Modifying permissions system. (#3897)

1 files changed, 17 insertions, 37 deletions

diff --git a/api/oauth.go b/api/oauth.go
index b1c7675ff..18a9979f6 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -53,12 +53,10 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
-		if !c.IsSystemAdmin() {
-			c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
-			c.Err.StatusCode = http.StatusForbidden
-			return
-		}
+	if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+		c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
+		c.Err.StatusCode = http.StatusForbidden
+		return
 	}
 
 	app := model.OAuthAppFromJson(r.Body)
@@ -94,18 +92,14 @@ func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	isSystemAdmin := c.IsSystemAdmin()
-
-	if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
-		if !isSystemAdmin {
-			c.Err = model.NewLocAppError("getOAuthAppsByUser", "api.command.admin_only.app_error", nil, "")
-			c.Err.StatusCode = http.StatusForbidden
-			return
-		}
+	if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+		c.Err = model.NewLocAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "")
+		c.Err.StatusCode = http.StatusForbidden
+		return
 	}
 
 	var ochan store.StoreChannel
-	if isSystemAdmin {
+	if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
 		ochan = Srv.Store.OAuth().GetApps()
 	} else {
 		ochan = Srv.Store.OAuth().GetAppByUser(c.Session.UserId)
@@ -872,14 +866,10 @@ func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	isSystemAdmin := c.IsSystemAdmin()
-
-	if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
-		if !isSystemAdmin {
-			c.Err = model.NewLocAppError("deleteOAuthApp", "api.command.admin_only.app_error", nil, "")
-			c.Err.StatusCode = http.StatusForbidden
-			return
-		}
+	if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+		c.Err = model.NewLocAppError("deleteOAuthApp", "api.command.admin_only.app_error", nil, "")
+		c.Err.StatusCode = http.StatusForbidden
+		return
 	}
 
 	c.LogAudit("attempt")
@@ -896,7 +886,7 @@ func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		c.Err = result.Err
 		return
 	} else {
-		if c.Session.UserId != result.Data.(*model.OAuthApp).CreatorId && !isSystemAdmin {
+		if c.Session.UserId != result.Data.(*model.OAuthApp).CreatorId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
 			c.LogAudit("fail - inappropriate permissions")
 			c.Err = model.NewLocAppError("deleteOAuthApp", "api.oauth.delete.permissions.app_error", nil, "user_id="+c.Session.UserId)
 			return
@@ -964,16 +954,6 @@ func regenerateOAuthSecret(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	isSystemAdmin := c.IsSystemAdmin()
-
-	if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
-		if !isSystemAdmin {
-			c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
-			c.Err.StatusCode = http.StatusForbidden
-			return
-		}
-	}
-
 	params := mux.Vars(r)
 	id := params["id"]
 
@@ -989,9 +969,9 @@ func regenerateOAuthSecret(c *Context, w http.ResponseWriter, r *http.Request) {
 	} else {
 		app = result.Data.(*model.OAuthApp)
 
-		//validate that is a System Admin or the same user that registered the app
-		if !isSystemAdmin && app.CreatorId != c.Session.UserId {
-			c.Err = model.NewLocAppError("regenerateOAuthSecret", "api.oauth.regenerate_secret.app_error", nil, "")
+		if app.CreatorId != c.Session.UserId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+			c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
+			c.Err.StatusCode = http.StatusForbidden
 			return
 		}