From 58d0d9afd286afd715e9f04825e1305045d404e2 Mon Sep 17 00:00:00 2001
From: =Corey Hulen <corey@hulen.com>
Date: Fri, 4 Sep 2015 11:59:10 -0700
Subject: Adding cmd line options

---
 api/user.go | 87 ++++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 52 insertions(+), 35 deletions(-)

(limited to 'api/user.go')

diff --git a/api/user.go b/api/user.go
index d69244fad..f4ebcaaf8 100644
--- a/api/user.go
+++ b/api/user.go
@@ -925,7 +925,16 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	new_roles := props["new_roles"]
-	// no check since we allow the clearing of Roles
+	if model.IsValidRoles(new_roles) {
+		c.SetInvalidParam("updateRoles", "new_roles")
+		return
+	}
+
+	if model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN) {
+		c.Err = model.NewAppError("updateRoles", "The system_admin role can only be set from the command line", "")
+		c.Err.StatusCode = http.StatusForbidden
+		return
+	}
 
 	var user *model.User
 	if result := <-Srv.Store.User().Get(user_id); result.Err != nil {
@@ -939,43 +948,15 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !strings.Contains(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
+	if !model.IsInRole(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
 		c.Err = model.NewAppError("updateRoles", "You do not have the appropriate permissions", "userId="+user_id)
 		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
 
-	// make sure there is at least 1 other active admin
-	if strings.Contains(user.Roles, model.ROLE_ADMIN) && !strings.Contains(new_roles, model.ROLE_ADMIN) {
-		if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
-			c.Err = result.Err
-			return
-		} else {
-			activeAdmins := -1
-			profileUsers := result.Data.(map[string]*model.User)
-			for _, profileUser := range profileUsers {
-				if profileUser.DeleteAt == 0 && strings.Contains(profileUser.Roles, model.ROLE_ADMIN) {
-					activeAdmins = activeAdmins + 1
-				}
-			}
-
-			if activeAdmins <= 0 {
-				c.Err = model.NewAppError("updateRoles", "There must be at least one active admin", "userId="+user_id)
-				return
-			}
-		}
-	}
-
-	user.Roles = new_roles
-
-	var ruser *model.User
-	if result := <-Srv.Store.User().Update(user, true); result.Err != nil {
-		c.Err = result.Err
+	ruser := UpdateRoles(c, user, new_roles)
+	if c.Err != nil {
 		return
-	} else {
-		c.LogAuditWithUserId(user.Id, "roles="+new_roles)
-
-		ruser = result.Data.([2]*model.User)[0]
 	}
 
 	uchan := Srv.Store.Session().UpdateRoles(user.Id, new_roles)
@@ -1002,6 +983,42 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte(ruser.ToJson()))
 }
 
+func UpdateRoles(c *Context, user *model.User, roles string) *model.User {
+	// make sure there is at least 1 other active admin
+	if model.IsInRole(user.Roles, model.ROLE_ADMIN) && !model.IsInRole(roles, model.ROLE_ADMIN) {
+		if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
+			c.Err = result.Err
+			return nil
+		} else {
+			activeAdmins := -1
+			profileUsers := result.Data.(map[string]*model.User)
+			for _, profileUser := range profileUsers {
+				if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_ADMIN) {
+					activeAdmins = activeAdmins + 1
+				}
+			}
+
+			if activeAdmins <= 0 {
+				c.Err = model.NewAppError("updateRoles", "There must be at least one active admin", "")
+				return nil
+			}
+		}
+	}
+
+	user.Roles = roles
+
+	var ruser *model.User
+	if result := <-Srv.Store.User().Update(user, true); result.Err != nil {
+		c.Err = result.Err
+		return nil
+	} else {
+		c.LogAuditWithUserId(user.Id, "roles="+roles)
+		ruser = result.Data.([2]*model.User)[0]
+	}
+
+	return ruser
+}
+
 func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 
@@ -1025,14 +1042,14 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !strings.Contains(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
+	if !model.IsInRole(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
 		c.Err = model.NewAppError("updateActive", "You do not have the appropriate permissions", "userId="+user_id)
 		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
 
 	// make sure there is at least 1 other active admin
-	if !active && strings.Contains(user.Roles, model.ROLE_ADMIN) {
+	if !active && model.IsInRole(user.Roles, model.ROLE_ADMIN) {
 		if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
 			c.Err = result.Err
 			return
@@ -1040,7 +1057,7 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
 			activeAdmins := -1
 			profileUsers := result.Data.(map[string]*model.User)
 			for _, profileUser := range profileUsers {
-				if profileUser.DeleteAt == 0 && strings.Contains(profileUser.Roles, model.ROLE_ADMIN) {
+				if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_ADMIN) {
 					activeAdmins = activeAdmins + 1
 				}
 			}
-- 
cgit v1.2.3-1-g7c22


From e54d0da392119e75788f3d5a431b85e931a7e824 Mon Sep 17 00:00:00 2001
From: =Corey Hulen <corey@hulen.com>
Date: Fri, 4 Sep 2015 16:56:18 -0700
Subject: Adding unit tests for cmd line

---
 api/user.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'api/user.go')

diff --git a/api/user.go b/api/user.go
index f4ebcaaf8..48f974dd5 100644
--- a/api/user.go
+++ b/api/user.go
@@ -925,7 +925,7 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	new_roles := props["new_roles"]
-	if model.IsValidRoles(new_roles) {
+	if !model.IsValidRoles(new_roles) {
 		c.SetInvalidParam("updateRoles", "new_roles")
 		return
 	}
-- 
cgit v1.2.3-1-g7c22


From 8bf35081c80a56051037d0bc374e9fec3fb9529e Mon Sep 17 00:00:00 2001
From: =Corey Hulen <corey@hulen.com>
Date: Thu, 10 Sep 2015 14:56:37 -0700
Subject: PLT-12 UI framework for admin console

---
 api/user.go | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

(limited to 'api/user.go')

diff --git a/api/user.go b/api/user.go
index 48f974dd5..0698ea2f0 100644
--- a/api/user.go
+++ b/api/user.go
@@ -985,22 +985,25 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 
 func UpdateRoles(c *Context, user *model.User, roles string) *model.User {
 	// make sure there is at least 1 other active admin
-	if model.IsInRole(user.Roles, model.ROLE_ADMIN) && !model.IsInRole(roles, model.ROLE_ADMIN) {
-		if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
-			c.Err = result.Err
-			return nil
-		} else {
-			activeAdmins := -1
-			profileUsers := result.Data.(map[string]*model.User)
-			for _, profileUser := range profileUsers {
-				if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_ADMIN) {
-					activeAdmins = activeAdmins + 1
-				}
-			}
 
-			if activeAdmins <= 0 {
-				c.Err = model.NewAppError("updateRoles", "There must be at least one active admin", "")
+	if !model.IsInRole(roles, model.ROLE_SYSTEM_ADMIN) {
+		if model.IsInRole(user.Roles, model.ROLE_ADMIN) && !model.IsInRole(roles, model.ROLE_ADMIN) {
+			if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
+				c.Err = result.Err
 				return nil
+			} else {
+				activeAdmins := -1
+				profileUsers := result.Data.(map[string]*model.User)
+				for _, profileUser := range profileUsers {
+					if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_ADMIN) {
+						activeAdmins = activeAdmins + 1
+					}
+				}
+
+				if activeAdmins <= 0 {
+					c.Err = model.NewAppError("updateRoles", "There must be at least one active admin", "")
+					return nil
+				}
 			}
 		}
 	}
-- 
cgit v1.2.3-1-g7c22


From e5e88d16049f4527eaab6b066c731fbe4247b574 Mon Sep 17 00:00:00 2001
From: =Corey Hulen <corey@hulen.com>
Date: Fri, 11 Sep 2015 09:39:28 -0700
Subject: Renaming ROLE_ADMIN to ROLE_TEAM_ADMIN

---
 api/user.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'api/user.go')

diff --git a/api/user.go b/api/user.go
index f32bbbe13..c87b89c7a 100644
--- a/api/user.go
+++ b/api/user.go
@@ -170,7 +170,7 @@ func CreateUser(c *Context, team *model.Team, user *model.User) *model.User {
 
 	channelRole := ""
 	if team.Email == user.Email {
-		user.Roles = model.ROLE_ADMIN
+		user.Roles = model.ROLE_TEAM_ADMIN
 		channelRole = model.CHANNEL_ROLE_ADMIN
 	} else {
 		user.Roles = ""
@@ -945,7 +945,7 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !model.IsInRole(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
+	if !model.IsInRole(c.Session.Roles, model.ROLE_TEAM_ADMIN) && !c.IsSystemAdmin() {
 		c.Err = model.NewAppError("updateRoles", "You do not have the appropriate permissions", "userId="+user_id)
 		c.Err.StatusCode = http.StatusForbidden
 		return
@@ -984,7 +984,7 @@ func UpdateRoles(c *Context, user *model.User, roles string) *model.User {
 	// make sure there is at least 1 other active admin
 
 	if !model.IsInRole(roles, model.ROLE_SYSTEM_ADMIN) {
-		if model.IsInRole(user.Roles, model.ROLE_ADMIN) && !model.IsInRole(roles, model.ROLE_ADMIN) {
+		if model.IsInRole(user.Roles, model.ROLE_TEAM_ADMIN) && !model.IsInRole(roles, model.ROLE_TEAM_ADMIN) {
 			if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
 				c.Err = result.Err
 				return nil
@@ -992,7 +992,7 @@ func UpdateRoles(c *Context, user *model.User, roles string) *model.User {
 				activeAdmins := -1
 				profileUsers := result.Data.(map[string]*model.User)
 				for _, profileUser := range profileUsers {
-					if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_ADMIN) {
+					if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_TEAM_ADMIN) {
 						activeAdmins = activeAdmins + 1
 					}
 				}
@@ -1042,14 +1042,14 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !model.IsInRole(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
+	if !model.IsInRole(c.Session.Roles, model.ROLE_TEAM_ADMIN) && !c.IsSystemAdmin() {
 		c.Err = model.NewAppError("updateActive", "You do not have the appropriate permissions", "userId="+user_id)
 		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
 
 	// make sure there is at least 1 other active admin
-	if !active && model.IsInRole(user.Roles, model.ROLE_ADMIN) {
+	if !active && model.IsInRole(user.Roles, model.ROLE_TEAM_ADMIN) {
 		if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
 			c.Err = result.Err
 			return
@@ -1057,7 +1057,7 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
 			activeAdmins := -1
 			profileUsers := result.Data.(map[string]*model.User)
 			for _, profileUser := range profileUsers {
-				if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_ADMIN) {
+				if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_TEAM_ADMIN) {
 					activeAdmins = activeAdmins + 1
 				}
 			}
-- 
cgit v1.2.3-1-g7c22