From aa6cb03b2042ff0f11e7c418ad2535eccc29d218 Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Tue, 1 Nov 2016 12:05:48 -0400
Subject: Prevent system_admin role mistake (#4405)
---
 api/user_test.go | 4 ++++
 mattermost.go | 13 +++++++++++--
 model/user.go | 5 +++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/api/user_test.go b/api/user_test.go
index 20c555931..2c6238c54 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -986,6 +986,10 @@ func TestUserUpdateRoles(t *testing.T) {
 t.Fatal("Should have errored, bad id")
 }
+ if _, err := Client.UpdateUserRoles("system_admin", ""); err == nil {
+ t.Fatal("Should have errored, we want to avoid this mistake")
+ }
+
 if _, err := Client.UpdateUserRoles("12345678901234567890123456", ""); err == nil {
 t.Fatal("Should have errored, bad id")
 }
diff --git a/mattermost.go b/mattermost.go
index 6d80f19e7..50427450a 100644
--- a/mattermost.go
+++ b/mattermost.go
@@ -706,6 +706,15 @@ func cmdAssignRole() {
 os.Exit(1)
 }
+ // Do some conversions
+ if flagRole == "system_admin" {
+ flagRole = "system_user system_admin"
+ }
+
+ if flagRole == "" {
+ flagRole = "system_user"
+ }
+
 if !model.IsValidUserRoles(flagRole) {
 fmt.Fprintln(os.Stderr, "flag invalid argument: -role")
 flag.Usage()
@@ -1527,7 +1536,7 @@ FLAGS: -role="system_admin" The role used in other commands valid values are - "" - The empty role is basic user + "system_user" - Is basic user permissions "system_admin" - Represents a system admin who has access to all teams
@@ -1572,7 +1581,7 @@ COMMANDS: -assign_role Assigns role to a user. It requires the -role and -email flag. You may need to log out of your current sessions for the new role to be - applied. + applied. For system admin use "system_admin". For Regular user just use "system_user". Example: platform -assign_role -email="user@example.com" -role="system_admin"
diff --git a/model/user.go b/model/user.go
index f5edf302f..330d26d82 100644
--- a/model/user.go
+++ b/model/user.go
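Review bot: The added case in TestUserUpdateRoles passes "system_admin" as the first argument and an empty string as the second, while the neighbouring calls in this hunk appear to use the first argument as the user id (they fail with "bad id"). If that reading is right, the call errors because "system_admin" is not a valid id, so the test passes without ever reaching the new role check in IsValidUserRoles. The case should pass a valid user id from the test's setup and the bare role as the second argument, for example `Client.UpdateUserRoles(<valid user id>, "system_admin")`, and a companion case should assert that `"system_user system_admin"` is still accepted. The test function starts and ends outside the hunk.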
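Review bot: The conversion added to cmdAssignRole silently rewrites a privilege-granting argument, so the operator never sees which role string is actually applied to the account. Printing the effective value after the conversion, e.g. `fmt.Fprintln(os.Stderr, "assigning roles: "+flagRole)`, would leave a record on the console of what was granted. The comparison is also exact-match, so a value with stray whitespace skips the conversion and is left to IsValidUserRoles, whose splitting logic is not visible here. The role names are repeated as string literals in this hunk and in model/user.go; if the model package has or can gain shared constants for them, using those would keep the CLI and the validator from drifting apart. cmdAssignRole begins and ends outside the hunk.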
@@ -337,6 +337,11 @@ func IsValidUserRoles(userRoles string) bool {
 }
 }
+ // Exclude just the system_admin role explicitly to prevent mistakes
+ if len(roles) == 1 && roles[0] == "system_admin" {
+ return false
+ }
+
 return true
 }
-- 
cgit v1.2.3-1-g7c22
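Review bot: The new guard in IsValidUserRoles rejects only the exact one-element list, so any other accepted value that contains `system_admin` without `system_user` still validates; a repeated `system_admin system_admin` would, assuming the loop above (outside this hunk) checks each entry on its own. Since the stated aim is to stop an admin being saved without the base role, checking for the pair is a tighter invariant than checking the length. The comment should also name the mistake being prevented (presumably that an admin without `system_user` lacks the base permissions; confirm against the permission checks). Role strings already stored should be checked against the stricter rule before it is enabled. The start of the function is outside the hunk.

```go
	// Reject system_admin unless system_user is also present.
	hasAdmin, hasUser := false, false
	for _, r := range roles {
		switch r {
		case "system_admin":
			hasAdmin = true
		case "system_user":
			hasUser = true
		}
	}
	if hasAdmin && !hasUser {
		return false
	}

	return true
```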