From e1cd64613591cf5a990442a69ebf188258bd0cb5 Mon Sep 17 00:00:00 2001
From: George Goldberg <george@gberg.me>
Date: Tue, 6 Feb 2018 15:34:08 +0000
Subject: XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)

* XYZ-13: Update Permission and Role structs to new design.

* XYZ-10: Role store.

* XYZ-9/XYZ-44: Roles API endpoints and WebSocket message.

* XYZ-8: Switch server permissions checks to store backed roles.

* XYZ-58: Proper validation of roles where required.

* XYZ-11/XYZ-55: Migration to store backed roles from policy config.

* XYZ-37: Update unit tests to work with database roles.

* XYZ-56: Remove the "guest" role.

* Changes to SetDefaultRolesFromConfig.

* Short-circuit the store if nothing has changed.

* Address first round of review comments.

* Address second round of review comments.
---
 app/authorization.go | 44 ++++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 20 deletions(-)

(limited to 'app/authorization.go')

diff --git a/app/authorization.go b/app/authorization.go
index 3a64bb717..632dd7566 100644
--- a/app/authorization.go
+++ b/app/authorization.go
@@ -12,7 +12,7 @@ import (
 )
 
 func (a *App) SessionHasPermissionTo(session model.Session, permission *model.Permission) bool {
-	if !a.CheckIfRolesGrantPermission(session.GetUserRoles(), permission.Id) {
+	if !a.RolesGrantPermission(session.GetUserRoles(), permission.Id) {
 		a.ClearSessionCacheForUser(session.UserId)
 		return false
 	}
@@ -28,12 +28,12 @@ func (a *App) SessionHasPermissionToTeam(session model.Session, teamId string, p
 
 	teamMember := session.GetTeamByTeamId(teamId)
 	if teamMember != nil {
-		if a.CheckIfRolesGrantPermission(teamMember.GetRoles(), permission.Id) {
+		if a.RolesGrantPermission(teamMember.GetRoles(), permission.Id) {
 			return true
 		}
 	}
 
-	return a.CheckIfRolesGrantPermission(session.GetUserRoles(), permission.Id)
+	return a.RolesGrantPermission(session.GetUserRoles(), permission.Id)
 }
 
 func (a *App) SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool {
@@ -48,7 +48,7 @@ func (a *App) SessionHasPermissionToChannel(session model.Session, channelId str
 		ids := cmcresult.Data.(map[string]string)
 		if roles, ok := ids[channelId]; ok {
 			channelRoles = strings.Fields(roles)
-			if a.CheckIfRolesGrantPermission(channelRoles, permission.Id) {
+			if a.RolesGrantPermission(channelRoles, permission.Id) {
 				return true
 			}
 		}
@@ -69,7 +69,7 @@ func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId
 	if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, session.UserId); result.Err == nil {
 		channelMember = result.Data.(*model.ChannelMember)
 
-		if a.CheckIfRolesGrantPermission(channelMember.GetRoles(), permission.Id) {
+		if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
 			return true
 		}
 	}
@@ -119,7 +119,7 @@ func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission)
 
 	roles := user.GetRoles()
 
-	return a.CheckIfRolesGrantPermission(roles, permission.Id)
+	return a.RolesGrantPermission(roles, permission.Id)
 }
 
 func (a *App) HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool {
@@ -134,7 +134,7 @@ func (a *App) HasPermissionToTeam(askingUserId string, teamId string, permission
 
 	roles := teamMember.GetRoles()
 
-	if a.CheckIfRolesGrantPermission(roles, permission.Id) {
+	if a.RolesGrantPermission(roles, permission.Id) {
 		return true
 	}
 
@@ -149,7 +149,7 @@ func (a *App) HasPermissionToChannel(askingUserId string, channelId string, perm
 	channelMember, err := a.GetChannelMember(channelId, askingUserId)
 	if err == nil {
 		roles := channelMember.GetRoles()
-		if a.CheckIfRolesGrantPermission(roles, permission.Id) {
+		if a.RolesGrantPermission(roles, permission.Id) {
 			return true
 		}
 	}
@@ -168,7 +168,7 @@ func (a *App) HasPermissionToChannelByPost(askingUserId string, postId string, p
 	if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, askingUserId); result.Err == nil {
 		channelMember = result.Data.(*model.ChannelMember)
 
-		if a.CheckIfRolesGrantPermission(channelMember.GetRoles(), permission.Id) {
+		if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
 			return true
 		}
 	}
@@ -193,17 +193,21 @@ func (a *App) HasPermissionToUser(askingUserId string, userId string) bool {
 	return false
 }
 
-func (a *App) CheckIfRolesGrantPermission(roles []string, permissionId string) bool {
-	for _, roleId := range roles {
-		if role := a.Role(roleId); role == nil {
-			l4g.Debug("Bad role in system " + roleId)
-			return false
-		} else {
-			permissions := role.Permissions
-			for _, permission := range permissions {
-				if permission == permissionId {
-					return true
-				}
+func (a *App) RolesGrantPermission(roleNames []string, permissionId string) bool {
+	roles, err := a.GetRolesByNames(roleNames)
+	if err != nil {
+		// This should only happen if something is very broken. We can't realistically
+		// recover the situation, so deny permission and log an error.
+		l4g.Error("Failed to get roles from database with role names: " + strings.Join(roleNames, ","))
+		l4g.Error(err)
+		return false
+	}
+
+	for _, role := range roles {
+		permissions := role.Permissions
+		for _, permission := range permissions {
+			if permission == permissionId {
+				return true
 			}
 		}
 	}
-- 
cgit v1.2.3-1-g7c22