Fixing update roles API (#4060)

4 files changed, 179 insertions, 221 deletions

diff --git a/api/team.go b/api/team.go
index 83367f31f..0f3475098 100644
--- a/api/team.go
+++ b/api/team.go
@@ -35,6 +35,7 @@ func InitTeam() {
 
 	BaseRoutes.NeedTeam.Handle("/me", ApiUserRequired(getMyTeam)).Methods("GET")
 	BaseRoutes.NeedTeam.Handle("/update", ApiUserRequired(updateTeam)).Methods("POST")
+	BaseRoutes.NeedTeam.Handle("/update_member_roles", ApiUserRequired(updateMemberRoles)).Methods("POST")
 
 	BaseRoutes.NeedTeam.Handle("/invite_members", ApiUserRequired(inviteMembers)).Methods("POST")
 
@@ -784,6 +785,62 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte(oldTeam.ToJson()))
 }
 
+func updateMemberRoles(c *Context, w http.ResponseWriter, r *http.Request) {
+	props := model.MapFromJson(r.Body)
+
+	userId := props["user_id"]
+	if len(userId) != 26 {
+		c.SetInvalidParam("updateMemberRoles", "user_id")
+		return
+	}
+
+	mchan := Srv.Store.Team().GetTeamsForUser(userId)
+
+	teamId := c.TeamId
+
+	newRoles := props["new_roles"]
+	if !(model.IsValidUserRoles(newRoles)) {
+		c.SetInvalidParam("updateMemberRoles", "new_roles")
+		return
+	}
+
+	if !HasPermissionToTeamContext(c, teamId, model.PERMISSION_MANAGE_ROLES) {
+		return
+	}
+
+	var member *model.TeamMember
+	if result := <-mchan; result.Err != nil {
+		c.Err = result.Err
+		return
+	} else {
+		members := result.Data.([]*model.TeamMember)
+		for _, m := range members {
+			if m.TeamId == teamId {
+				member = m
+			}
+		}
+	}
+
+	if member == nil {
+		c.Err = model.NewLocAppError("updateMemberRoles", "api.team.update_member_roles.not_a_member", nil, "userId="+userId+" teamId="+teamId)
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	member.Roles = newRoles
+
+	if result := <-Srv.Store.Team().UpdateMember(member); result.Err != nil {
+		c.Err = result.Err
+		return
+	}
+
+	RemoveAllSessionsForUserId(userId)
+
+	rdata := map[string]string{}
+	rdata["status"] = "ok"
+	w.Write([]byte(model.MapToJson(rdata)))
+}
+
 func PermanentDeleteTeam(c *Context, team *model.Team) *model.AppError {
 	l4g.Warn(utils.T("api.team.permanent_delete_team.attempting.warn"), team.Name, team.Id)
 	c.Path = "/teams/permanent_delete"
diff --git a/api/team_test.go b/api/team_test.go
index 1a754b5e6..936ba696b 100644
--- a/api/team_test.go
+++ b/api/team_test.go
@@ -567,3 +567,66 @@ func TestGetTeamMembers(t *testing.T) {
 		t.Log(members)
 	}
 }
+
+func TestUpdateTeamMemberRoles(t *testing.T) {
+	th := Setup().InitSystemAdmin().InitBasic()
+	th.SystemAdminClient.SetTeamId(th.BasicTeam.Id)
+	LinkUserToTeam(th.SystemAdminUser, th.BasicTeam)
+
+	const BASIC_MEMBER = "team_user"
+	const TEAM_ADMIN = "team_user team_admin"
+
+	// user 1 trying to promote user 2
+	if _, err := th.BasicClient.UpdateTeamRoles(th.BasicUser2.Id, TEAM_ADMIN); err == nil {
+		t.Fatal("Should have errored, not team admin")
+	}
+
+	// user 1 trying to promote themselves
+	if _, err := th.BasicClient.UpdateTeamRoles(th.BasicUser.Id, TEAM_ADMIN); err == nil {
+		t.Fatal("Should have errored, not team admin")
+	}
+
+	// user 1 trying to demote someone
+	if _, err := th.BasicClient.UpdateTeamRoles(th.SystemAdminUser.Id, BASIC_MEMBER); err == nil {
+		t.Fatal("Should have errored, not team admin")
+	}
+
+	// system admin promoting user1
+	if _, err := th.SystemAdminClient.UpdateTeamRoles(th.BasicUser.Id, TEAM_ADMIN); err != nil {
+		t.Fatal("Should have worked: " + err.Error())
+	}
+
+	// user 1 trying to promote user 2
+	if _, err := th.BasicClient.UpdateTeamRoles(th.BasicUser2.Id, TEAM_ADMIN); err != nil {
+		t.Fatal("Should have worked, user is team admin: " + th.BasicUser.Id)
+	}
+
+	// user 1 trying to demote user 2
+	if _, err := th.BasicClient.UpdateTeamRoles(th.BasicUser2.Id, BASIC_MEMBER); err != nil {
+		t.Fatal("Should have worked, user is team admin")
+	}
+
+	// user 1 trying to demote a system admin
+	if _, err := th.BasicClient.UpdateTeamRoles(th.SystemAdminUser.Id, BASIC_MEMBER); err != nil {
+		t.Fatal("Should have worked, user is team admin and has the ability to manage permissions on this team.")
+		// Note to anyone who thinks this test is wrong:
+		// This operation will not effect the system admin's permissions because they have global access to all teams.
+		// Their team level permissions are irrelavent. A team admin should be able to manage team level permissions.
+	}
+
+	// System admins should be able to manipulate permission no matter what their team level permissions are.
+	// systemAdmin trying to promote user 2
+	if _, err := th.SystemAdminClient.UpdateTeamRoles(th.BasicUser2.Id, TEAM_ADMIN); err != nil {
+		t.Fatal("Should have worked, user is system admin")
+	}
+
+	// system admin trying to demote user 2
+	if _, err := th.SystemAdminClient.UpdateTeamRoles(th.BasicUser2.Id, BASIC_MEMBER); err != nil {
+		t.Fatal("Should have worked, user is system admin")
+	}
+
+	// user 1 trying to demote himself
+	if _, err := th.BasicClient.UpdateTeamRoles(th.BasicUser.Id, BASIC_MEMBER); err != nil {
+		t.Fatal("Should have worked, user is team admin")
+	}
+}
diff --git a/api/user.go b/api/user.go
index c0fe403b3..e8040f74e 100644
--- a/api/user.go
+++ b/api/user.go
@@ -39,7 +39,6 @@ func InitUser() {
 
 	BaseRoutes.Users.Handle("/create", ApiAppHandler(createUser)).Methods("POST")
 	BaseRoutes.Users.Handle("/update", ApiUserRequired(updateUser)).Methods("POST")
-	BaseRoutes.Users.Handle("/update_roles", ApiUserRequired(updateRoles)).Methods("POST")
 	BaseRoutes.Users.Handle("/update_active", ApiUserRequired(updateActive)).Methods("POST")
 	BaseRoutes.Users.Handle("/update_notify", ApiUserRequired(updateUserNotify)).Methods("POST")
 	BaseRoutes.Users.Handle("/newpassword", ApiUserRequired(updatePassword)).Methods("POST")
@@ -71,6 +70,7 @@ func InitUser() {
 	BaseRoutes.NeedUser.Handle("/sessions", ApiUserRequired(getSessions)).Methods("GET")
 	BaseRoutes.NeedUser.Handle("/audits", ApiUserRequired(getAudits)).Methods("GET")
 	BaseRoutes.NeedUser.Handle("/image", ApiUserRequiredTrustRequester(getProfileImage)).Methods("GET")
+	BaseRoutes.NeedUser.Handle("/update_roles", ApiUserRequired(updateRoles)).Methods("POST")
 
 	BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(loginWithSaml)).Methods("GET")
 	BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(completeSaml)).Methods("POST")
@@ -1428,142 +1428,64 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
 
 func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
+	params := mux.Vars(r)
 
-	user_id := props["user_id"]
-	if len(user_id) != 26 {
-		c.SetInvalidParam("updateRoles", "user_id")
-		return
-	}
-
-	team_id := props["team_id"]
-
-	// Set context TeamId as the team_id in the request cause at this point c.TeamId is empty
-	if len(c.TeamId) == 0 {
-		c.TeamId = team_id
-	}
-
-	if !(len(user_id) == 26 || len(user_id) == 0) {
-		c.SetInvalidParam("updateRoles", "team_id")
-		return
-	}
-
-	new_roles := props["new_roles"]
-	if !(model.IsValidUserRoles(new_roles)) {
-		c.SetInvalidParam("updateRoles", "new_roles")
+	userId := params["user_id"]
+	if len(userId) != 26 {
+		c.SetInvalidParam("updateMemberRoles", "user_id")
 		return
 	}
 
-	// If you are not the team admin then you can only demote yourself
-	if user_id != c.Session.UserId && !HasPermissionToTeamContext(c, team_id, model.PERMISSION_MANAGE_ROLES) {
-		c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.team_admin_needed.app_error", nil, "")
-		c.Err.StatusCode = http.StatusForbidden
+	newRoles := props["new_roles"]
+	if !(model.IsValidUserRoles(newRoles)) {
+		c.SetInvalidParam("updateMemberRoles", "new_roles")
 		return
 	}
 
-	// If your trying to assign the system admin role, you must have that permission
-	if model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN.Id) && !HasPermissionToContext(c, model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE) {
-		c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.system_admin_set.app_error", nil, "")
+	if !HasPermissionToContext(c, model.PERMISSION_MANAGE_ROLES) {
 		return
 	}
 
 	var user *model.User
-	if result := <-Srv.Store.User().Get(user_id); result.Err != nil {
+	if result := <-Srv.Store.User().Get(userId); result.Err != nil {
 		c.Err = result.Err
 		return
 	} else {
 		user = result.Data.(*model.User)
 	}
 
-	// only another system admin can modify another system admin
-	if model.IsInRole(user.GetRawRoles(), model.ROLE_SYSTEM_ADMIN.Id) && !HasPermissionToContext(c, model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE) {
-		c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.system_admin_needed.app_error", nil, "")
-		c.Err.StatusCode = http.StatusForbidden
+	UpdateUserRoles(c, user, newRoles)
+	if c.Err != nil {
 		return
 	}
 
-	// if the team role has changed then lets update team members
-	if len(team_id) > 0 {
-
-		var members []*model.TeamMember
-		if result := <-Srv.Store.Team().GetTeamsForUser(user_id); result.Err != nil {
-			c.Err = result.Err
-			return
-		} else {
-			members = result.Data.([]*model.TeamMember)
-		}
-
-		var member *model.TeamMember
-		for _, m := range members {
-			if m.TeamId == team_id {
-				member = m
-			}
-		}
-
-		if member == nil {
-			c.SetInvalidParam("updateRoles", "team_id")
-			return
-		}
-
-		if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
-			currentUserTeamMember := c.Session.GetTeamByTeamId(team_id)
-
-			// Only the system admin can modify other team
-			if currentUserTeamMember == nil {
-				c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.system_admin_needed.app_error", nil, "")
-				c.Err.StatusCode = http.StatusForbidden
-				return
-			}
-
-			// Only another team admin can make a team admin
-			if model.IsInRole(new_roles, model.ROLE_TEAM_ADMIN.Id) && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_ROLES) {
-				c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.team_admin_needed.app_error", nil, "")
-				c.Err.StatusCode = http.StatusForbidden
-				return
-			}
-		}
-		c.Err = nil
-
-		member.Roles = new_roles
-
-		if result := <-Srv.Store.Team().UpdateMember(member); result.Err != nil {
-			c.Err = result.Err
-			return
-		}
-	} else {
-		// If the users role has changed then lets update the user
-		UpdateUserRoles(c, user, new_roles)
-		if c.Err != nil {
-			return
-		}
-
-		uchan := Srv.Store.Session().UpdateRoles(user.Id, new_roles)
-
-		if result := <-uchan; result.Err != nil {
-			// soft error since the user roles were still updated
-			l4g.Error(result.Err)
-		}
-	}
-
-	RemoveAllSessionsForUserId(user_id)
-
-	data := make(map[string]string)
-	data["user_id"] = user_id
-	w.Write([]byte(model.MapToJson(data)))
+	rdata := map[string]string{}
+	rdata["status"] = "ok"
+	w.Write([]byte(model.MapToJson(rdata)))
 }
 
-func UpdateUserRoles(c *Context, user *model.User, roles string) *model.User {
+func UpdateUserRoles(c *Context, user *model.User, newRoles string) *model.User {
 
-	user.Roles = roles
+	user.Roles = newRoles
+	uchan := Srv.Store.User().Update(user, true)
+	schan := Srv.Store.Session().UpdateRoles(user.Id, newRoles)
 
 	var ruser *model.User
-	if result := <-Srv.Store.User().Update(user, true); result.Err != nil {
+	if result := <-uchan; result.Err != nil {
 		c.Err = result.Err
 		return nil
 	} else {
-		c.LogAuditWithUserId(user.Id, "roles="+roles)
+		c.LogAuditWithUserId(user.Id, "roles="+newRoles)
 		ruser = result.Data.([2]*model.User)[0]
 	}
 
+	if result := <-schan; result.Err != nil {
+		// soft error since the user roles were still updated
+		l4g.Error(result.Err)
+	}
+
+	RemoveAllSessionsForUserId(user.Id)
+
 	return ruser
 }
 
diff --git a/api/user_test.go b/api/user_test.go
index a68d1199a..7f36083a6 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -924,18 +924,14 @@ func TestUserUpdateRoles(t *testing.T) {
 	LinkUserToTeam(user2, team)
 	store.Must(Srv.Store.User().VerifyEmail(user2.Id))
 
-	data := make(map[string]string)
-	data["user_id"] = user.Id
-	data["new_roles"] = ""
-
-	if _, err := Client.UpdateUserRoles(data); err == nil {
+	if _, err := Client.UpdateUserRoles(user.Id, ""); err == nil {
 		t.Fatal("Should have errored, not logged in")
 	}
 
 	Client.Login(user2.Email, "passwd1")
 	Client.SetTeamId(team.Id)
 
-	if _, err := Client.UpdateUserRoles(data); err == nil {
+	if _, err := Client.UpdateUserRoles(user.Id, ""); err == nil {
 		t.Fatal("Should have errored, not admin")
 	}
 
@@ -950,158 +946,78 @@ func TestUserUpdateRoles(t *testing.T) {
 	Client.Login(user3.Email, "passwd1")
 	Client.SetTeamId(team2.Id)
 
-	data["user_id"] = user2.Id
-
-	if _, err := Client.UpdateUserRoles(data); err == nil {
+	if _, err := Client.UpdateUserRoles(user2.Id, ""); err == nil {
 		t.Fatal("Should have errored, wrong team")
 	}
 
 	Client.Login(user.Email, "passwd1")
 
-	data["user_id"] = "junk"
-
-	if _, err := Client.UpdateUserRoles(data); err == nil {
+	if _, err := Client.UpdateUserRoles("junk", ""); err == nil {
 		t.Fatal("Should have errored, bad id")
 	}
 
-	data["user_id"] = "12345678901234567890123456"
-
-	if _, err := Client.UpdateUserRoles(data); err == nil {
+	if _, err := Client.UpdateUserRoles("12345678901234567890123456", ""); err == nil {
 		t.Fatal("Should have errored, bad id")
 	}
 
-	data["user_id"] = user2.Id
-	data["new_roles"] = "junk"
-
-	if _, err := Client.UpdateUserRoles(data); err == nil {
+	if _, err := Client.UpdateUserRoles(user2.Id, "junk"); err == nil {
 		t.Fatal("Should have errored, bad role")
 	}
 }
 
 func TestUserUpdateRolesMoreCases(t *testing.T) {
 	th := Setup().InitSystemAdmin().InitBasic()
+	th.SystemAdminClient.SetTeamId(th.BasicTeam.Id)
+	LinkUserToTeam(th.SystemAdminUser, th.BasicTeam)
 
-	data := make(map[string]string)
-
-	// invalid team Id
-	data["user_id"] = th.BasicUser2.Id
-	data["new_roles"] = ""
-	data["team_id"] = model.NewId()
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
-		t.Fatal("Should have errored")
-	}
-
-	// user 1 is trying to change user 2
-	data["user_id"] = th.BasicUser2.Id
-	data["new_roles"] = ""
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
-		t.Fatal("Should have errored, you can only demote yourself")
-	}
+	const BASIC_USER = "system_user"
+	const SYSTEM_ADMIN = "system_user system_admin"
 
 	// user 1 is trying to promote user 2
-	data["user_id"] = th.BasicUser2.Id
-	data["new_roles"] = model.ROLE_TEAM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
-		t.Fatal("Should have errored, you can only demote yourself")
+	if _, err := th.BasicClient.UpdateUserRoles(th.BasicUser2.Id, SYSTEM_ADMIN); err == nil {
+		t.Fatal("Should have errored, basic user is not a system admin")
 	}
 
-	// user 1 is trying to promote user 2
-	data["user_id"] = th.BasicUser2.Id
-	data["new_roles"] = model.ROLE_SYSTEM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
-		t.Fatal("Should have errored, you can only demote yourself")
-	}
-
-	// user 1 is trying to promote himself
-	data["user_id"] = th.BasicUser.Id
-	data["new_roles"] = model.ROLE_TEAM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
-		t.Fatal("Should have errored, you cannot elevate your permissions")
+	// user 1 is trying to demote system admin
+	if _, err := th.BasicClient.UpdateUserRoles(th.SystemAdminUser.Id, BASIC_USER); err == nil {
+		t.Fatal("Should have errored, can only be system admin")
 	}
 
 	// user 1 is trying to promote himself
-	data["user_id"] = th.BasicUser.Id
-	data["new_roles"] = model.ROLE_SYSTEM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
-		t.Fatal("Should have errored, you cannot elevate your permissions")
-	}
-
-	th.LoginSystemAdmin()
-
-	// promote user to team admin
-	data["user_id"] = th.BasicUser.Id
-	data["new_roles"] = model.ROLE_TEAM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.SystemAdminClient.UpdateUserRoles(data); err != nil {
-		t.Fatal("Should have succeeded since they are system admin")
+	if _, err := th.BasicClient.UpdateUserRoles(th.BasicUser.Id, SYSTEM_ADMIN); err == nil {
+		t.Fatal("Should have errored, can only be system admin")
 	}
 
-	// demote team admin to basic member
-	data["user_id"] = th.BasicUser.Id
-	data["new_roles"] = ""
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.SystemAdminClient.UpdateUserRoles(data); err != nil {
+	// System admin promoting user 2
+	if _, err := th.SystemAdminClient.UpdateUserRoles(th.BasicUser2.Id, SYSTEM_ADMIN); err != nil {
 		t.Fatal("Should have succeeded since they are system admin")
 	}
 
-	// re-promote user to team admin
-	data["user_id"] = th.BasicUser.Id
-	data["new_roles"] = model.ROLE_TEAM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.SystemAdminClient.UpdateUserRoles(data); err != nil {
+	// System admin demoting user 2
+	if _, err := th.SystemAdminClient.UpdateUserRoles(th.BasicUser2.Id, BASIC_USER); err != nil {
 		t.Fatal("Should have succeeded since they are system admin")
 	}
 
-	// user 1 is promoting user 2 to team admin
-	data["user_id"] = th.BasicUser2.Id
-	data["new_roles"] = model.ROLE_TEAM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err != nil {
-		t.Fatal("Should have succeeded since they are team admin")
-	}
-
-	// user 1 is trying to promote user 2 from team admin to system admin
-	data["user_id"] = th.BasicUser2.Id
-	data["new_roles"] = model.ROLE_SYSTEM_ADMIN.Id
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
-		t.Fatal("Should have errored, can only be system admin")
-	}
+	// Setting user to team admin should have no effect on results
+	th.BasicClient.Must(th.SystemAdminClient.UpdateTeamRoles(th.BasicUser.Id, "team_user team_admin"))
 
-	// user 1 is demoting user 2 to a regular member
-	data["user_id"] = th.BasicUser2.Id
-	data["new_roles"] = ""
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err != nil {
-		t.Fatal("Should have succeeded since they are team admin")
+	// user 1 is trying to promote user 2
+	if _, err := th.BasicClient.UpdateUserRoles(th.BasicUser2.Id, SYSTEM_ADMIN); err == nil {
+		t.Fatal("Should have errored, basic user is not a system admin")
 	}
 
 	// user 1 is trying to demote system admin
-	data["user_id"] = th.SystemAdminUser.Id
-	data["new_roles"] = ""
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
+	if _, err := th.BasicClient.UpdateUserRoles(th.SystemAdminUser.Id, BASIC_USER); err == nil {
 		t.Fatal("Should have errored, can only be system admin")
 	}
 
-	// user 1 as team admin is demoting himself
-	data["user_id"] = th.BasicUser.Id
-	data["new_roles"] = ""
-	data["team_id"] = th.BasicTeam.Id
-	if _, err := th.BasicClient.UpdateUserRoles(data); err != nil {
-		t.Fatal("Should have succeeded")
+	// user 1 is trying to promote himself
+	if _, err := th.BasicClient.UpdateUserRoles(th.BasicUser.Id, SYSTEM_ADMIN); err == nil {
+		t.Fatal("Should have errored, can only be system admin")
 	}
 
 	// system admin demoting himself
-	data["user_id"] = th.SystemAdminUser.Id
-	data["new_roles"] = ""
-	data["team_id"] = ""
-	if _, err := th.SystemAdminClient.UpdateUserRoles(data); err != nil {
+	if _, err := th.SystemAdminClient.UpdateUserRoles(th.SystemAdminUser.Id, BASIC_USER); err != nil {
 		t.Fatal("Should have succeeded since they are system admin")
 	}
 }