission) bool {
+ return CheckIfRolesGrantPermission(session.GetUserRoles(), permission.Id)
+}
+
+func SessionHasPermissionToTeam(session model.Session, teamId string, permission *model.Permission) bool {
+ if teamId == "" {
+ return false
+ }
+
+ teamMember := session.GetTeamByTeamId(teamId)
+ if teamMember != nil {
+ if CheckIfRolesGrantPermission(teamMember.GetRoles(), permission.Id) {
+ return true
+ }
+ }
+
+ return SessionHasPermissionTo(session, permission)
+}
+
+func SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool {
+ if channelId == "" {
+ return false
+ }
+
+ channelMember, err := GetChannelMember(channelId, session.UserId)
+ if err == nil {
+ roles := channelMember.GetRoles()
+ if CheckIfRolesGrantPermission(roles, permission.Id) {
+ return true
+ }
+ }
+
+ var channel *model.Channel
+ channel, err = GetChannel(channelId)
+ if err == nil {
+ return SessionHasPermissionToTeam(session, channel.TeamId, permission)
+ }
+
+ return SessionHasPermissionTo(session, permission)
+}
+
+func SessionHasPermissionToChannelByPost(session model.Session, postId string, permission *model.Permission) bool {
+ var channelMember *model.ChannelMember
+ if result := <-Srv.Store.Channel().GetMemberForPost(postId, session.UserId); result.Err == nil {
+ channelMember = result.Data.(*model.ChannelMember)
+
+ if CheckIfRolesGrantPermission(channelMember.GetRoles(), permission.Id) {
+ return true
+ }
+ }
+
+ if result := <-Srv.Store.Channel().GetForPost(postId); result.Err == nil {
+ channel := result.Data.(*model.Channel)
+ return SessionHasPermissionToTeam(session, channel.TeamId, permission)
+ }
+
+ return SessionHasPermissionTo(session, permission)
+}
+
+func SessionHasPermissionToUser(session model.Session, userId string) bool {
+ if userId == "" {
+ return false
+ }
+
+ if session.UserId == userId {
+ return true
+ }
+
+ if SessionHasPermissionTo(session, model.PERMISSION_EDIT_OTHER_USERS) {
+ return true
+ }
+
+ return false
+}
+
+func HasPermissionTo(askingUserId string, permission *model.Permission) bool {
+ user, err := GetUser(askingUserId)
+ if err != nil {
+ return false
+ }
+
+ roles := user.GetRoles()
+
+ return CheckIfRolesGrantPermission(roles, permission.Id)
+}
+
+func HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool {
+ if teamId == "" || askingUserId == "" {
+ return false
+ }
+
+ teamMember, err := GetTeamMember(teamId, askingUserId)
+ if err != nil {
+ return false
+ }
+
+ roles := teamMember.GetRoles()
+
+ if CheckIfRolesGrantPermission(roles, permission.Id) {
+ return true
+ }
+
+ return HasPermissionTo(askingUserId, permission)
+}
+
+func HasPermissionToChannel(askingUserId string, channelId string, permission *model.Permission) bool {
+ if channelId == "" || askingUserId == "" {
+ return false
+ }
+
+ channelMember, err := GetChannelMember(channelId, askingUserId)
+ if err == nil {
+ roles := channelMember.GetRoles()
+ if CheckIfRolesGrantPermission(roles, permission.Id) {
+ return true
+ }
+ }
+
+ var channel *model.Channel
+ channel, err = GetChannel(channelId)
+ if err == nil {
+ return HasPermissionToTeam(askingUserId, channel.TeamId, permission)
+ }
+
+ return HasPermissionTo(askingUserId, permission)
+}
+
+func HasPermissionToUser(askingUserId string, userId string) bool {
+ if askingUserId == userId {
+ return true
+ }
+
+ if HasPermissionTo(askingUserId, model.PERMISSION_EDIT_OTHER_USERS) {
+ return true
+ }
+
+ return false
+}
+
+func CheckIfRolesGrantPermission(roles []string, permissionId string) bool {
+ for _, roleId := range roles {
+ if role, ok := model.BuiltInRoles[roleId]; !ok {
+ l4g.Debug("Bad role in system " + roleId)
+ return false
+ } else {
+ permissions := role.Permissions
+ for _, permission := range permissions {
+ if permission == permissionId {
+ return true
+ }
+ }
+ }
+ }
+
+ return false
+}
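Review bot: `HasPermissionToUser` has no empty-id guard, so `HasPermissionToUser("", "")` returns true through the `askingUserId == userId` shortcut, while its session counterpart `SessionHasPermissionToUser` explicitly rejects an empty userId; add `if askingUserId == "" || userId == "" { return false }` at the top, and give `SessionHasPermissionToChannelByPost` the `if postId == "" { return false }` guard its siblings have. None of the exported functions carries a doc comment; each should get one starting with its name, for example `// SessionHasPermissionToTeam reports whether the session's team roles for teamId, or failing that its system roles, grant permission.` The channel, post and team variants fall back to system-level roles when the membership lookup fails, so a lookup error is treated like a non-member rather than a denial; a one-line comment stating that this fallback is intended would stop a later reader from "fixing" it in either direction.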
diff --git a/api/authorization_test.go b/app/authorization_test.go
index 5613751c2..049567483 100644
--- a/api/authorization_test.go
+++ b/app/authorization_test.go
@@ -1,7 +1,7 @@
// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
-package api
+package app
import (
"testing"
diff --git a/app/team.go b/app/team.go
index 28d667268..aabdc0bfd 100644
--- a/app/team.go
+++ b/app/team.go
@@ -29,6 +29,57 @@ func CreateTeam(team *model.Team) (*model.Team, *model.AppError) {
}
}
+func CreateTeamWithUser(team *model.Team, userId string) (*model.Team, *model.AppError) {
+ var user *model.User
+ var err *model.AppError
+ if user, err = GetUser(userId); err != nil {
+ return nil, err
+ } else {
+ team.Email = user.Email
+ }
+
+ if !isTeamEmailAllowed(user) {
+ return nil, model.NewLocAppError("isTeamEmailAllowed", "api.team.is_team_creation_allowed.domain.app_error", nil, "")
+ }
+
+ var rteam *model.Team
+ if rteam, err = CreateTeam(team); err != nil {
+ return nil, err
+ }
+
+ if err = JoinUserToTeam(rteam, user); err != nil {
+ return nil, err
+ }
+
+ return rteam, nil
+}
+
+func isTeamEmailAllowed(user *model.User) bool {
+ email := strings.ToLower(user.Email)
+
+ if len(user.AuthService) > 0 && len(*user.AuthData) > 0 {
+ return true
+ }
+
+ // commas and @ signs are optional
+ // can be in the form of "@corp.mattermost.com, mattermost.com mattermost.org" -> corp.mattermost.com mattermost.com mattermost.org
+ domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(utils.Cfg.TeamSettings.RestrictCreationToDomains, "@", " ", -1), ",", " ", -1))))
+
+ matched := false
+ for _, d := range domains {
+ if strings.HasSuffix(email, "@"+d) {
+ matched = true
+ break
+ }
+ }
+
+ if len(utils.Cfg.TeamSettings.RestrictCreationToDomains) > 0 && !matched {
+ return false
+ }
+
+ return true
+}
+
func UpdateTeam(team *model.Team) (*model.Team, *model.AppError) {
var oldTeam *model.Team
var err *model.AppError
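Review bot: `isTeamEmailAllowed` dereferences `*user.AuthData` whenever AuthService is non-empty, and nothing in the hunk guarantees AuthData is non-nil for such users; guard it with `if len(user.AuthService) > 0 && user.AuthData != nil && len(*user.AuthData) > 0 {`. The error returned from CreateTeamWithUser names `"isTeamEmailAllowed"` as its location although it is raised in CreateTeamWithUser, which will mislead anyone reading logs; use `"CreateTeamWithUser"`. Overwriting `team.Email` with the stored user email before the domain check is the right order, since the restriction is then evaluated against the authenticated user rather than a client-supplied field, and a comment such as `// use the stored email so the domain restriction applies to the authenticated user, not a client-supplied value` would record why.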
@@ -47,6 +98,12 @@ func UpdateTeam(team *model.Team) (*model.Team, *model.AppError) {
return nil, result.Err
}
+ oldTeam.Sanitize()
+
+ message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_UPDATE_TEAM, "", "", "", nil)
+ message.Add("team", oldTeam.ToJson())
+ go Publish(message)
+
return oldTeam, nil
}
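Review bot: The update event is built with empty team, channel and user scope in `model.NewWebSocketEvent(model.WEBSOCKET_EVENT_UPDATE_TEAM, "", "", "", nil)`; if an empty scope means delivery to every connected client (not visible here), the updated team is pushed to users who are not members of it, and passing `oldTeam.Id` as the team scope would limit delivery to the team. `oldTeam.Sanitize()` now also runs before the return, so callers receive the sanitized copy rather than the full record; that is fine if they only forward it to clients, but deserves a comment on the return. UpdateTeam starts outside the hunk.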
@@ -80,7 +137,32 @@ func UpdateTeamMemberRoles(teamId string, userId string, newRoles string) (*mode
return member, nil
}
-func JoinUserToTeamById(teamId string, user *model.User) *model.AppError {
+func AddUserToTeam(teamId string, userId string) (*model.Team, *model.AppError) {
+ tchan := Srv.Store.Team().Get(teamId)
+ uchan := Srv.Store.User().Get(userId)
+
+ var team *model.Team
+ if result := <-tchan; result.Err != nil {
+ return nil, result.Err
+ } else {
+ team = result.Data.(*model.Team)
+ }
+
+ var user *model.User
+ if result := <-uchan; result.Err != nil {
+ return nil, result.Err
+ } else {
+ user = result.Data.(*model.User)
+ }
+
+ if err := JoinUserToTeam(team, user); err != nil {
+ return nil, err
+ }
+
+ return team, nil
+}
+
+func AddUserToTeamByTeamId(teamId string, user *model.User) *model.AppError {
if result := <-Srv.Store.Team().Get(teamId); result.Err != nil {
return result.Err
} else {
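Review bot: The "start both store lookups, then collect team and user" block in AddUserToTeam is repeated verbatim in the AddUserToTeamByHash, AddUserToTeamByInviteId and RemoveUserFromTeam hunks, with only the return arity differing; a small private helper would keep the four in step and leave each exported function a few lines long. AddUserToTeamByInviteId looks the team up by invite id, so it would need a sibling helper or a lookup argument rather than the id-based one below. When the team lookup fails, the user result is never received; if the store channels are unbuffered (not visible here) that leaves the store goroutine blocked, so it is worth confirming they are buffered.
```go
// getTeamAndUser issues both store lookups concurrently and returns the first error.
func getTeamAndUser(teamId string, userId string) (*model.Team, *model.User, *model.AppError) {
	tchan := Srv.Store.Team().Get(teamId)
	uchan := Srv.Store.User().Get(userId)

	var team *model.Team
	if result := <-tchan; result.Err != nil {
		return nil, nil, result.Err
	} else {
		team = result.Data.(*model.Team)
	}

	var user *model.User
	if result := <-uchan; result.Err != nil {
		return nil, nil, result.Err
	} else {
		user = result.Data.(*model.User)
	}

	return team, user, nil
}

func AddUserToTeam(teamId string, userId string) (*model.Team, *model.AppError) {
	team, user, err := getTeamAndUser(teamId, userId)
	if err != nil {
		return nil, err
	}

	if err := JoinUserToTeam(team, user); err != nil {
		return nil, err
	}

	return team, nil
}
```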
@@ -88,7 +170,7 @@ func JoinUserToTeamById(teamId string, user *model.User) *model.AppError {
}
}
-func JoinUserToTeamByHash(userId string, hash string, data string) (*model.Team, *model.AppError) {
+func AddUserToTeamByHash(userId string, hash string, data string) (*model.Team, *model.AppError) {
props := model.MapFromJson(strings.NewReader(data))
if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) {
@@ -100,15 +182,21 @@ func JoinUserToTeamByHash(userId string, hash string, data string) (*model.Team,
return nil, model.NewLocAppError("JoinUserToTeamByHash", "api.user.create_user.signup_link_expired.app_error", nil, "")
}
+ tchan := Srv.Store.Team().Get(props["id"])
+ uchan := Srv.Store.User().Get(userId)
+
var team *model.Team
- var err *model.AppError
- if team, err = GetTeam(props["id"]); err != nil {
- return nil, err
+ if result := <-tchan; result.Err != nil {
+ return nil, result.Err
+ } else {
+ team = result.Data.(*model.Team)
}
var user *model.User
- if user, err = GetUser(userId); err != nil {
- return nil, err
+ if result := <-uchan; result.Err != nil {
+ return nil, result.Err
+ } else {
+ user = result.Data.(*model.User)
}
if err := JoinUserToTeam(team, user); err != nil {
@@ -118,16 +206,22 @@ func JoinUserToTeamByHash(userId string, hash string, data string) (*model.Team,
return team, nil
}
-func JoinUserToTeamByInviteId(inviteId string, userId string) (*model.Team, *model.AppError) {
+func AddUserToTeamByInviteId(inviteId string, userId string) (*model.Team, *model.AppError) {
+ tchan := Srv.Store.Team().GetByInviteId(inviteId)
+ uchan := Srv.Store.User().Get(userId)
+
var team *model.Team
- var err *model.AppError
- if team, err = GetTeamByInviteId(inviteId); err != nil {
- return nil, err
+ if result := <-tchan; result.Err != nil {
+ return nil, result.Err
+ } else {
+ team = result.Data.(*model.Team)
}
var user *model.User
- if user, err = GetUser(userId); err != nil {
- return nil, err
+ if result := <-uchan; result.Err != nil {
+ return nil, result.Err
+ } else {
+ user = result.Data.(*model.User)
}
if err := JoinUserToTeam(team, user); err != nil {
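Review bot: The invite ID is the only secret checked on this path, and after this change the team comes straight from `Srv.Store.Team().GetByInviteId` instead of the app-level `GetTeamByInviteId` that the removed lines called, so any validation that wrapper performed (a deleted-team or open-invite check, if it had one) is no longer applied here. I would confirm the wrapper was a pure pass-through, and otherwise add an explicit guard on the team before the `JoinUserToTeam` call rather than trusting the lookup alone. A one-line doc comment stating the contract would also help: `// AddUserToTeamByInviteId joins userId to the team whose invite id matches; the invite id is the only credential checked.` AddUserToTeamByInviteId continues past the end of this hunk.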
@@ -266,6 +360,31 @@ func GetTeamMembersByIds(teamId string, userIds []string) ([]*model.TeamMember,
}
}
+func RemoveUserFromTeam(teamId string, userId string) *model.AppError {
+ tchan := Srv.Store.Team().Get(teamId)
+ uchan := Srv.Store.User().Get(userId)
+
+ var team *model.Team
+ if result := <-tchan; result.Err != nil {
+ return result.Err
+ } else {
+ team = result.Data.(*model.Team)
+ }
+
+ var user *model.User
+ if result := <-uchan; result.Err != nil {
+ return result.Err
+ } else {
+ user = result.Data.(*model.User)
+ }
+
+ if err := LeaveTeam(team, user); err != nil {
+ return err
+ }
+
+ return nil
+}
+
func LeaveTeam(team *model.Team, user *model.User) *model.AppError {
var teamMember *model.TeamMember
var err *model.AppError
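Review bot: RemoveUserFromTeam repeats the same team-then-user channel fetch that AddUserToTeam, AddUserToTeamByHash and AddUserToTeamByInviteId each spell out, and the trailing `if err := LeaveTeam(...); err != nil { return err }; return nil` is just `return LeaveTeam(team, user)`. Pulling the fetch into one private helper keeps the early-return-on-error order identical while giving the four functions a single place to add a guard later. The sketch below shows the helper and this function rewritten to use it; the other three would change the same way.

```go
// getTeamAndUser fetches a team and a user from the store concurrently and
// returns the first store error encountered (team first, then user).
func getTeamAndUser(teamId string, userId string) (*model.Team, *model.User, *model.AppError) {
	tchan := Srv.Store.Team().Get(teamId)
	uchan := Srv.Store.User().Get(userId)

	tresult := <-tchan
	if tresult.Err != nil {
		return nil, nil, tresult.Err
	}
	uresult := <-uchan
	if uresult.Err != nil {
		return nil, nil, uresult.Err
	}
	return tresult.Data.(*model.Team), uresult.Data.(*model.User), nil
}

// RemoveUserFromTeam removes userId from teamId; it is the id-based entry point
// over LeaveTeam.
func RemoveUserFromTeam(teamId string, userId string) *model.AppError {
	team, user, err := getTeamAndUser(teamId, userId)
	if err != nil {
		return err
	}
	return LeaveTeam(team, user)
}
```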
@@ -325,6 +444,12 @@ func LeaveTeam(team *model.Team, user *model.User) *model.AppError {
}
func InviteNewUsersToTeam(emailList []string, teamId, senderId, siteURL string) *model.AppError {
+ if len(emailList) == 0 {
+ err := model.NewLocAppError("InviteNewUsersToTeam", "api.team.invite_members.no_one.app_error", nil, "")
+ err.StatusCode = http.StatusBadRequest
+ return err
+ }
+
tchan := Srv.Store.Team().Get(teamId)
uchan := Srv.Store.User().Get(senderId)
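Review bot: The new emptiness check only looks at `len(emailList)`, so a list made up of blank strings (which is what a caller gets from a slice pre-sized with `make([]string, n)` and then appended to) passes it and the blanks flow into the rest of the function. Dropping blank entries before the check makes the guard mean what its error id says and costs a few lines; `strings` and `http` are already imported in this file. InviteNewUsersToTeam continues past the end of this hunk, so the filtered slice must be the one the remainder of the body uses.

```go
func InviteNewUsersToTeam(emailList []string, teamId, senderId, siteURL string) *model.AppError {
	// Drop blank entries so a list of empty strings is rejected like an empty list.
	var emails []string
	for _, email := range emailList {
		if trimmed := strings.TrimSpace(email); trimmed != "" {
			emails = append(emails, trimmed)
		}
	}
	if len(emails) == 0 {
		err := model.NewLocAppError("InviteNewUsersToTeam", "api.team.invite_members.no_one.app_error", nil, "")
		err.StatusCode = http.StatusBadRequest
		return err
	}
	emailList = emails
	// … unchanged: team and sender lookup and the rest of the body …
```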
diff --git a/app/user.go b/app/user.go
index 8324417e8..dbff914d9 100644
--- a/app/user.go
+++ b/app/user.go
@@ -203,7 +203,7 @@ func CreateOAuthUser(service string, userData io.Reader, teamId string) (*model.
}
if len(teamId) > 0 {
- err = JoinUserToTeamById(teamId, user)
+ err = AddUserToTeamByTeamId(teamId, user)
if err != nil {
return nil, err
}
diff --git a/i18n/en.json b/i18n/en.json
index 40d1c78f7..24a59161c 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -2788,6 +2788,22 @@
"translation": "Invite User"
},
{
+ "id": "authentication.permissions.create_team_roles.description",
+ "translation": "Ability to create new teams"
+ },
+ {
+ "id": "authentication.permissions.create_team_roles.name",
+ "translation": "Create Teams"
+ },
+ {
+ "id": "authentication.permissions.manage_team_roles.description",
+ "translation": "Ability to change the roles of a team member"
+ },
+ {
+ "id": "authentication.permissions.manage_team_roles.name",
+ "translation": "Manage Team Roles"
+ },
+ {
"id": "authentication.permissions.team_use_slash_commands.description",
"translation": "Ability to use slash commands"
},
diff --git a/model/authorization.go b/model/authorization.go
index 78d7d3960..56bb58913 100644
--- a/model/authorization.go
+++ b/model/authorization.go
@@ -27,6 +27,7 @@ var PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS *Permission
var PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS *Permission
var PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE *Permission
var PERMISSION_MANAGE_ROLES *Permission
+var PERMISSION_MANAGE_TEAM_ROLES *Permission
var PERMISSION_MANAGE_CHANNEL_ROLES *Permission
var PERMISSION_CREATE_DIRECT_CHANNEL *Permission
var PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES *Permission
@@ -50,6 +51,7 @@ var PERMISSION_EDIT_OTHERS_POSTS *Permission
var PERMISSION_DELETE_POST *Permission
var PERMISSION_DELETE_OTHERS_POSTS *Permission
var PERMISSION_REMOVE_USER_FROM_TEAM *Permission
+var PERMISSION_CREATE_TEAM *Permission
var PERMISSION_MANAGE_TEAM *Permission
var PERMISSION_IMPORT_TEAM *Permission
@@ -126,6 +128,11 @@ func InitalizePermissions() {
"authentication.permissions.manage_roles.name",
"authentication.permissions.manage_roles.description",
}
+ PERMISSION_MANAGE_TEAM_ROLES = &Permission{
+ "manage_team_roles",
+ "authentication.permissions.manage_team_roles.name",
+ "authentication.permissions.manage_team_roles.description",
+ }
PERMISSION_MANAGE_CHANNEL_ROLES = &Permission{
"manage_channel_roles",
"authentication.permissions.manage_channel_roles.name",
@@ -246,6 +253,11 @@ func InitalizePermissions() {
"authentication.permissions.remove_user_from_team.name",
"authentication.permissions.remove_user_from_team.description",
}
+ PERMISSION_CREATE_TEAM = &Permission{
+ "create_team",
+ "authentication.permissions.create_team.name",
+ "authentication.permissions.create_team.description",
+ }
PERMISSION_MANAGE_TEAM = &Permission{
"manage_team",
"authentication.permissions.manage_team.name",
@@ -315,7 +327,7 @@ func InitalizeRoles() {
PERMISSION_REMOVE_USER_FROM_TEAM.Id,
PERMISSION_MANAGE_TEAM.Id,
PERMISSION_IMPORT_TEAM.Id,
- PERMISSION_MANAGE_ROLES.Id,
+ PERMISSION_MANAGE_TEAM_ROLES.Id,
PERMISSION_MANAGE_CHANNEL_ROLES.Id,
PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
PERMISSION_MANAGE_SLASH_COMMANDS.Id,
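Review bot: Swapping `PERMISSION_MANAGE_ROLES` for `PERMISSION_MANAGE_TEAM_ROLES` in the team-admin role is a privilege reduction, so any authorization check that still gates team-member role changes on `PERMISSION_MANAGE_ROLES` (the api/ call sites are outside this view) will now refuse team admins; those call sites should be confirmed to use the new permission in the same change. Because `manage_roles` stays with the system-admin role elsewhere in this file, a comment distinguishing the two scopes would prevent the next person from re-adding it here: `// manage_team_roles: change a member's roles within this team only; system-wide manage_roles is reserved for system admins.` The enclosing role definition starts and ends outside this hunk.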
@@ -350,6 +362,7 @@ func InitalizeRoles() {
[]string{
PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
PERMISSION_MANAGE_SYSTEM.Id,
+ PERMISSION_MANAGE_ROLES.Id,
PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
@@ -363,6 +376,7 @@ func InitalizeRoles() {
PERMISSION_INVITE_USER.Id,
PERMISSION_DELETE_POST.Id,
PERMISSION_DELETE_OTHERS_POSTS.Id,
+ PERMISSION_CREATE_TEAM.Id,
},
ROLE_TEAM_USER.Permissions...,
),
diff --git a/model/team.go b/model/team.go
index 3f05ce83a..195bac571 100644
--- a/model/team.go
+++ b/model/team.go
@@ -48,6 +48,14 @@ func InvitesFromJson(data io.Reader) *Invites {
}
}
+func (o *Invites) ToEmailList() []string {
+ emailList := make([]string, len(o.Invites))
+ for _, invite := range o.Invites {
+ emailList = append(emailList, invite["email"])
+ }
+ return emailList
+}
+
func (o *Invites) ToJson() string {
b, err := json.Marshal(o)
if err != nil {
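Review bot: `make([]string, len(o.Invites))` allocates a slice that already holds `len(o.Invites)` empty strings, and the loop then appends after them, so ToEmailList returns a list twice as long as the input with a leading run of blanks. The intent is a capacity hint: `emailList := make([]string, 0, len(o.Invites))`. Even with that fix an invite map without an `"email"` key contributes an empty string, so callers that treat the result as a list of addresses should still filter blanks or this method should skip them. A doc comment would pin the contract: `// ToEmailList returns the "email" value of each invite, in order.`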
diff --git a/utils/authorization.go b/utils/authorization.go
index ba4768140..de288fc81 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -3,7 +3,9 @@
package utils
-import "github.com/mattermost/platform/model"
+import (
+ "github.com/mattermost/platform/model"
+)
func SetDefaultRolesBasedOnConfig() {
// Reset the roles to default to make this logic easier
@@ -170,4 +172,11 @@ func SetDefaultRolesBasedOnConfig() {
break
}
+ if Cfg.TeamSettings.EnableTeamCreation {
+ model.ROLE_SYSTEM_USER.Permissions = append(
+ model.ROLE_SYSTEM_USER.Permissions,
+ model.PERMISSION_CREATE_TEAM.Id,
+ )
+ }
+
}
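Review bot: The new grant has no comment explaining that it is the point where the `EnableTeamCreation` config value is turned into a permission, which matters because the system-admin role receives `PERMISSION_CREATE_TEAM` unconditionally in model/authorization.go while ordinary users get it only here. I would add, above the `if`: `// Map TeamSettings.EnableTeamCreation onto the system-user role so team creation can be gated by PERMISSION_CREATE_TEAM; takes effect only when this function is re-run after a config change.` The function's reset of the roles to defaults happens at its top, outside this hunk, so the append presumably does not accumulate across calls — worth confirming since `ROLE_SYSTEM_USER.Permissions` is a package-level slice.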
diff --git a/web/web_test.go b/web/web_test.go
index 11273c5dd..dd1dcf19c 100644
--- a/web/web_test.go
+++ b/web/web_test.go
@@ -65,14 +65,15 @@ func TestStatic(t *testing.T) {
func TestGetAccessToken(t *testing.T) {
Setup()
- team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
- rteam, _ := ApiClient.CreateTeam(&team)
-
user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Password: "passwd1"}
ruser := ApiClient.Must(ApiClient.CreateUser(&user, "")).Data.(*model.User)
- app.JoinUserToTeam(rteam.Data.(*model.Team), ruser)
store.Must(app.Srv.Store.User().VerifyEmail(ruser.Id))
+ ApiClient.Must(ApiClient.LoginById(ruser.Id, "passwd1"))
+
+ team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
+ rteam, _ := ApiClient.CreateTeam(&team)
+
oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
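Review bot: `rteam, _ := ApiClient.CreateTeam(&team)` discards the error, and now that team creation runs under the logged-in user's create_team permission a failure here would surface later as a nil dereference on `rteam` rather than as a test failure; the user creation two lines up already uses the `ApiClient.Must(...)` pattern, so `rteam := ApiClient.Must(ApiClient.CreateTeam(&team))` would be consistent. The removed `app.JoinUserToTeam` call means the test now relies on CreateTeam adding the creator as a member; if later assertions depend on that membership, a comment saying so would make the dependency explicit. TestGetAccessToken continues past the end of this hunk.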
@@ -201,16 +202,18 @@ func TestGetAccessToken(t *testing.T) {
func TestIncomingWebhook(t *testing.T) {
Setup()
- team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
- team = ApiClient.Must(ApiClient.CreateTeam(team)).Data.(*model.Team)
-
user := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
user = ApiClient.Must(ApiClient.CreateUser(user, "")).Data.(*model.User)
store.Must(app.Srv.Store.User().VerifyEmail(user.Id))
+
+ ApiClient.Login(user.Email, "passwd1")
+
+ team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
+ team = ApiClient.Must(ApiClient.CreateTeam(team)).Data.(*model.Team)
+
app.JoinUserToTeam(team, user)
app.UpdateUserRoles(user.Id, model.ROLE_SYSTEM_ADMIN.Id)
- ApiClient.Login(user.Email, "passwd1")
ApiClient.SetTeamId(team.Id)
channel1 := &model.Channel{DisplayName: "Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_OPEN, TeamId: team.Id}
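Review bot: The result of `ApiClient.Login(user.Email, "passwd1")` is dropped, so if the login fails the following `CreateTeam` reports an unrelated permission error instead of the real cause; `ApiClient.Must(ApiClient.Login(user.Email, "passwd1"))` matches the style of the surrounding calls. This test also keeps `app.JoinUserToTeam(team, user)` after the user has just created the team, whereas TestGetAccessToken in the same commit drops that call; the two should agree on whether the creator is auto-joined. `app.UpdateUserRoles` now runs after login, so if roles are read from the session at login time the elevation may not apply to the existing session — worth confirming since the rest of the test assumes system-admin rights. TestIncomingWebhook continues past the end of this hunk.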
diff --git a/webapp/tests/client_team.test.jsx b/webapp/tests/client_team.test.jsx
index 5fac2da6d..20610f676 100644
--- a/webapp/tests/client_team.test.jsx
+++ b/webapp/tests/client_team.test.jsx
@@ -23,19 +23,20 @@ describe('Client.Team', function() {
});
it('createTeam', function(done) {
- var client = TestHelper.createClient();
var team = TestHelper.fakeTeam();
- client.createTeam(
- team,
- function(data) {
- assert.equal(data.id.length > 0, true);
- assert.equal(data.name, team.name);
- done();
- },
- function(err) {
- done(new Error(err.message));
- }
- );
+ TestHelper.initBasic(() => {
+ TestHelper.basicClient().createTeam(
+ team,
+ function(data) {
+ assert.equal(data.id.length > 0, true);
+ assert.equal(data.name, team.name);
+ done();
+ },
+ function(err) {
+ done(new Error(err.message));
+ }
+ );
+ });
});
it('getAllTeams', function(done) {
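Review bot: The test now only covers the positive path through an authenticated basic client, so nothing pins the behaviour this commit introduces, namely that an unauthenticated `TestHelper.createClient()` can no longer create a team. A sibling case that calls `createTeam` on a fresh client and passes `done()` only from the error callback (and `done(new Error(...))` from the success callback) would catch a regression that silently re-opens team creation. The `it('getAllTeams', ...)` block that follows is outside this hunk.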