XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)

* XYZ-13: Update Permission and Role structs to new design.

* XYZ-10: Role store.

* XYZ-9/XYZ-44: Roles API endpoints and WebSocket message.

* XYZ-8: Switch server permissions checks to store backed roles.

* XYZ-58: Proper validation of roles where required.

* XYZ-11/XYZ-55: Migration to store backed roles from policy config.

* XYZ-37: Update unit tests to work with database roles.

* XYZ-56: Remove the "guest" role.

* Changes to SetDefaultRolesFromConfig.

* Short-circuit the store if nothing has changed.

* Address first round of review comments.

* Address second round of review comments.

1 files changed, 44 insertions, 407 deletions

diff --git a/api4/channel_test.go b/api4/channel_test.go
index 724b0d84b..4deceb4c4 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -14,7 +14,6 @@ import (
 
 	"github.com/mattermost/mattermost-server/model"
 	"github.com/mattermost/mattermost-server/store/sqlstore"
-	"github.com/mattermost/mattermost-server/utils"
 )
 
 func TestCreateChannel(t *testing.T) {
@@ -79,26 +78,16 @@ func TestCreateChannel(t *testing.T) {
 	_, resp = Client.CreateChannel(private)
 	CheckForbiddenStatus(t, resp)
 
-	th.LoginBasic()
-
-	// Check permissions with policy config changes
-	isLicensed := utils.IsLicensed()
-	license := utils.License()
-	restrictPublicChannel := *th.App.Config().TeamSettings.RestrictPublicChannelCreation
-	restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelCreation
+	// Check the appropriate permissions are enforced.
+	defaultRolePermissions := th.SaveDefaultRolePermissions()
 	defer func() {
-		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelCreation = restrictPublicChannel })
-		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelCreation = restrictPrivateChannel })
-		utils.SetIsLicensed(isLicensed)
-		utils.SetLicense(license)
-		th.App.SetDefaultRolesBasedOnConfig()
+		th.RestoreDefaultRolePermissions(defaultRolePermissions)
 	}()
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_ALL })
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_ALL })
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
+
+	th.AddPermissionToRole(model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+	th.AddPermissionToRole(model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+
+	th.LoginBasic()
 
 	channel.Name = GenerateTestChannelName()
 	_, resp = Client.CreateChannel(channel)
@@ -108,13 +97,10 @@ func TestCreateChannel(t *testing.T) {
 	_, resp = Client.CreateChannel(private)
 	CheckNoError(t, resp)
 
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_TEAM_ADMIN
-	})
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_TEAM_ADMIN
-	})
-	th.App.SetDefaultRolesBasedOnConfig()
+	th.AddPermissionToRole(model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, model.TEAM_ADMIN_ROLE_ID)
+	th.AddPermissionToRole(model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, model.TEAM_ADMIN_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
 
 	_, resp = Client.CreateChannel(channel)
 	CheckForbiddenStatus(t, resp)
@@ -140,51 +126,7 @@ func TestCreateChannel(t *testing.T) {
 	_, resp = th.SystemAdminClient.CreateChannel(private)
 	CheckNoError(t, resp)
 
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_SYSTEM_ADMIN
-	})
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_SYSTEM_ADMIN
-	})
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	th.LoginBasic()
-
-	_, resp = Client.CreateChannel(channel)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = Client.CreateChannel(private)
-	CheckForbiddenStatus(t, resp)
-
-	th.LoginTeamAdmin()
-
-	_, resp = Client.CreateChannel(channel)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = Client.CreateChannel(private)
-	CheckForbiddenStatus(t, resp)
-
-	channel.Name = GenerateTestChannelName()
-	_, resp = th.SystemAdminClient.CreateChannel(channel)
-	CheckNoError(t, resp)
-
-	private.Name = GenerateTestChannelName()
-	_, resp = th.SystemAdminClient.CreateChannel(private)
-	CheckNoError(t, resp)
-
-	// Check that if unlicensed the policy restriction is not enforced.
-	utils.SetIsLicensed(false)
-	utils.SetLicense(nil)
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	channel.Name = GenerateTestChannelName()
-	_, resp = Client.CreateChannel(channel)
-	CheckNoError(t, resp)
-
-	private.Name = GenerateTestChannelName()
-	_, resp = Client.CreateChannel(private)
-	CheckNoError(t, resp)
-
+	// Test posting Garbage
 	if r, err := Client.DoApiPost("/channels", "garbage"); err == nil {
 		t.Fatal("should have errored")
 	} else {
@@ -887,23 +829,16 @@ func TestDeleteChannel(t *testing.T) {
 
 	th.InitBasic().InitSystemAdmin()
 
-	isLicensed := utils.IsLicensed()
-	license := utils.License()
-	restrictPublicChannel := *th.App.Config().TeamSettings.RestrictPublicChannelManagement
-	restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManagement
+	// Check the appropriate permissions are enforced.
+	defaultRolePermissions := th.SaveDefaultRolePermissions()
 	defer func() {
-		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelManagement = restrictPublicChannel })
-		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManagement = restrictPrivateChannel })
-		utils.SetIsLicensed(isLicensed)
-		utils.SetLicense(license)
-		th.App.SetDefaultRolesBasedOnConfig()
+		th.RestoreDefaultRolePermissions(defaultRolePermissions)
 	}()
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_ALL })
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_ALL })
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
+
+	th.AddPermissionToRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+	th.AddPermissionToRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
 
 	Client = th.Client
 	team = th.BasicTeam
@@ -924,13 +859,11 @@ func TestDeleteChannel(t *testing.T) {
 	_, resp = Client.DeleteChannel(privateChannel7.Id)
 	CheckNoError(t, resp)
 
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_CHANNEL_ADMIN
-	})
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_CHANNEL_ADMIN
-	})
-	th.App.SetDefaultRolesBasedOnConfig()
+	// Restrict permissions to Channel Admins
+	th.RemovePermissionFromRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+	th.AddPermissionToRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
+	th.AddPermissionToRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
 
 	// channels created by SystemAdmin
 	publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
@@ -957,129 +890,9 @@ func TestDeleteChannel(t *testing.T) {
 	_, resp = Client.DeleteChannel(privateChannel7.Id)
 	CheckNoError(t, resp)
 
-	// // channels created by SystemAdmin
-	publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
-	privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
-	th.App.AddUserToChannel(user, publicChannel6)
-	th.App.AddUserToChannel(user, privateChannel7)
-	th.App.AddUserToChannel(user2, privateChannel7)
-
-	// successful delete by team admin
-	th.UpdateUserToTeamAdmin(user, team)
-	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-
-	_, resp = Client.DeleteChannel(publicChannel6.Id)
-	CheckNoError(t, resp)
-
-	_, resp = Client.DeleteChannel(privateChannel7.Id)
-	CheckNoError(t, resp)
-
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_TEAM_ADMIN
-	})
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_TEAM_ADMIN
-	})
-	th.App.SetDefaultRolesBasedOnConfig()
-	th.UpdateUserToNonTeamAdmin(user, team)
-	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-
-	// channels created by SystemAdmin
-	publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
-	privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
-	th.App.AddUserToChannel(user, publicChannel6)
-	th.App.AddUserToChannel(user, privateChannel7)
-	th.App.AddUserToChannel(user2, privateChannel7)
-
-	// cannot delete by user
-	_, resp = Client.DeleteChannel(publicChannel6.Id)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = Client.DeleteChannel(privateChannel7.Id)
-	CheckForbiddenStatus(t, resp)
-
-	// // cannot delete by channel admin
-	th.MakeUserChannelAdmin(user, publicChannel6)
-	th.MakeUserChannelAdmin(user, privateChannel7)
-	sqlstore.ClearChannelCaches()
-
-	_, resp = Client.DeleteChannel(publicChannel6.Id)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = Client.DeleteChannel(privateChannel7.Id)
-	CheckForbiddenStatus(t, resp)
-
-	// successful delete by team admin
-	th.UpdateUserToTeamAdmin(th.BasicUser, team)
-	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-
-	_, resp = Client.DeleteChannel(publicChannel6.Id)
-	CheckNoError(t, resp)
-
-	_, resp = Client.DeleteChannel(privateChannel7.Id)
-	CheckNoError(t, resp)
-
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_SYSTEM_ADMIN
-	})
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_SYSTEM_ADMIN
-	})
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	// channels created by SystemAdmin
-	publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
-	privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
-	th.App.AddUserToChannel(user, publicChannel6)
-	th.App.AddUserToChannel(user, privateChannel7)
-	th.App.AddUserToChannel(user2, privateChannel7)
-
-	// cannot delete by user
-	_, resp = Client.DeleteChannel(publicChannel6.Id)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = Client.DeleteChannel(privateChannel7.Id)
-	CheckForbiddenStatus(t, resp)
-
-	// cannot delete by channel admin
-	th.MakeUserChannelAdmin(user, publicChannel6)
-	th.MakeUserChannelAdmin(user, privateChannel7)
-	sqlstore.ClearChannelCaches()
-
-	_, resp = Client.DeleteChannel(publicChannel6.Id)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = Client.DeleteChannel(privateChannel7.Id)
-	CheckForbiddenStatus(t, resp)
-
-	// cannot delete by team admin
-	th.UpdateUserToTeamAdmin(th.BasicUser, team)
-	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-
-	_, resp = Client.DeleteChannel(publicChannel6.Id)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = Client.DeleteChannel(privateChannel7.Id)
-	CheckForbiddenStatus(t, resp)
-
-	// successful delete by SystemAdmin
-	_, resp = th.SystemAdminClient.DeleteChannel(publicChannel6.Id)
-	CheckNoError(t, resp)
-
-	_, resp = th.SystemAdminClient.DeleteChannel(privateChannel7.Id)
-	CheckNoError(t, resp)
+	// Make sure team admins don't have permission to delete channels.
+	th.RemovePermissionFromRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
 
 	// last member of a public channel should have required permission to delete
 	publicChannel6 = th.CreateChannelWithClient(th.Client, model.CHANNEL_OPEN)
@@ -1822,42 +1635,13 @@ func TestAddChannelMember(t *testing.T) {
 	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
 	CheckNoError(t, resp)
 
-	// Test policy does not apply to TE.
-	restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManageMembers
+	// Check the appropriate permissions are enforced.
+	defaultRolePermissions := th.SaveDefaultRolePermissions()
 	defer func() {
-		th.App.UpdateConfig(func(cfg *model.Config) {
-			*cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
-		})
+		th.RestoreDefaultRolePermissions(defaultRolePermissions)
 	}()
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
-	})
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	Client.Login(user2.Username, user2.Password)
-	privateChannel = th.CreatePrivateChannel()
-	_, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
-	CheckNoError(t, resp)
-	Client.Logout()
 
-	Client.Login(user.Username, user.Password)
-	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
-	CheckNoError(t, resp)
-	Client.Logout()
-
-	// Add a license
-	isLicensed := utils.IsLicensed()
-	license := utils.License()
-	defer func() {
-		utils.SetIsLicensed(isLicensed)
-		utils.SetLicense(license)
-		th.App.SetDefaultRolesBasedOnConfig()
-	}()
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL })
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
+	th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
 
 	// Check that a regular channel user can add other users.
 	Client.Login(user2.Username, user2.Password)
@@ -1871,14 +1655,9 @@ func TestAddChannelMember(t *testing.T) {
 	CheckNoError(t, resp)
 	Client.Logout()
 
-	// Test with CHANNEL_ADMIN level permission.
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
-	})
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
+	// Restrict the permission for adding users to Channel Admins
+	th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_ADMIN_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
 
 	Client.Login(user2.Username, user2.Password)
 	privateChannel = th.CreatePrivateChannel()
@@ -1893,70 +1672,11 @@ func TestAddChannelMember(t *testing.T) {
 
 	th.MakeUserChannelAdmin(user, privateChannel)
 	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	Client.Login(user.Username, user.Password)
-	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
-	CheckNoError(t, resp)
-	Client.Logout()
-
-	// Test with TEAM_ADMIN level permission.
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
-	})
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	Client.Login(user2.Username, user2.Password)
-	privateChannel = th.CreatePrivateChannel()
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
-	CheckNoError(t, resp)
-	Client.Logout()
-
-	Client.Login(user.Username, user.Password)
-	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
-	CheckForbiddenStatus(t, resp)
-	Client.Logout()
-
-	th.UpdateUserToTeamAdmin(user, team)
-	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
 
 	Client.Login(user.Username, user.Password)
 	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
 	CheckNoError(t, resp)
 	Client.Logout()
-
-	// Test with SYSTEM_ADMIN level permission.
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
-	})
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	Client.Login(user2.Username, user2.Password)
-	privateChannel = th.CreatePrivateChannel()
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
-	CheckNoError(t, resp)
-	Client.Logout()
-
-	Client.Login(user.Username, user.Password)
-	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
-	CheckForbiddenStatus(t, resp)
-	Client.Logout()
-
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user3.Id)
-	CheckNoError(t, resp)
 }
 
 func TestRemoveChannelMember(t *testing.T) {
@@ -2018,43 +1738,16 @@ func TestRemoveChannelMember(t *testing.T) {
 	th.UpdateUserToNonTeamAdmin(user1, team)
 	th.App.InvalidateAllCaches()
 
-	// Test policy does not apply to TE.
-	restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManageMembers
+	// Check the appropriate permissions are enforced.
+	defaultRolePermissions := th.SaveDefaultRolePermissions()
 	defer func() {
-		th.App.UpdateConfig(func(cfg *model.Config) {
-			*cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
-		})
+		th.RestoreDefaultRolePermissions(defaultRolePermissions)
 	}()
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
-	})
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	privateChannel := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
-	CheckNoError(t, resp)
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
-	CheckNoError(t, resp)
 
-	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
-	CheckNoError(t, resp)
-
-	// Add a license
-	isLicensed := utils.IsLicensed()
-	license := utils.License()
-	defer func() {
-		utils.SetIsLicensed(isLicensed)
-		utils.SetLicense(license)
-		th.App.SetDefaultRolesBasedOnConfig()
-	}()
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL })
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
+	th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
 
 	// Check that a regular channel user can remove other users.
-	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	privateChannel := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
 	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
 	CheckNoError(t, resp)
 	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
@@ -2063,14 +1756,9 @@ func TestRemoveChannelMember(t *testing.T) {
 	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
 	CheckNoError(t, resp)
 
-	// Test with CHANNEL_ADMIN level permission.
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
-	})
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
+	// Restrict the permission for adding users to Channel Admins
+	th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_ADMIN_ROLE_ID)
+	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
 
 	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
 	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
@@ -2083,58 +1771,7 @@ func TestRemoveChannelMember(t *testing.T) {
 
 	th.MakeUserChannelAdmin(user1, privateChannel)
 	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-
-	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
-	CheckNoError(t, resp)
-
-	// Test with TEAM_ADMIN level permission.
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
-	})
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
-	CheckNoError(t, resp)
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
-	CheckNoError(t, resp)
-
-	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
-	CheckForbiddenStatus(t, resp)
-
-	th.UpdateUserToTeamAdmin(user1, team)
-	th.App.InvalidateAllCaches()
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
 
 	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
 	CheckNoError(t, resp)
-
-	// Test with SYSTEM_ADMIN level permission.
-	th.App.UpdateConfig(func(cfg *model.Config) {
-		*cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
-	})
-	utils.SetIsLicensed(true)
-	utils.SetLicense(&model.License{Features: &model.Features{}})
-	utils.License().Features.SetDefaults()
-	th.App.SetDefaultRolesBasedOnConfig()
-
-	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
-	CheckNoError(t, resp)
-	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
-	CheckNoError(t, resp)
-
-	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
-	CheckForbiddenStatus(t, resp)
-
-	_, resp = th.SystemAdminClient.RemoveUserFromChannel(privateChannel.Id, user2.Id)
-	CheckNoError(t, resp)
 }