PLT-6139 (Server): Private Channel member managing (#5941)

Adds an EE policy feature to allow restricting system-wide which level of Admins can manage the membership of private channels.
author: George Goldberg <george@gberg.me> 2017-04-03 18:13:28 +0100
committer: Harrison Healey <harrisonmhealey@gmail.com> 2017-04-03 13:13:28 -0400
commit: e49f5928c55ba57c39efa11c568c66342b962aae (patch)
tree: c3199ea07e1c17aebdd77d53ad1397b469a0f963 /api4
parent: 232a99f0c7b9364cb4386264f9ff7f97549a4378 (diff)
download: chat-e49f5928c55ba57c39efa11c568c66342b962aae.tar.gz
chat-e49f5928c55ba57c39efa11c568c66342b962aae.tar.bz2
chat-e49f5928c55ba57c39efa11c568c66342b962aae.zip
1 files changed, 248 insertions, 0 deletions
diff --git a/api4/channel_test.go b/api4/channel_test.go
index 1d8053a0a..0496be495 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -1497,9 +1497,14 @@ func TestAddChannelMember(t *testing.T) {
 	Client := th.Client
 	user := th.BasicUser
 	user2 := th.BasicUser2
+	team := th.BasicTeam
 	publicChannel := th.CreatePublicChannel()
 	privateChannel := th.CreatePrivateChannel()
 
+	user3 := th.CreateUserWithClient(th.SystemAdminClient)
+	_, resp := th.SystemAdminClient.AddTeamMember(team.Id, user3.Id, "", "", team.InviteId)
+	CheckNoError(t, resp)
+
 	cm, resp := Client.AddChannelMember(publicChannel.Id, user2.Id)
 	CheckNoError(t, resp)
 	CheckCreatedStatus(t, resp)
@@ -1582,10 +1587,139 @@ func TestAddChannelMember(t *testing.T) {
 
 	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
 	CheckNoError(t, resp)
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can add other users.
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckForbiddenStatus(t, resp)
+	Client.Logout()
+
+	MakeUserChannelAdmin(user, privateChannel)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckForbiddenStatus(t, resp)
+	Client.Logout()
+
+	UpdateUserToTeamAdmin(user, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	Client.Login(user2.Username, user2.Password)
+	privateChannel = th.CreatePrivateChannel()
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
+	CheckNoError(t, resp)
+	Client.Logout()
+
+	Client.Login(user.Username, user.Password)
+	_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckForbiddenStatus(t, resp)
+	Client.Logout()
+
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user3.Id)
+	CheckNoError(t, resp)
 }
 
 func TestRemoveChannelMember(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
+	user1 := th.BasicUser
+	user2 := th.BasicUser2
+	team := th.BasicTeam
 	defer TearDown()
 	Client := th.Client
 
@@ -1635,4 +1769,118 @@ func TestRemoveChannelMember(t *testing.T) {
 
 	_, resp = th.SystemAdminClient.RemoveUserFromChannel(private.Id, th.BasicUser.Id)
 	CheckNoError(t, resp)
+
+	th.LoginBasic()
+	UpdateUserToNonTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can remove other users.
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckForbiddenStatus(t, resp)
+
+	MakeUserChannelAdmin(user1, privateChannel)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckForbiddenStatus(t, resp)
+
+	UpdateUserToTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
+	CheckNoError(t, resp)
+	_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
+
+	_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = th.SystemAdminClient.RemoveUserFromChannel(privateChannel.Id, user2.Id)
+	CheckNoError(t, resp)
 }
author	George Goldberg <george@gberg.me>	2017-04-03 18:13:28 +0100
committer	Harrison Healey <harrisonmhealey@gmail.com>	2017-04-03 13:13:28 -0400
commit	e49f5928c55ba57c39efa11c568c66342b962aae (patch)
tree	c3199ea07e1c17aebdd77d53ad1397b469a0f963 /api4
parent	232a99f0c7b9364cb4386264f9ff7f97549a4378 (diff)
download	chat-e49f5928c55ba57c39efa11c568c66342b962aae.tar.gz chat-e49f5928c55ba57c39efa11c568c66342b962aae.tar.bz2 chat-e49f5928c55ba57c39efa11c568c66342b962aae.zip