summaryrefslogtreecommitdiffstats
path: root/vendor/github.com/mattermost/mattermost-server/v5/model/role.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/mattermost/mattermost-server/v5/model/role.go')
-rw-r--r--vendor/github.com/mattermost/mattermost-server/v5/model/role.go277
1 files changed, 210 insertions, 67 deletions
diff --git a/vendor/github.com/mattermost/mattermost-server/v5/model/role.go b/vendor/github.com/mattermost/mattermost-server/v5/model/role.go
index 38ac1ef7..e880a1d8 100644
--- a/vendor/github.com/mattermost/mattermost-server/v5/model/role.go
+++ b/vendor/github.com/mattermost/mattermost-server/v5/model/role.go
@@ -9,10 +9,24 @@ import (
"strings"
)
+// SysconsoleAncillaryPermissions maps the non-sysconsole permissions required by each sysconsole view.
+var SysconsoleAncillaryPermissions map[string][]*Permission
+var SystemManagerDefaultPermissions []string
+var SystemUserManagerDefaultPermissions []string
+var SystemReadOnlyAdminDefaultPermissions []string
+
var BuiltInSchemeManagedRoleIDs []string
+var NewSystemRoleIDs []string
+
func init() {
- BuiltInSchemeManagedRoleIDs = []string{
+ NewSystemRoleIDs = []string{
+ SYSTEM_USER_MANAGER_ROLE_ID,
+ SYSTEM_READ_ONLY_ADMIN_ROLE_ID,
+ SYSTEM_MANAGER_ROLE_ID,
+ }
+
+ BuiltInSchemeManagedRoleIDs = append([]string{
SYSTEM_GUEST_ROLE_ID,
SYSTEM_USER_ROLE_ID,
SYSTEM_ADMIN_ROLE_ID,
@@ -29,7 +43,125 @@ func init() {
CHANNEL_GUEST_ROLE_ID,
CHANNEL_USER_ROLE_ID,
CHANNEL_ADMIN_ROLE_ID,
+ }, NewSystemRoleIDs...)
+
+ // When updating the values here, the values in mattermost-redux must also be updated.
+ SysconsoleAncillaryPermissions = map[string][]*Permission{
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id: {
+ PERMISSION_READ_PUBLIC_CHANNEL,
+ PERMISSION_READ_CHANNEL,
+ PERMISSION_READ_PUBLIC_CHANNEL_GROUPS,
+ PERMISSION_READ_PRIVATE_CHANNEL_GROUPS,
+ },
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_USERS.Id: {
+ PERMISSION_READ_OTHER_USERS_TEAMS,
+ },
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id: {
+ PERMISSION_LIST_PRIVATE_TEAMS,
+ PERMISSION_LIST_PUBLIC_TEAMS,
+ PERMISSION_VIEW_TEAM,
+ },
+ PERMISSION_SYSCONSOLE_READ_ENVIRONMENT.Id: {
+ PERMISSION_READ_JOBS,
+ },
+ PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id: {
+ PERMISSION_READ_JOBS,
+ },
+ PERMISSION_SYSCONSOLE_READ_REPORTING.Id: {
+ PERMISSION_VIEW_TEAM,
+ },
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_USERS.Id: {
+ PERMISSION_EDIT_OTHER_USERS,
+ PERMISSION_DEMOTE_TO_GUEST,
+ PERMISSION_PROMOTE_GUEST,
+ },
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS.Id: {
+ PERMISSION_MANAGE_TEAM,
+ PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES,
+ PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES,
+ PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS,
+ PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS,
+ PERMISSION_DELETE_PRIVATE_CHANNEL,
+ PERMISSION_DELETE_PUBLIC_CHANNEL,
+ PERMISSION_MANAGE_CHANNEL_ROLES,
+ PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE,
+ PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC,
+ },
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS.Id: {
+ PERMISSION_MANAGE_TEAM,
+ PERMISSION_MANAGE_TEAM_ROLES,
+ PERMISSION_REMOVE_USER_FROM_TEAM,
+ PERMISSION_JOIN_PRIVATE_TEAMS,
+ PERMISSION_JOIN_PUBLIC_TEAMS,
+ PERMISSION_ADD_USER_TO_TEAM,
+ },
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS.Id: {
+ PERMISSION_MANAGE_TEAM,
+ PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS,
+ PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS,
+ PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE,
+ PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC,
+ },
+ PERMISSION_SYSCONSOLE_WRITE_ENVIRONMENT.Id: {
+ PERMISSION_MANAGE_JOBS,
+ },
+ PERMISSION_SYSCONSOLE_WRITE_SITE.Id: {
+ PERMISSION_EDIT_BRAND,
+ },
}
+
+ SystemUserManagerDefaultPermissions = []string{
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS.Id,
+ PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id,
+ }
+
+ SystemReadOnlyAdminDefaultPermissions = []string{
+ PERMISSION_SYSCONSOLE_READ_ABOUT.Id,
+ PERMISSION_SYSCONSOLE_READ_REPORTING.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_USERS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS.Id,
+ PERMISSION_SYSCONSOLE_READ_ENVIRONMENT.Id,
+ PERMISSION_SYSCONSOLE_READ_SITE.Id,
+ PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id,
+ PERMISSION_SYSCONSOLE_READ_PLUGINS.Id,
+ PERMISSION_SYSCONSOLE_READ_INTEGRATIONS.Id,
+ PERMISSION_SYSCONSOLE_READ_EXPERIMENTAL.Id,
+ }
+
+ SystemManagerDefaultPermissions = []string{
+ PERMISSION_SYSCONSOLE_READ_ABOUT.Id,
+ PERMISSION_SYSCONSOLE_READ_REPORTING.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS.Id,
+ PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS.Id,
+ PERMISSION_SYSCONSOLE_READ_ENVIRONMENT.Id,
+ PERMISSION_SYSCONSOLE_WRITE_ENVIRONMENT.Id,
+ PERMISSION_SYSCONSOLE_READ_SITE.Id,
+ PERMISSION_SYSCONSOLE_WRITE_SITE.Id,
+ PERMISSION_SYSCONSOLE_READ_AUTHENTICATION.Id,
+ PERMISSION_SYSCONSOLE_READ_PLUGINS.Id,
+ PERMISSION_SYSCONSOLE_READ_INTEGRATIONS.Id,
+ PERMISSION_SYSCONSOLE_WRITE_INTEGRATIONS.Id,
+ }
+
+ // Add the ancillary permissions to each system role
+ SystemUserManagerDefaultPermissions = addAncillaryPermissions(SystemUserManagerDefaultPermissions)
+ SystemReadOnlyAdminDefaultPermissions = addAncillaryPermissions(SystemReadOnlyAdminDefaultPermissions)
+ SystemManagerDefaultPermissions = addAncillaryPermissions(SystemManagerDefaultPermissions)
}
type RoleType string
@@ -42,6 +174,9 @@ const (
SYSTEM_POST_ALL_ROLE_ID = "system_post_all"
SYSTEM_POST_ALL_PUBLIC_ROLE_ID = "system_post_all_public"
SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"
+ SYSTEM_USER_MANAGER_ROLE_ID = "system_user_manager"
+ SYSTEM_READ_ONLY_ADMIN_ROLE_ID = "system_read_only_admin"
+ SYSTEM_MANAGER_ROLE_ID = "system_manager"
TEAM_GUEST_ROLE_ID = "team_guest"
TEAM_USER_ROLE_ID = "team_user"
@@ -135,8 +270,8 @@ func (r *Role) MergeChannelHigherScopedPermissions(higherScopedPermissions *Role
higherScopedPermissionsMap := AsStringBoolMap(higherScopedPermissions.Permissions)
rolePermissionsMap := AsStringBoolMap(r.Permissions)
- for _, cp := range ALL_PERMISSIONS {
- if cp.Scope != PERMISSION_SCOPE_CHANNEL {
+ for _, cp := range AllPermissions {
+ if cp.Scope != PermissionScopeChannel {
continue
}
@@ -150,7 +285,7 @@ func (r *Role) MergeChannelHigherScopedPermissions(higherScopedPermissions *Role
continue
}
- _, permissionIsModerated := CHANNEL_MODERATED_PERMISSIONS_MAP[cp.Id]
+ _, permissionIsModerated := ChannelModeratedPermissionsMap[cp.Id]
if permissionIsModerated {
_, presentOnRole := rolePermissionsMap[cp.Id]
if presentOnRole && presentOnHigherScope {
@@ -216,13 +351,13 @@ func ChannelModeratedPermissionsChangedByPatch(role *Role, patch *RolePatch) []s
patchMap := make(map[string]bool)
for _, permission := range role.Permissions {
- if channelModeratedPermissionName, found := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; found {
+ if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found {
roleMap[channelModeratedPermissionName] = true
}
}
for _, permission := range *patch.Permissions {
- if channelModeratedPermissionName, found := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; found {
+ if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found {
patchMap[channelModeratedPermissionName] = true
}
}
@@ -246,11 +381,11 @@ func ChannelModeratedPermissionsChangedByPatch(role *Role, patch *RolePatch) []s
func (r *Role) GetChannelModeratedPermissions(channelType string) map[string]bool {
moderatedPermissions := make(map[string]bool)
for _, permission := range r.Permissions {
- if _, found := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; !found {
+ if _, found := ChannelModeratedPermissionsMap[permission]; !found {
continue
}
- for moderated, moderatedPermissionValue := range CHANNEL_MODERATED_PERMISSIONS_MAP {
+ for moderated, moderatedPermissionValue := range ChannelModeratedPermissionsMap {
// the moderated permission has already been found to be true so skip this iteration
if moderatedPermissions[moderatedPermissionValue] {
continue
@@ -279,14 +414,14 @@ func (r *Role) RolePatchFromChannelModerationsPatch(channelModerationsPatch []*C
// Iterate through the list of existing permissions on the role and append permissions that we want to keep.
for _, permission := range r.Permissions {
// Permission is not moderated so dont add it to the patch and skip the channelModerationsPatch
- if _, isModerated := CHANNEL_MODERATED_PERMISSIONS_MAP[permission]; !isModerated {
+ if _, isModerated := ChannelModeratedPermissionsMap[permission]; !isModerated {
continue
}
permissionEnabled := true
// Check if permission has a matching moderated permission name inside the channel moderation patch
for _, channelModerationPatch := range channelModerationsPatch {
- if *channelModerationPatch.Name == CHANNEL_MODERATED_PERMISSIONS_MAP[permission] {
+ if *channelModerationPatch.Name == ChannelModeratedPermissionsMap[permission] {
// Permission key exists in patch with a value of false so skip over it
if roleName == "members" {
if channelModerationPatch.Roles.Members != nil && !*channelModerationPatch.Roles.Members {
@@ -307,7 +442,7 @@ func (r *Role) RolePatchFromChannelModerationsPatch(channelModerationsPatch []*C
// Iterate through the patch and add any permissions that dont already exist on the role
for _, channelModerationPatch := range channelModerationsPatch {
- for permission, moderatedPermissionName := range CHANNEL_MODERATED_PERMISSIONS_MAP {
+ for permission, moderatedPermissionName := range ChannelModeratedPermissionsMap {
if roleName == "members" && channelModerationPatch.Roles.Members != nil && *channelModerationPatch.Roles.Members && *channelModerationPatch.Name == moderatedPermissionName {
permissionsToAddToPatch[permission] = true
}
@@ -349,7 +484,7 @@ func (r *Role) IsValidWithoutId() bool {
for _, permission := range r.Permissions {
permissionValidated := false
- for _, p := range ALL_PERMISSIONS {
+ for _, p := range append(AllPermissions, DeprecatedPermissions...) {
if permission == p.Id {
permissionValidated = true
break
@@ -364,6 +499,23 @@ func (r *Role) IsValidWithoutId() bool {
return true
}
+func CleanRoleNames(roleNames []string) ([]string, bool) {
+ var cleanedRoleNames []string
+ for _, roleName := range roleNames {
+ if strings.TrimSpace(roleName) == "" {
+ continue
+ }
+
+ if !IsValidRoleName(roleName) {
+ return roleNames, false
+ }
+
+ cleanedRoleNames = append(cleanedRoleNames, roleName)
+ }
+
+ return cleanedRoleNames, true
+}
+
func IsValidRoleName(roleName string) bool {
if len(roleName) <= 0 || len(roleName) > ROLE_NAME_MAX_LENGTH {
return false
@@ -493,6 +645,8 @@ func MakeDefaultRoles() map[string]*Role {
PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
+ PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE.Id,
+ PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC.Id,
},
SchemeManaged: true,
BuiltIn: true,
@@ -562,6 +716,38 @@ func MakeDefaultRoles() map[string]*Role {
BuiltIn: true,
}
+ roles[SYSTEM_USER_MANAGER_ROLE_ID] = &Role{
+ Name: "system_user_manager",
+ DisplayName: "authentication.roles.system_user_manager.name",
+ Description: "authentication.roles.system_user_manager.description",
+ Permissions: SystemUserManagerDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SYSTEM_READ_ONLY_ADMIN_ROLE_ID] = &Role{
+ Name: "system_read_only_admin",
+ DisplayName: "authentication.roles.system_read_only_admin.name",
+ Description: "authentication.roles.system_read_only_admin.description",
+ Permissions: SystemReadOnlyAdminDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SYSTEM_MANAGER_ROLE_ID] = &Role{
+ Name: "system_manager",
+ DisplayName: "authentication.roles.system_manager.name",
+ Description: "authentication.roles.system_manager.description",
+ Permissions: SystemManagerDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ allPermissionIDs := []string{}
+ for _, permission := range AllPermissions {
+ allPermissionIDs = append(allPermissionIDs, permission.Id)
+ }
+
roles[SYSTEM_ADMIN_ROLE_ID] = &Role{
Name: "system_admin",
DisplayName: "authentication.roles.global_admin.name",
@@ -569,64 +755,21 @@ func MakeDefaultRoles() map[string]*Role {
// System admins can do anything channel and team admins can do
// plus everything members of teams and channels can do to all teams
// and channels on the system
- Permissions: append(
- append(
- append(
- append(
- []string{
- PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
- PERMISSION_MANAGE_SYSTEM.Id,
- PERMISSION_MANAGE_ROLES.Id,
- PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
- PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
- PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
- PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
- PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
- PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
- PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
- PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
- PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
- PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
- PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
- PERMISSION_EDIT_OTHER_USERS.Id,
- PERMISSION_EDIT_OTHERS_POSTS.Id,
- PERMISSION_MANAGE_OAUTH.Id,
- PERMISSION_INVITE_USER.Id,
- PERMISSION_INVITE_GUEST.Id,
- PERMISSION_PROMOTE_GUEST.Id,
- PERMISSION_DEMOTE_TO_GUEST.Id,
- PERMISSION_DELETE_POST.Id,
- PERMISSION_DELETE_OTHERS_POSTS.Id,
- PERMISSION_CREATE_TEAM.Id,
- PERMISSION_ADD_USER_TO_TEAM.Id,
- PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
- PERMISSION_MANAGE_JOBS.Id,
- PERMISSION_CREATE_POST_PUBLIC.Id,
- PERMISSION_CREATE_POST_EPHEMERAL.Id,
- PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
- PERMISSION_READ_USER_ACCESS_TOKEN.Id,
- PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
- PERMISSION_CREATE_BOT.Id,
- PERMISSION_READ_BOTS.Id,
- PERMISSION_READ_OTHERS_BOTS.Id,
- PERMISSION_MANAGE_BOTS.Id,
- PERMISSION_MANAGE_OTHERS_BOTS.Id,
- PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
- PERMISSION_LIST_PRIVATE_TEAMS.Id,
- PERMISSION_JOIN_PRIVATE_TEAMS.Id,
- PERMISSION_VIEW_MEMBERS.Id,
- },
- roles[TEAM_USER_ROLE_ID].Permissions...,
- ),
- roles[CHANNEL_USER_ROLE_ID].Permissions...,
- ),
- roles[TEAM_ADMIN_ROLE_ID].Permissions...,
- ),
- roles[CHANNEL_ADMIN_ROLE_ID].Permissions...,
- ),
+ Permissions: allPermissionIDs,
SchemeManaged: true,
BuiltIn: true,
}
return roles
}
+
+func addAncillaryPermissions(permissions []string) []string {
+ for _, permission := range permissions {
+ if ancillaryPermissions, ok := SysconsoleAncillaryPermissions[permission]; ok {
+ for _, ancillaryPermission := range ancillaryPermissions {
+ permissions = append(permissions, ancillaryPermission.Id)
+ }
+ }
+ }
+ return permissions
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-02 02:30:38 +0000