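// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package utils

import (
	"github.com/vnforks/kid/v5/model"
)

// SetRolePermissionsFromConfig grants additional permissions to the built-in
// roles in roles according to the legacy DEPRECATED_DO_NOT_USE_* policy
// settings in cfg, and returns the same map.
//
// The map is mutated in place: permission ids are only ever appended, never
// removed, so calling this twice on the same map duplicates entries. When
// isLicensed is false the legacy restriction settings are ignored and each
// permission is granted at its least restrictive level (everyone in the
// branch/class); the integration and branch-creation settings apply
// regardless of licensing.
//
// roles must contain an entry for every role id referenced below (system
// user/admin, branch user/admin, class user/admin) — a missing entry is a nil
// pointer dereference. Every config field read here is dereferenced without
// a nil check, so cfg is expected to have had its defaults applied first.
func SetRolePermissionsFromConfig(roles map[string]*model.Role, cfg *model.Config, isLicensed bool) map[string]*model.Role {
	// grant appends permissionIDs to the role stored under roleID. Append
	// order is kept identical to the previous inline version so the resulting
	// Permissions slices are unchanged.
	grant := func(roleID string, permissionIDs ...string) {
		role := roles[roleID]
		role.Permissions = append(role.Permissions, permissionIDs...)
	}

	// Public class creation.
	if isLicensed {
		switch *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPublicClassCreation {
		case model.PERMISSIONS_ALL:
			grant(model.BRANCH_USER_ROLE_ID, model.PERMISSION_CREATE_CLASS.Id)
		case model.PERMISSIONS_BRANCH_ADMIN:
			grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_CREATE_CLASS.Id)
		}
	} else {
		grant(model.BRANCH_USER_ROLE_ID, model.PERMISSION_CREATE_CLASS.Id)
	}

	// Public class deletion. The class-admin level also grants branch admins,
	// since they outrank class admins.
	if isLicensed {
		switch *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPublicClassDeletion {
		case model.PERMISSIONS_ALL:
			grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
		case model.PERMISSIONS_CLASS_ADMIN:
			grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
			grant(model.CLASS_ADMIN_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
		case model.PERMISSIONS_BRANCH_ADMIN:
			grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
		}
	} else {
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
	}

	// Private class management, same level structure as deletion.
	if isLicensed {
		switch *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateClassManagement {
		case model.PERMISSIONS_ALL:
			grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
		case model.PERMISSIONS_CLASS_ADMIN:
			grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
			grant(model.CLASS_ADMIN_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
		case model.PERMISSIONS_BRANCH_ADMIN:
			grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
		}
	} else {
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
	}

	// Integrations (webhooks, slash commands, OAuth apps) for non-admins.
	// Not gated on the licence: the setting alone decides.
	if !*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_EnableOnlyAdminIntegrations {
		grant(model.BRANCH_USER_ROLE_ID,
			model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
		)
		grant(model.SYSTEM_USER_ROLE_ID, model.PERMISSION_MANAGE_OAUTH.Id)
	}

	// Grant permissions for inviting and adding users to a branch.
	if isLicensed {
		switch *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictBranchInvite {
		case model.PERMISSIONS_BRANCH_ADMIN:
			grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_ADD_USER_TO_BRANCH.Id)
		case model.PERMISSIONS_ALL:
			grant(model.BRANCH_USER_ROLE_ID, model.PERMISSION_ADD_USER_TO_BRANCH.Id)
		}
	} else {
		grant(model.BRANCH_USER_ROLE_ID, model.PERMISSION_ADD_USER_TO_BRANCH.Id)
	}

	// Post deletion. Branch admins always receive both the own-post and
	// others'-posts permission at any level that grants anything.
	if isLicensed {
		switch *cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictPostDelete {
		case model.PERMISSIONS_DELETE_POST_ALL:
			grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
			grant(model.BRANCH_ADMIN_ROLE_ID,
				model.PERMISSION_DELETE_POST.Id,
				model.PERMISSION_DELETE_OTHERS_POSTS.Id,
			)
		case model.PERMISSIONS_DELETE_POST_BRANCH_ADMIN:
			grant(model.BRANCH_ADMIN_ROLE_ID,
				model.PERMISSION_DELETE_POST.Id,
				model.PERMISSION_DELETE_OTHERS_POSTS.Id,
			)
		}
	} else {
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
		grant(model.BRANCH_ADMIN_ROLE_ID,
			model.PERMISSION_DELETE_POST.Id,
			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
		)
	}

	// Branch creation by ordinary users; not gated on the licence.
	if *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_EnableBranchCreation {
		grant(model.SYSTEM_USER_ROLE_ID, model.PERMISSION_CREATE_BRANCH.Id)
	}

	// Post editing. Only the "always" and "time limit" values grant anything;
	// any other value leaves the roles without PERMISSION_EDIT_POST.
	if isLicensed {
		switch *cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost {
		case model.ALLOW_EDIT_POST_ALWAYS, model.ALLOW_EDIT_POST_TIME_LIMIT:
			grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
			grant(model.SYSTEM_ADMIN_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
		}
	} else {
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
		grant(model.SYSTEM_ADMIN_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
	}

	return roles
}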