diff options
Diffstat (limited to 'app')
-rw-r--r-- | app/app.go | 106 | ||||
-rw-r--r-- | app/app_test.go | 135 | ||||
-rw-r--r-- | app/apptestlib.go | 47 | ||||
-rw-r--r-- | app/authorization.go | 17 | ||||
-rw-r--r-- | app/channel.go | 97 | ||||
-rw-r--r-- | app/channel_test.go | 22 | ||||
-rw-r--r-- | app/permissions.go | 159 | ||||
-rw-r--r-- | app/permissions_test.go | 253 | ||||
-rw-r--r-- | app/scheme.go | 168 | ||||
-rw-r--r-- | app/team.go | 96 | ||||
-rw-r--r-- | app/team_test.go | 18 |
11 files changed, 1065 insertions, 53 deletions
diff --git a/app/app.go b/app/app.go index 6de75855c..bda56ca1a 100644 --- a/app/app.go +++ b/app/app.go @@ -20,6 +20,7 @@ import ( "github.com/mattermost/mattermost-server/einterfaces" ejobs "github.com/mattermost/mattermost-server/einterfaces/jobs" "github.com/mattermost/mattermost-server/jobs" + tjobs "github.com/mattermost/mattermost-server/jobs/interfaces" "github.com/mattermost/mattermost-server/mlog" "github.com/mattermost/mattermost-server/model" "github.com/mattermost/mattermost-server/plugin/pluginenv" @@ -29,6 +30,7 @@ import ( ) const ADVANCED_PERMISSIONS_MIGRATION_KEY = "AdvancedPermissionsMigrationComplete" +const EMOJIS_PERMISSIONS_MIGRATION_KEY = "EmojisPermissionsMigrationComplete" type App struct { goroutineCount int32 @@ -56,7 +58,6 @@ type App struct { Compliance einterfaces.ComplianceInterface DataRetention einterfaces.DataRetentionInterface Elasticsearch einterfaces.ElasticsearchInterface - Emoji einterfaces.EmojiInterface Ldap einterfaces.LdapInterface MessageExport einterfaces.MessageExportInterface Metrics einterfaces.MetricsInterface @@ -93,6 +94,8 @@ type App struct { clientConfig map[string]string clientConfigHash string diagnosticId string + + phase2PermissionsMigrationComplete bool } var appCount = 0 @@ -285,12 +288,6 @@ func RegisterElasticsearchInterface(f func(*App) einterfaces.ElasticsearchInterf elasticsearchInterface = f } -var emojiInterface func(*App) einterfaces.EmojiInterface - -func RegisterEmojiInterface(f func(*App) einterfaces.EmojiInterface) { - emojiInterface = f -} - var jobsDataRetentionJobInterface func(*App) ejobs.DataRetentionJobInterface func RegisterJobsDataRetentionJobInterface(f func(*App) ejobs.DataRetentionJobInterface) { @@ -321,6 +318,12 @@ func RegisterJobsLdapSyncInterface(f func(*App) ejobs.LdapSyncInterface) { jobsLdapSyncInterface = f } +var jobsMigrationsInterface func(*App) tjobs.MigrationsJobInterface + +func RegisterJobsMigrationsJobInterface(f func(*App) tjobs.MigrationsJobInterface) { + jobsMigrationsInterface = f +} + var ldapInterface func(*App) einterfaces.LdapInterface func RegisterLdapInterface(f func(*App) einterfaces.LdapInterface) { @@ -367,9 +370,6 @@ func (a *App) initEnterprise() { if elasticsearchInterface != nil { a.Elasticsearch = elasticsearchInterface(a) } - if emojiInterface != nil { - a.Emoji = emojiInterface(a) - } if ldapInterface != nil { a.Ldap = ldapInterface(a) a.AddConfigListener(func(_, cfg *model.Config) { @@ -415,6 +415,9 @@ func (a *App) initJobs() { if jobsLdapSyncInterface != nil { a.Jobs.LdapSync = jobsLdapSyncInterface(a) } + if jobsMigrationsInterface != nil { + a.Jobs.Migrations = jobsMigrationsInterface(a) + } } func (a *App) DiagnosticId() string { @@ -580,3 +583,86 @@ func (a *App) DoAdvancedPermissionsMigration() { mlog.Critical(fmt.Sprint(result.Err)) } } + +func (a *App) SetPhase2PermissionsMigrationStatus(isComplete bool) error { + if !isComplete { + res := <-a.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2) + if res.Err != nil { + return res.Err + } + } + a.phase2PermissionsMigrationComplete = isComplete + return nil +} + +func (a *App) DoEmojisPermissionsMigration() { + // If the migration is already marked as completed, don't do it again. + if result := <-a.Srv.Store.System().GetByName(EMOJIS_PERMISSIONS_MIGRATION_KEY); result.Err == nil { + return + } + + var role *model.Role = nil + var systemAdminRole *model.Role = nil + var err *model.AppError = nil + + mlog.Info("Migrating emojis config to database.") + switch *a.Config().ServiceSettings.RestrictCustomEmojiCreation { + case model.RESTRICT_EMOJI_CREATION_ALL: + role, err = a.GetRoleByName(model.SYSTEM_USER_ROLE_ID) + if err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(err.Error()) + return + } + break + case model.RESTRICT_EMOJI_CREATION_ADMIN: + role, err = a.GetRoleByName(model.TEAM_ADMIN_ROLE_ID) + if err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(err.Error()) + return + } + break + case model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN: + role = nil + break + default: + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical("Invalid restrict emoji creation setting") + return + } + + if role != nil { + role.Permissions = append(role.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id) + if result := <-a.Srv.Store.Role().Save(role); result.Err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(result.Err.Error()) + return + } + } + + systemAdminRole, err = a.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + if err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(err.Error()) + return + } + + systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id) + systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id) + if result := <-a.Srv.Store.Role().Save(systemAdminRole); result.Err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(result.Err.Error()) + return + } + + system := model.System{ + Name: EMOJIS_PERMISSIONS_MIGRATION_KEY, + Value: "true", + } + + if result := <-a.Srv.Store.System().Save(&system); result.Err != nil { + mlog.Critical("Failed to mark emojis permissions migration as completed.") + mlog.Critical(fmt.Sprint(result.Err)) + } +} diff --git a/app/app_test.go b/app/app_test.go index cb6917073..dd6f0b593 100644 --- a/app/app_test.go +++ b/app/app_test.go @@ -455,3 +455,138 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) { *config.ServiceSettings.PostEditTimeLimit = 300 th.App.SaveConfig(config, false) } + +func TestDoEmojisPermissionsMigration(t *testing.T) { + th := Setup() + defer th.TearDown() + + if testStoreSqlSupplier == nil { + t.Skip("This test requires a TestStore to be run.") + } + + // Add a license and change the policy config. + restrictCustomEmojiCreation := *th.App.Config().ServiceSettings.RestrictCustomEmojiCreation + + defer func() { + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = restrictCustomEmojiCreation + }) + }() + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN + }) + + th.ResetEmojisMigration() + th.App.DoEmojisPermissionsMigration() + + expectedSystemAdmin := []string{ + model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id, + model.PERMISSION_MANAGE_SYSTEM.Id, + model.PERMISSION_MANAGE_ROLES.Id, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, + model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, + model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, + model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, + model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, + model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id, + model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id, + model.PERMISSION_EDIT_OTHER_USERS.Id, + model.PERMISSION_MANAGE_OAUTH.Id, + model.PERMISSION_INVITE_USER.Id, + model.PERMISSION_DELETE_POST.Id, + model.PERMISSION_DELETE_OTHERS_POSTS.Id, + model.PERMISSION_CREATE_TEAM.Id, + model.PERMISSION_ADD_USER_TO_TEAM.Id, + model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id, + model.PERMISSION_MANAGE_JOBS.Id, + model.PERMISSION_CREATE_POST_PUBLIC.Id, + model.PERMISSION_CREATE_POST_EPHEMERAL.Id, + model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id, + model.PERMISSION_READ_USER_ACCESS_TOKEN.Id, + model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id, + model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id, + model.PERMISSION_LIST_TEAM_CHANNELS.Id, + model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id, + model.PERMISSION_READ_PUBLIC_CHANNEL.Id, + model.PERMISSION_VIEW_TEAM.Id, + model.PERMISSION_READ_CHANNEL.Id, + model.PERMISSION_ADD_REACTION.Id, + model.PERMISSION_REMOVE_REACTION.Id, + model.PERMISSION_UPLOAD_FILE.Id, + model.PERMISSION_GET_PUBLIC_LINK.Id, + model.PERMISSION_CREATE_POST.Id, + model.PERMISSION_USE_SLASH_COMMANDS.Id, + model.PERMISSION_EDIT_OTHERS_POSTS.Id, + model.PERMISSION_REMOVE_USER_FROM_TEAM.Id, + model.PERMISSION_MANAGE_TEAM.Id, + model.PERMISSION_IMPORT_TEAM.Id, + model.PERMISSION_MANAGE_TEAM_ROLES.Id, + model.PERMISSION_MANAGE_CHANNEL_ROLES.Id, + model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_WEBHOOKS.Id, + model.PERMISSION_EDIT_POST.Id, + model.PERMISSION_MANAGE_EMOJIS.Id, + model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, + } + + role1, err1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + assert.Nil(t, err1) + assert.Equal(t, expectedSystemAdmin, role1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID)) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ADMIN + }) + + th.ResetEmojisMigration() + th.App.DoEmojisPermissionsMigration() + + role2, err2 := th.App.GetRoleByName(model.TEAM_ADMIN_ROLE_ID) + assert.Nil(t, err2) + expected2 := []string{ + model.PERMISSION_EDIT_OTHERS_POSTS.Id, + model.PERMISSION_REMOVE_USER_FROM_TEAM.Id, + model.PERMISSION_MANAGE_TEAM.Id, + model.PERMISSION_IMPORT_TEAM.Id, + model.PERMISSION_MANAGE_TEAM_ROLES.Id, + model.PERMISSION_MANAGE_CHANNEL_ROLES.Id, + model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id, + model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_WEBHOOKS.Id, + model.PERMISSION_DELETE_POST.Id, + model.PERMISSION_DELETE_OTHERS_POSTS.Id, + model.PERMISSION_MANAGE_EMOJIS.Id, + } + assert.Equal(t, expected2, role2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.TEAM_ADMIN_ROLE_ID)) + + systemAdmin1, systemAdminErr1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + assert.Nil(t, systemAdminErr1) + assert.Equal(t, expectedSystemAdmin, systemAdmin1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID)) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ALL + }) + + th.ResetEmojisMigration() + th.App.DoEmojisPermissionsMigration() + + role3, err3 := th.App.GetRoleByName(model.SYSTEM_USER_ROLE_ID) + assert.Nil(t, err3) + expected3 := []string{ + model.PERMISSION_CREATE_DIRECT_CHANNEL.Id, + model.PERMISSION_CREATE_GROUP_CHANNEL.Id, + model.PERMISSION_PERMANENT_DELETE_USER.Id, + model.PERMISSION_CREATE_TEAM.Id, + model.PERMISSION_MANAGE_EMOJIS.Id, + } + assert.Equal(t, expected3, role3.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_USER_ROLE_ID)) + + systemAdmin2, systemAdminErr2 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + assert.Nil(t, systemAdminErr2) + assert.Equal(t, expectedSystemAdmin, systemAdmin2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID)) +} diff --git a/app/apptestlib.go b/app/apptestlib.go index 7fc78c9c9..d4a79bdcc 100644 --- a/app/apptestlib.go +++ b/app/apptestlib.go @@ -110,6 +110,7 @@ func setupTestHelper(enterprise bool) *TestHelper { th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = prevListenAddress }) th.App.DoAdvancedPermissionsMigration() + th.App.DoEmojisPermissionsMigration() th.App.Srv.Store.MarkSystemRanUnitTests() @@ -316,6 +317,40 @@ func (me *TestHelper) AddUserToChannel(user *model.User, channel *model.Channel) return member } +func (me *TestHelper) CreateScheme() (*model.Scheme, []*model.Role) { + utils.DisableDebugLogForTest() + + scheme, err := me.App.CreateScheme(&model.Scheme{ + DisplayName: "Test Scheme Display Name", + Name: model.NewId(), + Description: "Test scheme description", + Scope: model.SCHEME_SCOPE_TEAM, + }) + if err != nil { + panic(err) + } + + roleIDs := []string{ + scheme.DefaultTeamAdminRole, + scheme.DefaultTeamUserRole, + scheme.DefaultChannelAdminRole, + scheme.DefaultChannelUserRole, + } + + var roles []*model.Role + for _, roleID := range roleIDs { + role, err := me.App.GetRole(roleID) + if err != nil { + panic(err) + } + roles = append(roles, role) + } + + utils.EnableDebugLogForTest() + + return scheme, roles +} + func (me *TestHelper) TearDown() { me.App.Shutdown() os.Remove(me.tempConfigPath) @@ -399,6 +434,18 @@ func (me *TestHelper) ResetRoleMigration() { } } +func (me *TestHelper) ResetEmojisMigration() { + if _, err := testStoreSqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ', manage_emojis', '') WHERE builtin=True"); err != nil { + panic(err) + } + + testClusterInterface.sendClearRoleCacheMessage() + + if _, err := testStoreSqlSupplier.GetMaster().Exec("DELETE from Systems where Name = :Name", map[string]interface{}{"Name": EMOJIS_PERMISSIONS_MIGRATION_KEY}); err != nil { + panic(err) + } +} + type FakeClusterInterface struct { clusterMessageHandler einterfaces.ClusterMessageHandler } diff --git a/app/authorization.go b/app/authorization.go index f281b3e65..3de50e27b 100644 --- a/app/authorization.go +++ b/app/authorization.go @@ -94,19 +94,6 @@ func (a *App) SessionHasPermissionToUser(session model.Session, userId string) b return false } -func (a *App) SessionHasPermissionToPost(session model.Session, postId string, permission *model.Permission) bool { - post, err := a.GetSinglePost(postId) - if err != nil { - return false - } - - if post.UserId == session.UserId { - return true - } - - return a.SessionHasPermissionToChannel(session, post.ChannelId, permission) -} - func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission) bool { user, err := a.GetUser(askingUserId) if err != nil { @@ -200,6 +187,10 @@ func (a *App) RolesGrantPermission(roleNames []string, permissionId string) bool } for _, role := range roles { + if role.DeleteAt != 0 { + continue + } + permissions := role.Permissions for _, permission := range permissions { if permission == permissionId { diff --git a/app/channel.go b/app/channel.go index b5afdea2d..55a5008d4 100644 --- a/app/channel.go +++ b/app/channel.go @@ -32,7 +32,7 @@ func (a *App) CreateDefaultChannels(teamId string) ([]*model.Channel, *model.App return channels, nil } -func (a *App) JoinDefaultChannels(teamId string, user *model.User, channelRole string, userRequestorId string) *model.AppError { +func (a *App) JoinDefaultChannels(teamId string, user *model.User, shouldBeAdmin bool, userRequestorId string) *model.AppError { var err *model.AppError = nil var requestor *model.User @@ -52,7 +52,8 @@ func (a *App) JoinDefaultChannels(teamId string, user *model.User, channelRole s cm := &model.ChannelMember{ ChannelId: townSquare.Id, UserId: user.Id, - Roles: channelRole, + SchemeUser: true, + SchemeAdmin: shouldBeAdmin, NotifyProps: model.GetDefaultChannelNotifyProps(), } @@ -85,7 +86,8 @@ func (a *App) JoinDefaultChannels(teamId string, user *model.User, channelRole s cm := &model.ChannelMember{ ChannelId: offTopic.Id, UserId: user.Id, - Roles: channelRole, + SchemeUser: true, + SchemeAdmin: shouldBeAdmin, NotifyProps: model.GetDefaultChannelNotifyProps(), } @@ -166,7 +168,8 @@ func (a *App) CreateChannel(channel *model.Channel, addMember bool) (*model.Chan cm := &model.ChannelMember{ ChannelId: sc.Id, UserId: channel.CreatorId, - Roles: model.CHANNEL_USER_ROLE_ID + " " + model.CHANNEL_ADMIN_ROLE_ID, + SchemeUser: true, + SchemeAdmin: true, NotifyProps: model.GetDefaultChannelNotifyProps(), } @@ -322,7 +325,7 @@ func (a *App) createGroupChannel(userIds []string, creatorId string) (*model.Cha UserId: user.Id, ChannelId: group.Id, NotifyProps: model.GetDefaultChannelNotifyProps(), - Roles: model.CHANNEL_USER_ROLE_ID, + SchemeUser: true, } if result := <-a.Srv.Store.Channel().SaveMember(cm); result.Err != nil { @@ -351,6 +354,23 @@ func (a *App) UpdateChannel(channel *model.Channel) (*model.Channel, *model.AppE } } +func (a *App) UpdateChannelScheme(channel *model.Channel) (*model.Channel, *model.AppError) { + var oldChannel *model.Channel + var err *model.AppError + if oldChannel, err = a.GetChannel(channel.Id); err != nil { + return nil, err + } + + oldChannel.SchemeId = channel.SchemeId + + newChannel, err := a.UpdateChannel(oldChannel) + if err != nil { + return nil, err + } + + return newChannel, nil +} + func (a *App) UpdateChannelPrivacy(oldChannel *model.Channel, user *model.User) (*model.Channel, *model.AppError) { if channel, err := a.UpdateChannel(oldChannel); err != nil { return channel, err @@ -438,6 +458,39 @@ func (a *App) PatchChannel(channel *model.Channel, patch *model.ChannelPatch, us return channel, err } +func (a *App) GetSchemeRolesForChannel(channelId string) (string, string, *model.AppError) { + var channel *model.Channel + var err *model.AppError + + if channel, err = a.GetChannel(channelId); err != nil { + return "", "", err + } + + if channel.SchemeId != nil && len(*channel.SchemeId) != 0 { + if scheme, err := a.GetScheme(*channel.SchemeId); err != nil { + return "", "", err + } else { + return scheme.DefaultChannelUserRole, scheme.DefaultChannelAdminRole, nil + } + } + + var team *model.Team + + if team, err = a.GetTeam(channel.TeamId); err != nil { + return "", "", err + } + + if team.SchemeId != nil && len(*team.SchemeId) != 0 { + if scheme, err := a.GetScheme(*team.SchemeId); err != nil { + return "", "", err + } else { + return scheme.DefaultChannelUserRole, scheme.DefaultChannelAdminRole, nil + } + } + + return model.CHANNEL_USER_ROLE_ID, model.CHANNEL_ADMIN_ROLE_ID, nil +} + func (a *App) UpdateChannelMemberRoles(channelId string, userId string, newRoles string) (*model.ChannelMember, *model.AppError) { var member *model.ChannelMember var err *model.AppError @@ -445,14 +498,42 @@ func (a *App) UpdateChannelMemberRoles(channelId string, userId string, newRoles return nil, err } - if err := a.CheckRolesExist(strings.Fields(newRoles)); err != nil { + schemeUserRole, schemeAdminRole, err := a.GetSchemeRolesForChannel(channelId) + if err != nil { return nil, err } - member.Roles = newRoles + var newExplicitRoles []string + member.SchemeUser = false + member.SchemeAdmin = false + + for _, roleName := range strings.Fields(newRoles) { + if role, err := a.GetRoleByName(roleName); err != nil { + err.StatusCode = http.StatusBadRequest + return nil, err + } else if !role.SchemeManaged { + // The role is not scheme-managed, so it's OK to apply it to the explicit roles field. + newExplicitRoles = append(newExplicitRoles, roleName) + } else { + // The role is scheme-managed, so need to check if it is part of the scheme for this channel or not. + switch roleName { + case schemeAdminRole: + member.SchemeAdmin = true + case schemeUserRole: + member.SchemeUser = true + default: + // If not part of the scheme for this channel, then it is not allowed to apply it as an explicit role. + return nil, model.NewAppError("UpdateChannelMemberRoles", "api.channel.update_channel_member_roles.scheme_role.app_error", nil, "role_name="+roleName, http.StatusBadRequest) + } + } + } + + member.ExplicitRoles = strings.Join(newExplicitRoles, " ") if result := <-a.Srv.Store.Channel().UpdateMember(member); result.Err != nil { return nil, result.Err + } else { + member = result.Data.(*model.ChannelMember) } a.InvalidateCacheForUser(userId) @@ -597,7 +678,7 @@ func (a *App) addUserToChannel(user *model.User, channel *model.Channel, teamMem ChannelId: channel.Id, UserId: user.Id, NotifyProps: model.GetDefaultChannelNotifyProps(), - Roles: model.CHANNEL_USER_ROLE_ID, + SchemeUser: true, } if result := <-a.Srv.Store.Channel().SaveMember(newMember); result.Err != nil { mlog.Error(fmt.Sprintf("Failed to add member user_id=%v channel_id=%v err=%v", user.Id, channel.Id, result.Err), mlog.String("user_id", user.Id)) diff --git a/app/channel_test.go b/app/channel_test.go index a4e0806a6..336d9b25b 100644 --- a/app/channel_test.go +++ b/app/channel_test.go @@ -120,7 +120,7 @@ func TestJoinDefaultChannelsCreatesChannelMemberHistoryRecordTownSquare(t *testi // create a new user that joins the default channels user := th.CreateUser() - th.App.JoinDefaultChannels(th.BasicTeam.Id, user, model.CHANNEL_USER_ROLE_ID, "") + th.App.JoinDefaultChannels(th.BasicTeam.Id, user, false, "") // there should be a ChannelMemberHistory record for the user histories := store.Must(th.App.Srv.Store.ChannelMemberHistory().GetUsersInChannelDuring(model.GetMillis()-100, model.GetMillis()+100, townSquareChannelId)).([]*model.ChannelMemberHistoryResult) @@ -146,7 +146,7 @@ func TestJoinDefaultChannelsCreatesChannelMemberHistoryRecordOffTopic(t *testing // create a new user that joins the default channels user := th.CreateUser() - th.App.JoinDefaultChannels(th.BasicTeam.Id, user, model.CHANNEL_USER_ROLE_ID, "") + th.App.JoinDefaultChannels(th.BasicTeam.Id, user, false, "") // there should be a ChannelMemberHistory record for the user histories := store.Must(th.App.Srv.Store.ChannelMemberHistory().GetUsersInChannelDuring(model.GetMillis()-100, model.GetMillis()+100, offTopicChannelId)).([]*model.ChannelMemberHistoryResult) @@ -381,3 +381,21 @@ func TestAddChannelMemberNoUserRequestor(t *testing.T) { assert.Equal(t, user.Username, post.Props["username"]) } } + +func TestAppUpdateChannelScheme(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + channel := th.BasicChannel + mockID := model.NewString("x") + channel.SchemeId = mockID + + updatedChannel, err := th.App.UpdateChannelScheme(channel) + if err != nil { + t.Fatal(err) + } + + if updatedChannel.SchemeId != mockID { + t.Fatal("Wrong Channel SchemeId") + } +} diff --git a/app/permissions.go b/app/permissions.go index be975e03d..46090070e 100644 --- a/app/permissions.go +++ b/app/permissions.go @@ -4,10 +4,33 @@ package app import ( + "bufio" + "encoding/json" + "fmt" + "io" + "github.com/mattermost/mattermost-server/model" + "github.com/pkg/errors" ) +const permissionsExportBatchSize = 100 + func (a *App) ResetPermissionsSystem() *model.AppError { + // Reset all Teams to not have a scheme. + if result := <-a.Srv.Store.Team().ResetAllTeamSchemes(); result.Err != nil { + return result.Err + } + + // Reset all Channels to not have a scheme. + if result := <-a.Srv.Store.Channel().ResetAllChannelSchemes(); result.Err != nil { + return result.Err + } + + // Purge all schemes from the database. + if result := <-a.Srv.Store.Scheme().PermanentDeleteAll(); result.Err != nil { + return result.Err + } + // Purge all roles from the database. if result := <-a.Srv.Store.Role().PermanentDeleteAll(); result.Err != nil { return result.Err @@ -20,6 +43,142 @@ func (a *App) ResetPermissionsSystem() *model.AppError { // Now that the permissions system has been reset, re-run the migration to reinitialise it. a.DoAdvancedPermissionsMigration() + a.DoEmojisPermissionsMigration() + + return nil +} + +func (a *App) ExportPermissions(w io.Writer) error { + + next := a.SchemesIterator(permissionsExportBatchSize) + var schemeBatch []*model.Scheme + + for schemeBatch = next(); len(schemeBatch) > 0; schemeBatch = next() { + + for _, scheme := range schemeBatch { + + roleIDs := []string{ + scheme.DefaultTeamAdminRole, + scheme.DefaultTeamUserRole, + scheme.DefaultChannelAdminRole, + scheme.DefaultChannelUserRole, + } + + roles := []*model.Role{} + for _, roleID := range roleIDs { + if len(roleID) == 0 { + continue + } + role, err := a.GetRole(roleID) + if err != nil { + return err + } + roles = append(roles, role) + } + + schemeExport, err := json.Marshal(&model.SchemeConveyor{ + Name: scheme.Name, + DisplayName: scheme.DisplayName, + Description: scheme.Description, + Scope: scheme.Scope, + TeamAdmin: scheme.DefaultTeamAdminRole, + TeamUser: scheme.DefaultTeamUserRole, + ChannelAdmin: scheme.DefaultChannelAdminRole, + ChannelUser: scheme.DefaultChannelUserRole, + Roles: roles, + }) + if err != nil { + return err + } + + schemeExport = append(schemeExport, []byte("\n")...) + + _, err = w.Write(schemeExport) + if err != nil { + return err + } + } + + } + + return nil +} + +func (a *App) ImportPermissions(jsonl io.Reader) error { + createdSchemeIDs := []string{} + + scanner := bufio.NewScanner(jsonl) + + for scanner.Scan() { + var schemeConveyor *model.SchemeConveyor + err := json.Unmarshal(scanner.Bytes(), &schemeConveyor) + if err != nil { + return err + } + + // Create the new Scheme. The new Roles are created automatically. + var appErr *model.AppError + schemeCreated, appErr := a.CreateScheme(schemeConveyor.Scheme()) + if appErr != nil { + return errors.New(appErr.Message) + } + createdSchemeIDs = append(createdSchemeIDs, schemeCreated.Id) + + schemeIn := schemeConveyor.Scheme() + roleIDTuples := [][]string{ + {schemeCreated.DefaultTeamAdminRole, schemeIn.DefaultTeamAdminRole}, + {schemeCreated.DefaultTeamUserRole, schemeIn.DefaultTeamUserRole}, + {schemeCreated.DefaultChannelAdminRole, schemeIn.DefaultChannelAdminRole}, + {schemeCreated.DefaultChannelUserRole, schemeIn.DefaultChannelUserRole}, + } + for _, roleIDTuple := range roleIDTuples { + if len(roleIDTuple[0]) == 0 || len(roleIDTuple[1]) == 0 { + continue + } + + err = updateRole(a, schemeConveyor, roleIDTuple[0], roleIDTuple[1]) + if err != nil { + // Delete the new Schemes. The new Roles are deleted automatically. + for _, schemeID := range createdSchemeIDs { + a.DeleteScheme(schemeID) + } + return err + } + } + } + + if err := scanner.Err(); err != nil { + return err + } + + return nil +} + +func updateRole(a *App, sc *model.SchemeConveyor, roleCreatedID, defaultRoleID string) error { + var err *model.AppError + + roleCreated, err := a.GetRole(roleCreatedID) + if err != nil { + return errors.New(err.Message) + } + + var roleIn *model.Role + for _, role := range sc.Roles { + if role.Id == defaultRoleID { + roleIn = role + break + } + } + + roleCreated.Name = roleIn.Name + roleCreated.DisplayName = roleIn.DisplayName + roleCreated.Description = roleIn.Description + roleCreated.Permissions = roleIn.Permissions + + _, err = a.UpdateRole(roleCreated) + if err != nil { + return errors.New(fmt.Sprintf("%v: %v\n", err.Message, err.DetailedError)) + } return nil } diff --git a/app/permissions_test.go b/app/permissions_test.go new file mode 100644 index 000000000..575e21429 --- /dev/null +++ b/app/permissions_test.go @@ -0,0 +1,253 @@ +package app + +import ( + "encoding/json" + "fmt" + "strings" + "testing" + + "github.com/mattermost/mattermost-server/model" +) + +type testWriter struct { + write func(p []byte) (int, error) +} + +func (tw testWriter) Write(p []byte) (int, error) { + return tw.write(p) +} + +func TestExportPermissions(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + var scheme *model.Scheme + var roles []*model.Role + withMigrationMarkedComplete(th, func() { + scheme, roles = th.CreateScheme() + }) + + results := [][]byte{} + + tw := testWriter{ + write: func(p []byte) (int, error) { + results = append(results, p) + return len(p), nil + }, + } + + err := th.App.ExportPermissions(tw) + if err != nil { + t.Error(err) + } + + if len(results) == 0 { + t.Error("Expected export to have returned something.") + } + + firstResult := results[0] + + var row map[string]interface{} + err = json.Unmarshal(firstResult, &row) + if err != nil { + t.Error(err) + } + + getRoleByID := func(id string) string { + for _, role := range roles { + if role.Id == id { + return role.Id + } + } + return "" + } + + expectations := map[string]func(str string) string{ + scheme.DisplayName: func(str string) string { return row["display_name"].(string) }, + scheme.Name: func(str string) string { return row["name"].(string) }, + scheme.Description: func(str string) string { return row["description"].(string) }, + scheme.Scope: func(str string) string { return row["scope"].(string) }, + scheme.DefaultTeamAdminRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultTeamUserRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultChannelAdminRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultChannelUserRole: func(str string) string { return getRoleByID(str) }, + } + + for key, valF := range expectations { + expected := key + actual := valF(key) + if actual != expected { + t.Errorf("Expected %v but got %v.", expected, actual) + } + } + +} + +func TestImportPermissions(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := model.NewId() + + var results []*model.Scheme + var beforeCount int + withMigrationMarkedComplete(th, func() { + + var appErr *model.AppError + results, appErr = th.App.GetSchemes(scope, 0, 100) + if appErr != nil { + panic(appErr) + } + beforeCount = len(results) + + json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + r := strings.NewReader(json) + + err := th.App.ImportPermissions(r) + if err != nil { + t.Error(err) + } + results, appErr = th.App.GetSchemes(scope, 0, 100) + if appErr != nil { + panic(appErr) + } + + }) + + actual := len(results) + expected := beforeCount + 1 + if actual != expected { + t.Errorf("Expected %v roles but got %v.", expected, actual) + } + + newScheme := results[0] + + channelAdminRole, appErr := th.App.GetRole(newScheme.DefaultChannelAdminRole) + if appErr != nil { + t.Error(appErr) + } + + channelUserRole, appErr := th.App.GetRole(newScheme.DefaultChannelUserRole) + if appErr != nil { + t.Error(appErr) + } + + expectations := map[string]string{ + newScheme.DisplayName: displayName, + newScheme.Name: name, + newScheme.Description: description, + newScheme.Scope: scope, + newScheme.DefaultTeamAdminRole: "", + newScheme.DefaultTeamUserRole: "", + channelAdminRole.Name: roleName1, + channelUserRole.Name: roleName2, + } + + for actual, expected := range expectations { + if actual != expected { + t.Errorf("Expected %v but got %v.", expected, actual) + } + } + +} + +func TestImportPermissions_idempotentScheme(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := model.NewId() + + json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + jsonl := strings.Repeat(json+"\n", 4) + r := strings.NewReader(jsonl) + + var results []*model.Scheme + var expected int + withMigrationMarkedComplete(th, func() { + var appErr *model.AppError + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + expected = len(results) + 1 + + err := th.App.ImportPermissions(r) + if err == nil { + t.Error(err) + } + + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + }) + actual := len(results) + + if expected != actual { + t.Errorf("Expected count to be %v but got %v", expected, actual) + } + +} + +func TestImportPermissions_schemeDeletedOnRoleFailure(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := "some invalid role name" + + jsonl := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + r := strings.NewReader(jsonl) + + var results []*model.Scheme + var expected int + withMigrationMarkedComplete(th, func() { + var appErr *model.AppError + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + expected = len(results) + + err := th.App.ImportPermissions(r) + if err == nil { + t.Error(err) + } + + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + }) + actual := len(results) + + if expected != actual { + t.Errorf("Expected count to be %v but got %v", expected, actual) + } + +} + +func withMigrationMarkedComplete(th *TestHelper, f func()) { + // Mark the migration as done. + <-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2) + <-th.App.Srv.Store.System().Save(&model.System{Name: model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2, Value: "true"}) + // Un-mark the migration at the end of the test. + defer func() { + <-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2) + }() + f() +} diff --git a/app/scheme.go b/app/scheme.go new file mode 100644 index 000000000..f070e36f8 --- /dev/null +++ b/app/scheme.go @@ -0,0 +1,168 @@ +// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package app + +import ( + "net/http" + + "github.com/mattermost/mattermost-server/model" + "github.com/mattermost/mattermost-server/store" +) + +func (a *App) GetScheme(id string) (*model.Scheme, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + if result := <-a.Srv.Store.Scheme().Get(id); result.Err != nil { + return nil, result.Err + } else { + return result.Data.(*model.Scheme), nil + } +} + +func (a *App) GetSchemesPage(scope string, page int, perPage int) ([]*model.Scheme, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + return a.GetSchemes(scope, page*perPage, perPage) +} + +func (a *App) GetSchemes(scope string, offset int, limit int) ([]*model.Scheme, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + if result := <-a.Srv.Store.Scheme().GetAllPage(scope, offset, limit); result.Err != nil { + return nil, result.Err + } else { + return result.Data.([]*model.Scheme), nil + } +} + +func (a *App) CreateScheme(scheme *model.Scheme) (*model.Scheme, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + // Clear any user-provided values for trusted properties. + scheme.DefaultTeamAdminRole = "" + scheme.DefaultTeamUserRole = "" + scheme.DefaultChannelAdminRole = "" + scheme.DefaultChannelUserRole = "" + scheme.CreateAt = 0 + scheme.UpdateAt = 0 + scheme.DeleteAt = 0 + + if result := <-a.Srv.Store.Scheme().Save(scheme); result.Err != nil { + return nil, result.Err + } else { + return scheme, nil + } +} + +func (a *App) PatchScheme(scheme *model.Scheme, patch *model.SchemePatch) (*model.Scheme, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + scheme.Patch(patch) + scheme, err := a.UpdateScheme(scheme) + if err != nil { + return nil, err + } + + return scheme, err +} + +func (a *App) UpdateScheme(scheme *model.Scheme) (*model.Scheme, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + if result := <-a.Srv.Store.Scheme().Save(scheme); result.Err != nil { + return nil, result.Err + } else { + return scheme, nil + } +} + +func (a *App) DeleteScheme(schemeId string) (*model.Scheme, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + if result := <-a.Srv.Store.Scheme().Delete(schemeId); result.Err != nil { + return nil, result.Err + } else { + return result.Data.(*model.Scheme), nil + } +} + +func (a *App) GetTeamsForSchemePage(scheme *model.Scheme, page int, perPage int) ([]*model.Team, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + return a.GetTeamsForScheme(scheme, page*perPage, perPage) +} + +func (a *App) GetTeamsForScheme(scheme *model.Scheme, offset int, limit int) ([]*model.Team, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + if result := <-a.Srv.Store.Team().GetTeamsByScheme(scheme.Id, offset, limit); result.Err != nil { + return nil, result.Err + } else { + return result.Data.([]*model.Team), nil + } +} + +func (a *App) GetChannelsForSchemePage(scheme *model.Scheme, page int, perPage int) (model.ChannelList, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + return a.GetChannelsForScheme(scheme, page*perPage, perPage) +} + +func (a *App) GetChannelsForScheme(scheme *model.Scheme, offset int, limit int) (model.ChannelList, *model.AppError) { + if err := a.IsPhase2MigrationCompleted(); err != nil { + return nil, err + } + + if result := <-a.Srv.Store.Channel().GetChannelsByScheme(scheme.Id, offset, limit); result.Err != nil { + return nil, result.Err + } else { + return result.Data.(model.ChannelList), nil + } +} + +func (a *App) IsPhase2MigrationCompleted() *model.AppError { + if a.phase2PermissionsMigrationComplete { + return nil + } + + if result := <-a.Srv.Store.System().GetByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2); result.Err != nil { + return model.NewAppError("App.IsPhase2MigrationCompleted", "app.schemes.is_phase_2_migration_completed.not_completed.app_error", nil, result.Err.Error(), http.StatusNotImplemented) + } + + a.phase2PermissionsMigrationComplete = true + + return nil +} + +func (a *App) SchemesIterator(batchSize int) func() []*model.Scheme { + offset := 0 + return func() []*model.Scheme { + var result store.StoreResult + if result = <-a.Srv.Store.Scheme().GetAllPage("", offset, batchSize); result.Err != nil { + return []*model.Scheme{} + } + offset += batchSize + return result.Data.([]*model.Scheme) + } +} diff --git a/app/team.go b/app/team.go index aca99dd1e..2833e2eed 100644 --- a/app/team.go +++ b/app/team.go @@ -114,6 +114,24 @@ func (a *App) UpdateTeam(team *model.Team) (*model.Team, *model.AppError) { return oldTeam, nil } +func (a *App) UpdateTeamScheme(team *model.Team) (*model.Team, *model.AppError) { + var oldTeam *model.Team + var err *model.AppError + if oldTeam, err = a.GetTeam(team.Id); err != nil { + return nil, err + } + + oldTeam.SchemeId = team.SchemeId + + if result := <-a.Srv.Store.Team().Update(oldTeam); result.Err != nil { + return nil, result.Err + } + + a.sendTeamEvent(oldTeam, model.WEBSOCKET_EVENT_UPDATE_TEAM) + + return oldTeam, nil +} + func (a *App) PatchTeam(teamId string, patch *model.TeamPatch) (*model.Team, *model.AppError) { team, err := a.GetTeam(teamId) if err != nil { @@ -142,17 +160,31 @@ func (a *App) sendTeamEvent(team *model.Team, event string) { a.Publish(message) } +func (a *App) GetSchemeRolesForTeam(teamId string) (string, string, *model.AppError) { + var team *model.Team + var err *model.AppError + + if team, err = a.GetTeam(teamId); err != nil { + return "", "", err + } + + if team.SchemeId != nil && len(*team.SchemeId) != 0 { + if scheme, err := a.GetScheme(*team.SchemeId); err != nil { + return "", "", err + } else { + return scheme.DefaultTeamUserRole, scheme.DefaultTeamAdminRole, nil + } + } + + return model.TEAM_USER_ROLE_ID, model.TEAM_ADMIN_ROLE_ID, nil +} + func (a *App) UpdateTeamMemberRoles(teamId string, userId string, newRoles string) (*model.TeamMember, *model.AppError) { var member *model.TeamMember - if result := <-a.Srv.Store.Team().GetTeamsForUser(userId); result.Err != nil { + if result := <-a.Srv.Store.Team().GetMember(teamId, userId); result.Err != nil { return nil, result.Err } else { - members := result.Data.([]*model.TeamMember) - for _, m := range members { - if m.TeamId == teamId { - member = m - } - } + member = result.Data.(*model.TeamMember) } if member == nil { @@ -160,14 +192,42 @@ func (a *App) UpdateTeamMemberRoles(teamId string, userId string, newRoles strin return nil, err } - if err := a.CheckRolesExist(strings.Fields(newRoles)); err != nil { + schemeUserRole, schemeAdminRole, err := a.GetSchemeRolesForTeam(teamId) + if err != nil { return nil, err } - member.Roles = newRoles + var newExplicitRoles []string + member.SchemeUser = false + member.SchemeAdmin = false + + for _, roleName := range strings.Fields(newRoles) { + if role, err := a.GetRoleByName(roleName); err != nil { + err.StatusCode = http.StatusBadRequest + return nil, err + } else if !role.SchemeManaged { + // The role is not scheme-managed, so it's OK to apply it to the explicit roles field. + newExplicitRoles = append(newExplicitRoles, roleName) + } else { + // The role is scheme-managed, so need to check if it is part of the scheme for this channel or not. + switch roleName { + case schemeAdminRole: + member.SchemeAdmin = true + case schemeUserRole: + member.SchemeUser = true + default: + // If not part of the scheme for this channel, then it is not allowed to apply it as an explicit role. + return nil, model.NewAppError("UpdateTeamMemberRoles", "api.channel.update_team_member_roles.scheme_role.app_error", nil, "role_name="+roleName, http.StatusBadRequest) + } + } + } + + member.ExplicitRoles = strings.Join(newExplicitRoles, " ") if result := <-a.Srv.Store.Team().UpdateMember(member); result.Err != nil { return nil, result.Err + } else { + member = result.Data.(*model.TeamMember) } a.ClearSessionCacheForUser(userId) @@ -293,13 +353,13 @@ func (a *App) AddUserToTeamByInviteId(inviteId string, userId string) (*model.Te // 3. a pointer to an AppError if something went wrong. func (a *App) joinUserToTeam(team *model.Team, user *model.User) (*model.TeamMember, bool, *model.AppError) { tm := &model.TeamMember{ - TeamId: team.Id, - UserId: user.Id, - Roles: model.TEAM_USER_ROLE_ID, + TeamId: team.Id, + UserId: user.Id, + SchemeUser: true, } if team.Email == user.Email { - tm.Roles = model.TEAM_USER_ROLE_ID + " " + model.TEAM_ADMIN_ROLE_ID + tm.SchemeAdmin = true } if etmr := <-a.Srv.Store.Team().GetMember(team.Id, user.Id); etmr.Err == nil { @@ -343,15 +403,11 @@ func (a *App) JoinUserToTeam(team *model.Team, user *model.User, userRequestorId return uua.Err } - channelRole := model.CHANNEL_USER_ROLE_ID - - if team.Email == user.Email { - channelRole = model.CHANNEL_USER_ROLE_ID + " " + model.CHANNEL_ADMIN_ROLE_ID - } + shouldBeAdmin := team.Email == user.Email // Soft error if there is an issue joining the default channels - if err := a.JoinDefaultChannels(team.Id, user, channelRole, userRequestorId); err != nil { - mlog.Error(fmt.Sprintf("Encountered an issue joining default channels user_id=%s, team_id=%s, err=%v", user.Id, team.Id, err), mlog.String("user_id", user.Id)) + if err := a.JoinDefaultChannels(team.Id, user, shouldBeAdmin, userRequestorId); err != nil { + mlog.Error(fmt.Sprintf("Encountered an issue joining default channels err=%v", err), mlog.String("user_id", user.Id), mlog.String("team_id", team.Id)) } a.ClearSessionCacheForUser(user.Id) diff --git a/app/team_test.go b/app/team_test.go index 7ebfb8166..6a47da58b 100644 --- a/app/team_test.go +++ b/app/team_test.go @@ -559,3 +559,21 @@ func TestJoinUserToTeam(t *testing.T) { } }) } + +func TestAppUpdateTeamScheme(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + team := th.BasicTeam + mockID := model.NewString("x") + team.SchemeId = mockID + + updatedTeam, err := th.App.UpdateTeamScheme(th.BasicTeam) + if err != nil { + t.Fatal(err) + } + + if updatedTeam.SchemeId != mockID { + t.Fatal("Wrong Team SchemeId") + } +} |