summaryrefslogtreecommitdiffstats
path: root/api4
diff options
context:
space:
mode:
Diffstat (limited to 'api4')
-rw-r--r--api4/api.go5
-rw-r--r--api4/apitestlib.go112
-rw-r--r--api4/channel.go1
-rw-r--r--api4/channel_test.go451
-rw-r--r--api4/context.go23
-rw-r--r--api4/oauth_test.go100
-rw-r--r--api4/params.go10
-rw-r--r--api4/post_test.go7
-rw-r--r--api4/role.go100
-rw-r--r--api4/role_test.go184
-rw-r--r--api4/team_test.go127
-rw-r--r--api4/webhook_test.go72
12 files changed, 618 insertions, 574 deletions
diff --git a/api4/api.go b/api4/api.go
index 580bd8c58..583a6041b 100644
--- a/api4/api.go
+++ b/api4/api.go
@@ -96,6 +96,8 @@ type Routes struct {
Reactions *mux.Router // 'api/v4/reactions'
+ Roles *mux.Router // 'api/v4/roles'
+
Emojis *mux.Router // 'api/v4/emoji'
Emoji *mux.Router // 'api/v4/emoji/{emoji_id:[A-Za-z0-9]+}'
EmojiByName *mux.Router // 'api/v4/emoji/name/{emoji_name:[A-Za-z0-9_-\.]+}'
@@ -194,6 +196,8 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
api.BaseRoutes.OpenGraph = api.BaseRoutes.ApiRoot.PathPrefix("/opengraph").Subrouter()
+ api.BaseRoutes.Roles = api.BaseRoutes.ApiRoot.PathPrefix("/roles").Subrouter()
+
api.InitUser()
api.InitTeam()
api.InitChannel()
@@ -219,6 +223,7 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
api.InitWebrtc()
api.InitOpenGraph()
api.InitPlugin()
+ api.InitRole()
root.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404))
diff --git a/api4/apitestlib.go b/api4/apitestlib.go
index b55ce7cbf..67dbc0419 100644
--- a/api4/apitestlib.go
+++ b/api4/apitestlib.go
@@ -122,6 +122,7 @@ func setupTestHelper(enterprise bool) *TestHelper {
Init(th.App, th.App.Srv.Router, true)
wsapi.Init(th.App, th.App.Srv.WebSocketRouter)
th.App.Srv.Store.MarkSystemRanUnitTests()
+ th.App.DoAdvancedPermissionsMigration()
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.EnableOpenServer = true })
@@ -802,3 +803,114 @@ func (me *TestHelper) UpdateUserToNonTeamAdmin(user *model.User, team *model.Tea
}
utils.EnableDebugLogForTest()
}
+
+func (me *TestHelper) SaveDefaultRolePermissions() map[string][]string {
+ utils.DisableDebugLogForTest()
+
+ results := make(map[string][]string)
+
+ for _, roleName := range []string{
+ "system_user",
+ "system_admin",
+ "team_user",
+ "team_admin",
+ "channel_user",
+ "channel_admin",
+ } {
+ role, err1 := me.App.GetRoleByName(roleName)
+ if err1 != nil {
+ utils.EnableDebugLogForTest()
+ panic(err1)
+ }
+
+ results[roleName] = role.Permissions
+ }
+
+ utils.EnableDebugLogForTest()
+ return results
+}
+
+func (me *TestHelper) RestoreDefaultRolePermissions(data map[string][]string) {
+ utils.DisableDebugLogForTest()
+
+ for roleName, permissions := range data {
+ role, err1 := me.App.GetRoleByName(roleName)
+ if err1 != nil {
+ utils.EnableDebugLogForTest()
+ panic(err1)
+ }
+
+ if strings.Join(role.Permissions, " ") == strings.Join(permissions, " ") {
+ continue
+ }
+
+ role.Permissions = permissions
+
+ _, err2 := me.App.UpdateRole(role)
+ if err2 != nil {
+ utils.EnableDebugLogForTest()
+ panic(err2)
+ }
+ }
+
+ utils.EnableDebugLogForTest()
+}
+
+func (me *TestHelper) RemovePermissionFromRole(permission string, roleName string) {
+ utils.DisableDebugLogForTest()
+
+ role, err1 := me.App.GetRoleByName(roleName)
+ if err1 != nil {
+ utils.EnableDebugLogForTest()
+ panic(err1)
+ }
+
+ var newPermissions []string
+ for _, p := range role.Permissions {
+ if p != permission {
+ newPermissions = append(newPermissions, p)
+ }
+ }
+
+ if strings.Join(role.Permissions, " ") == strings.Join(newPermissions, " ") {
+ utils.EnableDebugLogForTest()
+ return
+ }
+
+ role.Permissions = newPermissions
+
+ _, err2 := me.App.UpdateRole(role)
+ if err2 != nil {
+ utils.EnableDebugLogForTest()
+ panic(err2)
+ }
+
+ utils.EnableDebugLogForTest()
+}
+
+func (me *TestHelper) AddPermissionToRole(permission string, roleName string) {
+ utils.DisableDebugLogForTest()
+
+ role, err1 := me.App.GetRoleByName(roleName)
+ if err1 != nil {
+ utils.EnableDebugLogForTest()
+ panic(err1)
+ }
+
+ for _, existingPermission := range role.Permissions {
+ if existingPermission == permission {
+ utils.EnableDebugLogForTest()
+ return
+ }
+ }
+
+ role.Permissions = append(role.Permissions, permission)
+
+ _, err2 := me.App.UpdateRole(role)
+ if err2 != nil {
+ utils.EnableDebugLogForTest()
+ panic(err2)
+ }
+
+ utils.EnableDebugLogForTest()
+}
diff --git a/api4/channel.go b/api4/channel.go
index 29dff883f..1670770c6 100644
--- a/api4/channel.go
+++ b/api4/channel.go
@@ -7,6 +7,7 @@ import (
"net/http"
l4g "github.com/alecthomas/log4go"
+
"github.com/mattermost/mattermost-server/model"
)
diff --git a/api4/channel_test.go b/api4/channel_test.go
index 724b0d84b..4deceb4c4 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -14,7 +14,6 @@ import (
"github.com/mattermost/mattermost-server/model"
"github.com/mattermost/mattermost-server/store/sqlstore"
- "github.com/mattermost/mattermost-server/utils"
)
func TestCreateChannel(t *testing.T) {
@@ -79,26 +78,16 @@ func TestCreateChannel(t *testing.T) {
_, resp = Client.CreateChannel(private)
CheckForbiddenStatus(t, resp)
- th.LoginBasic()
-
- // Check permissions with policy config changes
- isLicensed := utils.IsLicensed()
- license := utils.License()
- restrictPublicChannel := *th.App.Config().TeamSettings.RestrictPublicChannelCreation
- restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelCreation
+ // Check the appropriate permissions are enforced.
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelCreation = restrictPublicChannel })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelCreation = restrictPrivateChannel })
- utils.SetIsLicensed(isLicensed)
- utils.SetLicense(license)
- th.App.SetDefaultRolesBasedOnConfig()
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_ALL })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_ALL })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
+
+ th.AddPermissionToRole(model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+
+ th.LoginBasic()
channel.Name = GenerateTestChannelName()
_, resp = Client.CreateChannel(channel)
@@ -108,13 +97,10 @@ func TestCreateChannel(t *testing.T) {
_, resp = Client.CreateChannel(private)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_TEAM_ADMIN
- })
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_TEAM_ADMIN
- })
- th.App.SetDefaultRolesBasedOnConfig()
+ th.AddPermissionToRole(model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.CreateChannel(channel)
CheckForbiddenStatus(t, resp)
@@ -140,51 +126,7 @@ func TestCreateChannel(t *testing.T) {
_, resp = th.SystemAdminClient.CreateChannel(private)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPublicChannelCreation = model.PERMISSIONS_SYSTEM_ADMIN
- })
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_SYSTEM_ADMIN
- })
- th.App.SetDefaultRolesBasedOnConfig()
-
- th.LoginBasic()
-
- _, resp = Client.CreateChannel(channel)
- CheckForbiddenStatus(t, resp)
-
- _, resp = Client.CreateChannel(private)
- CheckForbiddenStatus(t, resp)
-
- th.LoginTeamAdmin()
-
- _, resp = Client.CreateChannel(channel)
- CheckForbiddenStatus(t, resp)
-
- _, resp = Client.CreateChannel(private)
- CheckForbiddenStatus(t, resp)
-
- channel.Name = GenerateTestChannelName()
- _, resp = th.SystemAdminClient.CreateChannel(channel)
- CheckNoError(t, resp)
-
- private.Name = GenerateTestChannelName()
- _, resp = th.SystemAdminClient.CreateChannel(private)
- CheckNoError(t, resp)
-
- // Check that if unlicensed the policy restriction is not enforced.
- utils.SetIsLicensed(false)
- utils.SetLicense(nil)
- th.App.SetDefaultRolesBasedOnConfig()
-
- channel.Name = GenerateTestChannelName()
- _, resp = Client.CreateChannel(channel)
- CheckNoError(t, resp)
-
- private.Name = GenerateTestChannelName()
- _, resp = Client.CreateChannel(private)
- CheckNoError(t, resp)
-
+ // Test posting Garbage
if r, err := Client.DoApiPost("/channels", "garbage"); err == nil {
t.Fatal("should have errored")
} else {
@@ -887,23 +829,16 @@ func TestDeleteChannel(t *testing.T) {
th.InitBasic().InitSystemAdmin()
- isLicensed := utils.IsLicensed()
- license := utils.License()
- restrictPublicChannel := *th.App.Config().TeamSettings.RestrictPublicChannelManagement
- restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManagement
+ // Check the appropriate permissions are enforced.
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelManagement = restrictPublicChannel })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManagement = restrictPrivateChannel })
- utils.SetIsLicensed(isLicensed)
- utils.SetLicense(license)
- th.App.SetDefaultRolesBasedOnConfig()
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_ALL })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_ALL })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
+
+ th.AddPermissionToRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID)
Client = th.Client
team = th.BasicTeam
@@ -924,13 +859,11 @@ func TestDeleteChannel(t *testing.T) {
_, resp = Client.DeleteChannel(privateChannel7.Id)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_CHANNEL_ADMIN
- })
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_CHANNEL_ADMIN
- })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Restrict permissions to Channel Admins
+ th.RemovePermissionFromRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
// channels created by SystemAdmin
publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
@@ -957,129 +890,9 @@ func TestDeleteChannel(t *testing.T) {
_, resp = Client.DeleteChannel(privateChannel7.Id)
CheckNoError(t, resp)
- // // channels created by SystemAdmin
- publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
- privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
- th.App.AddUserToChannel(user, publicChannel6)
- th.App.AddUserToChannel(user, privateChannel7)
- th.App.AddUserToChannel(user2, privateChannel7)
-
- // successful delete by team admin
- th.UpdateUserToTeamAdmin(user, team)
- th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
-
- _, resp = Client.DeleteChannel(publicChannel6.Id)
- CheckNoError(t, resp)
-
- _, resp = Client.DeleteChannel(privateChannel7.Id)
- CheckNoError(t, resp)
-
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_TEAM_ADMIN
- })
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_TEAM_ADMIN
- })
- th.App.SetDefaultRolesBasedOnConfig()
- th.UpdateUserToNonTeamAdmin(user, team)
- th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
-
- // channels created by SystemAdmin
- publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
- privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
- th.App.AddUserToChannel(user, publicChannel6)
- th.App.AddUserToChannel(user, privateChannel7)
- th.App.AddUserToChannel(user2, privateChannel7)
-
- // cannot delete by user
- _, resp = Client.DeleteChannel(publicChannel6.Id)
- CheckForbiddenStatus(t, resp)
-
- _, resp = Client.DeleteChannel(privateChannel7.Id)
- CheckForbiddenStatus(t, resp)
-
- // // cannot delete by channel admin
- th.MakeUserChannelAdmin(user, publicChannel6)
- th.MakeUserChannelAdmin(user, privateChannel7)
- sqlstore.ClearChannelCaches()
-
- _, resp = Client.DeleteChannel(publicChannel6.Id)
- CheckForbiddenStatus(t, resp)
-
- _, resp = Client.DeleteChannel(privateChannel7.Id)
- CheckForbiddenStatus(t, resp)
-
- // successful delete by team admin
- th.UpdateUserToTeamAdmin(th.BasicUser, team)
- th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
-
- _, resp = Client.DeleteChannel(publicChannel6.Id)
- CheckNoError(t, resp)
-
- _, resp = Client.DeleteChannel(privateChannel7.Id)
- CheckNoError(t, resp)
-
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPublicChannelDeletion = model.PERMISSIONS_SYSTEM_ADMIN
- })
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelDeletion = model.PERMISSIONS_SYSTEM_ADMIN
- })
- th.App.SetDefaultRolesBasedOnConfig()
-
- // channels created by SystemAdmin
- publicChannel6 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN)
- privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
- th.App.AddUserToChannel(user, publicChannel6)
- th.App.AddUserToChannel(user, privateChannel7)
- th.App.AddUserToChannel(user2, privateChannel7)
-
- // cannot delete by user
- _, resp = Client.DeleteChannel(publicChannel6.Id)
- CheckForbiddenStatus(t, resp)
-
- _, resp = Client.DeleteChannel(privateChannel7.Id)
- CheckForbiddenStatus(t, resp)
-
- // cannot delete by channel admin
- th.MakeUserChannelAdmin(user, publicChannel6)
- th.MakeUserChannelAdmin(user, privateChannel7)
- sqlstore.ClearChannelCaches()
-
- _, resp = Client.DeleteChannel(publicChannel6.Id)
- CheckForbiddenStatus(t, resp)
-
- _, resp = Client.DeleteChannel(privateChannel7.Id)
- CheckForbiddenStatus(t, resp)
-
- // cannot delete by team admin
- th.UpdateUserToTeamAdmin(th.BasicUser, team)
- th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
-
- _, resp = Client.DeleteChannel(publicChannel6.Id)
- CheckForbiddenStatus(t, resp)
-
- _, resp = Client.DeleteChannel(privateChannel7.Id)
- CheckForbiddenStatus(t, resp)
-
- // successful delete by SystemAdmin
- _, resp = th.SystemAdminClient.DeleteChannel(publicChannel6.Id)
- CheckNoError(t, resp)
-
- _, resp = th.SystemAdminClient.DeleteChannel(privateChannel7.Id)
- CheckNoError(t, resp)
+ // Make sure team admins don't have permission to delete channels.
+ th.RemovePermissionFromRole(model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.CHANNEL_ADMIN_ROLE_ID)
// last member of a public channel should have required permission to delete
publicChannel6 = th.CreateChannelWithClient(th.Client, model.CHANNEL_OPEN)
@@ -1822,42 +1635,13 @@ func TestAddChannelMember(t *testing.T) {
_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
CheckNoError(t, resp)
- // Test policy does not apply to TE.
- restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManageMembers
+ // Check the appropriate permissions are enforced.
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
- })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
- })
- th.App.SetDefaultRolesBasedOnConfig()
-
- Client.Login(user2.Username, user2.Password)
- privateChannel = th.CreatePrivateChannel()
- _, resp = Client.AddChannelMember(privateChannel.Id, user.Id)
- CheckNoError(t, resp)
- Client.Logout()
- Client.Login(user.Username, user.Password)
- _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
- CheckNoError(t, resp)
- Client.Logout()
-
- // Add a license
- isLicensed := utils.IsLicensed()
- license := utils.License()
- defer func() {
- utils.SetIsLicensed(isLicensed)
- utils.SetLicense(license)
- th.App.SetDefaultRolesBasedOnConfig()
- }()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
// Check that a regular channel user can add other users.
Client.Login(user2.Username, user2.Password)
@@ -1871,14 +1655,9 @@ func TestAddChannelMember(t *testing.T) {
CheckNoError(t, resp)
Client.Logout()
- // Test with CHANNEL_ADMIN level permission.
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
- })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
+ // Restrict the permission for adding users to Channel Admins
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
Client.Login(user2.Username, user2.Password)
privateChannel = th.CreatePrivateChannel()
@@ -1893,70 +1672,11 @@ func TestAddChannelMember(t *testing.T) {
th.MakeUserChannelAdmin(user, privateChannel)
th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
-
- Client.Login(user.Username, user.Password)
- _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
- CheckNoError(t, resp)
- Client.Logout()
-
- // Test with TEAM_ADMIN level permission.
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
- })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
-
- Client.Login(user2.Username, user2.Password)
- privateChannel = th.CreatePrivateChannel()
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
- CheckNoError(t, resp)
- Client.Logout()
-
- Client.Login(user.Username, user.Password)
- _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
- CheckForbiddenStatus(t, resp)
- Client.Logout()
-
- th.UpdateUserToTeamAdmin(user, team)
- th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
Client.Login(user.Username, user.Password)
_, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
CheckNoError(t, resp)
Client.Logout()
-
- // Test with SYSTEM_ADMIN level permission.
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
- })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
-
- Client.Login(user2.Username, user2.Password)
- privateChannel = th.CreatePrivateChannel()
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user.Id)
- CheckNoError(t, resp)
- Client.Logout()
-
- Client.Login(user.Username, user.Password)
- _, resp = Client.AddChannelMember(privateChannel.Id, user3.Id)
- CheckForbiddenStatus(t, resp)
- Client.Logout()
-
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user3.Id)
- CheckNoError(t, resp)
}
func TestRemoveChannelMember(t *testing.T) {
@@ -2018,43 +1738,16 @@ func TestRemoveChannelMember(t *testing.T) {
th.UpdateUserToNonTeamAdmin(user1, team)
th.App.InvalidateAllCaches()
- // Test policy does not apply to TE.
- restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManageMembers
+ // Check the appropriate permissions are enforced.
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
- })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
- })
- th.App.SetDefaultRolesBasedOnConfig()
-
- privateChannel := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
- CheckNoError(t, resp)
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
- CheckNoError(t, resp)
- _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
- CheckNoError(t, resp)
-
- // Add a license
- isLicensed := utils.IsLicensed()
- license := utils.License()
- defer func() {
- utils.SetIsLicensed(isLicensed)
- utils.SetLicense(license)
- th.App.SetDefaultRolesBasedOnConfig()
- }()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
// Check that a regular channel user can remove other users.
- privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
+ privateChannel := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
CheckNoError(t, resp)
_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
@@ -2063,14 +1756,9 @@ func TestRemoveChannelMember(t *testing.T) {
_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
CheckNoError(t, resp)
- // Test with CHANNEL_ADMIN level permission.
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
- })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
+ // Restrict the permission for adding users to Channel Admins
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID)
privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
_, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
@@ -2083,58 +1771,7 @@ func TestRemoveChannelMember(t *testing.T) {
th.MakeUserChannelAdmin(user1, privateChannel)
th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
-
- _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
- CheckNoError(t, resp)
-
- // Test with TEAM_ADMIN level permission.
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
- })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
-
- privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
- CheckNoError(t, resp)
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
- CheckNoError(t, resp)
-
- _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
- CheckForbiddenStatus(t, resp)
-
- th.UpdateUserToTeamAdmin(user1, team)
- th.App.InvalidateAllCaches()
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
_, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
CheckNoError(t, resp)
-
- // Test with SYSTEM_ADMIN level permission.
- th.App.UpdateConfig(func(cfg *model.Config) {
- *cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
- })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
-
- privateChannel = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE)
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user1.Id)
- CheckNoError(t, resp)
- _, resp = th.SystemAdminClient.AddChannelMember(privateChannel.Id, user2.Id)
- CheckNoError(t, resp)
-
- _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id)
- CheckForbiddenStatus(t, resp)
-
- _, resp = th.SystemAdminClient.RemoveUserFromChannel(privateChannel.Id, user2.Id)
- CheckNoError(t, resp)
}
diff --git a/api4/context.go b/api4/context.go
index 82c8d9e6c..19778dda3 100644
--- a/api4/context.go
+++ b/api4/context.go
@@ -622,3 +622,26 @@ func (c *Context) RequireActionId() *Context {
}
return c
}
+
+func (c *Context) RequireRoleId() *Context {
+ if c.Err != nil {
+ return c
+ }
+
+ if len(c.Params.RoleId) != 26 {
+ c.SetInvalidUrlParam("role_id")
+ }
+ return c
+}
+
+func (c *Context) RequireRoleName() *Context {
+ if c.Err != nil {
+ return c
+ }
+
+ if !model.IsValidRoleName(c.Params.RoleName) {
+ c.SetInvalidUrlParam("role_name")
+ }
+
+ return c
+}
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 8dd602456..0959442f0 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -19,13 +19,15 @@ func TestCreateOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
@@ -41,13 +43,15 @@ func TestCreateOAuthApp(t *testing.T) {
t.Fatal("trusted did no match")
}
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.CreateOAuthApp(oapp)
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
rapp, resp = Client.CreateOAuthApp(oapp)
CheckNoError(t, resp)
CheckCreatedStatus(t, resp)
@@ -87,13 +91,15 @@ func TestUpdateOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{
Name: "oapp",
@@ -171,8 +177,9 @@ func TestUpdateOAuthApp(t *testing.T) {
th.LoginBasic()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.UpdateOAuthApp(oapp)
CheckForbiddenStatus(t, resp)
@@ -181,6 +188,7 @@ func TestUpdateOAuthApp(t *testing.T) {
CheckNotFoundStatus(t, resp)
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = false })
+
_, resp = AdminClient.UpdateOAuthApp(oapp)
CheckNotImplementedStatus(t, resp)
@@ -200,14 +208,15 @@ func TestGetOAuthApps(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -250,8 +259,8 @@ func TestGetOAuthApps(t *testing.T) {
t.Fatal("wrong apps returned")
}
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.GetOAuthApps(0, 1000)
CheckForbiddenStatus(t, resp)
@@ -273,14 +282,15 @@ func TestGetOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -319,8 +329,8 @@ func TestGetOAuthApp(t *testing.T) {
_, resp = Client.GetOAuthApp(rapp.Id)
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.GetOAuthApp(rapp2.Id)
CheckForbiddenStatus(t, resp)
@@ -348,14 +358,15 @@ func TestGetOAuthAppInfo(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -394,8 +405,8 @@ func TestGetOAuthAppInfo(t *testing.T) {
_, resp = Client.GetOAuthAppInfo(rapp.Id)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.GetOAuthAppInfo(rapp2.Id)
CheckNoError(t, resp)
@@ -423,14 +434,15 @@ func TestDeleteOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -464,8 +476,9 @@ func TestDeleteOAuthApp(t *testing.T) {
_, resp = Client.DeleteOAuthApp(rapp2.Id)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.DeleteOAuthApp(rapp.Id)
CheckForbiddenStatus(t, resp)
@@ -491,14 +504,15 @@ func TestRegenerateOAuthAppSecret(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -536,8 +550,9 @@ func TestRegenerateOAuthAppSecret(t *testing.T) {
_, resp = Client.RegenerateOAuthAppSecret(rapp2.Id)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.RegenerateOAuthAppSecret(rapp.Id)
CheckForbiddenStatus(t, resp)
@@ -627,7 +642,6 @@ func TestAuthorizeOAuthApp(t *testing.T) {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.SetDefaultRolesBasedOnConfig()
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
diff --git a/api4/params.go b/api4/params.go
index 30638578b..357036e80 100644
--- a/api4/params.go
+++ b/api4/params.go
@@ -44,6 +44,8 @@ type ApiParams struct {
JobId string
JobType string
ActionId string
+ RoleId string
+ RoleName string
Page int
PerPage int
LogsPerPage int
@@ -151,6 +153,14 @@ func ApiParamsFromRequest(r *http.Request) *ApiParams {
params.ActionId = val
}
+ if val, ok := props["role_id"]; ok {
+ params.RoleId = val
+ }
+
+ if val, ok := props["role_name"]; ok {
+ params.RoleName = val
+ }
+
if val, err := strconv.Atoi(r.URL.Query().Get("page")); err != nil || val < 0 {
params.Page = PAGE_DEFAULT
} else {
diff --git a/api4/post_test.go b/api4/post_test.go
index 6f770b70a..de627d8bc 100644
--- a/api4/post_test.go
+++ b/api4/post_test.go
@@ -136,14 +136,12 @@ func testCreatePostWithOutgoingHook(
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOutgoingWebhooks = enableOutgoingHooks })
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOnlyAdminIntegrations = enableAdminOnlyHooks })
- th.App.SetDefaultRolesBasedOnConfig()
th.App.UpdateConfig(func(cfg *model.Config) {
cfg.ServiceSettings.AllowedUntrustedInternalConnections = &allowedInternalConnections
})
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOutgoingWebhooks = true })
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
th.App.UpdateConfig(func(cfg *model.Config) {
*cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost 127.0.0.1"
})
@@ -496,14 +494,11 @@ func TestUpdatePost(t *testing.T) {
utils.SetIsLicensed(isLicensed)
utils.SetLicense(license)
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowEditPost = allowEditPost })
- th.App.SetDefaultRolesBasedOnConfig()
}()
utils.SetIsLicensed(true)
utils.SetLicense(&model.License{Features: &model.Features{}})
utils.License().Features.SetDefaults()
-
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowEditPost = model.ALLOW_EDIT_POST_ALWAYS })
- th.App.SetDefaultRolesBasedOnConfig()
post := &model.Post{ChannelId: channel.Id, Message: "zz" + model.NewId() + "a"}
rpost, resp := Client.CreatePost(post)
@@ -581,14 +576,12 @@ func TestPatchPost(t *testing.T) {
utils.SetIsLicensed(isLicensed)
utils.SetLicense(license)
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowEditPost = allowEditPost })
- th.App.SetDefaultRolesBasedOnConfig()
}()
utils.SetIsLicensed(true)
utils.SetLicense(&model.License{Features: &model.Features{}})
utils.License().Features.SetDefaults()
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowEditPost = model.ALLOW_EDIT_POST_ALWAYS })
- th.App.SetDefaultRolesBasedOnConfig()
post := &model.Post{
ChannelId: channel.Id,
diff --git a/api4/role.go b/api4/role.go
new file mode 100644
index 000000000..a401a8034
--- /dev/null
+++ b/api4/role.go
@@ -0,0 +1,100 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+ "net/http"
+
+ "github.com/mattermost/mattermost-server/model"
+)
+
+func (api *API) InitRole() {
+ api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getRole)).Methods("GET")
+ api.BaseRoutes.Roles.Handle("/name/{role_name:[a-z0-9_]+}", api.ApiSessionRequiredTrustRequester(getRoleByName)).Methods("GET")
+ api.BaseRoutes.Roles.Handle("/names", api.ApiSessionRequiredTrustRequester(getRolesByNames)).Methods("POST")
+ api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchRole)).Methods("PUT")
+}
+
+func getRole(c *Context, w http.ResponseWriter, r *http.Request) {
+ c.RequireRoleId()
+ if c.Err != nil {
+ return
+ }
+
+ if role, err := c.App.GetRole(c.Params.RoleId); err != nil {
+ c.Err = err
+ return
+ } else {
+ w.Write([]byte(role.ToJson()))
+ }
+}
+
+func getRoleByName(c *Context, w http.ResponseWriter, r *http.Request) {
+ c.RequireRoleName()
+ if c.Err != nil {
+ return
+ }
+
+ if role, err := c.App.GetRoleByName(c.Params.RoleName); err != nil {
+ c.Err = err
+ return
+ } else {
+ w.Write([]byte(role.ToJson()))
+ }
+}
+
+func getRolesByNames(c *Context, w http.ResponseWriter, r *http.Request) {
+ rolenames := model.ArrayFromJson(r.Body)
+
+ if len(rolenames) == 0 {
+ c.SetInvalidParam("rolenames")
+ return
+ }
+
+ for _, rolename := range rolenames {
+ if !model.IsValidRoleName(rolename) {
+ c.SetInvalidParam("rolename")
+ return
+ }
+ }
+
+ if roles, err := c.App.GetRolesByNames(rolenames); err != nil {
+ c.Err = err
+ return
+ } else {
+ w.Write([]byte(model.RoleListToJson(roles)))
+ }
+}
+
+func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
+ c.RequireRoleId()
+ if c.Err != nil {
+ return
+ }
+
+ patch := model.RolePatchFromJson(r.Body)
+ if patch == nil {
+ c.SetInvalidParam("role")
+ return
+ }
+
+ oldRole, err := c.App.GetRole(c.Params.RoleId)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+ return
+ }
+
+ if role, err := c.App.PatchRole(oldRole, patch); err != nil {
+ c.Err = err
+ return
+ } else {
+ c.LogAudit("")
+ w.Write([]byte(role.ToJson()))
+ }
+}
diff --git a/api4/role_test.go b/api4/role_test.go
new file mode 100644
index 000000000..64b8303e2
--- /dev/null
+++ b/api4/role_test.go
@@ -0,0 +1,184 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "github.com/mattermost/mattermost-server/model"
+)
+
+func TestGetRole(t *testing.T) {
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+
+ role := &model.Role{
+ Name: model.NewId(),
+ DisplayName: model.NewId(),
+ Description: model.NewId(),
+ Permissions: []string{"manage_system", "create_public_channel"},
+ SchemeManaged: true,
+ }
+
+ res1 := <-th.App.Srv.Store.Role().Save(role)
+ assert.Nil(t, res1.Err)
+ role = res1.Data.(*model.Role)
+ defer th.App.Srv.Store.Job().Delete(role.Id)
+
+ received, resp := th.Client.GetRole(role.Id)
+ CheckNoError(t, resp)
+
+ assert.Equal(t, received.Id, role.Id)
+ assert.Equal(t, received.Name, role.Name)
+ assert.Equal(t, received.DisplayName, role.DisplayName)
+ assert.Equal(t, received.Description, role.Description)
+ assert.EqualValues(t, received.Permissions, role.Permissions)
+ assert.Equal(t, received.SchemeManaged, role.SchemeManaged)
+
+ _, resp = th.SystemAdminClient.GetRole("1234")
+ CheckBadRequestStatus(t, resp)
+
+ _, resp = th.SystemAdminClient.GetRole(model.NewId())
+ CheckNotFoundStatus(t, resp)
+}
+
+func TestGetRoleByName(t *testing.T) {
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+
+ role := &model.Role{
+ Name: model.NewId(),
+ DisplayName: model.NewId(),
+ Description: model.NewId(),
+ Permissions: []string{"manage_system", "create_public_channel"},
+ SchemeManaged: true,
+ }
+
+ res1 := <-th.App.Srv.Store.Role().Save(role)
+ assert.Nil(t, res1.Err)
+ role = res1.Data.(*model.Role)
+ defer th.App.Srv.Store.Job().Delete(role.Id)
+
+ received, resp := th.Client.GetRoleByName(role.Name)
+ CheckNoError(t, resp)
+
+ assert.Equal(t, received.Id, role.Id)
+ assert.Equal(t, received.Name, role.Name)
+ assert.Equal(t, received.DisplayName, role.DisplayName)
+ assert.Equal(t, received.Description, role.Description)
+ assert.EqualValues(t, received.Permissions, role.Permissions)
+ assert.Equal(t, received.SchemeManaged, role.SchemeManaged)
+
+ _, resp = th.SystemAdminClient.GetRoleByName(strings.Repeat("abcdefghij", 10))
+ CheckBadRequestStatus(t, resp)
+
+ _, resp = th.SystemAdminClient.GetRoleByName(model.NewId())
+ CheckNotFoundStatus(t, resp)
+}
+
+func TestGetRolesByNames(t *testing.T) {
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+
+ role1 := &model.Role{
+ Name: model.NewId(),
+ DisplayName: model.NewId(),
+ Description: model.NewId(),
+ Permissions: []string{"manage_system", "create_public_channel"},
+ SchemeManaged: true,
+ }
+ role2 := &model.Role{
+ Name: model.NewId(),
+ DisplayName: model.NewId(),
+ Description: model.NewId(),
+ Permissions: []string{"manage_system", "delete_private_channel"},
+ SchemeManaged: true,
+ }
+ role3 := &model.Role{
+ Name: model.NewId(),
+ DisplayName: model.NewId(),
+ Description: model.NewId(),
+ Permissions: []string{"manage_system", "manage_public_channel_properties"},
+ SchemeManaged: true,
+ }
+
+ res1 := <-th.App.Srv.Store.Role().Save(role1)
+ assert.Nil(t, res1.Err)
+ role1 = res1.Data.(*model.Role)
+ defer th.App.Srv.Store.Job().Delete(role1.Id)
+
+ res2 := <-th.App.Srv.Store.Role().Save(role2)
+ assert.Nil(t, res2.Err)
+ role2 = res2.Data.(*model.Role)
+ defer th.App.Srv.Store.Job().Delete(role2.Id)
+
+ res3 := <-th.App.Srv.Store.Role().Save(role3)
+ assert.Nil(t, res3.Err)
+ role3 = res3.Data.(*model.Role)
+ defer th.App.Srv.Store.Job().Delete(role3.Id)
+
+ // Check all three roles can be found.
+ received, resp := th.Client.GetRolesByNames([]string{role1.Name, role2.Name, role3.Name})
+ CheckNoError(t, resp)
+
+ assert.Contains(t, received, role1)
+ assert.Contains(t, received, role2)
+ assert.Contains(t, received, role3)
+
+ // Check a list of invalid roles.
+ // TODO: Confirm whether no error for invalid role names is intended.
+ received, resp = th.Client.GetRolesByNames([]string{model.NewId(), model.NewId()})
+ CheckNoError(t, resp)
+
+ _, resp = th.SystemAdminClient.GetRolesByNames([]string{})
+ CheckBadRequestStatus(t, resp)
+}
+
+func TestPatchRole(t *testing.T) {
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+
+ role := &model.Role{
+ Name: model.NewId(),
+ DisplayName: model.NewId(),
+ Description: model.NewId(),
+ Permissions: []string{"manage_system", "create_public_channel"},
+ SchemeManaged: true,
+ }
+
+ res1 := <-th.App.Srv.Store.Role().Save(role)
+ assert.Nil(t, res1.Err)
+ role = res1.Data.(*model.Role)
+ defer th.App.Srv.Store.Job().Delete(role.Id)
+
+ patch := &model.RolePatch{
+ Permissions: &[]string{"manage_system", "delete_public_channel"},
+ }
+
+ received, resp := th.SystemAdminClient.PatchRole(role.Id, patch)
+ CheckNoError(t, resp)
+
+ assert.Equal(t, received.Id, role.Id)
+ assert.Equal(t, received.Name, role.Name)
+ assert.Equal(t, received.DisplayName, role.DisplayName)
+ assert.Equal(t, received.Description, role.Description)
+ assert.EqualValues(t, received.Permissions, []string{"manage_system", "delete_public_channel"})
+ assert.Equal(t, received.SchemeManaged, role.SchemeManaged)
+
+ // Check a no-op patch succeeds.
+ received, resp = th.SystemAdminClient.PatchRole(role.Id, patch)
+ CheckNoError(t, resp)
+
+ received, resp = th.SystemAdminClient.PatchRole("junk", patch)
+ CheckBadRequestStatus(t, resp)
+
+ received, resp = th.Client.PatchRole(model.NewId(), patch)
+ CheckNotFoundStatus(t, resp)
+
+ received, resp = th.Client.PatchRole(role.Id, patch)
+ CheckForbiddenStatus(t, resp)
+}
diff --git a/api4/team_test.go b/api4/team_test.go
index a8696a30b..272b7372e 100644
--- a/api4/team_test.go
+++ b/api4/team_test.go
@@ -67,14 +67,14 @@ func TestCreateTeam(t *testing.T) {
_, resp = Client.CreateTeam(rteam)
CheckUnauthorizedStatus(t, resp)
- // Update permission
- enableTeamCreation := th.App.Config().TeamSettings.EnableTeamCreation
+ // Check the appropriate permissions are enforced.
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
- th.App.UpdateConfig(func(cfg *model.Config) { cfg.TeamSettings.EnableTeamCreation = enableTeamCreation })
- th.App.SetDefaultRolesBasedOnConfig()
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
- th.App.UpdateConfig(func(cfg *model.Config) { cfg.TeamSettings.EnableTeamCreation = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ th.RemovePermissionFromRole(model.PERMISSION_CREATE_TEAM.Id, model.SYSTEM_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_CREATE_TEAM.Id, model.SYSTEM_ADMIN_ROLE_ID)
th.LoginBasic()
_, resp = Client.CreateTeam(team)
@@ -1292,31 +1292,18 @@ func TestAddTeamMember(t *testing.T) {
Client.Logout()
- // Check effects of config and license changes.
- restrictTeamInvite := *th.App.Config().TeamSettings.RestrictTeamInvite
- isLicensed := utils.IsLicensed()
- license := utils.License()
+ // Check the appropriate permissions are enforced.
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite })
- utils.SetIsLicensed(isLicensed)
- utils.SetLicense(license)
- th.App.SetDefaultRolesBasedOnConfig()
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
// Set the config so that only team admins can add a user to a team.
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN })
- th.App.SetDefaultRolesBasedOnConfig()
- th.LoginBasic()
-
- // Test without the EE license to see that the permission restriction is ignored.
- _, resp = Client.AddTeamMember(team.Id, otherUser.Id)
- CheckNoError(t, resp)
+ th.AddPermissionToRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_USER_ROLE_ID)
- // Add an EE license.
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
th.LoginBasic()
// Check that a regular user can't add someone to the team.
@@ -1326,50 +1313,26 @@ func TestAddTeamMember(t *testing.T) {
// Update user to team admin
th.UpdateUserToTeamAdmin(th.BasicUser, th.BasicTeam)
th.App.InvalidateAllCaches()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
th.LoginBasic()
// Should work as a team admin.
_, resp = Client.AddTeamMember(team.Id, otherUser.Id)
CheckNoError(t, resp)
- // Change permission level to System Admin
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_SYSTEM_ADMIN })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Change permission level to team user
+ th.AddPermissionToRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_ADMIN_ROLE_ID)
- // Should not work as team admin.
- _, resp = Client.AddTeamMember(team.Id, otherUser.Id)
- CheckForbiddenStatus(t, resp)
-
- // Should work as system admin.
- _, resp = th.SystemAdminClient.AddTeamMember(team.Id, otherUser.Id)
- CheckNoError(t, resp)
-
- // Change permission level to All
th.UpdateUserToNonTeamAdmin(th.BasicUser, th.BasicTeam)
th.App.InvalidateAllCaches()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_ALL })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
th.LoginBasic()
// Should work as a regular user.
_, resp = Client.AddTeamMember(team.Id, otherUser.Id)
CheckNoError(t, resp)
- // Reset config and license.
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite })
- utils.SetIsLicensed(isLicensed)
- utils.SetLicense(license)
- th.App.SetDefaultRolesBasedOnConfig()
- th.LoginBasic()
-
// by hash and data
Client.Login(otherUser.Email, otherUser.Password)
@@ -1506,31 +1469,18 @@ func TestAddTeamMembers(t *testing.T) {
Client.Logout()
- // Check effects of config and license changes.
- restrictTeamInvite := *th.App.Config().TeamSettings.RestrictTeamInvite
- isLicensed := utils.IsLicensed()
- license := utils.License()
+ // Check the appropriate permissions are enforced.
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite })
- utils.SetIsLicensed(isLicensed)
- utils.SetLicense(license)
- th.App.SetDefaultRolesBasedOnConfig()
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
// Set the config so that only team admins can add a user to a team.
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN })
- th.App.SetDefaultRolesBasedOnConfig()
- th.LoginBasic()
-
- // Test without the EE license to see that the permission restriction is ignored.
- _, resp = Client.AddTeamMembers(team.Id, userList)
- CheckNoError(t, resp)
+ th.AddPermissionToRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_USER_ROLE_ID)
- // Add an EE license.
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
th.LoginBasic()
// Check that a regular user can't add someone to the team.
@@ -1540,37 +1490,20 @@ func TestAddTeamMembers(t *testing.T) {
// Update user to team admin
th.UpdateUserToTeamAdmin(th.BasicUser, th.BasicTeam)
th.App.InvalidateAllCaches()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
th.LoginBasic()
// Should work as a team admin.
_, resp = Client.AddTeamMembers(team.Id, userList)
CheckNoError(t, resp)
- // Change permission level to System Admin
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_SYSTEM_ADMIN })
- th.App.SetDefaultRolesBasedOnConfig()
-
- // Should not work as team admin.
- _, resp = Client.AddTeamMembers(team.Id, userList)
- CheckForbiddenStatus(t, resp)
-
- // Should work as system admin.
- _, resp = th.SystemAdminClient.AddTeamMembers(team.Id, userList)
- CheckNoError(t, resp)
+ // Change permission level to team user
+ th.AddPermissionToRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_USER_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_INVITE_USER.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_ADD_USER_TO_TEAM.Id, model.TEAM_ADMIN_ROLE_ID)
- // Change permission level to All
th.UpdateUserToNonTeamAdmin(th.BasicUser, th.BasicTeam)
th.App.InvalidateAllCaches()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_ALL })
- utils.SetIsLicensed(true)
- utils.SetLicense(&model.License{Features: &model.Features{}})
- utils.License().Features.SetDefaults()
- th.App.SetDefaultRolesBasedOnConfig()
th.LoginBasic()
// Should work as a regular user.
diff --git a/api4/webhook_test.go b/api4/webhook_test.go
index 724fd0ea4..0a295b4b2 100644
--- a/api4/webhook_test.go
+++ b/api4/webhook_test.go
@@ -19,10 +19,16 @@ func TestCreateIncomingWebhook(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnablePostUsernameOverride = true })
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnablePostIconOverride = true })
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
+ defer func() {
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
+ }()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
+
hook := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id}
rhook, resp := th.SystemAdminClient.CreateIncomingWebhook(hook)
@@ -53,7 +59,7 @@ func TestCreateIncomingWebhook(t *testing.T) {
_, resp = Client.CreateIncomingWebhook(hook)
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.CreateIncomingWebhook(hook)
CheckNoError(t, resp)
@@ -75,7 +81,13 @@ func TestGetIncomingWebhooks(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
+
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
+ defer func() {
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
+ }()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id}
rhook, resp := th.SystemAdminClient.CreateIncomingWebhook(hook)
@@ -126,7 +138,7 @@ func TestGetIncomingWebhooks(t *testing.T) {
_, resp = Client.GetIncomingWebhooks(0, 1000, "")
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.GetIncomingWebhooksForTeam(th.BasicTeam.Id, 0, 1000, "")
CheckNoError(t, resp)
@@ -148,7 +160,6 @@ func TestGetIncomingWebhook(t *testing.T) {
Client := th.SystemAdminClient
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
var resp *model.Response
var rhook *model.IncomingWebhook
@@ -188,7 +199,6 @@ func TestDeleteIncomingWebhook(t *testing.T) {
Client := th.SystemAdminClient
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
var resp *model.Response
var rhook *model.IncomingWebhook
@@ -240,7 +250,13 @@ func TestCreateOutgoingWebhook(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOutgoingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
+
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
+ defer func() {
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
+ }()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId, CallbackURLs: []string{"http://nowhere.com"}}
@@ -268,7 +284,7 @@ func TestCreateOutgoingWebhook(t *testing.T) {
_, resp = Client.CreateOutgoingWebhook(hook)
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.CreateOutgoingWebhook(hook)
CheckNoError(t, resp)
@@ -284,7 +300,12 @@ func TestGetOutgoingWebhooks(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOutgoingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
+ defer func() {
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
+ }()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId, CallbackURLs: []string{"http://nowhere.com"}}
rhook, resp := th.SystemAdminClient.CreateOutgoingWebhook(hook)
@@ -352,7 +373,7 @@ func TestGetOutgoingWebhooks(t *testing.T) {
_, resp = Client.GetOutgoingWebhooks(0, 1000, "")
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.GetOutgoingWebhooksForTeam(th.BasicTeam.Id, 0, 1000, "")
CheckNoError(t, resp)
@@ -380,7 +401,6 @@ func TestGetOutgoingWebhook(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOutgoingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
hook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId, CallbackURLs: []string{"http://nowhere.com"}}
@@ -411,7 +431,13 @@ func TestUpdateIncomingHook(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
+
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
+ defer func() {
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
+ }()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook1 := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id}
@@ -547,10 +573,11 @@ func TestUpdateIncomingHook(t *testing.T) {
CheckForbiddenStatus(t, resp)
})
- th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
t.Run("OnlyAdminIntegrationsDisabled", func(t *testing.T) {
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
t.Run("UpdateHookOfSameUser", func(t *testing.T) {
sameUserHook := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id, UserId: th.BasicUser2.Id}
@@ -568,7 +595,8 @@ func TestUpdateIncomingHook(t *testing.T) {
})
})
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
Client.Logout()
th.UpdateUserToTeamAdmin(th.BasicUser2, th.BasicTeam)
@@ -623,7 +651,6 @@ func TestRegenOutgoingHookToken(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOutgoingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
hook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId, CallbackURLs: []string{"http://nowhere.com"}}
rhook, resp := th.SystemAdminClient.CreateOutgoingWebhook(hook)
@@ -656,7 +683,12 @@ func TestUpdateOutgoingHook(t *testing.T) {
Client := th.Client
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOutgoingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
+ defer func() {
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
+ }()
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
createdHook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId,
CallbackURLs: []string{"http://nowhere.com"}, TriggerWords: []string{"cats"}}
@@ -729,7 +761,7 @@ func TestUpdateOutgoingHook(t *testing.T) {
CheckForbiddenStatus(t, resp)
})
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook2 := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId,
CallbackURLs: []string{"http://nowhere.com"}, TriggerWords: []string{"rats2"}}
@@ -739,7 +771,8 @@ func TestUpdateOutgoingHook(t *testing.T) {
_, resp = Client.UpdateOutgoingWebhook(createdHook2)
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
Client.Logout()
th.UpdateUserToTeamAdmin(th.BasicUser2, th.BasicTeam)
@@ -813,7 +846,6 @@ func TestDeleteOutgoingHook(t *testing.T) {
Client := th.SystemAdminClient
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
var resp *model.Response
var rhook *model.OutgoingWebhook