
     1  // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
     2  // See LICENSE.txt for license information.
     3  
     4  package utils
     5  
     6  import (
     7  	"github.com/vnforks/kid/v5/model"
     8  )
     9  
// SetRolePermissionsFromConfig grants additional permissions to the roles in
// roles according to the DEPRECATED_DO_NOT_USE_* policy settings in cfg.
//
// The function only ever appends permission IDs and never removes one, so the
// caller is expected to pass roles that carry just their baseline permissions.
// When isLicensed is false the per-policy settings are not read at all and the
// most permissive grant (to the user-level role) is applied for each policy;
// the two integration settings and branch creation are consulted regardless of
// license. The map is mutated in place and also returned for convenience.
//
// Every role ID referenced below must be present in roles and every policy
// pointer read from cfg must be non-nil; a missing entry or nil setting panics.
func SetRolePermissionsFromConfig(roles map[string]*model.Role, cfg *model.Config, isLicensed bool) map[string]*model.Role {
	// grant appends permission IDs, in the given order, to the named role.
	grant := func(roleID string, permissionIDs ...string) {
		role := roles[roleID]
		role.Permissions = append(role.Permissions, permissionIDs...)
	}

	// Public class creation. Case lists short-circuit left to right, so the
	// deprecated setting is only dereferenced when the server is licensed.
	switch {
	case !isLicensed, *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPublicClassCreation == model.PERMISSIONS_ALL:
		grant(model.BRANCH_USER_ROLE_ID, model.PERMISSION_CREATE_CLASS.Id)
	case *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPublicClassCreation == model.PERMISSIONS_BRANCH_ADMIN:
		grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_CREATE_CLASS.Id)
	}

	// Public class deletion.
	switch {
	case !isLicensed, *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPublicClassDeletion == model.PERMISSIONS_ALL:
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
	case *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPublicClassDeletion == model.PERMISSIONS_CLASS_ADMIN:
		grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
		grant(model.CLASS_ADMIN_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
	case *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPublicClassDeletion == model.PERMISSIONS_BRANCH_ADMIN:
		grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_DELETE_CLASS.Id)
	}

	// Private class management.
	switch {
	case !isLicensed, *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateClassManagement == model.PERMISSIONS_ALL:
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
	case *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateClassManagement == model.PERMISSIONS_CLASS_ADMIN:
		grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
		grant(model.CLASS_ADMIN_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
	case *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictPrivateClassManagement == model.PERMISSIONS_BRANCH_ADMIN:
		grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_MANAGE_CLASS.Id)
	}

	// Integrations: independent of license, gated only by the admin-only flag.
	if !*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_EnableOnlyAdminIntegrations {
		grant(model.BRANCH_USER_ROLE_ID,
			model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
		)
		grant(model.SYSTEM_USER_ROLE_ID, model.PERMISSION_MANAGE_OAUTH.Id)
	}

	// Inviting and adding users to a branch.
	switch {
	case !isLicensed, *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictBranchInvite == model.PERMISSIONS_ALL:
		grant(model.BRANCH_USER_ROLE_ID, model.PERMISSION_ADD_USER_TO_BRANCH.Id)
	case *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_RestrictBranchInvite == model.PERMISSIONS_BRANCH_ADMIN:
		grant(model.BRANCH_ADMIN_ROLE_ID, model.PERMISSION_ADD_USER_TO_BRANCH.Id)
	}

	// Post deletion. Branch admins always receive the "others' posts" grant
	// whenever the policy grants deletion at all.
	switch {
	case !isLicensed, *cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictPostDelete == model.PERMISSIONS_DELETE_POST_ALL:
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
		grant(model.BRANCH_ADMIN_ROLE_ID,
			model.PERMISSION_DELETE_POST.Id,
			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
		)
	case *cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_RestrictPostDelete == model.PERMISSIONS_DELETE_POST_BRANCH_ADMIN:
		grant(model.BRANCH_ADMIN_ROLE_ID,
			model.PERMISSION_DELETE_POST.Id,
			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
		)
	}

	// Branch creation: independent of license.
	if *cfg.BranchSettings.DEPRECATED_DO_NOT_USE_EnableBranchCreation {
		grant(model.SYSTEM_USER_ROLE_ID, model.PERMISSION_CREATE_BRANCH.Id)
	}

	// Post editing. "Never" (any value other than the two listed) grants nothing
	// when licensed.
	switch {
	case !isLicensed,
		*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost == model.ALLOW_EDIT_POST_ALWAYS,
		*cfg.ServiceSettings.DEPRECATED_DO_NOT_USE_AllowEditPost == model.ALLOW_EDIT_POST_TIME_LIMIT:
		grant(model.CLASS_USER_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
		grant(model.SYSTEM_ADMIN_ROLE_ID, model.PERMISSION_EDIT_POST.Id)
	}

	return roles
}