author | Joram Wilander <jwawilander@gmail.com> | 2017-01-23 08:12:05 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-01-23 08:12:05 -0500 |
commit | e9c9688b343049c6d461260bd15fff3486238f92 (patch) | |
tree | a112e51de0e7f9989b173b7dbc4ad89080cc0e34 /api/team.go | |
parent | b064457c745ae6bf27e5e6933a0a7406f3f4921d (diff) | |
Move permissions code into app package (#5146)
* Move permissions code into app package
* Revert getPosts permission
Diffstat (limited to 'api/team.go')
-rw-r--r-- | api/team.go | 175 |
1 files changed, 41 insertions, 134 deletions
diff --git a/api/team.go b/api/team.go
index 096e0a49f..2c5a25a3f 100644
--- a/api/team.go
+++ b/api/team.go
@@ -21,7 +21,7 @@ import (
 func InitTeam() {
 l4g.Debug(utils.T("api.team.init.debug"))
- BaseRoutes.Teams.Handle("/create", ApiAppHandler(createTeam)).Methods("POST")
+ BaseRoutes.Teams.Handle("/create", ApiUserRequired(createTeam)).Methods("POST")
 BaseRoutes.Teams.Handle("/all", ApiAppHandler(getAll)).Methods("GET")
 BaseRoutes.Teams.Handle("/all_team_listings", ApiUserRequired(GetAllTeamListings)).Methods("GET")
 BaseRoutes.Teams.Handle("/get_invite_info", ApiAppHandler(getInviteInfo)).Methods("POST")
@@ -56,74 +56,20 @@ func createTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- var user *model.User
- var err *model.AppError
- if len(c.Session.UserId) > 0 {
- if user, err = app.GetUser(c.Session.UserId); err != nil {
- c.Err = err
- return
- } else {
- team.Email = user.Email
- }
- }
-
- if !isTeamCreationAllowed(c, team.Email) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_TEAM) {
+ c.Err = model.NewLocAppError("createTeam", "api.team.is_team_creation_allowed.disabled.app_error", nil, "")
 return
 }
- rteam, err := app.CreateTeam(team)
+ rteam, err := app.CreateTeamWithUser(team, c.Session.UserId)
 if err != nil {
 c.Err = err
 return
 }
- if user != nil {
- err := app.JoinUserToTeam(team, user)
- if err != nil {
- c.Err = err
- return
- }
- }
-
 w.Write([]byte(rteam.ToJson()))
 }
-func isTeamCreationAllowed(c *Context, email string) bool {
-
- email = strings.ToLower(email)
-
- if !utils.Cfg.TeamSettings.EnableTeamCreation && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
- c.Err = model.NewLocAppError("isTeamCreationAllowed", "api.team.is_team_creation_allowed.disabled.app_error", nil, "")
- return false
- }
- c.Err = nil
-
- if user, err := app.GetUserByEmail(email); err == nil {
- if len(user.AuthService) > 0 && len(*user.AuthData) > 0 {
- return true
- }
- }
-
- // commas and @ signs are optional
- // can be in the form of "@corp.mattermost.com, mattermost.com mattermost.org" -> corp.mattermost.com mattermost.com mattermost.org
- domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(utils.Cfg.TeamSettings.RestrictCreationToDomains, "@", " ", -1), ",", " ", -1))))
-
- matched := false
- for _, d := range domains {
- if strings.HasSuffix(email, "@"+d) {
- matched = true
- break
- }
- }
-
- if len(utils.Cfg.TeamSettings.RestrictCreationToDomains) > 0 && !matched {
- c.Err = model.NewLocAppError("isTeamCreationAllowed", "api.team.is_team_creation_allowed.domain.app_error",
nil, "")
- return false
- }
-
- return true
-}
-
 func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) {
 var teams []*model.Team
 var err *model.AppError
@@ -136,10 +82,9 @@ func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) {
 m := make(map[string]*model.Team)
 for _, v := range teams {
 m[v.Id] = v
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM) {
 m[v.Id].Sanitize()
 }
- c.Err = nil
 }
 w.Write([]byte(model.TeamMapToJson(m)))
@@ -151,10 +96,9 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request) {
 var teams []*model.Team
 var err *model.AppError
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM) {
 teams, err = app.GetAllTeams()
 } else {
- c.Err = nil
 teams, err = app.GetTeamsForUser(c.Session.UserId)
 }
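Review bot: The replacement check in createTeam tests only `PERMISSION_CREATE_TEAM`, so the `TeamSettings.RestrictCreationToDomains` allowlist (and its bypass for users with `AuthService`/`AuthData`) that the deleted `isTeamCreationAllowed` enforced is not applied anywhere in this hunk; unless `app.CreateTeamWithUser` re-checks the creator's email domain, any user holding that permission can now create a team from a non-allowlisted domain, and the `EnableTeamCreation` toggle is presumably expected to be folded into the role mapping behind the permission — both need confirming. The hunk also stops overwriting `team.Email` with the session user's address, so the client-supplied `Email` reaches `CreateTeamWithUser` unless that function sets it itself. The permission failure builds `c.Err` via `NewLocAppError` with no status code while every other handler in this commit uses the context helper; prefer `c.SetPermissionError(model.PERMISSION_CREATE_TEAM)` so the client receives the same 403 as elsewhere. createTeam starts before this hunk.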
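Review bot: In GetAllTeamListings `app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM)` is evaluated once per team inside the `for _, v := range teams` loop although its answer cannot change between iterations, and the rest of this commit uses the session-based `app.SessionHasPermissionTo(c.Session, ...)` rather than the user-id form, which presumably has to resolve the user's roles on every call. Hoist it above the loop as `canSeeAll := app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM)` and reduce the loop body to `if !canSeeAll { m[v.Id].Sanitize() }`. GetAllTeamListings begins before this hunk.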
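Review bot: getAll now calls `app.HasPermissionTo(c.Session.UserId, ...)`, but the `/all` route is still registered with `ApiAppHandler` in the first hunk, so `c.Session.UserId` can be empty here; confirm the user-id form denies for an empty id rather than erroring, and that `app.GetTeamsForUser("")` returns nothing. For consistency with getTeamByName and getTeamStats in this same commit, `app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM)` is the better fit. getAll continues past this hunk.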
@@ -173,31 +117,21 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request)
 func inviteMembers(c *Context, w http.ResponseWriter, r *http.Request) {
 invites := model.InvitesFromJson(r.Body)
- if len(invites.Invites) == 0 {
- c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.no_one.app_error", nil, "")
- c.Err.StatusCode = http.StatusBadRequest
- return
- }
- if utils.IsLicensed {
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_INVITE_USER) {
- if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_SYSTEM_ADMIN {
- c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_system_admin.app_error", nil, "")
- }
- if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
- c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_team_admin.app_error", nil, "")
- }
- c.Err.StatusCode = http.StatusForbidden
- return
+ if utils.IsLicensed && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_INVITE_USER) {
+ errorId := ""
+ if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_SYSTEM_ADMIN {
+ errorId = "api.team.invite_members.restricted_system_admin.app_error"
+ } else if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
+ errorId = "api.team.invite_members.restricted_team_admin.app_error"
 }
- }
- emailList := make([]string, len(invites.Invites))
- for _, invite := range invites.Invites {
- emailList = append(emailList, invite["email"])
+ c.Err = model.NewLocAppError("inviteMembers", errorId, nil, "")
+ c.Err.StatusCode = http.StatusForbidden
+ return
 }
- if err := app.InviteNewUsersToTeam(emailList, c.TeamId, c.Session.UserId, c.GetSiteURL()); err != nil {
+ if err := app.InviteNewUsersToTeam(invites.ToEmailList(), c.TeamId, c.Session.UserId, c.GetSiteURL()); err != nil {
 c.Err = err
 return
 }
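Review bot: The `len(invites.Invites) == 0` → 400 guard is removed and `invites.ToEmailList()` is handed straight to `app.InviteNewUsersToTeam`, so an empty or unparseable body now reaches the invite path, and if `InvitesFromJson` returns nil on bad input the call `invites.ToEmailList()` dereferences nil — confirm its behavior. Restore the guard as `if invites == nil || len(invites.Invites) == 0 { c.SetInvalidParam("inviteMembers", "invites"); return }`. Separately, `errorId` stays `""` when `RestrictTeamInvite` is neither `PERMISSIONS_SYSTEM_ADMIN` nor `PERMISSIONS_TEAM_ADMIN`, producing an error with an empty message id; fall back to `c.SetPermissionError(model.PERMISSION_INVITE_USER)` in that case. The whole check still runs only when `utils.IsLicensed`, so unlicensed servers skip the permission test entirely — pre-existing, but worth a one-line comment stating that it is intentional.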
@@ -214,24 +148,12 @@ func addUserToTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- var team *model.Team
- var err *model.AppError
- if team, err = app.GetTeam(c.TeamId); err != nil {
- c.Err = err
- return
- }
-
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_ADD_USER_TO_TEAM) {
- return
- }
-
- var user *model.User
- if user, err = app.GetUser(userId); err != nil {
- c.Err = err
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_ADD_USER_TO_TEAM) {
+ c.SetPermissionError(model.PERMISSION_ADD_USER_TO_TEAM)
 return
 }
- if err := app.JoinUserToTeam(team, user); err != nil {
+ if _, err := app.AddUserToTeam(c.TeamId, c.Session.UserId); err != nil {
 c.Err = err
 return
 }
@@ -248,26 +170,14 @@ func removeUserFromTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- var team *model.Team
- var err *model.AppError
- if team, err = app.GetTeam(c.TeamId); err != nil {
- c.Err = err
- return
- }
-
- var user *model.User
- if user, err = app.GetUser(userId); err != nil {
- c.Err = err
- return
- }
-
- if c.Session.UserId != user.Id {
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_REMOVE_USER_FROM_TEAM) {
+ if c.Session.UserId != userId {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_REMOVE_USER_FROM_TEAM) {
+ c.SetPermissionError(model.PERMISSION_REMOVE_USER_FROM_TEAM)
 return
 }
 }
- if err := app.LeaveTeam(team, user); err != nil {
+ if err := app.RemoveUserFromTeam(c.TeamId, userId); err != nil {
 c.Err = err
 return
 }
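Review bot: `app.AddUserToTeam(c.TeamId, c.Session.UserId)` adds the caller rather than the user the request names: the removed lines resolved the target with `app.GetUser(userId)`, and the sibling removeUserFromTeam hunk keeps passing `userId`, so this handler now ignores its input and the `PERMISSION_ADD_USER_TO_TEAM` check only guards a self-join. Change it to `if _, err := app.AddUserToTeam(c.TeamId, userId); err != nil {`. The explicit `app.GetUser(userId)` existence check is also gone, so confirm `AddUserToTeam` reports an unknown user as a not-found error rather than succeeding. addUserToTeam starts before this hunk, where `userId` is read from the request.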
@@ -285,9 +195,9 @@ func addUserToTeamFromInvite(c *Context, w http.ResponseWriter, r *http.Request)
 var err *model.AppError
 if len(hash) > 0 {
- team, err = app.JoinUserToTeamByHash(c.Session.UserId, hash, data)
+ team, err = app.AddUserToTeamByHash(c.Session.UserId, hash, data)
 } else if len(inviteId) > 0 {
- team, err = app.JoinUserToTeamByInviteId(inviteId, c.Session.UserId)
+ team, err = app.AddUserToTeamByInviteId(inviteId, c.Session.UserId)
 } else {
 c.Err = model.NewLocAppError("addUserToTeamFromInvite", "api.user.create_user.signup_link_invalid.app_error", nil, "")
 return
@@ -326,7 +236,8 @@ func getTeamByName(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 } else {
 if team.Type != model.TEAM_OPEN && c.Session.GetTeamByTeamId(team.Id) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
@@ -363,7 +274,6 @@ func getMyTeamsUnread(c *Context, w http.ResponseWriter, r *http.Request) {
 func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 team := model.TeamFromJson(r.Body)
-
 if team == nil {
 c.SetInvalidParam("updateTeam", "team")
 return
@@ -371,9 +281,8 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 team.Id = c.TeamId
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_MANAGE_TEAM) {
- c.Err = model.NewLocAppError("updateTeam", "api.team.update_team.permissions.app_error", nil, "userId="+c.Session.UserId)
- c.Err.StatusCode = http.StatusForbidden
+ if !app.SessionHasPermissionToTeam(c.Session, team.Id, model.PERMISSION_MANAGE_TEAM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_TEAM)
 return
 }
@@ -386,12 +295,6 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- updatedTeam.Sanitize()
-
- message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_UPDATE_TEAM, "", "", "", nil)
- message.Add("team", updatedTeam.ToJson())
- go app.Publish(message)
-
 w.Write([]byte(updatedTeam.ToJson()))
 }
@@ -412,7 +315,8 @@ func updateMemberRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToTeamContext(c, teamId, model.PERMISSION_MANAGE_ROLES) {
+ if !app.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_MANAGE_TEAM_ROLES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_TEAM_ROLES)
 return
 }
@@ -446,7 +350,8 @@ func getMyTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 func getTeamStats(c *Context, w http.ResponseWriter, r *http.Request) {
 if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
@@ -461,9 +366,8 @@ func getTeamStats(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 func importTeam(c *Context, w http.ResponseWriter, r *http.Request) {
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_IMPORT_TEAM) {
- c.Err = model.NewLocAppError("importTeam", "api.team.import_team.admin.app_error", nil, "userId="+c.Session.UserId)
- c.Err.StatusCode = http.StatusForbidden
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_IMPORT_TEAM) {
+ c.SetPermissionError(model.PERMISSION_IMPORT_TEAM)
 return
 }
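Review bot: `updatedTeam.Sanitize()` and the `WEBSOCKET_EVENT_UPDATE_TEAM` publish are deleted while `w.Write([]byte(updatedTeam.ToJson()))` stays, so unless `app.UpdateTeam` (called just above this hunk) now sanitizes the team it returns and publishes the event itself, the response carries whatever fields `Sanitize` used to strip and connected clients no longer learn about the update. Confirm both moved into the app layer with this commit; if not, re-add the sanitize call and the three-line event publish before the write. updateTeam starts before this hunk.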
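Review bot: updateMemberRoles switches the gate from `PERMISSION_MANAGE_ROLES` to `PERMISSION_MANAGE_TEAM_ROLES`, a change in which permission protects the endpoint that the commit message (described as a code move) does not mention. Confirm the role definitions grant `PERMISSION_MANAGE_TEAM_ROLES` to exactly the roles that previously held `PERMISSION_MANAGE_ROLES`; if the new permission is granted more widely, for instance to team admins, this hunk broadens who can change member roles. updateMemberRoles starts before this hunk.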
@@ -569,7 +473,8 @@ func getTeamMembers(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
@@ -593,7 +498,8 @@ func getTeamMember(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
@@ -615,7 +521,8 @@ func getTeamMembersByIds(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
|
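Review bot: getTeamMembers (and the getTeamMember and getTeamMembersByIds hunks that follow on this line) check the system-scoped `PERMISSION_MANAGE_SYSTEM` through the team-scoped `app.SessionHasPermissionToTeam(c.Session, c.TeamId, ...)`, and by construction the guard only runs when `c.Session.GetTeamByTeamId(c.TeamId)` is nil, i.e. the caller holds no team role for that team. If the team-scoped helper consults only team roles this denies system admins; if it falls back to system roles it is merely inconsistent with getTeamByName and getTeamStats in this same commit, which use `app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM)`. Use that form in all three handlers. getTeamMembers starts before this hunk.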