From 91d430b2a39a03b052cc103f73f44c68cbc96b2d Mon Sep 17 00:00:00 2001
From: George Goldberg
Date: Wed, 15 Mar 2017 19:32:02 +0000
Subject: Fix policy application in team edition. (#5771)
---
utils/authorization.go | 262 +++++++++++++++++++++++++++++--------------------
1 file changed, 158 insertions(+), 104 deletions(-)
(limited to 'utils')
diff --git a/utils/authorization.go b/utils/authorization.go
index 9a45878a2..2c7f35164 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -11,134 +11,176 @@ func SetDefaultRolesBasedOnConfig() { // Reset the roles to default to make this logic easier model.InitalizeRoles() - switch *Cfg.TeamSettings.RestrictPublicChannelCreation { - case model.PERMISSIONS_ALL: + if IsLicensed { + switch *Cfg.TeamSettings.RestrictPublicChannelCreation { + case model.PERMISSIONS_ALL: + model.ROLE_TEAM_USER.Permissions = append( + model.ROLE_TEAM_USER.Permissions, + model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, + ) + break + case model.PERMISSIONS_TEAM_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, + ) + break + } + } else { model.ROLE_TEAM_USER.Permissions = append( model.ROLE_TEAM_USER.Permissions, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, ) - break - case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, - ) - break } - switch *Cfg.TeamSettings.RestrictPublicChannelManagement { - case model.PERMISSIONS_ALL: + if IsLicensed { + switch *Cfg.TeamSettings.RestrictPublicChannelManagement { + case model.PERMISSIONS_ALL: + model.ROLE_TEAM_USER.Permissions = append( + model.ROLE_TEAM_USER.Permissions, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, + ) + break + case model.PERMISSIONS_CHANNEL_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, + ) + model.ROLE_CHANNEL_ADMIN.Permissions = append( + model.ROLE_CHANNEL_ADMIN.Permissions, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, + ) + break + case model.PERMISSIONS_TEAM_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, + ) + break + } + } else { model.ROLE_TEAM_USER.Permissions = append( model.ROLE_TEAM_USER.Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) 
- break - case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, - ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, - model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, - ) - break - case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, - ) - break } - switch *Cfg.TeamSettings.RestrictPublicChannelDeletion { - case model.PERMISSIONS_ALL: + if IsLicensed { + switch *Cfg.TeamSettings.RestrictPublicChannelDeletion { + case model.PERMISSIONS_ALL: + model.ROLE_TEAM_USER.Permissions = append( + model.ROLE_TEAM_USER.Permissions, + model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, + ) + break + case model.PERMISSIONS_CHANNEL_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, + ) + model.ROLE_CHANNEL_ADMIN.Permissions = append( + model.ROLE_CHANNEL_ADMIN.Permissions, + model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, + ) + break + case model.PERMISSIONS_TEAM_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, + ) + break + } + } else { model.ROLE_TEAM_USER.Permissions = append( model.ROLE_TEAM_USER.Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) - break - case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, - ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, - model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, - ) - break - case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, - ) 
- break } - switch *Cfg.TeamSettings.RestrictPrivateChannelCreation { - case model.PERMISSIONS_ALL: + if IsLicensed { + switch *Cfg.TeamSettings.RestrictPrivateChannelCreation { + case model.PERMISSIONS_ALL: + model.ROLE_TEAM_USER.Permissions = append( + model.ROLE_TEAM_USER.Permissions, + model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, + ) + break + case model.PERMISSIONS_TEAM_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, + ) + break + } + } else { model.ROLE_TEAM_USER.Permissions = append( model.ROLE_TEAM_USER.Permissions, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, ) - break - case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, - ) - break } - switch *Cfg.TeamSettings.RestrictPrivateChannelManagement { - case model.PERMISSIONS_ALL: + if IsLicensed { + switch *Cfg.TeamSettings.RestrictPrivateChannelManagement { + case model.PERMISSIONS_ALL: + model.ROLE_TEAM_USER.Permissions = append( + model.ROLE_TEAM_USER.Permissions, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, + ) + break + case model.PERMISSIONS_CHANNEL_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, + ) + model.ROLE_CHANNEL_ADMIN.Permissions = append( + model.ROLE_CHANNEL_ADMIN.Permissions, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, + ) + break + case model.PERMISSIONS_TEAM_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, + ) + break + } + } else { model.ROLE_TEAM_USER.Permissions = append( model.ROLE_TEAM_USER.Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) - break - case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - 
model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, - ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, - model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, - ) - break - case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, - ) - break } - switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion { - case model.PERMISSIONS_ALL: + if IsLicensed { + switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion { + case model.PERMISSIONS_ALL: + model.ROLE_TEAM_USER.Permissions = append( + model.ROLE_TEAM_USER.Permissions, + model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, + ) + break + case model.PERMISSIONS_CHANNEL_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, + ) + model.ROLE_CHANNEL_ADMIN.Permissions = append( + model.ROLE_CHANNEL_ADMIN.Permissions, + model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, + ) + break + case model.PERMISSIONS_TEAM_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, + ) + break + } + } else { model.ROLE_TEAM_USER.Permissions = append( model.ROLE_TEAM_USER.Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) - break - case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, - ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, - model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, - ) - break - case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, - ) - break } if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations { 
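Review bot: In each unlicensed `else` branch of this hunk the configured `Restrict*` value is discarded silently, so an operator who set e.g. `RestrictPublicChannelCreation` to the team-admin value on team edition gets the permission granted to every team user with nothing in the logs to explain it. I would log a warning once when `!IsLicensed` and a setting is not `model.PERMISSIONS_ALL`, or at least add `// Team edition: policy settings are ignored, all team users get this permission` above the first `else`. The licensed `switch` blocks also have no `default`, so an unrecognised value grants the permission to none of the roles handled here; that fails closed, but a `default:` that logs the value would make a misconfiguration visible. Both points apply equally to the `RestrictPostDelete` block in the following hunk. `SetDefaultRolesBasedOnConfig` starts and ends outside the hunk.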
@@ -167,8 +209,28 @@ func SetDefaultRolesBasedOnConfig() { ) } - switch *Cfg.ServiceSettings.RestrictPostDelete { - case model.PERMISSIONS_DELETE_POST_ALL: + if IsLicensed { + switch *Cfg.ServiceSettings.RestrictPostDelete { + case model.PERMISSIONS_DELETE_POST_ALL: + model.ROLE_CHANNEL_USER.Permissions = append( + model.ROLE_CHANNEL_USER.Permissions, + model.PERMISSION_DELETE_POST.Id, + ) + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_DELETE_POST.Id, + model.PERMISSION_DELETE_OTHERS_POSTS.Id, + ) + break + case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN: + model.ROLE_TEAM_ADMIN.Permissions = append( + model.ROLE_TEAM_ADMIN.Permissions, + model.PERMISSION_DELETE_POST.Id, + model.PERMISSION_DELETE_OTHERS_POSTS.Id, + ) + break + } + } else { model.ROLE_CHANNEL_USER.Permissions = append( model.ROLE_CHANNEL_USER.Permissions, model.PERMISSION_DELETE_POST.Id, @@ -178,14 +240,6 @@ func SetDefaultRolesBasedOnConfig() { model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) - break - case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, - model.PERMISSION_DELETE_POST.Id, - model.PERMISSION_DELETE_OTHERS_POSTS.Id, - ) - break } if Cfg.TeamSettings.EnableTeamCreation { -- cgit v1.2.3-1-g7c22
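Review bot: The roles built here now depend on `IsLicensed` at the moment of the call, so they go stale if a license is loaded, removed or expires afterwards; whether every such path re-invokes `SetDefaultRolesBasedOnConfig` is not visible in this diff and should be confirmed. A doc comment on the function would record the contract, e.g. `// SetDefaultRolesBasedOnConfig must be re-run whenever the license state or the config changes.` As a style point, the `break` statements at the end of each `case` in the new `switch` are redundant in Go and can be dropped. The function's opening and end are outside this hunk.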