
     1  // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
     2  // See LICENSE.txt for license information.
     3  
     4  package api4
     5  
     6  import (
     7  	"net/http"
     8  
     9  	"github.com/adacta-ru/mattermost-server/v6/audit"
    10  	"github.com/adacta-ru/mattermost-server/v6/model"
    11  )
    12  
// allowedPermissions lists the permission ids that patchRole accepts as added
// or removed on a role when the server has no licence. Any other permission
// change on an unlicensed server is rejected with an
// api.roles.patch_roles.license.error response.
var allowedPermissions = []string{
	model.PERMISSION_CREATE_TEAM.Id,
	model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
	model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
	model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
	model.PERMISSION_MANAGE_OAUTH.Id,
	model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
	model.PERMISSION_CREATE_EMOJIS.Id,
	model.PERMISSION_DELETE_EMOJIS.Id,
	model.PERMISSION_EDIT_OTHERS_POSTS.Id,
}
    24  
// notAllowedPermissions lists the permission ids that patchRole never allows
// to be added to or removed from a role, licensed or not. Guarding these keeps
// a caller from using the patch endpoint to grant itself (or another role) the
// ability to manage roles and system-role permissions.
var notAllowedPermissions = []string{
	model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES.Id,
	model.PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_SYSTEM_ROLES.Id,
	model.PERMISSION_MANAGE_ROLES.Id,
}
    30  
// InitRole registers the role endpoints on api.BaseRoutes.Roles. The three
// read endpoints accept a trusted-requester session; the patch endpoint
// requires a full session.
func (api *API) InitRole() {
	roles := api.BaseRoutes.Roles

	roles.Handle("/{role_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getRole)).Methods("GET")
	roles.Handle("/name/{role_name:[a-z0-9_]+}", api.ApiSessionRequiredTrustRequester(getRoleByName)).Methods("GET")
	roles.Handle("/names", api.ApiSessionRequiredTrustRequester(getRolesByNames)).Methods("POST")
	roles.Handle("/{role_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchRole)).Methods("PUT")
}
    37  
// getRole handles GET /roles/{role_id}: it looks the role up by id through the
// app layer and writes it to w as JSON. Errors are reported via c.Err.
func getRole(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireRoleId(); c.Err != nil {
		return
	}

	role, appErr := c.App.GetRole(c.Params.RoleId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	w.Write([]byte(role.ToJson()))
}
    52  
// getRoleByName handles GET /roles/name/{role_name}: it looks the role up by
// name through the app layer and writes it to w as JSON. Errors are reported
// via c.Err.
func getRoleByName(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireRoleName(); c.Err != nil {
		return
	}

	role, appErr := c.App.GetRoleByName(c.Params.RoleName)
	if appErr != nil {
		c.Err = appErr
		return
	}

	w.Write([]byte(role.ToJson()))
}
    67  
// getRolesByNames handles POST /roles/names. The body is a JSON array of role
// names; an empty array or a name that model.CleanRoleNames rejects is an
// invalid-parameter error. The matching roles are written to w as a JSON list.
func getRolesByNames(c *Context, w http.ResponseWriter, r *http.Request) {
	requested := model.ArrayFromJson(r.Body)
	if len(requested) == 0 {
		c.SetInvalidParam("rolenames")
		return
	}

	// Role names are validated/normalised before they reach the store.
	names, ok := model.CleanRoleNames(requested)
	if !ok {
		c.SetInvalidParam("rolename")
		return
	}

	roles, appErr := c.App.GetRolesByNames(names)
	if appErr != nil {
		c.Err = appErr
		return
	}

	w.Write([]byte(model.RoleListToJson(roles)))
}
    90  
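// patchRole handles PUT /roles/{role_id}/patch. It loads the existing role,
// enforces the authorization and licence rules below, applies the patch
// through the app layer and writes the updated role to w as JSON. Errors are
// reported via c.Err.
//
// Rules, in the order they are checked:
//   - patching system_admin or one of model.NewSystemRoleIDs requires
//     manage_system; any other role requires
//     sysconsole_write_user_management_permissions.
//   - with no licence, guest roles cannot have their permissions changed and
//     every changed permission must be listed in allowedPermissions.
//   - the permissions in notAllowedPermissions can never be added or removed.
//   - with a licence, guest roles can only be changed when the licence's
//     GuestAccountsPermissions feature is enabled.
//   - the built-in team/channel/user/guest roles require
//     sysconsole_write_user_management_permissions; any other role requires
//     sysconsole_write_user_management_system_roles.
//
// An audit record is created before the role is read; it starts as audit.Fail
// and is marked successful only after the patch has been persisted.
func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireRoleId()
	if c.Err != nil {
		return
	}

	patch := model.RolePatchFromJson(r.Body)
	if patch == nil {
		c.SetInvalidParam("role")
		return
	}

	auditRec := c.MakeAuditRecord("patchRole", audit.Fail)
	defer c.LogAuditRec(auditRec)

	oldRole, err := c.App.GetRole(c.Params.RoleId)
	if err != nil {
		c.Err = err
		return
	}
	auditRec.AddMeta("role", oldRole)

	// manage_system permission is required to patch system_admin and the other
	// protected system roles. The membership test lives in a helper so that
	// the protected list is never built by appending to model.NewSystemRoleIDs:
	// appending to a shared slice with spare capacity would write into its
	// backing array, which other callers may be reading at the same time.
	requiredPermission := model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS
	if isProtectedSystemRole(oldRole.Name) {
		requiredPermission = model.PERMISSION_MANAGE_SYSTEM
	}
	if !c.App.SessionHasPermissionTo(*c.App.Session(), requiredPermission) {
		c.SetPermissionError(requiredPermission)
		return
	}

	isGuest := oldRole.Name == model.SYSTEM_GUEST_ROLE_ID || oldRole.Name == model.TEAM_GUEST_ROLE_ID || oldRole.Name == model.CHANNEL_GUEST_ROLE_ID
	// Read the licence once so every check below sees the same value.
	license := c.App.Srv().License()

	if patch.Permissions != nil {
		if license == nil && isGuest {
			c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented)
			return
		}

		// Computed once; the original computed the same delta separately for
		// the licence check and the not-allowed check.
		changedPermissions := model.PermissionsChangedByPatch(oldRole, patch)

		// Without a licence only the permissions in allowedPermissions may
		// change. This whole pass runs before the not-allowed pass so the
		// error precedence matches the previous behaviour.
		if license == nil {
			for _, permission := range changedPermissions {
				if !containsPermission(allowedPermissions, permission) {
					c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented)
					return
				}
			}
		}

		// Regardless of licence, role-management permissions can never be
		// granted or revoked through this endpoint.
		for _, permission := range changedPermissions {
			if containsPermission(notAllowedPermissions, permission) {
				c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.not_allowed_permission.error", nil, "Cannot add or remove permission: "+permission, http.StatusNotImplemented)
				return
			}
		}
	}

	if license != nil && isGuest && !*license.Features.GuestAccountsPermissions {
		c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented)
		return
	}

	// Built-in (non-system-admin) roles and custom/system roles are gated by
	// different sysconsole permissions.
	if isBuiltInMemberRole(oldRole.Name) {
		if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS) {
			c.SetPermissionError(model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS)
			return
		}
	} else {
		if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES) {
			c.SetPermissionError(model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES)
			return
		}
	}

	role, err := c.App.PatchRole(oldRole, patch)
	if err != nil {
		c.Err = err
		return
	}

	auditRec.Success()
	auditRec.AddMeta("patch", role)
	c.LogAudit("")

	w.Write([]byte(role.ToJson()))
}

// isProtectedSystemRole reports whether name is system_admin or one of
// model.NewSystemRoleIDs — the roles whose patching requires manage_system.
func isProtectedSystemRole(name string) bool {
	if name == model.SYSTEM_ADMIN_ROLE_ID {
		return true
	}
	for _, id := range model.NewSystemRoleIDs {
		if name == id {
			return true
		}
	}
	return false
}

// isBuiltInMemberRole reports whether name is one of the built-in
// team/channel admin, user or guest roles (system_admin is deliberately not
// included; it is covered by isProtectedSystemRole).
func isBuiltInMemberRole(name string) bool {
	switch name {
	case model.TEAM_ADMIN_ROLE_ID,
		model.CHANNEL_ADMIN_ROLE_ID,
		model.SYSTEM_USER_ROLE_ID,
		model.TEAM_USER_ROLE_ID,
		model.CHANNEL_USER_ROLE_ID,
		model.SYSTEM_GUEST_ROLE_ID,
		model.TEAM_GUEST_ROLE_ID,
		model.CHANNEL_GUEST_ROLE_ID:
		return true
	}
	return false
}

// containsPermission reports whether permission is one of the ids in list.
func containsPermission(list []string, permission string) bool {
	for _, id := range list {
		if id == permission {
			return true
		}
	}
	return false
}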