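// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package utils

import (
	"github.com/mattermost/mattermost-server/model"
)

// grant appends permissionIds to the role registered under roleId.
//
// roles must contain every built-in role ID this file references; a missing
// entry is a programming error and the nil dereference panics, exactly as the
// previously inlined appends did. No de-duplication is performed, so granting
// a permission a role already holds (or running SetRolePermissionsFromConfig
// twice on the same map) leaves duplicate IDs in Role.Permissions.
func grant(roles map[string]*model.Role, roleId string, permissionIds ...string) {
	role := roles[roleId]
	role.Permissions = append(role.Permissions, permissionIds...)
}

// grantByRestriction translates one TeamSettings.Restrict* level into grants
// of permissionId:
//
//   - unlicensed servers ignore level entirely and grant to everyoneRole, the
//     most permissive outcome;
//   - PERMISSIONS_ALL grants to everyoneRole;
//   - PERMISSIONS_CHANNEL_ADMIN grants to team admins and channel admins, but
//     only when hasChannelAdminLevel is true — the channel creation settings
//     have no channel-admin tier, and honouring it there would widen access;
//   - PERMISSIONS_TEAM_ADMIN grants to team admins only;
//   - any other value grants nothing, i.e. the setting fails closed (system
//     admins are not touched here and keep whatever they already have).
func grantByRestriction(roles map[string]*model.Role, isLicensed bool, level, everyoneRole, permissionId string, hasChannelAdminLevel bool) {
	if !isLicensed {
		grant(roles, everyoneRole, permissionId)
		return
	}

	switch level {
	case model.PERMISSIONS_ALL:
		grant(roles, everyoneRole, permissionId)
	case model.PERMISSIONS_CHANNEL_ADMIN:
		if hasChannelAdminLevel {
			grant(roles, model.TEAM_ADMIN_ROLE_ID, permissionId)
			grant(roles, model.CHANNEL_ADMIN_ROLE_ID, permissionId)
		}
	case model.PERMISSIONS_TEAM_ADMIN:
		grant(roles, model.TEAM_ADMIN_ROLE_ID, permissionId)
	}
}

// SetRolePermissionsFromConfig adds the config-driven permissions to the
// built-in roles in roles and returns the same map. The Role values are
// mutated in place; nothing is removed, only appended.
//
// Security-relevant behaviour a deployer should know:
//
//   - isLicensed gates every Restrict* setting. On an unlicensed server those
//     settings are not consulted at all and the most permissive grant is made
//     to the base role, so they cannot be used to lock down channel creation,
//     management, deletion, membership, invites, or post editing/deletion.
//   - Under a license, an unrecognised Restrict*/AllowEditPost value grants
//     nothing to the roles handled here (fail closed).
//   - EnableOnlyAdminIntegrations=false hands MANAGE_OAUTH to every system
//     user and webhook/slash-command management to every team user.
//
// Every setting read here is dereferenced, so cfg is expected to have had its
// defaults applied (no nil setting pointers). A nil setting or a missing
// built-in role in roles panics.
func SetRolePermissionsFromConfig(roles map[string]*model.Role, cfg *model.Config, isLicensed bool) map[string]*model.Role {
	ts := cfg.TeamSettings
	ss := cfg.ServiceSettings

	// Public channels. Creation has no channel-admin tier.
	grantByRestriction(roles, isLicensed, *ts.RestrictPublicChannelCreation,
		model.TEAM_USER_ROLE_ID, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, false)
	grantByRestriction(roles, isLicensed, *ts.RestrictPublicChannelManagement,
		model.TEAM_USER_ROLE_ID, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, true)
	grantByRestriction(roles, isLicensed, *ts.RestrictPublicChannelDeletion,
		model.TEAM_USER_ROLE_ID, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, true)

	// Private channels. Creation has no channel-admin tier.
	grantByRestriction(roles, isLicensed, *ts.RestrictPrivateChannelCreation,
		model.TEAM_USER_ROLE_ID, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, false)
	grantByRestriction(roles, isLicensed, *ts.RestrictPrivateChannelManagement,
		model.TEAM_USER_ROLE_ID, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, true)
	grantByRestriction(roles, isLicensed, *ts.RestrictPrivateChannelDeletion,
		model.TEAM_USER_ROLE_ID, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, true)

	// Private channel membership is channel-scoped, so its "everyone" tier is
	// the channel user role rather than the team user role.
	grantByRestriction(roles, isLicensed, *ts.RestrictPrivateChannelManageMembers,
		model.CHANNEL_USER_ROLE_ID, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, true)

	// Integrations: opening them up grants to the broadest roles there are
	// (every team user, every system user). This is independent of licensing.
	if !*ss.EnableOnlyAdminIntegrations {
		grant(roles, model.TEAM_USER_ROLE_ID,
			model.PERMISSION_MANAGE_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
		)
		grant(roles, model.SYSTEM_USER_ROLE_ID, model.PERMISSION_MANAGE_OAUTH.Id)
	}

	// Inviting and adding users to a team. Only "team admin" and "all" are
	// recognised under a license; anything else grants nobody below system
	// admin. Unlicensed servers always grant every team user.
	inviteRole := ""
	switch {
	case !isLicensed:
		inviteRole = model.TEAM_USER_ROLE_ID
	case *ts.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN:
		inviteRole = model.TEAM_ADMIN_ROLE_ID
	case *ts.RestrictTeamInvite == model.PERMISSIONS_ALL:
		inviteRole = model.TEAM_USER_ROLE_ID
	}
	if inviteRole != "" {
		grant(roles, inviteRole,
			model.PERMISSION_INVITE_USER.Id,
			model.PERMISSION_ADD_USER_TO_TEAM.Id,
		)
	}

	// Post deletion. Team admins get delete-own and delete-others whenever
	// the setting is recognised (or the server is unlicensed); channel users
	// get delete-own only when deletion is open to all.
	switch {
	case !isLicensed, *ss.RestrictPostDelete == model.PERMISSIONS_DELETE_POST_ALL:
		grant(roles, model.CHANNEL_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
		grant(roles, model.TEAM_ADMIN_ROLE_ID,
			model.PERMISSION_DELETE_POST.Id,
			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
		)
	case *ss.RestrictPostDelete == model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
		grant(roles, model.TEAM_ADMIN_ROLE_ID,
			model.PERMISSION_DELETE_POST.Id,
			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
		)
	}

	// Team creation is a system-wide grant to every system user.
	if *ts.EnableTeamCreation {
		grant(roles, model.SYSTEM_USER_ROLE_ID, model.PERMISSION_CREATE_TEAM.Id)
	}

	// Post editing. Under a license only "always" and "time_limit" grant;
	// any other value (e.g. never) leaves both roles without EDIT_POST.
	// The time-limit itself is enforced elsewhere, not by this permission.
	switch {
	case !isLicensed,
		*ss.AllowEditPost == model.ALLOW_EDIT_POST_ALWAYS,
		*ss.AllowEditPost == model.ALLOW_EDIT_POST_TIME_LIMIT:
		grant(roles, model.CHANNEL_USER_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
		grant(roles, model.SYSTEM_ADMIN_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
	}

	return roles
}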