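// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package model

import (
	"encoding/json"
	"io"
	"strings"
)

// Identifiers of the built-in, scheme-managed roles created by
// MakeDefaultRoles. The three families (system, team, channel) are
// layered on a user; how the permission sets of the layers are combined
// is decided by the caller that evaluates permissions, not by this file.
const (
	SYSTEM_USER_ROLE_ID              = "system_user"
	SYSTEM_ADMIN_ROLE_ID             = "system_admin"
	SYSTEM_POST_ALL_ROLE_ID          = "system_post_all"
	SYSTEM_POST_ALL_PUBLIC_ROLE_ID   = "system_post_all_public"
	SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"

	TEAM_USER_ROLE_ID            = "team_user"
	TEAM_ADMIN_ROLE_ID           = "team_admin"
	TEAM_POST_ALL_ROLE_ID        = "team_post_all"
	TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public"

	CHANNEL_USER_ROLE_ID  = "channel_user"
	CHANNEL_ADMIN_ROLE_ID = "channel_admin"
)

// Size limits enforced by IsValidWithoutId / IsValidRoleName. All three
// are byte lengths (Go len on a string), not rune counts.
const (
	ROLE_NAME_MAX_LENGTH         = 64
	ROLE_DISPLAY_NAME_MAX_LENGTH = 128
	ROLE_DESCRIPTION_MAX_LENGTH  = 1024
)

// Role is a named bundle of permission ids. SchemeManaged marks the
// built-in roles produced by MakeDefaultRoles; whether that flag
// restricts editing is decided by callers, nothing in this file
// consults it.
type Role struct {
	Id            string   `json:"id"`
	Name          string   `json:"name"`
	DisplayName   string   `json:"display_name"`
	Description   string   `json:"description"`
	CreateAt      int64    `json:"create_at"`
	UpdateAt      int64    `json:"update_at"`
	DeleteAt      int64    `json:"delete_at"`
	Permissions   []string `json:"permissions"`
	SchemeManaged bool     `json:"scheme_managed"`
}

// RolePatch is the only shape accepted by Role.Patch. Deliberately just
// Permissions: Name, SchemeManaged and the timestamps cannot be changed
// through a patch. A nil Permissions pointer (absent or JSON null) means
// "leave unchanged"; a pointer to an empty slice means "remove all".
type RolePatch struct {
	Permissions *[]string `json:"permissions"`
}

// ToJson serialises the role. The marshal error is dropped on purpose:
// Role consists only of strings, int64s, a []string and a bool, which
// encoding/json can always encode.
func (role *Role) ToJson() string {
	b, _ := json.Marshal(role)
	return string(b)
}

// RoleFromJson decodes a single role from data. Decode errors are not
// surfaced: malformed input (or a JSON null) yields a nil *Role, so
// callers must nil-check before use. Unknown fields are ignored and
// nothing is validated here — run IsValid / IsValidWithoutId afterwards.
func RoleFromJson(data io.Reader) *Role {
	var role *Role
	json.NewDecoder(data).Decode(&role)
	return role
}

// RoleListToJson serialises a list of roles (nil encodes as JSON null).
func RoleListToJson(r []*Role) string {
	b, _ := json.Marshal(r)
	return string(b)
}

// RoleListFromJson decodes a JSON array of roles. As with RoleFromJson,
// decode errors are swallowed and produce a nil slice; individual
// elements may be nil if the array contained nulls.
func RoleListFromJson(data io.Reader) []*Role {
	var roles []*Role
	json.NewDecoder(data).Decode(&roles)
	return roles
}

// ToJson serialises the patch; the marshal error cannot occur for a
// *[]string and is dropped.
func (r *RolePatch) ToJson() string {
	b, _ := json.Marshal(r)
	return string(b)
}

// RolePatchFromJson decodes a patch from data. Malformed input yields nil
// (decode errors are not surfaced), so callers must nil-check.
func RolePatchFromJson(data io.Reader) *RolePatch {
	var rolePatch *RolePatch
	json.NewDecoder(data).Decode(&rolePatch)
	return rolePatch
}

// Patch applies patch to o. Only Permissions can change, and only when
// the patch carries a non-nil Permissions pointer. The permission list
// is copied rather than aliased so that the role does not share a
// backing array with the patch (a later mutation of the patch's slice
// would otherwise silently change the role). A nil patch is a no-op.
// No validation happens here: call IsValidWithoutId on the result.
func (o *Role) Patch(patch *RolePatch) {
	if patch == nil || patch.Permissions == nil {
		return
	}
	perms := make([]string, len(*patch.Permissions))
	copy(perms, *patch.Permissions)
	o.Permissions = perms
}

// PermissionsChangedByPatch returns the symmetric difference of
// role.Permissions and *patch.Permissions: permissions the patch would
// remove (present in the role, absent from the patch) followed by the
// ones it would add (present in the patch, absent from the role).
// Result order follows the input slices; if an input contains the same
// permission twice it is reported twice. A nil patch, or a patch whose
// Permissions is nil, changes nothing and yields a nil slice.
func PermissionsChangedByPatch(role *Role, patch *RolePatch) []string {
	if patch == nil || patch.Permissions == nil {
		return nil
	}

	inRole := make(map[string]bool, len(role.Permissions))
	for _, p := range role.Permissions {
		inRole[p] = true
	}
	inPatch := make(map[string]bool, len(*patch.Permissions))
	for _, p := range *patch.Permissions {
		inPatch[p] = true
	}

	var changed []string
	// Removed by the patch.
	for _, p := range role.Permissions {
		if !inPatch[p] {
			changed = append(changed, p)
		}
	}
	// Added by the patch.
	for _, p := range *patch.Permissions {
		if !inRole[p] {
			changed = append(changed, p)
		}
	}
	return changed
}

// IsValid reports whether the role is well-formed, including its Id.
// 26 is presumably the length of ids generated elsewhere in this
// package (NewId, not visible here) — confirm if that generator changes.
func (role *Role) IsValid() bool {
	if len(role.Id) != 26 {
		return false
	}
	return role.IsValidWithoutId()
}

// IsValidWithoutId checks Name, DisplayName, Description and the
// permission list, ignoring Id (useful before the role is persisted).
//
// Each permission must be the Id of an entry in ALL_PERMISSIONS. That is
// a syntactic check only: it does not decide whether the caller is
// allowed to grant a given permission (e.g. PERMISSION_MANAGE_SYSTEM on
// a custom role), so authorisation of role edits must be enforced by the
// caller. Duplicate permissions are accepted, and SchemeManaged is not
// examined.
func (role *Role) IsValidWithoutId() bool {
	if !IsValidRoleName(role.Name) {
		return false
	}
	if len(role.DisplayName) == 0 || len(role.DisplayName) > ROLE_DISPLAY_NAME_MAX_LENGTH {
		return false
	}
	if len(role.Description) > ROLE_DESCRIPTION_MAX_LENGTH {
		return false
	}
	for _, permission := range role.Permissions {
		if !isKnownPermissionId(permission) {
			return false
		}
	}
	return true
}

// isKnownPermissionId reports whether id matches the Id of an entry in
// the package-level ALL_PERMISSIONS list (linear scan; the list is small
// and fixed).
func isKnownPermissionId(id string) bool {
	for _, p := range ALL_PERMISSIONS {
		if p.Id == id {
			return true
		}
	}
	return false
}

// IsValidRoleName reports whether roleName is 1..ROLE_NAME_MAX_LENGTH
// bytes long and consists solely of ASCII lowercase letters, digits and
// underscores. Uppercase, '-', '.', whitespace and any non-ASCII byte
// are rejected, which keeps role names safe to use as plain
// identifiers and rules out case-variant look-alikes of built-in names.
func IsValidRoleName(roleName string) bool {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789_"

	if len(roleName) == 0 || len(roleName) > ROLE_NAME_MAX_LENGTH {
		return false
	}
	// TrimLeft removes every leading byte that is in the alphabet; any
	// remainder is therefore a byte outside it.
	return strings.TrimLeft(roleName, alphabet) == ""
}

// newSchemeRole builds a SchemeManaged role with the given name, i18n
// display/description keys and permission list. Id, CreateAt, UpdateAt
// and DeleteAt are left at their zero values.
func newSchemeRole(name, displayName, description string, permissions []string) *Role {
	return &Role{
		Name:          name,
		DisplayName:   displayName,
		Description:   description,
		Permissions:   permissions,
		SchemeManaged: true,
	}
}

// MakeDefaultRoles returns the built-in roles keyed by their *_ROLE_ID
// constant. DisplayName and Description hold i18n keys, not text. Id and
// the timestamps are zero on every returned role; they are presumably
// filled in when the roles are stored — confirm against the store layer.
func MakeDefaultRoles() map[string]*Role {
	roles := make(map[string]*Role)

	roles[CHANNEL_USER_ROLE_ID] = newSchemeRole(
		"channel_user",
		"authentication.roles.channel_user.name",
		"authentication.roles.channel_user.description",
		[]string{
			PERMISSION_READ_CHANNEL.Id,
			PERMISSION_ADD_REACTION.Id,
			PERMISSION_REMOVE_REACTION.Id,
			PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
			PERMISSION_UPLOAD_FILE.Id,
			PERMISSION_GET_PUBLIC_LINK.Id,
			PERMISSION_CREATE_POST.Id,
			PERMISSION_USE_SLASH_COMMANDS.Id,
		},
	)

	roles[CHANNEL_ADMIN_ROLE_ID] = newSchemeRole(
		"channel_admin",
		"authentication.roles.channel_admin.name",
		"authentication.roles.channel_admin.description",
		[]string{
			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
		},
	)

	roles[TEAM_USER_ROLE_ID] = newSchemeRole(
		"team_user",
		"authentication.roles.team_user.name",
		"authentication.roles.team_user.description",
		[]string{
			PERMISSION_LIST_TEAM_CHANNELS.Id,
			PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
			PERMISSION_READ_PUBLIC_CHANNEL.Id,
			PERMISSION_VIEW_TEAM.Id,
		},
	)

	roles[TEAM_POST_ALL_ROLE_ID] = newSchemeRole(
		"team_post_all",
		"authentication.roles.team_post_all.name",
		"authentication.roles.team_post_all.description",
		[]string{
			PERMISSION_CREATE_POST.Id,
		},
	)

	roles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = newSchemeRole(
		"team_post_all_public",
		"authentication.roles.team_post_all_public.name",
		"authentication.roles.team_post_all_public.description",
		[]string{
			PERMISSION_CREATE_POST_PUBLIC.Id,
		},
	)

	roles[TEAM_ADMIN_ROLE_ID] = newSchemeRole(
		"team_admin",
		"authentication.roles.team_admin.name",
		"authentication.roles.team_admin.description",
		[]string{
			PERMISSION_EDIT_OTHERS_POSTS.Id,
			PERMISSION_REMOVE_USER_FROM_TEAM.Id,
			PERMISSION_MANAGE_TEAM.Id,
			PERMISSION_IMPORT_TEAM.Id,
			PERMISSION_MANAGE_TEAM_ROLES.Id,
			PERMISSION_MANAGE_CHANNEL_ROLES.Id,
			PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
			PERMISSION_MANAGE_SLASH_COMMANDS.Id,
			PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
			PERMISSION_MANAGE_WEBHOOKS.Id,
		},
	)

	// NOTE(review): this grants PERMISSION_PERMANENT_DELETE_USER to the
	// role every system user holds. The role alone does not distinguish
	// deleting oneself from deleting other accounts, so any such
	// restriction has to live where the permission is checked — confirm
	// that the API layer enforces it.
	roles[SYSTEM_USER_ROLE_ID] = newSchemeRole(
		"system_user",
		"authentication.roles.global_user.name",
		"authentication.roles.global_user.description",
		[]string{
			PERMISSION_CREATE_DIRECT_CHANNEL.Id,
			PERMISSION_CREATE_GROUP_CHANNEL.Id,
			PERMISSION_PERMANENT_DELETE_USER.Id,
		},
	)

	roles[SYSTEM_POST_ALL_ROLE_ID] = newSchemeRole(
		"system_post_all",
		"authentication.roles.system_post_all.name",
		"authentication.roles.system_post_all.description",
		[]string{
			PERMISSION_CREATE_POST.Id,
		},
	)

	roles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = newSchemeRole(
		"system_post_all_public",
		"authentication.roles.system_post_all_public.name",
		"authentication.roles.system_post_all_public.description",
		[]string{
			PERMISSION_CREATE_POST_PUBLIC.Id,
		},
	)

	roles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = newSchemeRole(
		"system_user_access_token",
		"authentication.roles.system_user_access_token.name",
		"authentication.roles.system_user_access_token.description",
		[]string{
			PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
			PERMISSION_READ_USER_ACCESS_TOKEN.Id,
			PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
		},
	)

	// System admins get their own system-wide permissions plus everything
	// team/channel members and team/channel admins can do. The inherited
	// lists are appended in the order team_user, channel_user,
	// team_admin, channel_admin (the original order), so the result may
	// contain a permission more than once (e.g.
	// PERMISSION_MANAGE_CHANNEL_ROLES from both admin roles).
	systemAdminPermissions := []string{
		PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
		PERMISSION_MANAGE_SYSTEM.Id,
		PERMISSION_MANAGE_ROLES.Id,
		PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
		PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
		PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
		PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
		PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
		PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
		PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
		PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
		PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
		PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
		PERMISSION_EDIT_OTHER_USERS.Id,
		PERMISSION_MANAGE_OAUTH.Id,
		PERMISSION_INVITE_USER.Id,
		PERMISSION_DELETE_POST.Id,
		PERMISSION_DELETE_OTHERS_POSTS.Id,
		PERMISSION_CREATE_TEAM.Id,
		PERMISSION_ADD_USER_TO_TEAM.Id,
		PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
		PERMISSION_MANAGE_JOBS.Id,
		PERMISSION_CREATE_POST_PUBLIC.Id,
		PERMISSION_CREATE_POST_EPHEMERAL.Id,
		PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
		PERMISSION_READ_USER_ACCESS_TOKEN.Id,
		PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
		PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
	}
	for _, inherited := range []string{
		TEAM_USER_ROLE_ID,
		CHANNEL_USER_ROLE_ID,
		TEAM_ADMIN_ROLE_ID,
		CHANNEL_ADMIN_ROLE_ID,
	} {
		systemAdminPermissions = append(systemAdminPermissions, roles[inherited].Permissions...)
	}

	roles[SYSTEM_ADMIN_ROLE_ID] = newSchemeRole(
		"system_admin",
		"authentication.roles.global_admin.name",
		"authentication.roles.global_admin.description",
		systemAdminPermissions,
	)

	return roles
}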