From e88fe4bb1dea4918284ee3c6e5aee5a8497ff2b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Espino?= Date: Tue, 29 May 2018 16:58:12 +0200 Subject: MM-8853: Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS permissions (#8860) * MM-8853: Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS permissions * MM-8853: Removing unnecesary emoji enterprise feature * Create emojis migration * Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS always to system admins * Simplifing permissions checks * Revert "Simplifing permissions checks" This reverts commit e2cafc1905fc9e20125dd9a1552d2d0c7340ae59. --- app/app.go | 83 ++++++++++++++++++++++++++++---- app/app_test.go | 135 +++++++++++++++++++++++++++++++++++++++++++++++++++++ app/apptestlib.go | 13 ++++++ app/permissions.go | 1 + 4 files changed, 222 insertions(+), 10 deletions(-) (limited to 'app') diff --git a/app/app.go b/app/app.go index e5a496c6b..bda56ca1a 100644 --- a/app/app.go +++ b/app/app.go @@ -30,6 +30,7 @@ import ( ) const ADVANCED_PERMISSIONS_MIGRATION_KEY = "AdvancedPermissionsMigrationComplete" +const EMOJIS_PERMISSIONS_MIGRATION_KEY = "EmojisPermissionsMigrationComplete" type App struct { goroutineCount int32 @@ -57,7 +58,6 @@ type App struct { Compliance einterfaces.ComplianceInterface DataRetention einterfaces.DataRetentionInterface Elasticsearch einterfaces.ElasticsearchInterface - Emoji einterfaces.EmojiInterface Ldap einterfaces.LdapInterface MessageExport einterfaces.MessageExportInterface Metrics einterfaces.MetricsInterface @@ -288,12 +288,6 @@ func RegisterElasticsearchInterface(f func(*App) einterfaces.ElasticsearchInterf elasticsearchInterface = f } -var emojiInterface func(*App) einterfaces.EmojiInterface - -func RegisterEmojiInterface(f func(*App) einterfaces.EmojiInterface) { - emojiInterface = f -} - var jobsDataRetentionJobInterface func(*App) ejobs.DataRetentionJobInterface func RegisterJobsDataRetentionJobInterface(f func(*App) ejobs.DataRetentionJobInterface) { @@ -376,9 +370,6 @@ func (a *App) initEnterprise() { if elasticsearchInterface != nil { a.Elasticsearch = elasticsearchInterface(a) } - if emojiInterface != nil { - a.Emoji = emojiInterface(a) - } if ldapInterface != nil { a.Ldap = ldapInterface(a) a.AddConfigListener(func(_, cfg *model.Config) { @@ -603,3 +594,75 @@ func (a *App) SetPhase2PermissionsMigrationStatus(isComplete bool) error { a.phase2PermissionsMigrationComplete = isComplete return nil } + +func (a *App) DoEmojisPermissionsMigration() { + // If the migration is already marked as completed, don't do it again. + if result := <-a.Srv.Store.System().GetByName(EMOJIS_PERMISSIONS_MIGRATION_KEY); result.Err == nil { + return + } + + var role *model.Role = nil + var systemAdminRole *model.Role = nil + var err *model.AppError = nil + + mlog.Info("Migrating emojis config to database.") + switch *a.Config().ServiceSettings.RestrictCustomEmojiCreation { + case model.RESTRICT_EMOJI_CREATION_ALL: + role, err = a.GetRoleByName(model.SYSTEM_USER_ROLE_ID) + if err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(err.Error()) + return + } + break + case model.RESTRICT_EMOJI_CREATION_ADMIN: + role, err = a.GetRoleByName(model.TEAM_ADMIN_ROLE_ID) + if err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(err.Error()) + return + } + break + case model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN: + role = nil + break + default: + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical("Invalid restrict emoji creation setting") + return + } + + if role != nil { + role.Permissions = append(role.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id) + if result := <-a.Srv.Store.Role().Save(role); result.Err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(result.Err.Error()) + return + } + } + + systemAdminRole, err = a.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + if err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(err.Error()) + return + } + + systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id) + systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id) + if result := <-a.Srv.Store.Role().Save(systemAdminRole); result.Err != nil { + mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.") + mlog.Critical(result.Err.Error()) + return + } + + system := model.System{ + Name: EMOJIS_PERMISSIONS_MIGRATION_KEY, + Value: "true", + } + + if result := <-a.Srv.Store.System().Save(&system); result.Err != nil { + mlog.Critical("Failed to mark emojis permissions migration as completed.") + mlog.Critical(fmt.Sprint(result.Err)) + } +} diff --git a/app/app_test.go b/app/app_test.go index cb6917073..dd6f0b593 100644 --- a/app/app_test.go +++ b/app/app_test.go @@ -455,3 +455,138 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) { *config.ServiceSettings.PostEditTimeLimit = 300 th.App.SaveConfig(config, false) } + +func TestDoEmojisPermissionsMigration(t *testing.T) { + th := Setup() + defer th.TearDown() + + if testStoreSqlSupplier == nil { + t.Skip("This test requires a TestStore to be run.") + } + + // Add a license and change the policy config. + restrictCustomEmojiCreation := *th.App.Config().ServiceSettings.RestrictCustomEmojiCreation + + defer func() { + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = restrictCustomEmojiCreation + }) + }() + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN + }) + + th.ResetEmojisMigration() + th.App.DoEmojisPermissionsMigration() + + expectedSystemAdmin := []string{ + model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id, + model.PERMISSION_MANAGE_SYSTEM.Id, + model.PERMISSION_MANAGE_ROLES.Id, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, + model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, + model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, + model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, + model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, + model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id, + model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id, + model.PERMISSION_EDIT_OTHER_USERS.Id, + model.PERMISSION_MANAGE_OAUTH.Id, + model.PERMISSION_INVITE_USER.Id, + model.PERMISSION_DELETE_POST.Id, + model.PERMISSION_DELETE_OTHERS_POSTS.Id, + model.PERMISSION_CREATE_TEAM.Id, + model.PERMISSION_ADD_USER_TO_TEAM.Id, + model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id, + model.PERMISSION_MANAGE_JOBS.Id, + model.PERMISSION_CREATE_POST_PUBLIC.Id, + model.PERMISSION_CREATE_POST_EPHEMERAL.Id, + model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id, + model.PERMISSION_READ_USER_ACCESS_TOKEN.Id, + model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id, + model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id, + model.PERMISSION_LIST_TEAM_CHANNELS.Id, + model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id, + model.PERMISSION_READ_PUBLIC_CHANNEL.Id, + model.PERMISSION_VIEW_TEAM.Id, + model.PERMISSION_READ_CHANNEL.Id, + model.PERMISSION_ADD_REACTION.Id, + model.PERMISSION_REMOVE_REACTION.Id, + model.PERMISSION_UPLOAD_FILE.Id, + model.PERMISSION_GET_PUBLIC_LINK.Id, + model.PERMISSION_CREATE_POST.Id, + model.PERMISSION_USE_SLASH_COMMANDS.Id, + model.PERMISSION_EDIT_OTHERS_POSTS.Id, + model.PERMISSION_REMOVE_USER_FROM_TEAM.Id, + model.PERMISSION_MANAGE_TEAM.Id, + model.PERMISSION_IMPORT_TEAM.Id, + model.PERMISSION_MANAGE_TEAM_ROLES.Id, + model.PERMISSION_MANAGE_CHANNEL_ROLES.Id, + model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_WEBHOOKS.Id, + model.PERMISSION_EDIT_POST.Id, + model.PERMISSION_MANAGE_EMOJIS.Id, + model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, + } + + role1, err1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + assert.Nil(t, err1) + assert.Equal(t, expectedSystemAdmin, role1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID)) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ADMIN + }) + + th.ResetEmojisMigration() + th.App.DoEmojisPermissionsMigration() + + role2, err2 := th.App.GetRoleByName(model.TEAM_ADMIN_ROLE_ID) + assert.Nil(t, err2) + expected2 := []string{ + model.PERMISSION_EDIT_OTHERS_POSTS.Id, + model.PERMISSION_REMOVE_USER_FROM_TEAM.Id, + model.PERMISSION_MANAGE_TEAM.Id, + model.PERMISSION_IMPORT_TEAM.Id, + model.PERMISSION_MANAGE_TEAM_ROLES.Id, + model.PERMISSION_MANAGE_CHANNEL_ROLES.Id, + model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id, + model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id, + model.PERMISSION_MANAGE_WEBHOOKS.Id, + model.PERMISSION_DELETE_POST.Id, + model.PERMISSION_DELETE_OTHERS_POSTS.Id, + model.PERMISSION_MANAGE_EMOJIS.Id, + } + assert.Equal(t, expected2, role2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.TEAM_ADMIN_ROLE_ID)) + + systemAdmin1, systemAdminErr1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + assert.Nil(t, systemAdminErr1) + assert.Equal(t, expectedSystemAdmin, systemAdmin1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID)) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ALL + }) + + th.ResetEmojisMigration() + th.App.DoEmojisPermissionsMigration() + + role3, err3 := th.App.GetRoleByName(model.SYSTEM_USER_ROLE_ID) + assert.Nil(t, err3) + expected3 := []string{ + model.PERMISSION_CREATE_DIRECT_CHANNEL.Id, + model.PERMISSION_CREATE_GROUP_CHANNEL.Id, + model.PERMISSION_PERMANENT_DELETE_USER.Id, + model.PERMISSION_CREATE_TEAM.Id, + model.PERMISSION_MANAGE_EMOJIS.Id, + } + assert.Equal(t, expected3, role3.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_USER_ROLE_ID)) + + systemAdmin2, systemAdminErr2 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID) + assert.Nil(t, systemAdminErr2) + assert.Equal(t, expectedSystemAdmin, systemAdmin2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID)) +} diff --git a/app/apptestlib.go b/app/apptestlib.go index ec4992a75..d4a79bdcc 100644 --- a/app/apptestlib.go +++ b/app/apptestlib.go @@ -110,6 +110,7 @@ func setupTestHelper(enterprise bool) *TestHelper { th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = prevListenAddress }) th.App.DoAdvancedPermissionsMigration() + th.App.DoEmojisPermissionsMigration() th.App.Srv.Store.MarkSystemRanUnitTests() @@ -433,6 +434,18 @@ func (me *TestHelper) ResetRoleMigration() { } } +func (me *TestHelper) ResetEmojisMigration() { + if _, err := testStoreSqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ', manage_emojis', '') WHERE builtin=True"); err != nil { + panic(err) + } + + testClusterInterface.sendClearRoleCacheMessage() + + if _, err := testStoreSqlSupplier.GetMaster().Exec("DELETE from Systems where Name = :Name", map[string]interface{}{"Name": EMOJIS_PERMISSIONS_MIGRATION_KEY}); err != nil { + panic(err) + } +} + type FakeClusterInterface struct { clusterMessageHandler einterfaces.ClusterMessageHandler } diff --git a/app/permissions.go b/app/permissions.go index 70b8cc689..46090070e 100644 --- a/app/permissions.go +++ b/app/permissions.go @@ -43,6 +43,7 @@ func (a *App) ResetPermissionsSystem() *model.AppError { // Now that the permissions system has been reset, re-run the migration to reinitialise it. a.DoAdvancedPermissionsMigration() + a.DoEmojisPermissionsMigration() return nil } -- cgit v1.2.3-1-g7c22