PLT-5050 (Server). API to update channel member roles. (#5043)

Implements API reference proposal mattermost-api-reference:#66.

2 files changed, 120 insertions, 0 deletions

diff --git a/api/channel.go b/api/channel.go
index ae92ab618..cc63edd07 100644
--- a/api/channel.go
+++ b/api/channel.go
@@ -45,6 +45,7 @@ func InitChannel() {
 	BaseRoutes.NeedChannel.Handle("/delete", ApiUserRequired(deleteChannel)).Methods("POST")
 	BaseRoutes.NeedChannel.Handle("/add", ApiUserRequired(addMember)).Methods("POST")
 	BaseRoutes.NeedChannel.Handle("/remove", ApiUserRequired(removeMember)).Methods("POST")
+	BaseRoutes.NeedChannel.Handle("/update_member_roles", ApiUserRequired(updateChannelMemberRoles)).Methods("POST")
 }
 
 func createChannel(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -1320,3 +1321,49 @@ func getChannelMembersByIds(c *Context, w http.ResponseWriter, r *http.Request)
 		return
 	}
 }
+
+func updateChannelMemberRoles(c *Context, w http.ResponseWriter, r *http.Request) {
+	params := mux.Vars(r)
+	channelId := params["channel_id"]
+
+	props := model.MapFromJson(r.Body)
+
+	userId := props["user_id"]
+	if len(userId) != 26 {
+		c.SetInvalidParam("updateChannelMemberRoles", "user_id")
+		return
+	}
+
+	mchan := Srv.Store.Channel().GetMember(channelId, userId)
+
+	newRoles := props["new_roles"]
+	if !(model.IsValidUserRoles(newRoles)) {
+		c.SetInvalidParam("updateChannelMemberRoles", "new_roles")
+		return
+	}
+
+	if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_MANAGE_CHANNEL_ROLES) {
+		return
+	}
+
+	var member model.ChannelMember
+	if result := <-mchan; result.Err != nil {
+		c.Err = result.Err
+		return
+	} else {
+		member = result.Data.(model.ChannelMember)
+	}
+
+	member.Roles = newRoles
+
+	if result := <-Srv.Store.Channel().UpdateMember(&member); result.Err != nil {
+		c.Err = result.Err
+		return
+	}
+
+	InvalidateCacheForUser(userId)
+
+	rdata := map[string]string{}
+	rdata["status"] = "ok"
+	w.Write([]byte(model.MapToJson(rdata)))
+}
diff --git a/api/channel_test.go b/api/channel_test.go
index 25fd885ca..8bfa0e896 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -1920,3 +1920,76 @@ func TestGetChannelMembersByIds(t *testing.T) {
 		t.Fatal("should have errored - empty user ids")
 	}
 }
+
+func TestUpdateChannelRoles(t *testing.T) {
+	th := Setup().InitSystemAdmin().InitBasic()
+	th.SystemAdminClient.SetTeamId(th.BasicTeam.Id)
+	LinkUserToTeam(th.SystemAdminUser, th.BasicTeam)
+
+	const CHANNEL_ADMIN = "channel_admin channel_user"
+	const CHANNEL_MEMBER = "channel_user"
+
+	// User 1 creates a channel, making them channel admin by default.
+	createChannel := model.Channel{
+		DisplayName: "Test API Name",
+		Name:        "a" + model.NewId() + "a",
+		Type:        model.CHANNEL_OPEN,
+		TeamId:      th.BasicTeam.Id,
+	}
+
+	rchannel, err := th.BasicClient.CreateChannel(&createChannel)
+	if err != nil {
+		t.Fatal("Failed to create channel:", err)
+	}
+	channel := rchannel.Data.(*model.Channel)
+
+	// User 1 adds User 2 to the channel, making them a channel member by default.
+	if _, err := th.BasicClient.AddChannelMember(channel.Id, th.BasicUser2.Id); err != nil {
+		t.Fatal("Failed to add user 2 to the channel:", err)
+	}
+
+	// System Admin can demote User 1 (channel admin).
+	if data, meta := th.SystemAdminClient.UpdateChannelRoles(channel.Id, th.BasicUser.Id, CHANNEL_MEMBER); data == nil {
+		t.Fatal("System Admin failed to demote channel admin to channel member:", meta)
+	}
+
+	// User 1 (channel_member) cannot promote user 2 (channel_member).
+	if data, meta := th.BasicClient.UpdateChannelRoles(channel.Id, th.BasicUser2.Id, CHANNEL_ADMIN); data != nil {
+		t.Fatal("Channel member should not be able to promote another channel member to channel admin:", meta)
+	}
+
+	// System Admin can promote user 1 (channel member).
+	if data, meta := th.SystemAdminClient.UpdateChannelRoles(channel.Id, th.BasicUser.Id, CHANNEL_ADMIN); data == nil {
+		t.Fatal("System Admin failed to promote channel member to channel admin:", meta)
+	}
+
+	// User 1 (channel_admin) can promote User 2 (channel member).
+	if data, meta := th.BasicClient.UpdateChannelRoles(channel.Id, th.BasicUser2.Id, CHANNEL_ADMIN); data == nil {
+		t.Fatal("Channel admin failed to promote channel member to channel admin:", meta)
+	}
+
+	// User 1 (channel admin) can demote User 2 (channel admin).
+	if data, meta := th.BasicClient.UpdateChannelRoles(channel.Id, th.BasicUser2.Id, CHANNEL_MEMBER); data == nil {
+		t.Fatal("Channel admin failed to demote channel admin to channel member:", meta)
+	}
+
+	// User 1 (channel admin) can demote itself.
+	if data, meta := th.BasicClient.UpdateChannelRoles(channel.Id, th.BasicUser.Id, CHANNEL_MEMBER); data == nil {
+		t.Fatal("Channel admin failed to demote itself to channel member:", meta)
+	}
+
+	// Promote User2 again for next test.
+	if data, meta := th.SystemAdminClient.UpdateChannelRoles(channel.Id, th.BasicUser2.Id, CHANNEL_ADMIN); data == nil {
+		t.Fatal("System Admin failed to promote channel member to channel admin:", meta)
+	}
+
+	// User 1 (channel member) cannot demote user 2 (channel admin).
+	if data, meta := th.BasicClient.UpdateChannelRoles(channel.Id, th.BasicUser2.Id, CHANNEL_MEMBER); data != nil {
+		t.Fatal("Channel member should not be able to demote another channel admin to channel member:", meta)
+	}
+
+	// User 1 (channel member) cannot promote itself.
+	if data, meta := th.BasicClient.UpdateChannelRoles(channel.Id, th.BasicUser.Id, CHANNEL_ADMIN); data != nil {
+		t.Fatal("Channel member should not be able to promote itself to channel admin:", meta)
+	}
+}