github.com/demisto/mattermost-server@v4.9.0-rc3+incompatible/app/authorization.go

github.com/demisto/mattermost-server@v4.9.0-rc3+incompatible/app/authorization.go (about)

     1  // Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
     2  // See License.txt for license information.
     3  
     4  package app
     5  
     6  import (
     7  	"net/http"
     8  	"strings"
     9  
    10  	l4g "github.com/alecthomas/log4go"
    11  	"github.com/mattermost/mattermost-server/model"
    12  )
    13  
    14  func (a *App) SessionHasPermissionTo(session model.Session, permission *model.Permission) bool {
    15  	if !a.RolesGrantPermission(session.GetUserRoles(), permission.Id) {
    16  		a.ClearSessionCacheForUser(session.UserId)
    17  		return false
    18  	}
    19  
    20  	return true
    21  }
    22  
    23  /// DO NOT USE: LEGACY
    24  func (a *App) SessionHasPermissionToTeam(session model.Session, teamId string, permission *model.Permission) bool {
    25  	if teamId == "" {
    26  		return false
    27  	}
    28  
    29  	teamMember := session.GetTeamByTeamId(teamId)
    30  	if teamMember != nil {
    31  		if a.RolesGrantPermission(teamMember.GetRoles(), permission.Id) {
    32  			return true
    33  		}
    34  	}
    35  
    36  	return a.RolesGrantPermission(session.GetUserRoles(), permission.Id)
    37  }
    38  
    39  func (a *App) SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool {
    40  	if channelId == "" {
    41  		return false
    42  	}
    43  
    44  	cmc := a.Srv.Store.Channel().GetAllChannelMembersForUser(session.UserId, true)
    45  
    46  	var channelRoles []string
    47  	if cmcresult := <-cmc; cmcresult.Err == nil {
    48  		ids := cmcresult.Data.(map[string]string)
    49  		if roles, ok := ids[channelId]; ok {
    50  			channelRoles = strings.Fields(roles)
    51  			if a.RolesGrantPermission(channelRoles, permission.Id) {
    52  				return true
    53  			}
    54  		}
    55  	}
    56  
    57  	channel, err := a.GetChannel(channelId)
    58  	if err == nil && channel.TeamId != "" {
    59  		return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
    60  	} else if err != nil && err.StatusCode == http.StatusNotFound {
    61  		return false
    62  	}
    63  
    64  	return a.SessionHasPermissionTo(session, permission)
    65  }
    66  
    67  func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId string, permission *model.Permission) bool {
    68  	var channelMember *model.ChannelMember
    69  	if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, session.UserId); result.Err == nil {
    70  		channelMember = result.Data.(*model.ChannelMember)
    71  
    72  		if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
    73  			return true
    74  		}
    75  	}
    76  
    77  	if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
    78  		channel := result.Data.(*model.Channel)
    79  		return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
    80  	}
    81  
    82  	return a.SessionHasPermissionTo(session, permission)
    83  }
    84  
    85  func (a *App) SessionHasPermissionToUser(session model.Session, userId string) bool {
    86  	if userId == "" {
    87  		return false
    88  	}
    89  
    90  	if session.UserId == userId {
    91  		return true
    92  	}
    93  
    94  	if a.SessionHasPermissionTo(session, model.PERMISSION_EDIT_OTHER_USERS) {
    95  		return true
    96  	}
    97  
    98  	return false
    99  }
   100  
   101  func (a *App) SessionHasPermissionToPost(session model.Session, postId string, permission *model.Permission) bool {
   102  	post, err := a.GetSinglePost(postId)
   103  	if err != nil {
   104  		return false
   105  	}
   106  
   107  	if post.UserId == session.UserId {
   108  		return true
   109  	}
   110  
   111  	return a.SessionHasPermissionToChannel(session, post.ChannelId, permission)
   112  }
   113  
   114  func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission) bool {
   115  	user, err := a.GetUser(askingUserId)
   116  	if err != nil {
   117  		return false
   118  	}
   119  
   120  	roles := user.GetRoles()
   121  
   122  	return a.RolesGrantPermission(roles, permission.Id)
   123  }
   124  
   125  func (a *App) HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool {
   126  	if teamId == "" || askingUserId == "" {
   127  		return false
   128  	}
   129  
   130  	teamMember, err := a.GetTeamMember(teamId, askingUserId)
   131  	if err != nil {
   132  		return false
   133  	}
   134  
   135  	roles := teamMember.GetRoles()
   136  
   137  	if a.RolesGrantPermission(roles, permission.Id) {
   138  		return true
   139  	}
   140  
   141  	return a.HasPermissionTo(askingUserId, permission)
   142  }
   143  
   144  func (a *App) HasPermissionToChannel(askingUserId string, channelId string, permission *model.Permission) bool {
   145  	if channelId == "" || askingUserId == "" {
   146  		return false
   147  	}
   148  
   149  	channelMember, err := a.GetChannelMember(channelId, askingUserId)
   150  	if err == nil {
   151  		roles := channelMember.GetRoles()
   152  		if a.RolesGrantPermission(roles, permission.Id) {
   153  			return true
   154  		}
   155  	}
   156  
   157  	var channel *model.Channel
   158  	channel, err = a.GetChannel(channelId)
   159  	if err == nil {
   160  		return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission)
   161  	}
   162  
   163  	return a.HasPermissionTo(askingUserId, permission)
   164  }
   165  
   166  func (a *App) HasPermissionToChannelByPost(askingUserId string, postId string, permission *model.Permission) bool {
   167  	var channelMember *model.ChannelMember
   168  	if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, askingUserId); result.Err == nil {
   169  		channelMember = result.Data.(*model.ChannelMember)
   170  
   171  		if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
   172  			return true
   173  		}
   174  	}
   175  
   176  	if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
   177  		channel := result.Data.(*model.Channel)
   178  		return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission)
   179  	}
   180  
   181  	return a.HasPermissionTo(askingUserId, permission)
   182  }
   183  
   184  func (a *App) HasPermissionToUser(askingUserId string, userId string) bool {
   185  	if askingUserId == userId {
   186  		return true
   187  	}
   188  
   189  	if a.HasPermissionTo(askingUserId, model.PERMISSION_EDIT_OTHER_USERS) {
   190  		return true
   191  	}
   192  
   193  	return false
   194  }
   195  
   196  func (a *App) RolesGrantPermission(roleNames []string, permissionId string) bool {
   197  	roles, err := a.GetRolesByNames(roleNames)
   198  	if err != nil {
   199  		// This should only happen if something is very broken. We can't realistically
   200  		// recover the situation, so deny permission and log an error.
   201  		l4g.Error("Failed to get roles from database with role names: " + strings.Join(roleNames, ","))
   202  		l4g.Error(err)
   203  		return false
   204  	}
   205  
   206  	for _, role := range roles {
   207  		permissions := role.Permissions
   208  		for _, permission := range permissions {
   209  			if permission == permissionId {
   210  				return true
   211  			}
   212  		}
   213  	}
   214  
   215  	return false
   216  }