authorGeorge Goldberg <george@gberg.me>2017-03-15 19:32:02 +0000
committerGitHub <noreply@github.com>2017-03-15 19:32:02 +0000
commit91d430b2a39a03b052cc103f73f44c68cbc96b2d (patch)
treeda7c188407498aced674937c4802c8a9e848f280 /utils/authorization.go
parent8568afe5b4fb4d26b14fbc0d21f088eaa490b314 (diff)
Fix policy application in team edition. (#5771)
Diffstat (limited to 'utils/authorization.go')
-rw-r--r--utils/authorization.go262
1 files changed, 158 insertions, 104 deletions
diff --git a/utils/authorization.go b/utils/authorization.go
index 9a45878a2..2c7f35164 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -11,134 +11,176 @@ func SetDefaultRolesBasedOnConfig() {
// Reset the roles to default to make this logic easier
model.InitalizeRoles()
- switch *Cfg.TeamSettings.RestrictPublicChannelCreation {
- case model.PERMISSIONS_ALL:
+ if IsLicensed {
+ switch *Cfg.TeamSettings.RestrictPublicChannelCreation {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ }
+ } else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
)
- break
- case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
- )
- break
}
- switch *Cfg.TeamSettings.RestrictPublicChannelManagement {
- case model.PERMISSIONS_ALL:
+ if IsLicensed {
+ switch *Cfg.TeamSettings.RestrictPublicChannelManagement {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ case model.PERMISSIONS_CHANNEL_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+ )
+ model.ROLE_CHANNEL_ADMIN.Permissions = append(
+ model.ROLE_CHANNEL_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ }
+ } else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
)
- break
- case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
- )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
- )
- break
- case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
- )
- break
}
- switch *Cfg.TeamSettings.RestrictPublicChannelDeletion {
- case model.PERMISSIONS_ALL:
+ if IsLicensed {
+ switch *Cfg.TeamSettings.RestrictPublicChannelDeletion {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_CHANNEL_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+ )
+ model.ROLE_CHANNEL_ADMIN.Permissions = append(
+ model.ROLE_CHANNEL_ADMIN.Permissions,
+ model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+ )
+ break
+ }
+ } else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
)
- break
- case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
- )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
- model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
- )
- break
- case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
- )
- break
}
- switch *Cfg.TeamSettings.RestrictPrivateChannelCreation {
- case model.PERMISSIONS_ALL:
+ if IsLicensed {
+ switch *Cfg.TeamSettings.RestrictPrivateChannelCreation {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+ )
+ break
+ }
+ } else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
)
- break
- case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
- )
- break
}
- switch *Cfg.TeamSettings.RestrictPrivateChannelManagement {
- case model.PERMISSIONS_ALL:
+ if IsLicensed {
+ switch *Cfg.TeamSettings.RestrictPrivateChannelManagement {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ case model.PERMISSIONS_CHANNEL_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+ )
+ model.ROLE_CHANNEL_ADMIN.Permissions = append(
+ model.ROLE_CHANNEL_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+ )
+ break
+ }
+ } else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
)
- break
- case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
- )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
- )
- break
- case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
- )
- break
}
- switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion {
- case model.PERMISSIONS_ALL:
+ if IsLicensed {
+ switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion {
+ case model.PERMISSIONS_ALL:
+ model.ROLE_TEAM_USER.Permissions = append(
+ model.ROLE_TEAM_USER.Permissions,
+ model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_CHANNEL_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+ )
+ model.ROLE_CHANNEL_ADMIN.Permissions = append(
+ model.ROLE_CHANNEL_ADMIN.Permissions,
+ model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+ )
+ break
+ case model.PERMISSIONS_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+ )
+ break
+ }
+ } else {
model.ROLE_TEAM_USER.Permissions = append(
model.ROLE_TEAM_USER.Permissions,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
)
- break
- case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
- )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
- model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
- )
- break
- case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
- )
- break
}
if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
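Review bot: `IsLicensed` is read again at the top of each of the six channel-policy blocks in this hunk (and once more in the `RestrictPostDelete` hunk below), so if the license is loaded or removed on another goroutine while this function runs (not visible here, but plausible for a package-level flag), the roles end up built partly from the configured policy and partly from the open defaults. Take a single snapshot right after `model.InitalizeRoles()`, e.g. `licensed := IsLicensed`, and branch on `licensed` throughout. Because the resulting roles now depend on license state as well as on config, it is also worth confirming that the license load and remove paths re-run `SetDefaultRolesBasedOnConfig()`; otherwise the restrictions stay unenforced (or stay enforced) until the next config reload. The function starts before this hunk and continues past it.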
@@ -167,8 +209,28 @@ func SetDefaultRolesBasedOnConfig() {
)
}
- switch *Cfg.ServiceSettings.RestrictPostDelete {
- case model.PERMISSIONS_DELETE_POST_ALL:
+ if IsLicensed {
+ switch *Cfg.ServiceSettings.RestrictPostDelete {
+ case model.PERMISSIONS_DELETE_POST_ALL:
+ model.ROLE_CHANNEL_USER.Permissions = append(
+ model.ROLE_CHANNEL_USER.Permissions,
+ model.PERMISSION_DELETE_POST.Id,
+ )
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_DELETE_POST.Id,
+ model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+ )
+ break
+ case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
+ model.ROLE_TEAM_ADMIN.Permissions = append(
+ model.ROLE_TEAM_ADMIN.Permissions,
+ model.PERMISSION_DELETE_POST.Id,
+ model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+ )
+ break
+ }
+ } else {
model.ROLE_CHANNEL_USER.Permissions = append(
model.ROLE_CHANNEL_USER.Permissions,
model.PERMISSION_DELETE_POST.Id,
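Review bot: The unlicensed `else` branch drops the configured `RestrictPostDelete` value without a trace, so an operator who set it to `model.PERMISSIONS_DELETE_POST_TEAM_ADMIN` on an unlicensed server gets the all-users grants and nothing tells them the restriction is not in force. Log a warning in this branch when the configured value is not `model.PERMISSIONS_DELETE_POST_ALL`, and add a comment such as `// Unlicensed: RestrictPostDelete is not enforced; grant the PERMISSIONS_DELETE_POST_ALL set.` The six channel-policy `else` branches in the first hunk have the same silent fallback. The `else` block opened here is closed in the following hunk.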
@@ -178,14 +240,6 @@ func SetDefaultRolesBasedOnConfig() {
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
)
- break
- case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
- model.PERMISSION_DELETE_POST.Id,
- model.PERMISSION_DELETE_OTHERS_POSTS.Id,
- )
- break
}
if Cfg.TeamSettings.EnableTeamCreation {