// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package model

import (
	"encoding/json"
	"io"
	"strings"
)

// Identifiers of the built-in roles and the size limits applied to
// user-supplied role fields.
const (
	SYSTEM_USER_ROLE_ID              = "system_user"
	SYSTEM_ADMIN_ROLE_ID             = "system_admin"
	SYSTEM_POST_ALL_ROLE_ID          = "system_post_all"
	SYSTEM_POST_ALL_PUBLIC_ROLE_ID   = "system_post_all_public"
	SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"

	TEAM_USER_ROLE_ID            = "team_user"
	TEAM_ADMIN_ROLE_ID           = "team_admin"
	TEAM_POST_ALL_ROLE_ID        = "team_post_all"
	TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public"

	CHANNEL_USER_ROLE_ID  = "channel_user"
	CHANNEL_ADMIN_ROLE_ID = "channel_admin"

	ROLE_NAME_MAX_LENGTH         = 64
	ROLE_DISPLAY_NAME_MAX_LENGTH = 128
	ROLE_DESCRIPTION_MAX_LENGTH  = 1024
)

// Role is a named bundle of permission IDs. Permissions holds permission
// identifiers (compare with Permission.Id); IsValidWithoutId rejects any
// entry that is not present in ALL_PERMISSIONS.
type Role struct {
	Id            string   `json:"id"`
	Name          string   `json:"name"`
	DisplayName   string   `json:"display_name"`
	Description   string   `json:"description"`
	CreateAt      int64    `json:"create_at"`
	UpdateAt      int64    `json:"update_at"`
	DeleteAt      int64    `json:"delete_at"`
	Permissions   []string `json:"permissions"`
	SchemeManaged bool     `json:"scheme_managed"`
	BuiltIn       bool     `json:"built_in"`
}

// RolePatch carries the fields a client may change on a Role. A nil
// Permissions pointer means "leave the permissions untouched"; a non-nil
// pointer replaces them wholesale, including an empty list.
type RolePatch struct {
	Permissions *[]string `json:"permissions"`
}

// ToJson serializes the role with encoding/json. Marshal errors are
// discarded, matching the other *ToJson helpers in this package.
func (role *Role) ToJson() string {
	encoded, _ := json.Marshal(role)
	return string(encoded)
}

// RoleFromJson decodes a single Role from data. Decode errors are not
// surfaced; when the input cannot be parsed the result is nil, so callers
// must nil-check before use.
func RoleFromJson(data io.Reader) *Role {
	var decoded *Role
	_ = json.NewDecoder(data).Decode(&decoded)
	return decoded
}

// RoleListToJson serializes a slice of roles with encoding/json; marshal
// errors are discarded.
func RoleListToJson(r []*Role) string {
	encoded, _ := json.Marshal(r)
	return string(encoded)
}

// RoleListFromJson decodes a JSON array of roles from data. Decode errors
// are not surfaced; unparseable input yields a nil slice.
func RoleListFromJson(data io.Reader) []*Role {
	var decoded []*Role
	_ = json.NewDecoder(data).Decode(&decoded)
	return decoded
}

// ToJson serializes the patch with encoding/json; marshal errors are
// discarded.
func (r *RolePatch) ToJson() string {
	encoded, _ := json.Marshal(r)
	return string(encoded)
}

// RolePatchFromJson decodes a RolePatch from data. Decode errors are not
// surfaced; unparseable input yields nil.
func RolePatchFromJson(data io.Reader) *RolePatch {
	var decoded *RolePatch
	_ = json.NewDecoder(data).Decode(&decoded)
	return decoded
}

// Patch applies patch to the role in place. Only a non-nil Permissions
// pointer has any effect; the pointed-to slice is adopted as-is (not
// copied), so the caller should not mutate it afterwards.
func (o *Role) Patch(patch *RolePatch) {
	if patch.Permissions == nil {
		return
	}
	o.Permissions = *patch.Permissions
}

// PermissionsChangedByPatch returns the symmetric difference between
// role.Permissions and *patch.Permissions: first the permissions the role
// has that the patch lacks, then the permissions the patch adds. A nil
// patch.Permissions yields nil because nothing would change. Duplicate
// entries in either input are reported as often as they appear.
func PermissionsChangedByPatch(role *Role, patch *RolePatch) []string {
	if patch.Permissions == nil {
		return nil
	}

	// Index a permission list for O(1) membership tests.
	index := func(perms []string) map[string]struct{} {
		set := make(map[string]struct{}, len(perms))
		for _, p := range perms {
			set[p] = struct{}{}
		}
		return set
	}

	current := index(role.Permissions)
	proposed := index(*patch.Permissions)

	var changed []string
	for _, p := range role.Permissions {
		if _, stillPresent := proposed[p]; !stillPresent {
			changed = append(changed, p)
		}
	}
	for _, p := range *patch.Permissions {
		if _, alreadyHad := current[p]; !alreadyHad {
			changed = append(changed, p)
		}
	}

	return changed
}

// IsValid reports whether the role carries a 26-character Id and otherwise
// satisfies IsValidWithoutId.
func (role *Role) IsValid() bool {
	if len(role.Id) != 26 {
		return false
	}
	return role.IsValidWithoutId()
}

// IsValidWithoutId checks every field except Id: the name must satisfy
// IsValidRoleName, DisplayName must be non-empty and within
// ROLE_DISPLAY_NAME_MAX_LENGTH, Description within
// ROLE_DESCRIPTION_MAX_LENGTH, and every permission must match the Id of an
// entry in ALL_PERMISSIONS. Rejecting unknown permission IDs here is what
// keeps arbitrary strings out of stored roles.
func (role *Role) IsValidWithoutId() bool {
	switch {
	case !IsValidRoleName(role.Name):
		return false
	case role.DisplayName == "" || len(role.DisplayName) > ROLE_DISPLAY_NAME_MAX_LENGTH:
		return false
	case len(role.Description) > ROLE_DESCRIPTION_MAX_LENGTH:
		return false
	}

	// Linear scan of ALL_PERMISSIONS per entry; the list is small and this
	// path is not hot.
	known := func(id string) bool {
		for _, p := range ALL_PERMISSIONS {
			if p.Id == id {
				return true
			}
		}
		return false
	}

	for _, permission := range role.Permissions {
		if !known(permission) {
			return false
		}
	}

	return true
}

// IsValidRoleName reports whether roleName is non-empty, at most
// ROLE_NAME_MAX_LENGTH bytes, and made up solely of lowercase ASCII
// letters, digits and underscores. Any other rune (including invalid
// UTF-8, which decodes as U+FFFD) makes the name invalid.
func IsValidRoleName(roleName string) bool {
	const allowed = "abcdefghijklmnopqrstuvwxyz0123456789_"

	if len(roleName) == 0 || len(roleName) > ROLE_NAME_MAX_LENGTH {
		return false
	}

	firstBad := strings.IndexFunc(roleName, func(r rune) bool {
		return !strings.ContainsRune(allowed, r)
	})
	return firstBad == -1
}

// MakeDefaultRoles builds the built-in roles keyed by role ID. Every role
// returned has BuiltIn set; SchemeManaged is true for the roles that
// schemes override and false for the *_post_all* and access-token roles.
// The system_admin role is assembled last because it inherits the
// permission lists of team_user, channel_user, team_admin and
// channel_admin from the map being built.
func MakeDefaultRoles() map[string]*Role {
	roles := make(map[string]*Role)

	define := func(id, name, displayName, description string, schemeManaged bool, permissions []string) {
		roles[id] = &Role{
			Name:          name,
			DisplayName:   displayName,
			Description:   description,
			Permissions:   permissions,
			SchemeManaged: schemeManaged,
			BuiltIn:       true,
		}
	}

	define(CHANNEL_USER_ROLE_ID,
		"channel_user",
		"authentication.roles.channel_user.name",
		"authentication.roles.channel_user.description",
		true,
		[]string{
			PERMISSION_READ_CHANNEL.Id,
			PERMISSION_ADD_REACTION.Id,
			PERMISSION_REMOVE_REACTION.Id,
			PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
			PERMISSION_UPLOAD_FILE.Id,
			PERMISSION_GET_PUBLIC_LINK.Id,
			PERMISSION_CREATE_POST.Id,
			PERMISSION_USE_SLASH_COMMANDS.Id,
		})

	define(CHANNEL_ADMIN_ROLE_ID,
		"channel_admin",
		"authentication.roles.channel_admin.name",
		"authentication.roles.channel_admin.description",
		true,
		[]string{
			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
		})

	define(TEAM_USER_ROLE_ID,
		"team_user",
		"authentication.roles.team_user.name",
		"authentication.roles.team_user.description",
		true,
		[]string{
			PERMISSION_LIST_TEAM_CHANNELS.Id,
			PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
			PERMISSION_READ_PUBLIC_CHANNEL.Id,
			PERMISSION_VIEW_TEAM.Id,
		})

	define(TEAM_POST_ALL_ROLE_ID,
		"team_post_all",
		"authentication.roles.team_post_all.name",
		"authentication.roles.team_post_all.description",
		false,
		[]string{
			PERMISSION_CREATE_POST.Id,
		})

	define(TEAM_POST_ALL_PUBLIC_ROLE_ID,
		"team_post_all_public",
		"authentication.roles.team_post_all_public.name",
		"authentication.roles.team_post_all_public.description",
		false,
		[]string{
			PERMISSION_CREATE_POST_PUBLIC.Id,
		})

	define(TEAM_ADMIN_ROLE_ID,
		"team_admin",
		"authentication.roles.team_admin.name",
		"authentication.roles.team_admin.description",
		true,
		[]string{
			PERMISSION_REMOVE_USER_FROM_TEAM.Id,
			PERMISSION_MANAGE_TEAM.Id,
			PERMISSION_IMPORT_TEAM.Id,
			PERMISSION_MANAGE_TEAM_ROLES.Id,
			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
			PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
			PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
			PERMISSION_MANAGE_SLASH_COMMANDS.Id,
			PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
			PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
			PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
		})

	define(SYSTEM_USER_ROLE_ID,
		"system_user",
		"authentication.roles.global_user.name",
		"authentication.roles.global_user.description",
		true,
		[]string{
			PERMISSION_LIST_PUBLIC_TEAMS.Id,
			PERMISSION_JOIN_PUBLIC_TEAMS.Id,
			PERMISSION_CREATE_DIRECT_CHANNEL.Id,
			PERMISSION_CREATE_GROUP_CHANNEL.Id,
		})

	define(SYSTEM_POST_ALL_ROLE_ID,
		"system_post_all",
		"authentication.roles.system_post_all.name",
		"authentication.roles.system_post_all.description",
		false,
		[]string{
			PERMISSION_CREATE_POST.Id,
		})

	define(SYSTEM_POST_ALL_PUBLIC_ROLE_ID,
		"system_post_all_public",
		"authentication.roles.system_post_all_public.name",
		"authentication.roles.system_post_all_public.description",
		false,
		[]string{
			PERMISSION_CREATE_POST_PUBLIC.Id,
		})

	define(SYSTEM_USER_ACCESS_TOKEN_ROLE_ID,
		"system_user_access_token",
		"authentication.roles.system_user_access_token.name",
		"authentication.roles.system_user_access_token.description",
		false,
		[]string{
			PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
			PERMISSION_READ_USER_ACCESS_TOKEN.Id,
			PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
		})

	// System admins can do anything channel and team admins can do
	// plus everything members of teams and channels can do to all teams
	// and channels on the system. The system-specific permissions come
	// first, then the inherited lists in the order team_user,
	// channel_user, team_admin, channel_admin.
	adminPermissions := []string{
		PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
		PERMISSION_MANAGE_SYSTEM.Id,
		PERMISSION_MANAGE_ROLES.Id,
		PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
		PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
		PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
		PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
		PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
		PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
		PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
		PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
		PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
		PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
		PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
		PERMISSION_EDIT_OTHER_USERS.Id,
		PERMISSION_EDIT_OTHERS_POSTS.Id,
		PERMISSION_MANAGE_OAUTH.Id,
		PERMISSION_INVITE_USER.Id,
		PERMISSION_DELETE_POST.Id,
		PERMISSION_DELETE_OTHERS_POSTS.Id,
		PERMISSION_CREATE_TEAM.Id,
		PERMISSION_ADD_USER_TO_TEAM.Id,
		PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
		PERMISSION_MANAGE_JOBS.Id,
		PERMISSION_CREATE_POST_PUBLIC.Id,
		PERMISSION_CREATE_POST_EPHEMERAL.Id,
		PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
		PERMISSION_READ_USER_ACCESS_TOKEN.Id,
		PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
		PERMISSION_CREATE_BOT.Id,
		PERMISSION_READ_BOTS.Id,
		PERMISSION_READ_OTHERS_BOTS.Id,
		PERMISSION_MANAGE_BOTS.Id,
		PERMISSION_MANAGE_OTHERS_BOTS.Id,
		PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
		PERMISSION_LIST_PRIVATE_TEAMS.Id,
		PERMISSION_JOIN_PRIVATE_TEAMS.Id,
	}
	for _, inherited := range []string{TEAM_USER_ROLE_ID, CHANNEL_USER_ROLE_ID, TEAM_ADMIN_ROLE_ID, CHANNEL_ADMIN_ROLE_ID} {
		adminPermissions = append(adminPermissions, roles[inherited].Permissions...)
	}

	define(SYSTEM_ADMIN_ROLE_ID,
		"system_admin",
		"authentication.roles.global_admin.name",
		"authentication.roles.global_admin.description",
		true,
		adminPermissions)

	return roles
}