github.com/jlevesy/mattermost-server@v5.3.2-0.20181003190404-7468f35cb0c8+incompatible/app/authorization.go (about) 1 // Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved. 2 // See License.txt for license information. 3 4 package app 5 6 import ( 7 "fmt" 8 "net/http" 9 "strings" 10 11 "github.com/mattermost/mattermost-server/mlog" 12 "github.com/mattermost/mattermost-server/model" 13 ) 14 15 func (a *App) SessionHasPermissionTo(session model.Session, permission *model.Permission) bool { 16 return a.RolesGrantPermission(session.GetUserRoles(), permission.Id) 17 } 18 19 /// DO NOT USE: LEGACY 20 func (a *App) SessionHasPermissionToTeam(session model.Session, teamId string, permission *model.Permission) bool { 21 if teamId == "" { 22 return false 23 } 24 25 teamMember := session.GetTeamByTeamId(teamId) 26 if teamMember != nil { 27 if a.RolesGrantPermission(teamMember.GetRoles(), permission.Id) { 28 return true 29 } 30 } 31 32 return a.RolesGrantPermission(session.GetUserRoles(), permission.Id) 33 } 34 35 func (a *App) SessionHasPermissionToChannel(session model.Session, channelId string, permission *model.Permission) bool { 36 if channelId == "" { 37 return false 38 } 39 40 cmc := a.Srv.Store.Channel().GetAllChannelMembersForUser(session.UserId, true, true) 41 42 var channelRoles []string 43 if cmcresult := <-cmc; cmcresult.Err == nil { 44 ids := cmcresult.Data.(map[string]string) 45 if roles, ok := ids[channelId]; ok { 46 channelRoles = strings.Fields(roles) 47 if a.RolesGrantPermission(channelRoles, permission.Id) { 48 return true 49 } 50 } 51 } 52 53 channel, err := a.GetChannel(channelId) 54 if err == nil && channel.TeamId != "" { 55 return a.SessionHasPermissionToTeam(session, channel.TeamId, permission) 56 } 57 58 if err != nil && err.StatusCode == http.StatusNotFound { 59 return false 60 } 61 62 return a.SessionHasPermissionTo(session, permission) 63 } 64 65 func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId string, permission *model.Permission) bool { 66 var channelMember *model.ChannelMember 67 if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, session.UserId); result.Err == nil { 68 channelMember = result.Data.(*model.ChannelMember) 69 70 if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) { 71 return true 72 } 73 } 74 75 if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil { 76 channel := result.Data.(*model.Channel) 77 if channel.TeamId != "" { 78 return a.SessionHasPermissionToTeam(session, channel.TeamId, permission) 79 } 80 } 81 82 return a.SessionHasPermissionTo(session, permission) 83 } 84 85 func (a *App) SessionHasPermissionToUser(session model.Session, userId string) bool { 86 if userId == "" { 87 return false 88 } 89 90 if session.UserId == userId { 91 return true 92 } 93 94 if a.SessionHasPermissionTo(session, model.PERMISSION_EDIT_OTHER_USERS) { 95 return true 96 } 97 98 return false 99 } 100 101 func (a *App) HasPermissionTo(askingUserId string, permission *model.Permission) bool { 102 user, err := a.GetUser(askingUserId) 103 if err != nil { 104 return false 105 } 106 107 roles := user.GetRoles() 108 109 return a.RolesGrantPermission(roles, permission.Id) 110 } 111 112 func (a *App) HasPermissionToTeam(askingUserId string, teamId string, permission *model.Permission) bool { 113 if teamId == "" || askingUserId == "" { 114 return false 115 } 116 117 teamMember, err := a.GetTeamMember(teamId, askingUserId) 118 if err != nil { 119 return false 120 } 121 122 roles := teamMember.GetRoles() 123 124 if a.RolesGrantPermission(roles, permission.Id) { 125 return true 126 } 127 128 return a.HasPermissionTo(askingUserId, permission) 129 } 130 131 func (a *App) HasPermissionToChannel(askingUserId string, channelId string, permission *model.Permission) bool { 132 if channelId == "" || askingUserId == "" { 133 return false 134 } 135 136 channelMember, err := a.GetChannelMember(channelId, askingUserId) 137 if err == nil { 138 roles := channelMember.GetRoles() 139 if a.RolesGrantPermission(roles, permission.Id) { 140 return true 141 } 142 } 143 144 var channel *model.Channel 145 channel, err = a.GetChannel(channelId) 146 if err == nil { 147 return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission) 148 } 149 150 return a.HasPermissionTo(askingUserId, permission) 151 } 152 153 func (a *App) HasPermissionToChannelByPost(askingUserId string, postId string, permission *model.Permission) bool { 154 var channelMember *model.ChannelMember 155 if result := <-a.Srv.Store.Channel().GetMemberForPost(postId, askingUserId); result.Err == nil { 156 channelMember = result.Data.(*model.ChannelMember) 157 158 if a.RolesGrantPermission(channelMember.GetRoles(), permission.Id) { 159 return true 160 } 161 } 162 163 if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil { 164 channel := result.Data.(*model.Channel) 165 return a.HasPermissionToTeam(askingUserId, channel.TeamId, permission) 166 } 167 168 return a.HasPermissionTo(askingUserId, permission) 169 } 170 171 func (a *App) HasPermissionToUser(askingUserId string, userId string) bool { 172 if askingUserId == userId { 173 return true 174 } 175 176 if a.HasPermissionTo(askingUserId, model.PERMISSION_EDIT_OTHER_USERS) { 177 return true 178 } 179 180 return false 181 } 182 183 func (a *App) RolesGrantPermission(roleNames []string, permissionId string) bool { 184 roles, err := a.GetRolesByNames(roleNames) 185 if err != nil { 186 // This should only happen if something is very broken. We can't realistically 187 // recover the situation, so deny permission and log an error. 188 mlog.Error("Failed to get roles from database with role names: " + strings.Join(roleNames, ",")) 189 mlog.Error(fmt.Sprint(err)) 190 return false 191 } 192 193 for _, role := range roles { 194 if role.DeleteAt != 0 { 195 continue 196 } 197 198 permissions := role.Permissions 199 for _, permission := range permissions { 200 if permission == permissionId { 201 return true 202 } 203 } 204 } 205 206 return false 207 }