Merge branch 'advanced-permissions-phase-2'

author: George Goldberg <george@gberg.me> 2018-05-31 10:25:31 +0100
committer: George Goldberg <george@gberg.me> 2018-05-31 10:25:31 +0100
commit: 27e7841a734e9c3ed71f988a653f5865d2ef6f91 (patch)
tree: 1ccc65246fb166c25a9923f4e05ad7d6223892d1 /app
parent: e39f5f46f3f6cdcb7ab8aeef8c601047f5942f85 (diff)
parent: 994ccf475f96bcad668269fe25b0d22e975bc222 (diff)
download: chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.tar.gz
chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.tar.bz2
chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.zip
11 files changed, 1065 insertions, 53 deletions
diff --git a/app/app.go b/app/app.go
index 6de75855c..bda56ca1a 100644
--- a/app/app.go
+++ b/app/app.go
@@ -20,6 +20,7 @@ import (
 	"github.com/mattermost/mattermost-server/einterfaces"
 	ejobs "github.com/mattermost/mattermost-server/einterfaces/jobs"
 	"github.com/mattermost/mattermost-server/jobs"
+	tjobs "github.com/mattermost/mattermost-server/jobs/interfaces"
 	"github.com/mattermost/mattermost-server/mlog"
 	"github.com/mattermost/mattermost-server/model"
 	"github.com/mattermost/mattermost-server/plugin/pluginenv"
@@ -29,6 +30,7 @@ import (
 )
 
 const ADVANCED_PERMISSIONS_MIGRATION_KEY = "AdvancedPermissionsMigrationComplete"
+const EMOJIS_PERMISSIONS_MIGRATION_KEY = "EmojisPermissionsMigrationComplete"
 
 type App struct {
 	goroutineCount      int32
@@ -56,7 +58,6 @@ type App struct {
 	Compliance       einterfaces.ComplianceInterface
 	DataRetention    einterfaces.DataRetentionInterface
 	Elasticsearch    einterfaces.ElasticsearchInterface
-	Emoji            einterfaces.EmojiInterface
 	Ldap             einterfaces.LdapInterface
 	MessageExport    einterfaces.MessageExportInterface
 	Metrics          einterfaces.MetricsInterface
@@ -93,6 +94,8 @@ type App struct {
 	clientConfig     map[string]string
 	clientConfigHash string
 	diagnosticId     string
+
+	phase2PermissionsMigrationComplete bool
 }
 
 var appCount = 0
@@ -285,12 +288,6 @@ func RegisterElasticsearchInterface(f func(*App) einterfaces.ElasticsearchInterf
 	elasticsearchInterface = f
 }
 
-var emojiInterface func(*App) einterfaces.EmojiInterface
-
-func RegisterEmojiInterface(f func(*App) einterfaces.EmojiInterface) {
-	emojiInterface = f
-}
-
 var jobsDataRetentionJobInterface func(*App) ejobs.DataRetentionJobInterface
 
 func RegisterJobsDataRetentionJobInterface(f func(*App) ejobs.DataRetentionJobInterface) {
@@ -321,6 +318,12 @@ func RegisterJobsLdapSyncInterface(f func(*App) ejobs.LdapSyncInterface) {
 	jobsLdapSyncInterface = f
 }
 
+var jobsMigrationsInterface func(*App) tjobs.MigrationsJobInterface
+
+func RegisterJobsMigrationsJobInterface(f func(*App) tjobs.MigrationsJobInterface) {
+	jobsMigrationsInterface = f
+}
+
 var ldapInterface func(*App) einterfaces.LdapInterface
 
 func RegisterLdapInterface(f func(*App) einterfaces.LdapInterface) {
@@ -367,9 +370,6 @@ func (a *App) initEnterprise() {
 	if elasticsearchInterface != nil {
 		a.Elasticsearch = elasticsearchInterface(a)
 	}
-	if emojiInterface != nil {
-		a.Emoji = emojiInterface(a)
-	}
 	if ldapInterface != nil {
 		a.Ldap = ldapInterface(a)
 		a.AddConfigListener(func(_, cfg *model.Config) {
@@ -415,6 +415,9 @@ func (a *App) initJobs() {
 	if jobsLdapSyncInterface != nil {
 		a.Jobs.LdapSync = jobsLdapSyncInterface(a)
 	}
+	if jobsMigrationsInterface != nil {
+		a.Jobs.Migrations = jobsMigrationsInterface(a)
+	}
 }
 
 func (a *App) DiagnosticId() string {
@@ -580,3 +583,86 @@ func (a *App) DoAdvancedPermissionsMigration() {
 		mlog.Critical(fmt.Sprint(result.Err))
 	}
 }
+
+func (a *App) SetPhase2PermissionsMigrationStatus(isComplete bool) error {
+	if !isComplete {
+		res := <-a.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2)
+		if res.Err != nil {
+			return res.Err
+		}
+	}
+	a.phase2PermissionsMigrationComplete = isComplete
+	return nil
+}
+
+func (a *App) DoEmojisPermissionsMigration() {
+	// If the migration is already marked as completed, don't do it again.
+	if result := <-a.Srv.Store.System().GetByName(EMOJIS_PERMISSIONS_MIGRATION_KEY); result.Err == nil {
+		return
+	}
+
+	var role *model.Role = nil
+	var systemAdminRole *model.Role = nil
+	var err *model.AppError = nil
+
+	mlog.Info("Migrating emojis config to database.")
+	switch *a.Config().ServiceSettings.RestrictCustomEmojiCreation {
+	case model.RESTRICT_EMOJI_CREATION_ALL:
+		role, err = a.GetRoleByName(model.SYSTEM_USER_ROLE_ID)
+		if err != nil {
+			mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+			mlog.Critical(err.Error())
+			return
+		}
+		break
+	case model.RESTRICT_EMOJI_CREATION_ADMIN:
+		role, err = a.GetRoleByName(model.TEAM_ADMIN_ROLE_ID)
+		if err != nil {
+			mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+			mlog.Critical(err.Error())
+			return
+		}
+		break
+	case model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN:
+		role = nil
+		break
+	default:
+		mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+		mlog.Critical("Invalid restrict emoji creation setting")
+		return
+	}
+
+	if role != nil {
+		role.Permissions = append(role.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
+		if result := <-a.Srv.Store.Role().Save(role); result.Err != nil {
+			mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+			mlog.Critical(result.Err.Error())
+			return
+		}
+	}
+
+	systemAdminRole, err = a.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	if err != nil {
+		mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+		mlog.Critical(err.Error())
+		return
+	}
+
+	systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
+	systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id)
+	if result := <-a.Srv.Store.Role().Save(systemAdminRole); result.Err != nil {
+		mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+		mlog.Critical(result.Err.Error())
+		return
+	}
+
+	system := model.System{
+		Name:  EMOJIS_PERMISSIONS_MIGRATION_KEY,
+		Value: "true",
+	}
+
+	if result := <-a.Srv.Store.System().Save(&system); result.Err != nil {
+		mlog.Critical("Failed to mark emojis permissions migration as completed.")
+		mlog.Critical(fmt.Sprint(result.Err))
+	}
+}
diff --git a/app/app_test.go b/app/app_test.go
index cb6917073..dd6f0b593 100644
--- a/app/app_test.go
+++ b/app/app_test.go
@@ -455,3 +455,138 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
 	*config.ServiceSettings.PostEditTimeLimit = 300
 	th.App.SaveConfig(config, false)
 }
+
+func TestDoEmojisPermissionsMigration(t *testing.T) {
+	th := Setup()
+	defer th.TearDown()
+
+	if testStoreSqlSupplier == nil {
+		t.Skip("This test requires a TestStore to be run.")
+	}
+
+	// Add a license and change the policy config.
+	restrictCustomEmojiCreation := *th.App.Config().ServiceSettings.RestrictCustomEmojiCreation
+
+	defer func() {
+		th.App.UpdateConfig(func(cfg *model.Config) {
+			*cfg.ServiceSettings.RestrictCustomEmojiCreation = restrictCustomEmojiCreation
+		})
+	}()
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN
+	})
+
+	th.ResetEmojisMigration()
+	th.App.DoEmojisPermissionsMigration()
+
+	expectedSystemAdmin := []string{
+		model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
+		model.PERMISSION_MANAGE_SYSTEM.Id,
+		model.PERMISSION_MANAGE_ROLES.Id,
+		model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+		model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+		model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+		model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+		model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+		model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+		model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+		model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+		model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
+		model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+		model.PERMISSION_EDIT_OTHER_USERS.Id,
+		model.PERMISSION_MANAGE_OAUTH.Id,
+		model.PERMISSION_INVITE_USER.Id,
+		model.PERMISSION_DELETE_POST.Id,
+		model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		model.PERMISSION_CREATE_TEAM.Id,
+		model.PERMISSION_ADD_USER_TO_TEAM.Id,
+		model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
+		model.PERMISSION_MANAGE_JOBS.Id,
+		model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		model.PERMISSION_CREATE_POST_EPHEMERAL.Id,
+		model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+		model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+		model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+		model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
+		model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+		model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+		model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+		model.PERMISSION_VIEW_TEAM.Id,
+		model.PERMISSION_READ_CHANNEL.Id,
+		model.PERMISSION_ADD_REACTION.Id,
+		model.PERMISSION_REMOVE_REACTION.Id,
+		model.PERMISSION_UPLOAD_FILE.Id,
+		model.PERMISSION_GET_PUBLIC_LINK.Id,
+		model.PERMISSION_CREATE_POST.Id,
+		model.PERMISSION_USE_SLASH_COMMANDS.Id,
+		model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+		model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM.Id,
+		model.PERMISSION_IMPORT_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+		model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		model.PERMISSION_EDIT_POST.Id,
+		model.PERMISSION_MANAGE_EMOJIS.Id,
+		model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id,
+	}
+
+	role1, err1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	assert.Nil(t, err1)
+	assert.Equal(t, expectedSystemAdmin, role1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ADMIN
+	})
+
+	th.ResetEmojisMigration()
+	th.App.DoEmojisPermissionsMigration()
+
+	role2, err2 := th.App.GetRoleByName(model.TEAM_ADMIN_ROLE_ID)
+	assert.Nil(t, err2)
+	expected2 := []string{
+		model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+		model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM.Id,
+		model.PERMISSION_IMPORT_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+		model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+		model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		model.PERMISSION_DELETE_POST.Id,
+		model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		model.PERMISSION_MANAGE_EMOJIS.Id,
+	}
+	assert.Equal(t, expected2, role2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.TEAM_ADMIN_ROLE_ID))
+
+	systemAdmin1, systemAdminErr1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	assert.Nil(t, systemAdminErr1)
+	assert.Equal(t, expectedSystemAdmin, systemAdmin1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ALL
+	})
+
+	th.ResetEmojisMigration()
+	th.App.DoEmojisPermissionsMigration()
+
+	role3, err3 := th.App.GetRoleByName(model.SYSTEM_USER_ROLE_ID)
+	assert.Nil(t, err3)
+	expected3 := []string{
+		model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
+		model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
+		model.PERMISSION_PERMANENT_DELETE_USER.Id,
+		model.PERMISSION_CREATE_TEAM.Id,
+		model.PERMISSION_MANAGE_EMOJIS.Id,
+	}
+	assert.Equal(t, expected3, role3.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_USER_ROLE_ID))
+
+	systemAdmin2, systemAdminErr2 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	assert.Nil(t, systemAdminErr2)
+	assert.Equal(t, expectedSystemAdmin, systemAdmin2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
+}
diff --git a/app/apptestlib.go b/app/apptestlib.go
index 7fc78c9c9..d4a79bdcc 100644
--- a/app/apptestlib.go
+++ b/app/apptestlib.go
@@ -110,6 +110,7 @@ func setupTestHelper(enterprise bool) *TestHelper {
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = prevListenAddress })
 
 	th.App.DoAdvancedPermissionsMigration()
+	th.App.DoEmojisPermissionsMigration()
 
 	th.App.Srv.Store.MarkSystemRanUnitTests()
 
@@ -316,6 +317,40 @@ func (me *TestHelper) AddUserToChannel(user *model.User, channel *model.Channel)
 	return member
 }
 
+func (me *TestHelper) CreateScheme() (*model.Scheme, []*model.Role) {
+	utils.DisableDebugLogForTest()
+
+	scheme, err := me.App.CreateScheme(&model.Scheme{
+		DisplayName: "Test Scheme Display Name",
+		Name:        model.NewId(),
+		Description: "Test scheme description",
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	roleIDs := []string{
+		scheme.DefaultTeamAdminRole,
+		scheme.DefaultTeamUserRole,
+		scheme.DefaultChannelAdminRole,
+		scheme.DefaultChannelUserRole,
+	}
+
+	var roles []*model.Role
+	for _, roleID := range roleIDs {
+		role, err := me.App.GetRole(roleID)
+		if err != nil {
+			panic(err)
+		}
+		roles = append(roles, role)
+	}
+
+	utils.EnableDebugLogForTest()
+
+	return scheme, roles
+}
+
 func (me *TestHelper) TearDown() {
 	me.App.Shutdown()
 	os.Remove(me.tempConfigPath)
@@ -399,6 +434,18 @@ func (me *TestHelper) ResetRoleMigration() {
 	}
 }
 
+func (me *TestHelper) ResetEmojisMigration() {
+	if _, err := testStoreSqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ', manage_emojis', '') WHERE builtin=True"); err != nil {
+		panic(err)
+	}
+
+	testClusterInterface.sendClearRoleCacheMessage()
+
+	if _, err := testStoreSqlSupplier.GetMaster().Exec("DELETE from Systems where Name = :Name", map[string]interface{}{"Name": EMOJIS_PERMISSIONS_MIGRATION_KEY}); err != nil {
+		panic(err)
+	}
+}
+
 type FakeClusterInterface struct {
 	clusterMessageHandler einterfaces.ClusterMessageHandler
 }
diff --git a/app/authorization.go b/app/authorization.go
index f281b3e65..3de50e27b 100644
--- a/app/authorization.go
+++ b/app/authorization.go
@@ -94,19 +94,6 @@ func (a *App) SessionHasPermissionToUser(session model.Session, userId string) b
 	return false
 }
 
-func (a *App) SessionHasPermissionToPost(session model.Session, postId string, permission *model.Permission) bool {
-	post, err := a.GetSinglePost(postId)
-	if err != nil {
-		return false
-	}
-
-	if post.UserId == session.UserId {
-		return true
-	}
-
-	return a.SessionHasPermissionToChannel(session, post.ChannelId, permission)
-}
-
 func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission) bool {
 	user, err := a.GetUser(askingUserId)
 	if err != nil {
@@ -200,6 +187,10 @@ func (a *App) RolesGrantPermission(roleNames []string, permissionId string) bool
 	}
 
 	for _, role := range roles {
+		if role.DeleteAt != 0 {
+			continue
+		}
+
 		permissions := role.Permissions
 		for _, permission := range permissions {
 			if permission == permissionId {
diff --git a/app/channel.go b/app/channel.go
index b5afdea2d..55a5008d4 100644
--- a/app/channel.go
+++ b/app/channel.go
@@ -32,7 +32,7 @@ func (a *App) CreateDefaultChannels(teamId string) ([]*model.Channel, *model.App
 	return channels, nil
 }
 
-func (a *App) JoinDefaultChannels(teamId string, user *model.User, channelRole string, userRequestorId string) *model.AppError {
+func (a *App) JoinDefaultChannels(teamId string, user *model.User, shouldBeAdmin bool, userRequestorId string) *model.AppError {
 	var err *model.AppError = nil
 
 	var requestor *model.User
@@ -52,7 +52,8 @@ func (a *App) JoinDefaultChannels(teamId string, user *model.User, channelRole s
 		cm := &model.ChannelMember{
 			ChannelId:   townSquare.Id,
 			UserId:      user.Id,
-			Roles:       channelRole,
+			SchemeUser:  true,
+			SchemeAdmin: shouldBeAdmin,
 			NotifyProps: model.GetDefaultChannelNotifyProps(),
 		}
 
@@ -85,7 +86,8 @@ func (a *App) JoinDefaultChannels(teamId string, user *model.User, channelRole s
 		cm := &model.ChannelMember{
 			ChannelId:   offTopic.Id,
 			UserId:      user.Id,
-			Roles:       channelRole,
+			SchemeUser:  true,
+			SchemeAdmin: shouldBeAdmin,
 			NotifyProps: model.GetDefaultChannelNotifyProps(),
 		}
 
@@ -166,7 +168,8 @@ func (a *App) CreateChannel(channel *model.Channel, addMember bool) (*model.Chan
 			cm := &model.ChannelMember{
 				ChannelId:   sc.Id,
 				UserId:      channel.CreatorId,
-				Roles:       model.CHANNEL_USER_ROLE_ID + " " + model.CHANNEL_ADMIN_ROLE_ID,
+				SchemeUser:  true,
+				SchemeAdmin: true,
 				NotifyProps: model.GetDefaultChannelNotifyProps(),
 			}
 
@@ -322,7 +325,7 @@ func (a *App) createGroupChannel(userIds []string, creatorId string) (*model.Cha
 				UserId:      user.Id,
 				ChannelId:   group.Id,
 				NotifyProps: model.GetDefaultChannelNotifyProps(),
-				Roles:       model.CHANNEL_USER_ROLE_ID,
+				SchemeUser:  true,
 			}
 
 			if result := <-a.Srv.Store.Channel().SaveMember(cm); result.Err != nil {
@@ -351,6 +354,23 @@ func (a *App) UpdateChannel(channel *model.Channel) (*model.Channel, *model.AppE
 	}
 }
 
+func (a *App) UpdateChannelScheme(channel *model.Channel) (*model.Channel, *model.AppError) {
+	var oldChannel *model.Channel
+	var err *model.AppError
+	if oldChannel, err = a.GetChannel(channel.Id); err != nil {
+		return nil, err
+	}
+
+	oldChannel.SchemeId = channel.SchemeId
+
+	newChannel, err := a.UpdateChannel(oldChannel)
+	if err != nil {
+		return nil, err
+	}
+
+	return newChannel, nil
+}
+
 func (a *App) UpdateChannelPrivacy(oldChannel *model.Channel, user *model.User) (*model.Channel, *model.AppError) {
 	if channel, err := a.UpdateChannel(oldChannel); err != nil {
 		return channel, err
@@ -438,6 +458,39 @@ func (a *App) PatchChannel(channel *model.Channel, patch *model.ChannelPatch, us
 	return channel, err
 }
 
+func (a *App) GetSchemeRolesForChannel(channelId string) (string, string, *model.AppError) {
+	var channel *model.Channel
+	var err *model.AppError
+
+	if channel, err = a.GetChannel(channelId); err != nil {
+		return "", "", err
+	}
+
+	if channel.SchemeId != nil && len(*channel.SchemeId) != 0 {
+		if scheme, err := a.GetScheme(*channel.SchemeId); err != nil {
+			return "", "", err
+		} else {
+			return scheme.DefaultChannelUserRole, scheme.DefaultChannelAdminRole, nil
+		}
+	}
+
+	var team *model.Team
+
+	if team, err = a.GetTeam(channel.TeamId); err != nil {
+		return "", "", err
+	}
+
+	if team.SchemeId != nil && len(*team.SchemeId) != 0 {
+		if scheme, err := a.GetScheme(*team.SchemeId); err != nil {
+			return "", "", err
+		} else {
+			return scheme.DefaultChannelUserRole, scheme.DefaultChannelAdminRole, nil
+		}
+	}
+
+	return model.CHANNEL_USER_ROLE_ID, model.CHANNEL_ADMIN_ROLE_ID, nil
+}
+
 func (a *App) UpdateChannelMemberRoles(channelId string, userId string, newRoles string) (*model.ChannelMember, *model.AppError) {
 	var member *model.ChannelMember
 	var err *model.AppError
@@ -445,14 +498,42 @@ func (a *App) UpdateChannelMemberRoles(channelId string, userId string, newRoles
 		return nil, err
 	}
 
-	if err := a.CheckRolesExist(strings.Fields(newRoles)); err != nil {
+	schemeUserRole, schemeAdminRole, err := a.GetSchemeRolesForChannel(channelId)
+	if err != nil {
 		return nil, err
 	}
 
-	member.Roles = newRoles
+	var newExplicitRoles []string
+	member.SchemeUser = false
+	member.SchemeAdmin = false
+
+	for _, roleName := range strings.Fields(newRoles) {
+		if role, err := a.GetRoleByName(roleName); err != nil {
+			err.StatusCode = http.StatusBadRequest
+			return nil, err
+		} else if !role.SchemeManaged {
+			// The role is not scheme-managed, so it's OK to apply it to the explicit roles field.
+			newExplicitRoles = append(newExplicitRoles, roleName)
+		} else {
+			// The role is scheme-managed, so need to check if it is part of the scheme for this channel or not.
+			switch roleName {
+			case schemeAdminRole:
+				member.SchemeAdmin = true
+			case schemeUserRole:
+				member.SchemeUser = true
+			default:
+				// If not part of the scheme for this channel, then it is not allowed to apply it as an explicit role.
+				return nil, model.NewAppError("UpdateChannelMemberRoles", "api.channel.update_channel_member_roles.scheme_role.app_error", nil, "role_name="+roleName, http.StatusBadRequest)
+			}
+		}
+	}
+
+	member.ExplicitRoles = strings.Join(newExplicitRoles, " ")
 
 	if result := <-a.Srv.Store.Channel().UpdateMember(member); result.Err != nil {
 		return nil, result.Err
+	} else {
+		member = result.Data.(*model.ChannelMember)
 	}
 
 	a.InvalidateCacheForUser(userId)
@@ -597,7 +678,7 @@ func (a *App) addUserToChannel(user *model.User, channel *model.Channel, teamMem
 		ChannelId:   channel.Id,
 		UserId:      user.Id,
 		NotifyProps: model.GetDefaultChannelNotifyProps(),
-		Roles:       model.CHANNEL_USER_ROLE_ID,
+		SchemeUser:  true,
 	}
 	if result := <-a.Srv.Store.Channel().SaveMember(newMember); result.Err != nil {
 		mlog.Error(fmt.Sprintf("Failed to add member user_id=%v channel_id=%v err=%v", user.Id, channel.Id, result.Err), mlog.String("user_id", user.Id))
diff --git a/app/channel_test.go b/app/channel_test.go
index a4e0806a6..336d9b25b 100644
--- a/app/channel_test.go
+++ b/app/channel_test.go
@@ -120,7 +120,7 @@ func TestJoinDefaultChannelsCreatesChannelMemberHistoryRecordTownSquare(t *testi
 
 	// create a new user that joins the default channels
 	user := th.CreateUser()
-	th.App.JoinDefaultChannels(th.BasicTeam.Id, user, model.CHANNEL_USER_ROLE_ID, "")
+	th.App.JoinDefaultChannels(th.BasicTeam.Id, user, false, "")
 
 	// there should be a ChannelMemberHistory record for the user
 	histories := store.Must(th.App.Srv.Store.ChannelMemberHistory().GetUsersInChannelDuring(model.GetMillis()-100, model.GetMillis()+100, townSquareChannelId)).([]*model.ChannelMemberHistoryResult)
@@ -146,7 +146,7 @@ func TestJoinDefaultChannelsCreatesChannelMemberHistoryRecordOffTopic(t *testing
 
 	// create a new user that joins the default channels
 	user := th.CreateUser()
-	th.App.JoinDefaultChannels(th.BasicTeam.Id, user, model.CHANNEL_USER_ROLE_ID, "")
+	th.App.JoinDefaultChannels(th.BasicTeam.Id, user, false, "")
 
 	// there should be a ChannelMemberHistory record for the user
 	histories := store.Must(th.App.Srv.Store.ChannelMemberHistory().GetUsersInChannelDuring(model.GetMillis()-100, model.GetMillis()+100, offTopicChannelId)).([]*model.ChannelMemberHistoryResult)
@@ -381,3 +381,21 @@ func TestAddChannelMemberNoUserRequestor(t *testing.T) {
 		assert.Equal(t, user.Username, post.Props["username"])
 	}
 }
+
+func TestAppUpdateChannelScheme(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	channel := th.BasicChannel
+	mockID := model.NewString("x")
+	channel.SchemeId = mockID
+
+	updatedChannel, err := th.App.UpdateChannelScheme(channel)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if updatedChannel.SchemeId != mockID {
+		t.Fatal("Wrong Channel SchemeId")
+	}
+}
diff --git a/app/permissions.go b/app/permissions.go
index be975e03d..46090070e 100644
--- a/app/permissions.go
+++ b/app/permissions.go
@@ -4,10 +4,33 @@
 package app
 
 import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"io"
+
 	"github.com/mattermost/mattermost-server/model"
+	"github.com/pkg/errors"
 )
 
+const permissionsExportBatchSize = 100
+
 func (a *App) ResetPermissionsSystem() *model.AppError {
+	// Reset all Teams to not have a scheme.
+	if result := <-a.Srv.Store.Team().ResetAllTeamSchemes(); result.Err != nil {
+		return result.Err
+	}
+
+	// Reset all Channels to not have a scheme.
+	if result := <-a.Srv.Store.Channel().ResetAllChannelSchemes(); result.Err != nil {
+		return result.Err
+	}
+
+	// Purge all schemes from the database.
+	if result := <-a.Srv.Store.Scheme().PermanentDeleteAll(); result.Err != nil {
+		return result.Err
+	}
+
 	// Purge all roles from the database.
 	if result := <-a.Srv.Store.Role().PermanentDeleteAll(); result.Err != nil {
 		return result.Err
@@ -20,6 +43,142 @@ func (a *App) ResetPermissionsSystem() *model.AppError {
 
 	// Now that the permissions system has been reset, re-run the migration to reinitialise it.
 	a.DoAdvancedPermissionsMigration()
+	a.DoEmojisPermissionsMigration()
+
+	return nil
+}
+
+func (a *App) ExportPermissions(w io.Writer) error {
+
+	next := a.SchemesIterator(permissionsExportBatchSize)
+	var schemeBatch []*model.Scheme
+
+	for schemeBatch = next(); len(schemeBatch) > 0; schemeBatch = next() {
+
+		for _, scheme := range schemeBatch {
+
+			roleIDs := []string{
+				scheme.DefaultTeamAdminRole,
+				scheme.DefaultTeamUserRole,
+				scheme.DefaultChannelAdminRole,
+				scheme.DefaultChannelUserRole,
+			}
+
+			roles := []*model.Role{}
+			for _, roleID := range roleIDs {
+				if len(roleID) == 0 {
+					continue
+				}
+				role, err := a.GetRole(roleID)
+				if err != nil {
+					return err
+				}
+				roles = append(roles, role)
+			}
+
+			schemeExport, err := json.Marshal(&model.SchemeConveyor{
+				Name:         scheme.Name,
+				DisplayName:  scheme.DisplayName,
+				Description:  scheme.Description,
+				Scope:        scheme.Scope,
+				TeamAdmin:    scheme.DefaultTeamAdminRole,
+				TeamUser:     scheme.DefaultTeamUserRole,
+				ChannelAdmin: scheme.DefaultChannelAdminRole,
+				ChannelUser:  scheme.DefaultChannelUserRole,
+				Roles:        roles,
+			})
+			if err != nil {
+				return err
+			}
+
+			schemeExport = append(schemeExport, []byte("\n")...)
+
+			_, err = w.Write(schemeExport)
+			if err != nil {
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+func (a *App) ImportPermissions(jsonl io.Reader) error {
+	createdSchemeIDs := []string{}
+
+	scanner := bufio.NewScanner(jsonl)
+
+	for scanner.Scan() {
+		var schemeConveyor *model.SchemeConveyor
+		err := json.Unmarshal(scanner.Bytes(), &schemeConveyor)
+		if err != nil {
+			return err
+		}
+
+		// Create the new Scheme. The new Roles are created automatically.
+		var appErr *model.AppError
+		schemeCreated, appErr := a.CreateScheme(schemeConveyor.Scheme())
+		if appErr != nil {
+			return errors.New(appErr.Message)
+		}
+		createdSchemeIDs = append(createdSchemeIDs, schemeCreated.Id)
+
+		schemeIn := schemeConveyor.Scheme()
+		roleIDTuples := [][]string{
+			{schemeCreated.DefaultTeamAdminRole, schemeIn.DefaultTeamAdminRole},
+			{schemeCreated.DefaultTeamUserRole, schemeIn.DefaultTeamUserRole},
+			{schemeCreated.DefaultChannelAdminRole, schemeIn.DefaultChannelAdminRole},
+			{schemeCreated.DefaultChannelUserRole, schemeIn.DefaultChannelUserRole},
+		}
+		for _, roleIDTuple := range roleIDTuples {
+			if len(roleIDTuple[0]) == 0 || len(roleIDTuple[1]) == 0 {
+				continue
+			}
+
+			err = updateRole(a, schemeConveyor, roleIDTuple[0], roleIDTuple[1])
+			if err != nil {
+				// Delete the new Schemes. The new Roles are deleted automatically.
+				for _, schemeID := range createdSchemeIDs {
+					a.DeleteScheme(schemeID)
+				}
+				return err
+			}
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func updateRole(a *App, sc *model.SchemeConveyor, roleCreatedID, defaultRoleID string) error {
+	var err *model.AppError
+
+	roleCreated, err := a.GetRole(roleCreatedID)
+	if err != nil {
+		return errors.New(err.Message)
+	}
+
+	var roleIn *model.Role
+	for _, role := range sc.Roles {
+		if role.Id == defaultRoleID {
+			roleIn = role
+			break
+		}
+	}
+
+	roleCreated.Name = roleIn.Name
+	roleCreated.DisplayName = roleIn.DisplayName
+	roleCreated.Description = roleIn.Description
+	roleCreated.Permissions = roleIn.Permissions
+
+	_, err = a.UpdateRole(roleCreated)
+	if err != nil {
+		return errors.New(fmt.Sprintf("%v: %v\n", err.Message, err.DetailedError))
+	}
 
 	return nil
 }
diff --git a/app/permissions_test.go b/app/permissions_test.go
new file mode 100644
index 000000000..575e21429
--- /dev/null
+++ b/app/permissions_test.go
@@ -0,0 +1,253 @@
+package app
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/mattermost/mattermost-server/model"
+)
+
+type testWriter struct {
+	write func(p []byte) (int, error)
+}
+
+func (tw testWriter) Write(p []byte) (int, error) {
+	return tw.write(p)
+}
+
+func TestExportPermissions(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	var scheme *model.Scheme
+	var roles []*model.Role
+	withMigrationMarkedComplete(th, func() {
+		scheme, roles = th.CreateScheme()
+	})
+
+	results := [][]byte{}
+
+	tw := testWriter{
+		write: func(p []byte) (int, error) {
+			results = append(results, p)
+			return len(p), nil
+		},
+	}
+
+	err := th.App.ExportPermissions(tw)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if len(results) == 0 {
+		t.Error("Expected export to have returned something.")
+	}
+
+	firstResult := results[0]
+
+	var row map[string]interface{}
+	err = json.Unmarshal(firstResult, &row)
+	if err != nil {
+		t.Error(err)
+	}
+
+	getRoleByID := func(id string) string {
+		for _, role := range roles {
+			if role.Id == id {
+				return role.Id
+			}
+		}
+		return ""
+	}
+
+	expectations := map[string]func(str string) string{
+		scheme.DisplayName:             func(str string) string { return row["display_name"].(string) },
+		scheme.Name:                    func(str string) string { return row["name"].(string) },
+		scheme.Description:             func(str string) string { return row["description"].(string) },
+		scheme.Scope:                   func(str string) string { return row["scope"].(string) },
+		scheme.DefaultTeamAdminRole:    func(str string) string { return getRoleByID(str) },
+		scheme.DefaultTeamUserRole:     func(str string) string { return getRoleByID(str) },
+		scheme.DefaultChannelAdminRole: func(str string) string { return getRoleByID(str) },
+		scheme.DefaultChannelUserRole:  func(str string) string { return getRoleByID(str) },
+	}
+
+	for key, valF := range expectations {
+		expected := key
+		actual := valF(key)
+		if actual != expected {
+			t.Errorf("Expected %v but got %v.", expected, actual)
+		}
+	}
+
+}
+
+func TestImportPermissions(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	name := model.NewId()
+	displayName := model.NewId()
+	description := "my test description"
+	scope := model.SCHEME_SCOPE_CHANNEL
+	roleName1 := model.NewId()
+	roleName2 := model.NewId()
+
+	var results []*model.Scheme
+	var beforeCount int
+	withMigrationMarkedComplete(th, func() {
+
+		var appErr *model.AppError
+		results, appErr = th.App.GetSchemes(scope, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+		beforeCount = len(results)
+
+		json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2)
+		r := strings.NewReader(json)
+
+		err := th.App.ImportPermissions(r)
+		if err != nil {
+			t.Error(err)
+		}
+		results, appErr = th.App.GetSchemes(scope, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+
+	})
+
+	actual := len(results)
+	expected := beforeCount + 1
+	if actual != expected {
+		t.Errorf("Expected %v roles but got %v.", expected, actual)
+	}
+
+	newScheme := results[0]
+
+	channelAdminRole, appErr := th.App.GetRole(newScheme.DefaultChannelAdminRole)
+	if appErr != nil {
+		t.Error(appErr)
+	}
+
+	channelUserRole, appErr := th.App.GetRole(newScheme.DefaultChannelUserRole)
+	if appErr != nil {
+		t.Error(appErr)
+	}
+
+	expectations := map[string]string{
+		newScheme.DisplayName:          displayName,
+		newScheme.Name:                 name,
+		newScheme.Description:          description,
+		newScheme.Scope:                scope,
+		newScheme.DefaultTeamAdminRole: "",
+		newScheme.DefaultTeamUserRole:  "",
+		channelAdminRole.Name:          roleName1,
+		channelUserRole.Name:           roleName2,
+	}
+
+	for actual, expected := range expectations {
+		if actual != expected {
+			t.Errorf("Expected %v but got %v.", expected, actual)
+		}
+	}
+
+}
+
+func TestImportPermissions_idempotentScheme(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	name := model.NewId()
+	displayName := model.NewId()
+	description := "my test description"
+	scope := model.SCHEME_SCOPE_CHANNEL
+	roleName1 := model.NewId()
+	roleName2 := model.NewId()
+
+	json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2)
+	jsonl := strings.Repeat(json+"\n", 4)
+	r := strings.NewReader(jsonl)
+
+	var results []*model.Scheme
+	var expected int
+	withMigrationMarkedComplete(th, func() {
+		var appErr *model.AppError
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+		expected = len(results) + 1
+
+		err := th.App.ImportPermissions(r)
+		if err == nil {
+			t.Error(err)
+		}
+
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+	})
+	actual := len(results)
+
+	if expected != actual {
+		t.Errorf("Expected count to be %v but got %v", expected, actual)
+	}
+
+}
+
+func TestImportPermissions_schemeDeletedOnRoleFailure(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	name := model.NewId()
+	displayName := model.NewId()
+	description := "my test description"
+	scope := model.SCHEME_SCOPE_CHANNEL
+	roleName1 := model.NewId()
+	roleName2 := "some invalid role name"
+
+	jsonl := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2)
+	r := strings.NewReader(jsonl)
+
+	var results []*model.Scheme
+	var expected int
+	withMigrationMarkedComplete(th, func() {
+		var appErr *model.AppError
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+		expected = len(results)
+
+		err := th.App.ImportPermissions(r)
+		if err == nil {
+			t.Error(err)
+		}
+
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+	})
+	actual := len(results)
+
+	if expected != actual {
+		t.Errorf("Expected count to be %v but got %v", expected, actual)
+	}
+
+}
+
+func withMigrationMarkedComplete(th *TestHelper, f func()) {
+	// Mark the migration as done.
+	<-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2)
+	<-th.App.Srv.Store.System().Save(&model.System{Name: model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2, Value: "true"})
+	// Un-mark the migration at the end of the test.
+	defer func() {
+		<-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2)
+	}()
+	f()
+}
diff --git a/app/scheme.go b/app/scheme.go
new file mode 100644
index 000000000..f070e36f8
--- /dev/null
+++ b/app/scheme.go
@@ -0,0 +1,168 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package app
+
+import (
+	"net/http"
+
+	"github.com/mattermost/mattermost-server/model"
+	"github.com/mattermost/mattermost-server/store"
+)
+
+func (a *App) GetScheme(id string) (*model.Scheme, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	if result := <-a.Srv.Store.Scheme().Get(id); result.Err != nil {
+		return nil, result.Err
+	} else {
+		return result.Data.(*model.Scheme), nil
+	}
+}
+
+func (a *App) GetSchemesPage(scope string, page int, perPage int) ([]*model.Scheme, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	return a.GetSchemes(scope, page*perPage, perPage)
+}
+
+func (a *App) GetSchemes(scope string, offset int, limit int) ([]*model.Scheme, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	if result := <-a.Srv.Store.Scheme().GetAllPage(scope, offset, limit); result.Err != nil {
+		return nil, result.Err
+	} else {
+		return result.Data.([]*model.Scheme), nil
+	}
+}
+
+func (a *App) CreateScheme(scheme *model.Scheme) (*model.Scheme, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	// Clear any user-provided values for trusted properties.
+	scheme.DefaultTeamAdminRole = ""
+	scheme.DefaultTeamUserRole = ""
+	scheme.DefaultChannelAdminRole = ""
+	scheme.DefaultChannelUserRole = ""
+	scheme.CreateAt = 0
+	scheme.UpdateAt = 0
+	scheme.DeleteAt = 0
+
+	if result := <-a.Srv.Store.Scheme().Save(scheme); result.Err != nil {
+		return nil, result.Err
+	} else {
+		return scheme, nil
+	}
+}
+
+func (a *App) PatchScheme(scheme *model.Scheme, patch *model.SchemePatch) (*model.Scheme, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	scheme.Patch(patch)
+	scheme, err := a.UpdateScheme(scheme)
+	if err != nil {
+		return nil, err
+	}
+
+	return scheme, err
+}
+
+func (a *App) UpdateScheme(scheme *model.Scheme) (*model.Scheme, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	if result := <-a.Srv.Store.Scheme().Save(scheme); result.Err != nil {
+		return nil, result.Err
+	} else {
+		return scheme, nil
+	}
+}
+
+func (a *App) DeleteScheme(schemeId string) (*model.Scheme, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	if result := <-a.Srv.Store.Scheme().Delete(schemeId); result.Err != nil {
+		return nil, result.Err
+	} else {
+		return result.Data.(*model.Scheme), nil
+	}
+}
+
+func (a *App) GetTeamsForSchemePage(scheme *model.Scheme, page int, perPage int) ([]*model.Team, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	return a.GetTeamsForScheme(scheme, page*perPage, perPage)
+}
+
+func (a *App) GetTeamsForScheme(scheme *model.Scheme, offset int, limit int) ([]*model.Team, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	if result := <-a.Srv.Store.Team().GetTeamsByScheme(scheme.Id, offset, limit); result.Err != nil {
+		return nil, result.Err
+	} else {
+		return result.Data.([]*model.Team), nil
+	}
+}
+
+func (a *App) GetChannelsForSchemePage(scheme *model.Scheme, page int, perPage int) (model.ChannelList, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	return a.GetChannelsForScheme(scheme, page*perPage, perPage)
+}
+
+func (a *App) GetChannelsForScheme(scheme *model.Scheme, offset int, limit int) (model.ChannelList, *model.AppError) {
+	if err := a.IsPhase2MigrationCompleted(); err != nil {
+		return nil, err
+	}
+
+	if result := <-a.Srv.Store.Channel().GetChannelsByScheme(scheme.Id, offset, limit); result.Err != nil {
+		return nil, result.Err
+	} else {
+		return result.Data.(model.ChannelList), nil
+	}
+}
+
+func (a *App) IsPhase2MigrationCompleted() *model.AppError {
+	if a.phase2PermissionsMigrationComplete {
+		return nil
+	}
+
+	if result := <-a.Srv.Store.System().GetByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2); result.Err != nil {
+		return model.NewAppError("App.IsPhase2MigrationCompleted", "app.schemes.is_phase_2_migration_completed.not_completed.app_error", nil, result.Err.Error(), http.StatusNotImplemented)
+	}
+
+	a.phase2PermissionsMigrationComplete = true
+
+	return nil
+}
+
+func (a *App) SchemesIterator(batchSize int) func() []*model.Scheme {
+	offset := 0
+	return func() []*model.Scheme {
+		var result store.StoreResult
+		if result = <-a.Srv.Store.Scheme().GetAllPage("", offset, batchSize); result.Err != nil {
+			return []*model.Scheme{}
+		}
+		offset += batchSize
+		return result.Data.([]*model.Scheme)
+	}
+}
diff --git a/app/team.go b/app/team.go
index aca99dd1e..2833e2eed 100644
--- a/app/team.go
+++ b/app/team.go
@@ -114,6 +114,24 @@ func (a *App) UpdateTeam(team *model.Team) (*model.Team, *model.AppError) {
 	return oldTeam, nil
 }
 
+func (a *App) UpdateTeamScheme(team *model.Team) (*model.Team, *model.AppError) {
+	var oldTeam *model.Team
+	var err *model.AppError
+	if oldTeam, err = a.GetTeam(team.Id); err != nil {
+		return nil, err
+	}
+
+	oldTeam.SchemeId = team.SchemeId
+
+	if result := <-a.Srv.Store.Team().Update(oldTeam); result.Err != nil {
+		return nil, result.Err
+	}
+
+	a.sendTeamEvent(oldTeam, model.WEBSOCKET_EVENT_UPDATE_TEAM)
+
+	return oldTeam, nil
+}
+
 func (a *App) PatchTeam(teamId string, patch *model.TeamPatch) (*model.Team, *model.AppError) {
 	team, err := a.GetTeam(teamId)
 	if err != nil {
@@ -142,17 +160,31 @@ func (a *App) sendTeamEvent(team *model.Team, event string) {
 	a.Publish(message)
 }
 
+func (a *App) GetSchemeRolesForTeam(teamId string) (string, string, *model.AppError) {
+	var team *model.Team
+	var err *model.AppError
+
+	if team, err = a.GetTeam(teamId); err != nil {
+		return "", "", err
+	}
+
+	if team.SchemeId != nil && len(*team.SchemeId) != 0 {
+		if scheme, err := a.GetScheme(*team.SchemeId); err != nil {
+			return "", "", err
+		} else {
+			return scheme.DefaultTeamUserRole, scheme.DefaultTeamAdminRole, nil
+		}
+	}
+
+	return model.TEAM_USER_ROLE_ID, model.TEAM_ADMIN_ROLE_ID, nil
+}
+
 func (a *App) UpdateTeamMemberRoles(teamId string, userId string, newRoles string) (*model.TeamMember, *model.AppError) {
 	var member *model.TeamMember
-	if result := <-a.Srv.Store.Team().GetTeamsForUser(userId); result.Err != nil {
+	if result := <-a.Srv.Store.Team().GetMember(teamId, userId); result.Err != nil {
 		return nil, result.Err
 	} else {
-		members := result.Data.([]*model.TeamMember)
-		for _, m := range members {
-			if m.TeamId == teamId {
-				member = m
-			}
-		}
+		member = result.Data.(*model.TeamMember)
 	}
 
 	if member == nil {
@@ -160,14 +192,42 @@ func (a *App) UpdateTeamMemberRoles(teamId string, userId string, newRoles strin
 		return nil, err
 	}
 
-	if err := a.CheckRolesExist(strings.Fields(newRoles)); err != nil {
+	schemeUserRole, schemeAdminRole, err := a.GetSchemeRolesForTeam(teamId)
+	if err != nil {
 		return nil, err
 	}
 
-	member.Roles = newRoles
+	var newExplicitRoles []string
+	member.SchemeUser = false
+	member.SchemeAdmin = false
+
+	for _, roleName := range strings.Fields(newRoles) {
+		if role, err := a.GetRoleByName(roleName); err != nil {
+			err.StatusCode = http.StatusBadRequest
+			return nil, err
+		} else if !role.SchemeManaged {
+			// The role is not scheme-managed, so it's OK to apply it to the explicit roles field.
+			newExplicitRoles = append(newExplicitRoles, roleName)
+		} else {
+			// The role is scheme-managed, so need to check if it is part of the scheme for this channel or not.
+			switch roleName {
+			case schemeAdminRole:
+				member.SchemeAdmin = true
+			case schemeUserRole:
+				member.SchemeUser = true
+			default:
+				// If not part of the scheme for this channel, then it is not allowed to apply it as an explicit role.
+				return nil, model.NewAppError("UpdateTeamMemberRoles", "api.channel.update_team_member_roles.scheme_role.app_error", nil, "role_name="+roleName, http.StatusBadRequest)
+			}
+		}
+	}
+
+	member.ExplicitRoles = strings.Join(newExplicitRoles, " ")
 
 	if result := <-a.Srv.Store.Team().UpdateMember(member); result.Err != nil {
 		return nil, result.Err
+	} else {
+		member = result.Data.(*model.TeamMember)
 	}
 
 	a.ClearSessionCacheForUser(userId)
@@ -293,13 +353,13 @@ func (a *App) AddUserToTeamByInviteId(inviteId string, userId string) (*model.Te
 // 3. a pointer to an AppError if something went wrong.
 func (a *App) joinUserToTeam(team *model.Team, user *model.User) (*model.TeamMember, bool, *model.AppError) {
 	tm := &model.TeamMember{
-		TeamId: team.Id,
-		UserId: user.Id,
-		Roles:  model.TEAM_USER_ROLE_ID,
+		TeamId:     team.Id,
+		UserId:     user.Id,
+		SchemeUser: true,
 	}
 
 	if team.Email == user.Email {
-		tm.Roles = model.TEAM_USER_ROLE_ID + " " + model.TEAM_ADMIN_ROLE_ID
+		tm.SchemeAdmin = true
 	}
 
 	if etmr := <-a.Srv.Store.Team().GetMember(team.Id, user.Id); etmr.Err == nil {
@@ -343,15 +403,11 @@ func (a *App) JoinUserToTeam(team *model.Team, user *model.User, userRequestorId
 		return uua.Err
 	}
 
-	channelRole := model.CHANNEL_USER_ROLE_ID
-
-	if team.Email == user.Email {
-		channelRole = model.CHANNEL_USER_ROLE_ID + " " + model.CHANNEL_ADMIN_ROLE_ID
-	}
+	shouldBeAdmin := team.Email == user.Email
 
 	// Soft error if there is an issue joining the default channels
-	if err := a.JoinDefaultChannels(team.Id, user, channelRole, userRequestorId); err != nil {
-		mlog.Error(fmt.Sprintf("Encountered an issue joining default channels user_id=%s, team_id=%s, err=%v", user.Id, team.Id, err), mlog.String("user_id", user.Id))
+	if err := a.JoinDefaultChannels(team.Id, user, shouldBeAdmin, userRequestorId); err != nil {
+		mlog.Error(fmt.Sprintf("Encountered an issue joining default channels err=%v", err), mlog.String("user_id", user.Id), mlog.String("team_id", team.Id))
 	}
 
 	a.ClearSessionCacheForUser(user.Id)
diff --git a/app/team_test.go b/app/team_test.go
index 7ebfb8166..6a47da58b 100644
--- a/app/team_test.go
+++ b/app/team_test.go
@@ -559,3 +559,21 @@ func TestJoinUserToTeam(t *testing.T) {
 		}
 	})
 }
+
+func TestAppUpdateTeamScheme(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	team := th.BasicTeam
+	mockID := model.NewString("x")
+	team.SchemeId = mockID
+
+	updatedTeam, err := th.App.UpdateTeamScheme(th.BasicTeam)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if updatedTeam.SchemeId != mockID {
+		t.Fatal("Wrong Team SchemeId")
+	}
+}
author	George Goldberg <george@gberg.me>	2018-05-31 10:25:31 +0100
committer	George Goldberg <george@gberg.me>	2018-05-31 10:25:31 +0100
commit	27e7841a734e9c3ed71f988a653f5865d2ef6f91 (patch)
tree	1ccc65246fb166c25a9923f4e05ad7d6223892d1 /app
parent	e39f5f46f3f6cdcb7ab8aeef8c601047f5942f85 (diff)
parent	994ccf475f96bcad668269fe25b0d22e975bc222 (diff)
download	chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.tar.gz chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.tar.bz2 chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.zip