github.com/adacta-ru/mattermost-server/v6@v6.0.0/app/permissions_migrations.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See LICENSE.txt for license information. 3 4 package app 5 6 import ( 7 "errors" 8 "net/http" 9 "strings" 10 11 "github.com/adacta-ru/mattermost-server/v6/model" 12 "github.com/adacta-ru/mattermost-server/v6/store" 13 ) 14 15 type permissionTransformation struct { 16 On func(*model.Role, map[string]map[string]bool) bool 17 Add []string 18 Remove []string 19 } 20 type permissionsMap []permissionTransformation 21 22 const ( 23 PERMISSION_MANAGE_SYSTEM = "manage_system" 24 PERMISSION_MANAGE_TEAM = "manage_team" 25 PERMISSION_MANAGE_EMOJIS = "manage_emojis" 26 PERMISSION_MANAGE_OTHERS_EMOJIS = "manage_others_emojis" 27 PERMISSION_CREATE_EMOJIS = "create_emojis" 28 PERMISSION_DELETE_EMOJIS = "delete_emojis" 29 PERMISSION_DELETE_OTHERS_EMOJIS = "delete_others_emojis" 30 PERMISSION_MANAGE_WEBHOOKS = "manage_webhooks" 31 PERMISSION_MANAGE_OTHERS_WEBHOOKS = "manage_others_webhooks" 32 PERMISSION_MANAGE_INCOMING_WEBHOOKS = "manage_incoming_webhooks" 33 PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS = "manage_others_incoming_webhooks" 34 PERMISSION_MANAGE_OUTGOING_WEBHOOKS = "manage_outgoing_webhooks" 35 PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS = "manage_others_outgoing_webhooks" 36 PERMISSION_LIST_PUBLIC_TEAMS = "list_public_teams" 37 PERMISSION_LIST_PRIVATE_TEAMS = "list_private_teams" 38 PERMISSION_JOIN_PUBLIC_TEAMS = "join_public_teams" 39 PERMISSION_JOIN_PRIVATE_TEAMS = "join_private_teams" 40 PERMISSION_PERMANENT_DELETE_USER = "permanent_delete_user" 41 PERMISSION_CREATE_BOT = "create_bot" 42 PERMISSION_READ_BOTS = "read_bots" 43 PERMISSION_READ_OTHERS_BOTS = "read_others_bots" 44 PERMISSION_MANAGE_BOTS = "manage_bots" 45 PERMISSION_MANAGE_OTHERS_BOTS = "manage_others_bots" 46 PERMISSION_DELETE_PUBLIC_CHANNEL = "delete_public_channel" 47 PERMISSION_DELETE_PRIVATE_CHANNEL = "delete_private_channel" 48 PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES = "manage_public_channel_properties" 49 PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES = "manage_private_channel_properties" 50 PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE = "convert_public_channel_to_private" 51 PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC = "convert_private_channel_to_public" 52 PERMISSION_VIEW_MEMBERS = "view_members" 53 PERMISSION_INVITE_USER = "invite_user" 54 PERMISSION_INVITE_GUEST = "invite_guest" 55 PERMISSION_PROMOTE_GUEST = "promote_guest" 56 PERMISSION_DEMOTE_TO_GUEST = "demote_to_guest" 57 PERMISSION_USE_CHANNEL_MENTIONS = "use_channel_mentions" 58 PERMISSION_CREATE_POST = "create_post" 59 PERMISSION_CREATE_POST_PUBLIC = "create_post_public" 60 PERMISSION_USE_GROUP_MENTIONS = "use_group_mentions" 61 PERMISSION_ADD_REACTION = "add_reaction" 62 PERMISSION_REMOVE_REACTION = "remove_reaction" 63 PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS = "manage_public_channel_members" 64 PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS = "manage_private_channel_members" 65 PERMISSION_READ_JOBS = "read_jobs" 66 PERMISSION_MANAGE_JOBS = "manage_jobs" 67 PERMISSION_READ_OTHER_USERS_TEAMS = "read_other_users_teams" 68 PERMISSION_EDIT_OTHER_USERS = "edit_other_users" 69 PERMISSION_READ_PUBLIC_CHANNEL_GROUPS = "read_public_channel_groups" 70 PERMISSION_READ_PRIVATE_CHANNEL_GROUPS = "read_private_channel_groups" 71 PERMISSION_EDIT_BRAND = "edit_brand" 72 PERMISSION_MANAGE_SHARED_CHANNELS = "manage_shared_channels" 73 PERMISSION_MANAGE_REMOTE_CLUSTERS = "manage_remote_clusters" 74 ) 75 76 func isRole(roleName string) func(*model.Role, map[string]map[string]bool) bool { 77 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 78 return role.Name == roleName 79 } 80 } 81 82 func isNotRole(roleName string) func(*model.Role, map[string]map[string]bool) bool { 83 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 84 return role.Name != roleName 85 } 86 } 87 88 func isNotSchemeRole(roleName string) func(*model.Role, map[string]map[string]bool) bool { 89 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 90 return !strings.Contains(role.DisplayName, roleName) 91 } 92 } 93 94 func permissionExists(permission string) func(*model.Role, map[string]map[string]bool) bool { 95 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 96 val, ok := permissionsMap[role.Name][permission] 97 return ok && val 98 } 99 } 100 101 func permissionNotExists(permission string) func(*model.Role, map[string]map[string]bool) bool { 102 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 103 val, ok := permissionsMap[role.Name][permission] 104 return !(ok && val) 105 } 106 } 107 108 func onOtherRole(otherRole string, function func(*model.Role, map[string]map[string]bool) bool) func(*model.Role, map[string]map[string]bool) bool { 109 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 110 return function(&model.Role{Name: otherRole}, permissionsMap) 111 } 112 } 113 114 func permissionOr(funcs ...func(*model.Role, map[string]map[string]bool) bool) func(*model.Role, map[string]map[string]bool) bool { 115 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 116 for _, f := range funcs { 117 if f(role, permissionsMap) { 118 return true 119 } 120 } 121 return false 122 } 123 } 124 125 func permissionAnd(funcs ...func(*model.Role, map[string]map[string]bool) bool) func(*model.Role, map[string]map[string]bool) bool { 126 return func(role *model.Role, permissionsMap map[string]map[string]bool) bool { 127 for _, f := range funcs { 128 if !f(role, permissionsMap) { 129 return false 130 } 131 } 132 return true 133 } 134 } 135 136 func applyPermissionsMap(role *model.Role, roleMap map[string]map[string]bool, migrationMap permissionsMap) []string { 137 var result []string 138 139 roleName := role.Name 140 for _, transformation := range migrationMap { 141 if transformation.On(role, roleMap) { 142 for _, permission := range transformation.Add { 143 roleMap[roleName][permission] = true 144 } 145 for _, permission := range transformation.Remove { 146 roleMap[roleName][permission] = false 147 } 148 } 149 } 150 151 for key, active := range roleMap[roleName] { 152 if active { 153 result = append(result, key) 154 } 155 } 156 return result 157 } 158 159 func (a *App) doPermissionsMigration(key string, migrationMap permissionsMap, roles []*model.Role) *model.AppError { 160 if _, err := a.Srv().Store.System().GetByName(key); err == nil { 161 return nil 162 } 163 164 roleMap := make(map[string]map[string]bool) 165 for _, role := range roles { 166 roleMap[role.Name] = make(map[string]bool) 167 for _, permission := range role.Permissions { 168 roleMap[role.Name][permission] = true 169 } 170 } 171 172 for _, role := range roles { 173 role.Permissions = applyPermissionsMap(role, roleMap, migrationMap) 174 if _, err := a.Srv().Store.Role().Save(role); err != nil { 175 var invErr *store.ErrInvalidInput 176 switch { 177 case errors.As(err, &invErr): 178 return model.NewAppError("doPermissionsMigration", "app.role.save.invalid_role.app_error", nil, invErr.Error(), http.StatusBadRequest) 179 default: 180 return model.NewAppError("doPermissionsMigration", "app.role.save.insert.app_error", nil, err.Error(), http.StatusInternalServerError) 181 } 182 } 183 } 184 185 if err := a.Srv().Store.System().Save(&model.System{Name: key, Value: "true"}); err != nil { 186 return model.NewAppError("doPermissionsMigration", "app.system.save.app_error", nil, err.Error(), http.StatusInternalServerError) 187 } 188 return nil 189 } 190 191 func (a *App) getEmojisPermissionsSplitMigration() (permissionsMap, error) { 192 return permissionsMap{ 193 permissionTransformation{ 194 On: permissionExists(PERMISSION_MANAGE_EMOJIS), 195 Add: []string{PERMISSION_CREATE_EMOJIS, PERMISSION_DELETE_EMOJIS}, 196 Remove: []string{PERMISSION_MANAGE_EMOJIS}, 197 }, 198 permissionTransformation{ 199 On: permissionExists(PERMISSION_MANAGE_OTHERS_EMOJIS), 200 Add: []string{PERMISSION_DELETE_OTHERS_EMOJIS}, 201 Remove: []string{PERMISSION_MANAGE_OTHERS_EMOJIS}, 202 }, 203 }, nil 204 } 205 206 func (a *App) getWebhooksPermissionsSplitMigration() (permissionsMap, error) { 207 return permissionsMap{ 208 permissionTransformation{ 209 On: permissionExists(PERMISSION_MANAGE_WEBHOOKS), 210 Add: []string{PERMISSION_MANAGE_INCOMING_WEBHOOKS, PERMISSION_MANAGE_OUTGOING_WEBHOOKS}, 211 Remove: []string{PERMISSION_MANAGE_WEBHOOKS}, 212 }, 213 permissionTransformation{ 214 On: permissionExists(PERMISSION_MANAGE_OTHERS_WEBHOOKS), 215 Add: []string{PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS, PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS}, 216 Remove: []string{PERMISSION_MANAGE_OTHERS_WEBHOOKS}, 217 }, 218 }, nil 219 } 220 221 func (a *App) getListJoinPublicPrivateTeamsPermissionsMigration() (permissionsMap, error) { 222 return permissionsMap{ 223 permissionTransformation{ 224 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 225 Add: []string{PERMISSION_LIST_PRIVATE_TEAMS, PERMISSION_JOIN_PRIVATE_TEAMS}, 226 Remove: []string{}, 227 }, 228 permissionTransformation{ 229 On: isRole(model.SYSTEM_USER_ROLE_ID), 230 Add: []string{PERMISSION_LIST_PUBLIC_TEAMS, PERMISSION_JOIN_PUBLIC_TEAMS}, 231 Remove: []string{}, 232 }, 233 }, nil 234 } 235 236 func (a *App) removePermanentDeleteUserMigration() (permissionsMap, error) { 237 return permissionsMap{ 238 permissionTransformation{ 239 On: permissionExists(PERMISSION_PERMANENT_DELETE_USER), 240 Remove: []string{PERMISSION_PERMANENT_DELETE_USER}, 241 }, 242 }, nil 243 } 244 245 func (a *App) getAddBotPermissionsMigration() (permissionsMap, error) { 246 return permissionsMap{ 247 permissionTransformation{ 248 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 249 Add: []string{PERMISSION_CREATE_BOT, PERMISSION_READ_BOTS, PERMISSION_READ_OTHERS_BOTS, PERMISSION_MANAGE_BOTS, PERMISSION_MANAGE_OTHERS_BOTS}, 250 Remove: []string{}, 251 }, 252 }, nil 253 } 254 255 func (a *App) applyChannelManageDeleteToChannelUser() (permissionsMap, error) { 256 return permissionsMap{ 257 permissionTransformation{ 258 On: permissionAnd(isRole(model.CHANNEL_USER_ROLE_ID), onOtherRole(model.TEAM_USER_ROLE_ID, permissionExists(PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES))), 259 Add: []string{PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES}, 260 }, 261 permissionTransformation{ 262 On: permissionAnd(isRole(model.CHANNEL_USER_ROLE_ID), onOtherRole(model.TEAM_USER_ROLE_ID, permissionExists(PERMISSION_DELETE_PRIVATE_CHANNEL))), 263 Add: []string{PERMISSION_DELETE_PRIVATE_CHANNEL}, 264 }, 265 permissionTransformation{ 266 On: permissionAnd(isRole(model.CHANNEL_USER_ROLE_ID), onOtherRole(model.TEAM_USER_ROLE_ID, permissionExists(PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES))), 267 Add: []string{PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES}, 268 }, 269 permissionTransformation{ 270 On: permissionAnd(isRole(model.CHANNEL_USER_ROLE_ID), onOtherRole(model.TEAM_USER_ROLE_ID, permissionExists(PERMISSION_DELETE_PUBLIC_CHANNEL))), 271 Add: []string{PERMISSION_DELETE_PUBLIC_CHANNEL}, 272 }, 273 }, nil 274 } 275 276 func (a *App) removeChannelManageDeleteFromTeamUser() (permissionsMap, error) { 277 return permissionsMap{ 278 permissionTransformation{ 279 On: permissionAnd(isRole(model.TEAM_USER_ROLE_ID), permissionExists(PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES)), 280 Remove: []string{PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES}, 281 }, 282 permissionTransformation{ 283 On: permissionAnd(isRole(model.TEAM_USER_ROLE_ID), permissionExists(PERMISSION_DELETE_PRIVATE_CHANNEL)), 284 Remove: []string{model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id}, 285 }, 286 permissionTransformation{ 287 On: permissionAnd(isRole(model.TEAM_USER_ROLE_ID), permissionExists(PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES)), 288 Remove: []string{PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES}, 289 }, 290 permissionTransformation{ 291 On: permissionAnd(isRole(model.TEAM_USER_ROLE_ID), permissionExists(PERMISSION_DELETE_PUBLIC_CHANNEL)), 292 Remove: []string{PERMISSION_DELETE_PUBLIC_CHANNEL}, 293 }, 294 }, nil 295 } 296 297 func (a *App) getViewMembersPermissionMigration() (permissionsMap, error) { 298 return permissionsMap{ 299 permissionTransformation{ 300 On: isRole(model.SYSTEM_USER_ROLE_ID), 301 Add: []string{PERMISSION_VIEW_MEMBERS}, 302 }, 303 permissionTransformation{ 304 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 305 Add: []string{PERMISSION_VIEW_MEMBERS}, 306 }, 307 }, nil 308 } 309 310 func (a *App) getAddManageGuestsPermissionsMigration() (permissionsMap, error) { 311 return permissionsMap{ 312 permissionTransformation{ 313 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 314 Add: []string{PERMISSION_PROMOTE_GUEST, PERMISSION_DEMOTE_TO_GUEST, PERMISSION_INVITE_GUEST}, 315 }, 316 }, nil 317 } 318 319 func (a *App) channelModerationPermissionsMigration() (permissionsMap, error) { 320 transformations := permissionsMap{} 321 322 var allTeamSchemes []*model.Scheme 323 next := a.SchemesIterator(model.SCHEME_SCOPE_TEAM, 100) 324 var schemeBatch []*model.Scheme 325 for schemeBatch = next(); len(schemeBatch) > 0; schemeBatch = next() { 326 allTeamSchemes = append(allTeamSchemes, schemeBatch...) 327 } 328 329 moderatedPermissionsMinusCreatePost := []string{ 330 PERMISSION_ADD_REACTION, 331 PERMISSION_REMOVE_REACTION, 332 PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS, 333 PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS, 334 PERMISSION_USE_CHANNEL_MENTIONS, 335 } 336 337 teamAndChannelAdminConditionalTransformations := func(teamAdminID, channelAdminID, channelUserID, channelGuestID string) []permissionTransformation { 338 transformations := []permissionTransformation{} 339 340 for _, perm := range moderatedPermissionsMinusCreatePost { 341 // add each moderated permission to the channel admin if channel user or guest has the permission 342 trans := permissionTransformation{ 343 On: permissionAnd( 344 isRole(channelAdminID), 345 permissionOr( 346 onOtherRole(channelUserID, permissionExists(perm)), 347 onOtherRole(channelGuestID, permissionExists(perm)), 348 ), 349 ), 350 Add: []string{perm}, 351 } 352 transformations = append(transformations, trans) 353 354 // add each moderated permission to the team admin if channel admin, user, or guest has the permission 355 trans = permissionTransformation{ 356 On: permissionAnd( 357 isRole(teamAdminID), 358 permissionOr( 359 onOtherRole(channelAdminID, permissionExists(perm)), 360 onOtherRole(channelUserID, permissionExists(perm)), 361 onOtherRole(channelGuestID, permissionExists(perm)), 362 ), 363 ), 364 Add: []string{perm}, 365 } 366 transformations = append(transformations, trans) 367 } 368 369 return transformations 370 } 371 372 for _, ts := range allTeamSchemes { 373 // ensure all team scheme channel admins have create_post because it's not exposed via the UI 374 trans := permissionTransformation{ 375 On: isRole(ts.DefaultChannelAdminRole), 376 Add: []string{PERMISSION_CREATE_POST}, 377 } 378 transformations = append(transformations, trans) 379 380 // ensure all team scheme team admins have create_post because it's not exposed via the UI 381 trans = permissionTransformation{ 382 On: isRole(ts.DefaultTeamAdminRole), 383 Add: []string{PERMISSION_CREATE_POST}, 384 } 385 transformations = append(transformations, trans) 386 387 // conditionally add all other moderated permissions to team and channel admins 388 transformations = append(transformations, teamAndChannelAdminConditionalTransformations( 389 ts.DefaultTeamAdminRole, 390 ts.DefaultChannelAdminRole, 391 ts.DefaultChannelUserRole, 392 ts.DefaultChannelGuestRole, 393 )...) 394 } 395 396 // ensure team admins have create_post 397 transformations = append(transformations, permissionTransformation{ 398 On: isRole(model.TEAM_ADMIN_ROLE_ID), 399 Add: []string{PERMISSION_CREATE_POST}, 400 }) 401 402 // ensure channel admins have create_post 403 transformations = append(transformations, permissionTransformation{ 404 On: isRole(model.CHANNEL_ADMIN_ROLE_ID), 405 Add: []string{PERMISSION_CREATE_POST}, 406 }) 407 408 // conditionally add all other moderated permissions to team and channel admins 409 transformations = append(transformations, teamAndChannelAdminConditionalTransformations( 410 model.TEAM_ADMIN_ROLE_ID, 411 model.CHANNEL_ADMIN_ROLE_ID, 412 model.CHANNEL_USER_ROLE_ID, 413 model.CHANNEL_GUEST_ROLE_ID, 414 )...) 415 416 // ensure system admin has all of the moderated permissions 417 transformations = append(transformations, permissionTransformation{ 418 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 419 Add: append(moderatedPermissionsMinusCreatePost, PERMISSION_CREATE_POST), 420 }) 421 422 // add the new use_channel_mentions permission to everyone who has create_post 423 transformations = append(transformations, permissionTransformation{ 424 On: permissionOr(permissionExists(PERMISSION_CREATE_POST), permissionExists(PERMISSION_CREATE_POST_PUBLIC)), 425 Add: []string{PERMISSION_USE_CHANNEL_MENTIONS}, 426 }) 427 428 return transformations, nil 429 } 430 431 func (a *App) getAddUseGroupMentionsPermissionMigration() (permissionsMap, error) { 432 return permissionsMap{ 433 permissionTransformation{ 434 On: permissionAnd( 435 isNotRole(model.CHANNEL_GUEST_ROLE_ID), 436 isNotSchemeRole("Channel Guest Role for Scheme"), 437 permissionOr(permissionExists(PERMISSION_CREATE_POST), permissionExists(PERMISSION_CREATE_POST_PUBLIC)), 438 ), 439 Add: []string{PERMISSION_USE_GROUP_MENTIONS}, 440 }, 441 }, nil 442 } 443 444 func (a *App) getAddSystemConsolePermissionsMigration() (permissionsMap, error) { 445 transformations := []permissionTransformation{} 446 447 permissionsToAdd := []string{} 448 for _, permission := range append(model.SysconsoleReadPermissions, model.SysconsoleWritePermissions...) { 449 permissionsToAdd = append(permissionsToAdd, permission.Id) 450 } 451 452 // add the new permissions to system admin 453 transformations = append(transformations, 454 permissionTransformation{ 455 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 456 Add: permissionsToAdd, 457 }) 458 459 // add read_jobs to all roles with manage_jobs 460 transformations = append(transformations, permissionTransformation{ 461 On: permissionExists(PERMISSION_MANAGE_JOBS), 462 Add: []string{PERMISSION_READ_JOBS}, 463 }) 464 465 // add read_other_users_teams to all roles with edit_other_users 466 transformations = append(transformations, permissionTransformation{ 467 On: permissionExists(PERMISSION_EDIT_OTHER_USERS), 468 Add: []string{PERMISSION_READ_OTHER_USERS_TEAMS}, 469 }) 470 471 // add read_public_channel_groups to all roles with manage_public_channel_members 472 transformations = append(transformations, permissionTransformation{ 473 On: permissionExists(PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS), 474 Add: []string{PERMISSION_READ_PUBLIC_CHANNEL_GROUPS}, 475 }) 476 477 // add read_private_channel_groups to all roles with manage_private_channel_members 478 transformations = append(transformations, permissionTransformation{ 479 On: permissionExists(PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS), 480 Add: []string{PERMISSION_READ_PRIVATE_CHANNEL_GROUPS}, 481 }) 482 483 // add edit_brand to all roles with manage_system 484 transformations = append(transformations, permissionTransformation{ 485 On: permissionExists(PERMISSION_MANAGE_SYSTEM), 486 Add: []string{PERMISSION_EDIT_BRAND}, 487 }) 488 489 return transformations, nil 490 } 491 492 func (a *App) getAddConvertChannelPermissionsMigration() (permissionsMap, error) { 493 return permissionsMap{ 494 permissionTransformation{ 495 On: permissionExists(PERMISSION_MANAGE_TEAM), 496 Add: []string{PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE, PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC}, 497 }, 498 }, nil 499 } 500 501 func (a *App) getSystemRolesPermissionsMigration() (permissionsMap, error) { 502 return permissionsMap{ 503 permissionTransformation{ 504 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 505 Add: []string{model.PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_SYSTEM_ROLES.Id, model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES.Id}, 506 }, 507 }, nil 508 } 509 510 func (a *App) getAddManageSharedChannelsPermissionsMigration() (permissionsMap, error) { 511 return permissionsMap{ 512 permissionTransformation{ 513 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 514 Add: []string{PERMISSION_MANAGE_SHARED_CHANNELS}, 515 }, 516 }, nil 517 } 518 519 func (a *App) getBillingPermissionsMigration() (permissionsMap, error) { 520 return permissionsMap{ 521 permissionTransformation{ 522 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 523 Add: []string{model.PERMISSION_SYSCONSOLE_READ_BILLING.Id, model.PERMISSION_SYSCONSOLE_WRITE_BILLING.Id}, 524 }, 525 }, nil 526 } 527 528 func (a *App) getAddManageRemoteClustersPermissionsMigration() (permissionsMap, error) { 529 return permissionsMap{ 530 permissionTransformation{ 531 On: isRole(model.SYSTEM_ADMIN_ROLE_ID), 532 Add: []string{PERMISSION_MANAGE_REMOTE_CLUSTERS}, 533 }, 534 }, nil 535 } 536 537 // DoPermissionsMigrations execute all the permissions migrations need by the current version. 538 func (a *App) DoPermissionsMigrations() error { 539 PermissionsMigrations := []struct { 540 Key string 541 Migration func() (permissionsMap, error) 542 }{ 543 {Key: model.MIGRATION_KEY_EMOJI_PERMISSIONS_SPLIT, Migration: a.getEmojisPermissionsSplitMigration}, 544 {Key: model.MIGRATION_KEY_WEBHOOK_PERMISSIONS_SPLIT, Migration: a.getWebhooksPermissionsSplitMigration}, 545 {Key: model.MIGRATION_KEY_LIST_JOIN_PUBLIC_PRIVATE_TEAMS, Migration: a.getListJoinPublicPrivateTeamsPermissionsMigration}, 546 {Key: model.MIGRATION_KEY_REMOVE_PERMANENT_DELETE_USER, Migration: a.removePermanentDeleteUserMigration}, 547 {Key: model.MIGRATION_KEY_ADD_BOT_PERMISSIONS, Migration: a.getAddBotPermissionsMigration}, 548 {Key: model.MIGRATION_KEY_APPLY_CHANNEL_MANAGE_DELETE_TO_CHANNEL_USER, Migration: a.applyChannelManageDeleteToChannelUser}, 549 {Key: model.MIGRATION_KEY_REMOVE_CHANNEL_MANAGE_DELETE_FROM_TEAM_USER, Migration: a.removeChannelManageDeleteFromTeamUser}, 550 {Key: model.MIGRATION_KEY_VIEW_MEMBERS_NEW_PERMISSION, Migration: a.getViewMembersPermissionMigration}, 551 {Key: model.MIGRATION_KEY_ADD_MANAGE_GUESTS_PERMISSIONS, Migration: a.getAddManageGuestsPermissionsMigration}, 552 {Key: model.MIGRATION_KEY_CHANNEL_MODERATIONS_PERMISSIONS, Migration: a.channelModerationPermissionsMigration}, 553 {Key: model.MIGRATION_KEY_ADD_USE_GROUP_MENTIONS_PERMISSION, Migration: a.getAddUseGroupMentionsPermissionMigration}, 554 {Key: model.MIGRATION_KEY_ADD_SYSTEM_CONSOLE_PERMISSIONS, Migration: a.getAddSystemConsolePermissionsMigration}, 555 {Key: model.MIGRATION_KEY_ADD_CONVERT_CHANNEL_PERMISSIONS, Migration: a.getAddConvertChannelPermissionsMigration}, 556 {Key: model.MIGRATION_KEY_ADD_MANAGE_SHARED_CHANNEL_PERMISSIONS, Migration: a.getAddManageSharedChannelsPermissionsMigration}, 557 {Key: model.MIGRATION_KEY_ADD_MANAGE_REMOTE_CLUSTERS_PERMISSIONS, Migration: a.getAddManageRemoteClustersPermissionsMigration}, 558 {Key: model.MIGRATION_KEY_ADD_SYSTEM_ROLES_PERMISSIONS, Migration: a.getSystemRolesPermissionsMigration}, 559 {Key: model.MIGRATION_KEY_ADD_BILLING_PERMISSIONS, Migration: a.getBillingPermissionsMigration}, 560 } 561 562 roles, err := a.GetAllRoles() 563 if err != nil { 564 return err 565 } 566 567 for _, migration := range PermissionsMigrations { 568 migMap, err := migration.Migration() 569 if err != nil { 570 return err 571 } 572 if err := a.doPermissionsMigration(migration.Key, migMap, roles); err != nil { 573 return err 574 } 575 } 576 return nil 577 }