diff --git a/changelog.d/3-bug-fixes/WPB-5695 b/changelog.d/3-bug-fixes/WPB-5695 new file mode 100644 index 00000000000..efd7fdb31b2 --- /dev/null +++ b/changelog.d/3-bug-fixes/WPB-5695 @@ -0,0 +1 @@ +Enforce external partner permissions on the backend diff --git a/integration/integration.cabal b/integration/integration.cabal index 6bf252ef0d2..2d1b495b60d 100644 --- a/integration/integration.cabal +++ b/integration/integration.cabal @@ -110,6 +110,7 @@ library Test.Conversation Test.Demo Test.Errors + Test.ExternalPartner Test.Federation Test.Federator Test.MessageTimer diff --git a/integration/test/API/Galley.hs b/integration/test/API/Galley.hs index 4a5822115ed..0e8fc98db40 100644 --- a/integration/test/API/Galley.hs +++ b/integration/test/API/Galley.hs @@ -416,6 +416,7 @@ getConversationCode user conv mbZHost = do & maybe id zHost mbZHost ) +-- https://staging-nginz-https.zinfra.io/v5/api/swagger-ui/#/default/put_conversations__cnv_domain___cnv__name changeConversationName :: (HasCallStack, MakesValue user, MakesValue conv, MakesValue name) => user -> diff --git a/integration/test/SetupHelpers.hs b/integration/test/SetupHelpers.hs index e7d8c749f0b..8c72d3f0524 100644 --- a/integration/test/SetupHelpers.hs +++ b/integration/test/SetupHelpers.hs @@ -26,7 +26,7 @@ deleteUser :: (HasCallStack, MakesValue user) => user -> App () deleteUser user = bindResponse (API.Brig.deleteUser user) $ \resp -> do resp.status `shouldMatchInt` 200 --- | returns (user, team id) +-- | returns (owner, team id, members) createTeam :: (HasCallStack, MakesValue domain) => domain -> Int -> App (Value, String, [Value]) createTeam domain memberCount = do res <- createUser domain def {team = True} diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs new file mode 100644 index 00000000000..a35522140b2 --- /dev/null +++ b/integration/test/Test/ExternalPartner.hs 
@@ -0,0 +1,82 @@
+{-# OPTIONS_GHC -Wno-ambiguous-fields #-}
+
+-- This file is part of the Wire Server implementation.
+--
+-- Copyright (C) 2023 Wire Swiss GmbH
+--
+-- This program is free software: you can redistribute it and/or modify it under
+-- the terms of the GNU Affero General Public License as published by the Free
+-- Software Foundation, either version 3 of the License, or (at your option) any
+-- later version.
+--
+-- This program is distributed in the hope that it will be useful, but WITHOUT
+-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+-- details.
+--
+-- You should have received a copy of the GNU Affero General Public License along
+-- with this program. If not, see .
+
+module Test.ExternalPartner where
+
+import API.Galley
+import GHC.Stack
+import MLS.Util
+import SetupHelpers
+import Testlib.Prelude
+
+testExternalPartnerPermissions :: HasCallStack => App ()
+testExternalPartnerPermissions = do
+ (owner, tid, u1 : u2 : u3 : _) <- createTeam OwnDomain 4
+
+ partner <- createTeamMemberWithRole owner tid "partner"
+
+ -- a partner should not be able to create conversation with 2 additional users or more
+ void $ postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1, u2]}) >>= getJSON 403
+
+ do
+ -- a partner can create a one to one conversation with a user from the same team
+ conv <- postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201
+
+ -- they should not be able to add another team member to the one to one conversation
+ bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do
+ resp.status `shouldMatchInt` 403
+
+ -- the other member in the conversation gets deleted
+ deleteUser u1
+
+ -- now they still should not be able to add another member
+ bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do
+ resp.status `shouldMatchInt` 403
+
+ do
+ -- also an external partner cannot add someone to a conversation, even if it is empty
+ conv <- postConversation partner (defProteus {team = Just tid}) >>= getJSON 201
+ bindResponse (addMembers partner conv def {users = [u3]}) $ \resp -> do
+ resp.status `shouldMatchInt` 403
+
+testExternalPartnerPermissionsMls :: HasCallStack => App ()
+testExternalPartnerPermissionsMls = do
+ -- external partners should not be able to create (MLS) conversations
+ (owner, tid, _) <- createTeam OwnDomain 2
+ bobExt <- createTeamMemberWithRole owner tid "partner"
+ bobExtClient <- createMLSClient def bobExt
+ bindResponse (postConversation bobExtClient defMLS) $ \resp -> do
+ resp.status `shouldMatchInt` 403
+
+testExternalPartnerPermissionMlsOne2One :: HasCallStack => App ()
+testExternalPartnerPermissionMlsOne2One = do
+ (owner, tid, alice : _) <- createTeam OwnDomain 2
+ bobExternal <- createTeamMemberWithRole owner tid "partner"
+ void $ getMLSOne2OneConversation alice bobExternal >>= getJSON 200
+
+testExternalPartnerPermissionsConvName :: HasCallStack => App ()
+testExternalPartnerPermissionsConvName = do
+ (owner, tid, u1 : _) <- createTeam OwnDomain 2
+
+ partner <- createTeamMemberWithRole owner tid "partner"
+
+ conv <- postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201
+
+ bindResponse (changeConversationName partner conv "new name") $ \resp -> do
+ resp.status `shouldMatchInt` 403
diff --git a/libs/galley-types/src/Galley/Types/Teams.hs b/libs/galley-types/src/Galley/Types/Teams.hs
index e77b04951b0..e1887cee9f0 100644
--- a/libs/galley-types/src/Galley/Types/Teams.hs
+++ b/libs/galley-types/src/Galley/Types/Teams.hs
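Review bot: Every negative case in Test/ExternalPartner.hs asserts only the 403 status (via `shouldMatchInt` or `getJSON 403`), so a refusal for an unrelated reason would pass too; asserting the error label next to the status would tie each case to the partner-permission check. There is no control in which an ordinary team member performs the same add or rename and succeeds. There is also no case for a partner removing a member or deleting a conversation, although the permissions this commit reinstates are named `AddRemoveConvMember` and `DeleteConversation`. `testExternalPartnerPermissionMlsOne2One` has no comment saying what its 200 establishes; presumably something like `-- fetching the MLS 1:1 with a partner must stay allowed`.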
@@ -133,9 +133,9 @@ rolePerms RoleAdmin = rolePerms RoleMember = rolePerms RoleExternalPartner <> Set.fromList - [ DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + [ DeleteConversation, + AddRemoveConvMember, + ModifyConvName, GetMemberPermissions ] rolePerms RoleExternalPartner = diff --git a/libs/wire-api/src/Wire/API/Team/Permission.hs b/libs/wire-api/src/Wire/API/Team/Permission.hs index 7ed42a29e03..3b108391eda 100644 --- a/libs/wire-api/src/Wire/API/Team/Permission.hs +++ b/libs/wire-api/src/Wire/API/Team/Permission.hs @@ -117,7 +117,7 @@ serviceWhitelistPermissions = Set.fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetTeamData ] 
@@ -127,11 +127,20 @@ serviceWhitelistPermissions = -- | Team-level permission. Analog to conversation-level 'Action'. data Perm = CreateConversation - | DoNotUseDeprecatedDeleteConversation -- NOTE: This gets now overruled by conv level checks + | -- NOTE: This may get overruled by conv level checks in case those are more restrictive + -- We currently cannot get rid of this team-level permission in favor of the conv-level action + -- because it is used for e.g. for the team role 'RoleExternalPartner' + DeleteConversation | AddTeamMember | RemoveTeamMember - | DoNotUseDeprecatedAddRemoveConvMember -- NOTE: This gets now overruled by conv level checks - | DoNotUseDeprecatedModifyConvName -- NOTE: This gets now overruled by conv level checks + | -- NOTE: This may get overruled by conv level checks in case those are more restrictive + -- We currently cannot get rid of this team-level permission in favor of the conv-level action + -- because it is used for e.g. for the team role 'RoleExternalPartner' + AddRemoveConvMember + | -- NOTE: This may get overruled by conv level checks in case those are more restrictive + -- We currently cannot get rid of this team-level permission in favor of the conv-level action + -- because it is used for e.g. for the team role 'RoleExternalPartner' + ModifyConvName | GetBilling | SetBilling | SetTeamData @@ -159,11 +168,11 @@ intToPerms n = permToInt :: Perm -> Word64 permToInt CreateConversation = 0x0001 -permToInt DoNotUseDeprecatedDeleteConversation = 0x0002 +permToInt DeleteConversation = 0x0002 permToInt AddTeamMember = 0x0004 permToInt RemoveTeamMember = 0x0008 -permToInt DoNotUseDeprecatedAddRemoveConvMember = 0x0010 -permToInt DoNotUseDeprecatedModifyConvName = 0x0020 +permToInt AddRemoveConvMember = 0x0010 +permToInt ModifyConvName = 0x0020 permToInt GetBilling = 0x0040 permToInt SetBilling = 0x0080 permToInt SetTeamData = 0x0100 
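Review bot: The three identical NOTE comments on `DeleteConversation`, `AddRemoveConvMember` and `ModifyConvName` in `data Perm` do not say which check is authoritative or to whom it applies, and "used for e.g. for" is garbled. A single Haddock line per constructor would state the contract, e.g. `-- | Required of team members in addition to the conversation-level action; a member lacking it is refused even if the conversation role allows it.` Of the three, the hunks visible in this diff enforce only `ModifyConvName` (rename) and `AddRemoveConvMember` (join) in Galley.API.Action. Enforcement of `DeleteConversation` and of member removal is not visible here and should be confirmed before the `DoNotUseDeprecated` prefix is dropped from those names. The data declaration continues outside the hunk.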
@@ -174,11 +183,11 @@ permToInt SetMemberPermissions = 0x1000 intToPerm :: Word64 -> Maybe Perm intToPerm 0x0001 = Just CreateConversation -intToPerm 0x0002 = Just DoNotUseDeprecatedDeleteConversation +intToPerm 0x0002 = Just DeleteConversation intToPerm 0x0004 = Just AddTeamMember intToPerm 0x0008 = Just RemoveTeamMember -intToPerm 0x0010 = Just DoNotUseDeprecatedAddRemoveConvMember -intToPerm 0x0020 = Just DoNotUseDeprecatedModifyConvName +intToPerm 0x0010 = Just AddRemoveConvMember +intToPerm 0x0020 = Just ModifyConvName intToPerm 0x0040 = Just GetBilling intToPerm 0x0080 = Just SetBilling intToPerm 0x0100 = Just SetTeamData diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs index f3c56c53990..c80d19bea0e 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs @@ -233,11 +233,11 @@ testObject_Event_team_18 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -249,11 +249,11 @@ testObject_Event_team_18 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, GetMemberPermissions, SetMemberPermissions, 
@@ -275,10 +275,10 @@ testObject_Event_team_19 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, GetMemberPermissions, @@ -286,9 +286,9 @@ testObject_Event_team_19 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, GetBilling, SetBilling, GetMemberPermissions, diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs index a2c41fd3f50..34294b4bd00 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs @@ -27,15 +27,15 @@ import Imports (Maybe (Just, Nothing), fromJust) import Wire.API.Team.Member (NewTeamMember, mkNewTeamMember) import Wire.API.Team.Permission ( Perm - ( AddTeamMember, + ( AddRemoveConvMember, + AddTeamMember, CreateConversation, + DeleteConversation, DeleteTeam, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedModifyConvName, GetBilling, GetMemberPermissions, GetTeamConversations, + ModifyConvName, RemoveTeamMember, SetBilling, SetMemberPermissions, @@ -63,13 +63,13 @@ testObject_NewTeamMember_team_2 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName + AddRemoveConvMember, + ModifyConvName ], - _copy = fromList [DoNotUseDeprecatedDeleteConversation, DoNotUseDeprecatedAddRemoveConvMember] + _copy = fromList [DeleteConversation, AddRemoveConvMember] } ) ( Just 
@@ -85,8 +85,8 @@ testObject_NewTeamMember_team_3 = ( Permissions { _self = fromList - [CreateConversation, DoNotUseDeprecatedDeleteConversation, RemoveTeamMember, GetBilling, DeleteTeam], - _copy = fromList [CreateConversation, DoNotUseDeprecatedDeleteConversation, GetBilling] + [CreateConversation, DeleteConversation, RemoveTeamMember, GetBilling, DeleteTeam], + _copy = fromList [CreateConversation, DeleteConversation, GetBilling] } ) ( Just @@ -124,7 +124,7 @@ testObject_NewTeamMember_team_6 = ( Permissions { _self = fromList - [CreateConversation, DoNotUseDeprecatedDeleteConversation, GetBilling, SetTeamData, SetMemberPermissions], + [CreateConversation, DeleteConversation, GetBilling, SetTeamData, SetMemberPermissions], _copy = fromList [CreateConversation, GetBilling] } ) @@ -141,7 +141,7 @@ testObject_NewTeamMember_team_7 = ( Permissions { _self = fromList - [AddTeamMember, RemoveTeamMember, DoNotUseDeprecatedModifyConvName, GetTeamConversations, DeleteTeam], + [AddTeamMember, RemoveTeamMember, ModifyConvName, GetTeamConversations, DeleteTeam], _copy = fromList [AddTeamMember] } ) @@ -156,8 +156,8 @@ testObject_NewTeamMember_team_8 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000008-0000-0003-0000-000200000003"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedModifyConvName], - _copy = fromList [DoNotUseDeprecatedModifyConvName] + { _self = fromList [ModifyConvName], + _copy = fromList [ModifyConvName] } ) ( Just @@ -193,7 +193,7 @@ testObject_NewTeamMember_team_11 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000006-0000-0005-0000-000000000002"))) ( Permissions - { _self = fromList [CreateConversation, DoNotUseDeprecatedModifyConvName, SetTeamData], + { _self = fromList [CreateConversation, ModifyConvName, SetTeamData], _copy = fromList [] } ) 
@@ -215,8 +215,8 @@ testObject_NewTeamMember_team_13 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000002-0000-0004-0000-000600000001"))) ( Permissions - { _self = fromList [AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, SetTeamData, GetTeamConversations], - _copy = fromList [AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, GetTeamConversations] + { _self = fromList [AddTeamMember, AddRemoveConvMember, SetTeamData, GetTeamConversations], + _copy = fromList [AddTeamMember, AddRemoveConvMember, GetTeamConversations] } ) Nothing @@ -228,7 +228,7 @@ testObject_NewTeamMember_team_14 = ( Permissions { _self = fromList - [CreateConversation, DoNotUseDeprecatedDeleteConversation, DoNotUseDeprecatedModifyConvName, GetBilling], + [CreateConversation, DeleteConversation, ModifyConvName, GetBilling], _copy = fromList [] } ) @@ -291,8 +291,8 @@ testObject_NewTeamMember_team_19 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000004-0000-0005-0000-000100000008"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedDeleteConversation, RemoveTeamMember, SetBilling, SetMemberPermissions], - _copy = fromList [DoNotUseDeprecatedDeleteConversation, SetBilling] + { _self = fromList [DeleteConversation, RemoveTeamMember, SetBilling, SetMemberPermissions], + _copy = fromList [DeleteConversation, SetBilling] } ) Nothing @@ -305,8 +305,8 @@ testObject_NewTeamMember_team_20 = { _self = fromList [ AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, GetMemberPermissions, GetTeamConversations diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs index 1d6e451f5a5..fd47570ce6c 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs 
@@ -22,15 +22,15 @@ module Test.Wire.API.Golden.Generated.Permissions_team where import GHC.Exts (IsList (fromList)) import Wire.API.Team.Permission ( Perm - ( AddTeamMember, + ( AddRemoveConvMember, + AddTeamMember, CreateConversation, + DeleteConversation, DeleteTeam, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedModifyConvName, GetBilling, GetMemberPermissions, GetTeamConversations, + ModifyConvName, RemoveTeamMember, SetBilling, SetMemberPermissions, @@ -47,11 +47,11 @@ testObject_Permissions_team_2 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, SetMemberPermissions, @@ -60,11 +60,11 @@ testObject_Permissions_team_2 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, SetMemberPermissions, @@ -77,10 +77,10 @@ testObject_Permissions_team_3 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, GetMemberPermissions, SetMemberPermissions, @@ -91,7 +91,7 @@ testObject_Permissions_team_3 = fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, GetMemberPermissions, SetMemberPermissions, GetTeamConversations, @@ -104,9 +104,9 @@ testObject_Permissions_team_4 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, GetBilling, SetBilling, GetMemberPermissions, 
@@ -124,7 +124,7 @@ testObject_Permissions_team_5 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetTeamData, GetMemberPermissions, @@ -135,7 +135,7 @@ testObject_Permissions_team_5 = fromList [ CreateConversation, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, GetMemberPermissions, DeleteTeam @@ -150,8 +150,8 @@ testObject_Permissions_team_6 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -163,8 +163,8 @@ testObject_Permissions_team_6 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, GetMemberPermissions, @@ -179,14 +179,14 @@ testObject_Permissions_team_7 = fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, GetTeamConversations, DeleteTeam ], - _copy = fromList [DoNotUseDeprecatedAddRemoveConvMember, GetBilling, DeleteTeam] + _copy = fromList [AddRemoveConvMember, GetBilling, DeleteTeam] } testObject_Permissions_team_8 :: Permissions @@ -195,11 +195,11 @@ testObject_Permissions_team_8 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, 
@@ -211,8 +211,8 @@ testObject_Permissions_team_8 = fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, GetMemberPermissions, SetMemberPermissions @@ -225,11 +225,11 @@ testObject_Permissions_team_9 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, + DeleteConversation, + AddRemoveConvMember, GetMemberPermissions ], - _copy = fromList [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember, GetMemberPermissions] + _copy = fromList [CreateConversation, AddRemoveConvMember, GetMemberPermissions] } testObject_Permissions_team_10 :: Permissions @@ -238,10 +238,10 @@ testObject_Permissions_team_10 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations, @@ -250,10 +250,10 @@ testObject_Permissions_team_10 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations, @@ -266,7 +266,7 @@ testObject_Permissions_team_11 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, RemoveTeamMember, GetBilling, GetMemberPermissions, @@ -283,10 +283,10 @@ testObject_Permissions_team_12 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, 
@@ -298,10 +298,10 @@ testObject_Permissions_team_12 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -319,7 +319,7 @@ testObject_Permissions_team_13 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetTeamData, SetMemberPermissions @@ -333,10 +333,10 @@ testObject_Permissions_team_14 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, SetTeamData, GetMemberPermissions, @@ -345,10 +345,10 @@ testObject_Permissions_team_14 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, SetTeamData, GetMemberPermissions, @@ -361,11 +361,11 @@ testObject_Permissions_team_15 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, GetMemberPermissions, SetMemberPermissions, @@ -379,8 +379,8 @@ testObject_Permissions_team_16 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, + [ DeleteConversation, + AddRemoveConvMember, GetBilling, SetTeamData, SetMemberPermissions, 
@@ -388,7 +388,7 @@ testObject_Permissions_team_16 = ], _copy = fromList - [DoNotUseDeprecatedDeleteConversation, GetBilling, SetTeamData, SetMemberPermissions, GetTeamConversations] + [DeleteConversation, GetBilling, SetTeamData, SetMemberPermissions, GetTeamConversations] } testObject_Permissions_team_17 :: Permissions @@ -396,10 +396,10 @@ testObject_Permissions_team_17 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, SetTeamData, GetMemberPermissions, SetMemberPermissions, @@ -408,10 +408,10 @@ testObject_Permissions_team_17 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, SetTeamData, GetMemberPermissions, SetMemberPermissions, @@ -427,7 +427,7 @@ testObject_Permissions_team_18 = fromList [ CreateConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, GetMemberPermissions, SetMemberPermissions, @@ -437,7 +437,7 @@ testObject_Permissions_team_18 = fromList [ CreateConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, GetMemberPermissions, DeleteTeam @@ -450,11 +450,11 @@ testObject_Permissions_team_19 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, SetTeamData, GetMemberPermissions, @@ -465,10 +465,10 @@ testObject_Permissions_team_19 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations, 
@@ -482,9 +482,9 @@ testObject_Permissions_team_20 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -493,9 +493,9 @@ testObject_Permissions_team_20 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetBilling, SetTeamData, diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs index 03c976ffd9c..358b5cf8810 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs @@ -34,15 +34,15 @@ import Imports (Maybe (Just, Nothing), fromJust) import Wire.API.Team.Member (TeamMember, mkTeamMember) import Wire.API.Team.Permission ( Perm - ( AddTeamMember, + ( AddRemoveConvMember, + AddTeamMember, CreateConversation, + DeleteConversation, DeleteTeam, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedModifyConvName, GetBilling, GetMemberPermissions, GetTeamConversations, + ModifyConvName, RemoveTeamMember, SetBilling, SetMemberPermissions, @@ -71,7 +71,7 @@ testObject_TeamMember_team_2 :: TeamMember testObject_TeamMember_team_2 = mkTeamMember (Id (fromJust (UUID.fromString "00000003-0000-0000-0000-000500000005"))) - (Permissions {_self = fromList [DoNotUseDeprecatedModifyConvName, SetMemberPermissions], _copy = fromList []}) + (Permissions {_self = fromList [ModifyConvName, SetMemberPermissions], _copy = fromList []}) ( Just ( Id (fromJust (UUID.fromString "00000000-0000-0000-0000-000000000004")), fromJust (readUTCTimeMillis "1864-05-03T14:56:52.508Z") 
@@ -86,7 +86,7 @@ testObject_TeamMember_team_3 = ( Permissions { _self = fromList - [DoNotUseDeprecatedDeleteConversation, AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, GetBilling], + [DeleteConversation, AddTeamMember, AddRemoveConvMember, GetBilling], _copy = fromList [GetBilling] } ) @@ -102,7 +102,7 @@ testObject_TeamMember_team_4 = mkTeamMember (Id (fromJust (UUID.fromString "00000008-0000-0005-0000-000100000006"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedModifyConvName, SetMemberPermissions], + { _self = fromList [ModifyConvName, SetMemberPermissions], _copy = fromList [SetMemberPermissions] } ) @@ -118,8 +118,8 @@ testObject_TeamMember_team_5 = mkTeamMember (Id (fromJust (UUID.fromString "00000007-0000-0000-0000-000200000001"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedDeleteConversation, GetBilling, SetBilling, GetMemberPermissions], - _copy = fromList [DoNotUseDeprecatedDeleteConversation, GetMemberPermissions] + { _self = fromList [DeleteConversation, GetBilling, SetBilling, GetMemberPermissions], + _copy = fromList [DeleteConversation, GetMemberPermissions] } ) ( Just @@ -136,7 +136,7 @@ testObject_TeamMember_team_6 = ( Permissions { _self = fromList - [CreateConversation, AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, SetBilling, SetTeamData], + [CreateConversation, AddTeamMember, AddRemoveConvMember, SetBilling, SetTeamData], _copy = fromList [] } ) @@ -154,8 +154,8 @@ testObject_TeamMember_team_7 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, + [ DeleteConversation, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations @@ -173,8 +173,8 @@ testObject_TeamMember_team_8 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + [ AddRemoveConvMember, + ModifyConvName, SetTeamData, SetMemberPermissions, DeleteTeam 
@@ -194,8 +194,8 @@ testObject_TeamMember_team_9 = mkTeamMember (Id (fromJust (UUID.fromString "00000008-0000-0006-0000-000300000003"))) ( Permissions - { _self = fromList [AddTeamMember, DoNotUseDeprecatedModifyConvName], - _copy = fromList [DoNotUseDeprecatedModifyConvName] + { _self = fromList [AddTeamMember, ModifyConvName], + _copy = fromList [ModifyConvName] } ) Nothing @@ -205,7 +205,7 @@ testObject_TeamMember_team_10 :: TeamMember testObject_TeamMember_team_10 = mkTeamMember (Id (fromJust (UUID.fromString "00000002-0000-0000-0000-000100000006"))) - (Permissions {_self = fromList [DoNotUseDeprecatedDeleteConversation, AddTeamMember], _copy = fromList []}) + (Permissions {_self = fromList [DeleteConversation, AddTeamMember], _copy = fromList []}) ( Just ( Id (fromJust (UUID.fromString "00000008-0000-0005-0000-000000000002")), fromJust (readUTCTimeMillis "1864-05-03T19:02:13.669Z") @@ -219,7 +219,7 @@ testObject_TeamMember_team_11 = (Id (fromJust (UUID.fromString "00000004-0000-0001-0000-000400000007"))) ( Permissions { _self = - fromList [CreateConversation, DoNotUseDeprecatedDeleteConversation, SetTeamData, SetMemberPermissions], + fromList [CreateConversation, DeleteConversation, SetTeamData, SetMemberPermissions], _copy = fromList [] } ) @@ -259,7 +259,7 @@ testObject_TeamMember_team_14 = mkTeamMember (Id (fromJust (UUID.fromString "00000004-0000-0000-0000-000300000007"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedDeleteConversation, AddTeamMember, GetBilling, GetMemberPermissions], + { _self = fromList [DeleteConversation, AddTeamMember, GetBilling, GetMemberPermissions], _copy = fromList [GetBilling, GetMemberPermissions] } ) 
@@ -286,7 +286,7 @@ testObject_TeamMember_team_16 :: TeamMember testObject_TeamMember_team_16 = mkTeamMember (Id (fromJust (UUID.fromString "00000000-0000-0008-0000-000200000008"))) - (Permissions {_self = fromList [DoNotUseDeprecatedDeleteConversation, GetTeamConversations], _copy = fromList []}) + (Permissions {_self = fromList [DeleteConversation, GetTeamConversations], _copy = fromList []}) ( Just ( Id (fromJust (UUID.fromString "00000006-0000-0000-0000-000400000002")), fromJust (readUTCTimeMillis "1864-05-10T04:27:37.101Z") @@ -301,13 +301,13 @@ testObject_TeamMember_team_17 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + [ AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, GetTeamConversations ], - _copy = fromList [DoNotUseDeprecatedAddRemoveConvMember] + _copy = fromList [AddRemoveConvMember] } ) ( Just @@ -323,7 +323,7 @@ testObject_TeamMember_team_18 = (Id (fromJust (UUID.fromString "00000005-0000-0005-0000-000200000008"))) ( Permissions { _self = - fromList [RemoveTeamMember, DoNotUseDeprecatedModifyConvName, GetMemberPermissions, SetMemberPermissions], + fromList [RemoveTeamMember, ModifyConvName, GetMemberPermissions, SetMemberPermissions], _copy = fromList [SetMemberPermissions] } ) @@ -340,7 +340,7 @@ testObject_TeamMember_team_19 = (Id (fromJust (UUID.fromString "00000003-0000-0002-0000-000200000008"))) ( Permissions { _self = - fromList [AddTeamMember, DoNotUseDeprecatedModifyConvName, GetBilling, SetBilling, SetMemberPermissions], + fromList [AddTeamMember, ModifyConvName, GetBilling, SetBilling, SetMemberPermissions], _copy = fromList [SetMemberPermissions] } ) 
@@ -356,7 +356,7 @@ testObject_TeamMember_team_20 = mkTeamMember (Id (fromJust (UUID.fromString "00000005-0000-0007-0000-000100000005"))) ( Permissions - { _self = fromList [CreateConversation, AddTeamMember, DoNotUseDeprecatedModifyConvName, GetBilling], + { _self = fromList [CreateConversation, AddTeamMember, ModifyConvName, GetBilling], _copy = fromList [] } ) diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index 387875269ef..c3a3448f77d 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -91,6 +91,7 @@ import Galley.Env (Env) import Galley.Intra.Push import Galley.Options import Galley.Types.Conversations.Members +import Galley.Types.Teams (IsPerm (hasPermission)) import Galley.Types.UserList import Galley.Validation import Imports hiding ((\\)) @@ -122,6 +123,7 @@ import Wire.API.Routes.Internal.Brig.Connection import Wire.API.Team.Feature import Wire.API.Team.LegalHold import Wire.API.Team.Member +import Wire.API.Team.Permission (Perm (AddRemoveConvMember, ModifyConvName)) import Wire.API.User qualified as User data NoChanges = NoChanges @@ -202,7 +204,9 @@ type family HasConversationActionEffects (tag :: ConversationActionTag) r :: Con ) HasConversationActionEffects 'ConversationRenameTag r = ( Member (Error InvalidInput) r, - Member ConversationStore r + Member ConversationStore r, + Member TeamStore r, + Member (ErrorS InvalidOperation) r ) HasConversationActionEffects 'ConversationAccessDataTag r = ( Member BotAccess r, @@ -464,6 +468,8 @@ performAction tag origUser lconv action = do pure (mempty, action) SConversationRenameTag -> do + zusrMembership <- join <$> forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (qUnqualified origUser)) + for_ zusrMembership $ \tm -> unless (tm `hasPermission` ModifyConvName) $ throwS @'InvalidOperation cn <- rangeChecked (cupName action) E.setConversationName (tUnqualified lcnv) cn pure (mempty, action) 
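Review bot: The new guard in the `SConversationRenameTag` branch fails open: `zusrMembership` is `Nothing` whenever the conversation has no team or `origUser` is not a member of the conversation's team, and `for_` then skips the `ModifyConvName` check entirely. A member whose own team withholds `ModifyConvName` is therefore unrestricted in non-team conversations and in conversations owned by another team, while `checkCreateConvPermissions` in this same commit falls back to the caller's own team through `E.getUserTeams`; `checkTeamMemberAddPermissions` in the next hunk has the same shape. The lookup also uses `qUnqualified origUser`, which drops the domain, so if `performAction` can be reached with a remote `origUser` the bare id is matched against the local team store. If the narrower scope is intended, a comment such as `-- only members of the conversation's own team are restricted; all other callers skip this check` would record it. The branch sits inside `performAction`, whose body extends beyond the hunk.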
@@ -520,7 +526,7 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do checkLHPolicyConflictsLocal (ulLocals newMembers) checkLHPolicyConflictsRemote (FutureWork (ulRemotes newMembers)) checkRemoteBackendsConnected lusr - + checkTeamMemberAddPermissions lusr addMembersToLocalConversation (fmap (.convId) lconv) newMembers role where checkRemoteBackendsConnected :: Local x -> Sem r () @@ -609,6 +615,12 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do Sem r () checkLHPolicyConflictsRemote _remotes = pure () + checkTeamMemberAddPermissions :: Local UserId -> Sem r () + checkTeamMemberAddPermissions lusr = + forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (tUnqualified lusr)) + >>= (maybe (pure ()) (\tm -> unless (tm `hasPermission` AddRemoveConvMember) $ throwS @'InvalidOperation)) + . join + performConversationAccessData :: ( HasConversationActionEffects 'ConversationAccessDataTag r, Member (Error FederationError) r, diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index 23c6681db41..182e96fbc5b 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs @@ -31,6 +31,7 @@ module Galley.API.Create ) where +import Control.Error (headMay) import Control.Lens hiding ((??)) import Data.Id import Data.List1 (list1) 
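Review bot: `checkTeamMemberAddPermissions lusr` is called only after `checkLHPolicyConflictsLocal`, `checkLHPolicyConflictsRemote` and `checkRemoteBackendsConnected lusr`, so a caller without `AddRemoveConvMember` still triggers those checks and can observe their errors before being rejected. Placing the line `checkTeamMemberAddPermissions lusr` above `checkLHPolicyConflictsLocal (ulLocals newMembers)` keeps the cheap authorization decision ahead of work that, judging by its name, may contact remote backends. The helper in the following hunk would also read more easily in the `for_ ... unless` form used for the rename check than as `>>= maybe ... . join`. `performConversationJoin` begins outside the hunk, so any earlier checks are not visible here.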
@@ -244,10 +245,14 @@ checkCreateConvPermissions :: checkCreateConvPermissions lusr _newConv Nothing allUsers = do activated <- listToMaybe <$> lookupActivatedUsers [tUnqualified lusr] void $ noteS @OperationDenied activated + -- an external partner is not allowed to create group conversations (except 1:1 team conversations that are handled below) + tm <- getTeamMember (tUnqualified lusr) Nothing + for_ tm $ + permissionCheck AddRemoveConvMember . Just ensureConnected lusr allUsers checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do let convTeam = cnvTeamId tinfo - zusrMembership <- E.getTeamMember convTeam (tUnqualified lusr) + zusrMembership <- getTeamMember (tUnqualified lusr) (Just convTeam) void $ permissionCheck CreateConversation zusrMembership convLocalMemberships <- mapM (E.getTeamMember convTeam) (ulLocals allUsers) ensureAccessRole (accessRoles newConv) (zip (ulLocals allUsers) convLocalMemberships) 
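Review bot: In the non-team branch the `AddRemoveConvMember` check runs for every caller who has a team membership, regardless of how many users are invited, whereas the team branch (next hunk) applies it only under `when (length allUsers > 1 || ...)`. The added comment speaks of "group conversations" and does not say that a restricted member can no longer create a non-team conversation with a single other user either. If that is intended, the comment could state it directly: `-- a team member without AddRemoveConvMember (e.g. an external partner) may not create any non-team conversation; 1:1 team conversations are handled in the team branch below`. The rewritten lookup `getTeamMember (tUnqualified lusr) (Just convTeam)` is equivalent to the `E.getTeamMember convTeam (tUnqualified lusr)` it replaces and could stay as it was.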
@@ -261,14 +266,20 @@ checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do -- Not sure at the moment how to best solve this but it is unlikely -- we can ever get rid of the team permission model anyway - the only thing I can -- think of is that 'partners' can create convs but not be admins... - when (length allUsers > 1) $ do - void $ permissionCheck DoNotUseDeprecatedAddRemoveConvMember zusrMembership + -- this only applies to proteus conversations, because in MLS we have proper 1:1 conversations, + -- so we don't allow an external partner to create an MLS group conversation at all + when (length allUsers > 1 || newConv.newConvProtocol == BaseProtocolMLSTag) $ do + void $ permissionCheck AddRemoveConvMember zusrMembership -- Team members are always considered to be connected, so we only check -- 'ensureConnected' for non-team-members. ensureConnectedToLocals (tUnqualified lusr) (notTeamMember (ulLocals allUsers) (catMaybes convLocalMemberships)) ensureConnectedToRemotes lusr (ulRemotes allUsers) +getTeamMember :: Member TeamStore r => UserId -> Maybe TeamId -> Sem r (Maybe TeamMember) +getTeamMember uid (Just tid) = E.getTeamMember tid uid +getTeamMember uid Nothing = E.getUserTeams uid >>= maybe (pure Nothing) (flip E.getTeamMember uid) . headMay + ---------------------------------------------------------------------------- -- Other kinds of conversations diff --git a/services/galley/src/Galley/API/Teams.hs b/services/galley/src/Galley/API/Teams.hs index 03f8cf65203..e907e4883d8 100644 --- a/services/galley/src/Galley/API/Teams.hs +++ b/services/galley/src/Galley/API/Teams.hs 
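Review bot: `getTeamMember uid Nothing` looks at only the first entry of `E.getUserTeams uid` (via `headMay`), so the non-team permission check depends on that list's order and ignores any further teams the user belongs to. If users are guaranteed to be in at most one team this is fine, but nothing in the hunk states it; a Haddock line such as `-- | Membership in the given team, or, without a team id, in the first team returned by 'E.getUserTeams' (assumes at most one team per user).` would record the assumption. The helper also reuses the name of `E.getTeamMember` while taking its arguments in the opposite order, so a distinct name like `lookupTeamMembership` would be harder to confuse at call sites.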
@@ -124,7 +124,7 @@ import SAML2.WebSSO qualified as SAML import System.Logger (Msg) import System.Logger qualified as Log import Wire.API.Conversation (ConversationRemoveMembers (..)) -import Wire.API.Conversation.Role (Action (DeleteConversation), wireConvRoles) +import Wire.API.Conversation.Role (wireConvRoles) import Wire.API.Conversation.Role qualified as Public import Wire.API.Error import Wire.API.Error.Galley @@ -1109,7 +1109,7 @@ deleteTeamConversation :: Member (ErrorS 'ConvNotFound) r, Member (ErrorS 'InvalidOperation) r, Member (ErrorS 'NotATeamMember) r, - Member (ErrorS ('ActionDenied 'DeleteConversation)) r, + Member (ErrorS ('ActionDenied 'Public.DeleteConversation)) r, Member FederatorAccess r, Member MemberStore r, Member ProposalStore r, diff --git a/services/galley/src/Galley/API/Update.hs b/services/galley/src/Galley/API/Update.hs index 174e6ee985a..f571617def6 100644 --- a/services/galley/src/Galley/API/Update.hs +++ b/services/galley/src/Galley/API/Update.hs @@ -1375,7 +1375,8 @@ updateConversationName :: Member ExternalAccess r, Member GundeckAccess r, Member (Input UTCTime) r, - Member (Logger (Msg -> Msg)) r + Member (Logger (Msg -> Msg)) r, + Member TeamStore r ) => Local UserId -> ConnId -> @@ -1401,7 +1402,8 @@ updateUnqualifiedConversationName :: Member ExternalAccess r, Member GundeckAccess r, Member (Input UTCTime) r, - Member (Logger (Msg -> Msg)) r + Member (Logger (Msg -> Msg)) r, + Member TeamStore r ) => Local UserId -> ConnId -> @@ -1423,7 +1425,8 @@ updateLocalConversationName :: Member ExternalAccess r, Member GundeckAccess r, Member (Input UTCTime) r, - Member (Logger (Msg -> Msg)) r + Member (Logger (Msg -> Msg)) r, + Member TeamStore r ) => Local UserId -> ConnId -> diff --git a/services/galley/test/integration/API/Teams.hs b/services/galley/test/integration/API/Teams.hs index 0b95dd4c4d9..a213949cb27 100644 --- a/services/galley/test/integration/API/Teams.hs +++ b/services/galley/test/integration/API/Teams.hs 
@@ -89,7 +89,7 @@ import Wire.API.Team.Member import Wire.API.Team.Member qualified as Member import Wire.API.Team.Member qualified as TM import Wire.API.Team.Member qualified as Teams -import Wire.API.Team.Permission +import Wire.API.Team.Permission as P import Wire.API.Team.Role import Wire.API.Team.SearchVisibility import Wire.API.User qualified as Public @@ -473,8 +473,8 @@ testEnableTeamSearchVisibilityPerTeam = do testCreateOne2OneFailForNonTeamMembers :: TestM () testCreateOne2OneFailForNonTeamMembers = do owner <- Util.randomUser - let p1 = Util.symmPermissions [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember] - let p2 = Util.symmPermissions [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember, AddTeamMember] + let p1 = Util.symmPermissions [CreateConversation, AddRemoveConvMember] + let p2 = Util.symmPermissions [CreateConversation, AddRemoveConvMember, AddTeamMember] mem1 <- newTeamMember' p1 <$> Util.randomUser mem2 <- newTeamMember' p2 <$> Util.randomUser Util.connectUsers owner (list1 (mem1 ^. userId) [mem2 ^. userId]) @@ -732,7 +732,7 @@ testAddTeamConvLegacy = do c <- view tsCannon (owner, tid) <- Util.createBindingTeam extern <- Util.randomUser - let p = Util.symmPermissions [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember] + let p = Util.symmPermissions [CreateConversation, AddRemoveConvMember] mem1 <- newTeamMember' p <$> Util.randomUser mem2 <- newTeamMember' p <$> Util.randomUser Util.connectUsers owner (list1 (mem1 ^. userId) [extern, mem2 ^. userId]) @@ -826,7 +826,7 @@ testAddTeamMemberToConv :: TestM () testAddTeamMemberToConv = do personalUser <- Util.randomUser (ownerT1, qOwnerT1) <- Util.randomUserTuple - let p = Util.symmPermissions [DoNotUseDeprecatedAddRemoveConvMember] + let p = Util.symmPermissions [AddRemoveConvMember] mem1T1 <- Util.randomUser qMem1T1 <- Qualified mem1T1 <$> viewFederationDomain mem2T1 <- Util.randomUser 
@@ -858,7 +858,7 @@ testAddTeamMemberToConv = do qcidPersonal <- Qualified cidPersonal <$> viewFederationDomain -- NOTE: This functionality was _changed_ as there was no need for it... -- mem1T1 (who is *not* a member of the new conversation) can *not* add other team members - -- despite being a team member and having the permission `DoNotUseDeprecatedAddRemoveConvMember`. + -- despite being a team member and having the permission `AddRemoveConvMember`. Util.assertNotConvMember mem1T1 cidT1 Util.postMembers mem1T1 (pure qMem2T1) qcidT1 !!! const 404 === statusCode Util.assertNotConvMember mem2T1 cidT1 @@ -1235,7 +1235,7 @@ testDeleteTeamConv = do c <- view tsCannon (tid, owner, _) <- Util.createBindingTeamWithMembers 2 qOwner <- Qualified owner <$> viewFederationDomain - let p = Util.symmPermissions [DoNotUseDeprecatedDeleteConversation] + let p = Util.symmPermissions [P.DeleteConversation] member <- newTeamMember' p <$> Util.randomUser qMember <- Qualified (member ^. userId) <$> viewFederationDomain Util.addTeamMemberInternal tid (member ^. userId) (member ^. permissions) Nothing