github.com/mattermosttest/mattermost-server/v5@v5.0.0-20200917143240-9dfa12e121f9/app/permissions.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See LICENSE.txt for license information. 3 4 package app 5 6 import ( 7 "bufio" 8 "encoding/json" 9 "fmt" 10 "io" 11 "net/http" 12 13 "github.com/mattermost/mattermost-server/v5/model" 14 "github.com/pkg/errors" 15 ) 16 17 const permissionsExportBatchSize = 100 18 const systemSchemeName = "00000000-0000-0000-0000-000000000000" // Prevents collisions with user-created schemes. 19 20 func (a *App) ResetPermissionsSystem() *model.AppError { 21 // Reset all Teams to not have a scheme. 22 if err := a.Srv().Store.Team().ResetAllTeamSchemes(); err != nil { 23 return err 24 } 25 26 // Reset all Channels to not have a scheme. 27 if err := a.Srv().Store.Channel().ResetAllChannelSchemes(); err != nil { 28 return err 29 } 30 31 // Reset all Custom Role assignments to Users. 32 if err := a.Srv().Store.User().ClearAllCustomRoleAssignments(); err != nil { 33 return err 34 } 35 36 // Reset all Custom Role assignments to TeamMembers. 37 if err := a.Srv().Store.Team().ClearAllCustomRoleAssignments(); err != nil { 38 return err 39 } 40 41 // Reset all Custom Role assignments to ChannelMembers. 42 if err := a.Srv().Store.Channel().ClearAllCustomRoleAssignments(); err != nil { 43 return err 44 } 45 46 // Purge all schemes from the database. 47 if err := a.Srv().Store.Scheme().PermanentDeleteAll(); err != nil { 48 return model.NewAppError("ResetPermissionsSystem", "app.scheme.permanent_delete_all.app_error", nil, err.Error(), http.StatusInternalServerError) 49 } 50 51 // Purge all roles from the database. 52 if err := a.Srv().Store.Role().PermanentDeleteAll(); err != nil { 53 return model.NewAppError("ResetPermissionsSystem", "app.role.permanent_delete_all.app_error", nil, err.Error(), http.StatusInternalServerError) 54 } 55 56 // Remove the "System" table entry that marks the advanced permissions migration as done. 57 if _, err := a.Srv().Store.System().PermanentDeleteByName(ADVANCED_PERMISSIONS_MIGRATION_KEY); err != nil { 58 return err 59 } 60 61 // Remove the "System" table entry that marks the emoji permissions migration as done. 62 if _, err := a.Srv().Store.System().PermanentDeleteByName(EMOJIS_PERMISSIONS_MIGRATION_KEY); err != nil { 63 return err 64 } 65 66 // Remove the "System" table entry that marks the guest roles permissions migration as done. 67 if _, err := a.Srv().Store.System().PermanentDeleteByName(GUEST_ROLES_CREATION_MIGRATION_KEY); err != nil { 68 return err 69 } 70 71 // Now that the permissions system has been reset, re-run the migration to reinitialise it. 72 a.DoAppMigrations() 73 74 return nil 75 } 76 77 func (a *App) ExportPermissions(w io.Writer) error { 78 79 next := a.SchemesIterator("", permissionsExportBatchSize) 80 var schemeBatch []*model.Scheme 81 82 for schemeBatch = next(); len(schemeBatch) > 0; schemeBatch = next() { 83 84 for _, scheme := range schemeBatch { 85 86 roleNames := []string{ 87 scheme.DefaultTeamAdminRole, 88 scheme.DefaultTeamUserRole, 89 scheme.DefaultTeamGuestRole, 90 scheme.DefaultChannelAdminRole, 91 scheme.DefaultChannelUserRole, 92 scheme.DefaultChannelGuestRole, 93 } 94 95 roles := []*model.Role{} 96 for _, roleName := range roleNames { 97 if len(roleName) == 0 { 98 continue 99 } 100 role, err := a.GetRoleByName(roleName) 101 if err != nil { 102 return err 103 } 104 roles = append(roles, role) 105 } 106 107 schemeExport, err := json.Marshal(&model.SchemeConveyor{ 108 Name: scheme.Name, 109 DisplayName: scheme.DisplayName, 110 Description: scheme.Description, 111 Scope: scheme.Scope, 112 TeamAdmin: scheme.DefaultTeamAdminRole, 113 TeamUser: scheme.DefaultTeamUserRole, 114 TeamGuest: scheme.DefaultTeamGuestRole, 115 ChannelAdmin: scheme.DefaultChannelAdminRole, 116 ChannelUser: scheme.DefaultChannelUserRole, 117 ChannelGuest: scheme.DefaultChannelGuestRole, 118 Roles: roles, 119 }) 120 if err != nil { 121 return err 122 } 123 124 schemeExport = append(schemeExport, []byte("\n")...) 125 126 _, err = w.Write(schemeExport) 127 if err != nil { 128 return err 129 } 130 } 131 132 } 133 134 defaultRoleNames := []string{} 135 for _, dr := range model.MakeDefaultRoles() { 136 defaultRoleNames = append(defaultRoleNames, dr.Name) 137 } 138 139 roles, appErr := a.GetRolesByNames(defaultRoleNames) 140 if appErr != nil { 141 return errors.New(appErr.Message) 142 } 143 144 schemeExport, err := json.Marshal(&model.SchemeConveyor{ 145 Name: systemSchemeName, 146 Roles: roles, 147 }) 148 if err != nil { 149 return err 150 } 151 152 schemeExport = append(schemeExport, []byte("\n")...) 153 154 _, err = w.Write(schemeExport) 155 return err 156 } 157 158 func (a *App) ImportPermissions(jsonl io.Reader) error { 159 createdSchemeIDs := []string{} 160 161 scanner := bufio.NewScanner(jsonl) 162 163 for scanner.Scan() { 164 var schemeConveyor *model.SchemeConveyor 165 err := json.Unmarshal(scanner.Bytes(), &schemeConveyor) 166 if err != nil { 167 rollback(a, createdSchemeIDs) 168 return err 169 } 170 171 if schemeConveyor.Name == systemSchemeName { 172 for _, roleIn := range schemeConveyor.Roles { 173 dbRole, err := a.GetRoleByName(roleIn.Name) 174 if err != nil { 175 rollback(a, createdSchemeIDs) 176 return errors.New(err.Message) 177 } 178 _, err = a.PatchRole(dbRole, &model.RolePatch{ 179 Permissions: &roleIn.Permissions, 180 }) 181 if err != nil { 182 rollback(a, createdSchemeIDs) 183 return err 184 } 185 } 186 continue 187 } 188 189 // Create the new Scheme. The new Roles are created automatically. 190 var appErr *model.AppError 191 schemeCreated, appErr := a.CreateScheme(schemeConveyor.Scheme()) 192 if appErr != nil { 193 rollback(a, createdSchemeIDs) 194 return errors.New(appErr.Message) 195 } 196 createdSchemeIDs = append(createdSchemeIDs, schemeCreated.Id) 197 198 schemeIn := schemeConveyor.Scheme() 199 roleNameTuples := [][]string{ 200 {schemeCreated.DefaultTeamAdminRole, schemeIn.DefaultTeamAdminRole}, 201 {schemeCreated.DefaultTeamUserRole, schemeIn.DefaultTeamUserRole}, 202 {schemeCreated.DefaultTeamGuestRole, schemeIn.DefaultTeamGuestRole}, 203 {schemeCreated.DefaultChannelAdminRole, schemeIn.DefaultChannelAdminRole}, 204 {schemeCreated.DefaultChannelUserRole, schemeIn.DefaultChannelUserRole}, 205 {schemeCreated.DefaultChannelGuestRole, schemeIn.DefaultChannelGuestRole}, 206 } 207 for _, roleNameTuple := range roleNameTuples { 208 if len(roleNameTuple[0]) == 0 || len(roleNameTuple[1]) == 0 { 209 continue 210 } 211 212 err = updateRole(a, schemeConveyor, roleNameTuple[0], roleNameTuple[1]) 213 if err != nil { 214 // Delete the new Schemes. The new Roles are deleted automatically. 215 rollback(a, createdSchemeIDs) 216 return err 217 } 218 } 219 } 220 221 if err := scanner.Err(); err != nil { 222 rollback(a, createdSchemeIDs) 223 return err 224 } 225 226 return nil 227 } 228 229 func rollback(a *App, createdSchemeIDs []string) { 230 for _, schemeID := range createdSchemeIDs { 231 a.DeleteScheme(schemeID) 232 } 233 } 234 235 func updateRole(a *App, sc *model.SchemeConveyor, roleCreatedName, defaultRoleName string) error { 236 var err *model.AppError 237 238 roleCreated, err := a.GetRoleByName(roleCreatedName) 239 if err != nil { 240 return errors.New(err.Message) 241 } 242 243 var roleIn *model.Role 244 for _, role := range sc.Roles { 245 if role.Name == defaultRoleName { 246 roleIn = role 247 break 248 } 249 } 250 251 roleCreated.DisplayName = roleIn.DisplayName 252 roleCreated.Description = roleIn.Description 253 roleCreated.Permissions = roleIn.Permissions 254 255 _, err = a.UpdateRole(roleCreated) 256 if err != nil { 257 return errors.New(fmt.Sprintf("%v: %v\n", err.Message, err.DetailedError)) 258 } 259 260 return nil 261 }