summaryrefslogtreecommitdiffstats
path: root/api/user.go
diff options
context:
space:
mode:
Diffstat (limited to 'api/user.go')
-rw-r--r--api/user.go67
1 files changed, 32 insertions, 35 deletions
diff --git a/api/user.go b/api/user.go
index a33e2f7d7..35cc3612e 100644
--- a/api/user.go
+++ b/api/user.go
@@ -230,16 +230,16 @@ func IsVerifyHashRequired(user *model.User, team *model.Team, hash string) bool
func CreateUser(user *model.User) (*model.User, *model.AppError) {
- user.Roles = ""
+ user.Roles = model.ROLE_SYSTEM_USER.Id
// Below is a special case where the first user in the entire
- // system is granted the system_admin role instead of admin
+ // system is granted the system_admin role
if result := <-Srv.Store.User().GetTotalUsersCount(); result.Err != nil {
return nil, result.Err
} else {
count := result.Data.(int64)
if count <= 0 {
- user.Roles = model.ROLE_SYSTEM_ADMIN
+ user.Roles = model.ROLE_SYSTEM_ADMIN.Id + " " + model.ROLE_SYSTEM_USER.Id
}
}
@@ -561,7 +561,7 @@ func LoginByOAuth(c *Context, w http.ResponseWriter, r *http.Request, service st
// User MUST be authenticated completely before calling Login
func doLogin(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, deviceId string) {
- session := &model.Session{UserId: user.Id, Roles: user.Roles, DeviceId: deviceId, IsOAuth: false}
+ session := &model.Session{UserId: user.Id, Roles: user.GetRawRoles(), DeviceId: deviceId, IsOAuth: false}
maxAge := *utils.Cfg.ServiceSettings.SessionLengthWebInDays * 60 * 60 * 24
@@ -788,7 +788,7 @@ func getSessions(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["user_id"]
- if !c.HasPermissionsToUser(id, "getSessions") {
+ if !HasPermissionToUser(c, id) {
return
}
@@ -918,11 +918,12 @@ func getInitialLoad(c *Context, w http.ResponseWriter, r *http.Request) {
}
il.ClientCfg = utils.ClientCfg
- if c.IsSystemAdmin() {
+ if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
il.LicenseCfg = utils.ClientLicense
} else {
il.LicenseCfg = utils.GetSanitizedClientLicense()
}
+ c.Err = nil
w.Write([]byte(il.ToJson()))
}
@@ -931,18 +932,15 @@ func getUser(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["user_id"]
- if !c.HasPermissionsToUser(id, "getUser") {
- return
- }
-
if result := <-Srv.Store.User().Get(id); result.Err != nil {
c.Err = result.Err
return
} else if HandleEtag(result.Data.(*model.User).Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress), w, r) {
return
} else {
- result.Data.(*model.User).Sanitize(map[string]bool{})
- w.Header().Set(model.HEADER_ETAG_SERVER, result.Data.(*model.User).Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress))
+ user := sanitizeProfile(c, result.Data.(*model.User))
+
+ w.Header().Set(model.HEADER_ETAG_SERVER, user.Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress))
w.Write([]byte(result.Data.(*model.User).ToJson()))
return
}
@@ -956,7 +954,7 @@ func getProfilesForDirectMessageList(c *Context, w http.ResponseWriter, r *http.
if *utils.Cfg.TeamSettings.RestrictDirectMessage == model.DIRECT_MESSAGE_TEAM {
if c.Session.GetTeamByTeamId(id) == nil {
- if !c.HasSystemAdminPermissions("getProfiles") {
+ if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
return
}
}
@@ -985,7 +983,7 @@ func getProfiles(c *Context, w http.ResponseWriter, r *http.Request) {
id := params["id"]
if c.Session.GetTeamByTeamId(id) == nil {
- if !c.HasSystemAdminPermissions("getProfiles") {
+ if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
return
}
}
@@ -1035,7 +1033,7 @@ func getAudits(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["user_id"]
- if !c.HasPermissionsToUser(id, "getAudits") {
+ if !HasPermissionToUser(c, id) {
return
}
@@ -1292,7 +1290,7 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !c.HasPermissionsToUser(user.Id, "updateUser") {
+ if !HasPermissionToUser(c, user.Id) {
return
}
@@ -1432,22 +1430,21 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
}
new_roles := props["new_roles"]
- if !(model.IsValidUserRoles(new_roles) || model.IsValidTeamRoles(new_roles)) {
+ if !(model.IsValidUserRoles(new_roles)) {
c.SetInvalidParam("updateRoles", "new_roles")
return
}
// If you are not the team admin then you can only demote yourself
- if !c.IsTeamAdmin() && user_id != c.Session.UserId {
+ if user_id != c.Session.UserId && !HasPermissionToTeamContext(c, team_id, model.PERMISSION_MANAGE_ROLES) {
c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.team_admin_needed.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
}
- // Only another system admin can add the system admin role
- if model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN) && !c.IsSystemAdmin() {
+ // If your trying to assign the system admin role, you must have that permission
+ if model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN.Id) && !HasPermissionToContext(c, model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE) {
c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.system_admin_set.app_error", nil, "")
- c.Err.StatusCode = http.StatusForbidden
return
}
@@ -1459,15 +1456,15 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
user = result.Data.(*model.User)
}
- // only another system admin can remove another system admin
- if model.IsInRole(user.Roles, model.ROLE_SYSTEM_ADMIN) && !c.IsSystemAdmin() {
+ // only another system admin can modify another system admin
+ if model.IsInRole(user.GetRawRoles(), model.ROLE_SYSTEM_ADMIN.Id) && !HasPermissionToContext(c, model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE) {
c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.system_admin_needed.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
}
// if the team role has changed then lets update team members
- if model.IsValidTeamRoles(new_roles) && len(team_id) > 0 {
+ if len(team_id) > 0 {
var members []*model.TeamMember
if result := <-Srv.Store.Team().GetTeamsForUser(user_id); result.Err != nil {
@@ -1489,7 +1486,7 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !c.IsSystemAdmin() {
+ if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
currentUserTeamMember := c.Session.GetTeamByTeamId(team_id)
// Only the system admin can modify other team
@@ -1500,12 +1497,13 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
}
// Only another team admin can make a team admin
- if !currentUserTeamMember.IsTeamAdmin() && model.IsInRole(new_roles, model.ROLE_TEAM_ADMIN) {
+ if model.IsInRole(new_roles, model.ROLE_TEAM_ADMIN.Id) && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_ROLES) {
c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.team_admin_needed.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
}
}
+ c.Err = nil
member.Roles = new_roles
@@ -1513,10 +1511,8 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
c.Err = result.Err
return
}
- }
-
- // If the users role has changed then lets update the user
- if model.IsValidUserRoles(new_roles) {
+ } else {
+ // If the users role has changed then lets update the user
UpdateUserRoles(c, user, new_roles)
if c.Err != nil {
return
@@ -1575,7 +1571,7 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
// true when you're trying to de-activate yourself
isSelfDeactive := !active && user_id == c.Session.UserId
- if !isSelfDeactive && !c.IsSystemAdmin() {
+ if !isSelfDeactive && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
c.Err = model.NewLocAppError("updateActive", "api.user.update_active.permissions.app_error", nil, "userId="+user_id)
c.Err.StatusCode = http.StatusForbidden
return
@@ -1626,7 +1622,7 @@ func PermanentDeleteUser(c *Context, user *model.User) *model.AppError {
c.Path = "/users/permanent_delete"
c.LogAuditWithUserId(user.Id, fmt.Sprintf("attempt userId=%v", user.Id))
c.LogAuditWithUserId("", fmt.Sprintf("attempt userId=%v", user.Id))
- if user.IsInRole(model.ROLE_SYSTEM_ADMIN) {
+ if user.IsInRole(model.ROLE_SYSTEM_ADMIN.Id) {
l4g.Warn(utils.T("api.user.permanent_delete_user.system_admin.warn"), user.Email)
}
@@ -1814,7 +1810,7 @@ func ResetPassword(c *Context, userId, newPassword string) *model.AppError {
user = result.Data.(*model.User)
}
- if user.AuthData != nil && len(*user.AuthData) != 0 && !c.IsSystemAdmin() {
+ if user.AuthData != nil && len(*user.AuthData) != 0 && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
return model.NewLocAppError("ResetPassword", "api.user.reset_password.sso.app_error", nil, "userId="+user.Id)
}
@@ -1911,7 +1907,7 @@ func updateUserNotify(c *Context, w http.ResponseWriter, r *http.Request) {
uchan := Srv.Store.User().Get(user_id)
- if !c.HasPermissionsToUser(user_id, "updateUserNotify") {
+ if !HasPermissionToUser(c, user_id) {
return
}
@@ -2567,10 +2563,11 @@ func userTyping(req *model.WebSocketRequest) (map[string]interface{}, *model.App
func sanitizeProfile(c *Context, user *model.User) *model.User {
options := utils.Cfg.GetSanitizeOptions()
- if c.IsSystemAdmin() {
+ if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
options["email"] = true
options["fullname"] = true
}
+ c.Err = nil
user.SanitizeProfile(options)
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-07-02 07:59:54 +0000