From 816a30397da6ceff836d8723233dc5cdbda70871 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 21 Nov 2017 13:08:32 -0600 Subject: Role refactor (#7867) * role refactor * add missing file * fix web test
---
utils/authorization.go | 208 +++++++++++++++++++++++++------------------------ 1 file changed, 107 insertions(+), 101 deletions(-) (limited to 'utils/authorization.go')
diff --git a/utils/authorization.go b/utils/authorization.go
index 37ca2c7ff..39a0d606c 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -7,271 +7,277 @@ import (
 "github.com/mattermost/mattermost-server/model"
 )
-func SetDefaultRolesBasedOnConfig() {
- // Reset the roles to default to make this logic easier
- model.InitalizeRoles()
+func DefaultRolesBasedOnConfig(cfg *model.Config) map[string]*model.Role {
+ roles := make(map[string]*model.Role)
+ for id, role := range model.DefaultRoles {
+ copy := &model.Role{}
+ *copy = *role
+ roles[id] = copy
+ }
 if IsLicensed() {
- switch *Cfg.TeamSettings.RestrictPublicChannelCreation {
+ switch *cfg.TeamSettings.RestrictPublicChannelCreation {
 case model.PERMISSIONS_ALL:
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
 )
 case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
 )
 }
 } else {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
 )
 }
 if IsLicensed() {
- switch *Cfg.TeamSettings.RestrictPublicChannelManagement {
+ switch *cfg.TeamSettings.RestrictPublicChannelManagement {
 case model.PERMISSIONS_ALL:
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
 )
 case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
 )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
 )
 case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
 )
 }
 } else {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
 )
 }
 if IsLicensed() {
- switch *Cfg.TeamSettings.RestrictPublicChannelDeletion {
+ switch *cfg.TeamSettings.RestrictPublicChannelDeletion {
 case model.PERMISSIONS_ALL:
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
 )
 case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
 )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
 )
 case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
 )
 }
 } else {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
 )
 }
 if IsLicensed() {
- switch *Cfg.TeamSettings.RestrictPrivateChannelCreation {
+ switch *cfg.TeamSettings.RestrictPrivateChannelCreation {
 case model.PERMISSIONS_ALL:
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
 )
 case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
 )
 }
 } else {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
 )
 }
 if IsLicensed() {
- switch *Cfg.TeamSettings.RestrictPrivateChannelManagement {
+ switch *cfg.TeamSettings.RestrictPrivateChannelManagement {
 case model.PERMISSIONS_ALL:
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
 )
 case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
 )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
 )
 case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
 )
 }
 } else {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
 )
 }
 if IsLicensed() {
- switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion {
+ switch *cfg.TeamSettings.RestrictPrivateChannelDeletion {
 case model.PERMISSIONS_ALL:
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
 )
 case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
 )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
 )
 case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
 )
 }
 } else {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
 )
 }
 // Restrict permissions for Private Channel Manage Members
 if IsLicensed() {
- switch *Cfg.TeamSettings.RestrictPrivateChannelManageMembers {
+ switch *cfg.TeamSettings.RestrictPrivateChannelManageMembers {
 case model.PERMISSIONS_ALL:
- model.ROLE_CHANNEL_USER.Permissions = append(
- model.ROLE_CHANNEL_USER.Permissions,
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
 )
 case model.PERMISSIONS_CHANNEL_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
 )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
 )
 case model.PERMISSIONS_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
 )
 }
 } else {
- model.ROLE_CHANNEL_USER.Permissions = append(
- model.ROLE_CHANNEL_USER.Permissions,
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
 )
 }
- if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ if !*cfg.ServiceSettings.EnableOnlyAdminIntegrations {
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_WEBHOOKS.Id,
 model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
 )
- model.ROLE_SYSTEM_USER.Permissions = append(
- model.ROLE_SYSTEM_USER.Permissions,
+ roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
+ roles[model.SYSTEM_USER_ROLE_ID].Permissions,
 model.PERMISSION_MANAGE_OAUTH.Id,
 )
 }
 // Grant permissions for inviting and adding users to a team.
 if IsLicensed() {
- if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN {
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_INVITE_USER.Id,
 model.PERMISSION_ADD_USER_TO_TEAM.Id,
 )
- } else if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL {
- model.ROLE_SYSTEM_USER.Permissions = append(
- model.ROLE_SYSTEM_USER.Permissions,
+ } else if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL {
+ roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
+ roles[model.SYSTEM_USER_ROLE_ID].Permissions,
 model.PERMISSION_INVITE_USER.Id,
 model.PERMISSION_ADD_USER_TO_TEAM.Id,
 )
 }
 } else {
- model.ROLE_TEAM_USER.Permissions = append(
- model.ROLE_TEAM_USER.Permissions,
+ roles[model.TEAM_USER_ROLE_ID].Permissions = append(
+ roles[model.TEAM_USER_ROLE_ID].Permissions,
 model.PERMISSION_INVITE_USER.Id,
 model.PERMISSION_ADD_USER_TO_TEAM.Id,
 )
 }
 if IsLicensed() {
- switch *Cfg.ServiceSettings.RestrictPostDelete {
+ switch *cfg.ServiceSettings.RestrictPostDelete {
 case model.PERMISSIONS_DELETE_POST_ALL:
- model.ROLE_CHANNEL_USER.Permissions = append(
- model.ROLE_CHANNEL_USER.Permissions,
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_POST.Id,
 )
- model.ROLE_CHANNEL_ADMIN.Permissions = append(
- model.ROLE_CHANNEL_ADMIN.Permissions,
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_POST.Id,
 model.PERMISSION_DELETE_OTHERS_POSTS.Id,
 )
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_POST.Id,
 model.PERMISSION_DELETE_OTHERS_POSTS.Id,
 )
 case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_POST.Id,
 model.PERMISSION_DELETE_OTHERS_POSTS.Id,
 )
 }
 } else {
- model.ROLE_CHANNEL_USER.Permissions = append(
- model.ROLE_CHANNEL_USER.Permissions,
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
+ roles[model.CHANNEL_USER_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_POST.Id,
 )
- model.ROLE_TEAM_ADMIN.Permissions = append(
- model.ROLE_TEAM_ADMIN.Permissions,
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append(
+ roles[model.TEAM_ADMIN_ROLE_ID].Permissions,
 model.PERMISSION_DELETE_POST.Id,
 model.PERMISSION_DELETE_OTHERS_POSTS.Id,
 )
 }
- if Cfg.TeamSettings.EnableTeamCreation {
- model.ROLE_SYSTEM_USER.Permissions = append(
- model.ROLE_SYSTEM_USER.Permissions,
+ if cfg.TeamSettings.EnableTeamCreation {
+ roles[model.SYSTEM_USER_ROLE_ID].Permissions = append(
+ roles[model.SYSTEM_USER_ROLE_ID].Permissions,
 model.PERMISSION_CREATE_TEAM.Id,
 )
 }
+
+ return roles
 }
-- cgit v1.2.3-1-g7c22
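Review bot: The clone loop at the top of `DefaultRolesBasedOnConfig` copies the `model.Role` struct but not its `Permissions` slice, so every map entry still shares a backing array with `model.DefaultRoles`, and the many `roles[...].Permissions = append(...)` lines that follow will write into that shared storage whenever the default slice has spare capacity — which would let one call's permission grants leak into the package-level defaults or into a map returned by an earlier call with a different config. I cannot see how `model.DefaultRoles` builds those slices, so the capacity may happen to be exact today, but the safe form is to detach the slice when cloning: `r := *role`, `r.Permissions = append(role.Permissions[:0:0], role.Permissions...)`, `roles[id] = &r`. That also removes the local named `copy`, which currently shadows the builtin. The exported function has no doc comment; add `// DefaultRolesBasedOnConfig returns a fresh copy of model.DefaultRoles with the permissions implied by cfg and the current license state added.` above it. Note that `IsLicensed()` still reads package state even though the config is now passed in, so two calls with the same cfg can differ depending on when they run.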