605c0079eb
* skeleton lifecycle * bare minimum to satisfy mm-server import * added boards_imports.go * move boards_imports.go to correct package * bump mmserver version; remove replace in go.mod; use module workspaces; remove logger service * rename product.go --> boards.go * add FileInfoStore and Cloud services for product; create minimal pluginAPI interfaces for all packages * rename Boards -> BoardsProduct * compile success * remove hooks service; guard for nil BoardsApp * update to latest mmserver ver * upgrade mmserver to master tip * upgrade mmserver to master tip * bump plugin-api to master tip * fix users service * fix OnActivate crash; normalize AppError returns * fileBackend interface for server/app * feature flag * bump mmserver version * fix linter errors * make go.work when linting * fix go.work creation for CI * add execute flag for script * fix more linter errors * always create a go.work * fix ci go.work * OS agnostic go.work generator * fix path * fix path again * partially disable cypress test * fix case Id --> ID * bump mmserver version * include in go.work for dev * addressed review comments. Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
111 lines
3.1 KiB
Go
111 lines
3.1 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package mmpermissions
|
|
|
|
import (
|
|
"github.com/mattermost/focalboard/server/model"
|
|
"github.com/mattermost/focalboard/server/services/permissions"
|
|
|
|
mmModel "github.com/mattermost/mattermost-server/v6/model"
|
|
"github.com/mattermost/mattermost-server/v6/shared/mlog"
|
|
)
|
|
|
|
type APIInterface interface {
|
|
HasPermissionToTeam(userID string, teamID string, permission *mmModel.Permission) bool
|
|
HasPermissionToChannel(userID string, channelID string, permission *mmModel.Permission) bool
|
|
}
|
|
|
|
type Service struct {
|
|
store permissions.Store
|
|
api APIInterface
|
|
logger mlog.LoggerIFace
|
|
}
|
|
|
|
func New(store permissions.Store, api APIInterface, logger mlog.LoggerIFace) *Service {
|
|
return &Service{
|
|
store: store,
|
|
api: api,
|
|
}
|
|
}
|
|
|
|
func (s *Service) HasPermissionToTeam(userID, teamID string, permission *mmModel.Permission) bool {
|
|
if userID == "" || teamID == "" || permission == nil {
|
|
return false
|
|
}
|
|
return s.api.HasPermissionToTeam(userID, teamID, permission)
|
|
}
|
|
|
|
func (s *Service) HasPermissionToChannel(userID, channelID string, permission *mmModel.Permission) bool {
|
|
if userID == "" || channelID == "" || permission == nil {
|
|
return false
|
|
}
|
|
return s.api.HasPermissionToChannel(userID, channelID, permission)
|
|
}
|
|
|
|
func (s *Service) HasPermissionToBoard(userID, boardID string, permission *mmModel.Permission) bool {
|
|
if userID == "" || boardID == "" || permission == nil {
|
|
return false
|
|
}
|
|
|
|
board, err := s.store.GetBoard(boardID)
|
|
if model.IsErrNotFound(err) {
|
|
var boards []*model.Board
|
|
boards, err = s.store.GetBoardHistory(boardID, model.QueryBoardHistoryOptions{Limit: 1, Descending: true})
|
|
if err != nil {
|
|
return false
|
|
}
|
|
if len(boards) == 0 {
|
|
return false
|
|
}
|
|
board = boards[0]
|
|
} else if err != nil {
|
|
s.logger.Error("error getting board",
|
|
mlog.String("boardID", boardID),
|
|
mlog.String("userID", userID),
|
|
mlog.Err(err),
|
|
)
|
|
return false
|
|
}
|
|
|
|
// we need to check that the user has permission to see the team
|
|
// regardless of its local permissions to the board
|
|
if !s.HasPermissionToTeam(userID, board.TeamID, model.PermissionViewTeam) {
|
|
return false
|
|
}
|
|
|
|
member, err := s.store.GetMemberForBoard(boardID, userID)
|
|
if model.IsErrNotFound(err) {
|
|
return false
|
|
}
|
|
if err != nil {
|
|
s.logger.Error("error getting member for board",
|
|
mlog.String("boardID", boardID),
|
|
mlog.String("userID", userID),
|
|
mlog.Err(err),
|
|
)
|
|
return false
|
|
}
|
|
|
|
switch member.MinimumRole {
|
|
case "admin":
|
|
member.SchemeAdmin = true
|
|
case "editor":
|
|
member.SchemeEditor = true
|
|
case "commenter":
|
|
member.SchemeCommenter = true
|
|
case "viewer":
|
|
member.SchemeViewer = true
|
|
}
|
|
|
|
switch permission {
|
|
case model.PermissionManageBoardType, model.PermissionDeleteBoard, model.PermissionManageBoardRoles, model.PermissionShareBoard:
|
|
return member.SchemeAdmin
|
|
case model.PermissionManageBoardCards, model.PermissionManageBoardProperties:
|
|
return member.SchemeAdmin || member.SchemeEditor
|
|
case model.PermissionViewBoard:
|
|
return member.SchemeAdmin || member.SchemeEditor || member.SchemeCommenter || member.SchemeViewer
|
|
default:
|
|
return false
|
|
}
|
|
}
|