Diffstat (limited to 'utils')
-rw-r--r--utils/authorization.go43
-rw-r--r--utils/authorization_test.go133
-rw-r--r--utils/config.go2
-rw-r--r--utils/policies-roles-mapping.json532
4 files changed, 693 insertions, 17 deletions
diff --git a/utils/authorization.go b/utils/authorization.go
index 42815b807..16f33bc1a 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -7,14 +7,7 @@ import (
"github.com/mattermost/mattermost-server/model"
)
-func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*model.Role {
- roles := make(map[string]*model.Role)
- for id, role := range model.DefaultRoles {
- copy := &model.Role{}
- *copy = *role
- roles[id] = copy
- }
-
+func SetRolePermissionsFromConfig(roles map[string]*model.Role, cfg *model.Config, isLicensed bool) map[string]*model.Role {
if isLicensed {
switch *cfg.TeamSettings.RestrictPublicChannelCreation {
case model.PERMISSIONS_ALL:
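Review bot: SetRolePermissionsFromConfig now indexes the caller-supplied `roles` map directly (`roles[model.TEAM_USER_ROLE_ID].Permissions` in the later hunks) without checking that the id is present, so a map missing a role yields a nil *model.Role and the field access panics; the removed code built the map itself from model.DefaultRoles, where that could not happen. The function also only ever appends, so permissions that the input roles already carry are never taken away by a more restrictive config, and the exported function has no doc comment stating either point. I would add `// SetRolePermissionsFromConfig appends the permissions implied by cfg and the license state to roles and returns the same map. It never removes a permission, so roles must be the freshly built defaults (e.g. model.MakeDefaultRoles()) and must contain every role id it touches.` The function body continues past this hunk.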
@@ -222,8 +215,8 @@ func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*m
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
} else if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL {
- roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
- roles[model.SYSTEM_USER_ROLE_ID].Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
)
@@ -243,11 +236,6 @@ func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*m
roles[model.CHANNEL_USER_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
)
- roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
- roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
- model.PERMISSION_DELETE_POST.Id,
- model.PERMISSION_DELETE_OTHERS_POSTS.Id,
- )
roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
model.PERMISSION_DELETE_POST.Id,
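Review bot: The removal of the channel_admin delete_post/delete_others_posts grant is not pinned by the new fixture: the restrictPostDelete entries in utils/policies-roles-mapping.json only assert channel_user and team_admin, so a later change that re-adds the grant to channel_admin would still pass TestSetRolePermissionsFromConfig. If channel_admin is indeed not meant to hold these, an entry such as `{"roleName": "channel_admin", "permission": "delete_others_posts", "shouldHave": false}` under each restrictPostDelete value would lock the behaviour in. The enclosing function starts and ends outside this hunk.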
@@ -272,12 +260,35 @@ func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*m
)
}
- if cfg.TeamSettings.EnableTeamCreation {
+ if *cfg.TeamSettings.EnableTeamCreation {
roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
roles[model.SYSTEM_USER_ROLE_ID].Permissions,
model.PERMISSION_CREATE_TEAM.Id,
)
}
+ if isLicensed {
+ switch *cfg.ServiceSettings.AllowEditPost {
+ case model.ALLOW_EDIT_POST_ALWAYS, model.ALLOW_EDIT_POST_TIME_LIMIT:
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions,
+ model.PERMISSION_EDIT_POST.Id,
+ )
+ roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions,
+ model.PERMISSION_EDIT_POST.Id,
+ )
+ }
+ } else {
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions,
+ model.PERMISSION_EDIT_POST.Id,
+ )
+ roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions,
+ model.PERMISSION_EDIT_POST.Id,
+ )
+ }
+
return roles
}
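Review bot: Both branches of the new AllowEditPost block append the identical two permissions to channel_user and system_admin; the only decision being made is whether editing is permitted at all (always when unlicensed, otherwise per `*cfg.ServiceSettings.AllowEditPost`), so computing that once and appending once removes the duplication and makes the licence gating readable. The rewrite below replaces the `if isLicensed { switch ... } else { ... }` block up to `return roles`.
```go
	// Post editing is configurable only under a licence; unlicensed servers always permit it.
	allowEditPost := !isLicensed
	if isLicensed {
		switch *cfg.ServiceSettings.AllowEditPost {
		case model.ALLOW_EDIT_POST_ALWAYS, model.ALLOW_EDIT_POST_TIME_LIMIT:
			allowEditPost = true
		}
	}
	if allowEditPost {
		roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
			roles[model.CHANNEL_USER_ROLE_ID].Permissions,
			model.PERMISSION_EDIT_POST.Id,
		)
		roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions = append(
			roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions,
			model.PERMISSION_EDIT_POST.Id,
		)
	}

	return roles
```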
diff --git a/utils/authorization_test.go b/utils/authorization_test.go
new file mode 100644
index 000000000..8c78dcbda
--- /dev/null
+++ b/utils/authorization_test.go
@@ -0,0 +1,133 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package utils
+
+import (
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "reflect"
+ "strconv"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/mattermost/mattermost-server/model"
+)
+
+type RoleState struct {
+ RoleName string `json:"roleName"`
+ Permission string `json:"permission"`
+ ShouldHave bool `json:"shouldHave"`
+}
+
+func mockConfig() *model.Config {
+ config := model.Config{}
+ config.SetDefaults()
+ return &config
+}
+
+func mapping() (map[string]map[string][]RoleState, error) {
+
+ policiesRolesMapping := make(map[string]map[string][]RoleState)
+
+ raw, err := ioutil.ReadFile("./policies-roles-mapping.json")
+ if err != nil {
+ return policiesRolesMapping, err
+ }
+
+ var f map[string]interface{}
+ err = json.Unmarshal(raw, &f)
+ if err != nil {
+ return policiesRolesMapping, err
+ }
+
+ for policyName, value := range f {
+
+ capitalizedName := fmt.Sprintf("%v%v", strings.ToUpper(policyName[:1]), policyName[1:])
+ policiesRolesMapping[capitalizedName] = make(map[string][]RoleState)
+
+ for policyValue, roleStatesMappings := range value.(map[string]interface{}) {
+
+ var roleStates []RoleState
+ for _, roleStateMapping := range roleStatesMappings.([]interface{}) {
+
+ roleStateMappingJSON, _ := json.Marshal(roleStateMapping)
+ var roleState RoleState
+ _ = json.Unmarshal(roleStateMappingJSON, &roleState)
+
+ roleStates = append(roleStates, roleState)
+
+ }
+
+ policiesRolesMapping[capitalizedName][policyValue] = roleStates
+
+ }
+
+ }
+
+ return policiesRolesMapping, nil
+}
+
+func TestSetRolePermissionsFromConfig(t *testing.T) {
+
+ mapping, err := mapping()
+ if err != nil {
+ require.NoError(t, err)
+ }
+
+ for policyName, v := range mapping {
+ for policyValue, rolesMappings := range v {
+
+ config := mockConfig()
+ updateConfig(config, policyName, policyValue)
+ roles := model.MakeDefaultRoles()
+ SetRolePermissionsFromConfig(roles, config, true)
+
+ for _, roleMappingItem := range rolesMappings {
+ role := roles[roleMappingItem.RoleName]
+
+ permission := roleMappingItem.Permission
+ hasPermission := roleHasPermission(role, permission)
+
+ if (roleMappingItem.ShouldHave && !hasPermission) || (!roleMappingItem.ShouldHave && hasPermission) {
+ wording := "not to"
+ if roleMappingItem.ShouldHave {
+ wording = "to"
+ }
+ t.Errorf("Expected '%v' %v have '%v' permission when '%v' is set to '%v'.", role.Name, wording, permission, policyName, policyValue)
+ }
+
+ }
+
+ }
+ }
+}
+
+func updateConfig(config *model.Config, key string, value string) {
+ v := reflect.ValueOf(config.ServiceSettings)
+ field := v.FieldByName(key)
+ if !field.IsValid() {
+ v = reflect.ValueOf(config.TeamSettings)
+ field = v.FieldByName(key)
+ }
+
+ switch value {
+ case "true", "false":
+ b, _ := strconv.ParseBool(value)
+ field.Elem().SetBool(b)
+ default:
+ field.Elem().SetString(value)
+ }
+}
+
+func roleHasPermission(role *model.Role, permission string) bool {
+ for _, p := range role.Permissions {
+ if p == permission {
+ return true
+ }
+ }
+ return false
+}
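Review bot: mapping() re-marshals every fixture item and discards both JSON errors (`roleStateMappingJSON, _ := json.Marshal(roleStateMapping)` and `_ = json.Unmarshal(roleStateMappingJSON, &roleState)`), and the unchecked assertions `value.(map[string]interface{})` and `roleStatesMappings.([]interface{})` panic rather than fail the test on a malformed fixture; decoding straight into `map[string]map[string][]RoleState` does the same work in one call and reports errors, as below. Separately, the test only calls `SetRolePermissionsFromConfig(roles, config, true)`, so none of the unlicensed branches in authorization.go are exercised, and updateConfig reaches `field.Elem()` with an invalid Value when a fixture key matches neither ServiceSettings nor TeamSettings — a `t.Fatalf` there would give a clearer failure than the reflect panic.
```go
func mapping() (map[string]map[string][]RoleState, error) {
	raw, err := ioutil.ReadFile("./policies-roles-mapping.json")
	if err != nil {
		return nil, err
	}

	var decoded map[string]map[string][]RoleState
	if err := json.Unmarshal(raw, &decoded); err != nil {
		return nil, err
	}

	// Fixture keys are lowerCamel; the config field names they select are UpperCamel.
	policiesRolesMapping := make(map[string]map[string][]RoleState, len(decoded))
	for policyName, byValue := range decoded {
		capitalizedName := strings.ToUpper(policyName[:1]) + policyName[1:]
		policiesRolesMapping[capitalizedName] = byValue
	}
	return policiesRolesMapping, nil
}
```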
diff --git a/utils/config.go b/utils/config.go
index 679e5f62c..b28cf918d 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -346,8 +346,8 @@ func GenerateClientConfig(c *model.Config, diagnosticId string, license *model.L
props["SiteURL"] = strings.TrimRight(*c.ServiceSettings.SiteURL, "/")
props["WebsocketURL"] = strings.TrimRight(*c.ServiceSettings.WebsocketURL, "/")
props["SiteName"] = c.TeamSettings.SiteName
+ props["EnableTeamCreation"] = strconv.FormatBool(*c.TeamSettings.EnableTeamCreation)
props["EnableAPIv3"] = strconv.FormatBool(*c.ServiceSettings.EnableAPIv3)
- props["EnableTeamCreation"] = strconv.FormatBool(c.TeamSettings.EnableTeamCreation)
props["EnableUserCreation"] = strconv.FormatBool(c.TeamSettings.EnableUserCreation)
props["EnableOpenServer"] = strconv.FormatBool(*c.TeamSettings.EnableOpenServer)
props["RestrictDirectMessage"] = *c.TeamSettings.RestrictDirectMessage
diff --git a/utils/policies-roles-mapping.json b/utils/policies-roles-mapping.json
new file mode 100644
index 000000000..6b09c6c72
--- /dev/null
+++ b/utils/policies-roles-mapping.json
@@ -0,0 +1,532 @@
+{
+ "restrictTeamInvite": {
+ "all": [
+ {
+ "roleName": "team_user",
+ "permission": "invite_user",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "invite_user",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "invite_user",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "invite_user",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "invite_user",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPublicChannelCreation": {
+ "all": [
+ {
+ "roleName": "team_user",
+ "permission": "create_public_channel",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "create_public_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "create_public_channel",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "create_public_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "create_public_channel",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPrivateChannelCreation": {
+ "all": [
+ {
+ "roleName": "team_user",
+ "permission": "create_private_channel",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "create_private_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "create_private_channel",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "create_private_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "create_private_channel",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPublicChannelManagement": {
+ "all": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": true
+ }
+ ],
+ "channel_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_public_channel_properties",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPublicChannelDeletion": {
+ "all": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_public_channel",
+ "shouldHave": true
+ }
+ ],
+ "channel_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_public_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "delete_public_channel",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_public_channel",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_public_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "delete_public_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_public_channel",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_public_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "delete_public_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_public_channel",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPrivateChannelManagement": {
+ "all": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": true
+ }
+ ],
+ "channel_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_private_channel_properties",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPrivateChannelManageMembers": {
+ "all": [
+ {
+ "roleName": "channel_user",
+ "permission": "manage_private_channel_members",
+ "shouldHave": true
+ }
+ ],
+ "channel_admin": [
+ {
+ "roleName": "channel_user",
+ "permission": "manage_private_channel_members",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_private_channel_members",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_private_channel_members",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "channel_user",
+ "permission": "manage_private_channel_members",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_private_channel_members",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_private_channel_members",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "channel_user",
+ "permission": "manage_private_channel_members",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "manage_private_channel_members",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "manage_private_channel_members",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPrivateChannelDeletion": {
+ "all": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_private_channel",
+ "shouldHave": true
+ }
+ ],
+ "channel_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_private_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "delete_private_channel",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_private_channel",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_private_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "delete_private_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_private_channel",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "team_user",
+ "permission": "delete_private_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "channel_admin",
+ "permission": "delete_private_channel",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_private_channel",
+ "shouldHave": false
+ }
+ ]
+ },
+ "allowEditPost": {
+ "always": [
+ {
+ "roleName": "channel_user",
+ "permission": "edit_post",
+ "shouldHave": true
+ },
+ {
+ "roleName": "system_admin",
+ "permission": "edit_post",
+ "shouldHave": true
+ }
+ ],
+ "never": [
+ {
+ "roleName": "channel_user",
+ "permission": "edit_post",
+ "shouldHave": false
+ },
+ {
+ "roleName": "system_admin",
+ "permission": "edit_post",
+ "shouldHave": false
+ }
+ ]
+ },
+ "restrictPostDelete": {
+ "all": [
+ {
+ "roleName": "channel_user",
+ "permission": "delete_post",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_post",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_others_posts",
+ "shouldHave": true
+ }
+ ],
+ "team_admin": [
+ {
+ "roleName": "channel_user",
+ "permission": "delete_post",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_post",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_others_posts",
+ "shouldHave": true
+ }
+ ],
+ "system_admin": [
+ {
+ "roleName": "channel_user",
+ "permission": "delete_post",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_post",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_admin",
+ "permission": "delete_others_posts",
+ "shouldHave": false
+ }
+ ]
+ },
+ "enableTeamCreation": {
+ "true": [
+ {
+ "roleName": "system_user",
+ "permission": "create_team",
+ "shouldHave": true
+ }
+ ],
+ "false": [
+ {
+ "roleName": "system_user",
+ "permission": "create_team",
+ "shouldHave": false
+ }
+ ]
+ },
+ "enableOnlyAdminIntegrations": {
+ "true": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_webhooks",
+ "shouldHave": false
+ },
+ {
+ "roleName": "team_user",
+ "permission": "manage_slash_commands",
+ "shouldHave": false
+ },
+ {
+ "roleName": "system_user",
+ "permission": "manage_oauth",
+ "shouldHave": false
+ }
+ ],
+ "false": [
+ {
+ "roleName": "team_user",
+ "permission": "manage_webhooks",
+ "shouldHave": true
+ },
+ {
+ "roleName": "team_user",
+ "permission": "manage_slash_commands",
+ "shouldHave": true
+ },
+ {
+ "roleName": "system_user",
+ "permission": "manage_oauth",
+ "shouldHave": true
+ }
+ ]
+ }
+}
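Review bot: The allowEditPost section only has `always` and `never` entries, while the code under test also grants edit_post for model.ALLOW_EDIT_POST_TIME_LIMIT, so that setting is unverified by TestSetRolePermissionsFromConfig. An entry keyed by the string value of that constant with the same two `"shouldHave": true` items as `always` would cover it; updateConfig's default branch writes any non-boolean value through SetString, so no test code change is needed.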