XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)

* XYZ-13: Update Permission and Role structs to new design. * XYZ-10: Role store. * XYZ-9/XYZ-44: Roles API endpoints and WebSocket message. * XYZ-8: Switch server permissions checks to store backed roles. * XYZ-58: Proper validation of roles where required. * XYZ-11/XYZ-55: Migration to store backed roles from policy config. * XYZ-37: Update unit tests to work with database roles. * XYZ-56: Remove the "guest" role. * Changes to SetDefaultRolesFromConfig. * Short-circuit the store if nothing has changed. * Address first round of review comments. * Address second round of review comments.
author: George Goldberg <george@gberg.me> 2018-02-06 15:34:08 +0000
committer: GitHub <noreply@github.com> 2018-02-06 15:34:08 +0000
commit: e1cd64613591cf5a990442a69ebf188258bd0cb5 (patch)
tree: ad9f247a2c75b0bc03de93dbbfc038afb6b69545 /model
parent: 1c7f25773a77ceb9e84feabe3907e7f93f6870e4 (diff)
download: chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.gz
chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.bz2
chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.zip
8 files changed, 486 insertions, 219 deletions
diff --git a/model/client4.go b/model/client4.go
index 0694ecbdf..55179bdf9 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -306,6 +306,10 @@ func (c *Client4) GetJobsRoute() string {
 	return fmt.Sprintf("/jobs")
 }
 
+func (c *Client4) GetRolesRoute() string {
+	return fmt.Sprintf("/roles")
+}
+
 func (c *Client4) GetAnalyticsRoute() string {
 	return fmt.Sprintf("/analytics")
 }
@@ -3204,6 +3208,48 @@ func (c *Client4) CancelJob(jobId string) (bool, *Response) {
 	}
 }
 
+// Roles Section
+
+// GetRole gets a single role by ID.
+func (c *Client4) GetRole(id string) (*Role, *Response) {
+	if r, err := c.DoApiGet(c.GetRolesRoute()+fmt.Sprintf("/%v", id), ""); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return RoleFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// GetRoleByName gets a single role by Name.
+func (c *Client4) GetRoleByName(name string) (*Role, *Response) {
+	if r, err := c.DoApiGet(c.GetRolesRoute()+fmt.Sprintf("/name/%v", name), ""); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return RoleFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// GetRolesByNames returns a list of roles based on the provided role names.
+func (c *Client4) GetRolesByNames(roleNames []string) ([]*Role, *Response) {
+	if r, err := c.DoApiPost(c.GetRolesRoute()+"/names", ArrayToJson(roleNames)); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return RoleListFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// PatchRole partially updates a role in the system. Any missing fields are not updated.
+func (c *Client4) PatchRole(roleId string, patch *RolePatch) (*Role, *Response) {
+	if r, err := c.DoApiPut(c.GetRolesRoute()+fmt.Sprintf("/%v/patch", roleId), patch.ToJson()); err != nil {
+		return nil, BuildErrorResponse(r, err)
+	} else {
+		defer closeBody(r)
+		return RoleFromJson(r.Body), BuildResponse(r)
+	}
+}
+
 // Plugin Section
 
 // UploadPlugin takes an io.Reader stream pointing to the contents of a .tar.gz plugin.
diff --git a/model/cluster_message.go b/model/cluster_message.go
index a6dec2e7f..9cf0e4d55 100644
--- a/model/cluster_message.go
+++ b/model/cluster_message.go
@@ -21,6 +21,7 @@ const (
 	CLUSTER_EVENT_INVALIDATE_CACHE_FOR_CHANNEL                      = "inv_channel"
 	CLUSTER_EVENT_INVALIDATE_CACHE_FOR_USER                         = "inv_user"
 	CLUSTER_EVENT_CLEAR_SESSION_CACHE_FOR_USER                      = "clear_session_user"
+	CLUSTER_EVENT_INVALIDATE_CACHE_FOR_ROLES                        = "inv_roles"
 
 	CLUSTER_SEND_BEST_EFFORT = "best_effort"
 	CLUSTER_SEND_RELIABLE    = "reliable"
diff --git a/model/authorization.go b/model/permission.go
index 9f4e36eab..0dc09f49a 100644
--- a/model/authorization.go
+++ b/model/permission.go
@@ -3,17 +3,17 @@
 
 package model
 
+const (
+	PERMISSION_SCOPE_SYSTEM  = "system_scope"
+	PERMISSION_SCOPE_TEAM    = "team_scope"
+	PERMISSION_SCOPE_CHANNEL = "channel_scope"
+)
+
 type Permission struct {
 	Id          string `json:"id"`
 	Name        string `json:"name"`
 	Description string `json:"description"`
-}
-
-type Role struct {
-	Id          string   `json:"id"`
-	Name        string   `json:"name"`
-	Description string   `json:"description"`
-	Permissions []string `json:"permissions"`
+	Scope       string `json:"scope"`
 }
 
 var PERMISSION_INVITE_USER *Permission
@@ -64,459 +64,355 @@ var PERMISSION_CREATE_USER_ACCESS_TOKEN *Permission
 var PERMISSION_READ_USER_ACCESS_TOKEN *Permission
 var PERMISSION_REVOKE_USER_ACCESS_TOKEN *Permission
 
-// General permission that encompases all system admin functions
+// General permission that encompasses all system admin functions
 // in the future this could be broken up to allow access to some
 // admin functions but not others
 var PERMISSION_MANAGE_SYSTEM *Permission
 
-const (
-	SYSTEM_USER_ROLE_ID              = "system_user"
-	SYSTEM_ADMIN_ROLE_ID             = "system_admin"
-	SYSTEM_POST_ALL_ROLE_ID          = "system_post_all"
-	SYSTEM_POST_ALL_PUBLIC_ROLE_ID   = "system_post_all_public"
-	SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"
-
-	TEAM_USER_ROLE_ID            = "team_user"
-	TEAM_ADMIN_ROLE_ID           = "team_admin"
-	TEAM_POST_ALL_ROLE_ID        = "team_post_all"
-	TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public"
-
-	CHANNEL_USER_ROLE_ID  = "channel_user"
-	CHANNEL_ADMIN_ROLE_ID = "channel_admin"
-	CHANNEL_GUEST_ROLE_ID = "guest"
-)
+var ALL_PERMISSIONS []*Permission
 
 func initializePermissions() {
 	PERMISSION_INVITE_USER = &Permission{
 		"invite_user",
 		"authentication.permissions.team_invite_user.name",
 		"authentication.permissions.team_invite_user.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_ADD_USER_TO_TEAM = &Permission{
 		"add_user_to_team",
 		"authentication.permissions.add_user_to_team.name",
 		"authentication.permissions.add_user_to_team.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_USE_SLASH_COMMANDS = &Permission{
 		"use_slash_commands",
 		"authentication.permissions.team_use_slash_commands.name",
 		"authentication.permissions.team_use_slash_commands.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_MANAGE_SLASH_COMMANDS = &Permission{
 		"manage_slash_commands",
 		"authentication.permissions.manage_slash_commands.name",
 		"authentication.permissions.manage_slash_commands.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS = &Permission{
 		"manage_others_slash_commands",
 		"authentication.permissions.manage_others_slash_commands.name",
 		"authentication.permissions.manage_others_slash_commands.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_CREATE_PUBLIC_CHANNEL = &Permission{
 		"create_public_channel",
 		"authentication.permissions.create_public_channel.name",
 		"authentication.permissions.create_public_channel.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_CREATE_PRIVATE_CHANNEL = &Permission{
 		"create_private_channel",
 		"authentication.permissions.create_private_channel.name",
 		"authentication.permissions.create_private_channel.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS = &Permission{
 		"manage_public_channel_members",
 		"authentication.permissions.manage_public_channel_members.name",
 		"authentication.permissions.manage_public_channel_members.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS = &Permission{
 		"manage_private_channel_members",
 		"authentication.permissions.manage_private_channel_members.name",
 		"authentication.permissions.manage_private_channel_members.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE = &Permission{
 		"assign_system_admin_role",
 		"authentication.permissions.assign_system_admin_role.name",
 		"authentication.permissions.assign_system_admin_role.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_MANAGE_ROLES = &Permission{
 		"manage_roles",
 		"authentication.permissions.manage_roles.name",
 		"authentication.permissions.manage_roles.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_MANAGE_TEAM_ROLES = &Permission{
 		"manage_team_roles",
 		"authentication.permissions.manage_team_roles.name",
 		"authentication.permissions.manage_team_roles.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_MANAGE_CHANNEL_ROLES = &Permission{
 		"manage_channel_roles",
 		"authentication.permissions.manage_channel_roles.name",
 		"authentication.permissions.manage_channel_roles.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_MANAGE_SYSTEM = &Permission{
 		"manage_system",
 		"authentication.permissions.manage_system.name",
 		"authentication.permissions.manage_system.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_CREATE_DIRECT_CHANNEL = &Permission{
 		"create_direct_channel",
 		"authentication.permissions.create_direct_channel.name",
 		"authentication.permissions.create_direct_channel.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_CREATE_GROUP_CHANNEL = &Permission{
 		"create_group_channel",
 		"authentication.permissions.create_group_channel.name",
 		"authentication.permissions.create_group_channel.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES = &Permission{
-		"manage__publicchannel_properties",
+		"manage_public_channel_properties",
 		"authentication.permissions.manage_public_channel_properties.name",
 		"authentication.permissions.manage_public_channel_properties.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES = &Permission{
 		"manage_private_channel_properties",
 		"authentication.permissions.manage_private_channel_properties.name",
 		"authentication.permissions.manage_private_channel_properties.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_LIST_TEAM_CHANNELS = &Permission{
 		"list_team_channels",
 		"authentication.permissions.list_team_channels.name",
 		"authentication.permissions.list_team_channels.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_JOIN_PUBLIC_CHANNELS = &Permission{
 		"join_public_channels",
 		"authentication.permissions.join_public_channels.name",
 		"authentication.permissions.join_public_channels.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_DELETE_PUBLIC_CHANNEL = &Permission{
 		"delete_public_channel",
 		"authentication.permissions.delete_public_channel.name",
 		"authentication.permissions.delete_public_channel.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_DELETE_PRIVATE_CHANNEL = &Permission{
 		"delete_private_channel",
 		"authentication.permissions.delete_private_channel.name",
 		"authentication.permissions.delete_private_channel.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_EDIT_OTHER_USERS = &Permission{
 		"edit_other_users",
 		"authentication.permissions.edit_other_users.name",
 		"authentication.permissions.edit_other_users.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_READ_CHANNEL = &Permission{
 		"read_channel",
 		"authentication.permissions.read_channel.name",
 		"authentication.permissions.read_channel.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_READ_PUBLIC_CHANNEL = &Permission{
 		"read_public_channel",
 		"authentication.permissions.read_public_channel.name",
 		"authentication.permissions.read_public_channel.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_PERMANENT_DELETE_USER = &Permission{
 		"permanent_delete_user",
 		"authentication.permissions.permanent_delete_user.name",
 		"authentication.permissions.permanent_delete_user.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_UPLOAD_FILE = &Permission{
 		"upload_file",
 		"authentication.permissions.upload_file.name",
 		"authentication.permissions.upload_file.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_GET_PUBLIC_LINK = &Permission{
 		"get_public_link",
 		"authentication.permissions.get_public_link.name",
 		"authentication.permissions.get_public_link.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_MANAGE_WEBHOOKS = &Permission{
 		"manage_webhooks",
 		"authentication.permissions.manage_webhooks.name",
 		"authentication.permissions.manage_webhooks.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_MANAGE_OTHERS_WEBHOOKS = &Permission{
 		"manage_others_webhooks",
 		"authentication.permissions.manage_others_webhooks.name",
 		"authentication.permissions.manage_others_webhooks.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_MANAGE_OAUTH = &Permission{
 		"manage_oauth",
 		"authentication.permissions.manage_oauth.name",
 		"authentication.permissions.manage_oauth.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH = &Permission{
 		"manage_sytem_wide_oauth",
 		"authentication.permissions.manage_sytem_wide_oauth.name",
 		"authentication.permissions.manage_sytem_wide_oauth.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_CREATE_POST = &Permission{
 		"create_post",
 		"authentication.permissions.create_post.name",
 		"authentication.permissions.create_post.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_CREATE_POST_PUBLIC = &Permission{
 		"create_post_public",
 		"authentication.permissions.create_post_public.name",
 		"authentication.permissions.create_post_public.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_EDIT_POST = &Permission{
 		"edit_post",
 		"authentication.permissions.edit_post.name",
 		"authentication.permissions.edit_post.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_EDIT_OTHERS_POSTS = &Permission{
 		"edit_others_posts",
 		"authentication.permissions.edit_others_posts.name",
 		"authentication.permissions.edit_others_posts.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_DELETE_POST = &Permission{
 		"delete_post",
 		"authentication.permissions.delete_post.name",
 		"authentication.permissions.delete_post.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_DELETE_OTHERS_POSTS = &Permission{
 		"delete_others_posts",
 		"authentication.permissions.delete_others_posts.name",
 		"authentication.permissions.delete_others_posts.description",
+		PERMISSION_SCOPE_CHANNEL,
 	}
 	PERMISSION_REMOVE_USER_FROM_TEAM = &Permission{
 		"remove_user_from_team",
 		"authentication.permissions.remove_user_from_team.name",
 		"authentication.permissions.remove_user_from_team.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_CREATE_TEAM = &Permission{
 		"create_team",
 		"authentication.permissions.create_team.name",
 		"authentication.permissions.create_team.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_MANAGE_TEAM = &Permission{
 		"manage_team",
 		"authentication.permissions.manage_team.name",
 		"authentication.permissions.manage_team.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_IMPORT_TEAM = &Permission{
 		"import_team",
 		"authentication.permissions.import_team.name",
 		"authentication.permissions.import_team.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_VIEW_TEAM = &Permission{
 		"view_team",
 		"authentication.permissions.view_team.name",
 		"authentication.permissions.view_team.description",
+		PERMISSION_SCOPE_TEAM,
 	}
 	PERMISSION_LIST_USERS_WITHOUT_TEAM = &Permission{
 		"list_users_without_team",
 		"authentication.permissions.list_users_without_team.name",
 		"authentication.permissions.list_users_without_team.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_CREATE_USER_ACCESS_TOKEN = &Permission{
 		"create_user_access_token",
 		"authentication.permissions.create_user_access_token.name",
 		"authentication.permissions.create_user_access_token.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_READ_USER_ACCESS_TOKEN = &Permission{
 		"read_user_access_token",
 		"authentication.permissions.read_user_access_token.name",
 		"authentication.permissions.read_user_access_token.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_REVOKE_USER_ACCESS_TOKEN = &Permission{
 		"revoke_user_access_token",
 		"authentication.permissions.revoke_user_access_token.name",
 		"authentication.permissions.revoke_user_access_token.description",
+		PERMISSION_SCOPE_SYSTEM,
 	}
 	PERMISSION_MANAGE_JOBS = &Permission{
 		"manage_jobs",
 		"authentication.permisssions.manage_jobs.name",
 		"authentication.permisssions.manage_jobs.description",
-	}
-}
-
-var DefaultRoles map[string]*Role
-
-func initializeDefaultRoles() {
-	DefaultRoles = make(map[string]*Role)
-
-	DefaultRoles[CHANNEL_USER_ROLE_ID] = &Role{
-		"channel_user",
-		"authentication.roles.channel_user.name",
-		"authentication.roles.channel_user.description",
-		[]string{
-			PERMISSION_READ_CHANNEL.Id,
-			PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
-			PERMISSION_UPLOAD_FILE.Id,
-			PERMISSION_GET_PUBLIC_LINK.Id,
-			PERMISSION_CREATE_POST.Id,
-			PERMISSION_EDIT_POST.Id,
-			PERMISSION_USE_SLASH_COMMANDS.Id,
-		},
-	}
-
-	DefaultRoles[CHANNEL_ADMIN_ROLE_ID] = &Role{
-		"channel_admin",
-		"authentication.roles.channel_admin.name",
-		"authentication.roles.channel_admin.description",
-		[]string{
-			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
-		},
-	}
-
-	DefaultRoles[CHANNEL_GUEST_ROLE_ID] = &Role{
-		"guest",
-		"authentication.roles.global_guest.name",
-		"authentication.roles.global_guest.description",
-		[]string{},
-	}
-
-	DefaultRoles[TEAM_USER_ROLE_ID] = &Role{
-		"team_user",
-		"authentication.roles.team_user.name",
-		"authentication.roles.team_user.description",
-		[]string{
-			PERMISSION_LIST_TEAM_CHANNELS.Id,
-			PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
-			PERMISSION_READ_PUBLIC_CHANNEL.Id,
-			PERMISSION_VIEW_TEAM.Id,
-		},
+		PERMISSION_SCOPE_SYSTEM,
 	}
 
-	DefaultRoles[TEAM_POST_ALL_ROLE_ID] = &Role{
-		"team_post_all",
-		"authentication.roles.team_post_all.name",
-		"authentication.roles.team_post_all.description",
-		[]string{
-			PERMISSION_CREATE_POST.Id,
-		},
+	ALL_PERMISSIONS = []*Permission{
+		PERMISSION_INVITE_USER,
+		PERMISSION_ADD_USER_TO_TEAM,
+		PERMISSION_USE_SLASH_COMMANDS,
+		PERMISSION_MANAGE_SLASH_COMMANDS,
+		PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS,
+		PERMISSION_CREATE_PUBLIC_CHANNEL,
+		PERMISSION_CREATE_PRIVATE_CHANNEL,
+		PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS,
+		PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS,
+		PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE,
+		PERMISSION_MANAGE_ROLES,
+		PERMISSION_MANAGE_TEAM_ROLES,
+		PERMISSION_MANAGE_CHANNEL_ROLES,
+		PERMISSION_CREATE_DIRECT_CHANNEL,
+		PERMISSION_CREATE_GROUP_CHANNEL,
+		PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES,
+		PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES,
+		PERMISSION_LIST_TEAM_CHANNELS,
+		PERMISSION_JOIN_PUBLIC_CHANNELS,
+		PERMISSION_DELETE_PUBLIC_CHANNEL,
+		PERMISSION_DELETE_PRIVATE_CHANNEL,
+		PERMISSION_EDIT_OTHER_USERS,
+		PERMISSION_READ_CHANNEL,
+		PERMISSION_READ_PUBLIC_CHANNEL,
+		PERMISSION_PERMANENT_DELETE_USER,
+		PERMISSION_UPLOAD_FILE,
+		PERMISSION_GET_PUBLIC_LINK,
+		PERMISSION_MANAGE_WEBHOOKS,
+		PERMISSION_MANAGE_OTHERS_WEBHOOKS,
+		PERMISSION_MANAGE_OAUTH,
+		PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH,
+		PERMISSION_CREATE_POST,
+		PERMISSION_CREATE_POST_PUBLIC,
+		PERMISSION_EDIT_POST,
+		PERMISSION_EDIT_OTHERS_POSTS,
+		PERMISSION_DELETE_POST,
+		PERMISSION_DELETE_OTHERS_POSTS,
+		PERMISSION_REMOVE_USER_FROM_TEAM,
+		PERMISSION_CREATE_TEAM,
+		PERMISSION_MANAGE_TEAM,
+		PERMISSION_IMPORT_TEAM,
+		PERMISSION_VIEW_TEAM,
+		PERMISSION_LIST_USERS_WITHOUT_TEAM,
+		PERMISSION_MANAGE_JOBS,
+		PERMISSION_CREATE_USER_ACCESS_TOKEN,
+		PERMISSION_READ_USER_ACCESS_TOKEN,
+		PERMISSION_REVOKE_USER_ACCESS_TOKEN,
+		PERMISSION_MANAGE_SYSTEM,
 	}
-
-	DefaultRoles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
-		"team_post_all_public",
-		"authentication.roles.team_post_all_public.name",
-		"authentication.roles.team_post_all_public.description",
-		[]string{
-			PERMISSION_CREATE_POST_PUBLIC.Id,
-		},
-	}
-
-	DefaultRoles[TEAM_ADMIN_ROLE_ID] = &Role{
-		"team_admin",
-		"authentication.roles.team_admin.name",
-		"authentication.roles.team_admin.description",
-		[]string{
-			PERMISSION_EDIT_OTHERS_POSTS.Id,
-			PERMISSION_REMOVE_USER_FROM_TEAM.Id,
-			PERMISSION_MANAGE_TEAM.Id,
-			PERMISSION_IMPORT_TEAM.Id,
-			PERMISSION_MANAGE_TEAM_ROLES.Id,
-			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
-			PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
-			PERMISSION_MANAGE_SLASH_COMMANDS.Id,
-			PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
-			PERMISSION_MANAGE_WEBHOOKS.Id,
-		},
-	}
-
-	DefaultRoles[SYSTEM_USER_ROLE_ID] = &Role{
-		"system_user",
-		"authentication.roles.global_user.name",
-		"authentication.roles.global_user.description",
-		[]string{
-			PERMISSION_CREATE_DIRECT_CHANNEL.Id,
-			PERMISSION_CREATE_GROUP_CHANNEL.Id,
-			PERMISSION_PERMANENT_DELETE_USER.Id,
-		},
-	}
-
-	DefaultRoles[SYSTEM_POST_ALL_ROLE_ID] = &Role{
-		"system_post_all",
-		"authentication.roles.system_post_all.name",
-		"authentication.roles.system_post_all.description",
-		[]string{
-			PERMISSION_CREATE_POST.Id,
-		},
-	}
-
-	DefaultRoles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
-		"system_post_all_public",
-		"authentication.roles.system_post_all_public.name",
-		"authentication.roles.system_post_all_public.description",
-		[]string{
-			PERMISSION_CREATE_POST_PUBLIC.Id,
-		},
-	}
-
-	DefaultRoles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = &Role{
-		"system_user_access_token",
-		"authentication.roles.system_user_access_token.name",
-		"authentication.roles.system_user_access_token.description",
-		[]string{
-			PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
-			PERMISSION_READ_USER_ACCESS_TOKEN.Id,
-			PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
-		},
-	}
-
-	DefaultRoles[SYSTEM_ADMIN_ROLE_ID] = &Role{
-		"system_admin",
-		"authentication.roles.global_admin.name",
-		"authentication.roles.global_admin.description",
-		// System admins can do anything channel and team admins can do
-		// plus everything members of teams and channels can do to all teams
-		// and channels on the system
-		append(
-			append(
-				append(
-					append(
-						[]string{
-							PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
-							PERMISSION_MANAGE_SYSTEM.Id,
-							PERMISSION_MANAGE_ROLES.Id,
-							PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
-							PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
-							PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
-							PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
-							PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
-							PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
-							PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
-							PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
-							PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
-							PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
-							PERMISSION_EDIT_OTHER_USERS.Id,
-							PERMISSION_MANAGE_OAUTH.Id,
-							PERMISSION_INVITE_USER.Id,
-							PERMISSION_DELETE_POST.Id,
-							PERMISSION_DELETE_OTHERS_POSTS.Id,
-							PERMISSION_CREATE_TEAM.Id,
-							PERMISSION_ADD_USER_TO_TEAM.Id,
-							PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
-							PERMISSION_MANAGE_JOBS.Id,
-							PERMISSION_CREATE_POST_PUBLIC.Id,
-							PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
-							PERMISSION_READ_USER_ACCESS_TOKEN.Id,
-							PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
-						},
-						DefaultRoles[TEAM_USER_ROLE_ID].Permissions...,
-					),
-					DefaultRoles[CHANNEL_USER_ROLE_ID].Permissions...,
-				),
-				DefaultRoles[TEAM_ADMIN_ROLE_ID].Permissions...,
-			),
-			DefaultRoles[CHANNEL_ADMIN_ROLE_ID].Permissions...,
-		),
-	}
-}
-
-func RoleIdsToString(roles []string) string {
-	output := ""
-	for _, role := range roles {
-		output += role + ", "
-	}
-
-	if output == "" {
-		return "[<NO ROLES>]"
-	}
-
-	return output[:len(output)-1]
 }
 
 func init() {
 	initializePermissions()
-	initializeDefaultRoles()
 }
diff --git a/model/permission_test.go b/model/permission_test.go
new file mode 100644
index 000000000..cef72af90
--- /dev/null
+++ b/model/permission_test.go
@@ -0,0 +1,18 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// This is a test to ensure that we don't accidentally add more permissions than can fit
+// in the database column for role permissions.
+func TestPermissionsLength(t *testing.T) {
+	permissionsString := ""
+	for _, permission := range ALL_PERMISSIONS {
+		permissionsString += " " + permission.Id
+	}
+
+	assert.True(t, len(permissionsString) < 4096)
+}
diff --git a/model/role.go b/model/role.go
new file mode 100644
index 000000000..254513ae0
--- /dev/null
+++ b/model/role.go
@@ -0,0 +1,310 @@
+// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+import (
+	"encoding/json"
+	"io"
+	"strings"
+)
+
+const (
+	SYSTEM_USER_ROLE_ID              = "system_user"
+	SYSTEM_ADMIN_ROLE_ID             = "system_admin"
+	SYSTEM_POST_ALL_ROLE_ID          = "system_post_all"
+	SYSTEM_POST_ALL_PUBLIC_ROLE_ID   = "system_post_all_public"
+	SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"
+
+	TEAM_USER_ROLE_ID            = "team_user"
+	TEAM_ADMIN_ROLE_ID           = "team_admin"
+	TEAM_POST_ALL_ROLE_ID        = "team_post_all"
+	TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public"
+
+	CHANNEL_USER_ROLE_ID  = "channel_user"
+	CHANNEL_ADMIN_ROLE_ID = "channel_admin"
+
+	ROLE_NAME_MAX_LENGTH         = 64
+	ROLE_DISPLAY_NAME_MAX_LENGTH = 128
+	ROLE_DESCRIPTION_MAX_LENGTH  = 1024
+)
+
+type Role struct {
+	Id            string   `json:"id"`
+	Name          string   `json:"name"`
+	DisplayName   string   `json:"display_name"`
+	Description   string   `json:"description"`
+	Permissions   []string `json:"permissions"`
+	SchemeManaged bool     `json:"scheme_managed"`
+}
+
+type RolePatch struct {
+	Permissions *[]string `json:"permissions"`
+}
+
+func (role *Role) ToJson() string {
+	b, _ := json.Marshal(role)
+	return string(b)
+}
+
+func RoleFromJson(data io.Reader) *Role {
+	var role *Role
+	json.NewDecoder(data).Decode(&role)
+	return role
+}
+
+func RoleListToJson(r []*Role) string {
+	b, _ := json.Marshal(r)
+	return string(b)
+}
+
+func RoleListFromJson(data io.Reader) []*Role {
+	var roles []*Role
+	json.NewDecoder(data).Decode(&roles)
+	return roles
+}
+
+func (r *RolePatch) ToJson() string {
+	b, _ := json.Marshal(r)
+	return string(b)
+}
+
+func RolePatchFromJson(data io.Reader) *RolePatch {
+	var rolePatch *RolePatch
+	json.NewDecoder(data).Decode(&rolePatch)
+	return rolePatch
+}
+
+func (o *Role) Patch(patch *RolePatch) {
+	if patch.Permissions != nil {
+		o.Permissions = *patch.Permissions
+	}
+}
+
+func (role *Role) IsValid() bool {
+	if len(role.Id) != 26 {
+		return false
+	}
+
+	return role.IsValidWithoutId()
+}
+
+func (role *Role) IsValidWithoutId() bool {
+	if !IsValidRoleName(role.Name) {
+		return false
+	}
+
+	if len(role.DisplayName) == 0 || len(role.DisplayName) > ROLE_DISPLAY_NAME_MAX_LENGTH {
+		return false
+	}
+
+	if len(role.Description) > ROLE_DESCRIPTION_MAX_LENGTH {
+		return false
+	}
+
+	for _, permission := range role.Permissions {
+		permissionValidated := false
+		for _, p := range ALL_PERMISSIONS {
+			if permission == p.Id {
+				permissionValidated = true
+				break
+			}
+		}
+
+		if !permissionValidated {
+			return false
+		}
+	}
+
+	return true
+}
+
+func IsValidRoleName(roleName string) bool {
+	if len(roleName) <= 0 || len(roleName) > ROLE_NAME_MAX_LENGTH {
+		return false
+	}
+
+	if strings.TrimLeft(roleName, "abcdefghijklmnopqrstuvwxyz0123456789_") != "" {
+		return false
+	}
+
+	return true
+}
+
+func MakeDefaultRoles() map[string]*Role {
+	roles := make(map[string]*Role)
+
+	roles[CHANNEL_USER_ROLE_ID] = &Role{
+		Name:        "channel_user",
+		DisplayName: "authentication.roles.channel_user.name",
+		Description: "authentication.roles.channel_user.description",
+		Permissions: []string{
+			PERMISSION_READ_CHANNEL.Id,
+			PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			PERMISSION_UPLOAD_FILE.Id,
+			PERMISSION_GET_PUBLIC_LINK.Id,
+			PERMISSION_CREATE_POST.Id,
+			PERMISSION_EDIT_POST.Id,
+			PERMISSION_USE_SLASH_COMMANDS.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[CHANNEL_ADMIN_ROLE_ID] = &Role{
+		Name:        "channel_admin",
+		DisplayName: "authentication.roles.channel_admin.name",
+		Description: "authentication.roles.channel_admin.description",
+		Permissions: []string{
+			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[TEAM_USER_ROLE_ID] = &Role{
+		Name:        "team_user",
+		DisplayName: "authentication.roles.team_user.name",
+		Description: "authentication.roles.team_user.description",
+		Permissions: []string{
+			PERMISSION_LIST_TEAM_CHANNELS.Id,
+			PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			PERMISSION_VIEW_TEAM.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[TEAM_POST_ALL_ROLE_ID] = &Role{
+		Name:        "team_post_all",
+		DisplayName: "authentication.roles.team_post_all.name",
+		Description: "authentication.roles.team_post_all.description",
+		Permissions: []string{
+			PERMISSION_CREATE_POST.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
+		Name:        "team_post_all_public",
+		DisplayName: "authentication.roles.team_post_all_public.name",
+		Description: "authentication.roles.team_post_all_public.description",
+		Permissions: []string{
+			PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[TEAM_ADMIN_ROLE_ID] = &Role{
+		Name:        "team_admin",
+		DisplayName: "authentication.roles.team_admin.name",
+		Description: "authentication.roles.team_admin.description",
+		Permissions: []string{
+			PERMISSION_EDIT_OTHERS_POSTS.Id,
+			PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			PERMISSION_MANAGE_TEAM.Id,
+			PERMISSION_IMPORT_TEAM.Id,
+			PERMISSION_MANAGE_TEAM_ROLES.Id,
+			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			PERMISSION_MANAGE_WEBHOOKS.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[SYSTEM_USER_ROLE_ID] = &Role{
+		Name:        "system_user",
+		DisplayName: "authentication.roles.global_user.name",
+		Description: "authentication.roles.global_user.description",
+		Permissions: []string{
+			PERMISSION_CREATE_DIRECT_CHANNEL.Id,
+			PERMISSION_CREATE_GROUP_CHANNEL.Id,
+			PERMISSION_PERMANENT_DELETE_USER.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[SYSTEM_POST_ALL_ROLE_ID] = &Role{
+		Name:        "system_post_all",
+		DisplayName: "authentication.roles.system_post_all.name",
+		Description: "authentication.roles.system_post_all.description",
+		Permissions: []string{
+			PERMISSION_CREATE_POST.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
+		Name:        "system_post_all_public",
+		DisplayName: "authentication.roles.system_post_all_public.name",
+		Description: "authentication.roles.system_post_all_public.description",
+		Permissions: []string{
+			PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = &Role{
+		Name:        "system_user_access_token",
+		DisplayName: "authentication.roles.system_user_access_token.name",
+		Description: "authentication.roles.system_user_access_token.description",
+		Permissions: []string{
+			PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+		},
+		SchemeManaged: true,
+	}
+
+	roles[SYSTEM_ADMIN_ROLE_ID] = &Role{
+		Name:        "system_admin",
+		DisplayName: "authentication.roles.global_admin.name",
+		Description: "authentication.roles.global_admin.description",
+		// System admins can do anything channel and team admins can do
+		// plus everything members of teams and channels can do to all teams
+		// and channels on the system
+		Permissions: append(
+			append(
+				append(
+					append(
+						[]string{
+							PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
+							PERMISSION_MANAGE_SYSTEM.Id,
+							PERMISSION_MANAGE_ROLES.Id,
+							PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+							PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+							PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+							PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+							PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+							PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+							PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+							PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+							PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
+							PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+							PERMISSION_EDIT_OTHER_USERS.Id,
+							PERMISSION_MANAGE_OAUTH.Id,
+							PERMISSION_INVITE_USER.Id,
+							PERMISSION_DELETE_POST.Id,
+							PERMISSION_DELETE_OTHERS_POSTS.Id,
+							PERMISSION_CREATE_TEAM.Id,
+							PERMISSION_ADD_USER_TO_TEAM.Id,
+							PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
+							PERMISSION_MANAGE_JOBS.Id,
+							PERMISSION_CREATE_POST_PUBLIC.Id,
+							PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+							PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+							PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+						},
+						roles[TEAM_USER_ROLE_ID].Permissions...,
+					),
+					roles[CHANNEL_USER_ROLE_ID].Permissions...,
+				),
+				roles[TEAM_ADMIN_ROLE_ID].Permissions...,
+			),
+			roles[CHANNEL_ADMIN_ROLE_ID].Permissions...,
+		),
+		SchemeManaged: true,
+	}
+
+	return roles
+}
diff --git a/model/user.go b/model/user.go
index 4c08eac24..556ebb1f7 100644
--- a/model/user.go
+++ b/model/user.go
@@ -432,7 +432,7 @@ func IsValidUserRoles(userRoles string) bool {
 	roles := strings.Fields(userRoles)
 
 	for _, r := range roles {
-		if !isValidRole(r) {
+		if !IsValidRoleName(r) {
 			return false
 		}
 	}
@@ -445,11 +445,6 @@ func IsValidUserRoles(userRoles string) bool {
 	return true
 }
 
-func isValidRole(roleId string) bool {
-	_, ok := DefaultRoles[roleId]
-	return ok
-}
-
 // Make sure you acually want to use this function. In context.go there are functions to check permissions
 // This function should not be used to check permissions.
 func (u *User) IsInRole(inRole string) bool {
diff --git a/model/user_test.go b/model/user_test.go
index c91051532..5f97b3ff2 100644
--- a/model/user_test.go
+++ b/model/user_test.go
@@ -263,11 +263,11 @@ func TestCleanUsername(t *testing.T) {
 
 func TestRoles(t *testing.T) {
 
-	if IsValidUserRoles("admin") {
+	if !IsValidUserRoles("team_user") {
 		t.Fatal()
 	}
 
-	if IsValidUserRoles("junk") {
+	if IsValidUserRoles("system_admin") {
 		t.Fatal()
 	}
 
diff --git a/model/websocket_message.go b/model/websocket_message.go
index bf2535dc3..d0e8cb039 100644
--- a/model/websocket_message.go
+++ b/model/websocket_message.go
@@ -42,6 +42,7 @@ const (
 	WEBSOCKET_EVENT_CHANNEL_VIEWED      = "channel_viewed"
 	WEBSOCKET_EVENT_PLUGIN_ACTIVATED    = "plugin_activated"   // EXPERIMENTAL - SUBJECT TO CHANGE
 	WEBSOCKET_EVENT_PLUGIN_DEACTIVATED  = "plugin_deactivated" // EXPERIMENTAL - SUBJECT TO CHANGE
+	WEBSOCKET_EVENT_ROLE_UPDATED        = "role_updated"
 )
 
 type WebSocketMessage interface {
author	George Goldberg <george@gberg.me>	2018-02-06 15:34:08 +0000
committer	GitHub <noreply@github.com>	2018-02-06 15:34:08 +0000
commit	e1cd64613591cf5a990442a69ebf188258bd0cb5 (patch)
tree	ad9f247a2c75b0bc03de93dbbfc038afb6b69545 /model
parent	1c7f25773a77ceb9e84feabe3907e7f93f6870e4 (diff)
download	chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.gz chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.bz2 chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.zip