MM-10570: Make permissions reset command clear custom role assignments. (#8976)

12 files changed, 489 insertions, 1 deletions

diff --git a/app/permissions.go b/app/permissions.go
index d86ceab5d..8b4df7c56 100644
--- a/app/permissions.go
+++ b/app/permissions.go
@@ -27,6 +27,21 @@ func (a *App) ResetPermissionsSystem() *model.AppError {
 		return result.Err
 	}
 
+	// Reset all Custom Role assignments to Users.
+	if result := <-a.Srv.Store.User().ClearAllCustomRoleAssignments(); result.Err != nil {
+		return result.Err
+	}
+
+	// Reset all Custom Role assignments to TeamMembers.
+	if result := <-a.Srv.Store.Team().ClearAllCustomRoleAssignments(); result.Err != nil {
+		return result.Err
+	}
+
+	// Reset all Custom Role assignments to ChannelMembers.
+	if result := <-a.Srv.Store.Channel().ClearAllCustomRoleAssignments(); result.Err != nil {
+		return result.Err
+	}
+
 	// Purge all schemes from the database.
 	if result := <-a.Srv.Store.Scheme().PermanentDeleteAll(); result.Err != nil {
 		return result.Err
diff --git a/i18n/en.json b/i18n/en.json
index b4daa6f58..190aa4cea 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -1535,6 +1535,66 @@
     "translation": "Unable to open the Slack export zip file.\r\n"
   },
   {
+    "id": "store.sql_user.clear_all_custom_role_assignments.open_transaction.app_error",
+    "translation": "Failed to begin the database transaction"
+  },
+  {
+    "id": "store.sql_user.clear_all_custom_role_assignments.rollback_transaction.app_error",
+    "translation": "Failed to rollback the database transaction"
+  },
+  {
+    "id": "store.sql_user.clear_all_custom_role_assignments.select.app_error",
+    "translation": "Failed to retrieve the users"
+  },
+  {
+    "id": "store.sql_user.clear_all_custom_role_assignments.update.app_error",
+    "translation": "Failed to update the user"
+  },
+  {
+    "id": "store.sql_user.clear_all_custom_role_assignments.commit_transaction.app_error",
+    "translation": "Failed to commit the database transaction"
+  },
+  {
+    "id": "store.sql_team.clear_all_custom_role_assignments.open_transaction.app_error",
+    "translation": "Failed to begin the database transaction"
+  },
+  {
+    "id": "store.sql_team.clear_all_custom_role_assignments.rollback_transaction.app_error",
+    "translation": "Failed to rollback the database transaction"
+  },
+  {
+    "id": "store.sql_team.clear_all_custom_role_assignments.select.app_error",
+    "translation": "Failed to retrieve the team members"
+  },
+  {
+    "id": "store.sql_team.clear_all_custom_role_assignments.update.app_error",
+    "translation": "Failed to update the team member"
+  },
+  {
+    "id": "store.sql_team.clear_all_custom_role_assignments.commit_transaction.app_error",
+    "translation": "Failed to commit the database transaction"
+  },
+  {
+    "id": "store.sql_channel.clear_all_custom_role_assignments.open_transaction.app_error",
+    "translation": "Failed to begin the database transaction"
+  },
+  {
+    "id": "store.sql_channel.clear_all_custom_role_assignments.rollback_transaction.app_error",
+    "translation": "Failed to rollback the database transaction"
+  },
+  {
+    "id": "store.sql_channel.clear_all_custom_role_assignments.select.app_error",
+    "translation": "Failed to retrieve the channel members"
+  },
+  {
+    "id": "store.sql_channel.clear_all_custom_role_assignments.update.app_error",
+    "translation": "Failed to update the channel member"
+  },
+  {
+    "id": "store.sql_channel.clear_all_custom_role_assignments.commit_transaction.app_error",
+    "translation": "Failed to commit the database transaction"
+  },
+  {
     "id": "api.status.user_not_found.app_error",
     "translation": "User not found"
   },
diff --git a/store/sqlstore/channel_store.go b/store/sqlstore/channel_store.go
index 476665514..eb88bc42a 100644
--- a/store/sqlstore/channel_store.go
+++ b/store/sqlstore/channel_store.go
@@ -1784,3 +1784,72 @@ func (s SqlChannelStore) ResetAllChannelSchemes() store.StoreChannel {
 		}
 	})
 }
+
+func (s SqlChannelStore) ClearAllCustomRoleAssignments() store.StoreChannel {
+	return store.Do(func(result *store.StoreResult) {
+		builtInRoles := model.MakeDefaultRoles()
+		lastUserId := strings.Repeat("0", 26)
+		lastChannelId := strings.Repeat("0", 26)
+
+		for true {
+			var transaction *gorp.Transaction
+			var err error
+
+			if transaction, err = s.GetMaster().Begin(); err != nil {
+				result.Err = model.NewAppError("SqlChannelStore.ClearAllCustomRoleAssignments", "store.sql_channel.clear_all_custom_role_assignments.open_transaction.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			var channelMembers []*channelMember
+			if _, err := transaction.Select(&channelMembers, "SELECT * from ChannelMembers WHERE (ChannelId, UserId) > (:ChannelId, :UserId) ORDER BY ChannelId, UserId LIMIT 1000", map[string]interface{}{"ChannelId": lastChannelId, "UserId": lastUserId}); err != nil {
+				if err2 := transaction.Rollback(); err2 != nil {
+					result.Err = model.NewAppError("SqlChannelStore.ClearAllCustomRoleAssignments", "store.sql_channel.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+					return
+				}
+				result.Err = model.NewAppError("SqlChannelStore.ClearAllCustomRoleAssignments", "store.sql_channel.clear_all_custom_role_assignments.select.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			if len(channelMembers) == 0 {
+				break
+			}
+
+			for _, member := range channelMembers {
+				lastUserId = member.UserId
+				lastChannelId = member.ChannelId
+
+				var newRoles []string
+
+				for _, role := range strings.Fields(member.Roles) {
+					for name := range builtInRoles {
+						if name == role {
+							newRoles = append(newRoles, role)
+							break
+						}
+					}
+				}
+
+				newRolesString := strings.Join(newRoles, " ")
+				if newRolesString != member.Roles {
+					if _, err := transaction.Exec("UPDATE ChannelMembers SET Roles = :Roles WHERE UserId = :UserId AND ChannelId = :ChannelId", map[string]interface{}{"Roles": newRolesString, "ChannelId": member.ChannelId, "UserId": member.UserId}); err != nil {
+						if err2 := transaction.Rollback(); err2 != nil {
+							result.Err = model.NewAppError("SqlChannelStore.ClearAllCustomRoleAssignments", "store.sql_channel.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+							return
+						}
+						result.Err = model.NewAppError("SqlChannelStore.ClearAllCustomRoleAssignments", "store.sql_channel.clear_all_custom_role_assignments.update.app_error", nil, err.Error(), http.StatusInternalServerError)
+						return
+					}
+				}
+			}
+
+			if err := transaction.Commit(); err != nil {
+				if err2 := transaction.Rollback(); err2 != nil {
+					result.Err = model.NewAppError("SqlChannelStore.ClearAllCustomRoleAssignments", "store.sql_channel.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+					return
+				}
+				result.Err = model.NewAppError("SqlChannelStore.ClearAllCustomRoleAssignments", "store.sql_channel.clear_all_custom_role_assignments.commit_transaction.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+		}
+	})
+}
diff --git a/store/sqlstore/team_store.go b/store/sqlstore/team_store.go
index 95b73e542..65b767430 100644
--- a/store/sqlstore/team_store.go
+++ b/store/sqlstore/team_store.go
@@ -806,3 +806,72 @@ func (s SqlTeamStore) ResetAllTeamSchemes() store.StoreChannel {
 		}
 	})
 }
+
+func (s SqlTeamStore) ClearAllCustomRoleAssignments() store.StoreChannel {
+	return store.Do(func(result *store.StoreResult) {
+		builtInRoles := model.MakeDefaultRoles()
+		lastUserId := strings.Repeat("0", 26)
+		lastTeamId := strings.Repeat("0", 26)
+
+		for true {
+			var transaction *gorp.Transaction
+			var err error
+
+			if transaction, err = s.GetMaster().Begin(); err != nil {
+				result.Err = model.NewAppError("SqlTeamStore.ClearAllCustomRoleAssignments", "store.sql_team.clear_all_custom_role_assignments.open_transaction.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			var teamMembers []*teamMember
+			if _, err := transaction.Select(&teamMembers, "SELECT * from TeamMembers WHERE (TeamId, UserId) > (:TeamId, :UserId) ORDER BY TeamId, UserId LIMIT 1000", map[string]interface{}{"TeamId": lastTeamId, "UserId": lastUserId}); err != nil {
+				if err2 := transaction.Rollback(); err2 != nil {
+					result.Err = model.NewAppError("SqlTeamStore.ClearAllCustomRoleAssignments", "store.sql_team.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+					return
+				}
+				result.Err = model.NewAppError("SqlTeamStore.ClearAllCustomRoleAssignments", "store.sql_team.clear_all_custom_role_assignments.select.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			if len(teamMembers) == 0 {
+				break
+			}
+
+			for _, member := range teamMembers {
+				lastUserId = member.UserId
+				lastTeamId = member.TeamId
+
+				var newRoles []string
+
+				for _, role := range strings.Fields(member.Roles) {
+					for name := range builtInRoles {
+						if name == role {
+							newRoles = append(newRoles, role)
+							break
+						}
+					}
+				}
+
+				newRolesString := strings.Join(newRoles, " ")
+				if newRolesString != member.Roles {
+					if _, err := transaction.Exec("UPDATE TeamMembers SET Roles = :Roles WHERE UserId = :UserId AND TeamId = :TeamId", map[string]interface{}{"Roles": newRolesString, "TeamId": member.TeamId, "UserId": member.UserId}); err != nil {
+						if err2 := transaction.Rollback(); err2 != nil {
+							result.Err = model.NewAppError("SqlTeamStore.ClearAllCustomRoleAssignments", "store.sql_team.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+							return
+						}
+						result.Err = model.NewAppError("SqlTeamStore.ClearAllCustomRoleAssignments", "store.sql_team.clear_all_custom_role_assignments.update.app_error", nil, err.Error(), http.StatusInternalServerError)
+						return
+					}
+				}
+			}
+
+			if err := transaction.Commit(); err != nil {
+				if err2 := transaction.Rollback(); err2 != nil {
+					result.Err = model.NewAppError("SqlTeamStore.ClearAllCustomRoleAssignments", "store.sql_team.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+					return
+				}
+				result.Err = model.NewAppError("SqlTeamStore.ClearAllCustomRoleAssignments", "store.sql_team.clear_all_custom_role_assignments.commit_transaction.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+		}
+	})
+}
diff --git a/store/sqlstore/user_store.go b/store/sqlstore/user_store.go
index a695e4aa8..203ad4c26 100644
--- a/store/sqlstore/user_store.go
+++ b/store/sqlstore/user_store.go
@@ -10,6 +10,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/mattermost/gorp"
+
 	"github.com/mattermost/mattermost-server/einterfaces"
 	"github.com/mattermost/mattermost-server/model"
 	"github.com/mattermost/mattermost-server/store"
@@ -1247,3 +1249,70 @@ func (us SqlUserStore) GetEtagForProfilesNotInTeam(teamId string) store.StoreCha
 		}
 	})
 }
+
+func (us SqlUserStore) ClearAllCustomRoleAssignments() store.StoreChannel {
+	return store.Do(func(result *store.StoreResult) {
+		builtInRoles := model.MakeDefaultRoles()
+		lastUserId := strings.Repeat("0", 26)
+
+		for true {
+			var transaction *gorp.Transaction
+			var err error
+
+			if transaction, err = us.GetMaster().Begin(); err != nil {
+				result.Err = model.NewAppError("SqlUserStore.ClearAllCustomRoleAssignments", "store.sql_user.clear_all_custom_role_assignments.open_transaction.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			var users []*model.User
+			if _, err := transaction.Select(&users, "SELECT * from Users WHERE Id > :Id ORDER BY Id LIMIT 1000", map[string]interface{}{"Id": lastUserId}); err != nil {
+				if err2 := transaction.Rollback(); err2 != nil {
+					result.Err = model.NewAppError("SqlUserStore.ClearAllCustomRoleAssignments", "store.sql_user.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+					return
+				}
+				result.Err = model.NewAppError("SqlUserStore.ClearAllCustomRoleAssignments", "store.sql_user.clear_all_custom_role_assignments.select.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			if len(users) == 0 {
+				break
+			}
+
+			for _, user := range users {
+				lastUserId = user.Id
+
+				var newRoles []string
+
+				for _, role := range strings.Fields(user.Roles) {
+					for name := range builtInRoles {
+						if name == role {
+							newRoles = append(newRoles, role)
+							break
+						}
+					}
+				}
+
+				newRolesString := strings.Join(newRoles, " ")
+				if newRolesString != user.Roles {
+					if _, err := transaction.Exec("UPDATE Users SET Roles = :Roles WHERE Id = :Id", map[string]interface{}{"Roles": newRolesString, "Id": user.Id}); err != nil {
+						if err2 := transaction.Rollback(); err2 != nil {
+							result.Err = model.NewAppError("SqlUserStore.ClearAllCustomRoleAssignments", "store.sql_user.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+							return
+						}
+						result.Err = model.NewAppError("SqlUserStore.ClearAllCustomRoleAssignments", "store.sql_user.clear_all_custom_role_assignments.update.app_error", nil, err.Error(), http.StatusInternalServerError)
+						return
+					}
+				}
+			}
+
+			if err := transaction.Commit(); err != nil {
+				if err2 := transaction.Rollback(); err2 != nil {
+					result.Err = model.NewAppError("SqlUserStore.ClearAllCustomRoleAssignments", "store.sql_user.clear_all_custom_role_assignments.rollback_transaction.app_error", nil, err2.Error(), http.StatusInternalServerError)
+					return
+				}
+				result.Err = model.NewAppError("SqlUserStore.ClearAllCustomRoleAssignments", "store.sql_user.clear_all_custom_role_assignments.commit_transaction.app_error", nil, err.Error(), http.StatusInternalServerError)
+				return
+			}
+		}
+	})
+}
diff --git a/store/store.go b/store/store.go
index ce5213572..3ec136f0b 100644
--- a/store/store.go
+++ b/store/store.go
@@ -107,6 +107,7 @@ type TeamStore interface {
 	GetTeamsByScheme(schemeId string, offset int, limit int) StoreChannel
 	MigrateTeamMembers(fromTeamId string, fromUserId string) StoreChannel
 	ResetAllTeamSchemes() StoreChannel
+	ClearAllCustomRoleAssignments() StoreChannel
 }
 
 type ChannelStore interface {
@@ -167,6 +168,7 @@ type ChannelStore interface {
 	GetChannelsByScheme(schemeId string, offset int, limit int) StoreChannel
 	MigrateChannelMembers(fromChannelId string, fromUserId string) StoreChannel
 	ResetAllChannelSchemes() StoreChannel
+	ClearAllCustomRoleAssignments() StoreChannel
 }
 
 type ChannelMemberHistoryStore interface {
@@ -258,6 +260,7 @@ type UserStore interface {
 	AnalyticsGetSystemAdminCount() StoreChannel
 	GetProfilesNotInTeam(teamId string, offset int, limit int) StoreChannel
 	GetEtagForProfilesNotInTeam(teamId string) StoreChannel
+	ClearAllCustomRoleAssignments() StoreChannel
 }
 
 type SessionStore interface {
diff --git a/store/storetest/channel_store.go b/store/storetest/channel_store.go
index eea79d42f..ecec7fab9 100644
--- a/store/storetest/channel_store.go
+++ b/store/storetest/channel_store.go
@@ -55,6 +55,7 @@ func TestChannelStore(t *testing.T, ss store.Store) {
 	t.Run("GetChannelsByScheme", func(t *testing.T) { testChannelStoreGetChannelsByScheme(t, ss) })
 	t.Run("MigrateChannelMembers", func(t *testing.T) { testChannelStoreMigrateChannelMembers(t, ss) })
 	t.Run("ResetAllChannelSchemes", func(t *testing.T) { testResetAllChannelSchemes(t, ss) })
+	t.Run("ClearAllCustomRoleAssignments", func(t *testing.T) { testChannelStoreClearAllCustomRoleAssignments(t, ss) })
 
 }
 
@@ -2358,3 +2359,62 @@ func testResetAllChannelSchemes(t *testing.T, ss store.Store) {
 	assert.Equal(t, "", *c1.SchemeId)
 	assert.Equal(t, "", *c2.SchemeId)
 }
+
+func testChannelStoreClearAllCustomRoleAssignments(t *testing.T, ss store.Store) {
+	c := &model.Channel{
+		TeamId:      model.NewId(),
+		DisplayName: "Name",
+		Name:        model.NewId(),
+		Type:        model.CHANNEL_OPEN,
+	}
+
+	c = (<-ss.Channel().Save(c, 100)).Data.(*model.Channel)
+
+	m1 := &model.ChannelMember{
+		ChannelId:     c.Id,
+		UserId:        model.NewId(),
+		NotifyProps:   model.GetDefaultChannelNotifyProps(),
+		ExplicitRoles: "channel_user channel_admin system_user_access_token",
+	}
+	m2 := &model.ChannelMember{
+		ChannelId:     c.Id,
+		UserId:        model.NewId(),
+		NotifyProps:   model.GetDefaultChannelNotifyProps(),
+		ExplicitRoles: "channel_user custom_role channel_admin another_custom_role",
+	}
+	m3 := &model.ChannelMember{
+		ChannelId:     c.Id,
+		UserId:        model.NewId(),
+		NotifyProps:   model.GetDefaultChannelNotifyProps(),
+		ExplicitRoles: "channel_user",
+	}
+	m4 := &model.ChannelMember{
+		ChannelId:     c.Id,
+		UserId:        model.NewId(),
+		NotifyProps:   model.GetDefaultChannelNotifyProps(),
+		ExplicitRoles: "custom_only",
+	}
+
+	store.Must(ss.Channel().SaveMember(m1))
+	store.Must(ss.Channel().SaveMember(m2))
+	store.Must(ss.Channel().SaveMember(m3))
+	store.Must(ss.Channel().SaveMember(m4))
+
+	require.Nil(t, (<-ss.Channel().ClearAllCustomRoleAssignments()).Err)
+
+	r1 := <-ss.Channel().GetMember(m1.ChannelId, m1.UserId)
+	require.Nil(t, r1.Err)
+	assert.Equal(t, m1.ExplicitRoles, r1.Data.(*model.ChannelMember).Roles)
+
+	r2 := <-ss.Channel().GetMember(m2.ChannelId, m2.UserId)
+	require.Nil(t, r2.Err)
+	assert.Equal(t, "channel_user channel_admin", r2.Data.(*model.ChannelMember).Roles)
+
+	r3 := <-ss.Channel().GetMember(m3.ChannelId, m3.UserId)
+	require.Nil(t, r3.Err)
+	assert.Equal(t, m3.ExplicitRoles, r3.Data.(*model.ChannelMember).Roles)
+
+	r4 := <-ss.Channel().GetMember(m4.ChannelId, m4.UserId)
+	require.Nil(t, r4.Err)
+	assert.Equal(t, "", r4.Data.(*model.ChannelMember).Roles)
+}
diff --git a/store/storetest/mocks/ChannelStore.go b/store/storetest/mocks/ChannelStore.go
index 114914bb8..4929557ea 100644
--- a/store/storetest/mocks/ChannelStore.go
+++ b/store/storetest/mocks/ChannelStore.go
@@ -61,6 +61,22 @@ func (_m *ChannelStore) AutocompleteInTeam(teamId string, term string) store.Sto
 	return r0
 }
 
+// ClearAllCustomRoleAssignments provides a mock function with given fields:
+func (_m *ChannelStore) ClearAllCustomRoleAssignments() store.StoreChannel {
+	ret := _m.Called()
+
+	var r0 store.StoreChannel
+	if rf, ok := ret.Get(0).(func() store.StoreChannel); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(store.StoreChannel)
+		}
+	}
+
+	return r0
+}
+
 // ClearCaches provides a mock function with given fields:
 func (_m *ChannelStore) ClearCaches() {
 	_m.Called()
diff --git a/store/storetest/mocks/TeamStore.go b/store/storetest/mocks/TeamStore.go
index ee9999bad..47ea6587b 100644
--- a/store/storetest/mocks/TeamStore.go
+++ b/store/storetest/mocks/TeamStore.go
@@ -29,6 +29,22 @@ func (_m *TeamStore) AnalyticsTeamCount() store.StoreChannel {
 	return r0
 }
 
+// ClearAllCustomRoleAssignments provides a mock function with given fields:
+func (_m *TeamStore) ClearAllCustomRoleAssignments() store.StoreChannel {
+	ret := _m.Called()
+
+	var r0 store.StoreChannel
+	if rf, ok := ret.Get(0).(func() store.StoreChannel); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(store.StoreChannel)
+		}
+	}
+
+	return r0
+}
+
 // Get provides a mock function with given fields: id
 func (_m *TeamStore) Get(id string) store.StoreChannel {
 	ret := _m.Called(id)
diff --git a/store/storetest/mocks/UserStore.go b/store/storetest/mocks/UserStore.go
index 6fc787de7..760b6e934 100644
--- a/store/storetest/mocks/UserStore.go
+++ b/store/storetest/mocks/UserStore.go
@@ -77,6 +77,22 @@ func (_m *UserStore) AnalyticsUniqueUserCount(teamId string) store.StoreChannel
 	return r0
 }
 
+// ClearAllCustomRoleAssignments provides a mock function with given fields:
+func (_m *UserStore) ClearAllCustomRoleAssignments() store.StoreChannel {
+	ret := _m.Called()
+
+	var r0 store.StoreChannel
+	if rf, ok := ret.Get(0).(func() store.StoreChannel); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(store.StoreChannel)
+		}
+	}
+
+	return r0
+}
+
 // ClearCaches provides a mock function with given fields:
 func (_m *UserStore) ClearCaches() {
 	_m.Called()
diff --git a/store/storetest/team_store.go b/store/storetest/team_store.go
index 346b55c18..f21583cd1 100644
--- a/store/storetest/team_store.go
+++ b/store/storetest/team_store.go
@@ -9,10 +9,10 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/mattermost/mattermost-server/model"
 	"github.com/mattermost/mattermost-server/store"
-	"github.com/stretchr/testify/require"
 )
 
 func TestTeamStore(t *testing.T, ss store.Store) {
@@ -43,6 +43,7 @@ func TestTeamStore(t *testing.T, ss store.Store) {
 	t.Run("GetTeamsByScheme", func(t *testing.T) { testGetTeamsByScheme(t, ss) })
 	t.Run("MigrateTeamMembers", func(t *testing.T) { testTeamStoreMigrateTeamMembers(t, ss) })
 	t.Run("ResetAllTeamSchemes", func(t *testing.T) { testResetAllTeamSchemes(t, ss) })
+	t.Run("ClearAllCustomRoleAssignments", func(t *testing.T) { testTeamStoreClearAllCustomRoleAssignments(t, ss) })
 }
 
 func testTeamStoreSave(t *testing.T, ss store.Store) {
@@ -1245,3 +1246,49 @@ func testResetAllTeamSchemes(t *testing.T, ss store.Store) {
 	assert.Equal(t, "", *t1.SchemeId)
 	assert.Equal(t, "", *t2.SchemeId)
 }
+
+func testTeamStoreClearAllCustomRoleAssignments(t *testing.T, ss store.Store) {
+	m1 := &model.TeamMember{
+		TeamId:        model.NewId(),
+		UserId:        model.NewId(),
+		ExplicitRoles: "team_user team_admin team_post_all_public",
+	}
+	m2 := &model.TeamMember{
+		TeamId:        model.NewId(),
+		UserId:        model.NewId(),
+		ExplicitRoles: "team_user custom_role team_admin another_custom_role",
+	}
+	m3 := &model.TeamMember{
+		TeamId:        model.NewId(),
+		UserId:        model.NewId(),
+		ExplicitRoles: "team_user",
+	}
+	m4 := &model.TeamMember{
+		TeamId:        model.NewId(),
+		UserId:        model.NewId(),
+		ExplicitRoles: "custom_only",
+	}
+
+	store.Must(ss.Team().SaveMember(m1, -1))
+	store.Must(ss.Team().SaveMember(m2, -1))
+	store.Must(ss.Team().SaveMember(m3, -1))
+	store.Must(ss.Team().SaveMember(m4, -1))
+
+	require.Nil(t, (<-ss.Team().ClearAllCustomRoleAssignments()).Err)
+
+	r1 := <-ss.Team().GetMember(m1.TeamId, m1.UserId)
+	require.Nil(t, r1.Err)
+	assert.Equal(t, m1.ExplicitRoles, r1.Data.(*model.TeamMember).Roles)
+
+	r2 := <-ss.Team().GetMember(m2.TeamId, m2.UserId)
+	require.Nil(t, r2.Err)
+	assert.Equal(t, "team_user team_admin", r2.Data.(*model.TeamMember).Roles)
+
+	r3 := <-ss.Team().GetMember(m3.TeamId, m3.UserId)
+	require.Nil(t, r3.Err)
+	assert.Equal(t, m3.ExplicitRoles, r3.Data.(*model.TeamMember).Roles)
+
+	r4 := <-ss.Team().GetMember(m4.TeamId, m4.UserId)
+	require.Nil(t, r4.Err)
+	assert.Equal(t, "", r4.Data.(*model.TeamMember).Roles)
+}
diff --git a/store/storetest/user_store.go b/store/storetest/user_store.go
index 66f54df39..2c5e3b0bf 100644
--- a/store/storetest/user_store.go
+++ b/store/storetest/user_store.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/mattermost/mattermost-server/model"
 	"github.com/mattermost/mattermost-server/store"
@@ -49,6 +50,7 @@ func TestUserStore(t *testing.T, ss store.Store) {
 	t.Run("AnalyticsGetInactiveUsersCount", func(t *testing.T) { testUserStoreAnalyticsGetInactiveUsersCount(t, ss) })
 	t.Run("AnalyticsGetSystemAdminCount", func(t *testing.T) { testUserStoreAnalyticsGetSystemAdminCount(t, ss) })
 	t.Run("GetProfilesNotInTeam", func(t *testing.T) { testUserStoreGetProfilesNotInTeam(t, ss) })
+	t.Run("ClearAllCustomRoleAssignments", func(t *testing.T) { testUserStoreClearAllCustomRoleAssignments(t, ss) })
 }
 
 func testUserStoreSave(t *testing.T, ss store.Store) {
@@ -2118,3 +2120,49 @@ func testUserStoreGetProfilesNotInTeam(t *testing.T, ss store.Store) {
 		}
 	}
 }
+
+func testUserStoreClearAllCustomRoleAssignments(t *testing.T, ss store.Store) {
+	u1 := model.User{
+		Email:    model.NewId(),
+		Username: model.NewId(),
+		Roles:    "system_user system_admin system_post_all",
+	}
+	u2 := model.User{
+		Email:    model.NewId(),
+		Username: model.NewId(),
+		Roles:    "system_user custom_role system_admin another_custom_role",
+	}
+	u3 := model.User{
+		Email:    model.NewId(),
+		Username: model.NewId(),
+		Roles:    "system_user",
+	}
+	u4 := model.User{
+		Email:    model.NewId(),
+		Username: model.NewId(),
+		Roles:    "custom_only",
+	}
+
+	store.Must(ss.User().Save(&u1))
+	store.Must(ss.User().Save(&u2))
+	store.Must(ss.User().Save(&u3))
+	store.Must(ss.User().Save(&u4))
+
+	require.Nil(t, (<-ss.User().ClearAllCustomRoleAssignments()).Err)
+
+	r1 := <-ss.User().GetByUsername(u1.Username)
+	require.Nil(t, r1.Err)
+	assert.Equal(t, u1.Roles, r1.Data.(*model.User).Roles)
+
+	r2 := <-ss.User().GetByUsername(u2.Username)
+	require.Nil(t, r2.Err)
+	assert.Equal(t, "system_user system_admin", r2.Data.(*model.User).Roles)
+
+	r3 := <-ss.User().GetByUsername(u3.Username)
+	require.Nil(t, r3.Err)
+	assert.Equal(t, u3.Roles, r3.Data.(*model.User).Roles)
+
+	r4 := <-ss.User().GetByUsername(u4.Username)
+	require.Nil(t, r4.Err)
+	assert.Equal(t, "", r4.Data.(*model.User).Roles)
+}