Diffstat (limited to 'utils')
-rw-r--r-- | utils/authorization.go | 208 | ||||
-rw-r--r-- | utils/config.go | 1 |
2 files changed, 107 insertions, 102 deletions
diff --git a/utils/authorization.go b/utils/authorization.go
index 37ca2c7ff..39a0d606c 100644
--- a/utils/authorization.go
+++ b/utils/authorization.go
@@ -7,271 +7,277 @@ import ( "github.com/mattermost/mattermost-server/model" ) -func SetDefaultRolesBasedOnConfig() { - // Reset the roles to default to make this logic easier - model.InitalizeRoles() +func DefaultRolesBasedOnConfig(cfg *model.Config) map[string]*model.Role { + roles := make(map[string]*model.Role) + for id, role := range model.DefaultRoles { + copy := &model.Role{} + *copy = *role + roles[id] = copy + } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPublicChannelCreation { + switch *cfg.TeamSettings.RestrictPublicChannelCreation { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPublicChannelManagement { + switch *cfg.TeamSettings.RestrictPublicChannelManagement { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, 
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPublicChannelDeletion { + switch *cfg.TeamSettings.RestrictPublicChannelDeletion { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, 
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelCreation { + switch *cfg.TeamSettings.RestrictPrivateChannelCreation { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelManagement { + switch *cfg.TeamSettings.RestrictPrivateChannelManagement { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + 
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, ) } if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelDeletion { + switch *cfg.TeamSettings.RestrictPrivateChannelDeletion { case model.PERMISSIONS_ALL: - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + 
roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, ) } // Restrict permissions for Private Channel Manage Members if IsLicensed() { - switch *Cfg.TeamSettings.RestrictPrivateChannelManageMembers { + switch *cfg.TeamSettings.RestrictPrivateChannelManageMembers { case model.PERMISSIONS_ALL: - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) case model.PERMISSIONS_CHANNEL_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) case model.PERMISSIONS_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) } } else { - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, ) } - if !*Cfg.ServiceSettings.EnableOnlyAdminIntegrations { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + if !*cfg.ServiceSettings.EnableOnlyAdminIntegrations { + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, 
model.PERMISSION_MANAGE_WEBHOOKS.Id, model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, ) - model.ROLE_SYSTEM_USER.Permissions = append( - model.ROLE_SYSTEM_USER.Permissions, + roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( + roles[model.SYSTEM_USER_ROLE_ID].Permissions, model.PERMISSION_MANAGE_OAUTH.Id, ) } // Grant permissions for inviting and adding users to a team. if IsLicensed() { - if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN { - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN { + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_INVITE_USER.Id, model.PERMISSION_ADD_USER_TO_TEAM.Id, ) - } else if *Cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL { - model.ROLE_SYSTEM_USER.Permissions = append( - model.ROLE_SYSTEM_USER.Permissions, + } else if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL { + roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( + roles[model.SYSTEM_USER_ROLE_ID].Permissions, model.PERMISSION_INVITE_USER.Id, model.PERMISSION_ADD_USER_TO_TEAM.Id, ) } } else { - model.ROLE_TEAM_USER.Permissions = append( - model.ROLE_TEAM_USER.Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_INVITE_USER.Id, model.PERMISSION_ADD_USER_TO_TEAM.Id, ) } if IsLicensed() { - switch *Cfg.ServiceSettings.RestrictPostDelete { + switch *cfg.ServiceSettings.RestrictPostDelete { case model.PERMISSIONS_DELETE_POST_ALL: - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, ) - model.ROLE_CHANNEL_ADMIN.Permissions = append( - model.ROLE_CHANNEL_ADMIN.Permissions, + 
roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( + roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN: - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) } } else { - model.ROLE_CHANNEL_USER.Permissions = append( - model.ROLE_CHANNEL_USER.Permissions, + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, ) - model.ROLE_TEAM_ADMIN.Permissions = append( - model.ROLE_TEAM_ADMIN.Permissions, + roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( + roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, model.PERMISSION_DELETE_OTHERS_POSTS.Id, ) } - if Cfg.TeamSettings.EnableTeamCreation { - model.ROLE_SYSTEM_USER.Permissions = append( - model.ROLE_SYSTEM_USER.Permissions, + if cfg.TeamSettings.EnableTeamCreation { + roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( + roles[model.SYSTEM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_TEAM.Id, ) } + + return roles } diff --git a/utils/config.go b/utils/config.go index 25e684411..a91a20711 100644 --- a/utils/config.go +++ b/utils/config.go 
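Review bot: The per-role copy at the top of DefaultRolesBasedOnConfig (`copy := &model.Role{}; *copy = *role`) is a shallow struct copy, so each copy's Permissions slice still shares its backing array with the model.DefaultRoles entry, and the later `roles[...].Permissions = append(...)` calls write into that shared array whenever it has spare capacity — two calls with different configs could then overwrite each other's appended permission ids, and the package-level defaults are not actually isolated from config-derived grants. Whether the default slices carry spare capacity depends on how model.DefaultRoles is built, which is outside this hunk, but an authorization table should not hinge on that. Detaching the slice when copying removes the aliasing and also stops shadowing the builtin copy: `r := *role`, `r.Permissions = append(role.Permissions[:0:0], role.Permissions...)`, `roles[id] = &r`. The exported function also lacks a doc comment; `// DefaultRolesBasedOnConfig returns a copy of model.DefaultRoles with the permissions implied by cfg and the current license state appended.` would cover it. Separately, the SetDefaultRolesBasedOnConfig() call is dropped from LoadGlobalConfig in utils/config.go and nothing in this diff calls the new function or applies its result, so any remaining consumer of the old global role values would see unconfigured defaults until a caller is wired up — the diffstat is limited to 'utils', so that caller may well exist elsewhere in the commit.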
@@ -420,7 +420,6 @@ func LoadGlobalConfig(fileName string) *model.Config { clientCfgJson, _ := json.Marshal(ClientCfg) ClientCfgHash = fmt.Sprintf("%x", md5.Sum(clientCfgJson)) - SetDefaultRolesBasedOnConfig() SetSiteURL(*Cfg.ServiceSettings.SiteURL) InvokeGlobalConfigListeners(&oldConfig, config) |