From e1cd64613591cf5a990442a69ebf188258bd0cb5 Mon Sep 17 00:00:00 2001
From: George Goldberg <george@gberg.me>
Date: Tue, 6 Feb 2018 15:34:08 +0000
Subject: XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)

* XYZ-13: Update Permission and Role structs to new design.

* XYZ-10: Role store.

* XYZ-9/XYZ-44: Roles API endpoints and WebSocket message.

* XYZ-8: Switch server permissions checks to store backed roles.

* XYZ-58: Proper validation of roles where required.

* XYZ-11/XYZ-55: Migration to store backed roles from policy config.

* XYZ-37: Update unit tests to work with database roles.

* XYZ-56: Remove the "guest" role.

* Changes to SetDefaultRolesFromConfig.

* Short-circuit the store if nothing has changed.

* Address first round of review comments.

* Address second round of review comments.
---
 api4/role.go | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 api4/role.go

(limited to 'api4/role.go')

diff --git a/api4/role.go b/api4/role.go
new file mode 100644
index 000000000..a401a8034
--- /dev/null
+++ b/api4/role.go
@@ -0,0 +1,100 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"net/http"
+
+	"github.com/mattermost/mattermost-server/model"
+)
+
+func (api *API) InitRole() {
+	api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getRole)).Methods("GET")
+	api.BaseRoutes.Roles.Handle("/name/{role_name:[a-z0-9_]+}", api.ApiSessionRequiredTrustRequester(getRoleByName)).Methods("GET")
+	api.BaseRoutes.Roles.Handle("/names", api.ApiSessionRequiredTrustRequester(getRolesByNames)).Methods("POST")
+	api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchRole)).Methods("PUT")
+}
+
+func getRole(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireRoleId()
+	if c.Err != nil {
+		return
+	}
+
+	if role, err := c.App.GetRole(c.Params.RoleId); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Write([]byte(role.ToJson()))
+	}
+}
+
+func getRoleByName(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireRoleName()
+	if c.Err != nil {
+		return
+	}
+
+	if role, err := c.App.GetRoleByName(c.Params.RoleName); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Write([]byte(role.ToJson()))
+	}
+}
+
+func getRolesByNames(c *Context, w http.ResponseWriter, r *http.Request) {
+	rolenames := model.ArrayFromJson(r.Body)
+
+	if len(rolenames) == 0 {
+		c.SetInvalidParam("rolenames")
+		return
+	}
+
+	for _, rolename := range rolenames {
+		if !model.IsValidRoleName(rolename) {
+			c.SetInvalidParam("rolename")
+			return
+		}
+	}
+
+	if roles, err := c.App.GetRolesByNames(rolenames); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Write([]byte(model.RoleListToJson(roles)))
+	}
+}
+
+func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireRoleId()
+	if c.Err != nil {
+		return
+	}
+
+	patch := model.RolePatchFromJson(r.Body)
+	if patch == nil {
+		c.SetInvalidParam("role")
+		return
+	}
+
+	oldRole, err := c.App.GetRole(c.Params.RoleId)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if role, err := c.App.PatchRole(oldRole, patch); err != nil {
+		c.Err = err
+		return
+	} else {
+		c.LogAudit("")
+		w.Write([]byte(role.ToJson()))
+	}
+}
-- 
cgit v1.2.3-1-g7c22