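// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package model

import "strings"

// Permission is a single fine-grained capability.
//
// Id is the stable identifier that authorization checks compare against and
// that role definitions carry, so it must never change once released (see the
// NOTE(review) comments in initializePermissions on the ids that are
// misspelled but deliberately left alone). Name and Description are i18n
// lookup keys, not human-readable text.
type Permission struct {
	Id          string `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
}

// Role is a named bundle of permission ids (the Permission.Id values).
//
// Name and Description are i18n lookup keys. The default role tables built in
// initializeDefaultRoles are intentionally small; how roles are combined for a
// given user is decided by the authorization layer, not by this file.
type Role struct {
	Id          string   `json:"id"`
	Name        string   `json:"name"`
	Description string   `json:"description"`
	Permissions []string `json:"permissions"`
}

// The PERMISSION_* values are populated by initializePermissions from init()
// and are nil before that. They are package-level pointers with no guard
// against later mutation: callers must treat them as read-only.
var (
	PERMISSION_INVITE_USER                       *Permission
	PERMISSION_ADD_USER_TO_TEAM                  *Permission
	PERMISSION_USE_SLASH_COMMANDS                *Permission
	PERMISSION_MANAGE_SLASH_COMMANDS             *Permission
	PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS      *Permission
	PERMISSION_CREATE_PUBLIC_CHANNEL             *Permission
	PERMISSION_CREATE_PRIVATE_CHANNEL            *Permission
	PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS     *Permission
	PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS    *Permission
	PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE          *Permission
	PERMISSION_MANAGE_ROLES                      *Permission
	PERMISSION_MANAGE_TEAM_ROLES                 *Permission
	PERMISSION_MANAGE_CHANNEL_ROLES              *Permission
	PERMISSION_CREATE_DIRECT_CHANNEL             *Permission
	PERMISSION_CREATE_GROUP_CHANNEL              *Permission
	PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES  *Permission
	PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES *Permission
	PERMISSION_LIST_TEAM_CHANNELS                *Permission
	PERMISSION_JOIN_PUBLIC_CHANNELS              *Permission
	PERMISSION_DELETE_PUBLIC_CHANNEL             *Permission
	PERMISSION_DELETE_PRIVATE_CHANNEL            *Permission
	PERMISSION_EDIT_OTHER_USERS                  *Permission
	PERMISSION_READ_CHANNEL                      *Permission
	PERMISSION_READ_PUBLIC_CHANNEL               *Permission
	PERMISSION_PERMANENT_DELETE_USER             *Permission
	PERMISSION_UPLOAD_FILE                       *Permission
	PERMISSION_GET_PUBLIC_LINK                   *Permission
	PERMISSION_MANAGE_WEBHOOKS                   *Permission
	PERMISSION_MANAGE_OTHERS_WEBHOOKS            *Permission
	PERMISSION_MANAGE_OAUTH                      *Permission
	PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH          *Permission
	PERMISSION_CREATE_POST                       *Permission
	PERMISSION_CREATE_POST_PUBLIC                *Permission
	PERMISSION_EDIT_POST                         *Permission
	PERMISSION_EDIT_OTHERS_POSTS                 *Permission
	PERMISSION_DELETE_POST                       *Permission
	PERMISSION_DELETE_OTHERS_POSTS               *Permission
	PERMISSION_REMOVE_USER_FROM_TEAM             *Permission
	PERMISSION_CREATE_TEAM                       *Permission
	PERMISSION_MANAGE_TEAM                       *Permission
	PERMISSION_IMPORT_TEAM                       *Permission
	PERMISSION_VIEW_TEAM                         *Permission
	PERMISSION_LIST_USERS_WITHOUT_TEAM           *Permission
	PERMISSION_MANAGE_JOBS                       *Permission
	PERMISSION_CREATE_USER_ACCESS_TOKEN          *Permission
	PERMISSION_READ_USER_ACCESS_TOKEN            *Permission
	PERMISSION_REVOKE_USER_ACCESS_TOKEN          *Permission

	// PERMISSION_MANAGE_SYSTEM is the general permission that encompasses
	// all system admin functions. In the future this could be broken up to
	// allow access to some admin functions but not others.
	PERMISSION_MANAGE_SYSTEM *Permission
)

// Role ids. The string values are what gets attached to users, so they are
// part of the persisted data model and must not be renamed casually.
const (
	SYSTEM_USER_ROLE_ID              = "system_user"
	SYSTEM_ADMIN_ROLE_ID             = "system_admin"
	SYSTEM_POST_ALL_ROLE_ID          = "system_post_all"
	SYSTEM_POST_ALL_PUBLIC_ROLE_ID   = "system_post_all_public"
	SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"

	TEAM_USER_ROLE_ID            = "team_user"
	TEAM_ADMIN_ROLE_ID           = "team_admin"
	TEAM_POST_ALL_ROLE_ID        = "team_post_all"
	TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public"

	CHANNEL_USER_ROLE_ID  = "channel_user"
	CHANNEL_ADMIN_ROLE_ID = "channel_admin"
	CHANNEL_GUEST_ROLE_ID = "guest"
)

// newPermission builds a Permission with keyed fields so that every
// declaration below has one uniform, greppable shape: the stable id first,
// then the i18n keys for its name and description.
func newPermission(id, name, description string) *Permission {
	return &Permission{Id: id, Name: name, Description: description}
}

// initializePermissions populates every PERMISSION_* value.
//
// Most entries follow the pattern id -> "authentication.permissions.<id>.name"
// / ".description". The exceptions (invite_user, use_slash_commands,
// manage__publicchannel_properties, manage_jobs) are each marked below; they
// are reproduced exactly because both the ids and the i18n keys are matched
// elsewhere (authorization checks and translation files respectively).
func initializePermissions() {
	// i18n keys use the historical "team_invite_user" stem, not the id.
	PERMISSION_INVITE_USER = newPermission(
		"invite_user",
		"authentication.permissions.team_invite_user.name",
		"authentication.permissions.team_invite_user.description",
	)
	PERMISSION_ADD_USER_TO_TEAM = newPermission(
		"add_user_to_team",
		"authentication.permissions.add_user_to_team.name",
		"authentication.permissions.add_user_to_team.description",
	)
	// i18n keys use the historical "team_use_slash_commands" stem, not the id.
	PERMISSION_USE_SLASH_COMMANDS = newPermission(
		"use_slash_commands",
		"authentication.permissions.team_use_slash_commands.name",
		"authentication.permissions.team_use_slash_commands.description",
	)
	PERMISSION_MANAGE_SLASH_COMMANDS = newPermission(
		"manage_slash_commands",
		"authentication.permissions.manage_slash_commands.name",
		"authentication.permissions.manage_slash_commands.description",
	)
	PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS = newPermission(
		"manage_others_slash_commands",
		"authentication.permissions.manage_others_slash_commands.name",
		"authentication.permissions.manage_others_slash_commands.description",
	)
	PERMISSION_CREATE_PUBLIC_CHANNEL = newPermission(
		"create_public_channel",
		"authentication.permissions.create_public_channel.name",
		"authentication.permissions.create_public_channel.description",
	)
	PERMISSION_CREATE_PRIVATE_CHANNEL = newPermission(
		"create_private_channel",
		"authentication.permissions.create_private_channel.name",
		"authentication.permissions.create_private_channel.description",
	)
	PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS = newPermission(
		"manage_public_channel_members",
		"authentication.permissions.manage_public_channel_members.name",
		"authentication.permissions.manage_public_channel_members.description",
	)
	PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS = newPermission(
		"manage_private_channel_members",
		"authentication.permissions.manage_private_channel_members.name",
		"authentication.permissions.manage_private_channel_members.description",
	)
	PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE = newPermission(
		"assign_system_admin_role",
		"authentication.permissions.assign_system_admin_role.name",
		"authentication.permissions.assign_system_admin_role.description",
	)
	PERMISSION_MANAGE_ROLES = newPermission(
		"manage_roles",
		"authentication.permissions.manage_roles.name",
		"authentication.permissions.manage_roles.description",
	)
	PERMISSION_MANAGE_TEAM_ROLES = newPermission(
		"manage_team_roles",
		"authentication.permissions.manage_team_roles.name",
		"authentication.permissions.manage_team_roles.description",
	)
	PERMISSION_MANAGE_CHANNEL_ROLES = newPermission(
		"manage_channel_roles",
		"authentication.permissions.manage_channel_roles.name",
		"authentication.permissions.manage_channel_roles.description",
	)
	PERMISSION_MANAGE_SYSTEM = newPermission(
		"manage_system",
		"authentication.permissions.manage_system.name",
		"authentication.permissions.manage_system.description",
	)
	PERMISSION_CREATE_DIRECT_CHANNEL = newPermission(
		"create_direct_channel",
		"authentication.permissions.create_direct_channel.name",
		"authentication.permissions.create_direct_channel.description",
	)
	PERMISSION_CREATE_GROUP_CHANNEL = newPermission(
		"create_group_channel",
		"authentication.permissions.create_group_channel.name",
		"authentication.permissions.create_group_channel.description",
	)
	// NOTE(review): the id "manage__publicchannel_properties" is misspelled
	// relative to its i18n keys and to the private-channel sibling below. It
	// is left as-is on purpose: the id is what authorization checks compare
	// against, so correcting it is a compatibility-breaking rename that has
	// to be coordinated with every consumer, not made silently here.
	PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES = newPermission(
		"manage__publicchannel_properties",
		"authentication.permissions.manage_public_channel_properties.name",
		"authentication.permissions.manage_public_channel_properties.description",
	)
	PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES = newPermission(
		"manage_private_channel_properties",
		"authentication.permissions.manage_private_channel_properties.name",
		"authentication.permissions.manage_private_channel_properties.description",
	)
	PERMISSION_LIST_TEAM_CHANNELS = newPermission(
		"list_team_channels",
		"authentication.permissions.list_team_channels.name",
		"authentication.permissions.list_team_channels.description",
	)
	PERMISSION_JOIN_PUBLIC_CHANNELS = newPermission(
		"join_public_channels",
		"authentication.permissions.join_public_channels.name",
		"authentication.permissions.join_public_channels.description",
	)
	PERMISSION_DELETE_PUBLIC_CHANNEL = newPermission(
		"delete_public_channel",
		"authentication.permissions.delete_public_channel.name",
		"authentication.permissions.delete_public_channel.description",
	)
	PERMISSION_DELETE_PRIVATE_CHANNEL = newPermission(
		"delete_private_channel",
		"authentication.permissions.delete_private_channel.name",
		"authentication.permissions.delete_private_channel.description",
	)
	PERMISSION_EDIT_OTHER_USERS = newPermission(
		"edit_other_users",
		"authentication.permissions.edit_other_users.name",
		"authentication.permissions.edit_other_users.description",
	)
	PERMISSION_READ_CHANNEL = newPermission(
		"read_channel",
		"authentication.permissions.read_channel.name",
		"authentication.permissions.read_channel.description",
	)
	PERMISSION_READ_PUBLIC_CHANNEL = newPermission(
		"read_public_channel",
		"authentication.permissions.read_public_channel.name",
		"authentication.permissions.read_public_channel.description",
	)
	PERMISSION_PERMANENT_DELETE_USER = newPermission(
		"permanent_delete_user",
		"authentication.permissions.permanent_delete_user.name",
		"authentication.permissions.permanent_delete_user.description",
	)
	PERMISSION_UPLOAD_FILE = newPermission(
		"upload_file",
		"authentication.permissions.upload_file.name",
		"authentication.permissions.upload_file.description",
	)
	PERMISSION_GET_PUBLIC_LINK = newPermission(
		"get_public_link",
		"authentication.permissions.get_public_link.name",
		"authentication.permissions.get_public_link.description",
	)
	PERMISSION_MANAGE_WEBHOOKS = newPermission(
		"manage_webhooks",
		"authentication.permissions.manage_webhooks.name",
		"authentication.permissions.manage_webhooks.description",
	)
	PERMISSION_MANAGE_OTHERS_WEBHOOKS = newPermission(
		"manage_others_webhooks",
		"authentication.permissions.manage_others_webhooks.name",
		"authentication.permissions.manage_others_webhooks.description",
	)
	PERMISSION_MANAGE_OAUTH = newPermission(
		"manage_oauth",
		"authentication.permissions.manage_oauth.name",
		"authentication.permissions.manage_oauth.description",
	)
	// NOTE(review): "sytem" is misspelled in both the id and the i18n keys.
	// Same reasoning as manage__publicchannel_properties: keep it until a
	// coordinated rename covers the checks and the translation files.
	PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH = newPermission(
		"manage_sytem_wide_oauth",
		"authentication.permissions.manage_sytem_wide_oauth.name",
		"authentication.permissions.manage_sytem_wide_oauth.description",
	)
	PERMISSION_CREATE_POST = newPermission(
		"create_post",
		"authentication.permissions.create_post.name",
		"authentication.permissions.create_post.description",
	)
	PERMISSION_CREATE_POST_PUBLIC = newPermission(
		"create_post_public",
		"authentication.permissions.create_post_public.name",
		"authentication.permissions.create_post_public.description",
	)
	PERMISSION_EDIT_POST = newPermission(
		"edit_post",
		"authentication.permissions.edit_post.name",
		"authentication.permissions.edit_post.description",
	)
	PERMISSION_EDIT_OTHERS_POSTS = newPermission(
		"edit_others_posts",
		"authentication.permissions.edit_others_posts.name",
		"authentication.permissions.edit_others_posts.description",
	)
	PERMISSION_DELETE_POST = newPermission(
		"delete_post",
		"authentication.permissions.delete_post.name",
		"authentication.permissions.delete_post.description",
	)
	PERMISSION_DELETE_OTHERS_POSTS = newPermission(
		"delete_others_posts",
		"authentication.permissions.delete_others_posts.name",
		"authentication.permissions.delete_others_posts.description",
	)
	PERMISSION_REMOVE_USER_FROM_TEAM = newPermission(
		"remove_user_from_team",
		"authentication.permissions.remove_user_from_team.name",
		"authentication.permissions.remove_user_from_team.description",
	)
	PERMISSION_CREATE_TEAM = newPermission(
		"create_team",
		"authentication.permissions.create_team.name",
		"authentication.permissions.create_team.description",
	)
	PERMISSION_MANAGE_TEAM = newPermission(
		"manage_team",
		"authentication.permissions.manage_team.name",
		"authentication.permissions.manage_team.description",
	)
	PERMISSION_IMPORT_TEAM = newPermission(
		"import_team",
		"authentication.permissions.import_team.name",
		"authentication.permissions.import_team.description",
	)
	PERMISSION_VIEW_TEAM = newPermission(
		"view_team",
		"authentication.permissions.view_team.name",
		"authentication.permissions.view_team.description",
	)
	PERMISSION_LIST_USERS_WITHOUT_TEAM = newPermission(
		"list_users_without_team",
		"authentication.permissions.list_users_without_team.name",
		"authentication.permissions.list_users_without_team.description",
	)
	PERMISSION_CREATE_USER_ACCESS_TOKEN = newPermission(
		"create_user_access_token",
		"authentication.permissions.create_user_access_token.name",
		"authentication.permissions.create_user_access_token.description",
	)
	PERMISSION_READ_USER_ACCESS_TOKEN = newPermission(
		"read_user_access_token",
		"authentication.permissions.read_user_access_token.name",
		"authentication.permissions.read_user_access_token.description",
	)
	PERMISSION_REVOKE_USER_ACCESS_TOKEN = newPermission(
		"revoke_user_access_token",
		"authentication.permissions.revoke_user_access_token.name",
		"authentication.permissions.revoke_user_access_token.description",
	)
	// NOTE(review): the i18n keys use "permisssions" (three s). They must
	// match whatever key the translation files carry, so they are not
	// corrected here; fix both sides together or the lookup breaks.
	PERMISSION_MANAGE_JOBS = newPermission(
		"manage_jobs",
		"authentication.permisssions.manage_jobs.name",
		"authentication.permisssions.manage_jobs.description",
	)
}

// DefaultRoles maps each built-in role id to its definition. It is filled by
// initializeDefaultRoles from init() and is nil before that. Like the
// PERMISSION_* values it is unguarded package state; treat it as read-only.
var DefaultRoles map[string]*Role

// initializeDefaultRoles builds DefaultRoles. It dereferences the PERMISSION_*
// pointers, so initializePermissions must already have run.
//
// The system_admin entry is assembled last because it is the base system
// set plus the permission lists of four other roles, taken from the map in a
// fixed order.
func initializeDefaultRoles() {
	DefaultRoles = make(map[string]*Role)

	DefaultRoles[CHANNEL_USER_ROLE_ID] = &Role{
		Id:          CHANNEL_USER_ROLE_ID,
		Name:        "authentication.roles.channel_user.name",
		Description: "authentication.roles.channel_user.description",
		Permissions: []string{
			PERMISSION_READ_CHANNEL.Id,
			PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
			PERMISSION_UPLOAD_FILE.Id,
			PERMISSION_GET_PUBLIC_LINK.Id,
			PERMISSION_CREATE_POST.Id,
			PERMISSION_EDIT_POST.Id,
			PERMISSION_USE_SLASH_COMMANDS.Id,
		},
	}

	DefaultRoles[CHANNEL_ADMIN_ROLE_ID] = &Role{
		Id:          CHANNEL_ADMIN_ROLE_ID,
		Name:        "authentication.roles.channel_admin.name",
		Description: "authentication.roles.channel_admin.description",
		Permissions: []string{
			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
		},
	}

	// Guests get an empty (non-nil, so it serializes as []) permission list.
	DefaultRoles[CHANNEL_GUEST_ROLE_ID] = &Role{
		Id:          CHANNEL_GUEST_ROLE_ID,
		Name:        "authentication.roles.global_guest.name",
		Description: "authentication.roles.global_guest.description",
		Permissions: []string{},
	}

	DefaultRoles[TEAM_USER_ROLE_ID] = &Role{
		Id:          TEAM_USER_ROLE_ID,
		Name:        "authentication.roles.team_user.name",
		Description: "authentication.roles.team_user.description",
		Permissions: []string{
			PERMISSION_LIST_TEAM_CHANNELS.Id,
			PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
			PERMISSION_READ_PUBLIC_CHANNEL.Id,
			PERMISSION_VIEW_TEAM.Id,
		},
	}

	DefaultRoles[TEAM_POST_ALL_ROLE_ID] = &Role{
		Id:          TEAM_POST_ALL_ROLE_ID,
		Name:        "authentication.roles.team_post_all.name",
		Description: "authentication.roles.team_post_all.description",
		Permissions: []string{
			PERMISSION_CREATE_POST.Id,
		},
	}

	DefaultRoles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
		Id:          TEAM_POST_ALL_PUBLIC_ROLE_ID,
		Name:        "authentication.roles.team_post_all_public.name",
		Description: "authentication.roles.team_post_all_public.description",
		Permissions: []string{
			PERMISSION_CREATE_POST_PUBLIC.Id,
		},
	}

	DefaultRoles[TEAM_ADMIN_ROLE_ID] = &Role{
		Id:          TEAM_ADMIN_ROLE_ID,
		Name:        "authentication.roles.team_admin.name",
		Description: "authentication.roles.team_admin.description",
		Permissions: []string{
			PERMISSION_EDIT_OTHERS_POSTS.Id,
			PERMISSION_REMOVE_USER_FROM_TEAM.Id,
			PERMISSION_MANAGE_TEAM.Id,
			PERMISSION_IMPORT_TEAM.Id,
			PERMISSION_MANAGE_TEAM_ROLES.Id,
			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
			PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
			PERMISSION_MANAGE_SLASH_COMMANDS.Id,
			PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
			PERMISSION_MANAGE_WEBHOOKS.Id,
		},
	}

	// NOTE(review): the baseline system_user role carries
	// permanent_delete_user, a destructive permission, alongside two benign
	// ones. Where that permission is actually enforced is outside this file;
	// whoever owns the enforcement should confirm that an ordinary user can
	// only ever reach it for their own account, or move it off this role.
	DefaultRoles[SYSTEM_USER_ROLE_ID] = &Role{
		Id:          SYSTEM_USER_ROLE_ID,
		Name:        "authentication.roles.global_user.name",
		Description: "authentication.roles.global_user.description",
		Permissions: []string{
			PERMISSION_CREATE_DIRECT_CHANNEL.Id,
			PERMISSION_CREATE_GROUP_CHANNEL.Id,
			PERMISSION_PERMANENT_DELETE_USER.Id,
		},
	}

	DefaultRoles[SYSTEM_POST_ALL_ROLE_ID] = &Role{
		Id:          SYSTEM_POST_ALL_ROLE_ID,
		Name:        "authentication.roles.system_post_all.name",
		Description: "authentication.roles.system_post_all.description",
		Permissions: []string{
			PERMISSION_CREATE_POST.Id,
		},
	}

	DefaultRoles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
		Id:          SYSTEM_POST_ALL_PUBLIC_ROLE_ID,
		Name:        "authentication.roles.system_post_all_public.name",
		Description: "authentication.roles.system_post_all_public.description",
		Permissions: []string{
			PERMISSION_CREATE_POST_PUBLIC.Id,
		},
	}

	DefaultRoles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = &Role{
		Id:          SYSTEM_USER_ACCESS_TOKEN_ROLE_ID,
		Name:        "authentication.roles.system_user_access_token.name",
		Description: "authentication.roles.system_user_access_token.description",
		Permissions: []string{
			PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
			PERMISSION_READ_USER_ACCESS_TOKEN.Id,
			PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
		},
	}

	// System admins can do anything channel and team admins can do, plus
	// everything members of teams and channels can do, on all teams and
	// channels in the system. The list is the system-only base set followed
	// by the permission lists of team_user, channel_user, team_admin and
	// channel_admin, in that order. A few ids therefore appear twice (for
	// example manage_public_channel_members is in the base set and in
	// channel_user); they are not deduplicated so that the exported slice
	// keeps exactly the contents earlier releases produced.
	adminPermissions := []string{
		PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
		PERMISSION_MANAGE_SYSTEM.Id,
		PERMISSION_MANAGE_ROLES.Id,
		PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
		PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
		PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
		PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
		PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
		PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
		PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
		PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
		PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
		PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
		PERMISSION_EDIT_OTHER_USERS.Id,
		PERMISSION_MANAGE_OAUTH.Id,
		PERMISSION_INVITE_USER.Id,
		PERMISSION_DELETE_POST.Id,
		PERMISSION_DELETE_OTHERS_POSTS.Id,
		PERMISSION_CREATE_TEAM.Id,
		PERMISSION_ADD_USER_TO_TEAM.Id,
		PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
		PERMISSION_MANAGE_JOBS.Id,
		PERMISSION_CREATE_POST_PUBLIC.Id,
		PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
		PERMISSION_READ_USER_ACCESS_TOKEN.Id,
		PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
	}
	// append copies the elements, so the admin slice never aliases the
	// backing arrays of the roles it is built from.
	for _, inherited := range []string{
		TEAM_USER_ROLE_ID,
		CHANNEL_USER_ROLE_ID,
		TEAM_ADMIN_ROLE_ID,
		CHANNEL_ADMIN_ROLE_ID,
	} {
		adminPermissions = append(adminPermissions, DefaultRoles[inherited].Permissions...)
	}

	DefaultRoles[SYSTEM_ADMIN_ROLE_ID] = &Role{
		Id:          SYSTEM_ADMIN_ROLE_ID,
		Name:        "authentication.roles.global_admin.name",
		Description: "authentication.roles.global_admin.description",
		Permissions: adminPermissions,
	}
}

// RoleIdsToString renders a list of role ids for log and error messages.
//
// Ids are joined with ", ". An empty or nil list renders as the literal
// "[<NO ROLES>]" so a missing role set is visible rather than blank. This is
// presentation only; never parse the result back into role ids.
//
// The previous implementation trimmed one byte from the accumulated
// "id, id, " string and so always emitted a trailing comma ("a, b,"); joining
// the ids directly fixes that.
func RoleIdsToString(roles []string) string {
	if len(roles) == 0 {
		return "[<NO ROLES>]"
	}
	return strings.Join(roles, ", ")
}

// init wires the permission and role tables at package load. Order matters:
// initializeDefaultRoles reads the PERMISSION_* pointers that
// initializePermissions sets. They are kept as separate package-private
// functions rather than inlined here.
func init() {
	initializePermissions()
	initializeDefaultRoles()
}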