MM-8853: Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS permissions (#8860)

* MM-8853: Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS permissions

* MM-8853: Removing unnecesary emoji enterprise feature

* Create emojis migration

* Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS always to system admins

* Simplifing permissions checks

* Revert "Simplifing permissions checks"

This reverts commit e2cafc1905fc9e20125dd9a1552d2d0c7340ae59.

4 files changed, 222 insertions, 10 deletions

diff --git a/app/app.go b/app/app.go
index e5a496c6b..bda56ca1a 100644
--- a/app/app.go
+++ b/app/app.go
@@ -30,6 +30,7 @@ import (
 )
 
 const ADVANCED_PERMISSIONS_MIGRATION_KEY = "AdvancedPermissionsMigrationComplete"
+const EMOJIS_PERMISSIONS_MIGRATION_KEY = "EmojisPermissionsMigrationComplete"
 
 type App struct {
 	goroutineCount      int32
@@ -57,7 +58,6 @@ type App struct {
 	Compliance       einterfaces.ComplianceInterface
 	DataRetention    einterfaces.DataRetentionInterface
 	Elasticsearch    einterfaces.ElasticsearchInterface
-	Emoji            einterfaces.EmojiInterface
 	Ldap             einterfaces.LdapInterface
 	MessageExport    einterfaces.MessageExportInterface
 	Metrics          einterfaces.MetricsInterface
@@ -288,12 +288,6 @@ func RegisterElasticsearchInterface(f func(*App) einterfaces.ElasticsearchInterf
 	elasticsearchInterface = f
 }
 
-var emojiInterface func(*App) einterfaces.EmojiInterface
-
-func RegisterEmojiInterface(f func(*App) einterfaces.EmojiInterface) {
-	emojiInterface = f
-}
-
 var jobsDataRetentionJobInterface func(*App) ejobs.DataRetentionJobInterface
 
 func RegisterJobsDataRetentionJobInterface(f func(*App) ejobs.DataRetentionJobInterface) {
@@ -376,9 +370,6 @@ func (a *App) initEnterprise() {
 	if elasticsearchInterface != nil {
 		a.Elasticsearch = elasticsearchInterface(a)
 	}
-	if emojiInterface != nil {
-		a.Emoji = emojiInterface(a)
-	}
 	if ldapInterface != nil {
 		a.Ldap = ldapInterface(a)
 		a.AddConfigListener(func(_, cfg *model.Config) {
@@ -603,3 +594,75 @@ func (a *App) SetPhase2PermissionsMigrationStatus(isComplete bool) error {
 	a.phase2PermissionsMigrationComplete = isComplete
 	return nil
 }
+
+func (a *App) DoEmojisPermissionsMigration() {
+	// If the migration is already marked as completed, don't do it again.
+	if result := <-a.Srv.Store.System().GetByName(EMOJIS_PERMISSIONS_MIGRATION_KEY); result.Err == nil {
+		return
+	}
+
+	var role *model.Role = nil
+	var systemAdminRole *model.Role = nil
+	var err *model.AppError = nil
+
+	mlog.Info("Migrating emojis config to database.")
+	switch *a.Config().ServiceSettings.RestrictCustomEmojiCreation {
+	case model.RESTRICT_EMOJI_CREATION_ALL:
+		role, err = a.GetRoleByName(model.SYSTEM_USER_ROLE_ID)
+		if err != nil {
+			mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+			mlog.Critical(err.Error())
+			return
+		}
+		break
+	case model.RESTRICT_EMOJI_CREATION_ADMIN:
+		role, err = a.GetRoleByName(model.TEAM_ADMIN_ROLE_ID)
+		if err != nil {
+			mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+			mlog.Critical(err.Error())
+			return
+		}
+		break
+	case model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN:
+		role = nil
+		break
+	default:
+		mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+		mlog.Critical("Invalid restrict emoji creation setting")
+		return
+	}
+
+	if role != nil {
+		role.Permissions = append(role.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
+		if result := <-a.Srv.Store.Role().Save(role); result.Err != nil {
+			mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+			mlog.Critical(result.Err.Error())
+			return
+		}
+	}
+
+	systemAdminRole, err = a.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	if err != nil {
+		mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+		mlog.Critical(err.Error())
+		return
+	}
+
+	systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
+	systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id)
+	if result := <-a.Srv.Store.Role().Save(systemAdminRole); result.Err != nil {
+		mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
+		mlog.Critical(result.Err.Error())
+		return
+	}
+
+	system := model.System{
+		Name:  EMOJIS_PERMISSIONS_MIGRATION_KEY,
+		Value: "true",
+	}
+
+	if result := <-a.Srv.Store.System().Save(&system); result.Err != nil {
+		mlog.Critical("Failed to mark emojis permissions migration as completed.")
+		mlog.Critical(fmt.Sprint(result.Err))
+	}
+}
diff --git a/app/app_test.go b/app/app_test.go
index cb6917073..dd6f0b593 100644
--- a/app/app_test.go
+++ b/app/app_test.go
@@ -455,3 +455,138 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
 	*config.ServiceSettings.PostEditTimeLimit = 300
 	th.App.SaveConfig(config, false)
 }
+
+func TestDoEmojisPermissionsMigration(t *testing.T) {
+	th := Setup()
+	defer th.TearDown()
+
+	if testStoreSqlSupplier == nil {
+		t.Skip("This test requires a TestStore to be run.")
+	}
+
+	// Add a license and change the policy config.
+	restrictCustomEmojiCreation := *th.App.Config().ServiceSettings.RestrictCustomEmojiCreation
+
+	defer func() {
+		th.App.UpdateConfig(func(cfg *model.Config) {
+			*cfg.ServiceSettings.RestrictCustomEmojiCreation = restrictCustomEmojiCreation
+		})
+	}()
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN
+	})
+
+	th.ResetEmojisMigration()
+	th.App.DoEmojisPermissionsMigration()
+
+	expectedSystemAdmin := []string{
+		model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
+		model.PERMISSION_MANAGE_SYSTEM.Id,
+		model.PERMISSION_MANAGE_ROLES.Id,
+		model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+		model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+		model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+		model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+		model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+		model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+		model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+		model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+		model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
+		model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+		model.PERMISSION_EDIT_OTHER_USERS.Id,
+		model.PERMISSION_MANAGE_OAUTH.Id,
+		model.PERMISSION_INVITE_USER.Id,
+		model.PERMISSION_DELETE_POST.Id,
+		model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		model.PERMISSION_CREATE_TEAM.Id,
+		model.PERMISSION_ADD_USER_TO_TEAM.Id,
+		model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
+		model.PERMISSION_MANAGE_JOBS.Id,
+		model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		model.PERMISSION_CREATE_POST_EPHEMERAL.Id,
+		model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+		model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+		model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+		model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
+		model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+		model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+		model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+		model.PERMISSION_VIEW_TEAM.Id,
+		model.PERMISSION_READ_CHANNEL.Id,
+		model.PERMISSION_ADD_REACTION.Id,
+		model.PERMISSION_REMOVE_REACTION.Id,
+		model.PERMISSION_UPLOAD_FILE.Id,
+		model.PERMISSION_GET_PUBLIC_LINK.Id,
+		model.PERMISSION_CREATE_POST.Id,
+		model.PERMISSION_USE_SLASH_COMMANDS.Id,
+		model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+		model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM.Id,
+		model.PERMISSION_IMPORT_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+		model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		model.PERMISSION_EDIT_POST.Id,
+		model.PERMISSION_MANAGE_EMOJIS.Id,
+		model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id,
+	}
+
+	role1, err1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	assert.Nil(t, err1)
+	assert.Equal(t, expectedSystemAdmin, role1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ADMIN
+	})
+
+	th.ResetEmojisMigration()
+	th.App.DoEmojisPermissionsMigration()
+
+	role2, err2 := th.App.GetRoleByName(model.TEAM_ADMIN_ROLE_ID)
+	assert.Nil(t, err2)
+	expected2 := []string{
+		model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+		model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM.Id,
+		model.PERMISSION_IMPORT_TEAM.Id,
+		model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+		model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+		model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+		model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		model.PERMISSION_DELETE_POST.Id,
+		model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		model.PERMISSION_MANAGE_EMOJIS.Id,
+	}
+	assert.Equal(t, expected2, role2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.TEAM_ADMIN_ROLE_ID))
+
+	systemAdmin1, systemAdminErr1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	assert.Nil(t, systemAdminErr1)
+	assert.Equal(t, expectedSystemAdmin, systemAdmin1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ALL
+	})
+
+	th.ResetEmojisMigration()
+	th.App.DoEmojisPermissionsMigration()
+
+	role3, err3 := th.App.GetRoleByName(model.SYSTEM_USER_ROLE_ID)
+	assert.Nil(t, err3)
+	expected3 := []string{
+		model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
+		model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
+		model.PERMISSION_PERMANENT_DELETE_USER.Id,
+		model.PERMISSION_CREATE_TEAM.Id,
+		model.PERMISSION_MANAGE_EMOJIS.Id,
+	}
+	assert.Equal(t, expected3, role3.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_USER_ROLE_ID))
+
+	systemAdmin2, systemAdminErr2 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
+	assert.Nil(t, systemAdminErr2)
+	assert.Equal(t, expectedSystemAdmin, systemAdmin2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
+}
diff --git a/app/apptestlib.go b/app/apptestlib.go
index ec4992a75..d4a79bdcc 100644
--- a/app/apptestlib.go
+++ b/app/apptestlib.go
@@ -110,6 +110,7 @@ func setupTestHelper(enterprise bool) *TestHelper {
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = prevListenAddress })
 
 	th.App.DoAdvancedPermissionsMigration()
+	th.App.DoEmojisPermissionsMigration()
 
 	th.App.Srv.Store.MarkSystemRanUnitTests()
 
@@ -433,6 +434,18 @@ func (me *TestHelper) ResetRoleMigration() {
 	}
 }
 
+func (me *TestHelper) ResetEmojisMigration() {
+	if _, err := testStoreSqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ', manage_emojis', '') WHERE builtin=True"); err != nil {
+		panic(err)
+	}
+
+	testClusterInterface.sendClearRoleCacheMessage()
+
+	if _, err := testStoreSqlSupplier.GetMaster().Exec("DELETE from Systems where Name = :Name", map[string]interface{}{"Name": EMOJIS_PERMISSIONS_MIGRATION_KEY}); err != nil {
+		panic(err)
+	}
+}
+
 type FakeClusterInterface struct {
 	clusterMessageHandler einterfaces.ClusterMessageHandler
 }
diff --git a/app/permissions.go b/app/permissions.go
index 70b8cc689..46090070e 100644
--- a/app/permissions.go
+++ b/app/permissions.go
@@ -43,6 +43,7 @@ func (a *App) ResetPermissionsSystem() *model.AppError {
 
 	// Now that the permissions system has been reset, re-run the migration to reinitialise it.
 	a.DoAdvancedPermissionsMigration()
+	a.DoEmojisPermissionsMigration()
 
 	return nil
 }