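// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package utils

import (
	"github.com/mattermost/mattermost-server/model"
)

// DefaultRolesBasedOnConfig builds the effective role -> permission table:
// it starts from the built-in model.DefaultRoles and layers on whatever the
// TeamSettings / ServiceSettings restrictions in cfg grant on top of them.
//
// Every role in the returned map is a fresh copy. The Role struct is copied
// and its Permissions slice is re-allocated, so the appends performed here
// can never write into a backing array shared with the package-level
// defaults (a plain struct copy keeps the slice header, which aliases the
// default's array whenever that array has spare capacity).
//
// Licensing gates every Restrict* setting: when isLicensed is false the
// settings are not consulted at all and the "everyone" role receives the
// permission unconditionally. On the licensed path an unrecognised level
// grants nothing (fail closed). The pointer-valued settings are
// dereferenced without a nil check, exactly as before, so cfg is expected to
// have had its defaults applied by the caller -- TODO confirm at call sites.
func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*model.Role {
	roles := make(map[string]*model.Role, len(model.DefaultRoles))
	for id, def := range model.DefaultRoles {
		r := *def
		// Detach Permissions from the default's backing array. The zero-cap
		// reslice forces append to allocate, and stays type-agnostic; a nil
		// slice stays nil.
		r.Permissions = append(r.Permissions[:0:0], def.Permissions...)
		roles[id] = &r
	}

	// grant appends permission IDs to one role, in the order given. A missing
	// role ID panics on the nil pointer, as the direct map indexing did before.
	grant := func(roleID string, permissionIDs ...string) {
		role := roles[roleID]
		role.Permissions = append(role.Permissions, permissionIDs...)
	}

	// The channel-level restrictions all share one shape, so they are driven
	// from a table, in the same order the settings were previously evaluated
	// (that order determines the order of IDs inside each role's slice).
	//   PERMISSIONS_ALL           -> everyoneRole
	//   PERMISSIONS_CHANNEL_ADMIN -> team_admin and channel_admin, but only
	//                                for settings that recognise that level
	//   PERMISSIONS_TEAM_ADMIN    -> team_admin
	//   unlicensed                -> everyoneRole, the level is not read
	// level is kept as a pointer and dereferenced only on the licensed path,
	// preserving the original's lazy evaluation.
	channelRules := []struct {
		level        *string
		permission   string
		everyoneRole string
		channelAdmin bool // whether PERMISSIONS_CHANNEL_ADMIN is a valid level for this setting
	}{
		{cfg.TeamSettings.RestrictPublicChannelCreation, model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID, false},
		{cfg.TeamSettings.RestrictPublicChannelManagement, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id, model.TEAM_USER_ROLE_ID, true},
		{cfg.TeamSettings.RestrictPublicChannelDeletion, model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id, model.TEAM_USER_ROLE_ID, true},
		{cfg.TeamSettings.RestrictPrivateChannelCreation, model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID, false},
		{cfg.TeamSettings.RestrictPrivateChannelManagement, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id, model.TEAM_USER_ROLE_ID, true},
		{cfg.TeamSettings.RestrictPrivateChannelDeletion, model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id, model.TEAM_USER_ROLE_ID, true},
		// Managing private channel members is the one setting whose "everyone"
		// role is channel_user rather than team_user.
		{cfg.TeamSettings.RestrictPrivateChannelManageMembers, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id, model.CHANNEL_USER_ROLE_ID, true},
	}

	for _, rule := range channelRules {
		if !isLicensed {
			grant(rule.everyoneRole, rule.permission)
			continue
		}
		switch *rule.level {
		case model.PERMISSIONS_ALL:
			grant(rule.everyoneRole, rule.permission)
		case model.PERMISSIONS_CHANNEL_ADMIN:
			// Creation settings never accepted this level; keep ignoring it
			// there rather than silently widening who can create channels.
			if rule.channelAdmin {
				grant(model.TEAM_ADMIN_ROLE_ID, rule.permission)
				grant(model.CHANNEL_ADMIN_ROLE_ID, rule.permission)
			}
		case model.PERMISSIONS_TEAM_ADMIN:
			grant(model.TEAM_ADMIN_ROLE_ID, rule.permission)
		}
	}

	// Integrations: unless restricted to admins, team users may manage
	// webhooks and slash commands and system users may manage OAuth apps.
	if !*cfg.ServiceSettings.EnableOnlyAdminIntegrations {
		grant(model.TEAM_USER_ROLE_ID,
			model.PERMISSION_MANAGE_WEBHOOKS.Id,
			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
		)
		grant(model.SYSTEM_USER_ROLE_ID, model.PERMISSION_MANAGE_OAUTH.Id)
	}

	// Inviting and adding users to a team.
	// NOTE(review): on the licensed path the "all" level grants to
	// system_user, whereas the unlicensed path grants to team_user. That
	// asymmetry is preserved here as found; confirm it is intended and not
	// drift between the two branches.
	switch {
	case !isLicensed:
		grant(model.TEAM_USER_ROLE_ID,
			model.PERMISSION_INVITE_USER.Id,
			model.PERMISSION_ADD_USER_TO_TEAM.Id,
		)
	case *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_TEAM_ADMIN:
		grant(model.TEAM_ADMIN_ROLE_ID,
			model.PERMISSION_INVITE_USER.Id,
			model.PERMISSION_ADD_USER_TO_TEAM.Id,
		)
	case *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL:
		grant(model.SYSTEM_USER_ROLE_ID,
			model.PERMISSION_INVITE_USER.Id,
			model.PERMISSION_ADD_USER_TO_TEAM.Id,
		)
	}

	// Post deletion. Note that without a license channel_admin receives
	// nothing here; only channel_user (own posts) and team_admin (any post).
	if isLicensed {
		switch *cfg.ServiceSettings.RestrictPostDelete {
		case model.PERMISSIONS_DELETE_POST_ALL:
			grant(model.CHANNEL_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
			grant(model.CHANNEL_ADMIN_ROLE_ID,
				model.PERMISSION_DELETE_POST.Id,
				model.PERMISSION_DELETE_OTHERS_POSTS.Id,
			)
			grant(model.TEAM_ADMIN_ROLE_ID,
				model.PERMISSION_DELETE_POST.Id,
				model.PERMISSION_DELETE_OTHERS_POSTS.Id,
			)
		case model.PERMISSIONS_DELETE_POST_TEAM_ADMIN:
			grant(model.TEAM_ADMIN_ROLE_ID,
				model.PERMISSION_DELETE_POST.Id,
				model.PERMISSION_DELETE_OTHERS_POSTS.Id,
			)
		}
	} else {
		grant(model.CHANNEL_USER_ROLE_ID, model.PERMISSION_DELETE_POST.Id)
		grant(model.TEAM_ADMIN_ROLE_ID,
			model.PERMISSION_DELETE_POST.Id,
			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
		)
	}

	// Team creation is a plain bool in the config (not a pointer) and is not
	// license-gated.
	if cfg.TeamSettings.EnableTeamCreation {
		grant(model.SYSTEM_USER_ROLE_ID, model.PERMISSION_CREATE_TEAM.Id)
	}

	return roles
}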