1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package api4
import (
"net/http"
"github.com/mattermost/mattermost-server/model"
"github.com/mattermost/mattermost-server/utils"
)
func (api *API) InitRole() {
api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getRole)).Methods("GET")
api.BaseRoutes.Roles.Handle("/name/{role_name:[a-z0-9_]+}", api.ApiSessionRequiredTrustRequester(getRoleByName)).Methods("GET")
api.BaseRoutes.Roles.Handle("/names", api.ApiSessionRequiredTrustRequester(getRolesByNames)).Methods("POST")
api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchRole)).Methods("PUT")
}
func getRole(c *Context, w http.ResponseWriter, r *http.Request) {
c.RequireRoleId()
if c.Err != nil {
return
}
if role, err := c.App.GetRole(c.Params.RoleId); err != nil {
c.Err = err
return
} else {
w.Write([]byte(role.ToJson()))
}
}
func getRoleByName(c *Context, w http.ResponseWriter, r *http.Request) {
c.RequireRoleName()
if c.Err != nil {
return
}
if role, err := c.App.GetRoleByName(c.Params.RoleName); err != nil {
c.Err = err
return
} else {
w.Write([]byte(role.ToJson()))
}
}
func getRolesByNames(c *Context, w http.ResponseWriter, r *http.Request) {
rolenames := model.ArrayFromJson(r.Body)
if len(rolenames) == 0 {
c.SetInvalidParam("rolenames")
return
}
for _, rolename := range rolenames {
if !model.IsValidRoleName(rolename) {
c.SetInvalidParam("rolename")
return
}
}
if roles, err := c.App.GetRolesByNames(rolenames); err != nil {
c.Err = err
return
} else {
w.Write([]byte(model.RoleListToJson(roles)))
}
}
func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
c.RequireRoleId()
if c.Err != nil {
return
}
patch := model.RolePatchFromJson(r.Body)
if patch == nil {
c.SetInvalidParam("role")
return
}
oldRole, err := c.App.GetRole(c.Params.RoleId)
if err != nil {
c.Err = err
return
}
if !utils.IsLicensed() && patch.Permissions != nil {
allowedPermissions := []string{
model.PERMISSION_CREATE_TEAM.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OAUTH.Id,
model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
}
changedPermissions := model.PermissionsChangedByPatch(oldRole, patch)
for _, permission := range changedPermissions {
allowed := false
for _, allowedPermission := range allowedPermissions {
if permission == allowedPermission {
allowed = true
}
}
if !allowed {
c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented)
return
}
}
}
if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
return
}
if role, err := c.App.PatchRole(oldRole, patch); err != nil {
c.Err = err
return
} else {
c.LogAudit("")
w.Write([]byte(role.ToJson()))
}
}
|