Merge branch 'advanced-permissions-phase-2'

13 files changed, 410 insertions, 45 deletions

diff --git a/model/channel.go b/model/channel.go
index 950e910dd..5617240e6 100644
--- a/model/channel.go
+++ b/model/channel.go
@@ -32,20 +32,21 @@ const (
 )
 
 type Channel struct {
-	Id            string `json:"id"`
-	CreateAt      int64  `json:"create_at"`
-	UpdateAt      int64  `json:"update_at"`
-	DeleteAt      int64  `json:"delete_at"`
-	TeamId        string `json:"team_id"`
-	Type          string `json:"type"`
-	DisplayName   string `json:"display_name"`
-	Name          string `json:"name"`
-	Header        string `json:"header"`
-	Purpose       string `json:"purpose"`
-	LastPostAt    int64  `json:"last_post_at"`
-	TotalMsgCount int64  `json:"total_msg_count"`
-	ExtraUpdateAt int64  `json:"extra_update_at"`
-	CreatorId     string `json:"creator_id"`
+	Id            string  `json:"id"`
+	CreateAt      int64   `json:"create_at"`
+	UpdateAt      int64   `json:"update_at"`
+	DeleteAt      int64   `json:"delete_at"`
+	TeamId        string  `json:"team_id"`
+	Type          string  `json:"type"`
+	DisplayName   string  `json:"display_name"`
+	Name          string  `json:"name"`
+	Header        string  `json:"header"`
+	Purpose       string  `json:"purpose"`
+	LastPostAt    int64   `json:"last_post_at"`
+	TotalMsgCount int64   `json:"total_msg_count"`
+	ExtraUpdateAt int64   `json:"extra_update_at"`
+	CreatorId     string  `json:"creator_id"`
+	SchemeId      *string `json:"scheme_id"`
 }
 
 type ChannelPatch struct {
diff --git a/model/channel_member.go b/model/channel_member.go
index e9895aea0..709ad3ccd 100644
--- a/model/channel_member.go
+++ b/model/channel_member.go
@@ -28,14 +28,17 @@ type ChannelUnread struct {
 }
 
 type ChannelMember struct {
-	ChannelId    string    `json:"channel_id"`
-	UserId       string    `json:"user_id"`
-	Roles        string    `json:"roles"`
-	LastViewedAt int64     `json:"last_viewed_at"`
-	MsgCount     int64     `json:"msg_count"`
-	MentionCount int64     `json:"mention_count"`
-	NotifyProps  StringMap `json:"notify_props"`
-	LastUpdateAt int64     `json:"last_update_at"`
+	ChannelId     string    `json:"channel_id"`
+	UserId        string    `json:"user_id"`
+	Roles         string    `json:"roles"`
+	LastViewedAt  int64     `json:"last_viewed_at"`
+	MsgCount      int64     `json:"msg_count"`
+	MentionCount  int64     `json:"mention_count"`
+	NotifyProps   StringMap `json:"notify_props"`
+	LastUpdateAt  int64     `json:"last_update_at"`
+	SchemeUser    bool      `json:"scheme_user"`
+	SchemeAdmin   bool      `json:"scheme_admin"`
+	ExplicitRoles string    `json:"explicit_roles"`
 }
 
 type ChannelMembers []ChannelMember
diff --git a/model/client4.go b/model/client4.go
index 97dd30790..c2b6ba948 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -368,6 +368,14 @@ func (c *Client4) GetRolesRoute() string {
 	return fmt.Sprintf("/roles")
 }
 
+func (c *Client4) GetSchemesRoute() string {
+	return fmt.Sprintf("/schemes")
+}
+
+func (c *Client4) GetSchemeRoute(id string) string {
+	return c.GetSchemesRoute() + fmt.Sprintf("/%v", id)
+}
+
 func (c *Client4) GetAnalyticsRoute() string {
 	return fmt.Sprintf("/analytics")
 }
@@ -376,6 +384,14 @@ func (c *Client4) GetTimezonesRoute() string {
 	return fmt.Sprintf(c.GetSystemRoute() + "/timezones")
 }
 
+func (c *Client4) GetChannelSchemeRoute(channelId string) string {
+	return fmt.Sprintf(c.GetChannelsRoute()+"/%v/scheme", channelId)
+}
+
+func (c *Client4) GetTeamSchemeRoute(teamId string) string {
+	return fmt.Sprintf(c.GetTeamsRoute()+"/%v/scheme", teamId)
+}
+
 func (c *Client4) DoApiGet(url string, etag string) (*http.Response, *AppError) {
 	return c.DoApiRequest(http.MethodGet, c.ApiUrl+url, "", etag)
 }
@@ -3484,6 +3500,78 @@ func (c *Client4) PatchRole(roleId string, patch *RolePatch) (*Role, *Response)
 	}
 }
 
+// Schemes Section
+
+// CreateScheme creates a new Scheme.
+func (c *Client4) CreateScheme(scheme *Scheme) (*Scheme, *Response) {
+	if r, err := c.DoApiPost(c.GetSchemesRoute(), scheme.ToJson()); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return SchemeFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// GetScheme gets a single scheme by ID.
+func (c *Client4) GetScheme(id string) (*Scheme, *Response) {
+	if r, err := c.DoApiGet(c.GetSchemeRoute(id), ""); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return SchemeFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// Get all schemes, sorted with the most recently created first, optionally filtered by scope.
+func (c *Client4) GetSchemes(scope string, page int, perPage int) ([]*Scheme, *Response) {
+	if r, err := c.DoApiGet(c.GetSchemesRoute()+fmt.Sprintf("?scope=%v&page=%v&per_page=%v", scope, page, perPage), ""); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return SchemesFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// DeleteScheme deletes a single scheme by ID.
+func (c *Client4) DeleteScheme(id string) (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetSchemeRoute(id)); err != nil {
+		return false, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// PatchScheme partially updates a scheme in the system. Any missing fields are not updated.
+func (c *Client4) PatchScheme(id string, patch *SchemePatch) (*Scheme, *Response) {
+	if r, err := c.DoApiPut(c.GetSchemeRoute(id)+"/patch", patch.ToJson()); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return SchemeFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// Get the teams using this scheme, sorted alphabetically by display name.
+func (c *Client4) GetTeamsForScheme(schemeId string, page int, perPage int) ([]*Team, *Response) {
+	if r, err := c.DoApiGet(c.GetSchemeRoute(schemeId)+fmt.Sprintf("/teams?page=%v&per_page=%v", page, perPage), ""); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return TeamListFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// Get the channels using this scheme, sorted alphabetically by display name.
+func (c *Client4) GetChannelsForScheme(schemeId string, page int, perPage int) (ChannelList, *Response) {
+	if r, err := c.DoApiGet(c.GetSchemeRoute(schemeId)+fmt.Sprintf("/channels?page=%v&per_page=%v", page, perPage), ""); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return *ChannelListFromJson(r.Body), BuildResponse(r)
+	}
+}
+
 // Plugin Section
 
 // UploadPlugin takes an io.Reader stream pointing to the contents of a .tar.gz plugin.
@@ -3589,3 +3677,25 @@ func (c *Client4) DeactivatePlugin(id string) (bool, *Response) {
 		return CheckStatusOK(r), BuildResponse(r)
 	}
 }
+
+// UpdateChannelScheme will update a channel's scheme.
+func (c *Client4) UpdateChannelScheme(channelId, schemeId string) (bool, *Response) {
+	sip := &SchemeIDPatch{SchemeID: &schemeId}
+	if r, err := c.DoApiPut(c.GetChannelSchemeRoute(channelId), sip.ToJson()); err != nil {
+		return false, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// UpdateTeamScheme will update a team's scheme.
+func (c *Client4) UpdateTeamScheme(teamId, schemeId string) (bool, *Response) {
+	sip := &SchemeIDPatch{SchemeID: &schemeId}
+	if r, err := c.DoApiPut(c.GetTeamSchemeRoute(teamId), sip.ToJson()); err != nil {
+		return false, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
diff --git a/model/cluster_message.go b/model/cluster_message.go
index cf9e3f9f2..d02da3ee1 100644
--- a/model/cluster_message.go
+++ b/model/cluster_message.go
@@ -22,6 +22,7 @@ const (
 	CLUSTER_EVENT_INVALIDATE_CACHE_FOR_USER                         = "inv_user"
 	CLUSTER_EVENT_CLEAR_SESSION_CACHE_FOR_USER                      = "clear_session_user"
 	CLUSTER_EVENT_INVALIDATE_CACHE_FOR_ROLES                        = "inv_roles"
+	CLUSTER_EVENT_INVALIDATE_CACHE_FOR_SCHEMES                      = "inv_schemes"
 
 	CLUSTER_SEND_BEST_EFFORT = "best_effort"
 	CLUSTER_SEND_RELIABLE    = "reliable"
diff --git a/model/job.go b/model/job.go
index e10ed1f5d..c16614958 100644
--- a/model/job.go
+++ b/model/job.go
@@ -16,6 +16,7 @@ const (
 	JOB_TYPE_ELASTICSEARCH_POST_INDEXING    = "elasticsearch_post_indexing"
 	JOB_TYPE_ELASTICSEARCH_POST_AGGREGATION = "elasticsearch_post_aggregation"
 	JOB_TYPE_LDAP_SYNC                      = "ldap_sync"
+	JOB_TYPE_MIGRATIONS                     = "migrations"
 
 	JOB_STATUS_PENDING          = "pending"
 	JOB_STATUS_IN_PROGRESS      = "in_progress"
@@ -52,6 +53,7 @@ func (j *Job) IsValid() *AppError {
 	case JOB_TYPE_ELASTICSEARCH_POST_AGGREGATION:
 	case JOB_TYPE_LDAP_SYNC:
 	case JOB_TYPE_MESSAGE_EXPORT:
+	case JOB_TYPE_MIGRATIONS:
 	default:
 		return NewAppError("Job.IsValid", "model.job.is_valid.type.app_error", nil, "id="+j.Id, http.StatusBadRequest)
 	}
diff --git a/model/license.go b/model/license.go
index b69c13c54..b6a6f2ac8 100644
--- a/model/license.go
+++ b/model/license.go
@@ -55,6 +55,7 @@ type Features struct {
 	EmailNotificationContents *bool `json:"email_notification_contents"`
 	DataRetention             *bool `json:"data_retention"`
 	MessageExport             *bool `json:"message_export"`
+	CustomPermissionsSchemes  *bool `json:"custom_permissions_schemes"`
 
 	// after we enabled more features for webrtc we'll need to control them with this
 	FutureFeatures *bool `json:"future_features"`
@@ -76,6 +77,7 @@ func (f *Features) ToMap() map[string]interface{} {
 		"email_notification_contents": *f.EmailNotificationContents,
 		"data_retention":              *f.DataRetention,
 		"message_export":              *f.MessageExport,
+		"custom_permissions_schemes":  *f.CustomPermissionsSchemes,
 		"future":                      *f.FutureFeatures,
 	}
 }
@@ -152,6 +154,10 @@ func (f *Features) SetDefaults() {
 	if f.MessageExport == nil {
 		f.MessageExport = NewBool(*f.FutureFeatures)
 	}
+
+	if f.CustomPermissionsSchemes == nil {
+		f.CustomPermissionsSchemes = NewBool(*f.FutureFeatures)
+	}
 }
 
 func (l *License) IsExpired() bool {
diff --git a/model/license_test.go b/model/license_test.go
index 4b40c4101..a9379d78e 100644
--- a/model/license_test.go
+++ b/model/license_test.go
@@ -27,6 +27,8 @@ func TestLicenseFeaturesToMap(t *testing.T) {
 	CheckTrue(t, m["elastic_search"].(bool))
 	CheckTrue(t, m["email_notification_contents"].(bool))
 	CheckTrue(t, m["data_retention"].(bool))
+	CheckTrue(t, m["message_export"].(bool))
+	CheckTrue(t, m["custom_permissions_schemes"].(bool))
 	CheckTrue(t, m["future"].(bool))
 }
 
@@ -48,6 +50,8 @@ func TestLicenseFeaturesSetDefaults(t *testing.T) {
 	CheckTrue(t, *f.Elasticsearch)
 	CheckTrue(t, *f.EmailNotificationContents)
 	CheckTrue(t, *f.DataRetention)
+	CheckTrue(t, *f.MessageExport)
+	CheckTrue(t, *f.CustomPermissionsSchemes)
 	CheckTrue(t, *f.FutureFeatures)
 
 	f = Features{}
@@ -67,6 +71,8 @@ func TestLicenseFeaturesSetDefaults(t *testing.T) {
 	*f.SAML = true
 	*f.Elasticsearch = true
 	*f.DataRetention = true
+	*f.MessageExport = true
+	*f.CustomPermissionsSchemes = true
 	*f.EmailNotificationContents = true
 
 	f.SetDefaults()
@@ -85,6 +91,8 @@ func TestLicenseFeaturesSetDefaults(t *testing.T) {
 	CheckTrue(t, *f.Elasticsearch)
 	CheckTrue(t, *f.EmailNotificationContents)
 	CheckTrue(t, *f.DataRetention)
+	CheckTrue(t, *f.MessageExport)
+	CheckTrue(t, *f.CustomPermissionsSchemes)
 	CheckFalse(t, *f.FutureFeatures)
 }
 
@@ -166,6 +174,8 @@ func TestLicenseToFromJson(t *testing.T) {
 	CheckBool(t, *f1.SAML, *f.SAML)
 	CheckBool(t, *f1.Elasticsearch, *f.Elasticsearch)
 	CheckBool(t, *f1.DataRetention, *f.DataRetention)
+	CheckBool(t, *f1.MessageExport, *f.MessageExport)
+	CheckBool(t, *f1.CustomPermissionsSchemes, *f.CustomPermissionsSchemes)
 	CheckBool(t, *f1.FutureFeatures, *f.FutureFeatures)
 
 	invalid := `{"asdf`
diff --git a/model/migration.go b/model/migration.go
new file mode 100644
index 000000000..ead7acce2
--- /dev/null
+++ b/model/migration.go
@@ -0,0 +1,8 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+const (
+	MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2 = "migration_advanced_permissions_phase_2"
+)
diff --git a/model/permission.go b/model/permission.go
index 792c7d42e..737321cc7 100644
--- a/model/permission.go
+++ b/model/permission.go
@@ -50,6 +50,8 @@ var PERMISSION_MANAGE_WEBHOOKS *Permission
 var PERMISSION_MANAGE_OTHERS_WEBHOOKS *Permission
 var PERMISSION_MANAGE_OAUTH *Permission
 var PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH *Permission
+var PERMISSION_MANAGE_EMOJIS *Permission
+var PERMISSION_MANAGE_OTHERS_EMOJIS *Permission
 var PERMISSION_CREATE_POST *Permission
 var PERMISSION_CREATE_POST_PUBLIC *Permission
 var PERMISSION_CREATE_POST_EPHEMERAL *Permission
@@ -286,6 +288,18 @@ func initializePermissions() {
 		"authentication.permissions.manage_system_wide_oauth.description",
 		PERMISSION_SCOPE_SYSTEM,
 	}
+	PERMISSION_MANAGE_EMOJIS = &Permission{
+		"manage_emojis",
+		"authentication.permissions.manage_emojis.name",
+		"authentication.permissions.manage_emojis.description",
+		PERMISSION_SCOPE_TEAM,
+	}
+	PERMISSION_MANAGE_OTHERS_EMOJIS = &Permission{
+		"manage_others_emojis",
+		"authentication.permissions.manage_others_emojis.name",
+		"authentication.permissions.manage_others_emojis.description",
+		PERMISSION_SCOPE_TEAM,
+	}
 	PERMISSION_CREATE_POST = &Permission{
 		"create_post",
 		"authentication.permissions.create_post.name",
@@ -424,6 +438,8 @@ func initializePermissions() {
 		PERMISSION_MANAGE_OTHERS_WEBHOOKS,
 		PERMISSION_MANAGE_OAUTH,
 		PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH,
+		PERMISSION_MANAGE_EMOJIS,
+		PERMISSION_MANAGE_OTHERS_EMOJIS,
 		PERMISSION_CREATE_POST,
 		PERMISSION_CREATE_POST_PUBLIC,
 		PERMISSION_CREATE_POST_EPHEMERAL,
diff --git a/model/role.go b/model/role.go
index f10b52537..80ae1ae34 100644
--- a/model/role.go
+++ b/model/role.go
@@ -39,6 +39,7 @@ type Role struct {
 	DeleteAt      int64    `json:"delete_at"`
 	Permissions   []string `json:"permissions"`
 	SchemeManaged bool     `json:"scheme_managed"`
+	BuiltIn       bool     `json:"built_in"`
 }
 
 type RolePatch struct {
@@ -187,6 +188,7 @@ func MakeDefaultRoles() map[string]*Role {
 			PERMISSION_USE_SLASH_COMMANDS.Id,
 		},
 		SchemeManaged: true,
+		BuiltIn:       true,
 	}
 
 	roles[CHANNEL_ADMIN_ROLE_ID] = &Role{
@@ -197,6 +199,7 @@ func MakeDefaultRoles() map[string]*Role {
 			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
 		},
 		SchemeManaged: true,
+		BuiltIn:       true,
 	}
 
 	roles[TEAM_USER_ROLE_ID] = &Role{
@@ -210,6 +213,7 @@ func MakeDefaultRoles() map[string]*Role {
 			PERMISSION_VIEW_TEAM.Id,
 		},
 		SchemeManaged: true,
+		BuiltIn:       true,
 	}
 
 	roles[TEAM_POST_ALL_ROLE_ID] = &Role{
@@ -219,7 +223,8 @@ func MakeDefaultRoles() map[string]*Role {
 		Permissions: []string{
 			PERMISSION_CREATE_POST.Id,
 		},
-		SchemeManaged: true,
+		SchemeManaged: false,
+		BuiltIn:       true,
 	}
 
 	roles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
@@ -229,7 +234,8 @@ func MakeDefaultRoles() map[string]*Role {
 		Permissions: []string{
 			PERMISSION_CREATE_POST_PUBLIC.Id,
 		},
-		SchemeManaged: true,
+		SchemeManaged: false,
+		BuiltIn:       true,
 	}
 
 	roles[TEAM_ADMIN_ROLE_ID] = &Role{
@@ -249,6 +255,7 @@ func MakeDefaultRoles() map[string]*Role {
 			PERMISSION_MANAGE_WEBHOOKS.Id,
 		},
 		SchemeManaged: true,
+		BuiltIn:       true,
 	}
 
 	roles[SYSTEM_USER_ROLE_ID] = &Role{
@@ -261,6 +268,7 @@ func MakeDefaultRoles() map[string]*Role {
 			PERMISSION_PERMANENT_DELETE_USER.Id,
 		},
 		SchemeManaged: true,
+		BuiltIn:       true,
 	}
 
 	roles[SYSTEM_POST_ALL_ROLE_ID] = &Role{
@@ -270,7 +278,8 @@ func MakeDefaultRoles() map[string]*Role {
 		Permissions: []string{
 			PERMISSION_CREATE_POST.Id,
 		},
-		SchemeManaged: true,
+		SchemeManaged: false,
+		BuiltIn:       true,
 	}
 
 	roles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
@@ -280,7 +289,8 @@ func MakeDefaultRoles() map[string]*Role {
 		Permissions: []string{
 			PERMISSION_CREATE_POST_PUBLIC.Id,
 		},
-		SchemeManaged: true,
+		SchemeManaged: false,
+		BuiltIn:       true,
 	}
 
 	roles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = &Role{
@@ -292,7 +302,8 @@ func MakeDefaultRoles() map[string]*Role {
 			PERMISSION_READ_USER_ACCESS_TOKEN.Id,
 			PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
 		},
-		SchemeManaged: true,
+		SchemeManaged: false,
+		BuiltIn:       true,
 	}
 
 	roles[SYSTEM_ADMIN_ROLE_ID] = &Role{
@@ -345,6 +356,7 @@ func MakeDefaultRoles() map[string]*Role {
 			roles[CHANNEL_ADMIN_ROLE_ID].Permissions...,
 		),
 		SchemeManaged: true,
+		BuiltIn:       true,
 	}
 
 	return roles
diff --git a/model/scheme.go b/model/scheme.go
new file mode 100644
index 000000000..959b80c24
--- /dev/null
+++ b/model/scheme.go
@@ -0,0 +1,192 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"regexp"
+)
+
+const (
+	SCHEME_DISPLAY_NAME_MAX_LENGTH = 128
+	SCHEME_NAME_MAX_LENGTH         = 64
+	SCHEME_DESCRIPTION_MAX_LENGTH  = 1024
+	SCHEME_SCOPE_TEAM              = "team"
+	SCHEME_SCOPE_CHANNEL           = "channel"
+)
+
+type Scheme struct {
+	Id                      string `json:"id"`
+	Name                    string `json:"name"`
+	DisplayName             string `json:"display_name"`
+	Description             string `json:"description"`
+	CreateAt                int64  `json:"create_at"`
+	UpdateAt                int64  `json:"update_at"`
+	DeleteAt                int64  `json:"delete_at"`
+	Scope                   string `json:"scope"`
+	DefaultTeamAdminRole    string `json:"default_team_admin_role"`
+	DefaultTeamUserRole     string `json:"default_team_user_role"`
+	DefaultChannelAdminRole string `json:"default_channel_admin_role"`
+	DefaultChannelUserRole  string `json:"default_channel_user_role"`
+}
+
+type SchemePatch struct {
+	Name        *string `json:"name"`
+	DisplayName *string `json:"display_name"`
+	Description *string `json:"description"`
+}
+
+type SchemeIDPatch struct {
+	SchemeID *string `json:"scheme_id"`
+}
+
+// SchemeConveyor is used for importing and exporting a Scheme and its associated Roles.
+type SchemeConveyor struct {
+	Name         string  `json:"name"`
+	DisplayName  string  `json:"display_name"`
+	Description  string  `json:"description"`
+	Scope        string  `json:"scope"`
+	TeamAdmin    string  `json:"default_team_admin_role"`
+	TeamUser     string  `json:"default_team_user_role"`
+	ChannelAdmin string  `json:"default_channel_admin_role"`
+	ChannelUser  string  `json:"default_channel_user_role"`
+	Roles        []*Role `json:"roles"`
+}
+
+func (sc *SchemeConveyor) Scheme() *Scheme {
+	return &Scheme{
+		DisplayName:             sc.DisplayName,
+		Name:                    sc.Name,
+		Description:             sc.Description,
+		Scope:                   sc.Scope,
+		DefaultTeamAdminRole:    sc.TeamAdmin,
+		DefaultTeamUserRole:     sc.TeamUser,
+		DefaultChannelAdminRole: sc.ChannelAdmin,
+		DefaultChannelUserRole:  sc.ChannelUser,
+	}
+}
+
+func (scheme *Scheme) ToJson() string {
+	b, _ := json.Marshal(scheme)
+	return string(b)
+}
+
+func SchemeFromJson(data io.Reader) *Scheme {
+	var scheme *Scheme
+	json.NewDecoder(data).Decode(&scheme)
+	return scheme
+}
+
+func SchemesToJson(schemes []*Scheme) string {
+	b, _ := json.Marshal(schemes)
+	return string(b)
+}
+
+func SchemesFromJson(data io.Reader) []*Scheme {
+	var schemes []*Scheme
+	if err := json.NewDecoder(data).Decode(&schemes); err == nil {
+		return schemes
+	} else {
+		return nil
+	}
+}
+
+func (scheme *Scheme) IsValid() bool {
+	if len(scheme.Id) != 26 {
+		return false
+	}
+
+	return scheme.IsValidForCreate()
+}
+
+func (scheme *Scheme) IsValidForCreate() bool {
+	if len(scheme.DisplayName) == 0 || len(scheme.DisplayName) > SCHEME_DISPLAY_NAME_MAX_LENGTH {
+		return false
+	}
+
+	if !IsValidSchemeName(scheme.Name) {
+		return false
+	}
+
+	if len(scheme.Description) > SCHEME_DESCRIPTION_MAX_LENGTH {
+		return false
+	}
+
+	switch scheme.Scope {
+	case SCHEME_SCOPE_TEAM, SCHEME_SCOPE_CHANNEL:
+	default:
+		return false
+	}
+
+	if !IsValidRoleName(scheme.DefaultChannelAdminRole) {
+		return false
+	}
+
+	if !IsValidRoleName(scheme.DefaultChannelUserRole) {
+		return false
+	}
+
+	if scheme.Scope == SCHEME_SCOPE_TEAM {
+		if !IsValidRoleName(scheme.DefaultTeamAdminRole) {
+			return false
+		}
+
+		if !IsValidRoleName(scheme.DefaultTeamUserRole) {
+			return false
+		}
+	}
+
+	if scheme.Scope == SCHEME_SCOPE_CHANNEL {
+		if len(scheme.DefaultTeamAdminRole) != 0 {
+			return false
+		}
+
+		if len(scheme.DefaultTeamUserRole) != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (scheme *Scheme) Patch(patch *SchemePatch) {
+	if patch.DisplayName != nil {
+		scheme.DisplayName = *patch.DisplayName
+	}
+	if patch.Name != nil {
+		scheme.Name = *patch.Name
+	}
+	if patch.Description != nil {
+		scheme.Description = *patch.Description
+	}
+}
+
+func (patch *SchemePatch) ToJson() string {
+	b, _ := json.Marshal(patch)
+	return string(b)
+}
+
+func SchemePatchFromJson(data io.Reader) *SchemePatch {
+	var patch *SchemePatch
+	json.NewDecoder(data).Decode(&patch)
+	return patch
+}
+
+func SchemeIDFromJson(data io.Reader) *string {
+	var p *SchemeIDPatch
+	json.NewDecoder(data).Decode(&p)
+	return p.SchemeID
+}
+
+func (p *SchemeIDPatch) ToJson() string {
+	b, _ := json.Marshal(p)
+	return string(b)
+}
+
+func IsValidSchemeName(name string) bool {
+	re := regexp.MustCompile(fmt.Sprintf("^[a-z0-9_]{0,%d}$", SCHEME_NAME_MAX_LENGTH))
+	return re.MatchString(name)
+}
diff --git a/model/team.go b/model/team.go
index 7968c9d48..edf9d3a41 100644
--- a/model/team.go
+++ b/model/team.go
@@ -26,20 +26,21 @@ const (
 )
 
 type Team struct {
-	Id                 string `json:"id"`
-	CreateAt           int64  `json:"create_at"`
-	UpdateAt           int64  `json:"update_at"`
-	DeleteAt           int64  `json:"delete_at"`
-	DisplayName        string `json:"display_name"`
-	Name               string `json:"name"`
-	Description        string `json:"description"`
-	Email              string `json:"email"`
-	Type               string `json:"type"`
-	CompanyName        string `json:"company_name"`
-	AllowedDomains     string `json:"allowed_domains"`
-	InviteId           string `json:"invite_id"`
-	AllowOpenInvite    bool   `json:"allow_open_invite"`
-	LastTeamIconUpdate int64  `json:"last_team_icon_update,omitempty"`
+	Id                 string  `json:"id"`
+	CreateAt           int64   `json:"create_at"`
+	UpdateAt           int64   `json:"update_at"`
+	DeleteAt           int64   `json:"delete_at"`
+	DisplayName        string  `json:"display_name"`
+	Name               string  `json:"name"`
+	Description        string  `json:"description"`
+	Email              string  `json:"email"`
+	Type               string  `json:"type"`
+	CompanyName        string  `json:"company_name"`
+	AllowedDomains     string  `json:"allowed_domains"`
+	InviteId           string  `json:"invite_id"`
+	AllowOpenInvite    bool    `json:"allow_open_invite"`
+	LastTeamIconUpdate int64   `json:"last_team_icon_update,omitempty"`
+	SchemeId           *string `json:"scheme_id"`
 }
 
 type TeamPatch struct {
diff --git a/model/team_member.go b/model/team_member.go
index 2fcd1e151..0bda96121 100644
--- a/model/team_member.go
+++ b/model/team_member.go
@@ -11,10 +11,13 @@ import (
 )
 
 type TeamMember struct {
-	TeamId   string `json:"team_id"`
-	UserId   string `json:"user_id"`
-	Roles    string `json:"roles"`
-	DeleteAt int64  `json:"delete_at"`
+	TeamId        string `json:"team_id"`
+	UserId        string `json:"user_id"`
+	Roles         string `json:"roles"`
+	DeleteAt      int64  `json:"delete_at"`
+	SchemeUser    bool   `json:"scheme_user"`
+	SchemeAdmin   bool   `json:"scheme_admin"`
+	ExplicitRoles string `json:"explicit_roles"`
 }
 
 type TeamUnread struct {