summaryrefslogtreecommitdiffstats
path: root/vendor/github.com/mattermost/mattermost-server/v6/model/role.go
diff options
context:
space:
mode:
authorWim <wim@42.be>2021-10-16 23:11:32 +0200
committerWim <wim@42.be>2021-10-16 23:23:24 +0200
commit20f6c05ec50739d31f4dbe9fde0d223f2c43f6e8 (patch)
tree230edca06449a8d1755f08aabf45a03e07e6f17c /vendor/github.com/mattermost/mattermost-server/v6/model/role.go
parent57fce93af7f64f025cec6f3ed6088163086bc9fe (diff)
downloadmatterbridge-msglm-20f6c05ec50739d31f4dbe9fde0d223f2c43f6e8.tar.gz
matterbridge-msglm-20f6c05ec50739d31f4dbe9fde0d223f2c43f6e8.tar.bz2
matterbridge-msglm-20f6c05ec50739d31f4dbe9fde0d223f2c43f6e8.zip
Update vendor
Diffstat (limited to 'vendor/github.com/mattermost/mattermost-server/v6/model/role.go')
-rw-r--r--vendor/github.com/mattermost/mattermost-server/v6/model/role.go939
1 files changed, 939 insertions, 0 deletions
diff --git a/vendor/github.com/mattermost/mattermost-server/v6/model/role.go b/vendor/github.com/mattermost/mattermost-server/v6/model/role.go
new file mode 100644
index 00000000..68697838
--- /dev/null
+++ b/vendor/github.com/mattermost/mattermost-server/v6/model/role.go
@@ -0,0 +1,939 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See LICENSE.txt for license information.
+
+package model
+
+import (
+ "strings"
+)
+
+// SysconsoleAncillaryPermissions maps the non-sysconsole permissions required by each sysconsole view.
+var SysconsoleAncillaryPermissions map[string][]*Permission
+var SystemManagerDefaultPermissions []string
+var SystemUserManagerDefaultPermissions []string
+var SystemReadOnlyAdminDefaultPermissions []string
+
+var BuiltInSchemeManagedRoleIDs []string
+
+var NewSystemRoleIDs []string
+
+func init() {
+ NewSystemRoleIDs = []string{
+ SystemUserManagerRoleId,
+ SystemReadOnlyAdminRoleId,
+ SystemManagerRoleId,
+ }
+
+ BuiltInSchemeManagedRoleIDs = append([]string{
+ SystemGuestRoleId,
+ SystemUserRoleId,
+ SystemAdminRoleId,
+ SystemPostAllRoleId,
+ SystemPostAllPublicRoleId,
+ SystemUserAccessTokenRoleId,
+
+ TeamGuestRoleId,
+ TeamUserRoleId,
+ TeamAdminRoleId,
+ TeamPostAllRoleId,
+ TeamPostAllPublicRoleId,
+
+ ChannelGuestRoleId,
+ ChannelUserRoleId,
+ ChannelAdminRoleId,
+ }, NewSystemRoleIDs...)
+
+ // When updating the values here, the values in mattermost-redux must also be updated.
+ SysconsoleAncillaryPermissions = map[string][]*Permission{
+ PermissionSysconsoleReadAboutEditionAndLicense.Id: {
+ PermissionReadLicenseInformation,
+ },
+ PermissionSysconsoleWriteAboutEditionAndLicense.Id: {
+ PermissionManageLicenseInformation,
+ },
+ PermissionSysconsoleReadUserManagementChannels.Id: {
+ PermissionReadPublicChannel,
+ PermissionReadChannel,
+ PermissionReadPublicChannelGroups,
+ PermissionReadPrivateChannelGroups,
+ },
+ PermissionSysconsoleReadUserManagementUsers.Id: {
+ PermissionReadOtherUsersTeams,
+ PermissionGetAnalytics,
+ },
+ PermissionSysconsoleReadUserManagementTeams.Id: {
+ PermissionListPrivateTeams,
+ PermissionListPublicTeams,
+ PermissionViewTeam,
+ },
+ PermissionSysconsoleReadEnvironmentElasticsearch.Id: {
+ PermissionReadElasticsearchPostIndexingJob,
+ PermissionReadElasticsearchPostAggregationJob,
+ },
+ PermissionSysconsoleWriteEnvironmentWebServer.Id: {
+ PermissionTestSiteURL,
+ PermissionReloadConfig,
+ PermissionInvalidateCaches,
+ },
+ PermissionSysconsoleWriteEnvironmentDatabase.Id: {
+ PermissionRecycleDatabaseConnections,
+ },
+ PermissionSysconsoleWriteEnvironmentElasticsearch.Id: {
+ PermissionTestElasticsearch,
+ PermissionCreateElasticsearchPostIndexingJob,
+ PermissionCreateElasticsearchPostAggregationJob,
+ PermissionPurgeElasticsearchIndexes,
+ },
+ PermissionSysconsoleWriteEnvironmentFileStorage.Id: {
+ PermissionTestS3,
+ },
+ PermissionSysconsoleWriteEnvironmentSMTP.Id: {
+ PermissionTestEmail,
+ },
+ PermissionSysconsoleReadReportingServerLogs.Id: {
+ PermissionGetLogs,
+ },
+ PermissionSysconsoleReadReportingSiteStatistics.Id: {
+ PermissionGetAnalytics,
+ },
+ PermissionSysconsoleReadReportingTeamStatistics.Id: {
+ PermissionViewTeam,
+ },
+ PermissionSysconsoleWriteUserManagementUsers.Id: {
+ PermissionEditOtherUsers,
+ PermissionDemoteToGuest,
+ PermissionPromoteGuest,
+ },
+ PermissionSysconsoleWriteUserManagementChannels.Id: {
+ PermissionManageTeam,
+ PermissionManagePublicChannelProperties,
+ PermissionManagePrivateChannelProperties,
+ PermissionManagePrivateChannelMembers,
+ PermissionManagePublicChannelMembers,
+ PermissionDeletePrivateChannel,
+ PermissionDeletePublicChannel,
+ PermissionManageChannelRoles,
+ PermissionConvertPublicChannelToPrivate,
+ PermissionConvertPrivateChannelToPublic,
+ },
+ PermissionSysconsoleWriteUserManagementTeams.Id: {
+ PermissionManageTeam,
+ PermissionManageTeamRoles,
+ PermissionRemoveUserFromTeam,
+ PermissionJoinPrivateTeams,
+ PermissionJoinPublicTeams,
+ PermissionAddUserToTeam,
+ },
+ PermissionSysconsoleWriteUserManagementGroups.Id: {
+ PermissionManageTeam,
+ PermissionManagePrivateChannelMembers,
+ PermissionManagePublicChannelMembers,
+ PermissionConvertPublicChannelToPrivate,
+ PermissionConvertPrivateChannelToPublic,
+ },
+ PermissionSysconsoleWriteSiteCustomization.Id: {
+ PermissionEditBrand,
+ },
+ PermissionSysconsoleWriteComplianceDataRetentionPolicy.Id: {
+ PermissionCreateDataRetentionJob,
+ },
+ PermissionSysconsoleReadComplianceDataRetentionPolicy.Id: {
+ PermissionReadDataRetentionJob,
+ },
+ PermissionSysconsoleWriteComplianceComplianceExport.Id: {
+ PermissionCreateComplianceExportJob,
+ PermissionDownloadComplianceExportResult,
+ },
+ PermissionSysconsoleReadComplianceComplianceExport.Id: {
+ PermissionReadComplianceExportJob,
+ PermissionDownloadComplianceExportResult,
+ },
+ PermissionSysconsoleReadComplianceCustomTermsOfService.Id: {
+ PermissionReadAudits,
+ },
+ PermissionSysconsoleWriteExperimentalBleve.Id: {
+ PermissionCreatePostBleveIndexesJob,
+ PermissionPurgeBleveIndexes,
+ },
+ PermissionSysconsoleWriteAuthenticationLdap.Id: {
+ PermissionCreateLdapSyncJob,
+ PermissionAddLdapPublicCert,
+ PermissionRemoveLdapPublicCert,
+ PermissionAddLdapPrivateCert,
+ PermissionRemoveLdapPrivateCert,
+ },
+ PermissionSysconsoleReadAuthenticationLdap.Id: {
+ PermissionTestLdap,
+ PermissionReadLdapSyncJob,
+ },
+ PermissionSysconsoleWriteAuthenticationEmail.Id: {
+ PermissionInvalidateEmailInvite,
+ },
+ PermissionSysconsoleWriteAuthenticationSaml.Id: {
+ PermissionGetSamlMetadataFromIdp,
+ PermissionAddSamlPublicCert,
+ PermissionAddSamlPrivateCert,
+ PermissionAddSamlIdpCert,
+ PermissionRemoveSamlPublicCert,
+ PermissionRemoveSamlPrivateCert,
+ PermissionRemoveSamlIdpCert,
+ PermissionGetSamlCertStatus,
+ },
+ }
+
+ SystemUserManagerDefaultPermissions = []string{
+ PermissionSysconsoleReadUserManagementGroups.Id,
+ PermissionSysconsoleReadUserManagementTeams.Id,
+ PermissionSysconsoleReadUserManagementChannels.Id,
+ PermissionSysconsoleReadUserManagementPermissions.Id,
+ PermissionSysconsoleWriteUserManagementGroups.Id,
+ PermissionSysconsoleWriteUserManagementTeams.Id,
+ PermissionSysconsoleWriteUserManagementChannels.Id,
+ PermissionSysconsoleReadAuthenticationSignup.Id,
+ PermissionSysconsoleReadAuthenticationEmail.Id,
+ PermissionSysconsoleReadAuthenticationPassword.Id,
+ PermissionSysconsoleReadAuthenticationMfa.Id,
+ PermissionSysconsoleReadAuthenticationLdap.Id,
+ PermissionSysconsoleReadAuthenticationSaml.Id,
+ PermissionSysconsoleReadAuthenticationOpenid.Id,
+ PermissionSysconsoleReadAuthenticationGuestAccess.Id,
+ }
+
+ SystemReadOnlyAdminDefaultPermissions = []string{
+ PermissionSysconsoleReadAboutEditionAndLicense.Id,
+ PermissionSysconsoleReadReportingSiteStatistics.Id,
+ PermissionSysconsoleReadReportingTeamStatistics.Id,
+ PermissionSysconsoleReadReportingServerLogs.Id,
+ PermissionSysconsoleReadUserManagementUsers.Id,
+ PermissionSysconsoleReadUserManagementGroups.Id,
+ PermissionSysconsoleReadUserManagementTeams.Id,
+ PermissionSysconsoleReadUserManagementChannels.Id,
+ PermissionSysconsoleReadUserManagementPermissions.Id,
+ PermissionSysconsoleReadEnvironmentWebServer.Id,
+ PermissionSysconsoleReadEnvironmentDatabase.Id,
+ PermissionSysconsoleReadEnvironmentElasticsearch.Id,
+ PermissionSysconsoleReadEnvironmentFileStorage.Id,
+ PermissionSysconsoleReadEnvironmentImageProxy.Id,
+ PermissionSysconsoleReadEnvironmentSMTP.Id,
+ PermissionSysconsoleReadEnvironmentPushNotificationServer.Id,
+ PermissionSysconsoleReadEnvironmentHighAvailability.Id,
+ PermissionSysconsoleReadEnvironmentRateLimiting.Id,
+ PermissionSysconsoleReadEnvironmentLogging.Id,
+ PermissionSysconsoleReadEnvironmentSessionLengths.Id,
+ PermissionSysconsoleReadEnvironmentPerformanceMonitoring.Id,
+ PermissionSysconsoleReadEnvironmentDeveloper.Id,
+ PermissionSysconsoleReadSiteCustomization.Id,
+ PermissionSysconsoleReadSiteLocalization.Id,
+ PermissionSysconsoleReadSiteUsersAndTeams.Id,
+ PermissionSysconsoleReadSiteNotifications.Id,
+ PermissionSysconsoleReadSiteAnnouncementBanner.Id,
+ PermissionSysconsoleReadSiteEmoji.Id,
+ PermissionSysconsoleReadSitePosts.Id,
+ PermissionSysconsoleReadSiteFileSharingAndDownloads.Id,
+ PermissionSysconsoleReadSitePublicLinks.Id,
+ PermissionSysconsoleReadSiteNotices.Id,
+ PermissionSysconsoleReadAuthenticationSignup.Id,
+ PermissionSysconsoleReadAuthenticationEmail.Id,
+ PermissionSysconsoleReadAuthenticationPassword.Id,
+ PermissionSysconsoleReadAuthenticationMfa.Id,
+ PermissionSysconsoleReadAuthenticationLdap.Id,
+ PermissionSysconsoleReadAuthenticationSaml.Id,
+ PermissionSysconsoleReadAuthenticationOpenid.Id,
+ PermissionSysconsoleReadAuthenticationGuestAccess.Id,
+ PermissionSysconsoleReadPlugins.Id,
+ PermissionSysconsoleReadIntegrationsIntegrationManagement.Id,
+ PermissionSysconsoleReadIntegrationsBotAccounts.Id,
+ PermissionSysconsoleReadIntegrationsGif.Id,
+ PermissionSysconsoleReadIntegrationsCors.Id,
+ PermissionSysconsoleReadComplianceDataRetentionPolicy.Id,
+ PermissionSysconsoleReadComplianceComplianceExport.Id,
+ PermissionSysconsoleReadComplianceComplianceMonitoring.Id,
+ PermissionSysconsoleReadComplianceCustomTermsOfService.Id,
+ PermissionSysconsoleReadExperimentalFeatures.Id,
+ PermissionSysconsoleReadExperimentalFeatureFlags.Id,
+ PermissionSysconsoleReadExperimentalBleve.Id,
+ }
+
+ SystemManagerDefaultPermissions = []string{
+ PermissionSysconsoleReadAboutEditionAndLicense.Id,
+ PermissionSysconsoleReadReportingSiteStatistics.Id,
+ PermissionSysconsoleReadReportingTeamStatistics.Id,
+ PermissionSysconsoleReadReportingServerLogs.Id,
+ PermissionSysconsoleReadUserManagementGroups.Id,
+ PermissionSysconsoleReadUserManagementTeams.Id,
+ PermissionSysconsoleReadUserManagementChannels.Id,
+ PermissionSysconsoleReadUserManagementPermissions.Id,
+ PermissionSysconsoleWriteUserManagementGroups.Id,
+ PermissionSysconsoleWriteUserManagementTeams.Id,
+ PermissionSysconsoleWriteUserManagementChannels.Id,
+ PermissionSysconsoleWriteUserManagementPermissions.Id,
+ PermissionSysconsoleReadEnvironmentWebServer.Id,
+ PermissionSysconsoleReadEnvironmentDatabase.Id,
+ PermissionSysconsoleReadEnvironmentElasticsearch.Id,
+ PermissionSysconsoleReadEnvironmentFileStorage.Id,
+ PermissionSysconsoleReadEnvironmentImageProxy.Id,
+ PermissionSysconsoleReadEnvironmentSMTP.Id,
+ PermissionSysconsoleReadEnvironmentPushNotificationServer.Id,
+ PermissionSysconsoleReadEnvironmentHighAvailability.Id,
+ PermissionSysconsoleReadEnvironmentRateLimiting.Id,
+ PermissionSysconsoleReadEnvironmentLogging.Id,
+ PermissionSysconsoleReadEnvironmentSessionLengths.Id,
+ PermissionSysconsoleReadEnvironmentPerformanceMonitoring.Id,
+ PermissionSysconsoleReadEnvironmentDeveloper.Id,
+ PermissionSysconsoleWriteEnvironmentWebServer.Id,
+ PermissionSysconsoleWriteEnvironmentDatabase.Id,
+ PermissionSysconsoleWriteEnvironmentElasticsearch.Id,
+ PermissionSysconsoleWriteEnvironmentFileStorage.Id,
+ PermissionSysconsoleWriteEnvironmentImageProxy.Id,
+ PermissionSysconsoleWriteEnvironmentSMTP.Id,
+ PermissionSysconsoleWriteEnvironmentPushNotificationServer.Id,
+ PermissionSysconsoleWriteEnvironmentHighAvailability.Id,
+ PermissionSysconsoleWriteEnvironmentRateLimiting.Id,
+ PermissionSysconsoleWriteEnvironmentLogging.Id,
+ PermissionSysconsoleWriteEnvironmentSessionLengths.Id,
+ PermissionSysconsoleWriteEnvironmentPerformanceMonitoring.Id,
+ PermissionSysconsoleWriteEnvironmentDeveloper.Id,
+ PermissionSysconsoleReadSiteCustomization.Id,
+ PermissionSysconsoleWriteSiteCustomization.Id,
+ PermissionSysconsoleReadSiteLocalization.Id,
+ PermissionSysconsoleWriteSiteLocalization.Id,
+ PermissionSysconsoleReadSiteUsersAndTeams.Id,
+ PermissionSysconsoleWriteSiteUsersAndTeams.Id,
+ PermissionSysconsoleReadSiteNotifications.Id,
+ PermissionSysconsoleWriteSiteNotifications.Id,
+ PermissionSysconsoleReadSiteAnnouncementBanner.Id,
+ PermissionSysconsoleWriteSiteAnnouncementBanner.Id,
+ PermissionSysconsoleReadSiteEmoji.Id,
+ PermissionSysconsoleWriteSiteEmoji.Id,
+ PermissionSysconsoleReadSitePosts.Id,
+ PermissionSysconsoleWriteSitePosts.Id,
+ PermissionSysconsoleReadSiteFileSharingAndDownloads.Id,
+ PermissionSysconsoleWriteSiteFileSharingAndDownloads.Id,
+ PermissionSysconsoleReadSitePublicLinks.Id,
+ PermissionSysconsoleWriteSitePublicLinks.Id,
+ PermissionSysconsoleReadSiteNotices.Id,
+ PermissionSysconsoleWriteSiteNotices.Id,
+ PermissionSysconsoleReadAuthenticationSignup.Id,
+ PermissionSysconsoleReadAuthenticationEmail.Id,
+ PermissionSysconsoleReadAuthenticationPassword.Id,
+ PermissionSysconsoleReadAuthenticationMfa.Id,
+ PermissionSysconsoleReadAuthenticationLdap.Id,
+ PermissionSysconsoleReadAuthenticationSaml.Id,
+ PermissionSysconsoleReadAuthenticationOpenid.Id,
+ PermissionSysconsoleReadAuthenticationGuestAccess.Id,
+ PermissionSysconsoleReadPlugins.Id,
+ PermissionSysconsoleReadIntegrationsIntegrationManagement.Id,
+ PermissionSysconsoleReadIntegrationsBotAccounts.Id,
+ PermissionSysconsoleReadIntegrationsGif.Id,
+ PermissionSysconsoleReadIntegrationsCors.Id,
+ PermissionSysconsoleWriteIntegrationsIntegrationManagement.Id,
+ PermissionSysconsoleWriteIntegrationsBotAccounts.Id,
+ PermissionSysconsoleWriteIntegrationsGif.Id,
+ PermissionSysconsoleWriteIntegrationsCors.Id,
+ }
+
+ // Add the ancillary permissions to each system role
+ SystemUserManagerDefaultPermissions = AddAncillaryPermissions(SystemUserManagerDefaultPermissions)
+ SystemReadOnlyAdminDefaultPermissions = AddAncillaryPermissions(SystemReadOnlyAdminDefaultPermissions)
+ SystemManagerDefaultPermissions = AddAncillaryPermissions(SystemManagerDefaultPermissions)
+}
+
+type RoleType string
+type RoleScope string
+
+const (
+ SystemGuestRoleId = "system_guest"
+ SystemUserRoleId = "system_user"
+ SystemAdminRoleId = "system_admin"
+ SystemPostAllRoleId = "system_post_all"
+ SystemPostAllPublicRoleId = "system_post_all_public"
+ SystemUserAccessTokenRoleId = "system_user_access_token"
+ SystemUserManagerRoleId = "system_user_manager"
+ SystemReadOnlyAdminRoleId = "system_read_only_admin"
+ SystemManagerRoleId = "system_manager"
+
+ TeamGuestRoleId = "team_guest"
+ TeamUserRoleId = "team_user"
+ TeamAdminRoleId = "team_admin"
+ TeamPostAllRoleId = "team_post_all"
+ TeamPostAllPublicRoleId = "team_post_all_public"
+
+ ChannelGuestRoleId = "channel_guest"
+ ChannelUserRoleId = "channel_user"
+ ChannelAdminRoleId = "channel_admin"
+
+ RoleNameMaxLength = 64
+ RoleDisplayNameMaxLength = 128
+ RoleDescriptionMaxLength = 1024
+
+ RoleScopeSystem RoleScope = "System"
+ RoleScopeTeam RoleScope = "Team"
+ RoleScopeChannel RoleScope = "Channel"
+
+ RoleTypeGuest RoleType = "Guest"
+ RoleTypeUser RoleType = "User"
+ RoleTypeAdmin RoleType = "Admin"
+)
+
+type Role struct {
+ Id string `json:"id"`
+ Name string `json:"name"`
+ DisplayName string `json:"display_name"`
+ Description string `json:"description"`
+ CreateAt int64 `json:"create_at"`
+ UpdateAt int64 `json:"update_at"`
+ DeleteAt int64 `json:"delete_at"`
+ Permissions []string `json:"permissions"`
+ SchemeManaged bool `json:"scheme_managed"`
+ BuiltIn bool `json:"built_in"`
+}
+
+type RolePatch struct {
+ Permissions *[]string `json:"permissions"`
+}
+
+type RolePermissions struct {
+ RoleID string
+ Permissions []string
+}
+
+func (r *Role) Patch(patch *RolePatch) {
+ if patch.Permissions != nil {
+ r.Permissions = *patch.Permissions
+ }
+}
+
+// MergeChannelHigherScopedPermissions is meant to be invoked on a channel scheme's role and merges the higher-scoped
+// channel role's permissions.
+func (r *Role) MergeChannelHigherScopedPermissions(higherScopedPermissions *RolePermissions) {
+ mergedPermissions := []string{}
+
+ higherScopedPermissionsMap := asStringBoolMap(higherScopedPermissions.Permissions)
+ rolePermissionsMap := asStringBoolMap(r.Permissions)
+
+ for _, cp := range AllPermissions {
+ if cp.Scope != PermissionScopeChannel {
+ continue
+ }
+
+ _, presentOnHigherScope := higherScopedPermissionsMap[cp.Id]
+
+ // For the channel admin role always look to the higher scope to determine if the role has their permission.
+ // The channel admin is a special case because they're not part of the UI to be "channel moderated", only
+ // channel members and channel guests are.
+ if higherScopedPermissions.RoleID == ChannelAdminRoleId && presentOnHigherScope {
+ mergedPermissions = append(mergedPermissions, cp.Id)
+ continue
+ }
+
+ _, permissionIsModerated := ChannelModeratedPermissionsMap[cp.Id]
+ if permissionIsModerated {
+ _, presentOnRole := rolePermissionsMap[cp.Id]
+ if presentOnRole && presentOnHigherScope {
+ mergedPermissions = append(mergedPermissions, cp.Id)
+ }
+ } else {
+ if presentOnHigherScope {
+ mergedPermissions = append(mergedPermissions, cp.Id)
+ }
+ }
+ }
+
+ r.Permissions = mergedPermissions
+}
+
+// Returns an array of permissions that are in either role.Permissions
+// or patch.Permissions, but not both.
+func PermissionsChangedByPatch(role *Role, patch *RolePatch) []string {
+ var result []string
+
+ if patch.Permissions == nil {
+ return result
+ }
+
+ roleMap := make(map[string]bool)
+ patchMap := make(map[string]bool)
+
+ for _, permission := range role.Permissions {
+ roleMap[permission] = true
+ }
+
+ for _, permission := range *patch.Permissions {
+ patchMap[permission] = true
+ }
+
+ for _, permission := range role.Permissions {
+ if !patchMap[permission] {
+ result = append(result, permission)
+ }
+ }
+
+ for _, permission := range *patch.Permissions {
+ if !roleMap[permission] {
+ result = append(result, permission)
+ }
+ }
+
+ return result
+}
+
+func ChannelModeratedPermissionsChangedByPatch(role *Role, patch *RolePatch) []string {
+ var result []string
+
+ if role == nil {
+ return result
+ }
+
+ if patch.Permissions == nil {
+ return result
+ }
+
+ roleMap := make(map[string]bool)
+ patchMap := make(map[string]bool)
+
+ for _, permission := range role.Permissions {
+ if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found {
+ roleMap[channelModeratedPermissionName] = true
+ }
+ }
+
+ for _, permission := range *patch.Permissions {
+ if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found {
+ patchMap[channelModeratedPermissionName] = true
+ }
+ }
+
+ for permissionKey := range roleMap {
+ if !patchMap[permissionKey] {
+ result = append(result, permissionKey)
+ }
+ }
+
+ for permissionKey := range patchMap {
+ if !roleMap[permissionKey] {
+ result = append(result, permissionKey)
+ }
+ }
+
+ return result
+}
+
+// GetChannelModeratedPermissions returns a map of channel moderated permissions that the role has access to
+func (r *Role) GetChannelModeratedPermissions(channelType ChannelType) map[string]bool {
+ moderatedPermissions := make(map[string]bool)
+ for _, permission := range r.Permissions {
+ if _, found := ChannelModeratedPermissionsMap[permission]; !found {
+ continue
+ }
+
+ for moderated, moderatedPermissionValue := range ChannelModeratedPermissionsMap {
+ // the moderated permission has already been found to be true so skip this iteration
+ if moderatedPermissions[moderatedPermissionValue] {
+ continue
+ }
+
+ if moderated == permission {
+ // Special case where the channel moderated permission for `manage_members` is different depending on whether the channel is private or public
+ if moderated == PermissionManagePublicChannelMembers.Id || moderated == PermissionManagePrivateChannelMembers.Id {
+ canManagePublic := channelType == ChannelTypeOpen && moderated == PermissionManagePublicChannelMembers.Id
+ canManagePrivate := channelType == ChannelTypePrivate && moderated == PermissionManagePrivateChannelMembers.Id
+ moderatedPermissions[moderatedPermissionValue] = canManagePublic || canManagePrivate
+ } else {
+ moderatedPermissions[moderatedPermissionValue] = true
+ }
+ }
+ }
+ }
+
+ return moderatedPermissions
+}
+
+// RolePatchFromChannelModerationsPatch Creates and returns a RolePatch based on a slice of ChannelModerationPatchs, roleName is expected to be either "members" or "guests".
+func (r *Role) RolePatchFromChannelModerationsPatch(channelModerationsPatch []*ChannelModerationPatch, roleName string) *RolePatch {
+ permissionsToAddToPatch := make(map[string]bool)
+
+ // Iterate through the list of existing permissions on the role and append permissions that we want to keep.
+ for _, permission := range r.Permissions {
+ // Permission is not moderated so dont add it to the patch and skip the channelModerationsPatch
+ if _, isModerated := ChannelModeratedPermissionsMap[permission]; !isModerated {
+ continue
+ }
+
+ permissionEnabled := true
+ // Check if permission has a matching moderated permission name inside the channel moderation patch
+ for _, channelModerationPatch := range channelModerationsPatch {
+ if *channelModerationPatch.Name == ChannelModeratedPermissionsMap[permission] {
+ // Permission key exists in patch with a value of false so skip over it
+ if roleName == "members" {
+ if channelModerationPatch.Roles.Members != nil && !*channelModerationPatch.Roles.Members {
+ permissionEnabled = false
+ }
+ } else if roleName == "guests" {
+ if channelModerationPatch.Roles.Guests != nil && !*channelModerationPatch.Roles.Guests {
+ permissionEnabled = false
+ }
+ }
+ }
+ }
+
+ if permissionEnabled {
+ permissionsToAddToPatch[permission] = true
+ }
+ }
+
+ // Iterate through the patch and add any permissions that dont already exist on the role
+ for _, channelModerationPatch := range channelModerationsPatch {
+ for permission, moderatedPermissionName := range ChannelModeratedPermissionsMap {
+ if roleName == "members" && channelModerationPatch.Roles.Members != nil && *channelModerationPatch.Roles.Members && *channelModerationPatch.Name == moderatedPermissionName {
+ permissionsToAddToPatch[permission] = true
+ }
+
+ if roleName == "guests" && channelModerationPatch.Roles.Guests != nil && *channelModerationPatch.Roles.Guests && *channelModerationPatch.Name == moderatedPermissionName {
+ permissionsToAddToPatch[permission] = true
+ }
+ }
+ }
+
+ patchPermissions := make([]string, 0, len(permissionsToAddToPatch))
+ for permission := range permissionsToAddToPatch {
+ patchPermissions = append(patchPermissions, permission)
+ }
+
+ return &RolePatch{Permissions: &patchPermissions}
+}
+
+func (r *Role) IsValid() bool {
+ if !IsValidId(r.Id) {
+ return false
+ }
+
+ return r.IsValidWithoutId()
+}
+
+func (r *Role) IsValidWithoutId() bool {
+ if !IsValidRoleName(r.Name) {
+ return false
+ }
+
+ if r.DisplayName == "" || len(r.DisplayName) > RoleDisplayNameMaxLength {
+ return false
+ }
+
+ if len(r.Description) > RoleDescriptionMaxLength {
+ return false
+ }
+
+ check := func(perms []*Permission, permission string) bool {
+ for _, p := range perms {
+ if permission == p.Id {
+ return true
+ }
+ }
+ return false
+ }
+ for _, permission := range r.Permissions {
+ permissionValidated := check(AllPermissions, permission) || check(DeprecatedPermissions, permission)
+ if !permissionValidated {
+ return false
+ }
+ }
+
+ return true
+}
+
+func CleanRoleNames(roleNames []string) ([]string, bool) {
+ var cleanedRoleNames []string
+ for _, roleName := range roleNames {
+ if strings.TrimSpace(roleName) == "" {
+ continue
+ }
+
+ if !IsValidRoleName(roleName) {
+ return roleNames, false
+ }
+
+ cleanedRoleNames = append(cleanedRoleNames, roleName)
+ }
+
+ return cleanedRoleNames, true
+}
+
+func IsValidRoleName(roleName string) bool {
+ if roleName == "" || len(roleName) > RoleNameMaxLength {
+ return false
+ }
+
+ if strings.TrimLeft(roleName, "abcdefghijklmnopqrstuvwxyz0123456789_") != "" {
+ return false
+ }
+
+ return true
+}
+
+func MakeDefaultRoles() map[string]*Role {
+ roles := make(map[string]*Role)
+
+ roles[ChannelGuestRoleId] = &Role{
+ Name: "channel_guest",
+ DisplayName: "authentication.roles.channel_guest.name",
+ Description: "authentication.roles.channel_guest.description",
+ Permissions: []string{
+ PermissionReadChannel.Id,
+ PermissionAddReaction.Id,
+ PermissionRemoveReaction.Id,
+ PermissionUploadFile.Id,
+ PermissionEditPost.Id,
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ PermissionUseSlashCommands.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[ChannelUserRoleId] = &Role{
+ Name: "channel_user",
+ DisplayName: "authentication.roles.channel_user.name",
+ Description: "authentication.roles.channel_user.description",
+ Permissions: []string{
+ PermissionReadChannel.Id,
+ PermissionAddReaction.Id,
+ PermissionRemoveReaction.Id,
+ PermissionManagePublicChannelMembers.Id,
+ PermissionUploadFile.Id,
+ PermissionGetPublicLink.Id,
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ PermissionUseSlashCommands.Id,
+ PermissionManagePublicChannelProperties.Id,
+ PermissionDeletePublicChannel.Id,
+ PermissionManagePrivateChannelProperties.Id,
+ PermissionDeletePrivateChannel.Id,
+ PermissionManagePrivateChannelMembers.Id,
+ PermissionDeletePost.Id,
+ PermissionEditPost.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[ChannelAdminRoleId] = &Role{
+ Name: "channel_admin",
+ DisplayName: "authentication.roles.channel_admin.name",
+ Description: "authentication.roles.channel_admin.description",
+ Permissions: []string{
+ PermissionManageChannelRoles.Id,
+ PermissionUseGroupMentions.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[TeamGuestRoleId] = &Role{
+ Name: "team_guest",
+ DisplayName: "authentication.roles.team_guest.name",
+ Description: "authentication.roles.team_guest.description",
+ Permissions: []string{
+ PermissionViewTeam.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[TeamUserRoleId] = &Role{
+ Name: "team_user",
+ DisplayName: "authentication.roles.team_user.name",
+ Description: "authentication.roles.team_user.description",
+ Permissions: []string{
+ PermissionListTeamChannels.Id,
+ PermissionJoinPublicChannels.Id,
+ PermissionReadPublicChannel.Id,
+ PermissionViewTeam.Id,
+ PermissionCreatePublicChannel.Id,
+ PermissionCreatePrivateChannel.Id,
+ PermissionInviteUser.Id,
+ PermissionAddUserToTeam.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[TeamPostAllRoleId] = &Role{
+ Name: "team_post_all",
+ DisplayName: "authentication.roles.team_post_all.name",
+ Description: "authentication.roles.team_post_all.description",
+ Permissions: []string{
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[TeamPostAllPublicRoleId] = &Role{
+ Name: "team_post_all_public",
+ DisplayName: "authentication.roles.team_post_all_public.name",
+ Description: "authentication.roles.team_post_all_public.description",
+ Permissions: []string{
+ PermissionCreatePostPublic.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[TeamAdminRoleId] = &Role{
+ Name: "team_admin",
+ DisplayName: "authentication.roles.team_admin.name",
+ Description: "authentication.roles.team_admin.description",
+ Permissions: []string{
+ PermissionRemoveUserFromTeam.Id,
+ PermissionManageTeam.Id,
+ PermissionImportTeam.Id,
+ PermissionManageTeamRoles.Id,
+ PermissionManageChannelRoles.Id,
+ PermissionManageOthersIncomingWebhooks.Id,
+ PermissionManageOthersOutgoingWebhooks.Id,
+ PermissionManageSlashCommands.Id,
+ PermissionManageOthersSlashCommands.Id,
+ PermissionManageIncomingWebhooks.Id,
+ PermissionManageOutgoingWebhooks.Id,
+ PermissionConvertPublicChannelToPrivate.Id,
+ PermissionConvertPrivateChannelToPublic.Id,
+ PermissionDeletePost.Id,
+ PermissionDeleteOthersPosts.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[SystemGuestRoleId] = &Role{
+ Name: "system_guest",
+ DisplayName: "authentication.roles.global_guest.name",
+ Description: "authentication.roles.global_guest.description",
+ Permissions: []string{
+ PermissionCreateDirectChannel.Id,
+ PermissionCreateGroupChannel.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[SystemUserRoleId] = &Role{
+ Name: "system_user",
+ DisplayName: "authentication.roles.global_user.name",
+ Description: "authentication.roles.global_user.description",
+ Permissions: []string{
+ PermissionListPublicTeams.Id,
+ PermissionJoinPublicTeams.Id,
+ PermissionCreateDirectChannel.Id,
+ PermissionCreateGroupChannel.Id,
+ PermissionViewMembers.Id,
+ PermissionCreateTeam.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[SystemPostAllRoleId] = &Role{
+ Name: "system_post_all",
+ DisplayName: "authentication.roles.system_post_all.name",
+ Description: "authentication.roles.system_post_all.description",
+ Permissions: []string{
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemPostAllPublicRoleId] = &Role{
+ Name: "system_post_all_public",
+ DisplayName: "authentication.roles.system_post_all_public.name",
+ Description: "authentication.roles.system_post_all_public.description",
+ Permissions: []string{
+ PermissionCreatePostPublic.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemUserAccessTokenRoleId] = &Role{
+ Name: "system_user_access_token",
+ DisplayName: "authentication.roles.system_user_access_token.name",
+ Description: "authentication.roles.system_user_access_token.description",
+ Permissions: []string{
+ PermissionCreateUserAccessToken.Id,
+ PermissionReadUserAccessToken.Id,
+ PermissionRevokeUserAccessToken.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemUserManagerRoleId] = &Role{
+ Name: "system_user_manager",
+ DisplayName: "authentication.roles.system_user_manager.name",
+ Description: "authentication.roles.system_user_manager.description",
+ Permissions: SystemUserManagerDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemReadOnlyAdminRoleId] = &Role{
+ Name: "system_read_only_admin",
+ DisplayName: "authentication.roles.system_read_only_admin.name",
+ Description: "authentication.roles.system_read_only_admin.description",
+ Permissions: SystemReadOnlyAdminDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemManagerRoleId] = &Role{
+ Name: "system_manager",
+ DisplayName: "authentication.roles.system_manager.name",
+ Description: "authentication.roles.system_manager.description",
+ Permissions: SystemManagerDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ allPermissionIDs := []string{}
+ for _, permission := range AllPermissions {
+ allPermissionIDs = append(allPermissionIDs, permission.Id)
+ }
+
+ roles[SystemAdminRoleId] = &Role{
+ Name: "system_admin",
+ DisplayName: "authentication.roles.global_admin.name",
+ Description: "authentication.roles.global_admin.description",
+ // System admins can do anything channel and team admins can do
+ // plus everything members of teams and channels can do to all teams
+ // and channels on the system
+ Permissions: allPermissionIDs,
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ return roles
+}
+
+func AddAncillaryPermissions(permissions []string) []string {
+ for _, permission := range permissions {
+ if ancillaryPermissions, ok := SysconsoleAncillaryPermissions[permission]; ok {
+ for _, ancillaryPermission := range ancillaryPermissions {
+ permissions = append(permissions, ancillaryPermission.Id)
+ }
+ }
+ }
+ return permissions
+}
+
+func asStringBoolMap(list []string) map[string]bool {
+ listMap := make(map[string]bool, len(list))
+ for _, p := range list {
+ listMap[p] = true
+ }
+ return listMap
+}