Diffstat (limited to 'vendor/github.com/mattermost/mattermost-server/v6/model/role.go')
-rw-r--r--vendor/github.com/mattermost/mattermost-server/v6/model/role.go939
1 files changed, 939 insertions, 0 deletions
diff --git a/vendor/github.com/mattermost/mattermost-server/v6/model/role.go b/vendor/github.com/mattermost/mattermost-server/v6/model/role.go
new file mode 100644
index 00000000..68697838
--- /dev/null
+++ b/vendor/github.com/mattermost/mattermost-server/v6/model/role.go
@@ -0,0 +1,939 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See LICENSE.txt for license information.
+
+package model
+
+import (
+ "strings"
+)
+
+// SysconsoleAncillaryPermissions maps the non-sysconsole permissions required by each sysconsole view.
+var SysconsoleAncillaryPermissions map[string][]*Permission
+var SystemManagerDefaultPermissions []string
+var SystemUserManagerDefaultPermissions []string
+var SystemReadOnlyAdminDefaultPermissions []string
+
+var BuiltInSchemeManagedRoleIDs []string
+
+var NewSystemRoleIDs []string
+
+func init() {
+ NewSystemRoleIDs = []string{
+ SystemUserManagerRoleId,
+ SystemReadOnlyAdminRoleId,
+ SystemManagerRoleId,
+ }
+
+ BuiltInSchemeManagedRoleIDs = append([]string{
+ SystemGuestRoleId,
+ SystemUserRoleId,
+ SystemAdminRoleId,
+ SystemPostAllRoleId,
+ SystemPostAllPublicRoleId,
+ SystemUserAccessTokenRoleId,
+
+ TeamGuestRoleId,
+ TeamUserRoleId,
+ TeamAdminRoleId,
+ TeamPostAllRoleId,
+ TeamPostAllPublicRoleId,
+
+ ChannelGuestRoleId,
+ ChannelUserRoleId,
+ ChannelAdminRoleId,
+ }, NewSystemRoleIDs...)
+
+ // When updating the values here, the values in mattermost-redux must also be updated.
+ SysconsoleAncillaryPermissions = map[string][]*Permission{
+ PermissionSysconsoleReadAboutEditionAndLicense.Id: {
+ PermissionReadLicenseInformation,
+ },
+ PermissionSysconsoleWriteAboutEditionAndLicense.Id: {
+ PermissionManageLicenseInformation,
+ },
+ PermissionSysconsoleReadUserManagementChannels.Id: {
+ PermissionReadPublicChannel,
+ PermissionReadChannel,
+ PermissionReadPublicChannelGroups,
+ PermissionReadPrivateChannelGroups,
+ },
+ PermissionSysconsoleReadUserManagementUsers.Id: {
+ PermissionReadOtherUsersTeams,
+ PermissionGetAnalytics,
+ },
+ PermissionSysconsoleReadUserManagementTeams.Id: {
+ PermissionListPrivateTeams,
+ PermissionListPublicTeams,
+ PermissionViewTeam,
+ },
+ PermissionSysconsoleReadEnvironmentElasticsearch.Id: {
+ PermissionReadElasticsearchPostIndexingJob,
+ PermissionReadElasticsearchPostAggregationJob,
+ },
+ PermissionSysconsoleWriteEnvironmentWebServer.Id: {
+ PermissionTestSiteURL,
+ PermissionReloadConfig,
+ PermissionInvalidateCaches,
+ },
+ PermissionSysconsoleWriteEnvironmentDatabase.Id: {
+ PermissionRecycleDatabaseConnections,
+ },
+ PermissionSysconsoleWriteEnvironmentElasticsearch.Id: {
+ PermissionTestElasticsearch,
+ PermissionCreateElasticsearchPostIndexingJob,
+ PermissionCreateElasticsearchPostAggregationJob,
+ PermissionPurgeElasticsearchIndexes,
+ },
+ PermissionSysconsoleWriteEnvironmentFileStorage.Id: {
+ PermissionTestS3,
+ },
+ PermissionSysconsoleWriteEnvironmentSMTP.Id: {
+ PermissionTestEmail,
+ },
+ PermissionSysconsoleReadReportingServerLogs.Id: {
+ PermissionGetLogs,
+ },
+ PermissionSysconsoleReadReportingSiteStatistics.Id: {
+ PermissionGetAnalytics,
+ },
+ PermissionSysconsoleReadReportingTeamStatistics.Id: {
+ PermissionViewTeam,
+ },
+ PermissionSysconsoleWriteUserManagementUsers.Id: {
+ PermissionEditOtherUsers,
+ PermissionDemoteToGuest,
+ PermissionPromoteGuest,
+ },
+ PermissionSysconsoleWriteUserManagementChannels.Id: {
+ PermissionManageTeam,
+ PermissionManagePublicChannelProperties,
+ PermissionManagePrivateChannelProperties,
+ PermissionManagePrivateChannelMembers,
+ PermissionManagePublicChannelMembers,
+ PermissionDeletePrivateChannel,
+ PermissionDeletePublicChannel,
+ PermissionManageChannelRoles,
+ PermissionConvertPublicChannelToPrivate,
+ PermissionConvertPrivateChannelToPublic,
+ },
+ PermissionSysconsoleWriteUserManagementTeams.Id: {
+ PermissionManageTeam,
+ PermissionManageTeamRoles,
+ PermissionRemoveUserFromTeam,
+ PermissionJoinPrivateTeams,
+ PermissionJoinPublicTeams,
+ PermissionAddUserToTeam,
+ },
+ PermissionSysconsoleWriteUserManagementGroups.Id: {
+ PermissionManageTeam,
+ PermissionManagePrivateChannelMembers,
+ PermissionManagePublicChannelMembers,
+ PermissionConvertPublicChannelToPrivate,
+ PermissionConvertPrivateChannelToPublic,
+ },
+ PermissionSysconsoleWriteSiteCustomization.Id: {
+ PermissionEditBrand,
+ },
+ PermissionSysconsoleWriteComplianceDataRetentionPolicy.Id: {
+ PermissionCreateDataRetentionJob,
+ },
+ PermissionSysconsoleReadComplianceDataRetentionPolicy.Id: {
+ PermissionReadDataRetentionJob,
+ },
+ PermissionSysconsoleWriteComplianceComplianceExport.Id: {
+ PermissionCreateComplianceExportJob,
+ PermissionDownloadComplianceExportResult,
+ },
+ PermissionSysconsoleReadComplianceComplianceExport.Id: {
+ PermissionReadComplianceExportJob,
+ PermissionDownloadComplianceExportResult,
+ },
+ PermissionSysconsoleReadComplianceCustomTermsOfService.Id: {
+ PermissionReadAudits,
+ },
+ PermissionSysconsoleWriteExperimentalBleve.Id: {
+ PermissionCreatePostBleveIndexesJob,
+ PermissionPurgeBleveIndexes,
+ },
+ PermissionSysconsoleWriteAuthenticationLdap.Id: {
+ PermissionCreateLdapSyncJob,
+ PermissionAddLdapPublicCert,
+ PermissionRemoveLdapPublicCert,
+ PermissionAddLdapPrivateCert,
+ PermissionRemoveLdapPrivateCert,
+ },
+ PermissionSysconsoleReadAuthenticationLdap.Id: {
+ PermissionTestLdap,
+ PermissionReadLdapSyncJob,
+ },
+ PermissionSysconsoleWriteAuthenticationEmail.Id: {
+ PermissionInvalidateEmailInvite,
+ },
+ PermissionSysconsoleWriteAuthenticationSaml.Id: {
+ PermissionGetSamlMetadataFromIdp,
+ PermissionAddSamlPublicCert,
+ PermissionAddSamlPrivateCert,
+ PermissionAddSamlIdpCert,
+ PermissionRemoveSamlPublicCert,
+ PermissionRemoveSamlPrivateCert,
+ PermissionRemoveSamlIdpCert,
+ PermissionGetSamlCertStatus,
+ },
+ }
+
+ SystemUserManagerDefaultPermissions = []string{
+ PermissionSysconsoleReadUserManagementGroups.Id,
+ PermissionSysconsoleReadUserManagementTeams.Id,
+ PermissionSysconsoleReadUserManagementChannels.Id,
+ PermissionSysconsoleReadUserManagementPermissions.Id,
+ PermissionSysconsoleWriteUserManagementGroups.Id,
+ PermissionSysconsoleWriteUserManagementTeams.Id,
+ PermissionSysconsoleWriteUserManagementChannels.Id,
+ PermissionSysconsoleReadAuthenticationSignup.Id,
+ PermissionSysconsoleReadAuthenticationEmail.Id,
+ PermissionSysconsoleReadAuthenticationPassword.Id,
+ PermissionSysconsoleReadAuthenticationMfa.Id,
+ PermissionSysconsoleReadAuthenticationLdap.Id,
+ PermissionSysconsoleReadAuthenticationSaml.Id,
+ PermissionSysconsoleReadAuthenticationOpenid.Id,
+ PermissionSysconsoleReadAuthenticationGuestAccess.Id,
+ }
+
+ SystemReadOnlyAdminDefaultPermissions = []string{
+ PermissionSysconsoleReadAboutEditionAndLicense.Id,
+ PermissionSysconsoleReadReportingSiteStatistics.Id,
+ PermissionSysconsoleReadReportingTeamStatistics.Id,
+ PermissionSysconsoleReadReportingServerLogs.Id,
+ PermissionSysconsoleReadUserManagementUsers.Id,
+ PermissionSysconsoleReadUserManagementGroups.Id,
+ PermissionSysconsoleReadUserManagementTeams.Id,
+ PermissionSysconsoleReadUserManagementChannels.Id,
+ PermissionSysconsoleReadUserManagementPermissions.Id,
+ PermissionSysconsoleReadEnvironmentWebServer.Id,
+ PermissionSysconsoleReadEnvironmentDatabase.Id,
+ PermissionSysconsoleReadEnvironmentElasticsearch.Id,
+ PermissionSysconsoleReadEnvironmentFileStorage.Id,
+ PermissionSysconsoleReadEnvironmentImageProxy.Id,
+ PermissionSysconsoleReadEnvironmentSMTP.Id,
+ PermissionSysconsoleReadEnvironmentPushNotificationServer.Id,
+ PermissionSysconsoleReadEnvironmentHighAvailability.Id,
+ PermissionSysconsoleReadEnvironmentRateLimiting.Id,
+ PermissionSysconsoleReadEnvironmentLogging.Id,
+ PermissionSysconsoleReadEnvironmentSessionLengths.Id,
+ PermissionSysconsoleReadEnvironmentPerformanceMonitoring.Id,
+ PermissionSysconsoleReadEnvironmentDeveloper.Id,
+ PermissionSysconsoleReadSiteCustomization.Id,
+ PermissionSysconsoleReadSiteLocalization.Id,
+ PermissionSysconsoleReadSiteUsersAndTeams.Id,
+ PermissionSysconsoleReadSiteNotifications.Id,
+ PermissionSysconsoleReadSiteAnnouncementBanner.Id,
+ PermissionSysconsoleReadSiteEmoji.Id,
+ PermissionSysconsoleReadSitePosts.Id,
+ PermissionSysconsoleReadSiteFileSharingAndDownloads.Id,
+ PermissionSysconsoleReadSitePublicLinks.Id,
+ PermissionSysconsoleReadSiteNotices.Id,
+ PermissionSysconsoleReadAuthenticationSignup.Id,
+ PermissionSysconsoleReadAuthenticationEmail.Id,
+ PermissionSysconsoleReadAuthenticationPassword.Id,
+ PermissionSysconsoleReadAuthenticationMfa.Id,
+ PermissionSysconsoleReadAuthenticationLdap.Id,
+ PermissionSysconsoleReadAuthenticationSaml.Id,
+ PermissionSysconsoleReadAuthenticationOpenid.Id,
+ PermissionSysconsoleReadAuthenticationGuestAccess.Id,
+ PermissionSysconsoleReadPlugins.Id,
+ PermissionSysconsoleReadIntegrationsIntegrationManagement.Id,
+ PermissionSysconsoleReadIntegrationsBotAccounts.Id,
+ PermissionSysconsoleReadIntegrationsGif.Id,
+ PermissionSysconsoleReadIntegrationsCors.Id,
+ PermissionSysconsoleReadComplianceDataRetentionPolicy.Id,
+ PermissionSysconsoleReadComplianceComplianceExport.Id,
+ PermissionSysconsoleReadComplianceComplianceMonitoring.Id,
+ PermissionSysconsoleReadComplianceCustomTermsOfService.Id,
+ PermissionSysconsoleReadExperimentalFeatures.Id,
+ PermissionSysconsoleReadExperimentalFeatureFlags.Id,
+ PermissionSysconsoleReadExperimentalBleve.Id,
+ }
+
+ SystemManagerDefaultPermissions = []string{
+ PermissionSysconsoleReadAboutEditionAndLicense.Id,
+ PermissionSysconsoleReadReportingSiteStatistics.Id,
+ PermissionSysconsoleReadReportingTeamStatistics.Id,
+ PermissionSysconsoleReadReportingServerLogs.Id,
+ PermissionSysconsoleReadUserManagementGroups.Id,
+ PermissionSysconsoleReadUserManagementTeams.Id,
+ PermissionSysconsoleReadUserManagementChannels.Id,
+ PermissionSysconsoleReadUserManagementPermissions.Id,
+ PermissionSysconsoleWriteUserManagementGroups.Id,
+ PermissionSysconsoleWriteUserManagementTeams.Id,
+ PermissionSysconsoleWriteUserManagementChannels.Id,
+ PermissionSysconsoleWriteUserManagementPermissions.Id,
+ PermissionSysconsoleReadEnvironmentWebServer.Id,
+ PermissionSysconsoleReadEnvironmentDatabase.Id,
+ PermissionSysconsoleReadEnvironmentElasticsearch.Id,
+ PermissionSysconsoleReadEnvironmentFileStorage.Id,
+ PermissionSysconsoleReadEnvironmentImageProxy.Id,
+ PermissionSysconsoleReadEnvironmentSMTP.Id,
+ PermissionSysconsoleReadEnvironmentPushNotificationServer.Id,
+ PermissionSysconsoleReadEnvironmentHighAvailability.Id,
+ PermissionSysconsoleReadEnvironmentRateLimiting.Id,
+ PermissionSysconsoleReadEnvironmentLogging.Id,
+ PermissionSysconsoleReadEnvironmentSessionLengths.Id,
+ PermissionSysconsoleReadEnvironmentPerformanceMonitoring.Id,
+ PermissionSysconsoleReadEnvironmentDeveloper.Id,
+ PermissionSysconsoleWriteEnvironmentWebServer.Id,
+ PermissionSysconsoleWriteEnvironmentDatabase.Id,
+ PermissionSysconsoleWriteEnvironmentElasticsearch.Id,
+ PermissionSysconsoleWriteEnvironmentFileStorage.Id,
+ PermissionSysconsoleWriteEnvironmentImageProxy.Id,
+ PermissionSysconsoleWriteEnvironmentSMTP.Id,
+ PermissionSysconsoleWriteEnvironmentPushNotificationServer.Id,
+ PermissionSysconsoleWriteEnvironmentHighAvailability.Id,
+ PermissionSysconsoleWriteEnvironmentRateLimiting.Id,
+ PermissionSysconsoleWriteEnvironmentLogging.Id,
+ PermissionSysconsoleWriteEnvironmentSessionLengths.Id,
+ PermissionSysconsoleWriteEnvironmentPerformanceMonitoring.Id,
+ PermissionSysconsoleWriteEnvironmentDeveloper.Id,
+ PermissionSysconsoleReadSiteCustomization.Id,
+ PermissionSysconsoleWriteSiteCustomization.Id,
+ PermissionSysconsoleReadSiteLocalization.Id,
+ PermissionSysconsoleWriteSiteLocalization.Id,
+ PermissionSysconsoleReadSiteUsersAndTeams.Id,
+ PermissionSysconsoleWriteSiteUsersAndTeams.Id,
+ PermissionSysconsoleReadSiteNotifications.Id,
+ PermissionSysconsoleWriteSiteNotifications.Id,
+ PermissionSysconsoleReadSiteAnnouncementBanner.Id,
+ PermissionSysconsoleWriteSiteAnnouncementBanner.Id,
+ PermissionSysconsoleReadSiteEmoji.Id,
+ PermissionSysconsoleWriteSiteEmoji.Id,
+ PermissionSysconsoleReadSitePosts.Id,
+ PermissionSysconsoleWriteSitePosts.Id,
+ PermissionSysconsoleReadSiteFileSharingAndDownloads.Id,
+ PermissionSysconsoleWriteSiteFileSharingAndDownloads.Id,
+ PermissionSysconsoleReadSitePublicLinks.Id,
+ PermissionSysconsoleWriteSitePublicLinks.Id,
+ PermissionSysconsoleReadSiteNotices.Id,
+ PermissionSysconsoleWriteSiteNotices.Id,
+ PermissionSysconsoleReadAuthenticationSignup.Id,
+ PermissionSysconsoleReadAuthenticationEmail.Id,
+ PermissionSysconsoleReadAuthenticationPassword.Id,
+ PermissionSysconsoleReadAuthenticationMfa.Id,
+ PermissionSysconsoleReadAuthenticationLdap.Id,
+ PermissionSysconsoleReadAuthenticationSaml.Id,
+ PermissionSysconsoleReadAuthenticationOpenid.Id,
+ PermissionSysconsoleReadAuthenticationGuestAccess.Id,
+ PermissionSysconsoleReadPlugins.Id,
+ PermissionSysconsoleReadIntegrationsIntegrationManagement.Id,
+ PermissionSysconsoleReadIntegrationsBotAccounts.Id,
+ PermissionSysconsoleReadIntegrationsGif.Id,
+ PermissionSysconsoleReadIntegrationsCors.Id,
+ PermissionSysconsoleWriteIntegrationsIntegrationManagement.Id,
+ PermissionSysconsoleWriteIntegrationsBotAccounts.Id,
+ PermissionSysconsoleWriteIntegrationsGif.Id,
+ PermissionSysconsoleWriteIntegrationsCors.Id,
+ }
+
+ // Add the ancillary permissions to each system role
+ SystemUserManagerDefaultPermissions = AddAncillaryPermissions(SystemUserManagerDefaultPermissions)
+ SystemReadOnlyAdminDefaultPermissions = AddAncillaryPermissions(SystemReadOnlyAdminDefaultPermissions)
+ SystemManagerDefaultPermissions = AddAncillaryPermissions(SystemManagerDefaultPermissions)
+}
+
+type RoleType string
+type RoleScope string
+
+const (
+ SystemGuestRoleId = "system_guest"
+ SystemUserRoleId = "system_user"
+ SystemAdminRoleId = "system_admin"
+ SystemPostAllRoleId = "system_post_all"
+ SystemPostAllPublicRoleId = "system_post_all_public"
+ SystemUserAccessTokenRoleId = "system_user_access_token"
+ SystemUserManagerRoleId = "system_user_manager"
+ SystemReadOnlyAdminRoleId = "system_read_only_admin"
+ SystemManagerRoleId = "system_manager"
+
+ TeamGuestRoleId = "team_guest"
+ TeamUserRoleId = "team_user"
+ TeamAdminRoleId = "team_admin"
+ TeamPostAllRoleId = "team_post_all"
+ TeamPostAllPublicRoleId = "team_post_all_public"
+
+ ChannelGuestRoleId = "channel_guest"
+ ChannelUserRoleId = "channel_user"
+ ChannelAdminRoleId = "channel_admin"
+
+ RoleNameMaxLength = 64
+ RoleDisplayNameMaxLength = 128
+ RoleDescriptionMaxLength = 1024
+
+ RoleScopeSystem RoleScope = "System"
+ RoleScopeTeam RoleScope = "Team"
+ RoleScopeChannel RoleScope = "Channel"
+
+ RoleTypeGuest RoleType = "Guest"
+ RoleTypeUser RoleType = "User"
+ RoleTypeAdmin RoleType = "Admin"
+)
+
+type Role struct {
+ Id string `json:"id"`
+ Name string `json:"name"`
+ DisplayName string `json:"display_name"`
+ Description string `json:"description"`
+ CreateAt int64 `json:"create_at"`
+ UpdateAt int64 `json:"update_at"`
+ DeleteAt int64 `json:"delete_at"`
+ Permissions []string `json:"permissions"`
+ SchemeManaged bool `json:"scheme_managed"`
+ BuiltIn bool `json:"built_in"`
+}
+
+type RolePatch struct {
+ Permissions *[]string `json:"permissions"`
+}
+
+type RolePermissions struct {
+ RoleID string
+ Permissions []string
+}
+
+func (r *Role) Patch(patch *RolePatch) {
+ if patch.Permissions != nil {
+ r.Permissions = *patch.Permissions
+ }
+}
+
+// MergeChannelHigherScopedPermissions is meant to be invoked on a channel scheme's role and merges the higher-scoped
+// channel role's permissions.
+func (r *Role) MergeChannelHigherScopedPermissions(higherScopedPermissions *RolePermissions) {
+ mergedPermissions := []string{}
+
+ higherScopedPermissionsMap := asStringBoolMap(higherScopedPermissions.Permissions)
+ rolePermissionsMap := asStringBoolMap(r.Permissions)
+
+ for _, cp := range AllPermissions {
+ if cp.Scope != PermissionScopeChannel {
+ continue
+ }
+
+ _, presentOnHigherScope := higherScopedPermissionsMap[cp.Id]
+
+ // For the channel admin role always look to the higher scope to determine if the role has their permission.
+ // The channel admin is a special case because they're not part of the UI to be "channel moderated", only
+ // channel members and channel guests are.
+ if higherScopedPermissions.RoleID == ChannelAdminRoleId && presentOnHigherScope {
+ mergedPermissions = append(mergedPermissions, cp.Id)
+ continue
+ }
+
+ _, permissionIsModerated := ChannelModeratedPermissionsMap[cp.Id]
+ if permissionIsModerated {
+ _, presentOnRole := rolePermissionsMap[cp.Id]
+ if presentOnRole && presentOnHigherScope {
+ mergedPermissions = append(mergedPermissions, cp.Id)
+ }
+ } else {
+ if presentOnHigherScope {
+ mergedPermissions = append(mergedPermissions, cp.Id)
+ }
+ }
+ }
+
+ r.Permissions = mergedPermissions
+}
+
+// Returns an array of permissions that are in either role.Permissions
+// or patch.Permissions, but not both.
+func PermissionsChangedByPatch(role *Role, patch *RolePatch) []string {
+ var result []string
+
+ if patch.Permissions == nil {
+ return result
+ }
+
+ roleMap := make(map[string]bool)
+ patchMap := make(map[string]bool)
+
+ for _, permission := range role.Permissions {
+ roleMap[permission] = true
+ }
+
+ for _, permission := range *patch.Permissions {
+ patchMap[permission] = true
+ }
+
+ for _, permission := range role.Permissions {
+ if !patchMap[permission] {
+ result = append(result, permission)
+ }
+ }
+
+ for _, permission := range *patch.Permissions {
+ if !roleMap[permission] {
+ result = append(result, permission)
+ }
+ }
+
+ return result
+}
+
+func ChannelModeratedPermissionsChangedByPatch(role *Role, patch *RolePatch) []string {
+ var result []string
+
+ if role == nil {
+ return result
+ }
+
+ if patch.Permissions == nil {
+ return result
+ }
+
+ roleMap := make(map[string]bool)
+ patchMap := make(map[string]bool)
+
+ for _, permission := range role.Permissions {
+ if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found {
+ roleMap[channelModeratedPermissionName] = true
+ }
+ }
+
+ for _, permission := range *patch.Permissions {
+ if channelModeratedPermissionName, found := ChannelModeratedPermissionsMap[permission]; found {
+ patchMap[channelModeratedPermissionName] = true
+ }
+ }
+
+ for permissionKey := range roleMap {
+ if !patchMap[permissionKey] {
+ result = append(result, permissionKey)
+ }
+ }
+
+ for permissionKey := range patchMap {
+ if !roleMap[permissionKey] {
+ result = append(result, permissionKey)
+ }
+ }
+
+ return result
+}
+
+// GetChannelModeratedPermissions returns a map of channel moderated permissions that the role has access to
+func (r *Role) GetChannelModeratedPermissions(channelType ChannelType) map[string]bool {
+ moderatedPermissions := make(map[string]bool)
+ for _, permission := range r.Permissions {
+ if _, found := ChannelModeratedPermissionsMap[permission]; !found {
+ continue
+ }
+
+ for moderated, moderatedPermissionValue := range ChannelModeratedPermissionsMap {
+ // the moderated permission has already been found to be true so skip this iteration
+ if moderatedPermissions[moderatedPermissionValue] {
+ continue
+ }
+
+ if moderated == permission {
+ // Special case where the channel moderated permission for `manage_members` is different depending on whether the channel is private or public
+ if moderated == PermissionManagePublicChannelMembers.Id || moderated == PermissionManagePrivateChannelMembers.Id {
+ canManagePublic := channelType == ChannelTypeOpen && moderated == PermissionManagePublicChannelMembers.Id
+ canManagePrivate := channelType == ChannelTypePrivate && moderated == PermissionManagePrivateChannelMembers.Id
+ moderatedPermissions[moderatedPermissionValue] = canManagePublic || canManagePrivate
+ } else {
+ moderatedPermissions[moderatedPermissionValue] = true
+ }
+ }
+ }
+ }
+
+ return moderatedPermissions
+}
+
+// RolePatchFromChannelModerationsPatch Creates and returns a RolePatch based on a slice of ChannelModerationPatchs, roleName is expected to be either "members" or "guests".
+func (r *Role) RolePatchFromChannelModerationsPatch(channelModerationsPatch []*ChannelModerationPatch, roleName string) *RolePatch {
+ permissionsToAddToPatch := make(map[string]bool)
+
+ // Iterate through the list of existing permissions on the role and append permissions that we want to keep.
+ for _, permission := range r.Permissions {
+ // Permission is not moderated so dont add it to the patch and skip the channelModerationsPatch
+ if _, isModerated := ChannelModeratedPermissionsMap[permission]; !isModerated {
+ continue
+ }
+
+ permissionEnabled := true
+ // Check if permission has a matching moderated permission name inside the channel moderation patch
+ for _, channelModerationPatch := range channelModerationsPatch {
+ if *channelModerationPatch.Name == ChannelModeratedPermissionsMap[permission] {
+ // Permission key exists in patch with a value of false so skip over it
+ if roleName == "members" {
+ if channelModerationPatch.Roles.Members != nil && !*channelModerationPatch.Roles.Members {
+ permissionEnabled = false
+ }
+ } else if roleName == "guests" {
+ if channelModerationPatch.Roles.Guests != nil && !*channelModerationPatch.Roles.Guests {
+ permissionEnabled = false
+ }
+ }
+ }
+ }
+
+ if permissionEnabled {
+ permissionsToAddToPatch[permission] = true
+ }
+ }
+
+ // Iterate through the patch and add any permissions that dont already exist on the role
+ for _, channelModerationPatch := range channelModerationsPatch {
+ for permission, moderatedPermissionName := range ChannelModeratedPermissionsMap {
+ if roleName == "members" && channelModerationPatch.Roles.Members != nil && *channelModerationPatch.Roles.Members && *channelModerationPatch.Name == moderatedPermissionName {
+ permissionsToAddToPatch[permission] = true
+ }
+
+ if roleName == "guests" && channelModerationPatch.Roles.Guests != nil && *channelModerationPatch.Roles.Guests && *channelModerationPatch.Name == moderatedPermissionName {
+ permissionsToAddToPatch[permission] = true
+ }
+ }
+ }
+
+ patchPermissions := make([]string, 0, len(permissionsToAddToPatch))
+ for permission := range permissionsToAddToPatch {
+ patchPermissions = append(patchPermissions, permission)
+ }
+
+ return &RolePatch{Permissions: &patchPermissions}
+}
+
+func (r *Role) IsValid() bool {
+ if !IsValidId(r.Id) {
+ return false
+ }
+
+ return r.IsValidWithoutId()
+}
+
+func (r *Role) IsValidWithoutId() bool {
+ if !IsValidRoleName(r.Name) {
+ return false
+ }
+
+ if r.DisplayName == "" || len(r.DisplayName) > RoleDisplayNameMaxLength {
+ return false
+ }
+
+ if len(r.Description) > RoleDescriptionMaxLength {
+ return false
+ }
+
+ check := func(perms []*Permission, permission string) bool {
+ for _, p := range perms {
+ if permission == p.Id {
+ return true
+ }
+ }
+ return false
+ }
+ for _, permission := range r.Permissions {
+ permissionValidated := check(AllPermissions, permission) || check(DeprecatedPermissions, permission)
+ if !permissionValidated {
+ return false
+ }
+ }
+
+ return true
+}
+
+func CleanRoleNames(roleNames []string) ([]string, bool) {
+ var cleanedRoleNames []string
+ for _, roleName := range roleNames {
+ if strings.TrimSpace(roleName) == "" {
+ continue
+ }
+
+ if !IsValidRoleName(roleName) {
+ return roleNames, false
+ }
+
+ cleanedRoleNames = append(cleanedRoleNames, roleName)
+ }
+
+ return cleanedRoleNames, true
+}
+
+func IsValidRoleName(roleName string) bool {
+ if roleName == "" || len(roleName) > RoleNameMaxLength {
+ return false
+ }
+
+ if strings.TrimLeft(roleName, "abcdefghijklmnopqrstuvwxyz0123456789_") != "" {
+ return false
+ }
+
+ return true
+}
+
+func MakeDefaultRoles() map[string]*Role {
+ roles := make(map[string]*Role)
+
+ roles[ChannelGuestRoleId] = &Role{
+ Name: "channel_guest",
+ DisplayName: "authentication.roles.channel_guest.name",
+ Description: "authentication.roles.channel_guest.description",
+ Permissions: []string{
+ PermissionReadChannel.Id,
+ PermissionAddReaction.Id,
+ PermissionRemoveReaction.Id,
+ PermissionUploadFile.Id,
+ PermissionEditPost.Id,
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ PermissionUseSlashCommands.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[ChannelUserRoleId] = &Role{
+ Name: "channel_user",
+ DisplayName: "authentication.roles.channel_user.name",
+ Description: "authentication.roles.channel_user.description",
+ Permissions: []string{
+ PermissionReadChannel.Id,
+ PermissionAddReaction.Id,
+ PermissionRemoveReaction.Id,
+ PermissionManagePublicChannelMembers.Id,
+ PermissionUploadFile.Id,
+ PermissionGetPublicLink.Id,
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ PermissionUseSlashCommands.Id,
+ PermissionManagePublicChannelProperties.Id,
+ PermissionDeletePublicChannel.Id,
+ PermissionManagePrivateChannelProperties.Id,
+ PermissionDeletePrivateChannel.Id,
+ PermissionManagePrivateChannelMembers.Id,
+ PermissionDeletePost.Id,
+ PermissionEditPost.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[ChannelAdminRoleId] = &Role{
+ Name: "channel_admin",
+ DisplayName: "authentication.roles.channel_admin.name",
+ Description: "authentication.roles.channel_admin.description",
+ Permissions: []string{
+ PermissionManageChannelRoles.Id,
+ PermissionUseGroupMentions.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[TeamGuestRoleId] = &Role{
+ Name: "team_guest",
+ DisplayName: "authentication.roles.team_guest.name",
+ Description: "authentication.roles.team_guest.description",
+ Permissions: []string{
+ PermissionViewTeam.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[TeamUserRoleId] = &Role{
+ Name: "team_user",
+ DisplayName: "authentication.roles.team_user.name",
+ Description: "authentication.roles.team_user.description",
+ Permissions: []string{
+ PermissionListTeamChannels.Id,
+ PermissionJoinPublicChannels.Id,
+ PermissionReadPublicChannel.Id,
+ PermissionViewTeam.Id,
+ PermissionCreatePublicChannel.Id,
+ PermissionCreatePrivateChannel.Id,
+ PermissionInviteUser.Id,
+ PermissionAddUserToTeam.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[TeamPostAllRoleId] = &Role{
+ Name: "team_post_all",
+ DisplayName: "authentication.roles.team_post_all.name",
+ Description: "authentication.roles.team_post_all.description",
+ Permissions: []string{
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[TeamPostAllPublicRoleId] = &Role{
+ Name: "team_post_all_public",
+ DisplayName: "authentication.roles.team_post_all_public.name",
+ Description: "authentication.roles.team_post_all_public.description",
+ Permissions: []string{
+ PermissionCreatePostPublic.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[TeamAdminRoleId] = &Role{
+ Name: "team_admin",
+ DisplayName: "authentication.roles.team_admin.name",
+ Description: "authentication.roles.team_admin.description",
+ Permissions: []string{
+ PermissionRemoveUserFromTeam.Id,
+ PermissionManageTeam.Id,
+ PermissionImportTeam.Id,
+ PermissionManageTeamRoles.Id,
+ PermissionManageChannelRoles.Id,
+ PermissionManageOthersIncomingWebhooks.Id,
+ PermissionManageOthersOutgoingWebhooks.Id,
+ PermissionManageSlashCommands.Id,
+ PermissionManageOthersSlashCommands.Id,
+ PermissionManageIncomingWebhooks.Id,
+ PermissionManageOutgoingWebhooks.Id,
+ PermissionConvertPublicChannelToPrivate.Id,
+ PermissionConvertPrivateChannelToPublic.Id,
+ PermissionDeletePost.Id,
+ PermissionDeleteOthersPosts.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[SystemGuestRoleId] = &Role{
+ Name: "system_guest",
+ DisplayName: "authentication.roles.global_guest.name",
+ Description: "authentication.roles.global_guest.description",
+ Permissions: []string{
+ PermissionCreateDirectChannel.Id,
+ PermissionCreateGroupChannel.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[SystemUserRoleId] = &Role{
+ Name: "system_user",
+ DisplayName: "authentication.roles.global_user.name",
+ Description: "authentication.roles.global_user.description",
+ Permissions: []string{
+ PermissionListPublicTeams.Id,
+ PermissionJoinPublicTeams.Id,
+ PermissionCreateDirectChannel.Id,
+ PermissionCreateGroupChannel.Id,
+ PermissionViewMembers.Id,
+ PermissionCreateTeam.Id,
+ },
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ roles[SystemPostAllRoleId] = &Role{
+ Name: "system_post_all",
+ DisplayName: "authentication.roles.system_post_all.name",
+ Description: "authentication.roles.system_post_all.description",
+ Permissions: []string{
+ PermissionCreatePost.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemPostAllPublicRoleId] = &Role{
+ Name: "system_post_all_public",
+ DisplayName: "authentication.roles.system_post_all_public.name",
+ Description: "authentication.roles.system_post_all_public.description",
+ Permissions: []string{
+ PermissionCreatePostPublic.Id,
+ PermissionUseChannelMentions.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemUserAccessTokenRoleId] = &Role{
+ Name: "system_user_access_token",
+ DisplayName: "authentication.roles.system_user_access_token.name",
+ Description: "authentication.roles.system_user_access_token.description",
+ Permissions: []string{
+ PermissionCreateUserAccessToken.Id,
+ PermissionReadUserAccessToken.Id,
+ PermissionRevokeUserAccessToken.Id,
+ },
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemUserManagerRoleId] = &Role{
+ Name: "system_user_manager",
+ DisplayName: "authentication.roles.system_user_manager.name",
+ Description: "authentication.roles.system_user_manager.description",
+ Permissions: SystemUserManagerDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemReadOnlyAdminRoleId] = &Role{
+ Name: "system_read_only_admin",
+ DisplayName: "authentication.roles.system_read_only_admin.name",
+ Description: "authentication.roles.system_read_only_admin.description",
+ Permissions: SystemReadOnlyAdminDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ roles[SystemManagerRoleId] = &Role{
+ Name: "system_manager",
+ DisplayName: "authentication.roles.system_manager.name",
+ Description: "authentication.roles.system_manager.description",
+ Permissions: SystemManagerDefaultPermissions,
+ SchemeManaged: false,
+ BuiltIn: true,
+ }
+
+ allPermissionIDs := []string{}
+ for _, permission := range AllPermissions {
+ allPermissionIDs = append(allPermissionIDs, permission.Id)
+ }
+
+ roles[SystemAdminRoleId] = &Role{
+ Name: "system_admin",
+ DisplayName: "authentication.roles.global_admin.name",
+ Description: "authentication.roles.global_admin.description",
+ // System admins can do anything channel and team admins can do
+ // plus everything members of teams and channels can do to all teams
+ // and channels on the system
+ Permissions: allPermissionIDs,
+ SchemeManaged: true,
+ BuiltIn: true,
+ }
+
+ return roles
+}
+
+func AddAncillaryPermissions(permissions []string) []string {
+ for _, permission := range permissions {
+ if ancillaryPermissions, ok := SysconsoleAncillaryPermissions[permission]; ok {
+ for _, ancillaryPermission := range ancillaryPermissions {
+ permissions = append(permissions, ancillaryPermission.Id)
+ }
+ }
+ }
+ return permissions
+}
+
+func asStringBoolMap(list []string) map[string]bool {
+ listMap := make(map[string]bool, len(list))
+ for _, p := range list {
+ listMap[p] = true
+ }
+ return listMap
+}