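// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package api4

import (
	"net/http"
	"strings"

	"github.com/vnforks/kid/v5/audit"
	"github.com/vnforks/kid/v5/model"
)

// InitRole registers the role endpoints on the /roles router.
//
// The three read endpoints go through ApiSessionRequiredTrustRequester; the
// patch endpoint goes through ApiSessionRequired and is further gated inside
// patchRole on PERMISSION_MANAGE_SYSTEM.
func (api *API) InitRole() {
	api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getRole)).Methods("GET")
	api.BaseRoutes.Roles.Handle("/name/{role_name:[a-z0-9_]+}", api.ApiSessionRequiredTrustRequester(getRoleByName)).Methods("GET")
	api.BaseRoutes.Roles.Handle("/names", api.ApiSessionRequiredTrustRequester(getRolesByNames)).Methods("POST")
	api.BaseRoutes.Roles.Handle("/{role_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchRole)).Methods("PUT")
}

// getRole writes the role identified by the role_id path parameter as JSON.
// Failures are reported through c.Err, as in the rest of this package.
func getRole(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireRoleId()
	if c.Err != nil {
		return
	}

	role, err := c.App.GetRole(c.Params.RoleId)
	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(role.ToJson()))
}

// getRoleByName writes the role identified by the role_name path parameter as JSON.
// Failures are reported through c.Err, as in the rest of this package.
func getRoleByName(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireRoleName()
	if c.Err != nil {
		return
	}

	role, err := c.App.GetRoleByName(c.Params.RoleName)
	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(role.ToJson()))
}

// getRolesByNames reads a JSON array of role names from the request body and
// writes the matching roles as a JSON list.
//
// Blank entries are dropped. Any remaining entry that is not a valid role
// name rejects the whole request with an invalid-parameter error before any
// lookup happens, so malformed input never reaches the store. An array that
// is empty, or that contains only blank entries, is rejected the same way
// instead of being turned into a lookup with an empty name list.
func getRolesByNames(c *Context, w http.ResponseWriter, r *http.Request) {
	roleNames := model.ArrayFromJson(r.Body)
	if len(roleNames) == 0 {
		c.SetInvalidParam("rolenames")
		return
	}

	cleaned := make([]string, 0, len(roleNames))
	for _, name := range roleNames {
		if strings.TrimSpace(name) == "" {
			continue
		}
		if !model.IsValidRoleName(name) {
			c.SetInvalidParam("rolename")
			return
		}
		cleaned = append(cleaned, name)
	}
	// Every entry was whitespace: treat it like an empty array rather than
	// querying for nothing.
	if len(cleaned) == 0 {
		c.SetInvalidParam("rolenames")
		return
	}

	roles, err := c.App.GetRolesByNames(cleaned)
	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.RoleListToJson(roles)))
}

// isGuestRole reports whether name is one of the built-in guest roles whose
// permissions are license-gated in patchRole.
func isGuestRole(name string) bool {
	switch name {
	case "system_guest", "branch_guest", "class_guest":
		return true
	}
	return false
}

// licenseError is the error returned for every role patch that the current
// license does not allow; all branches share one message id so the response
// does not reveal which rule rejected the patch.
func licenseError() *model.AppError {
	return model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.license.error", nil, "", http.StatusNotImplemented)
}

// unlicensedPatchablePermissions is the allow-list of permission ids that may
// be added to or removed from a non-guest role on a server without a license.
// It is built per call because the model.PERMISSION_* values are package
// variables rather than constants.
func unlicensedPatchablePermissions() map[string]struct{} {
	ids := []string{
		model.PERMISSION_CREATE_BRANCH.Id,
		model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
		model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
		model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
		model.PERMISSION_MANAGE_OAUTH.Id,
		model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
		model.PERMISSION_CREATE_EMOJIS.Id,
		model.PERMISSION_DELETE_EMOJIS.Id,
		model.PERMISSION_EDIT_OTHERS_POSTS.Id,
	}
	allowed := make(map[string]struct{}, len(ids))
	for _, id := range ids {
		allowed[id] = struct{}{}
	}
	return allowed
}

// patchRole applies a RolePatch from the request body to the role identified
// by the role_id path parameter and writes the updated role as JSON.
//
// The caller must hold PERMISSION_MANAGE_SYSTEM. That check runs before the
// role is loaded, so a caller without it always gets a permission error and
// cannot use not-found or license responses to learn whether a role id exists
// or how the server is licensed. On an unlicensed server, guest roles cannot
// have their permissions patched at all and other roles may only change the
// permissions in unlicensedPatchablePermissions; on a licensed server any
// patch to a guest role requires the GuestAccountsPermissions feature.
//
// Every attempt, including rejected ones, is audited: the record starts as
// audit.Fail and is marked successful only after the patch has been stored.
func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireRoleId()
	if c.Err != nil {
		return
	}

	patch := model.RolePatchFromJson(r.Body)
	if patch == nil {
		c.SetInvalidParam("role")
		return
	}

	auditRec := c.MakeAuditRecord("patchRole", audit.Fail)
	defer c.LogAuditRec(auditRec)
	auditRec.AddMeta("role_id", c.Params.RoleId)

	// Authorize before loading anything so unauthorized callers see the same
	// response whether or not the role exists.
	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
		return
	}

	oldRole, err := c.App.GetRole(c.Params.RoleId)
	if err != nil {
		c.Err = err
		return
	}
	// Distinct keys: the name previously overwrote "role_id" in the audit record.
	auditRec.AddMeta("role_name", oldRole.Name)
	auditRec.AddMeta("role_desc", oldRole.Description)
	auditRec.AddMeta("role_display", oldRole.DisplayName)

	license := c.App.License()

	if license == nil && patch.Permissions != nil {
		if isGuestRole(oldRole.Name) {
			c.Err = licenseError()
			return
		}
		allowed := unlicensedPatchablePermissions()
		for _, id := range model.PermissionsChangedByPatch(oldRole, patch) {
			if _, ok := allowed[id]; !ok {
				c.Err = licenseError()
				return
			}
		}
	}

	// This rule applies to every patch of a guest role, not only to permission
	// changes, which is why it is not inside the block above.
	if license != nil && isGuestRole(oldRole.Name) {
		// A nil flag is treated as disabled (fail closed) instead of being
		// dereferenced. NOTE(review): confirm license.Features is always set here.
		enabled := license.Features.GuestAccountsPermissions
		if enabled == nil || !*enabled {
			c.Err = licenseError()
			return
		}
	}

	role, err := c.App.PatchRole(oldRole, patch)
	if err != nil {
		c.Err = err
		return
	}

	auditRec.Success()
	c.LogAudit("")

	w.Write([]byte(role.ToJson()))
}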