github.com/jlevesy/mattermost-server@v5.3.2-0.20181003190404-7468f35cb0c8+incompatible/app/authorization.go (about)

     1  // Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
     2  // See License.txt for license information.
     3  
     4  package app
     5  
     6  import (
     7  	"fmt"
     8  	"net/http"
     9  	"strings"
    10  
    11  	"github.com/mattermost/mattermost-server/mlog"
    12  	"github.com/mattermost/mattermost-server/model"
    13  )
    14  
    15  func (a *App) SessionHasPermissionTo(session model.Session, permission *model.Permission) bool {
    16  	return a.RolesGrantPermission(session.GetUserRoles(), permission.Id)
    17  }
    18  
    19  /// DO NOT USE: LEGACY
    20  func (a *App) SessionHasPermissionToTeam(session model.Session, teamId string, permission *model.Permission) bool {
    21  	if teamId == "" {
    22  		return false
    23  	}
    24  
    25  	teamMember := session.GetTeamByTeamId(teamId)
    26  	if teamMember != nil {
    27  		if a.RolesGrantPermission(teamMember.GetRoles(), permission.Id) {
    28  			return true
    29  		}
    30  	}
    31  
    32  	return a.RolesGrantPermission(session.GetUserRoles(), permission.Id)
    33  }
    34  
    35  func (a *App) SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool {
    36  	if channelId == "" {
    37  		return false
    38  	}
    39  
    40  	cmc := a.Srv.Store.Channel().GetAllChannelMembersForUser(session.UserId, true, true)
    41  
    42  	var channelRoles []string
    43  	if cmcresult := <-cmc; cmcresult.Err == nil {
    44  		ids := cmcresult.Data.(map[string]string)
    45  		if roles, ok := ids[channelId]; ok {
    46  			channelRoles = strings.Fields(roles)
    47  			if a.RolesGrantPermission(channelRoles, permission.Id) {
    48  				return true
    49  			}
    50  		}
    51  	}
    52  
    53  	channel, err := a.GetChannel(channelId)
    54  	if err == nil && channel.TeamId != "" {
    55  		return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
    56  	}
    57  
    58  	if err != nil && err.StatusCode == http.StatusNotFound {
    59  		return false
    60  	}
    61  
    62  	return a.SessionHasPermissionTo(session, permission)
    63  }
    64  
    65  func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId string, permission *model.Permission) bool {
    66  	var channelMember *model.ChannelMember
    67  	if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, session.UserId); result.Err == nil {
    68  		channelMember = result.Data.(*model.ChannelMember)
    69  
    70  		if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
    71  			return true
    72  		}
    73  	}
    74  
    75  	if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
    76  		channel := result.Data.(*model.Channel)
    77  		if channel.TeamId != "" {
    78  			return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
    79  		}
    80  	}
    81  
    82  	return a.SessionHasPermissionTo(session, permission)
    83  }
    84  
    85  func (a *App) SessionHasPermissionToUser(session model.Session, userId string) bool {
    86  	if userId == "" {
    87  		return false
    88  	}
    89  
    90  	if session.UserId == userId {
    91  		return true
    92  	}
    93  
    94  	if a.SessionHasPermissionTo(session, model.PERMISSION_EDIT_OTHER_USERS) {
    95  		return true
    96  	}
    97  
    98  	return false
    99  }
   100  
   101  func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission) bool {
   102  	user, err := a.GetUser(askingUserId)
   103  	if err != nil {
   104  		return false
   105  	}
   106  
   107  	roles := user.GetRoles()
   108  
   109  	return a.RolesGrantPermission(roles, permission.Id)
   110  }
   111  
   112  func (a *App) HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool {
   113  	if teamId == "" || askingUserId == "" {
   114  		return false
   115  	}
   116  
   117  	teamMember, err := a.GetTeamMember(teamId, askingUserId)
   118  	if err != nil {
   119  		return false
   120  	}
   121  
   122  	roles := teamMember.GetRoles()
   123  
   124  	if a.RolesGrantPermission(roles, permission.Id) {
   125  		return true
   126  	}
   127  
   128  	return a.HasPermissionTo(askingUserId, permission)
   129  }
   130  
   131  func (a *App) HasPermissionToChannel(askingUserId string, channelId string, permission *model.Permission) bool {
   132  	if channelId == "" || askingUserId == "" {
   133  		return false
   134  	}
   135  
   136  	channelMember, err := a.GetChannelMember(channelId, askingUserId)
   137  	if err == nil {
   138  		roles := channelMember.GetRoles()
   139  		if a.RolesGrantPermission(roles, permission.Id) {
   140  			return true
   141  		}
   142  	}
   143  
   144  	var channel *model.Channel
   145  	channel, err = a.GetChannel(channelId)
   146  	if err == nil {
   147  		return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission)
   148  	}
   149  
   150  	return a.HasPermissionTo(askingUserId, permission)
   151  }
   152  
   153  func (a *App) HasPermissionToChannelByPost(askingUserId string, postId string, permission *model.Permission) bool {
   154  	var channelMember *model.ChannelMember
   155  	if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, askingUserId); result.Err == nil {
   156  		channelMember = result.Data.(*model.ChannelMember)
   157  
   158  		if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) {
   159  			return true
   160  		}
   161  	}
   162  
   163  	if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
   164  		channel := result.Data.(*model.Channel)
   165  		return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission)
   166  	}
   167  
   168  	return a.HasPermissionTo(askingUserId, permission)
   169  }
   170  
   171  func (a *App) HasPermissionToUser(askingUserId string, userId string) bool {
   172  	if askingUserId == userId {
   173  		return true
   174  	}
   175  
   176  	if a.HasPermissionTo(askingUserId, model.PERMISSION_EDIT_OTHER_USERS) {
   177  		return true
   178  	}
   179  
   180  	return false
   181  }
   182  
   183  func (a *App) RolesGrantPermission(roleNames []string, permissionId string) bool {
   184  	roles, err := a.GetRolesByNames(roleNames)
   185  	if err != nil {
   186  		// This should only happen if something is very broken. We can't realistically
   187  		// recover the situation, so deny permission and log an error.
   188  		mlog.Error("Failed to get roles from database with role names: " + strings.Join(roleNames, ","))
   189  		mlog.Error(fmt.Sprint(err))
   190  		return false
   191  	}
   192  
   193  	for _, role := range roles {
   194  		if role.DeleteAt != 0 {
   195  			continue
   196  		}
   197  
   198  		permissions := role.Permissions
   199  		for _, permission := range permissions {
   200  			if permission == permissionId {
   201  				return true
   202  			}
   203  		}
   204  	}
   205  
   206  	return false
   207  }