diff options
| author | Joram Wilander <jwawilander@gmail.com> | 2017-01-23 08:12:05 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-01-23 08:12:05 -0500 |
| commit | e9c9688b343049c6d461260bd15fff3486238f92 (patch) | |
| tree | a112e51de0e7f9989b173b7dbc4ad89080cc0e34 /app/authorization.go | |
| parent | b064457c745ae6bf27e5e6933a0a7406f3f4921d (diff) | |
| download | chat-e9c9688b343049c6d461260bd15fff3486238f92.tar.gz chat-e9c9688b343049c6d461260bd15fff3486238f92.tar.bz2 chat-e9c9688b343049c6d461260bd15fff3486238f92.zip | |
Move permissions code into app package (#5146)
* Move permissions code into app package
* Revert getPosts permission
Diffstat (limited to 'app/authorization.go')
| -rw-r--r-- | app/authorization.go | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/app/authorization.go b/app/authorization.go new file mode 100644 index 000000000..0f48b3c9d --- /dev/null +++ b/app/authorization.go @@ -0,0 +1,166 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package app + +import ( + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/model" +) + +func SessionHasPermissionTo(session model.Session, permission *model.Permission) bool { + return CheckIfRolesGrantPermission(session.GetUserRoles(), permission.Id) +} + +func SessionHasPermissionToTeam(session model.Session, teamId string, permission *model.Permission) bool { + if teamId == "" { + return false + } + + teamMember := session.GetTeamByTeamId(teamId) + if teamMember != nil { + if CheckIfRolesGrantPermission(teamMember.GetRoles(), permission.Id) { + return true + } + } + + return SessionHasPermissionTo(session, permission) +} + +func SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool { + if channelId == "" { + return false + } + + channelMember, err := GetChannelMember(channelId, session.UserId) + if err == nil { + roles := channelMember.GetRoles() + if CheckIfRolesGrantPermission(roles, permission.Id) { + return true + } + } + + var channel *model.Channel + channel, err = GetChannel(channelId) + if err == nil { + return SessionHasPermissionToTeam(session, channel.TeamId, permission) + } + + return SessionHasPermissionTo(session, permission) +} + +func SessionHasPermissionToChannelByPost(session model.Session, postId string, permission *model.Permission) bool { + var channelMember *model.ChannelMember + if result := <-Srv.Store.Channel().GetMemberForPost(postId, session.UserId); result.Err == nil { + channelMember = result.Data.(*model.ChannelMember) + + if CheckIfRolesGrantPermission(channelMember.GetRoles(), permission.Id) { + return true + } + } + + if result := <-Srv.Store.Channel().GetForPost(postId); result.Err == nil { + channel := result.Data.(*model.Channel) + return SessionHasPermissionToTeam(session, channel.TeamId, permission) + } + + return SessionHasPermissionTo(session, permission) +} + +func SessionHasPermissionToUser(session model.Session, userId string) bool { + if userId == "" { + return false + } + + if session.UserId == userId { + return true + } + + if SessionHasPermissionTo(session, model.PERMISSION_EDIT_OTHER_USERS) { + return true + } + + return false +} + +func HasPermissionTo(askingUserId string, permission *model.Permission) bool { + user, err := GetUser(askingUserId) + if err != nil { + return false + } + + roles := user.GetRoles() + + return CheckIfRolesGrantPermission(roles, permission.Id) +} + +func HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool { + if teamId == "" || askingUserId == "" { + return false + } + + teamMember, err := GetTeamMember(teamId, askingUserId) + if err != nil { + return false + } + + roles := teamMember.GetRoles() + + if CheckIfRolesGrantPermission(roles, permission.Id) { + return true + } + + return HasPermissionTo(askingUserId, permission) +} + +func HasPermissionToChannel(askingUserId string, channelId string, permission *model.Permission) bool { + if channelId == "" || askingUserId == "" { + return false + } + + channelMember, err := GetChannelMember(channelId, askingUserId) + if err == nil { + roles := channelMember.GetRoles() + if CheckIfRolesGrantPermission(roles, permission.Id) { + return true + } + } + + var channel *model.Channel + channel, err = GetChannel(channelId) + if err == nil { + return HasPermissionToTeam(askingUserId, channel.TeamId, permission) + } + + return HasPermissionTo(askingUserId, permission) +} + +func HasPermissionToUser(askingUserId string, userId string) bool { + if askingUserId == userId { + return true + } + + if HasPermissionTo(askingUserId, model.PERMISSION_EDIT_OTHER_USERS) { + return true + } + + return false +} + +func CheckIfRolesGrantPermission(roles []string, permissionId string) bool { + for _, roleId := range roles { + if role, ok := model.BuiltInRoles[roleId]; !ok { + l4g.Debug("Bad role in system " + roleId) + return false + } else { + permissions := role.Permissions + for _, permission := range permissions { + if permission == permissionId { + return true + } + } + } + } + + return false +} |