PLT-6139 (Server): Private Channel member managing (#5941)

Adds an EE policy feature to allow restricting system-wide which level of
Admins can manage the membership of private channels.

1 files changed, 33 insertions, 0 deletions

diff --git a/utils/authorization.go b/utils/authorization.go
index 086caa565..8078f4023 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -183,6 +183,39 @@ func SetDefaultRolesBasedOnConfig() {
 		)
 	}
 
+	// Restrict permissions for Private Channel Manage Members
+	if IsLicensed {
+		switch *Cfg.TeamSettings.RestrictPrivateChannelManageMembers {
+		case model.PERMISSIONS_ALL:
+			model.ROLE_CHANNEL_USER.Permissions = append(
+				model.ROLE_CHANNEL_USER.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			break
+		case model.PERMISSIONS_CHANNEL_ADMIN:
+			model.ROLE_TEAM_ADMIN.Permissions = append(
+				model.ROLE_TEAM_ADMIN.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			model.ROLE_CHANNEL_ADMIN.Permissions = append(
+				model.ROLE_CHANNEL_ADMIN.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			break
+		case model.PERMISSIONS_TEAM_ADMIN:
+			model.ROLE_TEAM_ADMIN.Permissions = append(
+				model.ROLE_TEAM_ADMIN.Permissions,
+				model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			)
+			break
+		}
+	} else {
+		model.ROLE_CHANNEL_USER.Permissions = append(
+			model.ROLE_CHANNEL_USER.Permissions,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+		)
+	}
+
 	if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
 		model.ROLE_TEAM_USER.Permissions = append(
 			model.ROLE_TEAM_USER.Permissions,