From e49f5928c55ba57c39efa11c568c66342b962aae Mon Sep 17 00:00:00 2001
From: George Goldberg <george@gberg.me>
Date: Mon, 3 Apr 2017 18:13:28 +0100
Subject: PLT-6139 (Server): Private Channel member managing (#5941)

Adds an EE policy feature to allow restricting system-wide which level of
Admins can manage the membership of private channels.
---
 api/channel_test.go | 222 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 220 insertions(+), 2 deletions(-)

(limited to 'api')

diff --git a/api/channel_test.go b/api/channel_test.go
index bace5df5c..23705f172 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -1532,9 +1532,10 @@ func TestGetChannelStats(t *testing.T) {
 }
 
 func TestAddChannelMember(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 	team := th.BasicTeam
+	user1 := th.BasicUser
 	user2 := th.BasicUser2
 	user3 := th.CreateUser(Client)
 
@@ -1581,12 +1582,118 @@ func TestAddChannelMember(t *testing.T) {
 	if _, err := Client.AddChannelMember(channel1.Id, user3.Id); err == nil {
 		t.Fatal("Should have errored, user not on team")
 	}
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel3 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel3 = Client.Must(th.SystemAdminClient.CreateChannel(channel3)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel3.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can add other users.
+	channel4 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel4 = Client.Must(th.SystemAdminClient.CreateChannel(channel4)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel4.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel5 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel5 = Client.Must(th.SystemAdminClient.CreateChannel(channel5)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel5.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	MakeUserChannelAdmin(user1, channel5)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	if _, err := Client.AddChannelMember(channel5.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel6 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel6 = Client.Must(th.SystemAdminClient.CreateChannel(channel6)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel6.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	UpdateUserToTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	if _, err := Client.AddChannelMember(channel6.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel7 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel7 = Client.Must(th.SystemAdminClient.CreateChannel(channel7)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user1.Id))
+	if _, err := Client.AddChannelMember(channel7.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	if _, err := th.SystemAdminClient.AddChannelMember(channel7.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
 }
 
 func TestRemoveChannelMember(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 	team := th.BasicTeam
+	user1 := th.BasicUser
 	user2 := th.BasicUser2
 	UpdateUserToTeamAdmin(user2, team)
 
@@ -1646,6 +1753,117 @@ func TestRemoveChannelMember(t *testing.T) {
 	if _, err := Client.RemoveChannelMember(townSquare.Id, userStd.Id); err == nil {
 		t.Fatal("should have errored, channel is default")
 	}
+
+	th.LoginBasic()
+
+	// Test policy does not apply to TE.
+	restrictPrivateChannel := *utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = restrictPrivateChannel
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel3 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel3 = Client.Must(th.SystemAdminClient.CreateChannel(channel3)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel3.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel3.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a license
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Check that a regular channel user can remove other users.
+	channel4 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel4 = Client.Must(th.SystemAdminClient.CreateChannel(channel4)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel4.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel4.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with CHANNEL_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_CHANNEL_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel5 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel5 = Client.Must(th.SystemAdminClient.CreateChannel(channel5)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel5.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel5.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	MakeUserChannelAdmin(user1, channel5)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+
+	if _, err := Client.RemoveChannelMember(channel5.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with TEAM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel6 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel6 = Client.Must(th.SystemAdminClient.CreateChannel(channel6)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel6.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel6.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	UpdateUserToTeamAdmin(user1, team)
+	app.InvalidateAllCaches()
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	if _, err := Client.RemoveChannelMember(channel6.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Test with SYSTEM_ADMIN level permission.
+	*utils.Cfg.TeamSettings.RestrictPrivateChannelManageMembers = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+
+	channel7 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel7 = Client.Must(th.SystemAdminClient.CreateChannel(channel7)).Data.(*model.Channel)
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user1.Id))
+	Client.Must(th.SystemAdminClient.AddChannelMember(channel7.Id, user2.Id))
+	if _, err := Client.RemoveChannelMember(channel7.Id, user2.Id); err == nil {
+		t.Fatal("Should have failed due to permissions")
+	}
+
+	if _, err := th.SystemAdminClient.RemoveChannelMember(channel7.Id, user2.Id); err != nil {
+		t.Fatal(err)
+	}
 }
 
 func TestUpdateNotifyProps(t *testing.T) {
-- 
cgit v1.2.3-1-g7c22