author | Chris <ccbrown112@gmail.com> | 2017-11-21 13:08:32 -0600 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2017-11-21 11:08:32 -0800 |
commit | 816a30397da6ceff836d8723233dc5cdbda70871 (patch) | |
tree | d9075e04c6570296cea924b97088839f49d6ce9d /utils | |
parent | 01e652ed481ed0ef0a8d8c021751655c1a58dd2a (diff) | |
Role refactor (#7867)
* role refactor
* add missing file
* fix web test
Diffstat (limited to 'utils')
-rw-r--r-- | utils/authorization.go | 208 | ||||
-rw-r--r-- | utils/config.go | 1 |
2 files changed, 107 insertions, 102 deletions
diff --git a/utils/authorization.go b/utils/authorization.go
index 37ca2c7ff..39a0d606c 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -7,271 +7,277 @@ import ( "github.com/mattermost/mattermost-server/model" ) -func SetDefaultRolesBasedOnConfig() { - // Reset the roles to default to make this logic easier - model.InitalizeRoles() +func DefaultRolesBasedOnConfig(cfg *model.Config) map[string]*model.Role { + roles := make(map[string]*model.Role) + for id, role := range model.DefaultRoles { + copy := &model.Role{} + *copy = *role + roles[id] = copy + } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPublicChannelCreation { + switch *cfg.TeamSettings.RestrictPublicChannelCreation { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPublicChannelManagement { + switch *cfg.TeamSettings.RestrictPublicChannelManagement { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, 
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPublicChannelDeletion { + switch *cfg.TeamSettings.RestrictPublicChannelDeletion { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, 
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelCreation { + switch *cfg.TeamSettings.RestrictPrivateChannelCreation { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelManagement { + switch *cfg.TeamSettings.RestrictPrivateChannelManagement { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + 
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion { + switch *cfg.TeamSettings.RestrictPrivateChannelDeletion { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + 
roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) } // Restrict permissions for Private Channel Manage Members if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelManageMembers { + switch *cfg.TeamSettings.RestrictPrivateChannelManageMembers { case model.PERMISSIONS_ALL: - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) } } else { - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) } - if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + if !*cfg.ServiceSettings.EnableOnlyAdminIntegrations { + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, 
model.PERMISSION_MANAGE_WEBHOOKS.Id, model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, ) - model.ROLE_SYSTEM_USER.Permissions = append( - model.ROLE_SYSTEM_USER.Permissions, + roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( + roles[model.SYSTEM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_OAUTH.Id, ) } // Grant permissions for inviting and adding users to a team. if IsLicensed() { - if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN { - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN { + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_INVITE_USER.Id, model.PERMISSION_ADD_USER_TO_TEAM.Id, ) - } else if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL { - model.ROLE_SYSTEM_USER.Permissions = append( - model.ROLE_SYSTEM_USER.Permissions, + } else if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL { + roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( + roles[model.SYSTEM_USER_ROLE_ID].Permissions, model.PERMISSION_INVITE_USER.Id, model.PERMISSION_ADD_USER_TO_TEAM.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_INVITE_USER.Id, model.PERMISSION_ADD_USER_TO_TEAM.Id, ) } if IsLicensed() { - switch *Cfg.ServiceSettings.RestrictPostDelete { + switch *cfg.ServiceSettings.RestrictPostDelete { case model.PERMISSIONS_DELETE_POST_ALL: - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + 
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) } } else { - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, ) - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) } - if Cfg.TeamSettings.EnableTeamCreation { - model.ROLE_SYSTEM_USER.Permissions = append( - model.ROLE_SYSTEM_USER.Permissions, + if cfg.TeamSettings.EnableTeamCreation { + roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( + roles[model.SYSTEM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_TEAM.Id, ) } + + return roles } diff --git a/utils/config.go b/utils/config.go index 25e684411..a91a20711 100644 --- a/utils/config.go +++ b/utils/config.go 
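Review bot: The per-role copies at the top of DefaultRolesBasedOnConfig still share their Permissions backing array with model.DefaultRoles, because `*copy = *role` duplicates the struct but only the slice header inside it. If any of those default slices has spare capacity, the `append(roles[...].Permissions, ...)` calls throughout the function write into that shared array, so a later call (a config reload, or two concurrent ones) can silently overwrite the permission set an earlier call handed out — an authorization corruption rather than an error. Whether the defaults carry spare capacity depends on how model.DefaultRoles is constructed, which is outside this hunk, so the copy should not depend on it. I would detach the slice when cloning: `r := *role`, `r.Permissions = append(role.Permissions[:0:0], role.Permissions...)`, `roles[id] = &r`, which also removes the local `copy` that shadows the builtin of the same name.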
@@ -420,7 +420,6 @@ func LoadGlobalConfig(fileName string) *model.Config { clientCfgJson, _ := json.Marshal(ClientCfg) ClientCfgHash = fmt.Sprintf("%x", md5.Sum(clientCfgJson)) - SetDefaultRolesBasedOnConfig() SetSiteURL(*Cfg.ServiceSettings.SiteURL) InvokeGlobalConfigListeners(&oldConfig, config) |