Unverified Commit 84afd470 authored by Jesús Espino's avatar Jesús Espino Committed by GitHub

Split Emojis and Webhooks permissions (#10239)

* Split Emojis and Webhooks permissions

* Fixing some tests

* Fixing more tests

* Fix more tests

* Fixed review comments

* Fixing review comments
parent a4e3dfae
......@@ -47,7 +47,7 @@ func createEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
// Allow any user with MANAGE_EMOJIS permission at Team level to manage emojis at system level
// Allow any user with CREATE_EMOJIS permission at Team level to create emojis at system level
memberships, err := c.App.GetTeamMembersForUser(c.App.Session.UserId)
if err != nil {
......@@ -55,16 +55,16 @@ func createEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_EMOJIS) {
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_CREATE_EMOJIS) {
hasPermission := false
for _, membership := range memberships {
if c.App.SessionHasPermissionToTeam(c.App.Session, membership.TeamId, model.PERMISSION_MANAGE_EMOJIS) {
if c.App.SessionHasPermissionToTeam(c.App.Session, membership.TeamId, model.PERMISSION_CREATE_EMOJIS) {
hasPermission = true
break
}
}
if !hasPermission {
c.SetPermissionError(model.PERMISSION_MANAGE_EMOJIS)
c.SetPermissionError(model.PERMISSION_CREATE_EMOJIS)
return
}
}
......@@ -125,7 +125,7 @@ func deleteEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
// Allow any user with MANAGE_EMOJIS permission at Team level to manage emojis at system level
// Allow any user with DELETE_EMOJIS permission at Team level to delete emojis at system level
memberships, err := c.App.GetTeamMembersForUser(c.App.Session.UserId)
if err != nil {
......@@ -133,32 +133,32 @@ func deleteEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_EMOJIS) {
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_DELETE_EMOJIS) {
hasPermission := false
for _, membership := range memberships {
if c.App.SessionHasPermissionToTeam(c.App.Session, membership.TeamId, model.PERMISSION_MANAGE_EMOJIS) {
if c.App.SessionHasPermissionToTeam(c.App.Session, membership.TeamId, model.PERMISSION_DELETE_EMOJIS) {
hasPermission = true
break
}
}
if !hasPermission {
c.SetPermissionError(model.PERMISSION_MANAGE_EMOJIS)
c.SetPermissionError(model.PERMISSION_DELETE_EMOJIS)
return
}
}
if c.App.Session.UserId != emoji.CreatorId {
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_OTHERS_EMOJIS) {
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_DELETE_OTHERS_EMOJIS) {
hasPermission := false
for _, membership := range memberships {
if c.App.SessionHasPermissionToTeam(c.App.Session, membership.TeamId, model.PERMISSION_MANAGE_OTHERS_EMOJIS) {
if c.App.SessionHasPermissionToTeam(c.App.Session, membership.TeamId, model.PERMISSION_DELETE_OTHERS_EMOJIS) {
hasPermission = true
break
}
}
if !hasPermission {
c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_EMOJIS)
c.SetPermissionError(model.PERMISSION_DELETE_OTHERS_EMOJIS)
return
}
}
......
......@@ -159,7 +159,7 @@ func TestCreateEmoji(t *testing.T) {
CheckForbiddenStatus(t, resp)
// try to create an emoji without permissions
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_CREATE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
......@@ -170,7 +170,7 @@ func TestCreateEmoji(t *testing.T) {
CheckForbiddenStatus(t, resp)
// create an emoji with permissions in one team
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_CREATE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
......@@ -324,12 +324,12 @@ func TestDeleteEmoji(t *testing.T) {
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.DeleteEmoji(newEmoji.Id)
CheckForbiddenStatus(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
//Try to delete other user's custom emoji without MANAGE_EMOJIS permissions
//Try to delete other user's custom emoji without DELETE_EMOJIS permissions
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
......@@ -338,8 +338,8 @@ func TestDeleteEmoji(t *testing.T) {
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic2()
......@@ -347,13 +347,13 @@ func TestDeleteEmoji(t *testing.T) {
_, resp = Client.DeleteEmoji(newEmoji.Id)
CheckForbiddenStatus(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_DELETE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic()
//Try to delete other user's custom emoji without MANAGE_OTHERS_EMOJIS permissions
//Try to delete other user's custom emoji without DELETE_OTHERS_EMOJIS permissions
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
......@@ -380,8 +380,8 @@ func TestDeleteEmoji(t *testing.T) {
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic2()
......@@ -396,12 +396,12 @@ func TestDeleteEmoji(t *testing.T) {
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.DeleteEmoji(newEmoji.Id)
CheckNoError(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_DELETE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
//Try to delete other user's custom emoji with permissions at team level
emoji = &model.Emoji{
......@@ -412,11 +412,11 @@ func TestDeleteEmoji(t *testing.T) {
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_DELETE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_DELETE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_DELETE_OTHERS_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic2()
......
......@@ -99,11 +99,13 @@ func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
if c.App.License() == nil && patch.Permissions != nil {
allowedPermissions := []string{
model.PERMISSION_CREATE_TEAM.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OAUTH.Id,
model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
model.PERMISSION_CREATE_EMOJIS.Id,
model.PERMISSION_DELETE_EMOJIS.Id,
model.PERMISSION_EDIT_OTHERS_POSTS.Id,
}
......
......@@ -164,7 +164,7 @@ func TestPatchRole(t *testing.T) {
defer th.App.Srv.Store.Job().Delete(role.Id)
patch := &model.RolePatch{
Permissions: &[]string{"manage_system", "create_public_channel", "manage_webhooks"},
Permissions: &[]string{"manage_system", "create_public_channel", "manage_incoming_webhooks", "manage_outgoing_webhooks"},
}
received, resp := th.SystemAdminClient.PatchRole(role.Id, patch)
......@@ -174,7 +174,7 @@ func TestPatchRole(t *testing.T) {
assert.Equal(t, received.Name, role.Name)
assert.Equal(t, received.DisplayName, role.DisplayName)
assert.Equal(t, received.Description, role.Description)
assert.EqualValues(t, received.Permissions, []string{"manage_system", "create_public_channel", "manage_webhooks"})
assert.EqualValues(t, received.Permissions, []string{"manage_system", "create_public_channel", "manage_incoming_webhooks", "manage_outgoing_webhooks"})
assert.Equal(t, received.SchemeManaged, role.SchemeManaged)
// Check a no-op patch succeeds.
......@@ -192,7 +192,7 @@ func TestPatchRole(t *testing.T) {
// Check a change that the license would not allow.
patch = &model.RolePatch{
Permissions: &[]string{"manage_system", "manage_webhooks"},
Permissions: &[]string{"manage_system", "manage_incoming_webhooks", "manage_outgoing_webhooks"},
}
_, resp = th.SystemAdminClient.PatchRole(role.Id, patch)
......@@ -209,6 +209,6 @@ func TestPatchRole(t *testing.T) {
assert.Equal(t, received.Name, role.Name)
assert.Equal(t, received.DisplayName, role.DisplayName)
assert.Equal(t, received.Description, role.Description)
assert.EqualValues(t, received.Permissions, []string{"manage_system", "manage_webhooks"})
assert.EqualValues(t, received.Permissions, []string{"manage_system", "manage_incoming_webhooks", "manage_outgoing_webhooks"})
assert.Equal(t, received.SchemeManaged, role.SchemeManaged)
}
This diff is collapsed.
......@@ -25,8 +25,8 @@ func TestCreateIncomingWebhook(t *testing.T) {
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id}
......@@ -58,7 +58,7 @@ func TestCreateIncomingWebhook(t *testing.T) {
_, resp = Client.CreateIncomingWebhook(hook)
CheckForbiddenStatus(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.CreateIncomingWebhook(hook)
CheckNoError(t, resp)
......@@ -85,8 +85,8 @@ func TestGetIncomingWebhooks(t *testing.T) {
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id}
rhook, resp := th.SystemAdminClient.CreateIncomingWebhook(hook)
......@@ -137,7 +137,7 @@ func TestGetIncomingWebhooks(t *testing.T) {
_, resp = Client.GetIncomingWebhooks(0, 1000, "")
CheckForbiddenStatus(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.GetIncomingWebhooksForTeam(th.BasicTeam.Id, 0, 1000, "")
CheckNoError(t, resp)
......@@ -254,8 +254,8 @@ func TestCreateOutgoingWebhook(t *testing.T) {
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId, CallbackURLs: []string{"http://nowhere.com"}, Username: "some-user-name", IconURL: "http://some-icon-url/"}
......@@ -283,7 +283,7 @@ func TestCreateOutgoingWebhook(t *testing.T) {
_, resp = Client.CreateOutgoingWebhook(hook)
CheckForbiddenStatus(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.CreateOutgoingWebhook(hook)
CheckNoError(t, resp)
......@@ -303,8 +303,8 @@ func TestGetOutgoingWebhooks(t *testing.T) {
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId, CallbackURLs: []string{"http://nowhere.com"}}
rhook, resp := th.SystemAdminClient.CreateOutgoingWebhook(hook)
......@@ -372,7 +372,7 @@ func TestGetOutgoingWebhooks(t *testing.T) {
_, resp = Client.GetOutgoingWebhooks(0, 1000, "")
CheckForbiddenStatus(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.GetOutgoingWebhooksForTeam(th.BasicTeam.Id, 0, 1000, "")
CheckNoError(t, resp)
......@@ -435,8 +435,8 @@ func TestUpdateIncomingHook(t *testing.T) {
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook1 := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id}
......@@ -567,11 +567,11 @@ func TestUpdateIncomingHook(t *testing.T) {
CheckForbiddenStatus(t, resp)
})
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
t.Run("OnlyAdminIntegrationsDisabled", func(t *testing.T) {
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
t.Run("UpdateHookOfSameUser", func(t *testing.T) {
sameUserHook := &model.IncomingWebhook{ChannelId: th.BasicChannel.Id, UserId: th.BasicUser2.Id}
......@@ -589,8 +589,8 @@ func TestUpdateIncomingHook(t *testing.T) {
})
})
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
Client.Logout()
th.UpdateUserToTeamAdmin(th.BasicUser2, th.BasicTeam)
......@@ -681,8 +681,8 @@ func TestUpdateOutgoingHook(t *testing.T) {
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
createdHook := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId,
CallbackURLs: []string{"http://nowhere.com"}, TriggerWords: []string{"cats"}}
......@@ -755,7 +755,7 @@ func TestUpdateOutgoingHook(t *testing.T) {
CheckForbiddenStatus(t, resp)
})
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
hook2 := &model.OutgoingWebhook{ChannelId: th.BasicChannel.Id, TeamId: th.BasicChannel.TeamId,
CallbackURLs: []string{"http://nowhere.com"}, TriggerWords: []string{"rats2"}}
......@@ -765,8 +765,8 @@ func TestUpdateOutgoingHook(t *testing.T) {
_, resp = Client.UpdateOutgoingWebhook(createdHook2)
CheckForbiddenStatus(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id, model.TEAM_ADMIN_ROLE_ID)
Client.Logout()
th.UpdateUserToTeamAdmin(th.BasicUser2, th.BasicTeam)
......
......@@ -5,6 +5,7 @@ package app
import (
"fmt"
"sort"
"testing"
"github.com/stretchr/testify/assert"
......@@ -110,10 +111,12 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
model.PERMISSION_IMPORT_TEAM.Id,
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
},
......@@ -147,7 +150,8 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_EDIT_OTHER_USERS.Id,
model.PERMISSION_EDIT_OTHERS_POSTS.Id,
model.PERMISSION_MANAGE_OAUTH.Id,
......@@ -187,7 +191,8 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_EDIT_POST.Id,
},
}
......@@ -281,10 +286,12 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
model.PERMISSION_IMPORT_TEAM.Id,
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
model.PERMISSION_DELETE_POST.Id,
......@@ -320,7 +327,8 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_EDIT_OTHER_USERS.Id,
model.PERMISSION_EDIT_OTHERS_POSTS.Id,
model.PERMISSION_MANAGE_OAUTH.Id,
......@@ -360,7 +368,8 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_EDIT_POST.Id,
},
}
......@@ -459,7 +468,8 @@ func TestDoEmojisPermissionsMigration(t *testing.T) {
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_EDIT_OTHER_USERS.Id,
model.PERMISSION_EDIT_OTHERS_POSTS.Id,
model.PERMISSION_MANAGE_OAUTH.Id,
......@@ -499,14 +509,18 @@ func TestDoEmojisPermissionsMigration(t *testing.T) {
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_EDIT_POST.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id,
model.PERMISSION_CREATE_EMOJIS.Id,
model.PERMISSION_DELETE_EMOJIS.Id,
model.PERMISSION_DELETE_OTHERS_EMOJIS.Id,
}
sort.Strings(expectedSystemAdmin)
role1, err1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
assert.Nil(t, err1)
sort.Strings(role1.Permissions)
assert.Equal(t, expectedSystemAdmin, role1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
th.App.UpdateConfig(func(cfg *model.Config) {
......@@ -524,18 +538,24 @@ func TestDoEmojisPermissionsMigration(t *testing.T) {
model.PERMISSION_IMPORT_TEAM.Id,
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_MANAGE_INCOMING_WEBHOOKS.Id,
model.PERMISSION_MANAGE_OUTGOING_WEBHOOKS.Id,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
model.PERMISSION_CREATE_EMOJIS.Id,
model.PERMISSION_DELETE_EMOJIS.Id,
}
sort.Strings(expected2)
sort.Strings(role2.Permissions)
assert.Equal(t, expected2, role2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.TEAM_ADMIN_ROLE_ID))
systemAdmin1, systemAdminErr1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
assert.Nil(t, systemAdminErr1)
sort.Strings(systemAdmin1.Permissions)
assert.Equal(t, expectedSystemAdmin, systemAdmin1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
th.App.UpdateConfig(func(cfg *model.Config) {
......@@ -552,11 +572,15 @@ func TestDoEmojisPermissionsMigration(t *testing.T) {
model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
model.PERMISSION_PERMANENT_DELETE_USER.Id,
model.PERMISSION_CREATE_TEAM.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
model.PERMISSION_CREATE_EMOJIS.Id,
model.PERMISSION_DELETE_EMOJIS.Id,
}
sort.Strings(expected3)
sort.Strings(role3.Permissions)
assert.Equal(t, expected3, role3.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_USER_ROLE_ID))
systemAdmin2, systemAdminErr2 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
assert.Nil(t, systemAdminErr2)
sort.Strings(systemAdmin2.Permissions)
assert.Equal(t, expectedSystemAdmin, systemAdmin2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
}
......@@ -429,7 +429,15 @@ func (me *TestHelper) ResetRoleMigration() {
func (me *TestHelper) ResetEmojisMigration() {
sqlSupplier := mainHelper.GetSqlSupplier()
if _, err := sqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ', manage_emojis', '') WHERE builtin=True"); err != nil {
if _, err := sqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ' create_emojis', '') WHERE builtin=True"); err != nil {
panic(err)
}
if _, err := sqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ' delete_emojis', '') WHERE builtin=True"); err != nil {
panic(err)
}
if _, err := sqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ' delete_others_emojis', '') WHERE builtin=True"); err != nil {
panic(err)
}
......
......@@ -123,7 +123,7 @@ func (a *App) DoEmojisPermissionsMigration() {
}
if role != nil {
role.Permissions = append(role.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
role.Permissions = append(role.Permissions, model.PERMISSION_CREATE_EMOJIS.Id, model.PERMISSION_DELETE_EMOJIS.Id)
if result := <-a.Srv.Store.Role().Save(role); result.Err != nil {
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical(result.Err.Error())
......@@ -138,8 +138,8 @@ func (a *App) DoEmojisPermissionsMigration() {
return
}
systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id)
systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_CREATE_EMOJIS.Id, model.PERMISSION_DELETE_EMOJIS.Id)
systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_DELETE_OTHERS_EMOJIS.Id)
if result := <-a.Srv.Store.Role().Save(systemAdminRole); result.Err != nil {
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical(result.Err.Error())
......
......@@ -60,6 +60,7 @@ func (a *App) ResetPermissionsSystem() *model.AppError {
// Now that the permissions system has been reset, re-run the migration to reinitialise it.
a.DoAdvancedPermissionsMigration()
a.DoEmojisPermissionsMigration()
a.DoPermissionsMigrations()
return nil
}
......
// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package app
import "github.com/mattermost/mattermost-server/model"
type permissionTransformation struct {
On func(map[string]bool) bool
Add []string
Remove []string
}
type permissionsMap []permissionTransformation
const (
MIGRATION_KEY_EMOJI_PERMISSIONS_SPLIT = "emoji_permissions_split"
MIGRATION_KEY_WEBHOOK_PERMISSIONS_SPLIT = "webhook_permissions_split"
PERMISSION_MANAGE_EMOJIS = "manage_emojis"
PERMISSION_MANAGE_OTHERS_EMOJIS = "manage_others_emojis"
PERMISSION_CREATE_EMOJIS = "create_emojis"
PERMISSION_DELETE_EMOJIS = "delete_emojis"
PERMISSION_DELETE_OTHERS_EMOJIS = "delete_others_emojis"
PERMISSION_MANAGE_WEBHOOKS = "manage_webhooks"
PERMISSION_MANAGE_OTHERS_WEBHOOKS = "manage_others_webhooks"
PERMISSION_MANAGE_INCOMING_WEBHOOKS = "manage_incoming_webhooks"
PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS = "manage_others_incoming_webhooks"
PERMISSION_MANAGE_OUTGOING_WEBHOOKS = "manage_outgoing_webhooks"
PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS = "manage_others_outgoing_webhooks"
)
func permissionExists(permission string) func(map[string]bool) bool {
return func(permissions map[string]bool) bool {
val, ok := permissions[permission]
return ok && val
}
}
func permissionNotExists(permission string) func(map[string]bool) bool {
return func(permissions map[string]bool) bool {
val, ok := permissions[permission]
return !(ok && val)
}
}
func permissionOr(funcs ...func(map[string]bool) bool) func(map[string]bool) bool {
return func(permissions map[string]bool) bool {
for _, f := range funcs {
if f(permissions) {
return true
}