Commit e88fe4bb authored by Jesús Espino's avatar Jesús Espino Committed by George Goldberg

MM-8853: Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS permissions (#8860)

* MM-8853: Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS permissions

* MM-8853: Removing unnecesary emoji enterprise feature

* Create emojis migration

* Adding MANAGE_EMOJIS and MANAGE_OTHERS_EMOJIS always to system admins

* Simplifing permissions checks

* Revert "Simplifing permissions checks"

This reverts commit e2cafc1905fc9e20125dd9a1552d2d0c7340ae59.
parent bf4cefc3
......@@ -125,6 +125,7 @@ func setupTestHelper(enterprise bool) *TestHelper {
wsapi.Init(th.App, th.App.Srv.WebSocketRouter)
th.App.Srv.Store.MarkSystemRanUnitTests()
th.App.DoAdvancedPermissionsMigration()
th.App.DoEmojisPermissionsMigration()
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.EnableOpenServer = true })
......
......@@ -33,12 +33,6 @@ func createEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
if emojiInterface := c.App.Emoji; emojiInterface != nil &&
!emojiInterface.CanUserCreateEmoji(c.Session.Roles, c.Session.TeamMembers) {
c.Err = model.NewAppError("getEmoji", "api.emoji.disabled.app_error", nil, "user_id="+c.Session.UserId, http.StatusUnauthorized)
return
}
if len(*c.App.Config().FileSettings.DriverName) == 0 {
c.Err = model.NewAppError("createEmoji", "api.emoji.storage.app_error", nil, "", http.StatusNotImplemented)
return
......@@ -54,6 +48,28 @@ func createEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
// Allow any user with MANAGE_EMOJIS permission at Team level to manage emojis at system level
memberships, err := c.App.GetTeamMembersForUser(c.Session.UserId)
if err != nil {
c.Err = err
return
}
if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_EMOJIS) {
hasPermission := false
for _, membership := range memberships {
if c.App.SessionHasPermissionToTeam(c.Session, membership.TeamId, model.PERMISSION_MANAGE_EMOJIS) {
hasPermission = true
break
}
}
if !hasPermission {
c.SetPermissionError(model.PERMISSION_MANAGE_EMOJIS)
return
}
}
m := r.MultipartForm
props := m.Value
......@@ -110,11 +126,45 @@ func deleteEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
if c.Session.UserId != emoji.CreatorId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
c.Err = model.NewAppError("deleteImage", "api.emoji.delete.permissions.app_error", nil, "user_id="+c.Session.UserId, http.StatusUnauthorized)
// Allow any user with MANAGE_EMOJIS permission at Team level to manage emojis at system level
memberships, err := c.App.GetTeamMembersForUser(c.Session.UserId)
if err != nil {
c.Err = err
return
}
if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_EMOJIS) {
hasPermission := false
for _, membership := range memberships {
if c.App.SessionHasPermissionToTeam(c.Session, membership.TeamId, model.PERMISSION_MANAGE_EMOJIS) {
hasPermission = true
break
}
}
if !hasPermission {
c.SetPermissionError(model.PERMISSION_MANAGE_EMOJIS)
return
}
}
if c.Session.UserId != emoji.CreatorId {
if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OTHERS_EMOJIS) {
hasPermission := false
for _, membership := range memberships {
if c.App.SessionHasPermissionToTeam(c.Session, membership.TeamId, model.PERMISSION_MANAGE_OTHERS_EMOJIS) {
hasPermission = true
break
}
}
if !hasPermission {
c.SetPermissionError(model.PERMISSION_MANAGE_OTHERS_EMOJIS)
return
}
}
}
err = c.App.DeleteEmoji(emoji)
if err != nil {
c.Err = err
......
......@@ -26,6 +26,11 @@ func TestCreateEmoji(t *testing.T) {
}()
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableCustomEmoji = false })
defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
emoji := &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
......@@ -141,6 +146,28 @@ func TestCreateEmoji(t *testing.T) {
_, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckForbiddenStatus(t, resp)
// try to create an emoji without permissions
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
}
_, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckForbiddenStatus(t, resp)
// create an emoji with permissions in one team
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
}
_, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
}
func TestGetEmojiList(t *testing.T) {
......@@ -186,7 +213,7 @@ func TestGetEmojiList(t *testing.T) {
}
}
if !found {
t.Fatalf("failed to get emoji with id %v", emoji.Id)
t.Fatalf("failed to get emoji with id %v, %v", emoji.Id, len(listEmoji))
}
}
......@@ -231,6 +258,11 @@ func TestDeleteEmoji(t *testing.T) {
}()
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableCustomEmoji = true })
defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
emoji := &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
......@@ -277,14 +309,100 @@ func TestDeleteEmoji(t *testing.T) {
_, resp = Client.DeleteEmoji("")
CheckNotFoundStatus(t, resp)
//Try to delete other user's custom emoji
//Try to delete my custom emoji without permissions
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.DeleteEmoji(newEmoji.Id)
CheckForbiddenStatus(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
//Try to delete other user's custom emoji without MANAGE_EMOJIS permissions
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
}
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic2()
ok, resp = Client.DeleteEmoji(newEmoji.Id)
CheckUnauthorizedStatus(t, resp)
CheckForbiddenStatus(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic()
//Try to delete other user's custom emoji without MANAGE_OTHERS_EMOJIS permissions
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
}
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
Client.Logout()
th.LoginBasic2()
ok, resp = Client.DeleteEmoji(newEmoji.Id)
CheckForbiddenStatus(t, resp)
Client.Logout()
th.LoginBasic()
//Try to delete other user's custom emoji with permissions
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
}
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic2()
ok, resp = Client.DeleteEmoji(newEmoji.Id)
CheckNoError(t, resp)
Client.Logout()
th.LoginBasic()
//Try to delete my custom emoji with permissions at team level
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
_, resp = Client.DeleteEmoji(newEmoji.Id)
CheckNoError(t, resp)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
//Try to delete other user's custom emoji with permissions at team level
emoji = &model.Emoji{
CreatorId: th.BasicUser.Id,
Name: model.NewId(),
}
newEmoji, resp = Client.CreateEmoji(emoji, utils.CreateTestGif(t, 10, 10), "image.gif")
CheckNoError(t, resp)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.SYSTEM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
th.AddPermissionToRole(model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id, model.TEAM_USER_ROLE_ID)
Client.Logout()
th.LoginBasic2()
ok, resp = Client.DeleteEmoji(newEmoji.Id)
CheckNoError(t, resp)
}
func TestGetEmoji(t *testing.T) {
......
......@@ -100,6 +100,7 @@ func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OAUTH.Id,
model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
}
changedPermissions := model.PermissionsChangedByPatch(oldRole, patch)
......
......@@ -30,6 +30,7 @@ import (
)
const ADVANCED_PERMISSIONS_MIGRATION_KEY = "AdvancedPermissionsMigrationComplete"
const EMOJIS_PERMISSIONS_MIGRATION_KEY = "EmojisPermissionsMigrationComplete"
type App struct {
goroutineCount int32
......@@ -57,7 +58,6 @@ type App struct {
Compliance einterfaces.ComplianceInterface
DataRetention einterfaces.DataRetentionInterface
Elasticsearch einterfaces.ElasticsearchInterface
Emoji einterfaces.EmojiInterface
Ldap einterfaces.LdapInterface
MessageExport einterfaces.MessageExportInterface
Metrics einterfaces.MetricsInterface
......@@ -288,12 +288,6 @@ func RegisterElasticsearchInterface(f func(*App) einterfaces.ElasticsearchInterf
elasticsearchInterface = f
}
var emojiInterface func(*App) einterfaces.EmojiInterface
func RegisterEmojiInterface(f func(*App) einterfaces.EmojiInterface) {
emojiInterface = f
}
var jobsDataRetentionJobInterface func(*App) ejobs.DataRetentionJobInterface
func RegisterJobsDataRetentionJobInterface(f func(*App) ejobs.DataRetentionJobInterface) {
......@@ -376,9 +370,6 @@ func (a *App) initEnterprise() {
if elasticsearchInterface != nil {
a.Elasticsearch = elasticsearchInterface(a)
}
if emojiInterface != nil {
a.Emoji = emojiInterface(a)
}
if ldapInterface != nil {
a.Ldap = ldapInterface(a)
a.AddConfigListener(func(_, cfg *model.Config) {
......@@ -603,3 +594,75 @@ func (a *App) SetPhase2PermissionsMigrationStatus(isComplete bool) error {
a.phase2PermissionsMigrationComplete = isComplete
return nil
}
func (a *App) DoEmojisPermissionsMigration() {
// If the migration is already marked as completed, don't do it again.
if result := <-a.Srv.Store.System().GetByName(EMOJIS_PERMISSIONS_MIGRATION_KEY); result.Err == nil {
return
}
var role *model.Role = nil
var systemAdminRole *model.Role = nil
var err *model.AppError = nil
mlog.Info("Migrating emojis config to database.")
switch *a.Config().ServiceSettings.RestrictCustomEmojiCreation {
case model.RESTRICT_EMOJI_CREATION_ALL:
role, err = a.GetRoleByName(model.SYSTEM_USER_ROLE_ID)
if err != nil {
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical(err.Error())
return
}
break
case model.RESTRICT_EMOJI_CREATION_ADMIN:
role, err = a.GetRoleByName(model.TEAM_ADMIN_ROLE_ID)
if err != nil {
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical(err.Error())
return
}
break
case model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN:
role = nil
break
default:
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical("Invalid restrict emoji creation setting")
return
}
if role != nil {
role.Permissions = append(role.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
if result := <-a.Srv.Store.Role().Save(role); result.Err != nil {
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical(result.Err.Error())
return
}
}
systemAdminRole, err = a.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
if err != nil {
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical(err.Error())
return
}
systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_EMOJIS.Id)
systemAdminRole.Permissions = append(systemAdminRole.Permissions, model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id)
if result := <-a.Srv.Store.Role().Save(systemAdminRole); result.Err != nil {
mlog.Critical("Failed to migrate emojis creation permissions from mattermost config.")
mlog.Critical(result.Err.Error())
return
}
system := model.System{
Name: EMOJIS_PERMISSIONS_MIGRATION_KEY,
Value: "true",
}
if result := <-a.Srv.Store.System().Save(&system); result.Err != nil {
mlog.Critical("Failed to mark emojis permissions migration as completed.")
mlog.Critical(fmt.Sprint(result.Err))
}
}
......@@ -455,3 +455,138 @@ func TestDoAdvancedPermissionsMigration(t *testing.T) {
*config.ServiceSettings.PostEditTimeLimit = 300
th.App.SaveConfig(config, false)
}
func TestDoEmojisPermissionsMigration(t *testing.T) {
th := Setup()
defer th.TearDown()
if testStoreSqlSupplier == nil {
t.Skip("This test requires a TestStore to be run.")
}
// Add a license and change the policy config.
restrictCustomEmojiCreation := *th.App.Config().ServiceSettings.RestrictCustomEmojiCreation
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) {
*cfg.ServiceSettings.RestrictCustomEmojiCreation = restrictCustomEmojiCreation
})
}()
th.App.UpdateConfig(func(cfg *model.Config) {
*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_SYSTEM_ADMIN
})
th.ResetEmojisMigration()
th.App.DoEmojisPermissionsMigration()
expectedSystemAdmin := []string{
model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
model.PERMISSION_MANAGE_SYSTEM.Id,
model.PERMISSION_MANAGE_ROLES.Id,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_EDIT_OTHER_USERS.Id,
model.PERMISSION_MANAGE_OAUTH.Id,
model.PERMISSION_INVITE_USER.Id,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
model.PERMISSION_CREATE_TEAM.Id,
model.PERMISSION_ADD_USER_TO_TEAM.Id,
model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
model.PERMISSION_MANAGE_JOBS.Id,
model.PERMISSION_CREATE_POST_PUBLIC.Id,
model.PERMISSION_CREATE_POST_EPHEMERAL.Id,
model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
model.PERMISSION_LIST_TEAM_CHANNELS.Id,
model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
model.PERMISSION_VIEW_TEAM.Id,
model.PERMISSION_READ_CHANNEL.Id,
model.PERMISSION_ADD_REACTION.Id,
model.PERMISSION_REMOVE_REACTION.Id,
model.PERMISSION_UPLOAD_FILE.Id,
model.PERMISSION_GET_PUBLIC_LINK.Id,
model.PERMISSION_CREATE_POST.Id,
model.PERMISSION_USE_SLASH_COMMANDS.Id,
model.PERMISSION_EDIT_OTHERS_POSTS.Id,
model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
model.PERMISSION_MANAGE_TEAM.Id,
model.PERMISSION_IMPORT_TEAM.Id,
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_EDIT_POST.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
model.PERMISSION_MANAGE_OTHERS_EMOJIS.Id,
}
role1, err1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
assert.Nil(t, err1)
assert.Equal(t, expectedSystemAdmin, role1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
th.App.UpdateConfig(func(cfg *model.Config) {
*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ADMIN
})
th.ResetEmojisMigration()
th.App.DoEmojisPermissionsMigration()
role2, err2 := th.App.GetRoleByName(model.TEAM_ADMIN_ROLE_ID)
assert.Nil(t, err2)
expected2 := []string{
model.PERMISSION_EDIT_OTHERS_POSTS.Id,
model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
model.PERMISSION_MANAGE_TEAM.Id,
model.PERMISSION_IMPORT_TEAM.Id,
model.PERMISSION_MANAGE_TEAM_ROLES.Id,
model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
model.PERMISSION_MANAGE_WEBHOOKS.Id,
model.PERMISSION_DELETE_POST.Id,
model.PERMISSION_DELETE_OTHERS_POSTS.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
}
assert.Equal(t, expected2, role2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.TEAM_ADMIN_ROLE_ID))
systemAdmin1, systemAdminErr1 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
assert.Nil(t, systemAdminErr1)
assert.Equal(t, expectedSystemAdmin, systemAdmin1.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
th.App.UpdateConfig(func(cfg *model.Config) {
*cfg.ServiceSettings.RestrictCustomEmojiCreation = model.RESTRICT_EMOJI_CREATION_ALL
})
th.ResetEmojisMigration()
th.App.DoEmojisPermissionsMigration()
role3, err3 := th.App.GetRoleByName(model.SYSTEM_USER_ROLE_ID)
assert.Nil(t, err3)
expected3 := []string{
model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
model.PERMISSION_PERMANENT_DELETE_USER.Id,
model.PERMISSION_CREATE_TEAM.Id,
model.PERMISSION_MANAGE_EMOJIS.Id,
}
assert.Equal(t, expected3, role3.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_USER_ROLE_ID))
systemAdmin2, systemAdminErr2 := th.App.GetRoleByName(model.SYSTEM_ADMIN_ROLE_ID)
assert.Nil(t, systemAdminErr2)
assert.Equal(t, expectedSystemAdmin, systemAdmin2.Permissions, fmt.Sprintf("'%v' did not have expected permissions", model.SYSTEM_ADMIN_ROLE_ID))
}
......@@ -110,6 +110,7 @@ func setupTestHelper(enterprise bool) *TestHelper {
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = prevListenAddress })
th.App.DoAdvancedPermissionsMigration()
th.App.DoEmojisPermissionsMigration()
th.App.Srv.Store.MarkSystemRanUnitTests()
......@@ -433,6 +434,18 @@ func (me *TestHelper) ResetRoleMigration() {
}
}
func (me *TestHelper) ResetEmojisMigration() {
if _, err := testStoreSqlSupplier.GetMaster().Exec("UPDATE Roles SET Permissions=REPLACE(Permissions, ', manage_emojis', '') WHERE builtin=True"); err != nil {
panic(err)
}
testClusterInterface.sendClearRoleCacheMessage()
if _, err := testStoreSqlSupplier.GetMaster().Exec("DELETE from Systems where Name = :Name", map[string]interface{}{"Name": EMOJIS_PERMISSIONS_MIGRATION_KEY}); err != nil {
panic(err)
}
}
type FakeClusterInterface struct {
clusterMessageHandler einterfaces.ClusterMessageHandler
}
......
......@@ -43,6 +43,7 @@ func (a *App) ResetPermissionsSystem() *model.AppError {
// Now that the permissions system has been reset, re-run the migration to reinitialise it.
a.DoAdvancedPermissionsMigration()
a.DoEmojisPermissionsMigration()
return nil
}
......
......@@ -23,6 +23,7 @@ func InitDBCommandContextCobra(command *cobra.Command) (*app.App, error) {
}
a.DoAdvancedPermissionsMigration()
a.DoEmojisPermissionsMigration()
return a, nil
}
......
......@@ -92,6 +92,7 @@ func runServer(configFileLocation string, disableConfigWatch bool, usedPlatform
}
a.DoAdvancedPermissionsMigration()
a.DoEmojisPermissionsMigration()
a.InitPlugins(*a.Config().PluginSettings.Directory, *a.Config().PluginSettings.ClientDirectory, nil)
a.AddConfigListener(func(prevCfg, cfg *model.Config) {
......
// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package einterfaces
import (
"github.com/mattermost/mattermost-server/model"
)
type EmojiInterface interface {
CanUserCreateEmoji(string, []*model.TeamMember) bool
}
......@@ -1336,10 +1336,6 @@
"id": "api.emoji.delete.delete_reactions.app_error",
"translation": "Unable to delete reactions when deleting emoji with emoji name %v"
},
{
"id": "api.emoji.delete.permissions.app_error",
"translation": "Invalid permissions to delete emoji."
},
{
"id": "api.emoji.disabled.app_error",
"translation": "Custom emoji have been disabled by the system admin."
......
......@@ -111,6 +111,7 @@ func setupTestHelper(enterprise bool) *TestHelper {
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ListenAddress = prevListenAddress })
th.App.DoAdvancedPermissionsMigration()
th.App.DoEmojisPermissionsMigration()
th.App.Srv.Store.MarkSystemRanUnitTests()
......
......@@ -50,6 +50,8 @@ var PERMISSION_MANAGE_WEBHOOKS *Permission
var PERMISSION_MANAGE_OTHERS_WEBHOOKS *Permission
var PERMISSION_MANAGE_OAUTH *Permission
var PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH *Permission
var PERMISSION_MANAGE_EMOJIS *Permission
var PERMISSION_MANAGE_OTHERS_EMOJIS *Permission
var PERMISSION_CREATE_POST *Permission
var PERMISSION_CREATE_POST_PUBLIC *Permission
var PERMISSION_CREATE_POST_EPHEMERAL *Permission
......@@ -286,6 +288,18 @@ func initializePermissions() {
"authentication.permissions.manage_system_wide_oauth.description",
PERMISSION_SCOPE_SYSTEM,
}
PERMISSION_MANAGE_EMOJIS = &Permission{
"manage_emojis",
"authentication.permissions.manage_emojis.name",
"authentication.permissions.manage_emojis.description",
PERMISSION_SCOPE_TEAM,
}
PERMISSION_MANAGE_OTHERS_EMOJIS = &Permission{
"manage_others_emojis",
"authentication.permissions.manage_others_emojis.name",
"authentication.permissions.manage_others_emojis.description",
PERMISSION_SCOPE_TEAM,
}
PERMISSION_CREATE_POST = &Permission{
"create_post",
"authentication.permissions.create_post.name",
......@@ -424,6 +438,8 @@ func initializePermissions() {
PERMISSION_MANAGE_OTHERS_WEBHOOKS,
PERMISSION_MANAGE_OAUTH,
PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH,
PERMISSION_MANAGE_EMOJIS,
PERMISSION_MANAGE_OTHERS_EMOJIS,
PERMISSION_CREATE_POST,
PERMISSION_CREATE_POST_PUBLIC,
PERMISSION_CREATE_POST_EPHEMERAL,
......
......@@ -425,6 +425,10 @@ func UpgradeDatabaseToVersion410(sqlStore SqlStore) {
}
func UpgradeDatabaseToVersion50(sqlStore SqlStore) {
// This version of Mattermost includes an App-Layer migration which migrates from hard-coded emojis configured
// in `config.json` to a `Permission` in the database. The migration code can be seen
// in the file `app/app.go` in the function `DoEmojisPermissionsMigration()`.
// TODO: Uncomment following condition when version 5.0.0 is released
//if shouldPerformUpgrade(sqlStore, VERSION_4_10_0, VERSION_5_0_0) {
......
......@@ -61,6 +61,7 @@ func Setup() *TestHelper {
ApiClient = model.NewAPIv4Client(URL)
a.DoAdvancedPermissionsMigration()
a.DoEmojisPermissionsMigration()
a.Srv.Store.MarkSystemRanUnitTests()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment