From e9c9688b343049c6d461260bd15fff3486238f92 Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Mon, 23 Jan 2017 08:12:05 -0500 Subject: Move permissions code into app package (#5146) * Move permissions code into app package * Revert getPosts permission
--- api/apitestlib.go | 25 ++++-- api/authorization.go | 188 ---------------------------------------- api/authorization_test.go | 36 --------- api/channel.go | 63 ++++++++++------ api/channel_test.go | 3 +- api/command.go | 19 ++--- api/context.go | 11 ++- api/deprecated.go | 3 +- api/emoji.go | 2 +- api/file.go | 6 +- api/license.go | 3 +- api/oauth.go | 14 ++-- api/post.go | 34 ++++++--- api/reaction.go | 9 ++- api/team.go | 175 ++++++++++-------------------------------- api/team_test.go | 46 +++++------- api/user.go | 65 ++++++++-------- api/user_test.go | 148 ++++++++++++++++++++++-------------- api/webhook.go | 26 ++++--- 19 files changed, 323 insertions(+), 553 deletions(-) delete mode 100644 api/authorization.go delete mode 100644 api/authorization_test.go (limited to 'api')
diff --git a/api/apitestlib.go b/api/apitestlib.go
index 09aed0e33..475469a36 100644
--- a/api/apitestlib.go
+++ b/api/apitestlib.go
@@ -80,13 +80,14 @@ func Setup() *TestHelper {
 func (me *TestHelper) InitBasic() *TestHelper {
 me.BasicClient = me.CreateClient()
- me.BasicTeam = me.CreateTeam(me.BasicClient)
 me.BasicUser = me.CreateUser(me.BasicClient)
+ me.LoginBasic()
+ me.BasicTeam = me.CreateTeam(me.BasicClient)
 LinkUserToTeam(me.BasicUser, me.BasicTeam)
+ UpdateUserToNonTeamAdmin(me.BasicUser, me.BasicTeam)
 me.BasicUser2 = me.CreateUser(me.BasicClient)
 LinkUserToTeam(me.BasicUser2, me.BasicTeam)
 me.BasicClient.SetTeamId(me.BasicTeam.Id)
- me.LoginBasic()
 me.BasicChannel = me.CreateChannel(me.BasicClient, me.BasicTeam)
 me.BasicPost = me.CreatePost(me.BasicClient, me.BasicChannel)
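Review bot: `InitBasic` now has `BasicUser` create `BasicTeam` while logged in, which presumably makes that user the team creator with elevated team roles, and the new `UpdateUserToNonTeamAdmin` call then strips them; nothing in the hunk says why, so a reader will take the demotion for a mistake. I would add above the call `// BasicUser created BasicTeam (and so presumably holds the team-admin role); demote to a plain member so fixtures exercise non-admin behaviour`. Whether `CreateTeam` actually grants the creator a team-admin role is not visible here and should be confirmed before the comment asserts it. The enclosing function continues past the hunk.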
@@ -95,13 +96,13 @@ func (me *TestHelper) InitBasic() *TestHelper {
 func (me *TestHelper) InitSystemAdmin() *TestHelper {
 me.SystemAdminClient = me.CreateClient()
- me.SystemAdminTeam = me.CreateTeam(me.SystemAdminClient)
 me.SystemAdminUser = me.CreateUser(me.SystemAdminClient)
+ me.SystemAdminUser.Password = "Password1"
+ me.LoginSystemAdmin()
+ me.SystemAdminTeam = me.CreateTeam(me.SystemAdminClient)
 LinkUserToTeam(me.SystemAdminUser, me.SystemAdminTeam)
 me.SystemAdminClient.SetTeamId(me.SystemAdminTeam.Id)
 app.UpdateUserRoles(me.SystemAdminUser.Id, model.ROLE_SYSTEM_USER.Id+" "+model.ROLE_SYSTEM_ADMIN.Id)
- me.SystemAdminUser.Password = "Password1"
- me.LoginSystemAdmin()
 me.SystemAdminChannel = me.CreateChannel(me.SystemAdminClient, me.SystemAdminTeam)
 return me
@@ -176,6 +177,20 @@ func UpdateUserToTeamAdmin(user *model.User, team *model.Team) {
 utils.EnableDebugLogForTest()
 }
+func UpdateUserToNonTeamAdmin(user *model.User, team *model.Team) {
+ utils.DisableDebugLogForTest()
+
+ tm := &model.TeamMember{TeamId: team.Id, UserId: user.Id, Roles: model.ROLE_TEAM_USER.Id}
+ if tmr := <-app.Srv.Store.Team().UpdateMember(tm); tmr.Err != nil {
+ utils.EnableDebugLogForTest()
+ l4g.Error(tmr.Err.Error())
+ l4g.Close()
+ time.Sleep(time.Second)
+ panic(tmr.Err)
+ }
+ utils.EnableDebugLogForTest()
+}
+
 func MakeUserChannelAdmin(user *model.User, channel *model.Channel) {
 utils.DisableDebugLogForTest()
diff --git a/api/authorization.go b/api/authorization.go
deleted file mode 100644
index ac50d45ff..000000000
--- a/api/authorization.go
+++ /dev/null
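Review bot: `UpdateUserToNonTeamAdmin` rewrites the member's roles directly through the store, and in `InitBasic` it is called after `LoginBasic()` has already established a session; if team roles are cached on the session, the logged-in client keeps acting with the old roles until that cache is refreshed, and tests would pass or fail for the wrong reason. If the app package exposes a per-user session-cache invalidation at this revision (the existing `UpdateUserToTeamAdmin` above is the place to look for precedent), call it after the store write, e.g. `app.ClearSessionCacheForUser(user.Id)`. The `l4g.Close(); time.Sleep(time.Second); panic(...)` tail mirrors the sibling helpers' style, but the function has no doc comment; I would add `// UpdateUserToNonTeamAdmin demotes user to a plain member of team; it panics on a store failure so a broken fixture aborts the run.`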
@@ -1,188 +0,0 @@
-// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
-// See License.txt for license information.
-
-package api
-
-import (
- "net/http"
- "strings"
-
- l4g "github.com/alecthomas/log4go"
- "github.com/mattermost/platform/app"
- "github.com/mattermost/platform/model"
-)
-
-func HasPermissionToContext(c *Context, permission *model.Permission) bool {
- userRoles := c.Session.GetUserRoles()
- if !CheckIfRolesGrantPermission(userRoles, permission.Id) {
- c.Err = model.NewLocAppError("HasPermissionToContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id+" "+model.RoleIdsToString(userRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
- }
-
- return true
-}
-
-func HasPermissionTo(user *model.User, permission *model.Permission) bool {
- roles := user.GetRoles()
-
- return CheckIfRolesGrantPermission(roles, permission.Id)
-}
-
-func HasPermissionToCurrentTeamContext(c *Context, permission *model.Permission) bool {
- return HasPermissionToTeamContext(c, c.TeamId, permission)
-}
-
-func HasPermissionToTeamContext(c *Context, teamId string, permission *model.Permission) bool {
- teamMember := c.Session.GetTeamByTeamId(teamId)
- if teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToTeamContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+c.TeamId+" permission="+permission.Id)
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToTeam(user *model.User, teamMember *model.TeamMember, permission *model.Permission) bool {
- if teamMember == nil {
- return false
- }
-
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
-
- return HasPermissionTo(user, permission)
-}
-
-func HasPermissionToChannelContext(c *Context, channelId string, permission *model.Permission) bool {
- cmc := app.Srv.Store.Channel().GetAllChannelMembersForUser(c.Session.UserId, true)
-
- var channelRoles []string
- if cmcresult := <-cmc; cmcresult.Err == nil {
- ids := cmcresult.Data.(map[string]string)
- if roles, ok := ids[channelId]; ok {
- channelRoles = strings.Fields(roles)
- if CheckIfRolesGrantPermission(channelRoles, permission.Id) {
- return true
- }
- }
- }
-
- cc := app.Srv.Store.Channel().Get(channelId, true)
- if ccresult := <-cc; ccresult.Err == nil {
- channel := ccresult.Data.(*model.Channel)
-
- if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToChannelContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToChannel(user *model.User, teamMember *model.TeamMember, channelMember *model.ChannelMember, permission *model.Permission) bool {
- if channelMember == nil {
- return false
- }
-
- roles := channelMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
-
- return HasPermissionToTeam(user, teamMember, permission)
-}
-
-func HasPermissionToChannelByPostContext(c *Context, postId string, permission *model.Permission) bool {
- cmc := app.Srv.Store.Channel().GetMemberForPost(postId, c.Session.UserId)
-
- var channelRoles []string
- if cmcresult := <-cmc; cmcresult.Err == nil {
- channelMember := cmcresult.Data.(*model.ChannelMember)
- channelRoles = channelMember.GetRoles()
-
- if CheckIfRolesGrantPermission(channelRoles, permission.Id) {
- return true
- }
- }
-
- cc := app.Srv.Store.Channel().GetForPost(postId)
- if ccresult := <-cc; ccresult.Err == nil {
- channel := ccresult.Data.(*model.Channel)
-
- if teamMember := c.Session.GetTeamByTeamId(channel.TeamId); teamMember != nil {
- roles := teamMember.GetRoles()
-
- if CheckIfRolesGrantPermission(roles, permission.Id) {
- return true
- }
- }
-
- }
-
- if HasPermissionToContext(c, permission) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToChannelByPostContext", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id+" channelRoles="+model.RoleIdsToString(channelRoles))
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func HasPermissionToUser(c *Context, userId string) bool {
- // You are the user (users autmaticly have permissions to themselves)
- if c.Session.UserId == userId {
- return true
- }
-
- // You have permission
- if HasPermissionToContext(c, model.PERMISSION_EDIT_OTHER_USERS) {
- return true
- }
-
- c.Err = model.NewLocAppError("HasPermissionToUser", "api.context.permissions.app_error", nil, "userId="+userId)
- c.Err.StatusCode = http.StatusForbidden
- return false
-}
-
-func CheckIfRolesGrantPermission(roles []string, permissionId string) bool {
- for _, roleId := range roles {
- if role, ok := model.BuiltInRoles[roleId]; !ok {
- l4g.Debug("Bad role in system " + roleId)
- return false
- } else {
- permissions := role.Permissions
- for _, permission := range permissions {
- if permission == permissionId {
- return true
- }
- }
- }
- }
-
- return false
-}
diff --git a/api/authorization_test.go b/api/authorization_test.go
deleted file mode 100644
index 5613751c2..000000000
--- a/api/authorization_test.go
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
-// See License.txt for license information.
-
-package api
-
-import (
- "testing"
-
- "github.com/mattermost/platform/model"
-)
-
-func TestCheckIfRolesGrantPermission(t *testing.T) {
- Setup()
-
- cases := []struct {
- roles []string
- permissionId string
- shouldGrant bool
- }{
- {[]string{model.ROLE_SYSTEM_ADMIN.Id}, model.ROLE_SYSTEM_ADMIN.Permissions[0], true},
- {[]string{model.ROLE_SYSTEM_ADMIN.Id}, "non-existant-permission", false},
- {[]string{model.ROLE_CHANNEL_USER.Id}, model.ROLE_CHANNEL_USER.Permissions[0], true},
- {[]string{model.ROLE_CHANNEL_USER.Id}, model.PERMISSION_MANAGE_SYSTEM.Id, false},
- {[]string{model.ROLE_SYSTEM_ADMIN.Id, model.ROLE_CHANNEL_USER.Id}, model.PERMISSION_MANAGE_SYSTEM.Id, true},
- {[]string{model.ROLE_CHANNEL_USER.Id, model.ROLE_SYSTEM_ADMIN.Id}, model.PERMISSION_MANAGE_SYSTEM.Id, true},
- {[]string{model.ROLE_TEAM_USER.Id, model.ROLE_TEAM_ADMIN.Id}, model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, true},
- {[]string{model.ROLE_TEAM_ADMIN.Id, model.ROLE_TEAM_USER.Id}, model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, true},
- }
-
- for testnum, testcase := range cases {
- if CheckIfRolesGrantPermission(testcase.roles, testcase.permissionId) != testcase.shouldGrant {
- t.Fatal("Failed test case ", testnum)
- }
- }
-
-}
diff --git a/api/channel.go b/api/channel.go
index 4c0c56496..474c41d07 100644
--- a/api/channel.go
+++ b/api/channel.go
@@ -71,11 +71,13 @@ func createChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_CREATE_PUBLIC_CHANNEL) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_CREATE_PUBLIC_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_CREATE_PUBLIC_CHANNEL)
 return
 }
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_CREATE_PRIVATE_CHANNEL) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_CREATE_PRIVATE_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_CREATE_PRIVATE_CHANNEL)
 return
 }
@@ -105,7 +107,8 @@ func createChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 func createDirectChannel(c *Context, w http.ResponseWriter, r *http.Request) {
- if !HasPermissionToContext(c, model.PERMISSION_CREATE_DIRECT_CHANNEL) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_DIRECT_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_CREATE_DIRECT_CHANNEL)
 return
 }
@@ -126,11 +129,13 @@ func createDirectChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 func CanManageChannel(c *Context, channel *model.Channel) bool {
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES)
 return false
 }
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES)
 return false
 }
@@ -345,7 +350,8 @@ func getMoreChannelsPage(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 // user is already in the team
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_LIST_TEAM_CHANNELS)
 return
 }
@@ -396,7 +402,8 @@ func join(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 if channel.Type == model.CHANNEL_OPEN {
- if !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
 return
 }
 }
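Review bot: `CanManageChannel` only guards `CHANNEL_OPEN` and `CHANNEL_PRIVATE`; for any other channel type both `if`s are skipped and the function falls through to whatever follows the hunk, presumably `return true`, so no membership or permission check is applied to direct or group channels at all. If that is intended because such channels belong to no team, say so where the fall-through happens, e.g. `// Direct/group channels have no team: no property permission applies — callers must verify membership`; if it is not intended, add an explicit check for the remaining types. The function's tail is outside the hunk, so the fall-through target is inferred rather than seen.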
@@ -445,11 +452,13 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 // Allow delete if user is the only member left in channel
 if memberCount > 1 {
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_DELETE_PUBLIC_CHANNEL)
 return
 }
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_DELETE_PRIVATE_CHANNEL)
 return
 }
 }
@@ -509,7 +518,8 @@ func getChannelByName(c *Context, w http.ResponseWriter, r *http.Request) {
 c.Err = err
 return
 } else {
- if !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
@@ -544,7 +554,8 @@ func getChannelStats(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
@@ -562,7 +573,8 @@ func getChannelMember(c *Context, w http.ResponseWriter, r *http.Request) {
 channelId := params["channel_id"]
 userId := params["user_id"]
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
@@ -602,11 +614,13 @@ func addMember(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
 return
 }
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
 return
 }
@@ -655,11 +669,13 @@ func removeMember(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if channel.Type == model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
 return
 }
- if channel.Type == model.CHANNEL_PRIVATE && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
 return
 }
@@ -704,7 +720,8 @@ func updateNotifyProps(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToUser(c, userId) {
+ if !app.SessionHasPermissionToUser(c.Session, userId) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
 return
 }
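Review bot: The open-vs-private pair of checks in `addMember` and `removeMember` is now the fifth copy of the same shape in channel.go (`createChannel`, `CanManageChannel` and `deleteChannel` carry it too), and every copy silently lets channel types other than open/private through. A small helper that picks the permission by channel type, records the error via `c.SetPermissionError`, and makes the fall-through explicit would shrink each call site to `if !requireChannelPermission(c, channel, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) { return }`. The `default: return true` below reproduces today's behaviour for other types; whether that is the desired policy is a separate question worth a comment at the helper. The enclosing handlers start before their hunks.
```go
// requireChannelPermission checks the open- or private-channel variant of a
// permission for channel and records a permission error on c when it fails.
// Channel types with no variant (direct/group) are allowed through, matching
// the behaviour of the per-handler checks it replaces.
func requireChannelPermission(c *Context, channel *model.Channel, openPerm, privatePerm *model.Permission) bool {
	var perm *model.Permission
	switch channel.Type {
	case model.CHANNEL_OPEN:
		perm = openPerm
	case model.CHANNEL_PRIVATE:
		perm = privatePerm
	default:
		return true
	}
	if !app.SessionHasPermissionToChannel(c.Session, channel.Id, perm) {
		c.SetPermissionError(perm)
		return false
	}
	return true
}
```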
@@ -725,7 +742,8 @@ func searchMoreChannels(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
@@ -747,7 +765,8 @@ func autocompleteChannels(c *Context, w http.ResponseWriter, r *http.Request) {
 term := r.URL.Query().Get("term")
 if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
@@ -792,7 +811,8 @@ func getChannelMembersByIds(c *Context, w http.ResponseWriter, r *http.Request)
 return
 }
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
@@ -816,7 +836,8 @@ func updateChannelMemberRoles(c *Context, w http.ResponseWriter, r *http.Request
 return
 }
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_MANAGE_CHANNEL_ROLES) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_MANAGE_CHANNEL_ROLES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_CHANNEL_ROLES)
 return
 }
diff --git a/api/channel_test.go b/api/channel_test.go
index 119578e8b..450c5556e 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -20,7 +20,7 @@ func TestCreateChannel(t *testing.T) {
 Client := th.BasicClient
 SystemAdminClient := th.SystemAdminClient
 team := th.BasicTeam
- Client.Must(Client.Logout())
+ th.LoginBasic2()
 team2 := th.CreateTeam(th.BasicClient)
 th.LoginBasic()
 th.BasicClient.SetTeamId(team.Id)
@@ -126,6 +126,7 @@ func TestCreateChannel(t *testing.T) {
 *utils.Cfg.TeamSettings.RestrictPrivateChannelCreation = model.PERMISSIONS_TEAM_ADMIN
 utils.SetDefaultRolesBasedOnConfig()
+ th.LoginBasic2()
 channel2.Name = "a" + model.NewId() + "a"
 channel3.Name = "a" + model.NewId() + "a"
 if _, err := Client.CreateChannel(channel2); err == nil {
diff --git a/api/command.go b/api/command.go
index 376cb1075..7e0a1e232 100644
--- a/api/command.go
+++ b/api/command.go
@@ -97,7 +97,8 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 if len(commandArgs.ChannelId) > 0 {
- if !HasPermissionToChannelContext(c, commandArgs.ChannelId, model.PERMISSION_USE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToChannel(c.Session, commandArgs.ChannelId, model.PERMISSION_USE_SLASH_COMMANDS) {
+ c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
 return
 }
 }
@@ -260,7 +261,7 @@ func createCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
 c.Err = model.NewLocAppError("createCommand", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -316,7 +317,7 @@ func updateCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
 c.Err = model.NewLocAppError("updateCommand", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
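Review bot: In `executeCommand` the `PERMISSION_USE_SLASH_COMMANDS` check is wrapped in `if len(commandArgs.ChannelId) > 0`, so a request that omits the channel id is never tested against that permission at all. If an empty channel id is a legitimate input, the code after the hunk must refuse to run the command against any channel before it reaches one; if it is not, reject it up front with the file's invalid-parameter helper instead of skipping the authorization step, so the absence of a channel cannot become a way around the check. The validation that precedes this block is outside the hunk, so this may already be handled there; a comment on the `if` stating which case applies would settle it for the next reader.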
@@ -340,7 +341,7 @@ func updateCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 } else {
 oldCmd = result.Data.(*model.Command)
- if c.Session.UserId != oldCmd.CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS) {
+ if c.Session.UserId != oldCmd.CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS) {
 c.LogAudit("fail - inappropriate permissions")
 c.Err = model.NewLocAppError("updateCommand", "api.command.update.app_error", nil, "user_id="+c.Session.UserId)
 return
@@ -375,7 +376,7 @@ func listTeamCommands(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
 c.Err = model.NewLocAppError("listTeamCommands", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -397,7 +398,7 @@ func regenCommandToken(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
 c.Err = model.NewLocAppError("regenCommandToken", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
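Review bot: The `MANAGE_OTHERS_SLASH_COMMANDS` branch in `updateCommand` sets `c.Err` without a status code, unlike the `MANAGE_SLASH_COMMANDS` check in the previous hunk which sets `http.StatusForbidden`, so this denial goes out with whatever default `NewLocAppError` assigns rather than an explicit 403; add `c.Err.StatusCode = http.StatusForbidden` after the assignment. Separately, the permission is evaluated for `c.TeamId`, but nothing in the hunk compares `oldCmd.TeamId` with `c.TeamId` the way `regenCommandToken` and `deleteCommand` do in the hunks that follow; if that comparison is not in the lines after this hunk, a team admin of one team could update another team's command by id. The surrounding `if/else` on the store result starts before the hunk.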
@@ -420,7 +421,7 @@ func regenCommandToken(c *Context, w http.ResponseWriter, r *http.Request) {
 } else {
 cmd = result.Data.(*model.Command)
- if c.TeamId != cmd.TeamId || (c.Session.UserId != cmd.CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
+ if c.TeamId != cmd.TeamId || (c.Session.UserId != cmd.CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
 c.LogAudit("fail - inappropriate permissions")
 c.Err = model.NewLocAppError("regenToken", "api.command.regen.app_error", nil, "user_id="+c.Session.UserId)
 return
@@ -444,7 +445,7 @@ func deleteCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SLASH_COMMANDS) {
 c.Err = model.NewLocAppError("deleteCommand", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -464,7 +465,7 @@ func deleteCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 c.Err = result.Err
 return
 } else {
- if c.TeamId != result.Data.(*model.Command).TeamId || (c.Session.UserId != result.Data.(*model.Command).CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
+ if c.TeamId != result.Data.(*model.Command).TeamId || (c.Session.UserId != result.Data.(*model.Command).CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) {
 c.LogAudit("fail - inappropriate permissions")
 c.Err = model.NewLocAppError("deleteCommand", "api.command.delete.app_error", nil, "user_id="+c.Session.UserId)
 return
diff --git a/api/context.go b/api/context.go
index e77f6da24..edee8bb21 100644
--- a/api/context.go
+++ b/api/context.go
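Review bot: Both the `regenToken` and the `deleteCommand` permission failures in these hunks assign `c.Err` without a status code, so a caller who is not the creator and lacks `MANAGE_OTHERS_SLASH_COMMANDS` gets whatever default `NewLocAppError` assigns instead of 403, and the same denial a few lines earlier (`admin_only`) does get `http.StatusForbidden`; an authorization refusal that surfaces as a server fault will also skew error-rate monitoring. Add `c.Err.StatusCode = http.StatusForbidden` after each of the two assignments. Keeping `c.TeamId != cmd.TeamId` as the first operand is the right shape, since a cross-team id is rejected before the creator comparison is consulted. Both handlers start before their hunks.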
@@ -345,7 +345,7 @@ func (c *Context) SystemAdminRequired() {
 c.Err = model.NewLocAppError("", "api.context.session_expired.app_error", nil, "SystemAdminRequired")
 c.Err.StatusCode = http.StatusUnauthorized
 return
- } else if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ } else if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
 c.Err = model.NewLocAppError("", "api.context.permissions.app_error", nil, "AdminRequired")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -378,6 +378,11 @@ func (c *Context) SetUnknownError(where string, details string) {
 c.Err = model.NewLocAppError(where, "api.context.unknown.app_error", nil, details)
 }
+func (c *Context) SetPermissionError(permission *model.Permission) {
+ c.Err = model.NewLocAppError("Permissions", "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", "+"permission="+permission.Id)
+ c.Err.StatusCode = http.StatusForbidden
+}
+
 func (c *Context) setTeamURL(url string, valid bool) {
 c.teamURL = url
 c.teamURLValid = valid
@@ -462,14 +467,14 @@ func Handle404(w http.ResponseWriter, r *http.Request) {
 func (c *Context) CheckTeamId() {
 if c.TeamId != "" && c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
 if result := <-app.Srv.Store.Team().Get(c.TeamId); result.Err != nil {
 c.Err = result.Err
 c.Err.StatusCode = http.StatusBadRequest
 return
 }
 } else {
- // HasPermissionToContext automatically fills the Context error
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
diff --git a/api/deprecated.go b/api/deprecated.go
index 765c3aac1..9c1d2a4ce 100644
--- a/api/deprecated.go
+++ b/api/deprecated.go
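Review bot: `SetPermissionError` records only `userId` and `permission` in the error detail, whereas the deleted `HasPermissionToTeamContext` and `HasPermissionToChannelContext` also logged `teamId` and the caller's role ids, so a denial is now harder to triage from the server log; consider `"userId="+c.Session.UserId+", teamId="+c.TeamId+", permission="+permission.Id+", roles="+model.RoleIdsToString(c.Session.GetUserRoles())`, both helpers being names the removed file already used. The `where` argument is the constant `"Permissions"` for every caller, so the log no longer identifies which handler refused; a doc comment should at least say so, e.g. `// SetPermissionError records a 403 for permission on the context; it does not identify the calling handler, so callers that need that in logs must add it.` The `c.Err.StatusCode = http.StatusForbidden` line is correct and is what makes the new pattern safe to spread across handlers.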
@@ -32,7 +32,8 @@ func InitDeprecated() {
 func getMoreChannels(c *Context, w http.ResponseWriter, r *http.Request) {
 // user is already in the team
- if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_LIST_TEAM_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_LIST_TEAM_CHANNELS)
 return
 }
diff --git a/api/emoji.go b/api/emoji.go
index fb511cd03..8f665fbc1 100644
--- a/api/emoji.go
+++ b/api/emoji.go
@@ -217,7 +217,7 @@ func deleteEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
 } else {
 emoji = result.Data.(*model.Emoji)
- if c.Session.UserId != emoji.CreatorId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if c.Session.UserId != emoji.CreatorId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
 c.Err = model.NewLocAppError("deleteEmoji", "api.emoji.delete.permissions.app_error", nil, "user_id="+c.Session.UserId)
 c.Err.StatusCode = http.StatusUnauthorized
 return
diff --git a/api/file.go b/api/file.go
index 9fda76d8f..bbe06f2da 100644
--- a/api/file.go
+++ b/api/file.go
@@ -65,7 +65,8 @@ func uploadFile(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_UPLOAD_FILE) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_UPLOAD_FILE) {
+ c.SetPermissionError(model.PERMISSION_UPLOAD_FILE)
 return
 }
@@ -254,7 +255,8 @@ func getFileInfoForRequest(c *Context, r *http.Request, requireFileVisible bool)
 }
 if requireFileVisible {
- if !HasPermissionToChannelByPostContext(c, info.PostId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannelByPost(c.Session, info.PostId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return nil, c.Err
 }
 }
diff --git a/api/license.go b/api/license.go
index 8a6ee7385..41cba914d 100644
--- a/api/license.go
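Review bot: `deleteEmoji` answers a permission failure with `http.StatusUnauthorized` (401), which tells the client its credential is missing or invalid; the caller here is authenticated but not allowed, so `http.StatusForbidden` is the right status and is what every other check this commit touches uses. Change the line to `c.Err.StatusCode = http.StatusForbidden`, or collapse the two lines into `c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)` if the emoji-specific `api.emoji.delete.permissions.app_error` message is not relied upon. The creator-or-system-admin rule itself is unchanged by the commit; the `if/else` on the store result starts before the hunk.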
+++ b/api/license.go
@@ -174,8 +174,7 @@ func RemoveLicense() *model.AppError {
 }
 func getClientLicenceConfig(c *Context, w http.ResponseWriter, r *http.Request) {
- useSanitizedLicense := !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM)
- c.Err = nil
+ useSanitizedLicense := !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM)
 etag := utils.GetClientLicenseEtag(useSanitizedLicense)
 if HandleEtag(etag, "Get Client License Config", w, r) {
diff --git a/api/oauth.go b/api/oauth.go
index 538831ee0..abb216414 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -54,7 +54,7 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
 c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -93,14 +93,14 @@ func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
 c.Err = model.NewLocAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
 }
 var ochan store.StoreChannel
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+ if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
 ochan = app.Srv.Store.OAuth().GetApps()
 } else {
 c.Err = nil
@@ -297,7 +297,7 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 case model.OAUTH_ACTION_LOGIN:
 user := LoginByOAuth(c, w, r, service, body)
 if len(teamId) > 0 {
- c.Err = app.JoinUserToTeamById(teamId, user)
+ c.Err = app.AddUserToTeamByTeamId(teamId, user)
 }
 if c.Err == nil {
 if val, ok := props["redirect_to"]; ok {
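Review bot: In `getOAuthApps` the `c.Err = nil` in the `else` branch existed only to undo the error the old `HasPermissionToContext` stored on the context; the replacement `app.SessionHasPermissionTo` does not touch `c.Err`, so the line is now dead and, if any earlier step in the handler had set an error, would silently discard it. Drop it, exactly as the license.go hunk above drops the same `c.Err = nil` in `getClientLicenceConfig`. The `JoinUserToTeamById` → `AddUserToTeamByTeamId` change in `completeOAuth` is unrelated to the permissions move and its semantics are not visible here; if it is a pure rename a line in the commit message saying so would let reviewers skip it, and if it is not it deserves its own commit.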
@@ -855,7 +855,7 @@ func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_OAUTH) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
 c.Err = model.NewLocAppError("deleteOAuthApp", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -875,7 +875,7 @@ func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 c.Err = result.Err
 return
 } else {
- if c.Session.UserId != result.Data.(*model.OAuthApp).CreatorId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+ if c.Session.UserId != result.Data.(*model.OAuthApp).CreatorId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
 c.LogAudit("fail - inappropriate permissions")
 c.Err = model.NewLocAppError("deleteOAuthApp", "api.oauth.delete.permissions.app_error", nil, "user_id="+c.Session.UserId)
 return
@@ -958,7 +958,7 @@ func regenerateOAuthSecret(c *Context, w http.ResponseWriter, r *http.Request) {
 } else {
 oauthApp = result.Data.(*model.OAuthApp)
- if oauthApp.CreatorId != c.Session.UserId && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+ if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
 c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
diff --git a/api/post.go b/api/post.go
index ba089ec4f..9121adb92 100644
--- a/api/post.go
+++ b/api/post.go
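Review bot: The error raised in `regenerateOAuthSecret` names `"registerOAuthApp"` as its location, a copy-paste slip that will send anyone triaging a log to the wrong handler; change it to `c.Err = model.NewLocAppError("regenerateOAuthSecret", "api.command.admin_only.app_error", nil, "")`. In the preceding `deleteOAuthApp` hunk the creator-or-system-wide denial sets `c.Err` without a status code, unlike the `admin_only` check just above it, so add `c.Err.StatusCode = http.StatusForbidden` there as well. Both `if/else` blocks on the store result begin before their hunks.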
@@ -48,7 +48,8 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
 cchan := app.Srv.Store.Channel().Get(post.ChannelId, true)
- if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_CREATE_POST) {
+ if !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_CREATE_POST) {
+ c.SetPermissionError(model.PERMISSION_CREATE_POST)
 return
 }
@@ -67,7 +68,7 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if post.CreateAt != 0 && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if post.CreateAt != 0 && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
 post.CreateAt = 0
 }
@@ -113,7 +114,8 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
 pchan := app.Srv.Store.Post().Get(post.Id)
- if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_EDIT_POST) {
+ if !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_EDIT_POST) {
+ c.SetPermissionError(model.PERMISSION_EDIT_POST)
 return
 }
@@ -233,7 +235,8 @@ func getPosts(c *Context, w http.ResponseWriter, r *http.Request) {
 etagChan := app.Srv.Store.Post().GetEtag(id, true)
- if !HasPermissionToChannelContext(c, id, model.PERMISSION_CREATE_POST) {
+ if !app.SessionHasPermissionToChannel(c.Session, id, model.PERMISSION_CREATE_POST) {
+ c.SetPermissionError(model.PERMISSION_CREATE_POST)
 return
 }
@@ -274,7 +277,8 @@ func getPostsSince(c *Context, w http.ResponseWriter, r *http.Request) {
 pchan := app.Srv.Store.Post().GetPostsSince(id, time, true)
- if !HasPermissionToChannelContext(c, id, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
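Review bot: `updatePost` evaluates `PERMISSION_EDIT_POST` against `post.ChannelId` as submitted by the client, while the stored post is fetched on `pchan` and consumed after the hunk; unless that later code compares the stored post's `ChannelId` with the submitted one and rejects a mismatch, a caller could name a channel they may edit in while targeting a post that lives elsewhere. If the comparison exists, a comment at the check, `// post.ChannelId is client-supplied; the stored post's channel is verified against it below`, makes the reliance explicit, and if it does not, add it. Separately, `getPosts` gates a read with `PERMISSION_CREATE_POST`, which the commit message says was reverted on purpose; a one-line `// intentionally CREATE_POST rather than READ_CHANNEL, see #5146` would stop the next reader from "fixing" it. Both handlers begin before their hunks.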
@@ -306,7 +310,8 @@ func getPost(c *Context, w http.ResponseWriter, r *http.Request) { pchan := app.Srv.Store.Post().Get(postId) - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } @@ -350,7 +355,8 @@ func getPostById(c *Context, w http.ResponseWriter, r *http.Request) { } post := list.Posts[list.Order[0]] - if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } @@ -391,7 +397,8 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToTeamContext(c, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) { + if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) { + c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS) return } @@ -424,7 +431,8 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_DELETE_POST) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_DELETE_POST) { + c.SetPermissionError(model.PERMISSION_DELETE_POST) return } @@ -448,7 +456,7 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if post.UserId != c.Session.UserId && !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_DELETE_OTHERS_POSTS) { + if post.UserId != c.Session.UserId && !app.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_DELETE_OTHERS_POSTS) { c.Err = model.NewLocAppError("deletePost", "api.post.delete_post.permissions.app_error", nil, "") c.Err.StatusCode = http.StatusForbidden return 
@@ -529,7 +537,8 @@ func getPostsBeforeOrAfter(c *Context, w http.ResponseWriter, r *http.Request, b // We can do better than this etag in this situation etagChan := app.Srv.Store.Post().GetEtag(id, true) - if !HasPermissionToChannelContext(c, id, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, id, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } @@ -614,7 +623,8 @@ func getFileInfosForPost(c *Context, w http.ResponseWriter, r *http.Request) { pchan := app.Srv.Store.Post().Get(postId) fchan := app.Srv.Store.FileInfo().GetForPost(postId) - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } diff --git a/api/reaction.go b/api/reaction.go index ac5df4516..fd9a05779 100644 --- a/api/reaction.go +++ b/api/reaction.go @@ -41,7 +41,8 @@ func saveReaction(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } @@ -99,7 +100,8 @@ func deleteReaction(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } 
@@ -179,7 +181,8 @@ func listReactions(c *Context, w http.ResponseWriter, r *http.Request) { pchan := app.Srv.Store.Post().Get(postId) - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } diff --git a/api/team.go b/api/team.go index 096e0a49f..2c5a25a3f 100644 --- a/api/team.go +++ b/api/team.go @@ -21,7 +21,7 @@ import ( func InitTeam() { l4g.Debug(utils.T("api.team.init.debug")) - BaseRoutes.Teams.Handle("/create", ApiAppHandler(createTeam)).Methods("POST") + BaseRoutes.Teams.Handle("/create", ApiUserRequired(createTeam)).Methods("POST") BaseRoutes.Teams.Handle("/all", ApiAppHandler(getAll)).Methods("GET") BaseRoutes.Teams.Handle("/all_team_listings", ApiUserRequired(GetAllTeamListings)).Methods("GET") BaseRoutes.Teams.Handle("/get_invite_info", ApiAppHandler(getInviteInfo)).Methods("POST") 
@@ -56,74 +56,20 @@ func createTeam(c *Context, w http.ResponseWriter, r *http.Request) { return } - var user *model.User - var err *model.AppError - if len(c.Session.UserId) > 0 { - if user, err = app.GetUser(c.Session.UserId); err != nil { - c.Err = err - return - } else { - team.Email = user.Email - } - } - - if !isTeamCreationAllowed(c, team.Email) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_TEAM) { + c.Err = model.NewLocAppError("createTeam", "api.team.is_team_creation_allowed.disabled.app_error", nil, "") return } - rteam, err := app.CreateTeam(team) + rteam, err := app.CreateTeamWithUser(team, c.Session.UserId) if err != nil { c.Err = err return } - if user != nil { - err := app.JoinUserToTeam(team, user) - if err != nil { - c.Err = err - return - } - } - w.Write([]byte(rteam.ToJson())) } -func isTeamCreationAllowed(c *Context, email string) bool { - - email = strings.ToLower(email) - - if !utils.Cfg.TeamSettings.EnableTeamCreation && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { - c.Err = model.NewLocAppError("isTeamCreationAllowed", "api.team.is_team_creation_allowed.disabled.app_error", nil, "") - return false - } - c.Err = nil - - if user, err := app.GetUserByEmail(email); err == nil { - if len(user.AuthService) > 0 && len(*user.AuthData) > 0 { - return true - } - } - - // commas and @ signs are optional - // can be in the form of "@corp.mattermost.com, mattermost.com mattermost.org" -> corp.mattermost.com mattermost.com mattermost.org - domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(utils.Cfg.TeamSettings.RestrictCreationToDomains, "@", " ", -1), ",", " ", -1)))) - - matched := false - for _, d := range domains { - if strings.HasSuffix(email, "@"+d) { - matched = true - break - } - } - - if len(utils.Cfg.TeamSettings.RestrictCreationToDomains) > 0 && !matched { - c.Err = model.NewLocAppError("isTeamCreationAllowed", "api.team.is_team_creation_allowed.domain.app_error", 
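Review bot: The `RestrictCreationToDomains` check (and the SSO-user exemption) that the deleted isTeamCreationAllowed enforced is not replaced anywhere in this hunk; `app.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_TEAM)` only covers the EnableTeamCreation/system-admin half of the old gate, so unless `app.CreateTeamWithUser` re-implements the domain check, a user whose email is outside the allowed domains can now create a team. The old code also overwrote `team.Email` with the session user's address, while the new code passes the client-supplied `team.Email` straight into CreateTeamWithUser; confirm that the app layer sets it from the user rather than trusting the request. Once verified, record it at the call: `// domain restriction and team.Email ownership are enforced in app.CreateTeamWithUser`. The failure branch also sets c.Err without a StatusCode where the rest of this commit uses `c.SetPermissionError(...)`, so the client likely sees a 500-class error for a permission denial. createTeam's body starts before this hunk.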
nil, "") - return false - } - - return true -} - func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) { var teams []*model.Team var err *model.AppError @@ -136,10 +82,9 @@ func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) { m := make(map[string]*model.Team) for _, v := range teams { m[v.Id] = v - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM) { m[v.Id].Sanitize() } - c.Err = nil } w.Write([]byte(model.TeamMapToJson(m))) @@ -151,10 +96,9 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request) { var teams []*model.Team var err *model.AppError - if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM) { teams, err = app.GetAllTeams() } else { - c.Err = nil teams, err = app.GetTeamsForUser(c.Session.UserId) } 
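Review bot: GetAllTeamListings and getAll use `app.HasPermissionTo(c.Session.UserId, model.PERMISSION_MANAGE_SYSTEM)` while every other handler in this commit uses `app.SessionHasPermissionTo(c.Session, ...)`; if the two differ (a user lookup versus the roles carried on the session, which I cannot confirm from here), system-admin detection for team listing diverges from the rest of the API. Use `app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM)` in both places, or add a one-line comment explaining why the user-id based check is intended here.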
@@ -173,31 +117,21 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request) { func inviteMembers(c *Context, w http.ResponseWriter, r *http.Request) { invites := model.InvitesFromJson(r.Body) - if len(invites.Invites) == 0 { - c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.no_one.app_error", nil, "") - c.Err.StatusCode = http.StatusBadRequest - return - } - if utils.IsLicensed { - if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_INVITE_USER) { - if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_SYSTEM_ADMIN { - c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_system_admin.app_error", nil, "") - } - if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN { - c.Err = model.NewLocAppError("inviteMembers", "api.team.invite_members.restricted_team_admin.app_error", nil, "") - } - c.Err.StatusCode = http.StatusForbidden - return + if utils.IsLicensed && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_INVITE_USER) { + errorId := "" + if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_SYSTEM_ADMIN { + errorId = "api.team.invite_members.restricted_system_admin.app_error" + } else if *utils.Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN { + errorId = "api.team.invite_members.restricted_team_admin.app_error" } - } - emailList := make([]string, len(invites.Invites)) - for _, invite := range invites.Invites { - emailList = append(emailList, invite["email"]) + c.Err = model.NewLocAppError("inviteMembers", errorId, nil, "") + c.Err.StatusCode = http.StatusForbidden + return } - if err := app.InviteNewUsersToTeam(emailList, c.TeamId, c.Session.UserId, c.GetSiteURL()); err != nil { + if err := app.InviteNewUsersToTeam(invites.ToEmailList(), c.TeamId, c.Session.UserId, c.GetSiteURL()); err != nil { c.Err = err return } 
@@ -214,24 +148,12 @@ func addUserToTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
- var team *model.Team
- var err *model.AppError
- if team, err = app.GetTeam(c.TeamId); err != nil {
- c.Err = err
- return
- }
-
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_ADD_USER_TO_TEAM) {
- return
- }
-
- var user *model.User
- if user, err = app.GetUser(userId); err != nil {
- c.Err = err
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_ADD_USER_TO_TEAM) {
+ c.SetPermissionError(model.PERMISSION_ADD_USER_TO_TEAM)
 return
 }
 
- if err := app.JoinUserToTeam(team, user); err != nil {
+ if _, err := app.AddUserToTeam(c.TeamId, c.Session.UserId); err != nil {
 c.Err = err
 return
 }
@@ -248,26 +170,14 @@ func removeUserFromTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
- var team *model.Team
- var err *model.AppError
- if team, err = app.GetTeam(c.TeamId); err != nil {
- c.Err = err
- return
- }
-
- var user *model.User
- if user, err = app.GetUser(userId); err != nil {
- c.Err = err
- return
- }
-
- if c.Session.UserId != user.Id {
- if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_REMOVE_USER_FROM_TEAM) {
+ if c.Session.UserId != userId {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_REMOVE_USER_FROM_TEAM) {
+ c.SetPermissionError(model.PERMISSION_REMOVE_USER_FROM_TEAM)
 return
 }
 }
 
- if err := app.LeaveTeam(team, user); err != nil {
+ if err := app.RemoveUserFromTeam(c.TeamId, userId); err != nil {
 c.Err = err
 return
 }
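Review bot: `app.AddUserToTeam(c.TeamId, c.Session.UserId)` adds the requesting user instead of the user named in the request: the removed code looked up `userId` (parsed above this hunk) and the removeUserFromTeam hunk below correctly passes `userId`, so this looks like a copy error rather than an intended change. As written the handler can only ever add the caller, which makes the PERMISSION_ADD_USER_TO_TEAM check guard an operation that no longer happens, and the team_test.go change that now promotes BasicUser2 instead of BasicUser appears to work around the symptom rather than catch it. It should read `if _, err := app.AddUserToTeam(c.TeamId, userId); err != nil {`. addUserToTeam's signature and userId parsing are outside the hunk.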
@@ -285,9 +195,9 @@ func addUserToTeamFromInvite(c *Context, w http.ResponseWriter, r *http.Request) var err *model.AppError if len(hash) > 0 { - team, err = app.JoinUserToTeamByHash(c.Session.UserId, hash, data) + team, err = app.AddUserToTeamByHash(c.Session.UserId, hash, data) } else if len(inviteId) > 0 { - team, err = app.JoinUserToTeamByInviteId(inviteId, c.Session.UserId) + team, err = app.AddUserToTeamByInviteId(inviteId, c.Session.UserId) } else { c.Err = model.NewLocAppError("addUserToTeamFromInvite", "api.user.create_user.signup_link_invalid.app_error", nil, "") return @@ -326,7 +236,8 @@ func getTeamByName(c *Context, w http.ResponseWriter, r *http.Request) { return } else { if team.Type != model.TEAM_OPEN && c.Session.GetTeamByTeamId(team.Id) == nil { - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) return } } @@ -363,7 +274,6 @@ func getMyTeamsUnread(c *Context, w http.ResponseWriter, r *http.Request) { func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) { team := model.TeamFromJson(r.Body) - if team == nil { c.SetInvalidParam("updateTeam", "team") return @@ -371,9 +281,8 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) { team.Id = c.TeamId - if !HasPermissionToTeamContext(c, team.Id, model.PERMISSION_MANAGE_TEAM) { - c.Err = model.NewLocAppError("updateTeam", "api.team.update_team.permissions.app_error", nil, "userId="+c.Session.UserId) - c.Err.StatusCode = http.StatusForbidden + if !app.SessionHasPermissionToTeam(c.Session, team.Id, model.PERMISSION_MANAGE_TEAM) { + c.SetPermissionError(model.PERMISSION_MANAGE_TEAM) return } 
@@ -386,12 +295,6 @@ func updateTeam(c *Context, w http.ResponseWriter, r *http.Request) { return } - updatedTeam.Sanitize() - - message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_UPDATE_TEAM, "", "", "", nil) - message.Add("team", updatedTeam.ToJson()) - go app.Publish(message) - w.Write([]byte(updatedTeam.ToJson())) } @@ -412,7 +315,8 @@ func updateMemberRoles(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToTeamContext(c, teamId, model.PERMISSION_MANAGE_ROLES) { + if !app.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_MANAGE_TEAM_ROLES) { + c.SetPermissionError(model.PERMISSION_MANAGE_TEAM_ROLES) return } @@ -446,7 +350,8 @@ func getMyTeam(c *Context, w http.ResponseWriter, r *http.Request) { func getTeamStats(c *Context, w http.ResponseWriter, r *http.Request) { if c.Session.GetTeamByTeamId(c.TeamId) == nil { - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) return } } @@ -461,9 +366,8 @@ func getTeamStats(c *Context, w http.ResponseWriter, r *http.Request) { } func importTeam(c *Context, w http.ResponseWriter, r *http.Request) { - if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_IMPORT_TEAM) { - c.Err = model.NewLocAppError("importTeam", "api.team.import_team.admin.app_error", nil, "userId="+c.Session.UserId) - c.Err.StatusCode = http.StatusForbidden + if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_IMPORT_TEAM) { + c.SetPermissionError(model.PERMISSION_IMPORT_TEAM) return } 
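Review bot: `updatedTeam.Sanitize()` is dropped immediately before `w.Write([]byte(updatedTeam.ToJson()))`, so the response now carries whatever `app.UpdateTeam` returns; if sanitisation and the WEBSOCKET_EVENT_UPDATE_TEAM publish moved into the app package this is fine, but nothing in this diff shows that. Confirm it and note it at the write, `// app.UpdateTeam sanitizes the team and publishes the update event`, or keep the Sanitize call in the handler. The switch from PERMISSION_MANAGE_ROLES to PERMISSION_MANAGE_TEAM_ROLES in updateMemberRoles reads as a deliberate narrowing and deserves a line in the commit message so it is not mistaken for a typo.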
@@ -569,7 +473,8 @@ func getTeamMembers(c *Context, w http.ResponseWriter, r *http.Request) { } if c.Session.GetTeamByTeamId(c.TeamId) == nil { - if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) return } } @@ -593,7 +498,8 @@ func getTeamMember(c *Context, w http.ResponseWriter, r *http.Request) { } if c.Session.GetTeamByTeamId(c.TeamId) == nil { - if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) return } } @@ -615,7 +521,8 @@ func getTeamMembersByIds(c *Context, w http.ResponseWriter, r *http.Request) { } if c.Session.GetTeamByTeamId(c.TeamId) == nil { - if !HasPermissionToTeamContext(c, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) return } } diff --git a/api/team_test.go b/api/team_test.go index fdc7e334b..1b1b555fe 100644 --- a/api/team_test.go +++ b/api/team_test.go @@ -14,7 +14,6 @@ import ( func TestCreateTeam(t *testing.T) { th := Setup().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} @@ -58,6 +57,8 @@ func TestCreateTeam(t *testing.T) { func TestAddUserToTeam(t *testing.T) { th := Setup().InitSystemAdmin().InitBasic() + th.BasicClient.Logout() + th.LoginBasic2() user2 := th.CreateUser(th.BasicClient) 
@@ -66,7 +67,7 @@ func TestAddUserToTeam(t *testing.T) { } th.SystemAdminClient.SetTeamId(th.BasicTeam.Id) - if _, err := th.SystemAdminClient.UpdateTeamRoles(th.BasicUser.Id, "team_user team_admin"); err != nil { + if _, err := th.SystemAdminClient.UpdateTeamRoles(th.BasicUser2.Id, "team_user team_admin"); err != nil { t.Fatal(err) } @@ -132,12 +133,13 @@ func TestAddUserToTeamFromInvite(t *testing.T) { func TestGetAllTeams(t *testing.T) { th := Setup().InitBasic().InitSystemAdmin() - th.BasicClient.Logout() Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) @@ -165,12 +167,13 @@ func TestGetAllTeams(t *testing.T) { func TestGetAllTeamListings(t *testing.T) { th := Setup().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN, AllowOpenInvite: true} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) 
@@ -211,12 +214,13 @@ func TestGetAllTeamListings(t *testing.T) { func TestTeamPermDelete(t *testing.T) { th := Setup().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user1 := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user1 = Client.Must(Client.CreateUser(user1, "")).Data.(*model.User) LinkUserToTeam(user1, team) @@ -254,13 +258,14 @@ func TestTeamPermDelete(t *testing.T) { func TestInviteMembers(t *testing.T) { th := Setup().InitBasic().InitSystemAdmin() - th.BasicClient.Logout() Client := th.BasicClient SystemAdminClient := th.SystemAdminClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user := &model.User{Email: model.NewId() + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) 
@@ -339,16 +344,12 @@ func TestInviteMembers(t *testing.T) { func TestUpdateTeamDisplayName(t *testing.T) { th := Setup().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) - user := &model.User{Email: team.Email, Nickname: "Corey Hulen", Password: "passwd1"} - user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) - LinkUserToTeam(user, team) - store.Must(app.Srv.Store.User().VerifyEmail(user.Id)) + Client.Logout() user2 := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User) @@ -364,7 +365,7 @@ func TestUpdateTeamDisplayName(t *testing.T) { t.Fatal("Should have errored, not admin") } - Client.Login(user.Email, "passwd1") + th.LoginBasic() vteam.DisplayName = "" if _, err := Client.UpdateTeam(vteam); err == nil { @@ -379,7 +380,6 @@ func TestUpdateTeamDisplayName(t *testing.T) { func TestFuzzyTeamCreate(t *testing.T) { th := Setup().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient for i := 0; i < len(utils.FUZZY_STRINGS_NAMES) || i < len(utils.FUZZY_STRINGS_EMAILS); i++ { 
@@ -404,13 +404,14 @@ func TestFuzzyTeamCreate(t *testing.T) { func TestGetMyTeam(t *testing.T) { th := Setup().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(team) team = rteam.Data.(*model.Team) + Client.Logout() + user := model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} ruser, _ := Client.CreateUser(&user, "") LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team)) @@ -670,16 +671,12 @@ func TestGetTeamStats(t *testing.T) { func TestUpdateTeamDescription(t *testing.T) { th := Setup().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) - user := &model.User{Email: team.Email, Nickname: "My Testing", Password: "passwd1"} - user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) - LinkUserToTeam(user, team) - store.Must(app.Srv.Store.User().VerifyEmail(user.Id)) + Client.Logout() user2 := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Jabba the Hutt", Password: "passwd1"} user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User) @@ -695,7 +692,7 @@ func TestUpdateTeamDescription(t *testing.T) { t.Fatal("Should have errored, not admin") } - Client.Login(user.Email, "passwd1") + th.LoginBasic() vteam.Description = "" if _, err := Client.UpdateTeam(vteam); err != nil { 
@@ -710,7 +707,6 @@ func TestUpdateTeamDescription(t *testing.T) { func TestGetTeamByName(t *testing.T) { th := Setup().InitSystemAdmin().InitBasic() - th.BasicClient.Logout() Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_INVITE} @@ -719,12 +715,6 @@ func TestGetTeamByName(t *testing.T) { team2 := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "success+" + model.NewId() + "@simulator.amazonses.com", Type: model.TEAM_OPEN} team2 = Client.Must(Client.CreateTeam(team2)).Data.(*model.Team) - user := &model.User{Email: team.Email, Nickname: "My Testing", Password: "passwd1"} - user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) - LinkUserToTeam(user, team) - store.Must(app.Srv.Store.User().VerifyEmail(user.Id)) - - Client.Login(user.Email, "passwd1") if _, err := Client.GetTeamByName(team.Name); err != nil { t.Fatal("Failed to get team") } @@ -747,7 +737,7 @@ func TestGetTeamByName(t *testing.T) { // TEAM_INVITE and user is not part of the team if _, err := Client.GetTeamByName(team.Name); err == nil { - t.Fatal("Should not fail dont have permissions to get the team") + t.Fatal("Should fail dont have permissions to get the team") } if _, err := Client.GetTeamByName("InvalidTeamName"); err == nil { diff --git a/api/user.go b/api/user.go index 37c9948ed..789e10f5e 100644 --- a/api/user.go +++ b/api/user.go @@ -443,7 +443,8 @@ func getSessions(c *Context, w http.ResponseWriter, r *http.Request) { params := mux.Vars(r) id := params["user_id"] - if !HasPermissionToUser(c, id) { + if !app.SessionHasPermissionToUser(c.Session, id) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) return } 
@@ -538,12 +539,11 @@ func getInitialLoad(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 
 il.ClientCfg = utils.ClientCfg
- if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
 il.LicenseCfg = utils.ClientLicense
 } else {
 il.LicenseCfg = utils.GetSanitizedClientLicense()
 }
- c.Err = nil
 
 w.Write([]byte(il.ToJson()))
 }
@@ -652,7 +652,7 @@ func getProfilesInTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 teamId := params["team_id"]
 
 if c.Session.GetTeamByTeamId(teamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
 return
 }
 }
@@ -695,12 +695,14 @@ func getProfilesInChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 channelId := params["channel_id"]
 
 if c.Session.GetTeamByTeamId(c.TeamId) == nil {
- if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
 return
 }
 }
 
- if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) {
+ if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
 
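Review bot: getProfilesInTeam returns from the failed PERMISSION_MANAGE_SYSTEM check without calling `c.SetPermissionError`, unlike getProfilesInChannel and getProfilesNotInChannel in the same file; the old HasPermissionToContext set c.Err itself (which is why the `c.Err = nil` resets are being removed), so this path now most likely completes with no error and an empty 200 body instead of a 403. Add `c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)` before that `return`. The same bare return survives in autocompleteUsersInChannel and autocompleteUsersInTeam later in this file.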
@@ -736,12 +738,14 @@ func getProfilesNotInChannel(c *Context, w http.ResponseWriter, r *http.Request) channelId := params["channel_id"] if c.Session.GetTeamByTeamId(c.TeamId) == nil { - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) return } } - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } @@ -776,7 +780,8 @@ func getAudits(c *Context, w http.ResponseWriter, r *http.Request) { params := mux.Vars(r) id := params["user_id"] - if !HasPermissionToUser(c, id) { + if !app.SessionHasPermissionToUser(c.Session, id) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) return } @@ -887,7 +892,8 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToUser(c, user.Id) { + if !app.SessionHasPermissionToUser(c.Session, user.Id) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) return } @@ -1006,7 +1012,8 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_ROLES) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_ROLES) { + c.SetPermissionError(model.PERMISSION_MANAGE_ROLES) return } 
@@ -1042,7 +1049,7 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) { // true when you're trying to de-activate yourself isSelfDeactive := !active && userId == c.Session.UserId - if !isSelfDeactive && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !isSelfDeactive && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { c.Err = model.NewLocAppError("updateActive", "api.user.update_active.permissions.app_error", nil, "userId="+userId) c.Err.StatusCode = http.StatusForbidden return @@ -1166,7 +1173,7 @@ func ResetPassword(c *Context, userId, newPassword string) *model.AppError { return err } - if user.AuthData != nil && len(*user.AuthData) != 0 && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if user.AuthData != nil && len(*user.AuthData) != 0 && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { return model.NewLocAppError("ResetPassword", "api.user.reset_password.sso.app_error", nil, "userId="+user.Id) } @@ -1187,7 +1194,8 @@ func updateUserNotify(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !HasPermissionToUser(c, userId) { + if !app.SessionHasPermissionToUser(c.Session, userId) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) return } @@ -1828,12 +1836,11 @@ func userTyping(req *model.WebSocketRequest) (map[string]interface{}, *model.App func sanitizeProfile(c *Context, user *model.User) *model.User { options := utils.Cfg.GetSanitizeOptions() - if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { options["email"] = true options["fullname"] = true options["authservice"] = true } - c.Err = nil user.SanitizeProfile(options) 
@@ -1852,18 +1859,20 @@ func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) { return } - if props.InChannelId != "" && !HasPermissionToChannelContext(c, props.InChannelId, model.PERMISSION_READ_CHANNEL) { + if props.InChannelId != "" && !app.SessionHasPermissionToChannel(c.Session, props.InChannelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } - if props.NotInChannelId != "" && !HasPermissionToChannelContext(c, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) { + if props.NotInChannelId != "" && !app.SessionHasPermissionToChannel(c.Session, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } searchOptions := map[string]bool{} searchOptions[store.USER_SEARCH_OPTION_ALLOW_INACTIVE] = props.AllowInactive - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { hideFullName := !utils.Cfg.PrivacySettings.ShowFullName hideEmail := !utils.Cfg.PrivacySettings.ShowEmailAddress @@ -1874,8 +1883,6 @@ func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) { } else if hideEmail { searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true } - - c.Err = nil } var profiles []*model.User 
@@ -1928,21 +1935,21 @@ func autocompleteUsersInChannel(c *Context, w http.ResponseWriter, r *http.Reque term := r.URL.Query().Get("term") if c.Session.GetTeamByTeamId(teamId) == nil { - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { return } } - if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { + if !app.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } searchOptions := map[string]bool{} hideFullName := !utils.Cfg.PrivacySettings.ShowFullName - if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if hideFullName && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true - c.Err = nil } else { searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true } @@ -1971,7 +1978,7 @@ func autocompleteUsersInTeam(c *Context, w http.ResponseWriter, r *http.Request) term := r.URL.Query().Get("term") if c.Session.GetTeamByTeamId(teamId) == nil { - if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { return } } @@ -1979,9 +1986,8 @@ func autocompleteUsersInTeam(c *Context, w http.ResponseWriter, r *http.Request) searchOptions := map[string]bool{} hideFullName := !utils.Cfg.PrivacySettings.ShowFullName - if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if hideFullName && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true - c.Err = nil } else { searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true } 
@@ -2005,9 +2011,8 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { searchOptions := map[string]bool{} hideFullName := !utils.Cfg.PrivacySettings.ShowFullName - if hideFullName && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) { + if hideFullName && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true - c.Err = nil } else { searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true } diff --git a/api/user_test.go b/api/user_test.go index 96d1fd3d0..a7d6224ea 100644 --- a/api/user_test.go +++ b/api/user_test.go @@ -28,9 +28,6 @@ func TestCreateUser(t *testing.T) { th := Setup() Client := th.CreateClient() - team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} - rteam, _ := Client.CreateTeam(&team) - user := model.User{Email: strings.ToLower("success+"+model.NewId()) + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "hello1", Username: "n" + model.NewId()} ruser, err := Client.CreateUser(&user, "") @@ -38,6 +35,11 @@ func TestCreateUser(t *testing.T) { t.Fatal(err) } + Client.Login(user.Email, user.Password) + + team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} + rteam, _ := Client.CreateTeam(&team) + LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team)) if ruser.Data.(*model.User).Nickname != user.Nickname { @@ -108,8 +110,8 @@ func TestCheckUserDomain(t *testing.T) { } func TestLogin(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient enableSignInWithEmail := *utils.Cfg.EmailSettings.EnableSignInWithEmail enableSignInWithUsername := *utils.Cfg.EmailSettings.EnableSignInWithUsername 
@@ -127,6 +129,11 @@ func TestLogin(t *testing.T) { team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) + team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_INVITE} + rteam2 := Client.Must(Client.CreateTeam(&team2)) + + Client.Logout() + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Username: "corey" + model.NewId(), Password: "passwd1"} ruser, _ := Client.CreateUser(&user, "") LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team)) @@ -191,9 +198,6 @@ func TestLogin(t *testing.T) { Client.AuthToken = "" - team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_INVITE} - rteam2 := Client.Must(Client.CreateTeam(&team2)) - user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} if _, err := Client.CreateUserFromSignup(&user2, "junk", "1231312"); err == nil { @@ -235,12 +239,14 @@ func TestLogin(t *testing.T) { } func TestLoginByLdap(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) + Client.Logout() + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Username: "corey" + model.NewId(), Password: "passwd1"} ruser, _ := Client.CreateUser(&user, "") LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team)) 
@@ -363,12 +369,17 @@ func TestSessions(t *testing.T) { } func TestGetUser(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) + team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} + rteam2, _ := Client.CreateTeam(&team2) + + Client.Logout() + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} ruser, _ := Client.CreateUser(&user, "") LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team)) @@ -379,9 +390,6 @@ func TestGetUser(t *testing.T) { LinkUserToTeam(ruser2.Data.(*model.User), rteam.Data.(*model.Team)) store.Must(app.Srv.Store.User().VerifyEmail(ruser2.Data.(*model.User).Id)) - team2 := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} - rteam2, _ := Client.CreateTeam(&team2) - user3 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} ruser3, _ := Client.CreateUser(&user3, "") LinkUserToTeam(ruser3.Data.(*model.User), rteam2.Data.(*model.Team)) @@ -466,8 +474,8 @@ func TestGetUser(t *testing.T) { if userMap, err := Client.GetProfilesInTeam(rteam.Data.(*model.Team).Id, 0, 100, ""); err != nil { t.Fatal(err) - } else if len(userMap.Data.(map[string]*model.User)) != 2 { - t.Fatal("should have been 2") + } else if len(userMap.Data.(map[string]*model.User)) != 3 { + t.Fatal("should have been 3") } else if userMap.Data.(map[string]*model.User)[rId].Id != rId { t.Fatal("should have been valid") } else { 
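Review bot: The expected count in TestGetUser's GetProfilesInTeam check goes from 2 to 3 without a word on why; a reader has to reconstruct that rteam is now created by th.BasicUser, who presumably becomes a member on creation, on top of ruser and ruser2. Put that on the assertion, e.g. `// 3: th.BasicUser (team creator) plus ruser and ruser2`, so the next change to the test's setup does not silently break a magic number. The body of TestGetUser continues outside the hunk.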
@@ -629,12 +637,14 @@ func TestGetProfilesByIds(t *testing.T) { } func TestGetAudits(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) + Client.Logout() + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} ruser, _ := Client.CreateUser(&user, "") LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team)) @@ -667,8 +677,8 @@ func TestGetAudits(t *testing.T) { } func TestUserCreateImage(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient b, err := app.CreateProfileImage("Corey Hulen", "eo1zkdr96pdj98pjmq8zy35wba") if err != nil { @@ -729,12 +739,14 @@ func TestUserCreateImage(t *testing.T) { } func TestUserUploadProfileImage(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) 
@@ -838,12 +850,14 @@ func TestUserUploadProfileImage(t *testing.T) { } func TestUserUpdate(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", Roles: ""} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) @@ -890,11 +904,13 @@ func TestUserUpdate(t *testing.T) { } func TestUserUpdatePassword(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + + Client.Logout() Client.SetTeamId(team.Id) user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} @@ -973,12 +989,14 @@ func TestUserUpdatePassword(t *testing.T) { } func TestUserUpdateRoles(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) 
@@ -1092,8 +1110,8 @@ func TestUserUpdateRolesMoreCases(t *testing.T) { } func TestUserUpdateDeviceId(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) @@ -1123,13 +1141,18 @@ func TestUserUpdateDeviceId(t *testing.T) { } func TestUserUpdateActive(t *testing.T) { - th := Setup().InitSystemAdmin() - Client := th.CreateClient() + th := Setup().InitBasic().InitSystemAdmin() + Client := th.BasicClient SystemAdminClient := th.SystemAdminClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + team2 := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} + team2 = Client.Must(Client.CreateTeam(team2)).Data.(*model.Team) + + Client.Logout() + user := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) @@ -1153,9 +1176,6 @@ func TestUserUpdateActive(t *testing.T) { Client.Must(Client.Logout()) - team2 := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} - team2 = Client.Must(Client.CreateTeam(team2)).Data.(*model.Team) - user3 := &model.User{Email: "success+" + model.NewId() + "@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} user3 = Client.Must(Client.CreateUser(user3, "")).Data.(*model.User) LinkUserToTeam(user2, team2) 
@@ -1193,8 +1213,8 @@ func TestUserUpdateActive(t *testing.T) { } func TestUserPermDelete(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) @@ -1235,8 +1255,8 @@ func TestUserPermDelete(t *testing.T) { } func TestSendPasswordReset(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) @@ -1246,6 +1266,8 @@ func TestSendPasswordReset(t *testing.T) { LinkUserToTeam(user, team) store.Must(app.Srv.Store.User().VerifyEmail(user.Id)) + Client.Logout() + if result, err := Client.SendPasswordReset(user.Email); err != nil { t.Fatal(err) } else { @@ -1360,12 +1382,14 @@ func TestResetPassword(t *testing.T) { } func TestUserUpdateNotify(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team) + Client.Logout() + user := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1", Roles: ""} user = Client.Must(Client.CreateUser(user, "")).Data.(*model.User) LinkUserToTeam(user, team) 
@@ -1442,12 +1466,14 @@ func TestUserUpdateNotify(t *testing.T) { } func TestFuzzyUserCreate(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) + Client.Logout() + for i := 0; i < len(utils.FUZZY_STRINGS_NAMES) || i < len(utils.FUZZY_STRINGS_EMAILS); i++ { testName := "Name" testEmail := "test@nowhere.com" @@ -1471,12 +1497,14 @@ func TestFuzzyUserCreate(t *testing.T) { } func TestEmailToOAuth(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) + Client.Logout() + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} ruser := Client.Must(Client.CreateUser(&user, "")).Data.(*model.User) LinkUserToTeam(ruser, rteam.Data.(*model.Team)) @@ -1522,12 +1550,14 @@ func TestEmailToOAuth(t *testing.T) { } func TestOAuthToEmail(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) + Client.Logout() + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"} ruser := Client.Must(Client.CreateUser(&user, "")).Data.(*model.User) LinkUserToTeam(ruser, rteam.Data.(*model.Team)) 
@@ -1573,8 +1603,8 @@ func TestOAuthToEmail(t *testing.T) { } func TestLDAPToEmail(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) @@ -1626,8 +1656,8 @@ func TestLDAPToEmail(t *testing.T) { } func TestEmailToLDAP(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) @@ -1757,8 +1787,8 @@ func TestMeInitialLoad(t *testing.T) { } func TestGenerateMfaSecret(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN} rteam, _ := Client.CreateTeam(&team) @@ -1784,8 +1814,8 @@ func TestGenerateMfaSecret(t *testing.T) { } func TestUpdateMfa(t *testing.T) { - th := Setup() - Client := th.CreateClient() + th := Setup().InitBasic() + Client := th.BasicClient if utils.License.Features.MFA == nil { utils.License.Features.MFA = new(bool) 
@@ -1834,12 +1864,14 @@ func TestUpdateMfa(t *testing.T) {
 }
 func TestCheckMfa(t *testing.T) {
- th := Setup()
- Client := th.CreateClient()
+ th := Setup().InitBasic()
+ Client := th.BasicClient
 team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
 rteam, _ := Client.CreateTeam(&team)
+ Client.Logout()
+
 user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", Password: "passwd1"}
 ruser, _ := Client.CreateUser(&user, "")
 LinkUserToTeam(ruser.Data.(*model.User), rteam.Data.(*model.Team))
diff --git a/api/webhook.go b/api/webhook.go
index 32c6d80b9..5d36409eb 100644
--- a/api/webhook.go
+++ b/api/webhook.go
@@ -43,7 +43,8 @@ func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)
 return
 }
@@ -69,8 +70,9 @@ func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 channel = result.Data.(*model.Channel)
 }
- if channel.Type != model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if channel.Type != model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
 c.LogAudit("fail - bad channel permissions")
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
@@ -91,7 +93,7 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
 c.Err = model.NewLocAppError("deleteIncomingHook", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -111,7 +113,7 @@ func deleteIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 c.Err = result.Err
 return
 } else {
- if c.Session.UserId != result.Data.(*model.IncomingWebhook).UserId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ if c.Session.UserId != result.Data.(*model.IncomingWebhook).UserId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
 c.LogAudit("fail - inappropriate permissions")
 c.Err = model.NewLocAppError("deleteIncomingHook", "api.webhook.delete_incoming.permissions.app_errror", nil, "user_id="+c.Session.UserId)
 return
@@ -134,7 +136,7 @@ func getIncomingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
 c.Err = model.NewLocAppError("getIncomingHooks", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -156,7 +158,7 @@ func createOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
 c.Err = model.NewLocAppError("createOutgoingHook", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
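Review bot: deleteIncomingHook's MANAGE_WEBHOOKS denial still hand-builds `api.command.admin_only.app_error` with a 403, while createIncomingHook on the previous line was switched to `c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)`; the message is borrowed from the slash-command handlers and no longer names the permission actually being checked. Since this commit rewrites each of these lines anyway, use `c.SetPermissionError(model.PERMISSION_MANAGE_WEBHOOKS)` here and in getIncomingHooks, createOutgoingHook, getOutgoingHooks, deleteOutgoingHook and regenOutgoingHookToken (next line) so every webhook endpoint reports the same error shape. The `api.webhook.delete_incoming.permissions.app_errror` id in the second deleteIncomingHook hunk looks misspelled; it is unchanged context, but unless the i18n key carries the same spelling that error text never resolves.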
@@ -235,7 +237,7 @@ func getOutgoingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
 c.Err = model.NewLocAppError("getOutgoingHooks", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -257,7 +259,7 @@ func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
 c.Err = model.NewLocAppError("deleteOutgoingHook", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -277,7 +279,7 @@ func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
 c.Err = result.Err
 return
 } else {
- if c.Session.UserId != result.Data.(*model.OutgoingWebhook).CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ if c.Session.UserId != result.Data.(*model.OutgoingWebhook).CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
 c.LogAudit("fail - inappropriate permissions")
 c.Err = model.NewLocAppError("deleteOutgoingHook", "api.webhook.delete_outgoing.permissions.app_error", nil, "user_id="+c.Session.UserId)
 return
@@ -300,7 +302,7 @@ func regenOutgoingHookToken(c *Context, w http.ResponseWriter, r *http.Request)
 return
 }
- if !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_WEBHOOKS) {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_WEBHOOKS) {
 c.Err = model.NewLocAppError("regenOutgoingHookToken", "api.command.admin_only.app_error", nil, "")
 c.Err.StatusCode = http.StatusForbidden
 return
@@ -323,7 +325,7 @@ func regenOutgoingHookToken(c *Context, w http.ResponseWriter, r *http.Request)
 } else {
 hook = result.Data.(*model.OutgoingWebhook)
- if c.TeamId != hook.TeamId && c.Session.UserId != hook.CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
+ if c.TeamId != hook.TeamId && c.Session.UserId != hook.CreatorId && !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {
 c.LogAudit("fail - inappropriate permissions")
 c.Err = model.NewLocAppError("regenOutgoingHookToken", "api.webhook.regen_outgoing_token.permissions.app_error", nil, "user_id="+c.Session.UserId)
 return
@@ -485,7 +487,7 @@ func incomingWebhook(c *Context, w http.ResponseWriter, r *http.Request) {
 c.TeamId = hook.TeamId
- if channel.Type != model.CHANNEL_OPEN && !HasPermissionToChannelContext(c, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ if channel.Type != model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
 c.Err = model.NewLocAppError("incomingWebhook", "web.incoming_webhook.permissions.app_error", nil, "")
 return
 }
-- cgit v1.2.3-1-g7c22
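Review bot: The leading `c.TeamId != hook.TeamId &&` in regenOutgoingHookToken short-circuits the whole ownership test whenever the hook belongs to the current team, so anyone who passed the MANAGE_WEBHOOKS gate earlier in the handler can regenerate another user's token without MANAGE_OTHERS_WEBHOOKS, whereas deleteOutgoingHook on the previous line requires creator-or-MANAGE_OTHERS unconditionally; and when the teams do differ the permission is evaluated against c.TeamId rather than hook.TeamId. The commit only swaps the helper, but since it is rewriting this line it is the moment to align it with the delete path: `if c.Session.UserId != hook.CreatorId && !app.SessionHasPermissionToTeam(c.Session, hook.TeamId, model.PERMISSION_MANAGE_OTHERS_WEBHOOKS) {`. If the team-mismatch short-circuit is deliberate, a comment stating the rule it implements belongs on this line. The earlier MANAGE_WEBHOOKS check and the rest of the function are outside this hunk.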
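Review bot: The non-open-channel check in incomingWebhook evaluates c.Session, yet this handler is reached by hook id and posts on behalf of the hook's owner, so the decision rests on whatever session the posting client happens to carry rather than on hook.UserId — presumably none for a typical webhook caller, in which case hooks into private channels are rejected here, and if a session is present the check is made against the wrong principal. Confirm how this route populates c.Session; the intent reads as "is hook.UserId a member of channel.Id", which should be checked for the hook owner directly rather than through app.SessionHasPermissionToChannel. The function starts outside the hunk, so any membership lookup done earlier in it is not visible here.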