Implement endpoint for APIv4: PUT /teams/{team_id}/members/{user_id}/roles (#5471)

2 files changed, 106 insertions, 0 deletions

diff --git a/api4/team.go b/api4/team.go
index 206ea7b0e..ed096e058 100644
--- a/api4/team.go
+++ b/api4/team.go
@@ -23,6 +23,7 @@ func InitTeam() {
 
 	BaseRoutes.TeamByName.Handle("", ApiSessionRequired(getTeamByName)).Methods("GET")
 	BaseRoutes.TeamMember.Handle("", ApiSessionRequired(getTeamMember)).Methods("GET")
+	BaseRoutes.TeamMember.Handle("/roles", ApiSessionRequired(updateTeamMemberRoles)).Methods("PUT")
 }
 
 func createTeam(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -140,3 +141,30 @@ func getTeamStats(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 }
+
+func updateTeamMemberRoles(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireTeamId().RequireUserId()
+	if c.Err != nil {
+		return
+	}
+
+	props := model.MapFromJson(r.Body)
+
+	newRoles := props["roles"]
+	if !model.IsValidUserRoles(newRoles) {
+		c.SetInvalidParam("team_member_roles")
+		return
+	}
+
+	if !app.SessionHasPermissionToTeam(c.Session, c.Params.TeamId, model.PERMISSION_MANAGE_TEAM_ROLES) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_TEAM_ROLES)
+		return
+	}
+
+	if _, err := app.UpdateTeamMemberRoles(c.Params.TeamId, c.Params.UserId, newRoles); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
diff --git a/api4/team_test.go b/api4/team_test.go
index 4381f903c..8f0becaa7 100644
--- a/api4/team_test.go
+++ b/api4/team_test.go
@@ -283,3 +283,81 @@ func TestGetTeamStats(t *testing.T) {
 	_, resp = Client.GetTeamStats(th.BasicTeam.Id, "")
 	CheckUnauthorizedStatus(t, resp)
 }
+
+func TestUpdateTeamMemberRoles(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+	SystemAdminClient := th.SystemAdminClient
+
+	const TEAM_MEMBER = "team_user"
+	const TEAM_ADMIN = "team_user team_admin"
+
+	// user 1 tries to promote user 2
+	ok, resp := Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser2.Id, TEAM_ADMIN)
+	CheckForbiddenStatus(t, resp)
+	if ok {
+		t.Fatal("should have returned false")
+	}
+
+	// user 1 tries to promote himself
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser.Id, TEAM_ADMIN)
+	CheckForbiddenStatus(t, resp)
+
+	// user 1 tries to demote someone
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.SystemAdminUser.Id, TEAM_MEMBER)
+	CheckForbiddenStatus(t, resp)
+
+	// system admin promotes user 1
+	ok, resp = SystemAdminClient.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser.Id, TEAM_ADMIN)
+	CheckNoError(t, resp)
+	if !ok {
+		t.Fatal("should have returned true")
+	}
+
+	// user 1 (team admin) promotes user 2
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser2.Id, TEAM_ADMIN)
+	CheckNoError(t, resp)
+
+	// user 1 (team admin) demotes user 2 (team admin)
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser2.Id, TEAM_MEMBER)
+	CheckNoError(t, resp)
+
+	// user 1 (team admin) tries to demote system admin (not member of a team)
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.SystemAdminUser.Id, TEAM_MEMBER)
+	CheckBadRequestStatus(t, resp)
+
+	// user 1 (team admin) demotes system admin (member of a team)
+	LinkUserToTeam(th.SystemAdminUser, th.BasicTeam)
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.SystemAdminUser.Id, TEAM_MEMBER)
+	CheckNoError(t, resp)
+	// Note from API v3
+	// Note to anyone who thinks this (above) test is wrong:
+	// This operation will not affect the system admin's permissions because they have global access to all teams.
+	// Their team level permissions are irrelavent. A team admin should be able to manage team level permissions.
+
+	// System admins should be able to manipulate permission no matter what their team level permissions are.
+	// system admin promotes user 2
+	_, resp = SystemAdminClient.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser2.Id, TEAM_ADMIN)
+	CheckNoError(t, resp)
+
+	// system admin demotes user 2 (team admin)
+	_, resp = SystemAdminClient.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser2.Id, TEAM_MEMBER)
+	CheckNoError(t, resp)
+
+	// user 1 (team admin) tries to promote himself to a random team
+	_, resp = Client.UpdateTeamMemberRoles(model.NewId(), th.BasicUser.Id, TEAM_ADMIN)
+	CheckForbiddenStatus(t, resp)
+
+	// user 1 (team admin) tries to promote a random user
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, model.NewId(), TEAM_ADMIN)
+	CheckBadRequestStatus(t, resp)
+
+	// user 1 (team admin) tries to promote invalid team permission
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser.Id, "junk")
+	CheckBadRequestStatus(t, resp)
+
+	// user 1 (team admin) demotes himself
+	_, resp = Client.UpdateTeamMemberRoles(th.BasicTeam.Id, th.BasicUser.Id, TEAM_MEMBER)
+	CheckNoError(t, resp)
+}