github.com/haalcala/mattermost-server-change-repo/v5@v5.33.2/model/role.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See LICENSE.txt for license information. 3 4 package model 5 6 import ( 7 "encoding/json" 8 "io" 9 "strings" 10 ) 11 12 // SysconsoleAncillaryPermissions maps the non-sysconsole permissions required by each sysconsole view. 13 var SysconsoleAncillaryPermissions map[string][]*Permission 14 var SystemManagerDefaultPermissions []string 15 var SystemUserManagerDefaultPermissions []string 16 var SystemReadOnlyAdminDefaultPermissions []string 17 18 var BuiltInSchemeManagedRoleIDs []string 19 20 var NewSystemRoleIDs []string 21 22 func init() { 23 NewSystemRoleIDs = []string{ 24 SYSTEM_USER_MANAGER_ROLE_ID, 25 SYSTEM_READ_ONLY_ADMIN_ROLE_ID, 26 SYSTEM_MANAGER_ROLE_ID, 27 } 28 29 BuiltInSchemeManagedRoleIDs = append([]string{ 30 SYSTEM_GUEST_ROLE_ID, 31 SYSTEM_USER_ROLE_ID, 32 SYSTEM_ADMIN_ROLE_ID, 33 SYSTEM_POST_ALL_ROLE_ID, 34 SYSTEM_POST_ALL_PUBLIC_ROLE_ID, 35 SYSTEM_USER_ACCESS_TOKEN_ROLE_ID, 36 37 TEAM_GUEST_ROLE_ID, 38 TEAM_USER_ROLE_ID, 39 TEAM_ADMIN_ROLE_ID, 40 TEAM_POST_ALL_ROLE_ID, 41 TEAM_POST_ALL_PUBLIC_ROLE_ID, 42 43 CHANNEL_GUEST_ROLE_ID, 44 CHANNEL_USER_ROLE_ID, 45 CHANNEL_ADMIN_ROLE_ID, 46 }, NewSystemRoleIDs...) 47 48 // When updating the values here, the values in mattermost-redux must also be updated. 49 SysconsoleAncillaryPermissions = map[string][]*Permission{ 50 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id: { 51 PERMISSION_READ_PUBLIC_CHANNEL, 52 PERMISSION_READ_CHANNEL, 53 PERMISSION_READ_PUBLIC_CHANNEL_GROUPS, 54 PERMISSION_READ_PRIVATE_CHANNEL_GROUPS, 55 }, 56 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_USERS.Id: { 57 PERMISSION_READ_OTHER_USERS_TEAMS, 58 }, 59 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id: { 60 PERMISSION_LIST_PRIVATE_TEAMS, 61 PERMISSION_LIST_PUBLIC_TEAMS, 62 PERMISSION_VIEW_TEAM, 63 }, 64 PERMISSION_SYSCONSOLE_WRITE_COMPLIANCE.Id: { 65 PERMISSION_MANAGE_JOBS, 66 }, 67 PERMISSION_SYSCONSOLE_READ_COMPLIANCE.Id: { 68 PERMISSION_READ_JOBS, 69 PERMISSION_DOWNLOAD_COMPLIANCE_EXPORT_RESULT, 70 }, 71 PERMISSION_SYSCONSOLE_READ_ENVIRONMENT.Id: { 72 PERMISSION_READ_JOBS, 73 }, 74 PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id: { 75 PERMISSION_READ_JOBS, 76 }, 77 PERMISSION_SYSCONSOLE_READ_REPORTING.Id: { 78 PERMISSION_VIEW_TEAM, 79 }, 80 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_USERS.Id: { 81 PERMISSION_EDIT_OTHER_USERS, 82 PERMISSION_DEMOTE_TO_GUEST, 83 PERMISSION_PROMOTE_GUEST, 84 }, 85 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS.Id: { 86 PERMISSION_MANAGE_TEAM, 87 PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES, 88 PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES, 89 PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS, 90 PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS, 91 PERMISSION_DELETE_PRIVATE_CHANNEL, 92 PERMISSION_DELETE_PUBLIC_CHANNEL, 93 PERMISSION_MANAGE_CHANNEL_ROLES, 94 PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE, 95 PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC, 96 }, 97 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS.Id: { 98 PERMISSION_MANAGE_TEAM, 99 PERMISSION_MANAGE_TEAM_ROLES, 100 PERMISSION_REMOVE_USER_FROM_TEAM, 101 PERMISSION_JOIN_PRIVATE_TEAMS, 102 PERMISSION_JOIN_PUBLIC_TEAMS, 103 PERMISSION_ADD_USER_TO_TEAM, 104 }, 105 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS.Id: { 106 PERMISSION_MANAGE_TEAM, 107 PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS, 108 PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS, 109 PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE, 110 PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC, 111 }, 112 PERMISSION_SYSCONSOLE_WRITE_ENVIRONMENT.Id: { 113 PERMISSION_MANAGE_JOBS, 114 }, 115 PERMISSION_SYSCONSOLE_WRITE_SITE.Id: { 116 PERMISSION_EDIT_BRAND, 117 }, 118 } 119 120 SystemUserManagerDefaultPermissions = []string{ 121 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS.Id, 122 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id, 123 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id, 124 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS.Id, 125 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS.Id, 126 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS.Id, 127 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS.Id, 128 PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id, 129 } 130 131 SystemReadOnlyAdminDefaultPermissions = []string{ 132 PERMISSION_SYSCONSOLE_READ_ABOUT.Id, 133 PERMISSION_SYSCONSOLE_READ_REPORTING.Id, 134 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_USERS.Id, 135 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS.Id, 136 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id, 137 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id, 138 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS.Id, 139 PERMISSION_SYSCONSOLE_READ_ENVIRONMENT.Id, 140 PERMISSION_SYSCONSOLE_READ_SITE.Id, 141 PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id, 142 PERMISSION_SYSCONSOLE_READ_PLUGINS.Id, 143 PERMISSION_SYSCONSOLE_READ_COMPLIANCE.Id, 144 PERMISSION_SYSCONSOLE_READ_INTEGRATIONS.Id, 145 PERMISSION_SYSCONSOLE_READ_EXPERIMENTAL.Id, 146 } 147 148 SystemManagerDefaultPermissions = []string{ 149 PERMISSION_SYSCONSOLE_READ_ABOUT.Id, 150 PERMISSION_SYSCONSOLE_READ_REPORTING.Id, 151 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS.Id, 152 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id, 153 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id, 154 PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS.Id, 155 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS.Id, 156 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS.Id, 157 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS.Id, 158 PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS.Id, 159 PERMISSION_SYSCONSOLE_READ_ENVIRONMENT.Id, 160 PERMISSION_SYSCONSOLE_WRITE_ENVIRONMENT.Id, 161 PERMISSION_SYSCONSOLE_READ_SITE.Id, 162 PERMISSION_SYSCONSOLE_WRITE_SITE.Id, 163 PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id, 164 PERMISSION_SYSCONSOLE_READ_PLUGINS.Id, 165 PERMISSION_SYSCONSOLE_READ_INTEGRATIONS.Id, 166 PERMISSION_SYSCONSOLE_WRITE_INTEGRATIONS.Id, 167 } 168 169 // Add the ancillary permissions to each system role 170 SystemUserManagerDefaultPermissions = addAncillaryPermissions(SystemUserManagerDefaultPermissions) 171 SystemReadOnlyAdminDefaultPermissions = addAncillaryPermissions(SystemReadOnlyAdminDefaultPermissions) 172 SystemManagerDefaultPermissions = addAncillaryPermissions(SystemManagerDefaultPermissions) 173 } 174 175 type RoleType string 176 type RoleScope string 177 178 const ( 179 SYSTEM_GUEST_ROLE_ID = "system_guest" 180 SYSTEM_USER_ROLE_ID = "system_user" 181 SYSTEM_ADMIN_ROLE_ID = "system_admin" 182 SYSTEM_POST_ALL_ROLE_ID = "system_post_all" 183 SYSTEM_POST_ALL_PUBLIC_ROLE_ID = "system_post_all_public" 184 SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token" 185 SYSTEM_USER_MANAGER_ROLE_ID = "system_user_manager" 186 SYSTEM_READ_ONLY_ADMIN_ROLE_ID = "system_read_only_admin" 187 SYSTEM_MANAGER_ROLE_ID = "system_manager" 188 189 TEAM_GUEST_ROLE_ID = "team_guest" 190 TEAM_USER_ROLE_ID = "team_user" 191 TEAM_ADMIN_ROLE_ID = "team_admin" 192 TEAM_POST_ALL_ROLE_ID = "team_post_all" 193 TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public" 194 195 CHANNEL_GUEST_ROLE_ID = "channel_guest" 196 CHANNEL_USER_ROLE_ID = "channel_user" 197 CHANNEL_ADMIN_ROLE_ID = "channel_admin" 198 199 ROLE_NAME_MAX_LENGTH = 64 200 ROLE_DISPLAY_NAME_MAX_LENGTH = 128 201 ROLE_DESCRIPTION_MAX_LENGTH = 1024 202 203 RoleScopeSystem RoleScope = "System" 204 RoleScopeTeam RoleScope = "Team" 205 RoleScopeChannel RoleScope = "Channel" 206 207 RoleTypeGuest RoleType = "Guest" 208 RoleTypeUser RoleType = "User" 209 RoleTypeAdmin RoleType = "Admin" 210 ) 211 212 type Role struct { 213 Id string `json:"id"` 214 Name string `json:"name"` 215 DisplayName string `json:"display_name"` 216 Description string `json:"description"` 217 CreateAt int64 `json:"create_at"` 218 UpdateAt int64 `json:"update_at"` 219 DeleteAt int64 `json:"delete_at"` 220 Permissions []string `json:"permissions"` 221 SchemeManaged bool `json:"scheme_managed"` 222 BuiltIn bool `json:"built_in"` 223 } 224 225 type RolePatch struct { 226 Permissions *[]string `json:"permissions"` 227 } 228 229 type RolePermissions struct { 230 RoleID string 231 Permissions []string 232 } 233 234 func (r *Role) ToJson() string { 235 b, _ := json.Marshal(r) 236 return string(b) 237 } 238 239 func RoleFromJson(data io.Reader) *Role { 240 var r *Role 241 json.NewDecoder(data).Decode(&r) 242 return r 243 } 244 245 func RoleListToJson(r []*Role) string { 246 b, _ := json.Marshal(r) 247 return string(b) 248 } 249 250 func RoleListFromJson(data io.Reader) []*Role { 251 var roles []*Role 252 json.NewDecoder(data).Decode(&roles) 253 return roles 254 } 255 256 func (r *RolePatch) ToJson() string { 257 b, _ := json.Marshal(r) 258 return string(b) 259 } 260 261 func RolePatchFromJson(data io.Reader) *RolePatch { 262 var rolePatch *RolePatch 263 json.NewDecoder(data).Decode(&rolePatch) 264 return rolePatch 265 } 266 267 func (r *Role) Patch(patch *RolePatch) { 268 if patch.Permissions != nil { 269 r.Permissions = *patch.Permissions 270 } 271 } 272 273 // MergeChannelHigherScopedPermissions is meant to be invoked on a channel scheme's role and merges the higher-scoped 274 // channel role's permissions. 275 func (r *Role) MergeChannelHigherScopedPermissions(higherScopedPermissions *RolePermissions) { 276 mergedPermissions := []string{} 277 278 higherScopedPermissionsMap := AsStringBoolMap(higherScopedPermissions.Permissions) 279 rolePermissionsMap := AsStringBoolMap(r.Permissions) 280 281 for _, cp := range AllPermissions { 282 if cp.Scope != PermissionScopeChannel { 283 continue 284 } 285 286 _, presentOnHigherScope := higherScopedPermissionsMap[cp.Id] 287 288 // For the channel admin role always look to the higher scope to determine if the role has their permission. 289 // The channel admin is a special case because they're not part of the UI to be "channel moderated", only 290 // channel members and channel guests are. 291 if higherScopedPermissions.RoleID == CHANNEL_ADMIN_ROLE_ID && presentOnHigherScope { 292 mergedPermissions = append(mergedPermissions, cp.Id) 293 continue 294 } 295 296 _, permissionIsModerated := ChannelModeratedPermissionsMap[cp.Id] 297 if permissionIsModerated { 298 _, presentOnRole := rolePermissionsMap[cp.Id] 299 if presentOnRole && presentOnHigherScope { 300 mergedPermissions = append(mergedPermissions, cp.Id) 301 } 302 } else { 303 if presentOnHigherScope { 304 mergedPermissions = append(mergedPermissions, cp.Id) 305 } 306 } 307 } 308 309 r.Permissions = mergedPermissions 310 } 311 312 // Returns an array of permissions that are in either role.Permissions 313 // or patch.Permissions, but not both. 314 func PermissionsChangedByPatch(role *Role, patch *RolePatch) []string { 315 var result []string 316 317 if patch.Permissions == nil { 318 return result 319 } 320 321 roleMap := make(map[string]bool) 322 patchMap := make(map[string]bool) 323 324 for _, permission := range role.Permissions { 325 roleMap[permission] = true 326 } 327 328 for _, permission := range *patch.Permissions { 329 patchMap[permission] = true 330 } 331 332 for _, permission := range role.Permissions { 333 if !patchMap[permission] { 334 result = append(result, permission) 335 } 336 } 337 338 for _, permission := range *patch.Permissions { 339 if !roleMap[permission] { 340 result = append(result, permission) 341 } 342 } 343 344 return result 345 } 346 347 func ChannelModeratedPermissionsChangedByPatch(role *Role, patch *RolePatch) []string { 348 var result []string 349 350 if role == nil { 351 return result 352 } 353 354 if patch.Permissions == nil { 355 return result 356 } 357 358 roleMap := make(map[string]bool) 359 patchMap := make(map[string]bool) 360 361 for _, permission := range role.Permissions { 362 if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found { 363 roleMap[channelModeratedPermissionName] = true 364 } 365 } 366 367 for _, permission := range *patch.Permissions { 368 if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found { 369 patchMap[channelModeratedPermissionName] = true 370 } 371 } 372 373 for permissionKey := range roleMap { 374 if !patchMap[permissionKey] { 375 result = append(result, permissionKey) 376 } 377 } 378 379 for permissionKey := range patchMap { 380 if !roleMap[permissionKey] { 381 result = append(result, permissionKey) 382 } 383 } 384 385 return result 386 } 387 388 // GetChannelModeratedPermissions returns a map of channel moderated permissions that the role has access to 389 func (r *Role) GetChannelModeratedPermissions(channelType string) map[string]bool { 390 moderatedPermissions := make(map[string]bool) 391 for _, permission := range r.Permissions { 392 if _, found := ChannelModeratedPermissionsMap[permission]; !found { 393 continue 394 } 395 396 for moderated, moderatedPermissionValue := range ChannelModeratedPermissionsMap { 397 // the moderated permission has already been found to be true so skip this iteration 398 if moderatedPermissions[moderatedPermissionValue] { 399 continue 400 } 401 402 if moderated == permission { 403 // Special case where the channel moderated permission for `manage_members` is different depending on whether the channel is private or public 404 if moderated == PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id || moderated == PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id { 405 canManagePublic := channelType == CHANNEL_OPEN && moderated == PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id 406 canManagePrivate := channelType == CHANNEL_PRIVATE && moderated == PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id 407 moderatedPermissions[moderatedPermissionValue] = canManagePublic || canManagePrivate 408 } else { 409 moderatedPermissions[moderatedPermissionValue] = true 410 } 411 } 412 } 413 } 414 415 return moderatedPermissions 416 } 417 418 // RolePatchFromChannelModerationsPatch Creates and returns a RolePatch based on a slice of ChannelModerationPatchs, roleName is expected to be either "members" or "guests". 419 func (r *Role) RolePatchFromChannelModerationsPatch(channelModerationsPatch []*ChannelModerationPatch, roleName string) *RolePatch { 420 permissionsToAddToPatch := make(map[string]bool) 421 422 // Iterate through the list of existing permissions on the role and append permissions that we want to keep. 423 for _, permission := range r.Permissions { 424 // Permission is not moderated so dont add it to the patch and skip the channelModerationsPatch 425 if _, isModerated := ChannelModeratedPermissionsMap[permission]; !isModerated { 426 continue 427 } 428 429 permissionEnabled := true 430 // Check if permission has a matching moderated permission name inside the channel moderation patch 431 for _, channelModerationPatch := range channelModerationsPatch { 432 if *channelModerationPatch.Name == ChannelModeratedPermissionsMap[permission] { 433 // Permission key exists in patch with a value of false so skip over it 434 if roleName == "members" { 435 if channelModerationPatch.Roles.Members != nil && !*channelModerationPatch.Roles.Members { 436 permissionEnabled = false 437 } 438 } else if roleName == "guests" { 439 if channelModerationPatch.Roles.Guests != nil && !*channelModerationPatch.Roles.Guests { 440 permissionEnabled = false 441 } 442 } 443 } 444 } 445 446 if permissionEnabled { 447 permissionsToAddToPatch[permission] = true 448 } 449 } 450 451 // Iterate through the patch and add any permissions that dont already exist on the role 452 for _, channelModerationPatch := range channelModerationsPatch { 453 for permission, moderatedPermissionName := range ChannelModeratedPermissionsMap { 454 if roleName == "members" && channelModerationPatch.Roles.Members != nil && *channelModerationPatch.Roles.Members && *channelModerationPatch.Name == moderatedPermissionName { 455 permissionsToAddToPatch[permission] = true 456 } 457 458 if roleName == "guests" && channelModerationPatch.Roles.Guests != nil && *channelModerationPatch.Roles.Guests && *channelModerationPatch.Name == moderatedPermissionName { 459 permissionsToAddToPatch[permission] = true 460 } 461 } 462 } 463 464 patchPermissions := make([]string, 0, len(permissionsToAddToPatch)) 465 for permission := range permissionsToAddToPatch { 466 patchPermissions = append(patchPermissions, permission) 467 } 468 469 return &RolePatch{Permissions: &patchPermissions} 470 } 471 472 func (r *Role) IsValid() bool { 473 if !IsValidId(r.Id) { 474 return false 475 } 476 477 return r.IsValidWithoutId() 478 } 479 480 func (r *Role) IsValidWithoutId() bool { 481 if !IsValidRoleName(r.Name) { 482 return false 483 } 484 485 if r.DisplayName == "" || len(r.DisplayName) > ROLE_DISPLAY_NAME_MAX_LENGTH { 486 return false 487 } 488 489 if len(r.Description) > ROLE_DESCRIPTION_MAX_LENGTH { 490 return false 491 } 492 493 check := func(perms []*Permission, permission string) bool { 494 for _, p := range perms { 495 if permission == p.Id { 496 return true 497 } 498 } 499 return false 500 } 501 for _, permission := range r.Permissions { 502 permissionValidated := check(AllPermissions, permission) || check(DeprecatedPermissions, permission) 503 if !permissionValidated { 504 return false 505 } 506 } 507 508 return true 509 } 510 511 func CleanRoleNames(roleNames []string) ([]string, bool) { 512 var cleanedRoleNames []string 513 for _, roleName := range roleNames { 514 if strings.TrimSpace(roleName) == "" { 515 continue 516 } 517 518 if !IsValidRoleName(roleName) { 519 return roleNames, false 520 } 521 522 cleanedRoleNames = append(cleanedRoleNames, roleName) 523 } 524 525 return cleanedRoleNames, true 526 } 527 528 func IsValidRoleName(roleName string) bool { 529 if roleName == "" || len(roleName) > ROLE_NAME_MAX_LENGTH { 530 return false 531 } 532 533 if strings.TrimLeft(roleName, "abcdefghijklmnopqrstuvwxyz0123456789_") != "" { 534 return false 535 } 536 537 return true 538 } 539 540 func MakeDefaultRoles() map[string]*Role { 541 roles := make(map[string]*Role) 542 543 roles[CHANNEL_GUEST_ROLE_ID] = &Role{ 544 Name: "channel_guest", 545 DisplayName: "authentication.roles.channel_guest.name", 546 Description: "authentication.roles.channel_guest.description", 547 Permissions: []string{ 548 PERMISSION_READ_CHANNEL.Id, 549 PERMISSION_ADD_REACTION.Id, 550 PERMISSION_REMOVE_REACTION.Id, 551 PERMISSION_UPLOAD_FILE.Id, 552 PERMISSION_EDIT_POST.Id, 553 PERMISSION_CREATE_POST.Id, 554 PERMISSION_USE_CHANNEL_MENTIONS.Id, 555 PERMISSION_USE_SLASH_COMMANDS.Id, 556 }, 557 SchemeManaged: true, 558 BuiltIn: true, 559 } 560 561 roles[CHANNEL_USER_ROLE_ID] = &Role{ 562 Name: "channel_user", 563 DisplayName: "authentication.roles.channel_user.name", 564 Description: "authentication.roles.channel_user.description", 565 Permissions: []string{ 566 PERMISSION_READ_CHANNEL.Id, 567 PERMISSION_ADD_REACTION.Id, 568 PERMISSION_REMOVE_REACTION.Id, 569 PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id, 570 PERMISSION_UPLOAD_FILE.Id, 571 PERMISSION_GET_PUBLIC_LINK.Id, 572 PERMISSION_CREATE_POST.Id, 573 PERMISSION_USE_CHANNEL_MENTIONS.Id, 574 PERMISSION_USE_SLASH_COMMANDS.Id, 575 }, 576 SchemeManaged: true, 577 BuiltIn: true, 578 } 579 580 roles[CHANNEL_ADMIN_ROLE_ID] = &Role{ 581 Name: "channel_admin", 582 DisplayName: "authentication.roles.channel_admin.name", 583 Description: "authentication.roles.channel_admin.description", 584 Permissions: []string{ 585 PERMISSION_MANAGE_CHANNEL_ROLES.Id, 586 PERMISSION_USE_GROUP_MENTIONS.Id, 587 }, 588 SchemeManaged: true, 589 BuiltIn: true, 590 } 591 592 roles[TEAM_GUEST_ROLE_ID] = &Role{ 593 Name: "team_guest", 594 DisplayName: "authentication.roles.team_guest.name", 595 Description: "authentication.roles.team_guest.description", 596 Permissions: []string{ 597 PERMISSION_VIEW_TEAM.Id, 598 }, 599 SchemeManaged: true, 600 BuiltIn: true, 601 } 602 603 roles[TEAM_USER_ROLE_ID] = &Role{ 604 Name: "team_user", 605 DisplayName: "authentication.roles.team_user.name", 606 Description: "authentication.roles.team_user.description", 607 Permissions: []string{ 608 PERMISSION_LIST_TEAM_CHANNELS.Id, 609 PERMISSION_JOIN_PUBLIC_CHANNELS.Id, 610 PERMISSION_READ_PUBLIC_CHANNEL.Id, 611 PERMISSION_VIEW_TEAM.Id, 612 }, 613 SchemeManaged: true, 614 BuiltIn: true, 615 } 616 617 roles[TEAM_POST_ALL_ROLE_ID] = &Role{ 618 Name: "team_post_all", 619 DisplayName: "authentication.roles.team_post_all.name", 620 Description: "authentication.roles.team_post_all.description", 621 Permissions: []string{ 622 PERMISSION_CREATE_POST.Id, 623 PERMISSION_USE_CHANNEL_MENTIONS.Id, 624 }, 625 SchemeManaged: false, 626 BuiltIn: true, 627 } 628 629 roles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = &Role{ 630 Name: "team_post_all_public", 631 DisplayName: "authentication.roles.team_post_all_public.name", 632 Description: "authentication.roles.team_post_all_public.description", 633 Permissions: []string{ 634 PERMISSION_CREATE_POST_PUBLIC.Id, 635 PERMISSION_USE_CHANNEL_MENTIONS.Id, 636 }, 637 SchemeManaged: false, 638 BuiltIn: true, 639 } 640 641 roles[TEAM_ADMIN_ROLE_ID] = &Role{ 642 Name: "team_admin", 643 DisplayName: "authentication.roles.team_admin.name", 644 Description: "authentication.roles.team_admin.description", 645 Permissions: []string{ 646 PERMISSION_REMOVE_USER_FROM_TEAM.Id, 647 PERMISSION_MANAGE_TEAM.Id, 648 PERMISSION_IMPORT_TEAM.Id, 649 PERMISSION_MANAGE_TEAM_ROLES.Id, 650 PERMISSION_MANAGE_CHANNEL_ROLES.Id, 651 PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id, 652 PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id, 653 PERMISSION_MANAGE_SLASH_COMMANDS.Id, 654 PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id, 655 PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, 656 PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, 657 PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE.Id, 658 PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC.Id, 659 }, 660 SchemeManaged: true, 661 BuiltIn: true, 662 } 663 664 roles[SYSTEM_GUEST_ROLE_ID] = &Role{ 665 Name: "system_guest", 666 DisplayName: "authentication.roles.global_guest.name", 667 Description: "authentication.roles.global_guest.description", 668 Permissions: []string{ 669 PERMISSION_CREATE_DIRECT_CHANNEL.Id, 670 PERMISSION_CREATE_GROUP_CHANNEL.Id, 671 }, 672 SchemeManaged: true, 673 BuiltIn: true, 674 } 675 676 roles[SYSTEM_USER_ROLE_ID] = &Role{ 677 Name: "system_user", 678 DisplayName: "authentication.roles.global_user.name", 679 Description: "authentication.roles.global_user.description", 680 Permissions: []string{ 681 PERMISSION_LIST_PUBLIC_TEAMS.Id, 682 PERMISSION_JOIN_PUBLIC_TEAMS.Id, 683 PERMISSION_CREATE_DIRECT_CHANNEL.Id, 684 PERMISSION_CREATE_GROUP_CHANNEL.Id, 685 PERMISSION_VIEW_MEMBERS.Id, 686 }, 687 SchemeManaged: true, 688 BuiltIn: true, 689 } 690 691 roles[SYSTEM_POST_ALL_ROLE_ID] = &Role{ 692 Name: "system_post_all", 693 DisplayName: "authentication.roles.system_post_all.name", 694 Description: "authentication.roles.system_post_all.description", 695 Permissions: []string{ 696 PERMISSION_CREATE_POST.Id, 697 PERMISSION_USE_CHANNEL_MENTIONS.Id, 698 }, 699 SchemeManaged: false, 700 BuiltIn: true, 701 } 702 703 roles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = &Role{ 704 Name: "system_post_all_public", 705 DisplayName: "authentication.roles.system_post_all_public.name", 706 Description: "authentication.roles.system_post_all_public.description", 707 Permissions: []string{ 708 PERMISSION_CREATE_POST_PUBLIC.Id, 709 PERMISSION_USE_CHANNEL_MENTIONS.Id, 710 }, 711 SchemeManaged: false, 712 BuiltIn: true, 713 } 714 715 roles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = &Role{ 716 Name: "system_user_access_token", 717 DisplayName: "authentication.roles.system_user_access_token.name", 718 Description: "authentication.roles.system_user_access_token.description", 719 Permissions: []string{ 720 PERMISSION_CREATE_USER_ACCESS_TOKEN.Id, 721 PERMISSION_READ_USER_ACCESS_TOKEN.Id, 722 PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id, 723 }, 724 SchemeManaged: false, 725 BuiltIn: true, 726 } 727 728 roles[SYSTEM_USER_MANAGER_ROLE_ID] = &Role{ 729 Name: "system_user_manager", 730 DisplayName: "authentication.roles.system_user_manager.name", 731 Description: "authentication.roles.system_user_manager.description", 732 Permissions: SystemUserManagerDefaultPermissions, 733 SchemeManaged: false, 734 BuiltIn: true, 735 } 736 737 roles[SYSTEM_READ_ONLY_ADMIN_ROLE_ID] = &Role{ 738 Name: "system_read_only_admin", 739 DisplayName: "authentication.roles.system_read_only_admin.name", 740 Description: "authentication.roles.system_read_only_admin.description", 741 Permissions: SystemReadOnlyAdminDefaultPermissions, 742 SchemeManaged: false, 743 BuiltIn: true, 744 } 745 746 roles[SYSTEM_MANAGER_ROLE_ID] = &Role{ 747 Name: "system_manager", 748 DisplayName: "authentication.roles.system_manager.name", 749 Description: "authentication.roles.system_manager.description", 750 Permissions: SystemManagerDefaultPermissions, 751 SchemeManaged: false, 752 BuiltIn: true, 753 } 754 755 allPermissionIDs := []string{} 756 for _, permission := range AllPermissions { 757 allPermissionIDs = append(allPermissionIDs, permission.Id) 758 } 759 760 roles[SYSTEM_ADMIN_ROLE_ID] = &Role{ 761 Name: "system_admin", 762 DisplayName: "authentication.roles.global_admin.name", 763 Description: "authentication.roles.global_admin.description", 764 // System admins can do anything channel and team admins can do 765 // plus everything members of teams and channels can do to all teams 766 // and channels on the system 767 Permissions: allPermissionIDs, 768 SchemeManaged: true, 769 BuiltIn: true, 770 } 771 772 return roles 773 } 774 775 func addAncillaryPermissions(permissions []string) []string { 776 for _, permission := range permissions { 777 if ancillaryPermissions, ok := SysconsoleAncillaryPermissions[permission]; ok { 778 for _, ancillaryPermission := range ancillaryPermissions { 779 permissions = append(permissions, ancillaryPermission.Id) 780 } 781 } 782 } 783 return permissions 784 }