1 files changed, 57 insertions, 3 deletions
diff --git a/app/app.go b/app/app.go
index cd9fdaa66..27227d271 100644
--- a/app/app.go
+++ b/app/app.go
@@ -8,6 +8,7 @@ import (
 	"html/template"
 	"net"
 	"net/http"
+	"reflect"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -26,6 +27,8 @@ import (
 	"github.com/mattermost/mattermost-server/utils"
 )
 
+const ADVANCED_PERMISSIONS_MIGRATION_KEY = "AdvancedPermissionsMigrationComplete"
+
 type App struct {
 	goroutineCount      int32
 	goroutineExitSignal chan struct{}
@@ -71,7 +74,6 @@ type App struct {
 
 	htmlTemplateWatcher  *utils.HTMLTemplateWatcher
 	sessionCache         *utils.Cache
-	roles                map[string]*model.Role
 	configListenerId     string
 	licenseListenerId    string
 	disableConfigWatch   bool
@@ -155,7 +157,6 @@ func New(options ...Option) (outApp *App, outErr error) {
 
 	})
 	app.regenerateClientConfig()
-	app.setDefaultRolesBasedOnConfig()
 
 	l4g.Info(utils.T("api.server.new_server.init.info"))
 
@@ -196,7 +197,6 @@ func New(options ...Option) (outApp *App, outErr error) {
 
 func (a *App) configOrLicenseListener() {
 	a.regenerateClientConfig()
-	a.setDefaultRolesBasedOnConfig()
 }
 
 func (a *App) Shutdown() {
@@ -495,3 +495,57 @@ func (a *App) Handle404(w http.ResponseWriter, r *http.Request) {
 
 	utils.RenderWebAppError(w, r, err, a.AsymmetricSigningKey())
 }
+
+// This function migrates the default built in roles from code/config to the database.
+func (a *App) DoAdvancedPermissionsMigration() {
+	// If the migration is already marked as completed, don't do it again.
+	if result := <-a.Srv.Store.System().GetByName(ADVANCED_PERMISSIONS_MIGRATION_KEY); result.Err == nil {
+		return
+	}
+
+	l4g.Info("Migrating roles to database.")
+	roles := model.MakeDefaultRoles()
+	roles = utils.SetRolePermissionsFromConfig(roles, a.Config(), a.License() != nil)
+
+	allSucceeded := true
+
+	for _, role := range roles {
+		if result := <-a.Srv.Store.Role().Save(role); result.Err != nil {
+			// If this failed for reasons other than the role already existing, don't mark the migration as done.
+			if result2 := <-a.Srv.Store.Role().GetByName(role.Name); result2.Err != nil {
+				l4g.Critical("Failed to migrate role to database.")
+				l4g.Critical(result.Err)
+				allSucceeded = false
+			} else {
+				// If the role already existed, check it is the same and update if not.
+				fetchedRole := result.Data.(*model.Role)
+				if !reflect.DeepEqual(fetchedRole.Permissions, role.Permissions) ||
+					fetchedRole.DisplayName != role.DisplayName ||
+					fetchedRole.Description != role.Description ||
+					fetchedRole.SchemeManaged != role.SchemeManaged {
+					role.Id = fetchedRole.Id
+					if result := <-a.Srv.Store.Role().Save(role); result.Err != nil {
+						// Role is not the same, but failed to update.
+						l4g.Critical("Failed to migrate role to database.")
+						l4g.Critical(result.Err)
+						allSucceeded = false
+					}
+				}
+			}
+		}
+	}
+
+	if !allSucceeded {
+		return
+	}
+
+	system := model.System{
+		Name:  ADVANCED_PERMISSIONS_MIGRATION_KEY,
+		Value: "true",
+	}
+
+	if result := <-a.Srv.Store.System().Save(&system); result.Err != nil {
+		l4g.Critical("Failed to mark advanced permissions migration as completed.")
+		l4g.Critical(result.Err)
+	}
+}