github.com/mattermosttest/mattermost-server/v5@v5.0.0-20200917143240-9dfa12e121f9/model/role.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See LICENSE.txt for license information. 3 4 package model 5 6 import ( 7 "encoding/json" 8 "io" 9 "strings" 10 ) 11 12 var BuiltInSchemeManagedRoleIDs []string 13 14 func init() { 15 BuiltInSchemeManagedRoleIDs = []string{ 16 SYSTEM_GUEST_ROLE_ID, 17 SYSTEM_USER_ROLE_ID, 18 SYSTEM_ADMIN_ROLE_ID, 19 SYSTEM_POST_ALL_ROLE_ID, 20 SYSTEM_POST_ALL_PUBLIC_ROLE_ID, 21 SYSTEM_USER_ACCESS_TOKEN_ROLE_ID, 22 23 TEAM_GUEST_ROLE_ID, 24 TEAM_USER_ROLE_ID, 25 TEAM_ADMIN_ROLE_ID, 26 TEAM_POST_ALL_ROLE_ID, 27 TEAM_POST_ALL_PUBLIC_ROLE_ID, 28 29 CHANNEL_GUEST_ROLE_ID, 30 CHANNEL_USER_ROLE_ID, 31 CHANNEL_ADMIN_ROLE_ID, 32 } 33 } 34 35 type RoleType string 36 type RoleScope string 37 38 const ( 39 SYSTEM_GUEST_ROLE_ID = "system_guest" 40 SYSTEM_USER_ROLE_ID = "system_user" 41 SYSTEM_ADMIN_ROLE_ID = "system_admin" 42 SYSTEM_POST_ALL_ROLE_ID = "system_post_all" 43 SYSTEM_POST_ALL_PUBLIC_ROLE_ID = "system_post_all_public" 44 SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token" 45 46 TEAM_GUEST_ROLE_ID = "team_guest" 47 TEAM_USER_ROLE_ID = "team_user" 48 TEAM_ADMIN_ROLE_ID = "team_admin" 49 TEAM_POST_ALL_ROLE_ID = "team_post_all" 50 TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public" 51 52 CHANNEL_GUEST_ROLE_ID = "channel_guest" 53 CHANNEL_USER_ROLE_ID = "channel_user" 54 CHANNEL_ADMIN_ROLE_ID = "channel_admin" 55 56 ROLE_NAME_MAX_LENGTH = 64 57 ROLE_DISPLAY_NAME_MAX_LENGTH = 128 58 ROLE_DESCRIPTION_MAX_LENGTH = 1024 59 60 RoleScopeSystem RoleScope = "System" 61 RoleScopeTeam RoleScope = "Team" 62 RoleScopeChannel RoleScope = "Channel" 63 64 RoleTypeGuest RoleType = "Guest" 65 RoleTypeUser RoleType = "User" 66 RoleTypeAdmin RoleType = "Admin" 67 ) 68 69 type Role struct { 70 Id string `json:"id"` 71 Name string `json:"name"` 72 DisplayName string `json:"display_name"` 73 Description string `json:"description"` 74 CreateAt int64 `json:"create_at"` 75 UpdateAt int64 `json:"update_at"` 76 DeleteAt int64 `json:"delete_at"` 77 Permissions []string `json:"permissions"` 78 SchemeManaged bool `json:"scheme_managed"` 79 BuiltIn bool `json:"built_in"` 80 } 81 82 type RolePatch struct { 83 Permissions *[]string `json:"permissions"` 84 } 85 86 type RolePermissions struct { 87 RoleID string 88 Permissions []string 89 } 90 91 func (r *Role) ToJson() string { 92 b, _ := json.Marshal(r) 93 return string(b) 94 } 95 96 func RoleFromJson(data io.Reader) *Role { 97 var r *Role 98 json.NewDecoder(data).Decode(&r) 99 return r 100 } 101 102 func RoleListToJson(r []*Role) string { 103 b, _ := json.Marshal(r) 104 return string(b) 105 } 106 107 func RoleListFromJson(data io.Reader) []*Role { 108 var roles []*Role 109 json.NewDecoder(data).Decode(&roles) 110 return roles 111 } 112 113 func (r *RolePatch) ToJson() string { 114 b, _ := json.Marshal(r) 115 return string(b) 116 } 117 118 func RolePatchFromJson(data io.Reader) *RolePatch { 119 var rolePatch *RolePatch 120 json.NewDecoder(data).Decode(&rolePatch) 121 return rolePatch 122 } 123 124 func (r *Role) Patch(patch *RolePatch) { 125 if patch.Permissions != nil { 126 r.Permissions = *patch.Permissions 127 } 128 } 129 130 // MergeChannelHigherScopedPermissions is meant to be invoked on a channel scheme's role and merges the higher-scoped 131 // channel role's permissions. 132 func (r *Role) MergeChannelHigherScopedPermissions(higherScopedPermissions *RolePermissions) { 133 mergedPermissions := []string{} 134 135 higherScopedPermissionsMap := AsStringBoolMap(higherScopedPermissions.Permissions) 136 rolePermissionsMap := AsStringBoolMap(r.Permissions) 137 138 for _, cp := range ALL_PERMISSIONS { 139 if cp.Scope != PERMISSION_SCOPE_CHANNEL { 140 continue 141 } 142 143 _, presentOnHigherScope := higherScopedPermissionsMap[cp.Id] 144 145 // For the channel admin role always look to the higher scope to determine if the role has ther permission. 146 // The channel admin is a special case because they're not part of the UI to be "channel moderated", only 147 // channel members and channel guests are. 148 if higherScopedPermissions.RoleID == CHANNEL_ADMIN_ROLE_ID && presentOnHigherScope { 149 mergedPermissions = append(mergedPermissions, cp.Id) 150 continue 151 } 152 153 _, permissionIsModerated := CHANNEL_MODERATED_PERMISSIONS_MAP[cp.Id] 154 if permissionIsModerated { 155 _, presentOnRole := rolePermissionsMap[cp.Id] 156 if presentOnRole && presentOnHigherScope { 157 mergedPermissions = append(mergedPermissions, cp.Id) 158 } 159 } else { 160 if presentOnHigherScope { 161 mergedPermissions = append(mergedPermissions, cp.Id) 162 } 163 } 164 } 165 166 r.Permissions = mergedPermissions 167 } 168 169 // Returns an array of permissions that are in either role.Permissions 170 // or patch.Permissions, but not both. 171 func PermissionsChangedByPatch(role *Role, patch *RolePatch) []string { 172 var result []string 173 174 if patch.Permissions == nil { 175 return result 176 } 177 178 roleMap := make(map[string]bool) 179 patchMap := make(map[string]bool) 180 181 for _, permission := range role.Permissions { 182 roleMap[permission] = true 183 } 184 185 for _, permission := range *patch.Permissions { 186 patchMap[permission] = true 187 } 188 189 for _, permission := range role.Permissions { 190 if !patchMap[permission] { 191 result = append(result, permission) 192 } 193 } 194 195 for _, permission := range *patch.Permissions { 196 if !roleMap[permission] { 197 result = append(result, permission) 198 } 199 } 200 201 return result 202 } 203 204 func ChannelModeratedPermissionsChangedByPatch(role *Role, patch *RolePatch) []string { 205 var result []string 206 207 if role == nil { 208 return result 209 } 210 211 if patch.Permissions == nil { 212 return result 213 } 214 215 roleMap := make(map[string]bool) 216 patchMap := make(map[string]bool) 217 218 for _, permission := range role.Permissions { 219 if channelModeratedPermissionName, found := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; found { 220 roleMap[channelModeratedPermissionName] = true 221 } 222 } 223 224 for _, permission := range *patch.Permissions { 225 if channelModeratedPermissionName, found := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; found { 226 patchMap[channelModeratedPermissionName] = true 227 } 228 } 229 230 for permissionKey := range roleMap { 231 if !patchMap[permissionKey] { 232 result = append(result, permissionKey) 233 } 234 } 235 236 for permissionKey := range patchMap { 237 if !roleMap[permissionKey] { 238 result = append(result, permissionKey) 239 } 240 } 241 242 return result 243 } 244 245 // GetChannelModeratedPermissions returns a map of channel moderated permissions that the role has access to 246 func (r *Role) GetChannelModeratedPermissions(channelType string) map[string]bool { 247 moderatedPermissions := make(map[string]bool) 248 for _, permission := range r.Permissions { 249 if _, found := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; !found { 250 continue 251 } 252 253 for moderated, moderatedPermissionValue := range CHANNEL_MODERATED_PERMISSIONS_MAP { 254 // the moderated permission has already been found to be true so skip this iteration 255 if moderatedPermissions[moderatedPermissionValue] { 256 continue 257 } 258 259 if moderated == permission { 260 // Special case where the channel moderated permission for `manage_members` is different depending on whether the channel is private or public 261 if moderated == PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id || moderated == PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id { 262 canManagePublic := channelType == CHANNEL_OPEN && moderated == PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id 263 canManagePrivate := channelType == CHANNEL_PRIVATE && moderated == PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id 264 moderatedPermissions[moderatedPermissionValue] = canManagePublic || canManagePrivate 265 } else { 266 moderatedPermissions[moderatedPermissionValue] = true 267 } 268 } 269 } 270 } 271 272 return moderatedPermissions 273 } 274 275 // RolePatchFromChannelModerationsPatch Creates and returns a RolePatch based on a slice of ChannelModerationPatchs, roleName is expected to be either "members" or "guests". 276 func (r *Role) RolePatchFromChannelModerationsPatch(channelModerationsPatch []*ChannelModerationPatch, roleName string) *RolePatch { 277 permissionsToAddToPatch := make(map[string]bool) 278 279 // Iterate through the list of existing permissions on the role and append permissions that we want to keep. 280 for _, permission := range r.Permissions { 281 // Permission is not moderated so dont add it to the patch and skip the channelModerationsPatch 282 if _, isModerated := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; !isModerated { 283 continue 284 } 285 286 permissionEnabled := true 287 // Check if permission has a matching moderated permission name inside the channel moderation patch 288 for _, channelModerationPatch := range channelModerationsPatch { 289 if *channelModerationPatch.Name == CHANNEL_MODERATED_PERMISSIONS_MAP[permission] { 290 // Permission key exists in patch with a value of false so skip over it 291 if roleName == "members" { 292 if channelModerationPatch.Roles.Members != nil && !*channelModerationPatch.Roles.Members { 293 permissionEnabled = false 294 } 295 } else if roleName == "guests" { 296 if channelModerationPatch.Roles.Guests != nil && !*channelModerationPatch.Roles.Guests { 297 permissionEnabled = false 298 } 299 } 300 } 301 } 302 303 if permissionEnabled { 304 permissionsToAddToPatch[permission] = true 305 } 306 } 307 308 // Iterate through the patch and add any permissions that dont already exist on the role 309 for _, channelModerationPatch := range channelModerationsPatch { 310 for permission, moderatedPermissionName := range CHANNEL_MODERATED_PERMISSIONS_MAP { 311 if roleName == "members" && channelModerationPatch.Roles.Members != nil && *channelModerationPatch.Roles.Members && *channelModerationPatch.Name == moderatedPermissionName { 312 permissionsToAddToPatch[permission] = true 313 } 314 315 if roleName == "guests" && channelModerationPatch.Roles.Guests != nil && *channelModerationPatch.Roles.Guests && *channelModerationPatch.Name == moderatedPermissionName { 316 permissionsToAddToPatch[permission] = true 317 } 318 } 319 } 320 321 patchPermissions := make([]string, 0, len(permissionsToAddToPatch)) 322 for permission := range permissionsToAddToPatch { 323 patchPermissions = append(patchPermissions, permission) 324 } 325 326 return &RolePatch{Permissions: &patchPermissions} 327 } 328 329 func (r *Role) IsValid() bool { 330 if !IsValidId(r.Id) { 331 return false 332 } 333 334 return r.IsValidWithoutId() 335 } 336 337 func (r *Role) IsValidWithoutId() bool { 338 if !IsValidRoleName(r.Name) { 339 return false 340 } 341 342 if len(r.DisplayName) == 0 || len(r.DisplayName) > ROLE_DISPLAY_NAME_MAX_LENGTH { 343 return false 344 } 345 346 if len(r.Description) > ROLE_DESCRIPTION_MAX_LENGTH { 347 return false 348 } 349 350 for _, permission := range r.Permissions { 351 permissionValidated := false 352 for _, p := range ALL_PERMISSIONS { 353 if permission == p.Id { 354 permissionValidated = true 355 break 356 } 357 } 358 359 if !permissionValidated { 360 return false 361 } 362 } 363 364 return true 365 } 366 367 func CleanRoleNames(roleNames []string) ([]string, bool) { 368 var cleanedRoleNames []string 369 for _, roleName := range roleNames { 370 if strings.TrimSpace(roleName) == "" { 371 continue 372 } 373 374 if !IsValidRoleName(roleName) { 375 return roleNames, false 376 } 377 378 cleanedRoleNames = append(cleanedRoleNames, roleName) 379 } 380 381 return cleanedRoleNames, true 382 } 383 384 func IsValidRoleName(roleName string) bool { 385 if len(roleName) <= 0 || len(roleName) > ROLE_NAME_MAX_LENGTH { 386 return false 387 } 388 389 if strings.TrimLeft(roleName, "abcdefghijklmnopqrstuvwxyz0123456789_") != "" { 390 return false 391 } 392 393 return true 394 } 395 396 func MakeDefaultRoles() map[string]*Role { 397 roles := make(map[string]*Role) 398 399 roles[CHANNEL_GUEST_ROLE_ID] = &Role{ 400 Name: "channel_guest", 401 DisplayName: "authentication.roles.channel_guest.name", 402 Description: "authentication.roles.channel_guest.description", 403 Permissions: []string{ 404 PERMISSION_READ_CHANNEL.Id, 405 PERMISSION_ADD_REACTION.Id, 406 PERMISSION_REMOVE_REACTION.Id, 407 PERMISSION_UPLOAD_FILE.Id, 408 PERMISSION_EDIT_POST.Id, 409 PERMISSION_CREATE_POST.Id, 410 PERMISSION_USE_CHANNEL_MENTIONS.Id, 411 PERMISSION_USE_SLASH_COMMANDS.Id, 412 }, 413 SchemeManaged: true, 414 BuiltIn: true, 415 } 416 417 roles[CHANNEL_USER_ROLE_ID] = &Role{ 418 Name: "channel_user", 419 DisplayName: "authentication.roles.channel_user.name", 420 Description: "authentication.roles.channel_user.description", 421 Permissions: []string{ 422 PERMISSION_READ_CHANNEL.Id, 423 PERMISSION_ADD_REACTION.Id, 424 PERMISSION_REMOVE_REACTION.Id, 425 PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id, 426 PERMISSION_UPLOAD_FILE.Id, 427 PERMISSION_GET_PUBLIC_LINK.Id, 428 PERMISSION_CREATE_POST.Id, 429 PERMISSION_USE_CHANNEL_MENTIONS.Id, 430 PERMISSION_USE_SLASH_COMMANDS.Id, 431 }, 432 SchemeManaged: true, 433 BuiltIn: true, 434 } 435 436 roles[CHANNEL_ADMIN_ROLE_ID] = &Role{ 437 Name: "channel_admin", 438 DisplayName: "authentication.roles.channel_admin.name", 439 Description: "authentication.roles.channel_admin.description", 440 Permissions: []string{ 441 PERMISSION_MANAGE_CHANNEL_ROLES.Id, 442 PERMISSION_USE_GROUP_MENTIONS.Id, 443 }, 444 SchemeManaged: true, 445 BuiltIn: true, 446 } 447 448 roles[TEAM_GUEST_ROLE_ID] = &Role{ 449 Name: "team_guest", 450 DisplayName: "authentication.roles.team_guest.name", 451 Description: "authentication.roles.team_guest.description", 452 Permissions: []string{ 453 PERMISSION_VIEW_TEAM.Id, 454 }, 455 SchemeManaged: true, 456 BuiltIn: true, 457 } 458 459 roles[TEAM_USER_ROLE_ID] = &Role{ 460 Name: "team_user", 461 DisplayName: "authentication.roles.team_user.name", 462 Description: "authentication.roles.team_user.description", 463 Permissions: []string{ 464 PERMISSION_LIST_TEAM_CHANNELS.Id, 465 PERMISSION_JOIN_PUBLIC_CHANNELS.Id, 466 PERMISSION_READ_PUBLIC_CHANNEL.Id, 467 PERMISSION_VIEW_TEAM.Id, 468 }, 469 SchemeManaged: true, 470 BuiltIn: true, 471 } 472 473 roles[TEAM_POST_ALL_ROLE_ID] = &Role{ 474 Name: "team_post_all", 475 DisplayName: "authentication.roles.team_post_all.name", 476 Description: "authentication.roles.team_post_all.description", 477 Permissions: []string{ 478 PERMISSION_CREATE_POST.Id, 479 PERMISSION_USE_CHANNEL_MENTIONS.Id, 480 }, 481 SchemeManaged: false, 482 BuiltIn: true, 483 } 484 485 roles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = &Role{ 486 Name: "team_post_all_public", 487 DisplayName: "authentication.roles.team_post_all_public.name", 488 Description: "authentication.roles.team_post_all_public.description", 489 Permissions: []string{ 490 PERMISSION_CREATE_POST_PUBLIC.Id, 491 PERMISSION_USE_CHANNEL_MENTIONS.Id, 492 }, 493 SchemeManaged: false, 494 BuiltIn: true, 495 } 496 497 roles[TEAM_ADMIN_ROLE_ID] = &Role{ 498 Name: "team_admin", 499 DisplayName: "authentication.roles.team_admin.name", 500 Description: "authentication.roles.team_admin.description", 501 Permissions: []string{ 502 PERMISSION_REMOVE_USER_FROM_TEAM.Id, 503 PERMISSION_MANAGE_TEAM.Id, 504 PERMISSION_IMPORT_TEAM.Id, 505 PERMISSION_MANAGE_TEAM_ROLES.Id, 506 PERMISSION_MANAGE_CHANNEL_ROLES.Id, 507 PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id, 508 PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id, 509 PERMISSION_MANAGE_SLASH_COMMANDS.Id, 510 PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id, 511 PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, 512 PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, 513 }, 514 SchemeManaged: true, 515 BuiltIn: true, 516 } 517 518 roles[SYSTEM_GUEST_ROLE_ID] = &Role{ 519 Name: "system_guest", 520 DisplayName: "authentication.roles.global_guest.name", 521 Description: "authentication.roles.global_guest.description", 522 Permissions: []string{ 523 PERMISSION_CREATE_DIRECT_CHANNEL.Id, 524 PERMISSION_CREATE_GROUP_CHANNEL.Id, 525 }, 526 SchemeManaged: true, 527 BuiltIn: true, 528 } 529 530 roles[SYSTEM_USER_ROLE_ID] = &Role{ 531 Name: "system_user", 532 DisplayName: "authentication.roles.global_user.name", 533 Description: "authentication.roles.global_user.description", 534 Permissions: []string{ 535 PERMISSION_LIST_PUBLIC_TEAMS.Id, 536 PERMISSION_JOIN_PUBLIC_TEAMS.Id, 537 PERMISSION_CREATE_DIRECT_CHANNEL.Id, 538 PERMISSION_CREATE_GROUP_CHANNEL.Id, 539 PERMISSION_VIEW_MEMBERS.Id, 540 }, 541 SchemeManaged: true, 542 BuiltIn: true, 543 } 544 545 roles[SYSTEM_POST_ALL_ROLE_ID] = &Role{ 546 Name: "system_post_all", 547 DisplayName: "authentication.roles.system_post_all.name", 548 Description: "authentication.roles.system_post_all.description", 549 Permissions: []string{ 550 PERMISSION_CREATE_POST.Id, 551 PERMISSION_USE_CHANNEL_MENTIONS.Id, 552 }, 553 SchemeManaged: false, 554 BuiltIn: true, 555 } 556 557 roles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = &Role{ 558 Name: "system_post_all_public", 559 DisplayName: "authentication.roles.system_post_all_public.name", 560 Description: "authentication.roles.system_post_all_public.description", 561 Permissions: []string{ 562 PERMISSION_CREATE_POST_PUBLIC.Id, 563 PERMISSION_USE_CHANNEL_MENTIONS.Id, 564 }, 565 SchemeManaged: false, 566 BuiltIn: true, 567 } 568 569 roles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = &Role{ 570 Name: "system_user_access_token", 571 DisplayName: "authentication.roles.system_user_access_token.name", 572 Description: "authentication.roles.system_user_access_token.description", 573 Permissions: []string{ 574 PERMISSION_CREATE_USER_ACCESS_TOKEN.Id, 575 PERMISSION_READ_USER_ACCESS_TOKEN.Id, 576 PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id, 577 }, 578 SchemeManaged: false, 579 BuiltIn: true, 580 } 581 582 roles[SYSTEM_ADMIN_ROLE_ID] = &Role{ 583 Name: "system_admin", 584 DisplayName: "authentication.roles.global_admin.name", 585 Description: "authentication.roles.global_admin.description", 586 // System admins can do anything channel and team admins can do 587 // plus everything members of teams and channels can do to all teams 588 // and channels on the system 589 Permissions: append( 590 append( 591 append( 592 append( 593 []string{ 594 PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id, 595 PERMISSION_MANAGE_SYSTEM.Id, 596 PERMISSION_MANAGE_ROLES.Id, 597 PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, 598 PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id, 599 PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, 600 PERMISSION_DELETE_PUBLIC_CHANNEL.Id, 601 PERMISSION_CREATE_PUBLIC_CHANNEL.Id, 602 PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, 603 PERMISSION_DELETE_PRIVATE_CHANNEL.Id, 604 PERMISSION_CREATE_PRIVATE_CHANNEL.Id, 605 PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id, 606 PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id, 607 PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id, 608 PERMISSION_EDIT_OTHER_USERS.Id, 609 PERMISSION_EDIT_OTHERS_POSTS.Id, 610 PERMISSION_MANAGE_OAUTH.Id, 611 PERMISSION_INVITE_USER.Id, 612 PERMISSION_INVITE_GUEST.Id, 613 PERMISSION_PROMOTE_GUEST.Id, 614 PERMISSION_DEMOTE_TO_GUEST.Id, 615 PERMISSION_DELETE_POST.Id, 616 PERMISSION_DELETE_OTHERS_POSTS.Id, 617 PERMISSION_CREATE_TEAM.Id, 618 PERMISSION_ADD_USER_TO_TEAM.Id, 619 PERMISSION_LIST_USERS_WITHOUT_TEAM.Id, 620 PERMISSION_MANAGE_JOBS.Id, 621 PERMISSION_CREATE_POST_PUBLIC.Id, 622 PERMISSION_CREATE_POST_EPHEMERAL.Id, 623 PERMISSION_CREATE_USER_ACCESS_TOKEN.Id, 624 PERMISSION_READ_USER_ACCESS_TOKEN.Id, 625 PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id, 626 PERMISSION_CREATE_BOT.Id, 627 PERMISSION_READ_BOTS.Id, 628 PERMISSION_READ_OTHERS_BOTS.Id, 629 PERMISSION_MANAGE_BOTS.Id, 630 PERMISSION_MANAGE_OTHERS_BOTS.Id, 631 PERMISSION_REMOVE_OTHERS_REACTIONS.Id, 632 PERMISSION_LIST_PRIVATE_TEAMS.Id, 633 PERMISSION_JOIN_PRIVATE_TEAMS.Id, 634 PERMISSION_VIEW_MEMBERS.Id, 635 }, 636 roles[TEAM_USER_ROLE_ID].Permissions..., 637 ), 638 roles[CHANNEL_USER_ROLE_ID].Permissions..., 639 ), 640 roles[TEAM_ADMIN_ROLE_ID].Permissions..., 641 ), 642 roles[CHANNEL_ADMIN_ROLE_ID].Permissions..., 643 ), 644 SchemeManaged: true, 645 BuiltIn: true, 646 } 647 648 return roles 649 }