github.com/masterhung0112/hk_server/v5@v5.0.0-20220302090640-ec71aef15e1c/api4/role.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See LICENSE.txt for license information. 3 4 package api4 5 6 import ( 7 "net/http" 8 9 "github.com/masterhung0112/hk_server/v5/audit" 10 "github.com/masterhung0112/hk_server/v5/model" 11 ) 12 13 var allowedPermissions = []string{ 14 model.PERMISSION_CREATE_TEAM.Id, 15 model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, 16 model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, 17 model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, 18 model.PERMISSION_MANAGE_OAUTH.Id, 19 model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id, 20 model.PERMISSION_CREATE_EMOJIS.Id, 21 model.PERMISSION_DELETE_EMOJIS.Id, 22 model.PERMISSION_EDIT_OTHERS_POSTS.Id, 23 } 24 25 var notAllowedPermissions = []string{ 26 model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES.Id, 27 model.PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_SYSTEM_ROLES.Id, 28 model.PERMISSION_MANAGE_ROLES.Id, 29 } 30 31 func (api *API) InitRole() { 32 api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getRole)).Methods("GET") 33 api.BaseRoutes.Roles.Handle("/name/{role_name:[a-z0-9_]+}", api.ApiSessionRequiredTrustRequester(getRoleByName)).Methods("GET") 34 api.BaseRoutes.Roles.Handle("/names", api.ApiSessionRequiredTrustRequester(getRolesByNames)).Methods("POST") 35 api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchRole)).Methods("PUT") 36 } 37 38 func getRole(c *Context, w http.ResponseWriter, r *http.Request) { 39 c.RequireRoleId() 40 if c.Err != nil { 41 return 42 } 43 44 role, err := c.App.GetRole(c.Params.RoleId) 45 if err != nil { 46 c.Err = err 47 return 48 } 49 50 w.Write([]byte(role.ToJson())) 51 } 52 53 func getRoleByName(c *Context, w http.ResponseWriter, r *http.Request) { 54 c.RequireRoleName() 55 if c.Err != nil { 56 return 57 } 58 59 role, err := c.App.GetRoleByName(r.Context(), c.Params.RoleName) 60 if err != nil { 61 c.Err = err 62 return 63 } 64 65 w.Write([]byte(role.ToJson())) 66 } 67 68 func getRolesByNames(c *Context, w http.ResponseWriter, r *http.Request) { 69 rolenames := model.ArrayFromJson(r.Body) 70 71 if len(rolenames) == 0 { 72 c.SetInvalidParam("rolenames") 73 return 74 } 75 76 cleanedRoleNames, valid := model.CleanRoleNames(rolenames) 77 if !valid { 78 c.SetInvalidParam("rolename") 79 return 80 } 81 82 roles, err := c.App.GetRolesByNames(cleanedRoleNames) 83 if err != nil { 84 c.Err = err 85 return 86 } 87 88 w.Write([]byte(model.RoleListToJson(roles))) 89 } 90 91 func patchRole(c *Context, w http.ResponseWriter, r *http.Request) { 92 c.RequireRoleId() 93 if c.Err != nil { 94 return 95 } 96 97 patch := model.RolePatchFromJson(r.Body) 98 if patch == nil { 99 c.SetInvalidParam("role") 100 return 101 } 102 103 auditRec := c.MakeAuditRecord("patchRole", audit.Fail) 104 defer c.LogAuditRec(auditRec) 105 106 oldRole, err := c.App.GetRole(c.Params.RoleId) 107 if err != nil { 108 c.Err = err 109 return 110 } 111 auditRec.AddMeta("role", oldRole) 112 113 // manage_system permission is required to patch system_admin 114 requiredPermission := model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS 115 specialProtectedSystemRoles := append(model.NewSystemRoleIDs, model.SYSTEM_ADMIN_ROLE_ID) 116 for _, roleID := range specialProtectedSystemRoles { 117 if oldRole.Name == roleID { 118 requiredPermission = model.PERMISSION_MANAGE_SYSTEM 119 } 120 } 121 if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), requiredPermission) { 122 c.SetPermissionError(requiredPermission) 123 return 124 } 125 126 isGuest := oldRole.Name == model.SYSTEM_GUEST_ROLE_ID || oldRole.Name == model.TEAM_GUEST_ROLE_ID || oldRole.Name == model.CHANNEL_GUEST_ROLE_ID 127 if c.App.Srv().License() == nil && patch.Permissions != nil { 128 if isGuest { 129 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented) 130 return 131 } 132 133 changedPermissions := model.PermissionsChangedByPatch(oldRole, patch) 134 for _, permission := range changedPermissions { 135 allowed := false 136 for _, allowedPermission := range allowedPermissions { 137 if permission == allowedPermission { 138 allowed = true 139 } 140 } 141 142 if !allowed { 143 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented) 144 return 145 } 146 } 147 } 148 149 if patch.Permissions != nil { 150 deltaPermissions := model.PermissionsChangedByPatch(oldRole, patch) 151 152 for _, permission := range deltaPermissions { 153 notAllowed := false 154 for _, notAllowedPermission := range notAllowedPermissions { 155 if permission == notAllowedPermission { 156 notAllowed = true 157 } 158 } 159 160 if notAllowed { 161 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.not_allowed_permission.error", nil, "Cannot add or remove permission: "+permission, http.StatusNotImplemented) 162 return 163 } 164 } 165 166 *patch.Permissions = model.UniqueStrings(*patch.Permissions) 167 } 168 169 if c.App.Srv().License() != nil && isGuest && !*c.App.Srv().License().Features.GuestAccountsPermissions { 170 c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented) 171 return 172 } 173 174 if oldRole.Name == model.TEAM_ADMIN_ROLE_ID || oldRole.Name == model.CHANNEL_ADMIN_ROLE_ID || oldRole.Name == model.SYSTEM_USER_ROLE_ID || oldRole.Name == model.TEAM_USER_ROLE_ID || oldRole.Name == model.CHANNEL_USER_ROLE_ID || oldRole.Name == model.SYSTEM_GUEST_ROLE_ID || oldRole.Name == model.TEAM_GUEST_ROLE_ID || oldRole.Name == model.CHANNEL_GUEST_ROLE_ID { 175 if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS) { 176 c.SetPermissionError(model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS) 177 return 178 } 179 } else { 180 if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES) { 181 c.SetPermissionError(model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES) 182 return 183 } 184 } 185 186 role, err := c.App.PatchRole(oldRole, patch) 187 if err != nil { 188 c.Err = err 189 return 190 } 191 192 auditRec.Success() 193 auditRec.AddMeta("patch", role) 194 c.LogAudit("") 195 196 w.Write([]byte(role.ToJson())) 197 }