github.com/coincircle/mattermost-server@v4.8.1-0.20180321182714-9d701c704416+incompatible/app/authorization.go (about) 1 // Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved. 2 // See License.txt for license information. 3 4 package app 5 6 import ( 7 "net/http" 8 "strings" 9 10 l4g "github.com/alecthomas/log4go" 11 "github.com/mattermost/mattermost-server/model" 12 ) 13 14 func (a *App) SessionHasPermissionTo(session model.Session, permission *model.Permission) bool { 15 if !a.CheckIfRolesGrantPermission(session.GetUserRoles(), permission.Id) { 16 a.ClearSessionCacheForUser(session.UserId) 17 return false 18 } 19 20 return true 21 } 22 23 /// DO NOT USE: LEGACY 24 func (a *App) SessionHasPermissionToTeam(session model.Session, teamId string, permission *model.Permission) bool { 25 if teamId == "" { 26 return false 27 } 28 29 teamMember := session.GetTeamByTeamId(teamId) 30 if teamMember != nil { 31 if a.CheckIfRolesGrantPermission(teamMember.GetRoles(), permission.Id) { 32 return true 33 } 34 } 35 36 return a.CheckIfRolesGrantPermission(session.GetUserRoles(), permission.Id) 37 } 38 39 func (a *App) SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool { 40 if channelId == "" { 41 return false 42 } 43 44 cmc := a.Srv.Store.Channel().GetAllChannelMembersForUser(session.UserId, true) 45 46 var channelRoles []string 47 if cmcresult := <-cmc; cmcresult.Err == nil { 48 ids := cmcresult.Data.(map[string]string) 49 if roles, ok := ids[channelId]; ok { 50 channelRoles = strings.Fields(roles) 51 if a.CheckIfRolesGrantPermission(channelRoles, permission.Id) { 52 return true 53 } 54 } 55 } 56 57 channel, err := a.GetChannel(channelId) 58 if err == nil && channel.TeamId != "" { 59 return a.SessionHasPermissionToTeam(session, channel.TeamId, permission) 60 } else if err != nil && err.StatusCode == http.StatusNotFound { 61 return false 62 } 63 64 return a.SessionHasPermissionTo(session, permission) 65 } 66 67 func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId string, permission *model.Permission) bool { 68 var channelMember *model.ChannelMember 69 if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, session.UserId); result.Err == nil { 70 channelMember = result.Data.(*model.ChannelMember) 71 72 if a.CheckIfRolesGrantPermission(channelMember.GetRoles(), permission.Id) { 73 return true 74 } 75 } 76 77 if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil { 78 channel := result.Data.(*model.Channel) 79 return a.SessionHasPermissionToTeam(session, channel.TeamId, permission) 80 } 81 82 return a.SessionHasPermissionTo(session, permission) 83 } 84 85 func (a *App) SessionHasPermissionToUser(session model.Session, userId string) bool { 86 if userId == "" { 87 return false 88 } 89 90 if session.UserId == userId { 91 return true 92 } 93 94 if a.SessionHasPermissionTo(session, model.PERMISSION_EDIT_OTHER_USERS) { 95 return true 96 } 97 98 return false 99 } 100 101 func (a *App) SessionHasPermissionToPost(session model.Session, postId string, permission *model.Permission) bool { 102 post, err := a.GetSinglePost(postId) 103 if err != nil { 104 return false 105 } 106 107 if post.UserId == session.UserId { 108 return true 109 } 110 111 return a.SessionHasPermissionToChannel(session, post.ChannelId, permission) 112 } 113 114 func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission) bool { 115 user, err := a.GetUser(askingUserId) 116 if err != nil { 117 return false 118 } 119 120 roles := user.GetRoles() 121 122 return a.CheckIfRolesGrantPermission(roles, permission.Id) 123 } 124 125 func (a *App) HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool { 126 if teamId == "" || askingUserId == "" { 127 return false 128 } 129 130 teamMember, err := a.GetTeamMember(teamId, askingUserId) 131 if err != nil { 132 return false 133 } 134 135 roles := teamMember.GetRoles() 136 137 if a.CheckIfRolesGrantPermission(roles, permission.Id) { 138 return true 139 } 140 141 return a.HasPermissionTo(askingUserId, permission) 142 } 143 144 func (a *App) HasPermissionToChannel(askingUserId string, channelId string, permission *model.Permission) bool { 145 if channelId == "" || askingUserId == "" { 146 return false 147 } 148 149 channelMember, err := a.GetChannelMember(channelId, askingUserId) 150 if err == nil { 151 roles := channelMember.GetRoles() 152 if a.CheckIfRolesGrantPermission(roles, permission.Id) { 153 return true 154 } 155 } 156 157 var channel *model.Channel 158 channel, err = a.GetChannel(channelId) 159 if err == nil { 160 return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission) 161 } 162 163 return a.HasPermissionTo(askingUserId, permission) 164 } 165 166 func (a *App) HasPermissionToChannelByPost(askingUserId string, postId string, permission *model.Permission) bool { 167 var channelMember *model.ChannelMember 168 if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, askingUserId); result.Err == nil { 169 channelMember = result.Data.(*model.ChannelMember) 170 171 if a.CheckIfRolesGrantPermission(channelMember.GetRoles(), permission.Id) { 172 return true 173 } 174 } 175 176 if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil { 177 channel := result.Data.(*model.Channel) 178 return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission) 179 } 180 181 return a.HasPermissionTo(askingUserId, permission) 182 } 183 184 func (a *App) CheckIfRolesGrantPermission(roles []string, permissionId string) bool { 185 for _, roleId := range roles { 186 if role := a.Role(roleId); role == nil { 187 l4g.Debug("Bad role in system " + roleId) 188 return false 189 } else { 190 permissions := role.Permissions 191 for _, permission := range permissions { 192 if permission == permissionId { 193 return true 194 } 195 } 196 } 197 } 198 199 return false 200 }