
     1  // Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
     2  // See License.txt for license information.
     3  
     4  package utils
     5  
     6  import (
     7  	"github.com/mattermost/mattermost-server/model"
     8  )
     9  
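// grant appends permissionIDs to the Permissions of the role stored under
// roleID in roles. It is a plain append: nothing is de-duplicated, and a
// roleID that is absent from roles dereferences a nil *model.Role and panics,
// exactly as the inline appends it replaces did.
func grant(roles map[string]*model.Role, roleID string, permissionIDs ...string) {
	role := roles[roleID]
	role.Permissions = append(role.Permissions, permissionIDs...)
}

// grantChannelCreation applies one of the deprecated Restrict*ChannelCreation
// settings. Unlicensed servers give permissionID to every team user. Licensed
// servers give it to team users for PERMISSIONS_ALL, to team admins for
// PERMISSIONS_TEAM_ADMIN, and to nobody for any other value. restriction is
// dereferenced only on licensed servers.
func grantChannelCreation(roles map[string]*model.Role, isLicensed bool, restriction *string, permissionID string) {
	if !isLicensed {
		grant(roles, model.TEAM_USER_ROLE_ID, permissionID)
		return
	}
	switch *restriction {
	case model.PERMISSIONS_ALL:
		grant(roles, model.TEAM_USER_ROLE_ID, permissionID)
	case model.PERMISSIONS_TEAM_ADMIN:
		grant(roles, model.TEAM_ADMIN_ROLE_ID, permissionID)
	}
}

// grantChannelAction applies one of the deprecated Restrict*ChannelManagement,
// Restrict*ChannelDeletion or RestrictPrivateChannelManageMembers settings.
// Unlicensed servers give permissionID to every channel user. Licensed servers
// give it to channel users for PERMISSIONS_ALL, to both team admins and
// channel admins for PERMISSIONS_CHANNEL_ADMIN, to team admins only for
// PERMISSIONS_TEAM_ADMIN, and to nobody for any other value. restriction is
// dereferenced only on licensed servers.
func grantChannelAction(roles map[string]*model.Role, isLicensed bool, restriction *string, permissionID string) {
	if !isLicensed {
		grant(roles, model.CHANNEL_USER_ROLE_ID, permissionID)
		return
	}
	switch *restriction {
	case model.PERMISSIONS_ALL:
		grant(roles, model.CHANNEL_USER_ROLE_ID, permissionID)
	case model.PERMISSIONS_CHANNEL_ADMIN:
		grant(roles, model.TEAM_ADMIN_ROLE_ID, permissionID)
		grant(roles, model.CHANNEL_ADMIN_ROLE_ID, permissionID)
	case model.PERMISSIONS_TEAM_ADMIN:
		grant(roles, model.TEAM_ADMIN_ROLE_ID, permissionID)
	}
}

// SetRolePermissionsFromConfig translates the deprecated, config-driven
// permission settings in cfg into permission IDs appended to the built-in
// roles in roles, and returns that same map.
//
// The *model.Role values in roles are mutated in place; the returned map is
// the one passed in. Every append is additive and not de-duplicated, so a
// role that already holds one of these permissions keeps the duplicate.
//
// isLicensed selects the behaviour: an unlicensed server always receives the
// most permissive ("all users") outcome for each setting, while a licensed
// server honours the setting's value. When a licensed server's setting holds
// a value that matches none of the recognised constants, nobody is granted
// that permission (the switches have no default), so an unexpected value
// fails closed rather than open.
//
// Every role ID referenced below must be present in roles and every
// DEPRECATED_DO_NOT_USE_* field read below must be non-nil; a missing role or
// a nil setting panics. (Presumably the config defaults populate the
// settings before this runs — confirm against the caller.)
func SetRolePermissionsFromConfig(roles map[string]*model.Role, cfg *model.Config, isLicensed bool) map[string]*model.Role {
	// Channel creation, management, deletion and private-channel membership
	// all follow two fixed role ladders; see the helpers for the mapping.
	grantChannelCreation(roles, isLicensed, cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPublicChannelCreation, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id)
	grantChannelAction(roles, isLicensed, cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPublicChannelManagement, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id)
	grantChannelAction(roles, isLicensed, cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPublicChannelDeletion, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id)
	grantChannelCreation(roles, isLicensed, cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateChannelCreation, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id)
	grantChannelAction(roles, isLicensed, cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateChannelManagement, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id)
	grantChannelAction(roles, isLicensed, cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateChannelDeletion, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id)
	grantChannelAction(roles, isLicensed, cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateChannelManageMembers, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id)

	// Integrations: unless they are restricted to admins, every team user may
	// manage webhooks and slash commands and every system user may manage
	// OAuth apps. This one is not gated on the license.
	if !*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_EnableOnlyAdminIntegrations {
		grant(roles, model.TEAM_USER_ROLE_ID,
			model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
		)
		grant(roles, model.SYSTEM_USER_ROLE_ID, model.PERMISSION_MANAGE_OAUTH.Id)
	}

	// Inviting and adding users to a team. Only the two listed values grant
	// anything on a licensed server.
	if isLicensed {
		switch *cfg.TeamSettings.DEPRECATED_DO_NOT_USE_RestrictTeamInvite {
		case model.PERMISSIONS_TEAM_ADMIN:
			grant(roles, model.TEAM_ADMIN_ROLE_ID,
				model.PERMISSION_INVITE_USER.Id,
				model.PERMISSION_ADD_USER_TO_TEAM.Id,
			)
		case model.PERMISSIONS_ALL:
			grant(roles, model.TEAM_USER_ROLE_ID,
				model.PERMISSION_INVITE_USER.Id,
				model.PERMISSION_ADD_USER_TO_TEAM.Id,
			)
		}
	} else {
		grant(roles, model.TEAM_USER_ROLE_ID,
			model.PERMISSION_INVITE_USER.Id,
			model.PERMISSION_ADD_USER_TO_TEAM.Id,
		)
	}

	// Post deletion. Team admins always receive DELETE_OTHERS_POSTS together
	// with DELETE_POST when either recognised value is set; channel users only
	// get DELETE_POST under the "all" value (or when unlicensed).
	if isLicensed {
		switch *cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictPostDelete {
		case model.PERMISSIONS_DELETE_POST_ALL:
			grant(roles, model.CHANNEL_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
			grant(roles, model.TEAM_ADMIN_ROLE_ID,
				model.PERMISSION_DELETE_POST.Id,
				model.PERMISSION_DELETE_OTHERS_POSTS.Id,
			)
		case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
			grant(roles, model.TEAM_ADMIN_ROLE_ID,
				model.PERMISSION_DELETE_POST.Id,
				model.PERMISSION_DELETE_OTHERS_POSTS.Id,
			)
		}
	} else {
		grant(roles, model.CHANNEL_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
		grant(roles, model.TEAM_ADMIN_ROLE_ID,
			model.PERMISSION_DELETE_POST.Id,
			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
		)
	}

	// Team creation is a system-level permission and is not gated on the
	// license.
	if *cfg.TeamSettings.DEPRECATED_DO_NOT_USE_EnableTeamCreation {
		grant(roles, model.SYSTEM_USER_ROLE_ID, model.PERMISSION_CREATE_TEAM.Id)
	}

	// Post editing: "always" and "time limit" both grant EDIT_POST (the time
	// limit itself is enforced elsewhere, not through permissions); any other
	// value grants nothing on a licensed server.
	if isLicensed {
		switch *cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost {
		case model.ALLOW_EDIT_POST_ALWAYS, model.ALLOW_EDIT_POST_TIME_LIMIT:
			grant(roles, model.CHANNEL_USER_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
			grant(roles, model.SYSTEM_ADMIN_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
		}
	} else {
		grant(roles, model.CHANNEL_USER_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
		grant(roles, model.SYSTEM_ADMIN_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
	}

	return roles
}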