From 1e7985a87a72bea9a308cf1506dacc828c6e2e1c Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Tue, 13 Sep 2016 12:42:48 -0400 Subject: Modifying permissions system. (#3897) --- api/authorization.go | 149 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 api/authorization.go (limited to 'api/authorization.go') diff --git a/api/authorization.go b/api/authorization.go new file mode 100644 index 000000000..fb04b069b --- /dev/null +++ b/api/authorization.go @@ -0,0 +1,149 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api + +import ( + "net/http" + + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/model" +) + +func HasPermissionToContext(c *Context, permission *model.Permission) bool { + userRoles := c.Session.GetUserRoles() + if !CheckIfRolesGrantPermission(userRoles, permission.Id) { + c.Err = model.NewLocAppError("HasPermissionToContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id+" "+model.RoleIdsToString(userRoles)) + c.Err.StatusCode = http.StatusForbidden + return false + } + + return true +} + +func HasPermissionTo(user *model.User, permission *model.Permission) bool { + roles := user.GetRoles() + + return CheckIfRolesGrantPermission(roles, permission.Id) +} + +func HasPermissionToCurrentTeamContext(c *Context, permission *model.Permission) bool { + return HasPermissionToTeamContext(c, c.TeamId, permission) +} + +func HasPermissionToTeamContext(c *Context, teamId string, permission *model.Permission) bool { + teamMember := c.Session.GetTeamByTeamId(teamId) + if teamMember != nil { + roles := teamMember.GetRoles() + + if CheckIfRolesGrantPermission(roles, permission.Id) { + return true + } + } + + if HasPermissionToContext(c, permission) { + return true + } + + c.Err = model.NewLocAppError("HasPermissionToTeamContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id) + c.Err.StatusCode = http.StatusForbidden + return false +} + +func HasPermissionToTeam(user *model.User, teamMember *model.TeamMember, permission *model.Permission) bool { + if teamMember == nil { + return false + } + + roles := teamMember.GetRoles() + + if CheckIfRolesGrantPermission(roles, permission.Id) { + return true + } + + return HasPermissionTo(user, permission) +} + +func HasPermissionToChannelContext(c *Context, channelId string, permission *model.Permission) bool { + cmc := Srv.Store.Channel().GetMember(channelId, c.Session.UserId) + + var channelRoles []string + if cmcresult := <-cmc; cmcresult.Err == nil { + channelMember := cmcresult.Data.(model.ChannelMember) + channelRoles = channelMember.GetRoles() + + if CheckIfRolesGrantPermission(channelRoles, permission.Id) { + return true + } + } + + cc := Srv.Store.Channel().Get(channelId) + if ccresult := <-cc; ccresult.Err == nil { + channel := ccresult.Data.(*model.Channel) + + if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil { + roles := teamMember.GetRoles() + + if CheckIfRolesGrantPermission(roles, permission.Id) { + return true + } + } + + } + + if HasPermissionToContext(c, permission) { + return true + } + + c.Err = model.NewLocAppError("HasPermissionToChannelContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles)) + c.Err.StatusCode = http.StatusForbidden + return false +} + +func HasPermissionToChannel(user *model.User, teamMember *model.TeamMember, channelMember *model.ChannelMember, permission *model.Permission) bool { + if channelMember == nil { + return false + } + + roles := channelMember.GetRoles() + + if CheckIfRolesGrantPermission(roles, permission.Id) { + return true + } + + return HasPermissionToTeam(user, teamMember, permission) +} + +func HasPermissionToUser(c *Context, userId string) bool { + // You are the user (users autmaticly have permissions to themselves) + if c.Session.UserId == userId { + return true + } + + // You have permission + if HasPermissionToContext(c, model.PERMISSION_EDIT_OTHER_USERS) { + return true + } + + c.Err = model.NewLocAppError("HasPermissionToUser", "api.context.permissions.app_error", nil, "userId="+userId) + c.Err.StatusCode = http.StatusForbidden + return false +} + +func CheckIfRolesGrantPermission(roles []string, permissionId string) bool { + for _, roleId := range roles { + if role, ok := model.BuiltInRoles[roleId]; !ok { + l4g.Debug("Bad role in system " + roleId) + return false + } else { + permissions := role.Permissions + for _, permission := range permissions { + if permission == permissionId { + return true + } + } + } + } + + return false +} -- cgit v1.2.3-1-g7c22