MM-8827: Add ADD_REACTION, REMOVE_REACTION and REMOVE_OTHERS_REACTIONS permissions (#8300)

author: Jesús Espino <jespinog@gmail.com> 2018-02-19 12:13:29 +0100
committer: George Goldberg <george@gberg.me> 2018-02-19 11:13:29 +0000
commit: 8891fa2a5e9e08eb9fa99ec163c47a6e9761a816 (patch)
tree: 1cb5b375cbedf397d71ad8df3d009e4b5efb1357
parent: 0e718a632a616bcfec4378f512182245b68f4fd8 (diff)
download: chat-8891fa2a5e9e08eb9fa99ec163c47a6e9761a816.tar.gz
chat-8891fa2a5e9e08eb9fa99ec163c47a6e9761a816.tar.bz2
chat-8891fa2a5e9e08eb9fa99ec163c47a6e9761a816.zip
6 files changed, 333 insertions, 188 deletions
diff --git a/api/reaction.go b/api/reaction.go
index 991044cda..812c9f582 100644
--- a/api/reaction.go
+++ b/api/reaction.go
@@ -36,8 +36,8 @@ func saveReaction(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
-		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+	if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_ADD_REACTION) {
+		c.SetPermissionError(model.PERMISSION_ADD_REACTION)
 		return
 	}
 
@@ -87,8 +87,8 @@ func deleteReaction(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
-		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+	if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_REMOVE_REACTION) {
+		c.SetPermissionError(model.PERMISSION_REMOVE_REACTION)
 		return
 	}
 
diff --git a/api4/reaction.go b/api4/reaction.go
index af637bf91..337b49751 100644
--- a/api4/reaction.go
+++ b/api4/reaction.go
@@ -32,8 +32,8 @@ func saveReaction(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !c.App.SessionHasPermissionToChannelByPost(c.Session, reaction.PostId, model.PERMISSION_READ_CHANNEL) {
-		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+	if !c.App.SessionHasPermissionToChannelByPost(c.Session, reaction.PostId, model.PERMISSION_ADD_REACTION) {
+		c.SetPermissionError(model.PERMISSION_ADD_REACTION)
 		return
 	}
 
@@ -82,13 +82,13 @@ func deleteReaction(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !c.App.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_READ_CHANNEL) {
-		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+	if !c.App.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_REMOVE_REACTION) {
+		c.SetPermissionError(model.PERMISSION_REMOVE_REACTION)
 		return
 	}
 
-	if c.Params.UserId != c.Session.UserId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
-		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+	if c.Params.UserId != c.Session.UserId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_REMOVE_OTHERS_REACTIONS) {
+		c.SetPermissionError(model.PERMISSION_REMOVE_OTHERS_REACTIONS)
 		return
 	}
 
diff --git a/api4/reaction_test.go b/api4/reaction_test.go
index 93cd754c9..ac1a49671 100644
--- a/api4/reaction_test.go
+++ b/api4/reaction_test.go
@@ -19,116 +19,159 @@ func TestSaveReaction(t *testing.T) {
 	userId := th.BasicUser.Id
 	postId := th.BasicPost.Id
 
+	// Check the appropriate permissions are enforced.
+	defaultRolePermissions := th.SaveDefaultRolePermissions()
+	defer func() {
+		th.RestoreDefaultRolePermissions(defaultRolePermissions)
+	}()
+
 	reaction := &model.Reaction{
 		UserId:    userId,
 		PostId:    postId,
 		EmojiName: "smile",
 	}
 
-	rr, resp := Client.SaveReaction(reaction)
-	CheckNoError(t, resp)
+	t.Run("successful-reaction", func(t *testing.T) {
+		rr, resp := Client.SaveReaction(reaction)
+		CheckNoError(t, resp)
 
-	if rr.UserId != reaction.UserId {
-		t.Fatal("UserId did not match")
-	}
+		if rr.UserId != reaction.UserId {
+			t.Fatal("UserId did not match")
+		}
 
-	if rr.PostId != reaction.PostId {
-		t.Fatal("PostId did not match")
-	}
+		if rr.PostId != reaction.PostId {
+			t.Fatal("PostId did not match")
+		}
 
-	if rr.EmojiName != reaction.EmojiName {
-		t.Fatal("EmojiName did not match")
-	}
+		if rr.EmojiName != reaction.EmojiName {
+			t.Fatal("EmojiName did not match")
+		}
 
-	if rr.CreateAt == 0 {
-		t.Fatal("CreateAt should exist")
-	}
+		if rr.CreateAt == 0 {
+			t.Fatal("CreateAt should exist")
+		}
 
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 1 {
-		t.Fatal("didn't save reaction correctly")
-	}
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 1 {
+			t.Fatal("didn't save reaction correctly")
+		}
+	})
 
-	// saving a duplicate reaction
-	rr, resp = Client.SaveReaction(reaction)
-	CheckNoError(t, resp)
+	t.Run("duplicated-reaction", func(t *testing.T) {
+		_, resp := Client.SaveReaction(reaction)
+		CheckNoError(t, resp)
 
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 1 {
-		t.Fatal("should have not save duplicated reaction")
-	}
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 1 {
+			t.Fatal("should have not save duplicated reaction")
+		}
+	})
 
-	reaction.EmojiName = "sad"
+	t.Run("save-second-reaction", func(t *testing.T) {
+		reaction.EmojiName = "sad"
 
-	rr, resp = Client.SaveReaction(reaction)
-	CheckNoError(t, resp)
+		rr, resp := Client.SaveReaction(reaction)
+		CheckNoError(t, resp)
 
-	if rr.EmojiName != reaction.EmojiName {
-		t.Fatal("EmojiName did not match")
-	}
+		if rr.EmojiName != reaction.EmojiName {
+			t.Fatal("EmojiName did not match")
+		}
 
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 2 {
-		t.Fatal("should have save multiple reactions")
-	}
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 2 {
+			t.Fatal("should have save multiple reactions")
+		}
+	})
 
-	// saving special case
-	reaction.EmojiName = "+1"
+	t.Run("saving-special-case", func(t *testing.T) {
+		reaction.EmojiName = "+1"
 
-	rr, resp = Client.SaveReaction(reaction)
-	CheckNoError(t, resp)
+		rr, resp := Client.SaveReaction(reaction)
+		CheckNoError(t, resp)
 
-	if rr.EmojiName != reaction.EmojiName {
-		t.Fatal("EmojiName did not match")
-	}
+		if rr.EmojiName != reaction.EmojiName {
+			t.Fatal("EmojiName did not match")
+		}
 
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 3 {
-		t.Fatal("should have save multiple reactions")
-	}
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil && len(reactions) != 3 {
+			t.Fatal("should have save multiple reactions")
+		}
+	})
+
+	t.Run("react-to-not-existing-post-id", func(t *testing.T) {
+		reaction.PostId = GenerateTestId()
+
+		_, resp := Client.SaveReaction(reaction)
+		CheckForbiddenStatus(t, resp)
+	})
 
-	reaction.PostId = GenerateTestId()
+	t.Run("react-to-not-valid-post-id", func(t *testing.T) {
+		reaction.PostId = "junk"
 
-	_, resp = Client.SaveReaction(reaction)
-	CheckForbiddenStatus(t, resp)
+		_, resp := Client.SaveReaction(reaction)
+		CheckBadRequestStatus(t, resp)
+	})
 
-	reaction.PostId = "junk"
+	t.Run("react-as-not-existing-user-id", func(t *testing.T) {
+		reaction.PostId = postId
+		reaction.UserId = GenerateTestId()
 
-	_, resp = Client.SaveReaction(reaction)
-	CheckBadRequestStatus(t, resp)
+		_, resp := Client.SaveReaction(reaction)
+		CheckForbiddenStatus(t, resp)
+	})
 
-	reaction.PostId = postId
-	reaction.UserId = GenerateTestId()
+	t.Run("react-as-not-valid-user-id", func(t *testing.T) {
+		reaction.UserId = "junk"
 
-	_, resp = Client.SaveReaction(reaction)
-	CheckForbiddenStatus(t, resp)
+		_, resp := Client.SaveReaction(reaction)
+		CheckBadRequestStatus(t, resp)
+	})
 
-	reaction.UserId = "junk"
+	t.Run("react-as-empty-emoji-name", func(t *testing.T) {
+		reaction.UserId = userId
+		reaction.EmojiName = ""
 
-	_, resp = Client.SaveReaction(reaction)
-	CheckBadRequestStatus(t, resp)
+		_, resp := Client.SaveReaction(reaction)
+		CheckBadRequestStatus(t, resp)
+	})
 
-	reaction.UserId = userId
-	reaction.EmojiName = ""
+	t.Run("react-as-not-valid-emoji-name", func(t *testing.T) {
+		reaction.EmojiName = strings.Repeat("a", 65)
 
-	_, resp = Client.SaveReaction(reaction)
-	CheckBadRequestStatus(t, resp)
+		_, resp := Client.SaveReaction(reaction)
+		CheckBadRequestStatus(t, resp)
+	})
 
-	reaction.EmojiName = strings.Repeat("a", 65)
+	t.Run("react-as-other-user", func(t *testing.T) {
+		reaction.EmojiName = "smile"
+		otherUser := th.CreateUser()
+		Client.Logout()
+		Client.Login(otherUser.Email, otherUser.Password)
 
-	_, resp = Client.SaveReaction(reaction)
-	CheckBadRequestStatus(t, resp)
+		_, resp := Client.SaveReaction(reaction)
+		CheckForbiddenStatus(t, resp)
+	})
 
-	reaction.EmojiName = "smile"
-	otherUser := th.CreateUser()
-	Client.Logout()
-	Client.Login(otherUser.Email, otherUser.Password)
+	t.Run("react-being-not-logged-in", func(t *testing.T) {
+		Client.Logout()
+		_, resp := Client.SaveReaction(reaction)
+		CheckUnauthorizedStatus(t, resp)
+	})
 
-	_, resp = Client.SaveReaction(reaction)
-	CheckForbiddenStatus(t, resp)
+	t.Run("react-as-other-user-being-system-admin", func(t *testing.T) {
+		_, resp := th.SystemAdminClient.SaveReaction(reaction)
+		CheckForbiddenStatus(t, resp)
+	})
 
-	Client.Logout()
-	_, resp = Client.SaveReaction(reaction)
-	CheckUnauthorizedStatus(t, resp)
+	t.Run("unable-to-create-reaction-without-permissions", func(t *testing.T) {
+		th.LoginBasic()
 
-	_, resp = th.SystemAdminClient.SaveReaction(reaction)
-	CheckForbiddenStatus(t, resp)
+		th.RemovePermissionFromRole(model.PERMISSION_ADD_REACTION.Id, model.CHANNEL_USER_ROLE_ID)
+		_, resp := Client.SaveReaction(reaction)
+		CheckForbiddenStatus(t, resp)
+
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 3 {
+			t.Fatal("should have not created a reactions")
+		}
+		th.AddPermissionToRole(model.PERMISSION_ADD_REACTION.Id, model.CHANNEL_USER_ROLE_ID)
+	})
 }
 
 func TestGetReactions(t *testing.T) {
@@ -177,29 +220,39 @@ func TestGetReactions(t *testing.T) {
 		}
 	}
 
-	rr, resp := Client.GetReactions(postId)
-	CheckNoError(t, resp)
+	t.Run("get-reactions", func(t *testing.T) {
+		rr, resp := Client.GetReactions(postId)
+		CheckNoError(t, resp)
 
-	assert.Len(t, rr, 5)
-	for _, r := range reactions {
-		assert.Contains(t, reactions, r)
-	}
+		assert.Len(t, rr, 5)
+		for _, r := range reactions {
+			assert.Contains(t, reactions, r)
+		}
+	})
 
-	rr, resp = Client.GetReactions("junk")
-	CheckBadRequestStatus(t, resp)
+	t.Run("get-reactions-of-invalid-post-id", func(t *testing.T) {
+		rr, resp := Client.GetReactions("junk")
+		CheckBadRequestStatus(t, resp)
 
-	assert.Empty(t, rr)
+		assert.Empty(t, rr)
+	})
 
-	_, resp = Client.GetReactions(GenerateTestId())
-	CheckForbiddenStatus(t, resp)
+	t.Run("get-reactions-of-not-existing-post-id", func(t *testing.T) {
+		_, resp := Client.GetReactions(GenerateTestId())
+		CheckForbiddenStatus(t, resp)
+	})
 
-	Client.Logout()
+	t.Run("get-reactions-as-anonymous-user", func(t *testing.T) {
+		Client.Logout()
 
-	_, resp = Client.GetReactions(postId)
-	CheckUnauthorizedStatus(t, resp)
+		_, resp := Client.GetReactions(postId)
+		CheckUnauthorizedStatus(t, resp)
+	})
 
-	_, resp = th.SystemAdminClient.GetReactions(postId)
-	CheckNoError(t, resp)
+	t.Run("get-reactions-as-system-admin", func(t *testing.T) {
+		_, resp := th.SystemAdminClient.GetReactions(postId)
+		CheckNoError(t, resp)
+	})
 }
 
 func TestDeleteReaction(t *testing.T) {
@@ -216,131 +269,186 @@ func TestDeleteReaction(t *testing.T) {
 		EmojiName: "smile",
 	}
 
-	th.App.SaveReactionForPost(r1)
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 {
-		t.Fatal("didn't save reaction correctly")
-	}
-
-	ok, resp := Client.DeleteReaction(r1)
-	CheckNoError(t, resp)
-
-	if !ok {
-		t.Fatal("should have returned true")
-	}
-
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 0 {
-		t.Fatal("should have deleted reaction")
-	}
-
-	// deleting one reaction when a post has multiple reactions
 	r2 := &model.Reaction{
 		UserId:    userId,
 		PostId:    postId,
 		EmojiName: "smile-",
 	}
 
-	th.App.SaveReactionForPost(r1)
-	th.App.SaveReactionForPost(r2)
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
-		t.Fatal("didn't save reactions correctly")
-	}
-
-	_, resp = Client.DeleteReaction(r2)
-	CheckNoError(t, resp)
-
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 || *reactions[0] != *r1 {
-		t.Fatal("should have deleted 1 reaction only")
-	}
-
-	// deleting one reaction of name +1
 	r3 := &model.Reaction{
 		UserId:    userId,
 		PostId:    postId,
 		EmojiName: "+1",
 	}
 
-	th.App.SaveReactionForPost(r3)
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
-		t.Fatal("didn't save reactions correctly")
-	}
-
-	_, resp = Client.DeleteReaction(r3)
-	CheckNoError(t, resp)
-
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 || *reactions[0] != *r1 {
-		t.Fatal("should have deleted 1 reaction only")
-	}
-
-	// deleting a reaction made by another user
 	r4 := &model.Reaction{
 		UserId:    user2Id,
 		PostId:    postId,
 		EmojiName: "smile_",
 	}
 
-	th.LoginBasic2()
-	th.App.SaveReactionForPost(r4)
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
-		t.Fatal("didn't save reaction correctly")
-	}
+	// Check the appropriate permissions are enforced.
+	defaultRolePermissions := th.SaveDefaultRolePermissions()
+	defer func() {
+		th.RestoreDefaultRolePermissions(defaultRolePermissions)
+	}()
 
-	th.LoginBasic()
+	t.Run("delete-reaction", func(t *testing.T) {
+		th.App.SaveReactionForPost(r1)
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 {
+			t.Fatal("didn't save reaction correctly")
+		}
 
-	ok, resp = Client.DeleteReaction(r4)
-	CheckForbiddenStatus(t, resp)
+		ok, resp := Client.DeleteReaction(r1)
+		CheckNoError(t, resp)
 
-	if ok {
-		t.Fatal("should have returned false")
-	}
+		if !ok {
+			t.Fatal("should have returned true")
+		}
 
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
-		t.Fatal("should have not deleted a reaction")
-	}
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 0 {
+			t.Fatal("should have deleted reaction")
+		}
+	})
 
-	r1.PostId = GenerateTestId()
-	_, resp = Client.DeleteReaction(r1)
-	CheckForbiddenStatus(t, resp)
+	t.Run("delete-reaction-when-post-has-multiple-reactions", func(t *testing.T) {
+		th.App.SaveReactionForPost(r1)
+		th.App.SaveReactionForPost(r2)
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
+			t.Fatal("didn't save reactions correctly")
+		}
+
+		_, resp := Client.DeleteReaction(r2)
+		CheckNoError(t, resp)
 
-	r1.PostId = "junk"
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 || *reactions[0] != *r1 {
+			t.Fatal("should have deleted 1 reaction only")
+		}
+	})
+
+	t.Run("delete-reaction-when-plus-one-reaction-name", func(t *testing.T) {
+		th.App.SaveReactionForPost(r3)
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
+			t.Fatal("didn't save reactions correctly")
+		}
 
-	_, resp = Client.DeleteReaction(r1)
-	CheckBadRequestStatus(t, resp)
+		_, resp := Client.DeleteReaction(r3)
+		CheckNoError(t, resp)
 
-	r1.PostId = postId
-	r1.UserId = GenerateTestId()
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 || *reactions[0] != *r1 {
+			t.Fatal("should have deleted 1 reaction only")
+		}
+	})
 
-	_, resp = Client.DeleteReaction(r1)
-	CheckForbiddenStatus(t, resp)
+	t.Run("delete-reaction-made-by-another-user", func(t *testing.T) {
+		th.LoginBasic2()
+		th.App.SaveReactionForPost(r4)
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
+			t.Fatal("didn't save reaction correctly")
+		}
 
-	r1.UserId = "junk"
+		th.LoginBasic()
 
-	_, resp = Client.DeleteReaction(r1)
-	CheckBadRequestStatus(t, resp)
+		ok, resp := Client.DeleteReaction(r4)
+		CheckForbiddenStatus(t, resp)
 
-	r1.UserId = userId
-	r1.EmojiName = ""
+		if ok {
+			t.Fatal("should have returned false")
+		}
 
-	_, resp = Client.DeleteReaction(r1)
-	CheckNotFoundStatus(t, resp)
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 2 {
+			t.Fatal("should have not deleted a reaction")
+		}
+	})
 
-	r1.EmojiName = strings.Repeat("a", 65)
+	t.Run("delete-reaction-from-not-existing-post-id", func(t *testing.T) {
+		r1.PostId = GenerateTestId()
+		_, resp := Client.DeleteReaction(r1)
+		CheckForbiddenStatus(t, resp)
+	})
 
-	_, resp = Client.DeleteReaction(r1)
-	CheckBadRequestStatus(t, resp)
+	t.Run("delete-reaction-from-not-valid-post-id", func(t *testing.T) {
+		r1.PostId = "junk"
 
-	Client.Logout()
-	r1.EmojiName = "smile"
+		_, resp := Client.DeleteReaction(r1)
+		CheckBadRequestStatus(t, resp)
+	})
 
-	_, resp = Client.DeleteReaction(r1)
-	CheckUnauthorizedStatus(t, resp)
+	t.Run("delete-reaction-from-not-existing-user-id", func(t *testing.T) {
+		r1.PostId = postId
+		r1.UserId = GenerateTestId()
 
-	_, resp = th.SystemAdminClient.DeleteReaction(r1)
-	CheckNoError(t, resp)
+		_, resp := Client.DeleteReaction(r1)
+		CheckForbiddenStatus(t, resp)
+	})
 
-	_, resp = th.SystemAdminClient.DeleteReaction(r4)
-	CheckNoError(t, resp)
+	t.Run("delete-reaction-from-not-valid-user-id", func(t *testing.T) {
+		r1.UserId = "junk"
 
-	if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 0 {
-		t.Fatal("should have deleted both reactions")
-	}
+		_, resp := Client.DeleteReaction(r1)
+		CheckBadRequestStatus(t, resp)
+	})
+
+	t.Run("delete-reaction-with-empty-name", func(t *testing.T) {
+		r1.UserId = userId
+		r1.EmojiName = ""
+
+		_, resp := Client.DeleteReaction(r1)
+		CheckNotFoundStatus(t, resp)
+	})
+
+	t.Run("delete-reaction-with-not-existing-name", func(t *testing.T) {
+		r1.EmojiName = strings.Repeat("a", 65)
+
+		_, resp := Client.DeleteReaction(r1)
+		CheckBadRequestStatus(t, resp)
+	})
+
+	t.Run("delete-reaction-as-anonymous-user", func(t *testing.T) {
+		Client.Logout()
+		r1.EmojiName = "smile"
+
+		_, resp := Client.DeleteReaction(r1)
+		CheckUnauthorizedStatus(t, resp)
+	})
+
+	t.Run("delete-reaction-as-system-admin", func(t *testing.T) {
+		_, resp := th.SystemAdminClient.DeleteReaction(r1)
+		CheckNoError(t, resp)
+
+		_, resp = th.SystemAdminClient.DeleteReaction(r4)
+		CheckNoError(t, resp)
+
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 0 {
+			t.Fatal("should have deleted both reactions")
+		}
+	})
+
+	t.Run("unable-to-delete-reaction-without-permissions", func(t *testing.T) {
+		th.LoginBasic()
+
+		th.RemovePermissionFromRole(model.PERMISSION_REMOVE_REACTION.Id, model.CHANNEL_USER_ROLE_ID)
+		th.App.SaveReactionForPost(r1)
+
+		_, resp := Client.DeleteReaction(r1)
+		CheckForbiddenStatus(t, resp)
+
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 {
+			t.Fatal("should have not deleted a reactions")
+		}
+		th.AddPermissionToRole(model.PERMISSION_REMOVE_REACTION.Id, model.CHANNEL_USER_ROLE_ID)
+	})
+
+	t.Run("unable-to-delete-others-reactions-without-permissions", func(t *testing.T) {
+		th.RemovePermissionFromRole(model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id, model.SYSTEM_ADMIN_ROLE_ID)
+		th.App.SaveReactionForPost(r1)
+
+		_, resp := th.SystemAdminClient.DeleteReaction(r1)
+		CheckForbiddenStatus(t, resp)
+
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 {
+			t.Fatal("should have not deleted a reactions")
+		}
+		th.AddPermissionToRole(model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id, model.SYSTEM_ADMIN_ROLE_ID)
+	})
 }
diff --git a/app/app_test.go b/app/app_test.go
index 3690d916f..c2841ec53 100644
--- a/app/app_test.go
+++ b/app/app_test.go
@@ -106,6 +106,8 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
 	expected1 := map[string][]string{
 		"channel_user": []string{
 			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_ADD_REACTION.Id,
+			model.PERMISSION_REMOVE_REACTION.Id,
 			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
 			model.PERMISSION_UPLOAD_FILE.Id,
 			model.PERMISSION_GET_PUBLIC_LINK.Id,
@@ -196,11 +198,14 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
 			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
 			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
 			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
 			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
 			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
 			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
 			model.PERMISSION_VIEW_TEAM.Id,
 			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_ADD_REACTION.Id,
+			model.PERMISSION_REMOVE_REACTION.Id,
 			model.PERMISSION_UPLOAD_FILE.Id,
 			model.PERMISSION_GET_PUBLIC_LINK.Id,
 			model.PERMISSION_CREATE_POST.Id,
@@ -265,6 +270,8 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
 	expected2 := map[string][]string{
 		"channel_user": []string{
 			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_ADD_REACTION.Id,
+			model.PERMISSION_REMOVE_REACTION.Id,
 			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
 			model.PERMISSION_UPLOAD_FILE.Id,
 			model.PERMISSION_GET_PUBLIC_LINK.Id,
@@ -355,11 +362,14 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
 			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
 			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
 			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
 			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
 			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
 			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
 			model.PERMISSION_VIEW_TEAM.Id,
 			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_ADD_REACTION.Id,
+			model.PERMISSION_REMOVE_REACTION.Id,
 			model.PERMISSION_UPLOAD_FILE.Id,
 			model.PERMISSION_GET_PUBLIC_LINK.Id,
 			model.PERMISSION_CREATE_POST.Id,
diff --git a/model/permission.go b/model/permission.go
index 0dc09f49a..ddbf1030e 100644
--- a/model/permission.go
+++ b/model/permission.go
@@ -40,6 +40,9 @@ var PERMISSION_DELETE_PRIVATE_CHANNEL *Permission
 var PERMISSION_EDIT_OTHER_USERS *Permission
 var PERMISSION_READ_CHANNEL *Permission
 var PERMISSION_READ_PUBLIC_CHANNEL *Permission
+var PERMISSION_ADD_REACTION *Permission
+var PERMISSION_REMOVE_REACTION *Permission
+var PERMISSION_REMOVE_OTHERS_REACTIONS *Permission
 var PERMISSION_PERMANENT_DELETE_USER *Permission
 var PERMISSION_UPLOAD_FILE *Permission
 var PERMISSION_GET_PUBLIC_LINK *Permission
@@ -222,6 +225,24 @@ func initializePermissions() {
 		"authentication.permissions.read_public_channel.description",
 		PERMISSION_SCOPE_TEAM,
 	}
+	PERMISSION_ADD_REACTION = &Permission{
+		"add_reaction",
+		"authentication.permissions.add_reaction.name",
+		"authentication.permissions.add_reaction.description",
+		PERMISSION_SCOPE_CHANNEL,
+	}
+	PERMISSION_REMOVE_REACTION = &Permission{
+		"remove_reaction",
+		"authentication.permissions.remove_reaction.name",
+		"authentication.permissions.remove_reaction.description",
+		PERMISSION_SCOPE_CHANNEL,
+	}
+	PERMISSION_REMOVE_OTHERS_REACTIONS = &Permission{
+		"remove_others_reactions",
+		"authentication.permissions.remove_others_reactions.name",
+		"authentication.permissions.remove_others_reactions.description",
+		PERMISSION_SCOPE_CHANNEL,
+	}
 	PERMISSION_PERMANENT_DELETE_USER = &Permission{
 		"permanent_delete_user",
 		"authentication.permissions.permanent_delete_user.name",
@@ -386,6 +407,9 @@ func initializePermissions() {
 		PERMISSION_EDIT_OTHER_USERS,
 		PERMISSION_READ_CHANNEL,
 		PERMISSION_READ_PUBLIC_CHANNEL,
+		PERMISSION_ADD_REACTION,
+		PERMISSION_REMOVE_REACTION,
+		PERMISSION_REMOVE_OTHERS_REACTIONS,
 		PERMISSION_PERMANENT_DELETE_USER,
 		PERMISSION_UPLOAD_FILE,
 		PERMISSION_GET_PUBLIC_LINK,
diff --git a/model/role.go b/model/role.go
index 5f7352f12..5c2cf8f5b 100644
--- a/model/role.go
+++ b/model/role.go
@@ -178,6 +178,8 @@ func MakeDefaultRoles() map[string]*Role {
 		Description: "authentication.roles.channel_user.description",
 		Permissions: []string{
 			PERMISSION_READ_CHANNEL.Id,
+			PERMISSION_ADD_REACTION.Id,
+			PERMISSION_REMOVE_REACTION.Id,
 			PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
 			PERMISSION_UPLOAD_FILE.Id,
 			PERMISSION_GET_PUBLIC_LINK.Id,
@@ -331,6 +333,7 @@ func MakeDefaultRoles() map[string]*Role {
 							PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
 							PERMISSION_READ_USER_ACCESS_TOKEN.Id,
 							PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+							PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
 						},
 						roles[TEAM_USER_ROLE_ID].Permissions...,
 					),
author	Jesús Espino <jespinog@gmail.com>	2018-02-19 12:13:29 +0100
committer	George Goldberg <george@gberg.me>	2018-02-19 11:13:29 +0000
commit	8891fa2a5e9e08eb9fa99ec163c47a6e9761a816 (patch)
tree	1cb5b375cbedf397d71ad8df3d009e4b5efb1357
parent	0e718a632a616bcfec4378f512182245b68f4fd8 (diff)
download	chat-8891fa2a5e9e08eb9fa99ec163c47a6e9761a816.tar.gz chat-8891fa2a5e9e08eb9fa99ec163c47a6e9761a816.tar.bz2 chat-8891fa2a5e9e08eb9fa99ec163c47a6e9761a816.zip