2020-08-10 00:29:54 +02:00
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.
package model
import (
"encoding/json"
"io"
"strings"
)
2020-10-19 23:40:00 +02:00
// SysconsoleAncillaryPermissions maps the non-sysconsole permissions required by each sysconsole view.
var SysconsoleAncillaryPermissions map [ string ] [ ] * Permission
var SystemManagerDefaultPermissions [ ] string
var SystemUserManagerDefaultPermissions [ ] string
var SystemReadOnlyAdminDefaultPermissions [ ] string
2020-08-10 00:29:54 +02:00
var BuiltInSchemeManagedRoleIDs [ ] string
2020-10-19 23:40:00 +02:00
var NewSystemRoleIDs [ ] string
2020-08-10 00:29:54 +02:00
func init ( ) {
2020-10-19 23:40:00 +02:00
NewSystemRoleIDs = [ ] string {
SYSTEM_USER_MANAGER_ROLE_ID ,
SYSTEM_READ_ONLY_ADMIN_ROLE_ID ,
SYSTEM_MANAGER_ROLE_ID ,
}
BuiltInSchemeManagedRoleIDs = append ( [ ] string {
2020-08-10 00:29:54 +02:00
SYSTEM_GUEST_ROLE_ID ,
SYSTEM_USER_ROLE_ID ,
SYSTEM_ADMIN_ROLE_ID ,
SYSTEM_POST_ALL_ROLE_ID ,
SYSTEM_POST_ALL_PUBLIC_ROLE_ID ,
SYSTEM_USER_ACCESS_TOKEN_ROLE_ID ,
TEAM_GUEST_ROLE_ID ,
TEAM_USER_ROLE_ID ,
TEAM_ADMIN_ROLE_ID ,
TEAM_POST_ALL_ROLE_ID ,
TEAM_POST_ALL_PUBLIC_ROLE_ID ,
CHANNEL_GUEST_ROLE_ID ,
CHANNEL_USER_ROLE_ID ,
CHANNEL_ADMIN_ROLE_ID ,
2020-10-19 23:40:00 +02:00
} , NewSystemRoleIDs ... )
// When updating the values here, the values in mattermost-redux must also be updated.
SysconsoleAncillaryPermissions = map [ string ] [ ] * Permission {
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS . Id : {
PERMISSION_READ_PUBLIC_CHANNEL ,
PERMISSION_READ_CHANNEL ,
PERMISSION_READ_PUBLIC_CHANNEL_GROUPS ,
PERMISSION_READ_PRIVATE_CHANNEL_GROUPS ,
} ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_USERS . Id : {
PERMISSION_READ_OTHER_USERS_TEAMS ,
} ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS . Id : {
PERMISSION_LIST_PRIVATE_TEAMS ,
PERMISSION_LIST_PUBLIC_TEAMS ,
PERMISSION_VIEW_TEAM ,
} ,
PERMISSION_SYSCONSOLE_READ_ENVIRONMENT . Id : {
PERMISSION_READ_JOBS ,
} ,
PERMISSION_SYSCONSOLE_READ_AUTHENTICATION . Id : {
PERMISSION_READ_JOBS ,
} ,
PERMISSION_SYSCONSOLE_READ_REPORTING . Id : {
PERMISSION_VIEW_TEAM ,
} ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_USERS . Id : {
PERMISSION_EDIT_OTHER_USERS ,
PERMISSION_DEMOTE_TO_GUEST ,
PERMISSION_PROMOTE_GUEST ,
} ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS . Id : {
PERMISSION_MANAGE_TEAM ,
PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES ,
PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES ,
PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS ,
PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS ,
PERMISSION_DELETE_PRIVATE_CHANNEL ,
PERMISSION_DELETE_PUBLIC_CHANNEL ,
PERMISSION_MANAGE_CHANNEL_ROLES ,
PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE ,
PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC ,
} ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS . Id : {
PERMISSION_MANAGE_TEAM ,
PERMISSION_MANAGE_TEAM_ROLES ,
PERMISSION_REMOVE_USER_FROM_TEAM ,
PERMISSION_JOIN_PRIVATE_TEAMS ,
PERMISSION_JOIN_PUBLIC_TEAMS ,
PERMISSION_ADD_USER_TO_TEAM ,
} ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS . Id : {
PERMISSION_MANAGE_TEAM ,
PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS ,
PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS ,
PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE ,
PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC ,
} ,
PERMISSION_SYSCONSOLE_WRITE_ENVIRONMENT . Id : {
PERMISSION_MANAGE_JOBS ,
} ,
PERMISSION_SYSCONSOLE_WRITE_SITE . Id : {
PERMISSION_EDIT_BRAND ,
} ,
2020-08-10 00:29:54 +02:00
}
2020-10-19 23:40:00 +02:00
SystemUserManagerDefaultPermissions = [ ] string {
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS . Id ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS . Id ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS . Id ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS . Id ,
PERMISSION_SYSCONSOLE_READ_AUTHENTICATION . Id ,
}
SystemReadOnlyAdminDefaultPermissions = [ ] string {
PERMISSION_SYSCONSOLE_READ_ABOUT . Id ,
PERMISSION_SYSCONSOLE_READ_REPORTING . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_USERS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS . Id ,
PERMISSION_SYSCONSOLE_READ_ENVIRONMENT . Id ,
PERMISSION_SYSCONSOLE_READ_SITE . Id ,
PERMISSION_SYSCONSOLE_READ_AUTHENTICATION . Id ,
PERMISSION_SYSCONSOLE_READ_PLUGINS . Id ,
2020-12-31 14:48:12 +01:00
PERMISSION_SYSCONSOLE_READ_COMPLIANCE . Id ,
2020-10-19 23:40:00 +02:00
PERMISSION_SYSCONSOLE_READ_INTEGRATIONS . Id ,
PERMISSION_SYSCONSOLE_READ_EXPERIMENTAL . Id ,
}
SystemManagerDefaultPermissions = [ ] string {
PERMISSION_SYSCONSOLE_READ_ABOUT . Id ,
PERMISSION_SYSCONSOLE_READ_REPORTING . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_GROUPS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_TEAMS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_CHANNELS . Id ,
PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_PERMISSIONS . Id ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_GROUPS . Id ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_TEAMS . Id ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_CHANNELS . Id ,
PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS . Id ,
PERMISSION_SYSCONSOLE_READ_ENVIRONMENT . Id ,
PERMISSION_SYSCONSOLE_WRITE_ENVIRONMENT . Id ,
PERMISSION_SYSCONSOLE_READ_SITE . Id ,
PERMISSION_SYSCONSOLE_WRITE_SITE . Id ,
PERMISSION_SYSCONSOLE_READ_AUTHENTICATION . Id ,
PERMISSION_SYSCONSOLE_READ_PLUGINS . Id ,
PERMISSION_SYSCONSOLE_READ_INTEGRATIONS . Id ,
PERMISSION_SYSCONSOLE_WRITE_INTEGRATIONS . Id ,
}
// Add the ancillary permissions to each system role
SystemUserManagerDefaultPermissions = addAncillaryPermissions ( SystemUserManagerDefaultPermissions )
SystemReadOnlyAdminDefaultPermissions = addAncillaryPermissions ( SystemReadOnlyAdminDefaultPermissions )
SystemManagerDefaultPermissions = addAncillaryPermissions ( SystemManagerDefaultPermissions )
2020-08-10 00:29:54 +02:00
}
type RoleType string
type RoleScope string
const (
SYSTEM_GUEST_ROLE_ID = "system_guest"
SYSTEM_USER_ROLE_ID = "system_user"
SYSTEM_ADMIN_ROLE_ID = "system_admin"
SYSTEM_POST_ALL_ROLE_ID = "system_post_all"
SYSTEM_POST_ALL_PUBLIC_ROLE_ID = "system_post_all_public"
SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"
2020-10-19 23:40:00 +02:00
SYSTEM_USER_MANAGER_ROLE_ID = "system_user_manager"
SYSTEM_READ_ONLY_ADMIN_ROLE_ID = "system_read_only_admin"
SYSTEM_MANAGER_ROLE_ID = "system_manager"
2020-08-10 00:29:54 +02:00
TEAM_GUEST_ROLE_ID = "team_guest"
TEAM_USER_ROLE_ID = "team_user"
TEAM_ADMIN_ROLE_ID = "team_admin"
TEAM_POST_ALL_ROLE_ID = "team_post_all"
TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public"
CHANNEL_GUEST_ROLE_ID = "channel_guest"
CHANNEL_USER_ROLE_ID = "channel_user"
CHANNEL_ADMIN_ROLE_ID = "channel_admin"
ROLE_NAME_MAX_LENGTH = 64
ROLE_DISPLAY_NAME_MAX_LENGTH = 128
ROLE_DESCRIPTION_MAX_LENGTH = 1024
RoleScopeSystem RoleScope = "System"
RoleScopeTeam RoleScope = "Team"
RoleScopeChannel RoleScope = "Channel"
RoleTypeGuest RoleType = "Guest"
RoleTypeUser RoleType = "User"
RoleTypeAdmin RoleType = "Admin"
)
type Role struct {
Id string ` json:"id" `
Name string ` json:"name" `
DisplayName string ` json:"display_name" `
Description string ` json:"description" `
CreateAt int64 ` json:"create_at" `
UpdateAt int64 ` json:"update_at" `
DeleteAt int64 ` json:"delete_at" `
Permissions [ ] string ` json:"permissions" `
SchemeManaged bool ` json:"scheme_managed" `
BuiltIn bool ` json:"built_in" `
}
type RolePatch struct {
Permissions * [ ] string ` json:"permissions" `
}
type RolePermissions struct {
RoleID string
Permissions [ ] string
}
func ( r * Role ) ToJson ( ) string {
b , _ := json . Marshal ( r )
return string ( b )
}
func RoleFromJson ( data io . Reader ) * Role {
var r * Role
json . NewDecoder ( data ) . Decode ( & r )
return r
}
func RoleListToJson ( r [ ] * Role ) string {
b , _ := json . Marshal ( r )
return string ( b )
}
func RoleListFromJson ( data io . Reader ) [ ] * Role {
var roles [ ] * Role
json . NewDecoder ( data ) . Decode ( & roles )
return roles
}
func ( r * RolePatch ) ToJson ( ) string {
b , _ := json . Marshal ( r )
return string ( b )
}
func RolePatchFromJson ( data io . Reader ) * RolePatch {
var rolePatch * RolePatch
json . NewDecoder ( data ) . Decode ( & rolePatch )
return rolePatch
}
func ( r * Role ) Patch ( patch * RolePatch ) {
if patch . Permissions != nil {
r . Permissions = * patch . Permissions
}
}
// MergeChannelHigherScopedPermissions is meant to be invoked on a channel scheme's role and merges the higher-scoped
// channel role's permissions.
func ( r * Role ) MergeChannelHigherScopedPermissions ( higherScopedPermissions * RolePermissions ) {
mergedPermissions := [ ] string { }
higherScopedPermissionsMap := AsStringBoolMap ( higherScopedPermissions . Permissions )
rolePermissionsMap := AsStringBoolMap ( r . Permissions )
2020-10-19 23:40:00 +02:00
for _ , cp := range AllPermissions {
if cp . Scope != PermissionScopeChannel {
2020-08-10 00:29:54 +02:00
continue
}
_ , presentOnHigherScope := higherScopedPermissionsMap [ cp . Id ]
// For the channel admin role always look to the higher scope to determine if the role has ther permission.
// The channel admin is a special case because they're not part of the UI to be "channel moderated", only
// channel members and channel guests are.
if higherScopedPermissions . RoleID == CHANNEL_ADMIN_ROLE_ID && presentOnHigherScope {
mergedPermissions = append ( mergedPermissions , cp . Id )
continue
}
2020-10-19 23:40:00 +02:00
_ , permissionIsModerated := ChannelModeratedPermissionsMap [ cp . Id ]
2020-08-10 00:29:54 +02:00
if permissionIsModerated {
_ , presentOnRole := rolePermissionsMap [ cp . Id ]
if presentOnRole && presentOnHigherScope {
mergedPermissions = append ( mergedPermissions , cp . Id )
}
} else {
if presentOnHigherScope {
mergedPermissions = append ( mergedPermissions , cp . Id )
}
}
}
r . Permissions = mergedPermissions
}
// Returns an array of permissions that are in either role.Permissions
// or patch.Permissions, but not both.
func PermissionsChangedByPatch ( role * Role , patch * RolePatch ) [ ] string {
var result [ ] string
if patch . Permissions == nil {
return result
}
roleMap := make ( map [ string ] bool )
patchMap := make ( map [ string ] bool )
for _ , permission := range role . Permissions {
roleMap [ permission ] = true
}
for _ , permission := range * patch . Permissions {
patchMap [ permission ] = true
}
for _ , permission := range role . Permissions {
if ! patchMap [ permission ] {
result = append ( result , permission )
}
}
for _ , permission := range * patch . Permissions {
if ! roleMap [ permission ] {
result = append ( result , permission )
}
}
return result
}
func ChannelModeratedPermissionsChangedByPatch ( role * Role , patch * RolePatch ) [ ] string {
var result [ ] string
if role == nil {
return result
}
if patch . Permissions == nil {
return result
}
roleMap := make ( map [ string ] bool )
patchMap := make ( map [ string ] bool )
for _ , permission := range role . Permissions {
2020-10-19 23:40:00 +02:00
if channelModeratedPermissionName , found := ChannelModeratedPermissionsMap [ permission ] ; found {
2020-08-10 00:29:54 +02:00
roleMap [ channelModeratedPermissionName ] = true
}
}
for _ , permission := range * patch . Permissions {
2020-10-19 23:40:00 +02:00
if channelModeratedPermissionName , found := ChannelModeratedPermissionsMap [ permission ] ; found {
2020-08-10 00:29:54 +02:00
patchMap [ channelModeratedPermissionName ] = true
}
}
for permissionKey := range roleMap {
if ! patchMap [ permissionKey ] {
result = append ( result , permissionKey )
}
}
for permissionKey := range patchMap {
if ! roleMap [ permissionKey ] {
result = append ( result , permissionKey )
}
}
return result
}
// GetChannelModeratedPermissions returns a map of channel moderated permissions that the role has access to
func ( r * Role ) GetChannelModeratedPermissions ( channelType string ) map [ string ] bool {
moderatedPermissions := make ( map [ string ] bool )
for _ , permission := range r . Permissions {
2020-10-19 23:40:00 +02:00
if _ , found := ChannelModeratedPermissionsMap [ permission ] ; ! found {
2020-08-10 00:29:54 +02:00
continue
}
2020-10-19 23:40:00 +02:00
for moderated , moderatedPermissionValue := range ChannelModeratedPermissionsMap {
2020-08-10 00:29:54 +02:00
// the moderated permission has already been found to be true so skip this iteration
if moderatedPermissions [ moderatedPermissionValue ] {
continue
}
if moderated == permission {
// Special case where the channel moderated permission for `manage_members` is different depending on whether the channel is private or public
if moderated == PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS . Id || moderated == PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS . Id {
canManagePublic := channelType == CHANNEL_OPEN && moderated == PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS . Id
canManagePrivate := channelType == CHANNEL_PRIVATE && moderated == PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS . Id
moderatedPermissions [ moderatedPermissionValue ] = canManagePublic || canManagePrivate
} else {
moderatedPermissions [ moderatedPermissionValue ] = true
}
}
}
}
return moderatedPermissions
}
// RolePatchFromChannelModerationsPatch Creates and returns a RolePatch based on a slice of ChannelModerationPatchs, roleName is expected to be either "members" or "guests".
func ( r * Role ) RolePatchFromChannelModerationsPatch ( channelModerationsPatch [ ] * ChannelModerationPatch , roleName string ) * RolePatch {
permissionsToAddToPatch := make ( map [ string ] bool )
// Iterate through the list of existing permissions on the role and append permissions that we want to keep.
for _ , permission := range r . Permissions {
// Permission is not moderated so dont add it to the patch and skip the channelModerationsPatch
2020-10-19 23:40:00 +02:00
if _ , isModerated := ChannelModeratedPermissionsMap [ permission ] ; ! isModerated {
2020-08-10 00:29:54 +02:00
continue
}
permissionEnabled := true
// Check if permission has a matching moderated permission name inside the channel moderation patch
for _ , channelModerationPatch := range channelModerationsPatch {
2020-10-19 23:40:00 +02:00
if * channelModerationPatch . Name == ChannelModeratedPermissionsMap [ permission ] {
2020-08-10 00:29:54 +02:00
// Permission key exists in patch with a value of false so skip over it
if roleName == "members" {
if channelModerationPatch . Roles . Members != nil && ! * channelModerationPatch . Roles . Members {
permissionEnabled = false
}
} else if roleName == "guests" {
if channelModerationPatch . Roles . Guests != nil && ! * channelModerationPatch . Roles . Guests {
permissionEnabled = false
}
}
}
}
if permissionEnabled {
permissionsToAddToPatch [ permission ] = true
}
}
// Iterate through the patch and add any permissions that dont already exist on the role
for _ , channelModerationPatch := range channelModerationsPatch {
2020-10-19 23:40:00 +02:00
for permission , moderatedPermissionName := range ChannelModeratedPermissionsMap {
2020-08-10 00:29:54 +02:00
if roleName == "members" && channelModerationPatch . Roles . Members != nil && * channelModerationPatch . Roles . Members && * channelModerationPatch . Name == moderatedPermissionName {
permissionsToAddToPatch [ permission ] = true
}
if roleName == "guests" && channelModerationPatch . Roles . Guests != nil && * channelModerationPatch . Roles . Guests && * channelModerationPatch . Name == moderatedPermissionName {
permissionsToAddToPatch [ permission ] = true
}
}
}
patchPermissions := make ( [ ] string , 0 , len ( permissionsToAddToPatch ) )
for permission := range permissionsToAddToPatch {
patchPermissions = append ( patchPermissions , permission )
}
return & RolePatch { Permissions : & patchPermissions }
}
func ( r * Role ) IsValid ( ) bool {
if ! IsValidId ( r . Id ) {
return false
}
return r . IsValidWithoutId ( )
}
func ( r * Role ) IsValidWithoutId ( ) bool {
if ! IsValidRoleName ( r . Name ) {
return false
}
if len ( r . DisplayName ) == 0 || len ( r . DisplayName ) > ROLE_DISPLAY_NAME_MAX_LENGTH {
return false
}
if len ( r . Description ) > ROLE_DESCRIPTION_MAX_LENGTH {
return false
}
2020-12-31 14:48:12 +01:00
check := func ( perms [ ] * Permission , permission string ) bool {
for _ , p := range perms {
2020-08-10 00:29:54 +02:00
if permission == p . Id {
2020-12-31 14:48:12 +01:00
return true
2020-08-10 00:29:54 +02:00
}
}
2020-12-31 14:48:12 +01:00
return false
}
for _ , permission := range r . Permissions {
permissionValidated := check ( AllPermissions , permission ) || check ( DeprecatedPermissions , permission )
2020-08-10 00:29:54 +02:00
if ! permissionValidated {
return false
}
}
return true
}
2020-10-19 23:40:00 +02:00
func CleanRoleNames ( roleNames [ ] string ) ( [ ] string , bool ) {
var cleanedRoleNames [ ] string
for _ , roleName := range roleNames {
if strings . TrimSpace ( roleName ) == "" {
continue
}
if ! IsValidRoleName ( roleName ) {
return roleNames , false
}
cleanedRoleNames = append ( cleanedRoleNames , roleName )
}
return cleanedRoleNames , true
}
2020-08-10 00:29:54 +02:00
func IsValidRoleName ( roleName string ) bool {
if len ( roleName ) <= 0 || len ( roleName ) > ROLE_NAME_MAX_LENGTH {
return false
}
if strings . TrimLeft ( roleName , "abcdefghijklmnopqrstuvwxyz0123456789_" ) != "" {
return false
}
return true
}
func MakeDefaultRoles ( ) map [ string ] * Role {
roles := make ( map [ string ] * Role )
roles [ CHANNEL_GUEST_ROLE_ID ] = & Role {
Name : "channel_guest" ,
DisplayName : "authentication.roles.channel_guest.name" ,
Description : "authentication.roles.channel_guest.description" ,
Permissions : [ ] string {
PERMISSION_READ_CHANNEL . Id ,
PERMISSION_ADD_REACTION . Id ,
PERMISSION_REMOVE_REACTION . Id ,
PERMISSION_UPLOAD_FILE . Id ,
PERMISSION_EDIT_POST . Id ,
PERMISSION_CREATE_POST . Id ,
PERMISSION_USE_CHANNEL_MENTIONS . Id ,
PERMISSION_USE_SLASH_COMMANDS . Id ,
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ CHANNEL_USER_ROLE_ID ] = & Role {
Name : "channel_user" ,
DisplayName : "authentication.roles.channel_user.name" ,
Description : "authentication.roles.channel_user.description" ,
Permissions : [ ] string {
PERMISSION_READ_CHANNEL . Id ,
PERMISSION_ADD_REACTION . Id ,
PERMISSION_REMOVE_REACTION . Id ,
PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS . Id ,
PERMISSION_UPLOAD_FILE . Id ,
PERMISSION_GET_PUBLIC_LINK . Id ,
PERMISSION_CREATE_POST . Id ,
PERMISSION_USE_CHANNEL_MENTIONS . Id ,
PERMISSION_USE_SLASH_COMMANDS . Id ,
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ CHANNEL_ADMIN_ROLE_ID ] = & Role {
Name : "channel_admin" ,
DisplayName : "authentication.roles.channel_admin.name" ,
Description : "authentication.roles.channel_admin.description" ,
Permissions : [ ] string {
PERMISSION_MANAGE_CHANNEL_ROLES . Id ,
PERMISSION_USE_GROUP_MENTIONS . Id ,
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ TEAM_GUEST_ROLE_ID ] = & Role {
Name : "team_guest" ,
DisplayName : "authentication.roles.team_guest.name" ,
Description : "authentication.roles.team_guest.description" ,
Permissions : [ ] string {
PERMISSION_VIEW_TEAM . Id ,
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ TEAM_USER_ROLE_ID ] = & Role {
Name : "team_user" ,
DisplayName : "authentication.roles.team_user.name" ,
Description : "authentication.roles.team_user.description" ,
Permissions : [ ] string {
PERMISSION_LIST_TEAM_CHANNELS . Id ,
PERMISSION_JOIN_PUBLIC_CHANNELS . Id ,
PERMISSION_READ_PUBLIC_CHANNEL . Id ,
PERMISSION_VIEW_TEAM . Id ,
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ TEAM_POST_ALL_ROLE_ID ] = & Role {
Name : "team_post_all" ,
DisplayName : "authentication.roles.team_post_all.name" ,
Description : "authentication.roles.team_post_all.description" ,
Permissions : [ ] string {
PERMISSION_CREATE_POST . Id ,
PERMISSION_USE_CHANNEL_MENTIONS . Id ,
} ,
SchemeManaged : false ,
BuiltIn : true ,
}
roles [ TEAM_POST_ALL_PUBLIC_ROLE_ID ] = & Role {
Name : "team_post_all_public" ,
DisplayName : "authentication.roles.team_post_all_public.name" ,
Description : "authentication.roles.team_post_all_public.description" ,
Permissions : [ ] string {
PERMISSION_CREATE_POST_PUBLIC . Id ,
PERMISSION_USE_CHANNEL_MENTIONS . Id ,
} ,
SchemeManaged : false ,
BuiltIn : true ,
}
roles [ TEAM_ADMIN_ROLE_ID ] = & Role {
Name : "team_admin" ,
DisplayName : "authentication.roles.team_admin.name" ,
Description : "authentication.roles.team_admin.description" ,
Permissions : [ ] string {
PERMISSION_REMOVE_USER_FROM_TEAM . Id ,
PERMISSION_MANAGE_TEAM . Id ,
PERMISSION_IMPORT_TEAM . Id ,
PERMISSION_MANAGE_TEAM_ROLES . Id ,
PERMISSION_MANAGE_CHANNEL_ROLES . Id ,
PERMISSION_MANAGE_OTHERS_INCOMING_WEBHOOKS . Id ,
PERMISSION_MANAGE_OTHERS_OUTGOING_WEBHOOKS . Id ,
PERMISSION_MANAGE_SLASH_COMMANDS . Id ,
PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS . Id ,
PERMISSION_MANAGE_INCOMING_WEBHOOKS . Id ,
PERMISSION_MANAGE_OUTGOING_WEBHOOKS . Id ,
2020-10-19 23:40:00 +02:00
PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE . Id ,
PERMISSION_CONVERT_PRIVATE_CHANNEL_TO_PUBLIC . Id ,
2020-08-10 00:29:54 +02:00
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ SYSTEM_GUEST_ROLE_ID ] = & Role {
Name : "system_guest" ,
DisplayName : "authentication.roles.global_guest.name" ,
Description : "authentication.roles.global_guest.description" ,
Permissions : [ ] string {
PERMISSION_CREATE_DIRECT_CHANNEL . Id ,
PERMISSION_CREATE_GROUP_CHANNEL . Id ,
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ SYSTEM_USER_ROLE_ID ] = & Role {
Name : "system_user" ,
DisplayName : "authentication.roles.global_user.name" ,
Description : "authentication.roles.global_user.description" ,
Permissions : [ ] string {
PERMISSION_LIST_PUBLIC_TEAMS . Id ,
PERMISSION_JOIN_PUBLIC_TEAMS . Id ,
PERMISSION_CREATE_DIRECT_CHANNEL . Id ,
PERMISSION_CREATE_GROUP_CHANNEL . Id ,
PERMISSION_VIEW_MEMBERS . Id ,
} ,
SchemeManaged : true ,
BuiltIn : true ,
}
roles [ SYSTEM_POST_ALL_ROLE_ID ] = & Role {
Name : "system_post_all" ,
DisplayName : "authentication.roles.system_post_all.name" ,
Description : "authentication.roles.system_post_all.description" ,
Permissions : [ ] string {
PERMISSION_CREATE_POST . Id ,
PERMISSION_USE_CHANNEL_MENTIONS . Id ,
} ,
SchemeManaged : false ,
BuiltIn : true ,
}
roles [ SYSTEM_POST_ALL_PUBLIC_ROLE_ID ] = & Role {
Name : "system_post_all_public" ,
DisplayName : "authentication.roles.system_post_all_public.name" ,
Description : "authentication.roles.system_post_all_public.description" ,
Permissions : [ ] string {
PERMISSION_CREATE_POST_PUBLIC . Id ,
PERMISSION_USE_CHANNEL_MENTIONS . Id ,
} ,
SchemeManaged : false ,
BuiltIn : true ,
}
roles [ SYSTEM_USER_ACCESS_TOKEN_ROLE_ID ] = & Role {
Name : "system_user_access_token" ,
DisplayName : "authentication.roles.system_user_access_token.name" ,
Description : "authentication.roles.system_user_access_token.description" ,
Permissions : [ ] string {
PERMISSION_CREATE_USER_ACCESS_TOKEN . Id ,
PERMISSION_READ_USER_ACCESS_TOKEN . Id ,
PERMISSION_REVOKE_USER_ACCESS_TOKEN . Id ,
} ,
SchemeManaged : false ,
BuiltIn : true ,
}
2020-10-19 23:40:00 +02:00
roles [ SYSTEM_USER_MANAGER_ROLE_ID ] = & Role {
Name : "system_user_manager" ,
DisplayName : "authentication.roles.system_user_manager.name" ,
Description : "authentication.roles.system_user_manager.description" ,
Permissions : SystemUserManagerDefaultPermissions ,
SchemeManaged : false ,
BuiltIn : true ,
}
roles [ SYSTEM_READ_ONLY_ADMIN_ROLE_ID ] = & Role {
Name : "system_read_only_admin" ,
DisplayName : "authentication.roles.system_read_only_admin.name" ,
Description : "authentication.roles.system_read_only_admin.description" ,
Permissions : SystemReadOnlyAdminDefaultPermissions ,
SchemeManaged : false ,
BuiltIn : true ,
}
roles [ SYSTEM_MANAGER_ROLE_ID ] = & Role {
Name : "system_manager" ,
DisplayName : "authentication.roles.system_manager.name" ,
Description : "authentication.roles.system_manager.description" ,
Permissions : SystemManagerDefaultPermissions ,
SchemeManaged : false ,
BuiltIn : true ,
}
allPermissionIDs := [ ] string { }
for _ , permission := range AllPermissions {
allPermissionIDs = append ( allPermissionIDs , permission . Id )
}
2020-08-10 00:29:54 +02:00
roles [ SYSTEM_ADMIN_ROLE_ID ] = & Role {
Name : "system_admin" ,
DisplayName : "authentication.roles.global_admin.name" ,
Description : "authentication.roles.global_admin.description" ,
// System admins can do anything channel and team admins can do
// plus everything members of teams and channels can do to all teams
// and channels on the system
2020-10-19 23:40:00 +02:00
Permissions : allPermissionIDs ,
2020-08-10 00:29:54 +02:00
SchemeManaged : true ,
BuiltIn : true ,
}
return roles
}
2020-10-19 23:40:00 +02:00
func addAncillaryPermissions ( permissions [ ] string ) [ ] string {
for _ , permission := range permissions {
if ancillaryPermissions , ok := SysconsoleAncillaryPermissions [ permission ] ; ok {
for _ , ancillaryPermission := range ancillaryPermissions {
permissions = append ( permissions , ancillaryPermission . Id )
}
}
}
return permissions
}