github.com/adacta-ru/mattermost-server/v6@v6.0.0/api4/role.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See LICENSE.txt for license information. 3 4 package api4 5 6 import ( 7 "net/http" 8 9 "github.com/adacta-ru/mattermost-server/v6/audit" 10 "github.com/adacta-ru/mattermost-server/v6/model" 11 ) 12 13 var allowedPermissions = []string{ 14 model.PERMISSION_CREATE_TEAM.Id, 15 model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, 16 model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, 17 model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, 18 model.PERMISSION_MANAGE_OAUTH.Id, 19 model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id, 20 model.PERMISSION_CREATE_EMOJIS.Id, 21 model.PERMISSION_DELETE_EMOJIS.Id, 22 model.PERMISSION_EDIT_OTHERS_POSTS.Id, 23 } 24 25 var notAllowedPermissions = []string{ 26 model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES.Id, 27 model.PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_SYSTEM_ROLES.Id, 28 model.PERMISSION_MANAGE_ROLES.Id, 29 } 30 31 func (api *API) InitRole() { 32 api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getRole)).Methods("GET") 33 api.BaseRoutes.Roles.Handle("/name/{role_name:[a-z0-9_]+}", api.ApiSessionRequiredTrustRequester(getRoleByName)).Methods("GET") 34 api.BaseRoutes.Roles.Handle("/names", api.ApiSessionRequiredTrustRequester(getRolesByNames)).Methods("POST") 35 api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchRole)).Methods("PUT") 36 } 37 38 func getRole(c *Context, w http.ResponseWriter, r *http.Request) { 39 c.RequireRoleId() 40 if c.Err != nil { 41 return 42 } 43 44 role, err := c.App.GetRole(c.Params.RoleId) 45 if err != nil { 46 c.Err = err 47 return 48 } 49 50 w.Write([]byte(role.ToJson())) 51 } 52 53 func getRoleByName(c *Context, w http.ResponseWriter, r *http.Request) { 54 c.RequireRoleName() 55 if c.Err != nil { 56 return 57 } 58 59 role, err := c.App.GetRoleByName(c.Params.RoleName) 60 if err != nil { 61 c.Err = err 62 return 63 } 64 65 w.Write([]byte(role.ToJson())) 66 } 67 68 func getRolesByNames(c *Context, w http.ResponseWriter, r *http.Request) { 69 rolenames := model.ArrayFromJson(r.Body) 70 71 if len(rolenames) == 0 { 72 c.SetInvalidParam("rolenames") 73 return 74 } 75 76 cleanedRoleNames, valid := model.CleanRoleNames(rolenames) 77 if !valid { 78 c.SetInvalidParam("rolename") 79 return 80 } 81 82 roles, err := c.App.GetRolesByNames(cleanedRoleNames) 83 if err != nil { 84 c.Err = err 85 return 86 } 87 88 w.Write([]byte(model.RoleListToJson(roles))) 89 } 90 91 func patchRole(c *Context, w http.ResponseWriter, r *http.Request) { 92 c.RequireRoleId() 93 if c.Err != nil { 94 return 95 } 96 97 patch := model.RolePatchFromJson(r.Body) 98 if patch == nil { 99 c.SetInvalidParam("role") 100 return 101 } 102 103 auditRec := c.MakeAuditRecord("patchRole", audit.Fail) 104 defer c.LogAuditRec(auditRec) 105 106 oldRole, err := c.App.GetRole(c.Params.RoleId) 107 if err != nil { 108 c.Err = err 109 return 110 } 111 auditRec.AddMeta("role", oldRole) 112 113 // manage_system permission is required to patch system_admin 114 requiredPermission := model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS 115 specialProtectedSystemRoles := append(model.NewSystemRoleIDs, model.SYSTEM_ADMIN_ROLE_ID) 116 for _, roleID := range specialProtectedSystemRoles { 117 if oldRole.Name == roleID { 118 requiredPermission = model.PERMISSION_MANAGE_SYSTEM 119 } 120 } 121 if !c.App.SessionHasPermissionTo(*c.App.Session(), requiredPermission) { 122 c.SetPermissionError(requiredPermission) 123 return 124 } 125 126 isGuest := oldRole.Name == model.SYSTEM_GUEST_ROLE_ID || oldRole.Name == model.TEAM_GUEST_ROLE_ID || oldRole.Name == model.CHANNEL_GUEST_ROLE_ID 127 if c.App.Srv().License() == nil && patch.Permissions != nil { 128 if isGuest { 129 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented) 130 return 131 } 132 133 changedPermissions := model.PermissionsChangedByPatch(oldRole, patch) 134 for _, permission := range changedPermissions { 135 allowed := false 136 for _, allowedPermission := range allowedPermissions { 137 if permission == allowedPermission { 138 allowed = true 139 } 140 } 141 142 if !allowed { 143 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented) 144 return 145 } 146 } 147 } 148 149 if patch.Permissions != nil { 150 deltaPermissions := model.PermissionsChangedByPatch(oldRole, patch) 151 152 for _, permission := range deltaPermissions { 153 notAllowed := false 154 for _, notAllowedPermission := range notAllowedPermissions { 155 if permission == notAllowedPermission { 156 notAllowed = true 157 } 158 } 159 160 if notAllowed { 161 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.not_allowed_permission.error", nil, "Cannot add or remove permission: "+permission, http.StatusNotImplemented) 162 return 163 } 164 } 165 } 166 167 if c.App.Srv().License() != nil && isGuest && !*c.App.Srv().License().Features.GuestAccountsPermissions { 168 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented) 169 return 170 } 171 172 if oldRole.Name == model.TEAM_ADMIN_ROLE_ID || oldRole.Name == model.CHANNEL_ADMIN_ROLE_ID || oldRole.Name == model.SYSTEM_USER_ROLE_ID || oldRole.Name == model.TEAM_USER_ROLE_ID || oldRole.Name == model.CHANNEL_USER_ROLE_ID || oldRole.Name == model.SYSTEM_GUEST_ROLE_ID || oldRole.Name == model.TEAM_GUEST_ROLE_ID || oldRole.Name == model.CHANNEL_GUEST_ROLE_ID { 173 if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS) { 174 c.SetPermissionError(model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS) 175 return 176 } 177 } else { 178 if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES) { 179 c.SetPermissionError(model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES) 180 return 181 } 182 } 183 184 role, err := c.App.PatchRole(oldRole, patch) 185 if err != nil { 186 c.Err = err 187 return 188 } 189 190 auditRec.Success() 191 auditRec.AddMeta("patch", role) 192 c.LogAudit("") 193 194 w.Write([]byte(role.ToJson())) 195 }