github.com/Ne0nd0g/gophish@v0.7.1-0.20190220040016-11493024a07d/models/rbac.go

github.com/Ne0nd0g/gophish@v0.7.1-0.20190220040016-11493024a07d/models/rbac.go (about)

     1  package models
     2  
     3  /*
     4  Design:
     5  
     6  Gophish implements simple Role-Based-Access-Control (RBAC) to control access to
     7  certain resources.
     8  
     9  By default, Gophish has two separate roles, with each user being assigned to
    10  a single role:
    11  
    12  * Admin  - Can modify all objects as well as system-level configuration
    13  * User   - Can modify all objects
    14  
    15  It's important to note that these are global roles. In the future, we'll likely
    16  add the concept of teams, which will include their own roles and permission
    17  system similar to these global permissions.
    18  
    19  Each role maps to one or more permissions, making it easy to add more granular
    20  permissions over time.
    21  
    22  This is supported through a simple API on a user object,
    23  `HasPermission(Permission)`, which returns a boolean and an error.
    24  This API checks the role associated with the user to see if that role has the
    25  requested permission.
    26  */
    27  
    28  const (
    29  	// RoleAdmin is used for Gophish system administrators. Users with this
    30  	// role have the ability to manage all objects within Gophish, as well as
    31  	// system-level configuration, such as users and URLs.
    32  	RoleAdmin = "admin"
    33  	// RoleUser is used for standard Gophish users. Users with this role can
    34  	// create, manage, and view Gophish objects and campaigns.
    35  	RoleUser = "user"
    36  
    37  	// PermissionViewObjects determines if a role can view standard Gophish
    38  	// objects such as campaigns, groups, landing pages, etc.
    39  	PermissionViewObjects = "view_objects"
    40  	// PermissionModifyObjects determines if a role can create and modify
    41  	// standard Gophish objects.
    42  	PermissionModifyObjects = "modify_objects"
    43  	// PermissionModifySystem determines if a role can manage system-level
    44  	// configuration.
    45  	PermissionModifySystem = "modify_system"
    46  )
    47  
    48  // Role represents a user role within Gophish. Each user has a single role
    49  // which maps to a set of permissions.
    50  type Role struct {
    51  	ID          int64        `json:"id"`
    52  	Slug        string       `json:"slug"`
    53  	Name        string       `json:"name"`
    54  	Description string       `json:"description"`
    55  	Permissions []Permission `json:"-" gorm:"many2many:role_permissions;"`
    56  }
    57  
    58  // Permission determines what a particular role can do. Each role may have one
    59  // or more permissions.
    60  type Permission struct {
    61  	ID          int64  `json:"id"`
    62  	Slug        string `json:"slug"`
    63  	Name        string `json:"name"`
    64  	Description string `json:"description"`
    65  }
    66  
    67  // GetRoleBySlug returns a role that can be assigned to a user.
    68  func GetRoleBySlug(slug string) (Role, error) {
    69  	role := Role{}
    70  	err := db.Where("slug=?", slug).First(&role).Error
    71  	return role, err
    72  }
    73  
    74  // HasPermission checks to see if the user has a role with the requested
    75  // permission.
    76  func (u *User) HasPermission(slug string) (bool, error) {
    77  	perm := []Permission{}
    78  	err := db.Model(Role{ID: u.RoleID}).Where("slug=?", slug).Association("Permissions").Find(&perm).Error
    79  	if err != nil {
    80  		return false, err
    81  	}
    82  	// Gorm doesn't return an ErrRecordNotFound whe scanning into a slice, so
    83  	// we need to check the length (ref jinzhu/gorm#228)
    84  	if len(perm) == 0 {
    85  		return false, nil
    86  	}
    87  	return true, nil
    88  }