Diffstat (limited to 'api/authorization.go')
-rw-r--r-- | api/authorization.go | 187 |
1 files changed, 0 insertions, 187 deletions
diff --git a/api/authorization.go b/api/authorization.go
deleted file mode 100644
index e931c4b33..000000000
--- a/api/authorization.go
+++ /dev/null
@@ -1,187 +0,0 @@
-// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
-// See License.txt for license information.
-
-package api
-
-import (
- "net/http"
- "strings"
-
- l4g "github.com/alecthomas/log4go"
- "github.com/mattermost/platform/model"
-)
-
-func HasPermissionToContext(c *Context, permission *model.Permission) bool {
- userRoles := c.Session.GetUserRoles()
- if !CheckIfRolesGrantPermission(userRoles, permission.Id) {
- c.Err = model.NewLocAppError("HasPermissionToContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id+" "+model.RoleIdsToString(userRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
- }
-
- return true
-}
-
-func HasPermissionTo(user *model.User, permission *model.Permission) bool {
- roles := user.GetRoles()
-
- return CheckIfRolesGrantPermission(roles, permission.Id)
-}
-
-func HasPermissionToCurrentTeamContext(c *Context, permission *model.Permission) bool {
- return HasPermissionToTeamContext(c, c.TeamId, permission)
-}
-
-func HasPermissionToTeamContext(c *Context, teamId string, permission *model.Permission) bool {
- teamMember := c.Session.GetTeamByTeamId(teamId)
- if teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToTeamContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id)
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToTeam(user *model.User, teamMember *model.TeamMember, permission *model.Permission) bool {
- if teamMember == nil {
- return false
- }
-
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
-
- return HasPermissionTo(user, permission)
-}
-
-func HasPermissionToChannelContext(c *Context, channelId string, permission *model.Permission) bool {
- cmc := Srv.Store.Channel().GetAllChannelMembersForUser(c.Session.UserId, true)
-
- var channelRoles []string
- if cmcresult := <-cmc; cmcresult.Err == nil {
- ids := cmcresult.Data.(map[string]string)
- if roles, ok := ids[channelId]; ok {
- channelRoles = strings.Fields(roles)
- if CheckIfRolesGrantPermission(channelRoles, permission.Id) {
- return true
- }
- }
- }
-
- cc := Srv.Store.Channel().Get(channelId, true)
- if ccresult := <-cc; ccresult.Err == nil {
- channel := ccresult.Data.(*model.Channel)
-
- if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToChannelContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToChannel(user *model.User, teamMember *model.TeamMember, channelMember *model.ChannelMember, permission *model.Permission) bool {
- if channelMember == nil {
- return false
- }
-
- roles := channelMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
-
- return HasPermissionToTeam(user, teamMember, permission)
-}
-
-func HasPermissionToChannelByPostContext(c *Context, postId string, permission *model.Permission) bool {
- cmc := Srv.Store.Channel().GetMemberForPost(postId, c.Session.UserId)
-
- var channelRoles []string
- if cmcresult := <-cmc; cmcresult.Err == nil {
- channelMember := cmcresult.Data.(*model.ChannelMember)
- channelRoles = channelMember.GetRoles()
-
- if CheckIfRolesGrantPermission(channelRoles, permission.Id) {
- return true
- }
- }
-
- cc := Srv.Store.Channel().GetForPost(postId)
- if ccresult := <-cc; ccresult.Err == nil {
- channel := ccresult.Data.(*model.Channel)
-
- if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToChannelByPostContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToUser(c *Context, userId string) bool {
- // You are the user (users autmaticly have permissions to themselves)
- if c.Session.UserId == userId {
- return true
- }
-
- // You have permission
- if HasPermissionToContext(c, model.PERMISSION_EDIT_OTHER_USERS) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToUser", "api.context.permissions.app_error", nil, "userId="+userId)
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func CheckIfRolesGrantPermission(roles []string, permissionId string) bool {
- for _, roleId := range roles {
- if role, ok := model.BuiltInRoles[roleId]; !ok {
- l4g.Debug("Bad role in system " + roleId)
- return false
- } else {
- permissions := role.Permissions
- for _, permission := range permissions {
- if permission == permissionId {
- return true
- }
- }
- }
- }
-
- return false
-}