diff options
author | George Goldberg <george@gberg.me> | 2018-02-06 15:34:08 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-06 15:34:08 +0000 |
commit | e1cd64613591cf5a990442a69ebf188258bd0cb5 (patch) | |
tree | ad9f247a2c75b0bc03de93dbbfc038afb6b69545 /api/team_test.go | |
parent | 1c7f25773a77ceb9e84feabe3907e7f93f6870e4 (diff) | |
download | chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.gz chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.bz2 chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.zip |
XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)
* XYZ-13: Update Permission and Role structs to new design.
* XYZ-10: Role store.
* XYZ-9/XYZ-44: Roles API endpoints and WebSocket message.
* XYZ-8: Switch server permissions checks to store backed roles.
* XYZ-58: Proper validation of roles where required.
* XYZ-11/XYZ-55: Migration to store backed roles from policy config.
* XYZ-37: Update unit tests to work with database roles.
* XYZ-56: Remove the "guest" role.
* Changes to SetDefaultRolesFromConfig.
* Short-circuit the store if nothing has changed.
* Address first round of review comments.
* Address second round of review comments.
Diffstat (limited to 'api/team_test.go')
-rw-r--r-- | api/team_test.go | 100 |
1 files changed, 22 insertions, 78 deletions
diff --git a/api/team_test.go b/api/team_test.go index b1c892544..3db454b62 100644 --- a/api/team_test.go +++ b/api/team_test.go @@ -139,32 +139,17 @@ func TestAddUserToTeam(t *testing.T) { t.Fatal(err) } - // Restore config/license at end of test case. - restrictTeamInvite := *th.App.Config().TeamSettings.RestrictTeamInvite - isLicensed := utils.IsLicensed() - license := utils.License() + // Check the appropriate permissions are enforced. + defaultRolePermissions := th.SaveDefaultRolePermissions() defer func() { - th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite }) - utils.SetIsLicensed(isLicensed) - utils.SetLicense(license) - th.App.SetDefaultRolesBasedOnConfig() + th.RestoreDefaultRolePermissions(defaultRolePermissions) }() // Set the config so that only team admins can add a user to a team. - th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN }) - th.App.SetDefaultRolesBasedOnConfig() - - // Test without the EE license to see that the permission restriction is ignored. - user3 := th.CreateUser(th.BasicClient) - if _, err := th.BasicClient.AddUserToTeam(th.BasicTeam.Id, user3.Id); err != nil { - t.Fatal(err) - } - - // Add an EE license. - utils.SetIsLicensed(true) - utils.SetLicense(&model.License{Features: &model.Features{}}) - utils.License().Features.SetDefaults() - th.App.SetDefaultRolesBasedOnConfig() + th.AddPermissionToRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_ADMIN_ROLE_ID) + th.AddPermissionToRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_ADMIN_ROLE_ID) + th.RemovePermissionFromRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_USER_ROLE_ID) + th.RemovePermissionFromRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_USER_ROLE_ID) // Check that a regular user can't add someone to the team. user4 := th.CreateUser(th.BasicClient) @@ -175,32 +160,17 @@ func TestAddUserToTeam(t *testing.T) { // Should work as team admin. th.UpdateUserToTeamAdmin(th.BasicUser, th.BasicTeam) th.App.InvalidateAllCaches() - th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN }) - utils.SetIsLicensed(true) - utils.SetLicense(&model.License{Features: &model.Features{}}) - utils.License().Features.SetDefaults() - th.App.SetDefaultRolesBasedOnConfig() + + // Change permission level to team user + th.AddPermissionToRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_USER_ROLE_ID) + th.AddPermissionToRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_USER_ROLE_ID) + th.RemovePermissionFromRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_ADMIN_ROLE_ID) + th.RemovePermissionFromRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_ADMIN_ROLE_ID) user5 := th.CreateUser(th.BasicClient) if _, err := th.BasicClient.AddUserToTeam(th.BasicTeam.Id, user5.Id); err != nil { t.Fatal(err) } - - // Change permission level to System Admin - th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_SYSTEM_ADMIN }) - th.App.SetDefaultRolesBasedOnConfig() - - // Should not work as team admin. - user6 := th.CreateUser(th.BasicClient) - if _, err := th.BasicClient.AddUserToTeam(th.BasicTeam.Id, user6.Id); err == nil { - t.Fatal("should have failed due to permissions error") - } - - // Should work as system admin. - user7 := th.CreateUser(th.BasicClient) - if _, err := th.SystemAdminClient.AddUserToTeam(th.BasicTeam.Id, user7.Id); err != nil { - t.Fatal(err) - } } func TestRemoveUserFromTeam(t *testing.T) { @@ -534,7 +504,6 @@ func TestInviteMembers(t *testing.T) { defer th.TearDown() Client := th.BasicClient - SystemAdminClient := th.SystemAdminClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) @@ -565,33 +534,21 @@ func TestInviteMembers(t *testing.T) { t.Fatal("Should have errored out on no invites to send") } - restrictTeamInvite := *th.App.Config().TeamSettings.RestrictTeamInvite + // Check the appropriate permissions are enforced. + defaultRolePermissions := th.SaveDefaultRolePermissions() defer func() { - th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite }) - th.App.SetDefaultRolesBasedOnConfig() + th.RestoreDefaultRolePermissions(defaultRolePermissions) }() - th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN }) - th.App.SetDefaultRolesBasedOnConfig() + + // Set the config so that only team admins can add a user to a team. + th.AddPermissionToRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_ADMIN_ROLE_ID) + th.AddPermissionToRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_ADMIN_ROLE_ID) + th.RemovePermissionFromRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_USER_ROLE_ID) + th.RemovePermissionFromRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_USER_ROLE_ID) th.LoginBasic2() th.LinkUserToTeam(th.BasicUser2, team) - if _, err := Client.InviteMembers(invites); err != nil { - t.Fatal(err) - } - - isLicensed := utils.IsLicensed() - license := utils.License() - defer func() { - utils.SetIsLicensed(isLicensed) - utils.SetLicense(license) - th.App.SetDefaultRolesBasedOnConfig() - }() - utils.SetIsLicensed(true) - utils.SetLicense(&model.License{Features: &model.Features{}}) - utils.License().Features.SetDefaults() - th.App.SetDefaultRolesBasedOnConfig() - if _, err := Client.InviteMembers(invites); err == nil { t.Fatal("should have errored not team admin and licensed") } @@ -604,19 +561,6 @@ func TestInviteMembers(t *testing.T) { if _, err := Client.InviteMembers(invites); err != nil { t.Fatal(err) } - - th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_SYSTEM_ADMIN }) - th.App.SetDefaultRolesBasedOnConfig() - - if _, err := Client.InviteMembers(invites); err == nil { - t.Fatal("should have errored not system admin and licensed") - } - - th.LinkUserToTeam(th.SystemAdminUser, team) - - if _, err := SystemAdminClient.InviteMembers(invites); err != nil { - t.Fatal(err) - } } func TestUpdateTeamDisplayName(t *testing.T) { |