Modifying permissions system. (#3897)

author: Christopher Speller <crspeller@gmail.com> 2016-09-13 12:42:48 -0400
committer: Joram Wilander <jwawilander@gmail.com> 2016-09-13 12:42:48 -0400
commit: 1e7985a87a72bea9a308cf1506dacc828c6e2e1c (patch)
tree: d4251391dc74a9ff4628dd1bed551c34d806a1b6 /api/authorization.go
parent: 05af5d14b8d07b010c70750ae1ac5ddf22c120a7 (diff)
download: chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.tar.gz
chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.tar.bz2
chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.zip
1 files changed, 149 insertions, 0 deletions
diff --git a/api/authorization.go b/api/authorization.go
new file mode 100644
index 000000000..fb04b069b
--- /dev/null
+++ b/api/authorization.go
@@ -0,0 +1,149 @@
+// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api
+
+import (
+	"net/http"
+
+	l4g "github.com/alecthomas/log4go"
+	"github.com/mattermost/platform/model"
+)
+
+func HasPermissionToContext(c *Context, permission *model.Permission) bool {
+	userRoles := c.Session.GetUserRoles()
+	if !CheckIfRolesGrantPermission(userRoles, permission.Id) {
+		c.Err = model.NewLocAppError("HasPermissionToContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id+" "+model.RoleIdsToString(userRoles))
+		c.Err.StatusCode = http.StatusForbidden
+		return false
+	}
+
+	return true
+}
+
+func HasPermissionTo(user *model.User, permission *model.Permission) bool {
+	roles := user.GetRoles()
+
+	return CheckIfRolesGrantPermission(roles, permission.Id)
+}
+
+func HasPermissionToCurrentTeamContext(c *Context, permission *model.Permission) bool {
+	return HasPermissionToTeamContext(c, c.TeamId, permission)
+}
+
+func HasPermissionToTeamContext(c *Context, teamId string, permission *model.Permission) bool {
+	teamMember := c.Session.GetTeamByTeamId(teamId)
+	if teamMember != nil {
+		roles := teamMember.GetRoles()
+
+		if CheckIfRolesGrantPermission(roles, permission.Id) {
+			return true
+		}
+	}
+
+	if HasPermissionToContext(c, permission) {
+		return true
+	}
+
+	c.Err = model.NewLocAppError("HasPermissionToTeamContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id)
+	c.Err.StatusCode = http.StatusForbidden
+	return false
+}
+
+func HasPermissionToTeam(user *model.User, teamMember *model.TeamMember, permission *model.Permission) bool {
+	if teamMember == nil {
+		return false
+	}
+
+	roles := teamMember.GetRoles()
+
+	if CheckIfRolesGrantPermission(roles, permission.Id) {
+		return true
+	}
+
+	return HasPermissionTo(user, permission)
+}
+
+func HasPermissionToChannelContext(c *Context, channelId string, permission *model.Permission) bool {
+	cmc := Srv.Store.Channel().GetMember(channelId, c.Session.UserId)
+
+	var channelRoles []string
+	if cmcresult := <-cmc; cmcresult.Err == nil {
+		channelMember := cmcresult.Data.(model.ChannelMember)
+		channelRoles = channelMember.GetRoles()
+
+		if CheckIfRolesGrantPermission(channelRoles, permission.Id) {
+			return true
+		}
+	}
+
+	cc := Srv.Store.Channel().Get(channelId)
+	if ccresult := <-cc; ccresult.Err == nil {
+		channel := ccresult.Data.(*model.Channel)
+
+		if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil {
+			roles := teamMember.GetRoles()
+
+			if CheckIfRolesGrantPermission(roles, permission.Id) {
+				return true
+			}
+		}
+
+	}
+
+	if HasPermissionToContext(c, permission) {
+		return true
+	}
+
+	c.Err = model.NewLocAppError("HasPermissionToChannelContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles))
+	c.Err.StatusCode = http.StatusForbidden
+	return false
+}
+
+func HasPermissionToChannel(user *model.User, teamMember *model.TeamMember, channelMember *model.ChannelMember, permission *model.Permission) bool {
+	if channelMember == nil {
+		return false
+	}
+
+	roles := channelMember.GetRoles()
+
+	if CheckIfRolesGrantPermission(roles, permission.Id) {
+		return true
+	}
+
+	return HasPermissionToTeam(user, teamMember, permission)
+}
+
+func HasPermissionToUser(c *Context, userId string) bool {
+	// You are the user (users autmaticly have permissions to themselves)
+	if c.Session.UserId == userId {
+		return true
+	}
+
+	// You have permission
+	if HasPermissionToContext(c, model.PERMISSION_EDIT_OTHER_USERS) {
+		return true
+	}
+
+	c.Err = model.NewLocAppError("HasPermissionToUser", "api.context.permissions.app_error", nil, "userId="+userId)
+	c.Err.StatusCode = http.StatusForbidden
+	return false
+}
+
+func CheckIfRolesGrantPermission(roles []string, permissionId string) bool {
+	for _, roleId := range roles {
+		if role, ok := model.BuiltInRoles[roleId]; !ok {
+			l4g.Debug("Bad role in system " + roleId)
+			return false
+		} else {
+			permissions := role.Permissions
+			for _, permission := range permissions {
+				if permission == permissionId {
+					return true
+				}
+			}
+		}
+	}
+
+	return false
+}
author	Christopher Speller <crspeller@gmail.com>	2016-09-13 12:42:48 -0400
committer	Joram Wilander <jwawilander@gmail.com>	2016-09-13 12:42:48 -0400
commit	1e7985a87a72bea9a308cf1506dacc828c6e2e1c (patch)
tree	d4251391dc74a9ff4628dd1bed551c34d806a1b6 /api/authorization.go
parent	05af5d14b8d07b010c70750ae1ac5ddf22c120a7 (diff)
download	chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.tar.gz chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.tar.bz2 chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.zip