From 6263a5bd5dfe41d4ac383cc85132e797e572d2c4 Mon Sep 17 00:00:00 2001 
From: Leif Battermann Date: Thu, 30 Nov 2023 16:08:19 +0000 Subject: [PATCH 01/18] on member add check permissions --- integration/integration.cabal | 3 +- integration/test/SetupHelpers.hs | 2 +- integration/test/Test/ExternalPartner.hs | 57 +++++++++++++++++++ libs/bilge/bilge.cabal | 2 +- libs/brig-types/brig-types.cabal | 4 +- libs/cargohold-types/cargohold-types.cabal | 2 +- libs/cassandra-util/cassandra-util.cabal | 2 +- .../deriving-swagger2/deriving-swagger2.cabal | 2 +- libs/dns-util/dns-util.cabal | 4 +- libs/extended/extended.cabal | 4 +- libs/galley-types/galley-types.cabal | 4 +- libs/gundeck-types/gundeck-types.cabal | 2 +- libs/imports/imports.cabal | 2 +- libs/jwt-tools/jwt-tools.cabal | 4 +- libs/metrics-core/metrics-core.cabal | 2 +- libs/metrics-wai/metrics-wai.cabal | 4 +- .../polysemy-wire-zoo/polysemy-wire-zoo.cabal | 4 +- libs/ropes/ropes.cabal | 2 +- .../schema-profunctor/schema-profunctor.cabal | 4 +- .../sodium-crypto-sign.cabal | 2 +- libs/ssl-util/ssl-util.cabal | 2 +- libs/tasty-cannon/tasty-cannon.cabal | 2 +- libs/types-common-aws/types-common-aws.cabal | 2 +- .../types-common-journal.cabal | 2 +- libs/types-common/types-common.cabal | 4 +- libs/wai-utilities/wai-utilities.cabal | 2 +- .../wire-api-federation.cabal | 4 +- libs/wire-api/wire-api.cabal | 2 +- .../wire-message-proto-lens.cabal | 2 +- libs/zauth/zauth.cabal | 6 +- .../background-worker/background-worker.cabal | 6 +- services/brig/brig.cabal | 2 +- services/cannon/cannon.cabal | 8 +-- services/cargohold/cargohold.cabal | 6 +- services/federator/federator.cabal | 8 +-- services/galley/galley.cabal | 4 +- services/galley/src/Galley/API/Action.hs | 20 ++++++- services/gundeck/gundeck.cabal | 12 ++-- services/proxy/proxy.cabal | 4 +- services/spar/spar.cabal | 12 ++-- tools/db/assets/assets.cabal | 2 +- tools/db/auto-whitelist/auto-whitelist.cabal | 2 +- tools/db/find-undead/find-undead.cabal | 2 +- .../db/inconsistencies/inconsistencies.cabal | 2 +- 
.../migrate-sso-feature-flag.cabal | 2 +- tools/db/move-team/move-team.cabal | 6 +- .../repair-brig-clients-table.cabal | 2 +- tools/db/repair-handles/repair-handles.cabal | 2 +- .../service-backfill/service-backfill.cabal | 2 +- tools/fedcalls/fedcalls.cabal | 2 +- tools/mlsstats/mlsstats.cabal | 4 +- .../rabbitmq-consumer/rabbitmq-consumer.cabal | 2 +- tools/stern/stern.cabal | 6 +- tools/test-stats/test-stats.cabal | 2 +- 54 files changed, 168 insertions(+), 92 deletions(-) create mode 100644 integration/test/Test/ExternalPartner.hs diff --git a/integration/integration.cabal b/integration/integration.cabal index 406970323c8..9ba9137d52b 100644 --- a/integration/integration.cabal +++ b/integration/integration.cabal @@ -24,7 +24,6 @@ common common-all -Wall -Wpartial-fields -fwarn-tabs -Wno-incomplete-uni-patterns default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns BlockArguments @@ -50,6 +49,7 @@ common common-all MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedLabels OverloadedRecordDot PackageImports @@ -110,6 +110,7 @@ library Test.Conversation Test.Demo Test.Errors + Test.ExternalPartner Test.Federation Test.Federator Test.MessageTimer diff --git a/integration/test/SetupHelpers.hs b/integration/test/SetupHelpers.hs index be86bbfc69f..840e5815849 100644 --- a/integration/test/SetupHelpers.hs +++ b/integration/test/SetupHelpers.hs @@ -26,7 +26,7 @@ deleteUser :: (HasCallStack, MakesValue user) => user -> App () deleteUser user = bindResponse (API.Brig.deleteUser user) $ \resp -> do resp.status `shouldMatchInt` 200 --- | returns (user, team id) +-- | returns (user, team id, members) createTeam :: (HasCallStack, MakesValue domain) => domain -> Int -> App (Value, String, [Value]) createTeam domain memberCount = do res <- createUser domain def {team = True} diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs new file mode 100644 index 00000000000..171d8ccd314 
--- /dev/null +++ b/integration/test/Test/ExternalPartner.hs 
@@ -0,0 +1,57 @@ +{-# OPTIONS_GHC -Wno-ambiguous-fields #-} + +-- This file is part of the Wire Server implementation. +-- +-- Copyright (C) 2023 Wire Swiss GmbH +-- +-- This program is free software: you can redistribute it and/or modify it under +-- the terms of the GNU Affero General Public License as published by the Free +-- Software Foundation, either version 3 of the License, or (at your option) any +-- later version. +-- +-- This program is distributed in the hope that it will be useful, but WITHOUT +-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +-- details. +-- +-- You should have received a copy of the GNU Affero General Public License along +-- with this program. If not, see . + +module Test.ExternalPartner where + +-- import API.Brig (getConnection) +import API.Galley +import GHC.Stack +import SetupHelpers +import Testlib.Prelude + +testExternalPartnerPermissions :: HasCallStack => App () +testExternalPartnerPermissions = do + (owner, tid, u1 : u2 : u3 : _) <- createTeam OwnDomain 6 + + partner <- createTeamMemberWithRole owner tid "partner" + + -- a partner should not be able to create conversation with more than 2 users + void $ postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1, u2]}) >>= getJSON 403 + + -- a partner can create a one to one conversation with a user from the same team + do + conv <- postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201 + + -- they should not be able to add another team member to the one to one conversation + bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do + resp.status `shouldMatchInt` 403 + + -- they should be able to create an empty conversation and add a member + -- because this is the conversation creation flow for MLS conversations + do + conv <- postConversation partner (defProteus {team = Just tid}) >>= 
getJSON 201 + bindResponse (addMembers partner conv def {users = [u3]}) $ \resp -> do + resp.status `shouldMatchInt` 200 + + -- now they should not be able to add another member + bindResponse (addMembers partner conv def {users = [u1]}) $ \resp -> do + resp.status `shouldMatchInt` 403 + +-- FUTUREWORK: handle deletion of members +-- deleteUser u3 diff --git a/libs/bilge/bilge.cabal b/libs/bilge/bilge.cabal index 4b88843ece0..b3b4154bbc7 100644 --- a/libs/bilge/bilge.cabal +++ b/libs/bilge/bilge.cabal @@ -29,7 +29,6 @@ library other-modules: Paths_bilge hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -53,6 +52,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/brig-types/brig-types.cabal b/libs/brig-types/brig-types.cabal index faac2030515..d7a933c90bb 100644 --- a/libs/brig-types/brig-types.cabal +++ b/libs/brig-types/brig-types.cabal @@ -28,7 +28,6 @@ library other-modules: Paths_brig_types hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -52,6 +51,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -103,7 +103,6 @@ test-suite brig-types-tests hs-source-dirs: test/unit default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -127,6 +126,7 @@ test-suite brig-types-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/cargohold-types/cargohold-types.cabal b/libs/cargohold-types/cargohold-types.cabal index bbb40fda15c..f6c031f79ae 100644 --- a/libs/cargohold-types/cargohold-types.cabal +++ b/libs/cargohold-types/cargohold-types.cabal 
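Review bot: Every denial in `testExternalPartnerPermissions` is asserted by status code alone (`getJSON 403` and the `shouldMatchInt` checks against 403), and no case shows the same kind of request succeeding for an actor who holds the permission, so a 403 raised for an unrelated reason would still pass. Add a positive control as sketched below, and in the 403 cases also match the error body's label against the one `InvalidOperation` maps to. A case for a conversation with no team, or an actor outside the team, would pin down the branch of the new check that returns without testing anything. The commented-out `-- import API.Brig (getConnection)` and the trailing `-- deleteUser u3` are dead code in a new file; drop them, or turn the second into a tracked FUTUREWORK note without the code line.

```haskell
  -- … unchanged: partner assertions above …

  -- control: an actor holding the permission can grow a conversation past two
  -- users (assumes the team owner has it; confirm against the role definitions)
  do
    conv <- postConversation owner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201
    bindResponse (addMembers owner conv def {users = [u2]}) $ \resp -> do
      resp.status `shouldMatchInt` 200
```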
@@ -18,7 +18,6 @@ library other-modules: Paths_cargohold_types hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -42,6 +41,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/cassandra-util/cassandra-util.cabal b/libs/cassandra-util/cassandra-util.cabal index 7ca83d15077..2612b0ee9b2 100644 --- a/libs/cassandra-util/cassandra-util.cabal +++ b/libs/cassandra-util/cassandra-util.cabal @@ -22,7 +22,6 @@ library other-modules: Paths_cassandra_util hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -46,6 +45,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude NumericUnderscores OverloadedRecordDot OverloadedStrings diff --git a/libs/deriving-swagger2/deriving-swagger2.cabal b/libs/deriving-swagger2/deriving-swagger2.cabal index 6e5b3f9de4a..35816fc7f52 100644 --- a/libs/deriving-swagger2/deriving-swagger2.cabal +++ b/libs/deriving-swagger2/deriving-swagger2.cabal @@ -15,7 +15,6 @@ library other-modules: Paths_deriving_swagger2 hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -39,6 +38,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/dns-util/dns-util.cabal b/libs/dns-util/dns-util.cabal index b2f2f00b953..4745b16e4ff 100644 --- a/libs/dns-util/dns-util.cabal +++ b/libs/dns-util/dns-util.cabal @@ -20,7 +20,6 @@ library other-modules: Paths_dns_util hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -44,6 +43,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
@@ -85,7 +85,6 @@ test-suite spec hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -109,6 +108,7 @@ test-suite spec MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/extended/extended.cabal b/libs/extended/extended.cabal index 389b59b9447..9ff76607ba5 100644 --- a/libs/extended/extended.cabal +++ b/libs/extended/extended.cabal @@ -30,7 +30,6 @@ library other-modules: Paths_extended hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -54,6 +53,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude NumericUnderscores OverloadedRecordDot OverloadedStrings @@ -116,7 +116,6 @@ test-suite extended-tests hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -140,6 +139,7 @@ test-suite extended-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/galley-types/galley-types.cabal b/libs/galley-types/galley-types.cabal index 11833627945..97c786cf57f 100644 --- a/libs/galley-types/galley-types.cabal +++ b/libs/galley-types/galley-types.cabal @@ -24,7 +24,6 @@ library other-modules: Paths_galley_types hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -48,6 +47,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -103,7 +103,6 @@ test-suite galley-types-tests hs-source-dirs: test/unit default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -127,6 +126,7 @@ test-suite galley-types-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
diff --git a/libs/gundeck-types/gundeck-types.cabal b/libs/gundeck-types/gundeck-types.cabal index 33bf7ddbd1f..26e75b33b7f 100644 --- a/libs/gundeck-types/gundeck-types.cabal +++ b/libs/gundeck-types/gundeck-types.cabal @@ -22,7 +22,6 @@ library other-modules: Paths_gundeck_types hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -46,6 +45,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/imports/imports.cabal b/libs/imports/imports.cabal index 949161a4cc6..845228c8f10 100644 --- a/libs/imports/imports.cabal +++ b/libs/imports/imports.cabal @@ -22,7 +22,6 @@ library other-modules: Paths_imports hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -46,6 +45,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/jwt-tools/jwt-tools.cabal b/libs/jwt-tools/jwt-tools.cabal index 56f1a3afe80..12a29c322f5 100644 --- a/libs/jwt-tools/jwt-tools.cabal +++ b/libs/jwt-tools/jwt-tools.cabal @@ -16,7 +16,6 @@ library hs-source-dirs: src other-modules: Paths_jwt_tools default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -40,6 +39,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -92,7 +92,6 @@ test-suite jwt-tools-tests -Wredundant-constraints -Wunused-packages default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -116,6 +115,7 @@ test-suite jwt-tools-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/metrics-core/metrics-core.cabal b/libs/metrics-core/metrics-core.cabal index 48fd08c0280..278c23d2a84 100644 
--- a/libs/metrics-core/metrics-core.cabal +++ b/libs/metrics-core/metrics-core.cabal @@ -19,7 +19,6 @@ library other-modules: Paths_metrics_core hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -43,6 +42,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/metrics-wai/metrics-wai.cabal b/libs/metrics-wai/metrics-wai.cabal index e544feb15ce..5ea237e1964 100644 --- a/libs/metrics-wai/metrics-wai.cabal +++ b/libs/metrics-wai/metrics-wai.cabal @@ -22,7 +22,6 @@ library other-modules: Paths_metrics_wai hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -46,6 +45,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -95,7 +95,6 @@ test-suite unit hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -119,6 +118,7 @@ test-suite unit MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/polysemy-wire-zoo/polysemy-wire-zoo.cabal b/libs/polysemy-wire-zoo/polysemy-wire-zoo.cabal index 337db0270ce..5e346eb0ea2 100644 --- a/libs/polysemy-wire-zoo/polysemy-wire-zoo.cabal +++ b/libs/polysemy-wire-zoo/polysemy-wire-zoo.cabal @@ -34,7 +34,6 @@ library other-modules: Paths_polysemy_wire_zoo hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -58,6 +57,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -112,7 +112,6 @@ test-suite spec hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds 
@@ -136,6 +135,7 @@ test-suite spec MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/ropes/ropes.cabal b/libs/ropes/ropes.cabal index 2daebfbccf9..0a5e9457039 100644 --- a/libs/ropes/ropes.cabal +++ b/libs/ropes/ropes.cabal @@ -18,7 +18,6 @@ library other-modules: Paths_ropes hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -42,6 +41,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/schema-profunctor/schema-profunctor.cabal b/libs/schema-profunctor/schema-profunctor.cabal index 236a68a841b..4fae5985548 100644 --- a/libs/schema-profunctor/schema-profunctor.cabal +++ b/libs/schema-profunctor/schema-profunctor.cabal @@ -15,7 +15,6 @@ library other-modules: Paths_schema_profunctor hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -39,6 +38,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -86,7 +86,6 @@ test-suite schemas-tests hs-source-dirs: test/unit default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -110,6 +109,7 @@ test-suite schemas-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/sodium-crypto-sign/sodium-crypto-sign.cabal b/libs/sodium-crypto-sign/sodium-crypto-sign.cabal index 075b0949ddb..06fff7151fd 100644 --- a/libs/sodium-crypto-sign/sodium-crypto-sign.cabal +++ b/libs/sodium-crypto-sign/sodium-crypto-sign.cabal @@ -18,7 +18,6 @@ library other-modules: Paths_sodium_crypto_sign hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds 
@@ -42,6 +41,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/ssl-util/ssl-util.cabal b/libs/ssl-util/ssl-util.cabal index b011750f93b..9c306e564e9 100644 --- a/libs/ssl-util/ssl-util.cabal +++ b/libs/ssl-util/ssl-util.cabal @@ -16,7 +16,6 @@ library other-modules: Paths_ssl_util hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -40,6 +39,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/tasty-cannon/tasty-cannon.cabal b/libs/tasty-cannon/tasty-cannon.cabal index e3e732e9294..1eeb206ab63 100644 --- a/libs/tasty-cannon/tasty-cannon.cabal +++ b/libs/tasty-cannon/tasty-cannon.cabal @@ -15,7 +15,6 @@ library other-modules: Paths_tasty_cannon hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -39,6 +38,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/types-common-aws/types-common-aws.cabal b/libs/types-common-aws/types-common-aws.cabal index 8af2b0ddd4f..1893dbcb0f4 100644 --- a/libs/types-common-aws/types-common-aws.cabal +++ b/libs/types-common-aws/types-common-aws.cabal @@ -29,7 +29,6 @@ library other-modules: Paths_types_common_aws hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -53,6 +52,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/types-common-journal/types-common-journal.cabal b/libs/types-common-journal/types-common-journal.cabal index 5d80ce4d4a4..d0dc0986382 100644 --- a/libs/types-common-journal/types-common-journal.cabal 
+++ b/libs/types-common-journal/types-common-journal.cabal @@ -32,7 +32,6 @@ library other-modules: Paths_types_common_journal hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -56,6 +55,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/types-common/types-common.cabal b/libs/types-common/types-common.cabal index 070721fdc82..96cdb25e9bf 100644 --- a/libs/types-common/types-common.cabal +++ b/libs/types-common/types-common.cabal @@ -42,7 +42,6 @@ library other-modules: Paths_types_common hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -66,6 +65,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -154,7 +154,6 @@ test-suite tests hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -178,6 +177,7 @@ test-suite tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/wai-utilities/wai-utilities.cabal b/libs/wai-utilities/wai-utilities.cabal index 1c1ae75cbcc..6105387dddb 100644 --- a/libs/wai-utilities/wai-utilities.cabal +++ b/libs/wai-utilities/wai-utilities.cabal @@ -26,7 +26,6 @@ library other-modules: Paths_wai_utilities hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -50,6 +49,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/wire-api-federation/wire-api-federation.cabal b/libs/wire-api-federation/wire-api-federation.cabal index e6722543b2c..75c7abada44 100644 --- a/libs/wire-api-federation/wire-api-federation.cabal 
+++ b/libs/wire-api-federation/wire-api-federation.cabal @@ -35,7 +35,6 @@ library other-modules: Paths_wire_api_federation hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -59,6 +58,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -141,7 +141,6 @@ test-suite spec hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -165,6 +164,7 @@ test-suite spec MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/wire-api/wire-api.cabal b/libs/wire-api/wire-api.cabal index 1f3b5154484..41292a5d483 100644 --- a/libs/wire-api/wire-api.cabal +++ b/libs/wire-api/wire-api.cabal @@ -18,7 +18,6 @@ common common-all -Wredundant-constraints default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -43,6 +42,7 @@ common common-all MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude NumericUnderscores OverloadedLabels OverloadedRecordDot diff --git a/libs/wire-message-proto-lens/wire-message-proto-lens.cabal b/libs/wire-message-proto-lens/wire-message-proto-lens.cabal index abe89c009c1..3caba005121 100644 --- a/libs/wire-message-proto-lens/wire-message-proto-lens.cabal +++ b/libs/wire-message-proto-lens/wire-message-proto-lens.cabal @@ -29,7 +29,6 @@ library other-modules: Paths_wire_message_proto_lens hs-source-dirs: ./. default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -53,6 +52,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/libs/zauth/zauth.cabal b/libs/zauth/zauth.cabal index 00a2baa85dd..d8bb187a3cc 100644 --- a/libs/zauth/zauth.cabal +++ b/libs/zauth/zauth.cabal 
@@ -22,7 +22,6 @@ library other-modules: Paths_zauth hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -46,6 +45,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -92,7 +92,6 @@ executable zauth other-modules: Paths_zauth hs-source-dirs: main default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -116,6 +115,7 @@ executable zauth MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -163,7 +163,6 @@ test-suite zauth-unit hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -187,6 +186,7 @@ test-suite zauth-unit MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/services/background-worker/background-worker.cabal b/services/background-worker/background-worker.cabal index 377e7487ae5..1eb4df1229d 100644 --- a/services/background-worker/background-worker.cabal +++ b/services/background-worker/background-worker.cabal @@ -52,7 +52,6 @@ library , wire-api-federation default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -76,6 +75,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude NumericUnderscores OverloadedRecordDot OverloadedStrings @@ -111,7 +111,6 @@ executable background-worker -threaded -with-rtsopts=-N -with-rtsopts=-T -rtsopts default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -135,6 +134,7 @@ executable background-worker MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
@@ -199,7 +199,6 @@ test-suite background-worker-test , wire-api-federation default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -223,6 +222,7 @@ test-suite background-worker-test MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/services/brig/brig.cabal b/services/brig/brig.cabal index 05a39d7d548..2d38131f70d 100644 --- a/services/brig/brig.cabal +++ b/services/brig/brig.cabal @@ -25,7 +25,6 @@ common common-all -Wredundant-constraints default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns BlockArguments @@ -51,6 +50,7 @@ common common-all MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude NumericUnderscores OverloadedLabels OverloadedRecordDot diff --git a/services/cannon/cannon.cabal b/services/cannon/cannon.cabal index 27429695a74..74e985f3b89 100644 --- a/services/cannon/cannon.cabal +++ b/services/cannon/cannon.cabal @@ -30,7 +30,6 @@ library other-modules: Paths_cannon hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -54,6 +53,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -122,7 +122,6 @@ executable cannon main-is: exec/Main.hs other-modules: Paths_cannon default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -146,6 +145,7 @@ executable cannon MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -190,7 +190,6 @@ test-suite cannon-tests hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -214,6 +213,7 @@ test-suite cannon-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
@@ -263,7 +263,6 @@ benchmark cannon-bench hs-source-dirs: bench default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -287,6 +286,7 @@ benchmark cannon-bench MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/services/cargohold/cargohold.cabal b/services/cargohold/cargohold.cabal index f7ae9eb5bbe..ab78542f214 100644 --- a/services/cargohold/cargohold.cabal +++ b/services/cargohold/cargohold.cabal @@ -37,7 +37,6 @@ library other-modules: Paths_cargohold hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -61,6 +60,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -145,7 +145,6 @@ executable cargohold main-is: exec/Main.hs other-modules: Paths_cargohold default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -169,6 +168,7 @@ executable cargohold MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -218,7 +218,6 @@ executable cargohold-integration hs-source-dirs: test/integration default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -242,6 +241,7 @@ executable cargohold-integration MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/services/federator/federator.cabal b/services/federator/federator.cabal index 76f746e3a8c..fe902eace90 100644 --- a/services/federator/federator.cabal +++ b/services/federator/federator.cabal @@ -58,7 +58,6 @@ library other-modules: Paths_federator hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds 
@@ -82,6 +81,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -160,7 +160,6 @@ executable federator other-modules: Paths_federator hs-source-dirs: exec default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -184,6 +183,7 @@ executable federator MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -227,7 +227,6 @@ executable federator-integration hs-source-dirs: test/integration default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -251,6 +250,7 @@ executable federator-integration MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -330,7 +330,6 @@ test-suite federator-tests hs-source-dirs: test/unit default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -354,6 +353,7 @@ test-suite federator-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/services/galley/galley.cabal b/services/galley/galley.cabal index 016ebba4fa0..ff78401f388 100644 --- a/services/galley/galley.cabal +++ b/services/galley/galley.cabal @@ -23,7 +23,6 @@ common common-all -Wredundant-constraints -Wunused-packages default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -48,6 +47,7 @@ common common-all MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude NumericUnderscores OverloadedLabels OverloadedRecordDot @@ -416,7 +416,6 @@ executable galley-integration hs-source-dirs: test/integration hs-source-dirs: test/integration default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds 
@@ -440,6 +439,7 @@ executable galley-integration MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude NumericUnderscores OverloadedRecordDot OverloadedStrings diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index 387875269ef..9cf07c667a0 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -91,6 +91,7 @@ import Galley.Env (Env) import Galley.Intra.Push import Galley.Options import Galley.Types.Conversations.Members +import Galley.Types.Teams (IsPerm (hasPermission)) import Galley.Types.UserList import Galley.Validation import Imports hiding ((\\)) @@ -122,6 +123,7 @@ import Wire.API.Routes.Internal.Brig.Connection import Wire.API.Team.Feature import Wire.API.Team.LegalHold import Wire.API.Team.Member +import Wire.API.Team.Permission (Perm (DoNotUseDeprecatedAddRemoveConvMember)) import Wire.API.User qualified as User data NoChanges = NoChanges @@ -520,7 +522,7 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do checkLHPolicyConflictsLocal (ulLocals newMembers) checkLHPolicyConflictsRemote (FutureWork (ulRemotes newMembers)) checkRemoteBackendsConnected lusr - + checkTeamMemberAddPermissions lusr newMembers addMembersToLocalConversation (fmap (.convId) lconv) newMembers role where checkRemoteBackendsConnected :: Local x -> Sem r () 
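Review bot: `checkTeamMemberAddPermissions lusr newMembers` is the authorization decision for this join, yet it is placed last, after `checkLHPolicyConflictsLocal`, `checkLHPolicyConflictsRemote` and `checkRemoteBackendsConnected lusr`. Those helpers are defined outside this hunk, so it cannot be seen here whether they make remote calls or change state; if they do, a caller who is going to be rejected still triggers that work, and may learn their outcome from which error comes back. Unless one of the later checks is a precondition for it, move the call above `checkLHPolicyConflictsLocal (ulLocals newMembers)` so the permission test runs first. The body of `performConversationJoin` begins before this hunk and its `where` clause continues after it.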
@@ -609,6 +611,22 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do Sem r () checkLHPolicyConflictsRemote _remotes = pure () + -- In teams we don't have 1:1 conversations, only regular conversations. We want + -- users without the 'AddRemoveConvMember' permission to still be able to create + -- regular conversations, therefore we check for 'AddRemoveConvMember' only if + -- there are going to be more than two users in the conversation. + checkTeamMemberAddPermissions :: Local UserId -> UserList a -> Sem r () + checkTeamMemberAddPermissions lusr newMembers = do + zusrMembership <- join <$> forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (tUnqualified lusr)) + case zusrMembership of + Nothing -> pure () + Just tm -> do + let total = length (ulAll lusr newMembers) + length (convLocalMembers conv) + length (convRemoteMembers conv) + when (total > 2) $ + if tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember + then pure () + else throwS @'InvalidOperation + performConversationAccessData :: ( HasConversationActionEffects 'ConversationAccessDataTag r, Member (Error FederationError) r, diff --git a/services/gundeck/gundeck.cabal b/services/gundeck/gundeck.cabal index b90bc99c681..2681cb45359 100644 --- a/services/gundeck/gundeck.cabal +++ b/services/gundeck/gundeck.cabal @@ -63,7 +63,6 @@ library other-modules: Paths_gundeck hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -87,6 +86,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -171,7 +171,6 @@ executable gundeck main-is: exec/Main.hs other-modules: Paths_gundeck default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -195,6 +194,7 @@ executable gundeck MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
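Review bot: In `checkTeamMemberAddPermissions`, `join <$> forM (cnvmTeam (convMetadata conv)) ...` collapses two different situations into `Nothing`, and the `Nothing -> pure ()` branch lets both through: the conversation has no team, or it has a team but no membership record is found for the acting user. The check is therefore deny-only: it restricts team members who lack the permission, and whether anyone else may add people is decided by checks outside this hunk (presumably the conversation-role checks; worth confirming). I would say so in the comment, e.g. `-- Nothing: no team, or the acting user is not a member of it; such users are governed by conversation roles only.` The same pattern recurs in the rename branch of `performAction` (PATCH 03) and in the rewritten check in PATCH 06. `performConversationJoin` starts outside the hunk.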
@@ -241,7 +241,6 @@ executable gundeck-integration hs-source-dirs: test/integration default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -265,6 +264,7 @@ executable gundeck-integration MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -333,7 +333,6 @@ executable gundeck-schema main-is: Main.hs hs-source-dirs: schema default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -357,6 +356,7 @@ executable gundeck-schema MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -403,7 +403,6 @@ test-suite gundeck-tests hs-source-dirs: test/unit default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -427,6 +426,7 @@ test-suite gundeck-tests MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -490,7 +490,6 @@ benchmark gundeck-bench other-modules: Paths_gundeck hs-source-dirs: test/bench default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -514,6 +513,7 @@ benchmark gundeck-bench MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/services/proxy/proxy.cabal b/services/proxy/proxy.cabal index 3cf6c0ec13f..6d4578bb102 100644 --- a/services/proxy/proxy.cabal +++ b/services/proxy/proxy.cabal @@ -27,7 +27,6 @@ library other-modules: Paths_proxy hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -51,6 +50,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
@@ -107,7 +107,6 @@ executable proxy main-is: exec/Main.hs other-modules: Paths_proxy default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -131,6 +130,7 @@ executable proxy MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/services/spar/spar.cabal b/services/spar/spar.cabal index 4f4dfdaf319..962e503e4d2 100644 --- a/services/spar/spar.cabal +++ b/services/spar/spar.cabal @@ -99,7 +99,6 @@ library other-modules: Paths_spar hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -123,6 +122,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -203,7 +203,6 @@ executable spar other-modules: Paths_spar hs-source-dirs: exec default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -227,6 +226,7 @@ executable spar MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -281,7 +281,6 @@ executable spar-integration hs-source-dirs: test-integration default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -305,6 +304,7 @@ executable spar-integration MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -407,7 +407,6 @@ executable spar-migrate-data hs-source-dirs: migrate-data/src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -431,6 +430,7 @@ executable spar-migrate-data MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -477,7 +477,6 @@ executable spar-schema main-is: Main.hs hs-source-dirs: schema/ default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds 
@@ -501,6 +500,7 @@ executable spar-schema MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -550,7 +550,6 @@ test-suite spec hs-source-dirs: test default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -574,6 +573,7 @@ test-suite spec MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/assets/assets.cabal b/tools/db/assets/assets.cabal index 2de50c48c6c..1d054cecf82 100644 --- a/tools/db/assets/assets.cabal +++ b/tools/db/assets/assets.cabal @@ -35,7 +35,6 @@ library , wire-api default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -59,6 +58,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/auto-whitelist/auto-whitelist.cabal b/tools/db/auto-whitelist/auto-whitelist.cabal index c97af928b70..f62ee357952 100644 --- a/tools/db/auto-whitelist/auto-whitelist.cabal +++ b/tools/db/auto-whitelist/auto-whitelist.cabal @@ -18,7 +18,6 @@ executable auto-whitelist hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -42,6 +41,7 @@ executable auto-whitelist MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/find-undead/find-undead.cabal b/tools/db/find-undead/find-undead.cabal index 9ff7261facd..4d80aabac45 100644 --- a/tools/db/find-undead/find-undead.cabal +++ b/tools/db/find-undead/find-undead.cabal @@ -18,7 +18,6 @@ executable find-undead hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds 
@@ -42,6 +41,7 @@ executable find-undead MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/inconsistencies/inconsistencies.cabal b/tools/db/inconsistencies/inconsistencies.cabal index 1ac852a6c35..0c0a76d1a4d 100644 --- a/tools/db/inconsistencies/inconsistencies.cabal +++ b/tools/db/inconsistencies/inconsistencies.cabal @@ -21,7 +21,6 @@ executable inconsistencies hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -45,6 +44,7 @@ executable inconsistencies MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/migrate-sso-feature-flag/migrate-sso-feature-flag.cabal b/tools/db/migrate-sso-feature-flag/migrate-sso-feature-flag.cabal index 99aaa13eefc..aca192a3aa1 100644 --- a/tools/db/migrate-sso-feature-flag/migrate-sso-feature-flag.cabal +++ b/tools/db/migrate-sso-feature-flag/migrate-sso-feature-flag.cabal @@ -20,7 +20,6 @@ executable migrate-sso-feature-flag hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -44,6 +43,7 @@ executable migrate-sso-feature-flag MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/move-team/move-team.cabal b/tools/db/move-team/move-team.cabal index 0e33e33dc6b..ba3abc5a288 100644 --- a/tools/db/move-team/move-team.cabal +++ b/tools/db/move-team/move-team.cabal @@ -21,7 +21,6 @@ library other-modules: Paths_move_team hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -45,6 +44,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
@@ -100,7 +100,6 @@ executable move-team other-modules: Paths_move_team hs-source-dirs: move-team default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -124,6 +123,7 @@ executable move-team MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -166,7 +166,6 @@ executable move-team-generate other-modules: Paths_move_team hs-source-dirs: move-team-generate default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -190,6 +189,7 @@ executable move-team-generate MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/repair-brig-clients-table/repair-brig-clients-table.cabal b/tools/db/repair-brig-clients-table/repair-brig-clients-table.cabal index 5347b11d73a..c8cfd818ad5 100644 --- a/tools/db/repair-brig-clients-table/repair-brig-clients-table.cabal +++ b/tools/db/repair-brig-clients-table/repair-brig-clients-table.cabal @@ -20,7 +20,6 @@ executable repair-brig-clients-table hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -44,6 +43,7 @@ executable repair-brig-clients-table MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/db/repair-handles/repair-handles.cabal b/tools/db/repair-handles/repair-handles.cabal index a43aee8ffb4..79393d75a68 100644 --- a/tools/db/repair-handles/repair-handles.cabal +++ b/tools/db/repair-handles/repair-handles.cabal @@ -19,7 +19,6 @@ executable repair-handles hs-source-dirs: repair-handles src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -43,6 +42,7 @@ executable repair-handles MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
diff --git a/tools/db/service-backfill/service-backfill.cabal b/tools/db/service-backfill/service-backfill.cabal index 69f2b260a38..e725bbb75d3 100644 --- a/tools/db/service-backfill/service-backfill.cabal +++ b/tools/db/service-backfill/service-backfill.cabal @@ -18,7 +18,6 @@ executable service-backfill hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -42,6 +41,7 @@ executable service-backfill MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/fedcalls/fedcalls.cabal b/tools/fedcalls/fedcalls.cabal index 25c9d5c1af2..56f14407a56 100644 --- a/tools/fedcalls/fedcalls.cabal +++ b/tools/fedcalls/fedcalls.cabal @@ -15,7 +15,6 @@ executable fedcalls main-is: Main.hs hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -39,6 +38,7 @@ executable fedcalls MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/mlsstats/mlsstats.cabal b/tools/mlsstats/mlsstats.cabal index eca13c03d34..72450ba0d02 100644 --- a/tools/mlsstats/mlsstats.cabal +++ b/tools/mlsstats/mlsstats.cabal @@ -23,7 +23,6 @@ library other-modules: Paths_mlsstats hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -47,6 +46,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -96,7 +96,6 @@ executable mlsstats main-is: exec/Main.hs other-modules: Paths_mlsstats default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -120,6 +119,7 @@ executable mlsstats MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports 
diff --git a/tools/rabbitmq-consumer/rabbitmq-consumer.cabal b/tools/rabbitmq-consumer/rabbitmq-consumer.cabal index 81eb049de12..b7b6f2f079d 100644 --- a/tools/rabbitmq-consumer/rabbitmq-consumer.cabal +++ b/tools/rabbitmq-consumer/rabbitmq-consumer.cabal @@ -40,7 +40,6 @@ library , wire-api-federation default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -65,6 +64,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedLabels OverloadedRecordDot PackageImports diff --git a/tools/stern/stern.cabal b/tools/stern/stern.cabal index 2b293afa246..6a783ae0723 100644 --- a/tools/stern/stern.cabal +++ b/tools/stern/stern.cabal @@ -26,7 +26,6 @@ library other-modules: Paths_stern hs-source-dirs: src default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -50,6 +49,7 @@ library MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -116,7 +116,6 @@ executable stern main-is: exec/Main.hs other-modules: Paths_stern default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -140,6 +139,7 @@ executable stern MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports @@ -200,7 +200,6 @@ executable stern-integration hs-source-dirs: test/integration default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -224,6 +223,7 @@ executable stern-integration MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports diff --git a/tools/test-stats/test-stats.cabal b/tools/test-stats/test-stats.cabal index 7106a8ef46a..d8d0e3d5952 100644 --- a/tools/test-stats/test-stats.cabal +++ b/tools/test-stats/test-stats.cabal 
@@ -29,7 +29,6 @@ executable test-stats , xml default-extensions: - NoImplicitPrelude AllowAmbiguousTypes BangPatterns ConstraintKinds @@ -53,6 +52,7 @@ executable test-stats MultiParamTypeClasses MultiWayIf NamedFieldPuns + NoImplicitPrelude OverloadedRecordDot OverloadedStrings PackageImports From 40a491cb84efb3ce7443f00713b5352745910728 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Wed, 20 Dec 2023 10:24:54 +0000 Subject: [PATCH 02/18] cu --- services/galley/src/Galley/API/Action.hs | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index 9cf07c667a0..de931045dc1 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -621,11 +621,9 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do case zusrMembership of Nothing -> pure () Just tm -> do - let total = length (ulAll lusr newMembers) + length (convLocalMembers conv) + length (convRemoteMembers conv) - when (total > 2) $ - if tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember - then pure () - else throwS @'InvalidOperation + unless (tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember) $ do + let total = length (ulAll lusr newMembers) + length (convLocalMembers conv) + length (convRemoteMembers conv) + when (total > 2) $ throwS @'InvalidOperation performConversationAccessData :: ( HasConversationActionEffects 'ConversationAccessDataTag r, From e998a9018e266b637bd5f17354390fe692ad7e35 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Wed, 20 Dec 2023 10:59:40 +0000 Subject: [PATCH 03/18] external partner cannot rename conv --- integration/test/API/Galley.hs | 1 + integration/test/Test/ExternalPartner.hs | 11 +++++++++++ services/galley/src/Galley/API/Action.hs | 10 ++++++++-- services/galley/src/Galley/API/Update.hs | 9 ++++++--- 4 files changed, 26 insertions(+), 5 deletions(-) 
diff --git a/integration/test/API/Galley.hs b/integration/test/API/Galley.hs index 4a5822115ed..0e8fc98db40 100644 --- a/integration/test/API/Galley.hs +++ b/integration/test/API/Galley.hs @@ -416,6 +416,7 @@ getConversationCode user conv mbZHost = do & maybe id zHost mbZHost ) +-- https://staging-nginz-https.zinfra.io/v5/api/swagger-ui/#/default/put_conversations__cnv_domain___cnv__name changeConversationName :: (HasCallStack, MakesValue user, MakesValue conv, MakesValue name) => user -> diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index 171d8ccd314..4ff6db5f79c 100644 --- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -55,3 +55,14 @@ testExternalPartnerPermissions = do -- FUTUREWORK: handle deletion of members -- deleteUser u3 + +testExternalPartnerPermissionsConvName :: HasCallStack => App () +testExternalPartnerPermissionsConvName = do + (owner, tid, u1 : _) <- createTeam OwnDomain 2 + + partner <- createTeamMemberWithRole owner tid "partner" + + conv <- postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201 + + bindResponse (changeConversationName partner conv "new name") $ \resp -> do + resp.status `shouldMatchInt` 403 diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index de931045dc1..ccb43f6154a 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -123,7 +123,7 @@ import Wire.API.Routes.Internal.Brig.Connection import Wire.API.Team.Feature import Wire.API.Team.LegalHold import Wire.API.Team.Member -import Wire.API.Team.Permission (Perm (DoNotUseDeprecatedAddRemoveConvMember)) +import Wire.API.Team.Permission (Perm (DoNotUseDeprecatedAddRemoveConvMember, DoNotUseDeprecatedModifyConvName)) import Wire.API.User qualified as User data NoChanges = NoChanges 
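Review bot: `testExternalPartnerPermissionsConvName` asserts only the 403 for the partner, so it would still pass if renaming were rejected for every team member. A control in the same test would tie the 403 to the missing permission rather than to the endpoint as a whole. For example, call `changeConversationName u1 conv "new name"` and expect success, assuming `u1`'s conversation role allows renaming.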
@@ -204,7 +204,9 @@ type family HasConversationActionEffects (tag :: ConversationActionTag) r :: Con ) HasConversationActionEffects 'ConversationRenameTag r = ( Member (Error InvalidInput) r, - Member ConversationStore r + Member ConversationStore r, + Member TeamStore r, + Member (ErrorS InvalidOperation) r ) HasConversationActionEffects 'ConversationAccessDataTag r = ( Member BotAccess r, @@ -466,6 +468,10 @@ performAction tag origUser lconv action = do pure (mempty, action) SConversationRenameTag -> do + zusrMembership <- join <$> forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (qUnqualified origUser)) + case zusrMembership of + Just tm -> unless (tm `hasPermission` DoNotUseDeprecatedModifyConvName) $ throwS @'InvalidOperation + Nothing -> pure () cn <- rangeChecked (cupName action) E.setConversationName (tUnqualified lcnv) cn pure (mempty, action) diff --git a/services/galley/src/Galley/API/Update.hs b/services/galley/src/Galley/API/Update.hs index 174e6ee985a..f571617def6 100644 --- a/services/galley/src/Galley/API/Update.hs +++ b/services/galley/src/Galley/API/Update.hs @@ -1375,7 +1375,8 @@ updateConversationName :: Member ExternalAccess r, Member GundeckAccess r, Member (Input UTCTime) r, - Member (Logger (Msg -> Msg)) r + Member (Logger (Msg -> Msg)) r, + Member TeamStore r ) => Local UserId -> ConnId -> @@ -1401,7 +1402,8 @@ updateUnqualifiedConversationName :: Member ExternalAccess r, Member GundeckAccess r, Member (Input UTCTime) r, - Member (Logger (Msg -> Msg)) r + Member (Logger (Msg -> Msg)) r, + Member TeamStore r ) => Local UserId -> ConnId -> @@ -1423,7 +1425,8 @@ updateLocalConversationName :: Member ExternalAccess r, Member GundeckAccess r, Member (Input UTCTime) r, - Member (Logger (Msg -> Msg)) r + Member (Logger (Msg -> Msg)) r, + Member TeamStore r ) => Local UserId -> ConnId -> From de9bc6d556ce678b10d61ea6c0d830c8be9bc067 Mon Sep 17 00:00:00 2001 
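Review bot: The rename check in the `SConversationRenameTag` branch looks up team membership with `qUnqualified origUser`, which discards the acting user's domain. If this branch is reachable for a remote user (not visible in the hunk), the local team store is queried with an id that another backend supplied, and the result depends on whether that id matches a local member. I would make the domain handling explicit by running the lookup only for local users and stating in a comment what applies to remote ones. `performAction` starts and ends outside the hunk.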
From: Leif Battermann Date: Wed, 20 Dec 2023 13:04:07 +0000 Subject: [PATCH 04/18] make external partner to member as soon as total of 2 members --- integration/test/Test/ExternalPartner.hs | 17 ++++++++++--- services/galley/src/Galley/API/Action.hs | 3 ++- services/galley/src/Galley/API/Create.hs | 25 ++++++++++++++++---- services/galley/src/Galley/Types/UserList.hs | 4 ++++ 4 files changed, 41 insertions(+), 8 deletions(-) diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index 4ff6db5f79c..0455add5d9b 100644 --- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -42,6 +42,13 @@ testExternalPartnerPermissions = do bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do resp.status `shouldMatchInt` 403 + -- the other member in the conversation gets deleted + deleteUser u1 + + -- now they still should not be able to add another member + bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do + resp.status `shouldMatchInt` 403 + -- they should be able to create an empty conversation and add a member -- because this is the conversation creation flow for MLS conversations do @@ -50,11 +57,15 @@ testExternalPartnerPermissions = do resp.status `shouldMatchInt` 200 -- now they should not be able to add another member - bindResponse (addMembers partner conv def {users = [u1]}) $ \resp -> do + bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do resp.status `shouldMatchInt` 403 --- FUTUREWORK: handle deletion of members --- deleteUser u3 + -- the other member in the conversation gets deleted + deleteUser u3 + + -- now they still should not be able to add another member + bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do + resp.status `shouldMatchInt` 403 testExternalPartnerPermissionsConvName :: HasCallStack => App () testExternalPartnerPermissionsConvName = do 
diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index ccb43f6154a..293c3316da9 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -628,8 +628,9 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do Nothing -> pure () Just tm -> do unless (tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember) $ do - let total = length (ulAll lusr newMembers) + length (convLocalMembers conv) + length (convRemoteMembers conv) + let total = ulLength newMembers + length (convLocalMembers conv) + length (convRemoteMembers conv) when (total > 2) $ throwS @'InvalidOperation + when (total == 2) $ void $ E.setOtherMember (fmap (.convId) lconv) qusr (OtherMemberUpdate (Just roleNameWireMember)) performConversationAccessData :: ( HasConversationActionEffects 'ConversationAccessDataTag r, diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index 23c6681db41..1b1d477a758 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs @@ -60,7 +60,7 @@ import Galley.Effects.TeamStore qualified as E import Galley.Intra.Push import Galley.Options import Galley.Types.Conversations.Members -import Galley.Types.Teams (notTeamMember) +import Galley.Types.Teams (IsPerm (hasPermission), notTeamMember) import Galley.Types.ToUserRole import Galley.Types.UserList import Galley.Validation @@ -70,6 +70,7 @@ import Polysemy.Error import Polysemy.Input import Polysemy.TinyLog qualified as P import Wire.API.Conversation hiding (Conversation, Member) +import Wire.API.Conversation.Role (roleNameWireMember) import Wire.API.Error import Wire.API.Error.Galley import Wire.API.Event.Conversation 
@@ -194,8 +195,12 @@ createGroupConversationGeneric :: NewConv -> Sem r Conversation createGroupConversationGeneric lusr conn newConv = do - (nc, fromConvSize -> allUsers) <- newRegularConversation lusr newConv let tinfo = newConvTeam newConv + hasAddMembersPermission <- do + join <$> forM (cnvTeamId <$> tinfo) (flip E.getTeamMember (tUnqualified lusr)) <&> \case + Just tm -> tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember + Nothing -> True + (nc, fromConvSize -> allUsers) <- newRegularConversation lusr newConv hasAddMembersPermission checkCreateConvPermissions lusr newConv tinfo allUsers ensureNoLegalholdConflicts allUsers @@ -590,8 +595,9 @@ newRegularConversation :: ) => Local UserId -> NewConv -> + Bool -> Sem r (NewConversation, ConvSizeChecked UserList UserId) -newRegularConversation lusr newConv = do +newRegularConversation lusr newConv hasTeamAddMemberPermission = do o <- input let uncheckedUsers = newConvMembers lusr newConv users <- case newConvProtocol newConv of @@ -599,6 +605,17 @@ newRegularConversation lusr newConv = do BaseProtocolMLSTag -> do unless (null uncheckedUsers) $ throwS @'MLSNonEmptyMemberList pure mempty + let creatorWithRole = + -- In case the creator has no permission to add members (e.g. external partner) + -- we set their conversation role to 'member' to ensure they can't add/remove any members from the conversation + -- even if the other members got removed (e.g. because they were deleted by the team admin). + -- If the conversation is empty, we don't set the role to 'member' + -- because we want to allow the creator to add at least one member to the conversation later. + -- This is due to the fact that in teams we do not have 1:1 conversations, + -- only regular conversations that are interpreted as 1:1 conversations. + if not hasTeamAddMemberPermission && ulLength (fromConvSize users) > 0 + then (tUnqualified lusr, roleNameWireMember) + else (toUserRole (tUnqualified lusr)) let nc = NewConversation { ncMetadata = 
@@ -612,7 +629,7 @@ newRegularConversation lusr newConv = do cnvmReceiptMode = newConvReceiptMode newConv, cnvmTeam = fmap cnvTeamId (newConvTeam newConv) }, - ncUsers = ulAddLocal (toUserRole (tUnqualified lusr)) (fmap (,newConvUsersRole newConv) (fromConvSize users)), + ncUsers = ulAddLocal creatorWithRole (fmap (,newConvUsersRole newConv) (fromConvSize users)), ncProtocol = newConvProtocol newConv } pure (nc, users) diff --git a/services/galley/src/Galley/Types/UserList.hs b/services/galley/src/Galley/Types/UserList.hs index 3dbc81444de..8b930a516f8 100644 --- a/services/galley/src/Galley/Types/UserList.hs +++ b/services/galley/src/Galley/Types/UserList.hs @@ -23,6 +23,7 @@ module Galley.Types.UserList ulFromLocals, ulFromRemotes, ulDiff, + ulLength, ) where @@ -64,3 +65,6 @@ ulDiff (UserList lA rA) (UserList lB rB) = UserList (filter (`notElem` lB) lA) (filter (`notElem` rB) rA) + +ulLength :: UserList a -> Int +ulLength (UserList locals remotes) = length locals + length remotes From 7b88634bd905339f7935fc58fa92d9dd67594b08 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Wed, 20 Dec 2023 14:30:57 +0000 Subject: [PATCH 05/18] changelog --- changelog.d/3-bug-fixes/WPB-5695 | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/3-bug-fixes/WPB-5695 diff --git a/changelog.d/3-bug-fixes/WPB-5695 b/changelog.d/3-bug-fixes/WPB-5695 new file mode 100644 index 00000000000..efd7fdb31b2 --- /dev/null +++ b/changelog.d/3-bug-fixes/WPB-5695 @@ -0,0 +1 @@ +Enforce external partner permissions on the backend From f52f1a65d04d0f04968d5cf47629d2257c54ffea Mon Sep 17 00:00:00 2001 
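Review bot: `ulLength` is added to the export list of `Galley.Types.UserList` without a Haddock comment; I would add `-- | Total number of users in the list, local and remote.` above its signature. As far as the later patches on this page show, both call sites introduced in this patch are removed again in PATCH 06. The export may then be unused, and the compiler will not warn about an exported function, so it is worth checking once the series is squashed.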
From: Leif Battermann Date: Thu, 21 Dec 2023 14:23:36 +0000 Subject: [PATCH 06/18] do not allow external partner to add conv members at all --- integration/test/Test/ExternalPartner.hs | 17 ++-------------- services/galley/src/Galley/API/Action.hs | 21 ++++++-------------- services/galley/src/Galley/API/Create.hs | 25 ++++-------------------- 3 files changed, 12 insertions(+), 51 deletions(-) diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index 0455add5d9b..dcc50dfaf28 100644 --- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -19,7 +19,6 @@ module Test.ExternalPartner where --- import API.Brig (getConnection) import API.Galley import GHC.Stack import SetupHelpers @@ -34,8 +33,8 @@ testExternalPartnerPermissions = do -- a partner should not be able to create conversation with more than 2 users void $ postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1, u2]}) >>= getJSON 403 - -- a partner can create a one to one conversation with a user from the same team do + -- a partner can create a one to one conversation with a user from the same team conv <- postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1]}) >>= getJSON 201 -- they should not be able to add another team member to the one to one conversation 
@@ -49,22 +48,10 @@ testExternalPartnerPermissions = do bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do resp.status `shouldMatchInt` 403 - -- they should be able to create an empty conversation and add a member - -- because this is the conversation creation flow for MLS conversations do + -- also an external partner cannot add someone to a conversation, even if it is empty conv <- postConversation partner (defProteus {team = Just tid}) >>= getJSON 201 bindResponse (addMembers partner conv def {users = [u3]}) $ \resp -> do - resp.status `shouldMatchInt` 200 - - -- now they should not be able to add another member - bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do - resp.status `shouldMatchInt` 403 - - -- the other member in the conversation gets deleted - deleteUser u3 - - -- now they still should not be able to add another member - bindResponse (addMembers partner conv def {users = [u2]}) $ \resp -> do resp.status `shouldMatchInt` 403 testExternalPartnerPermissionsConvName :: HasCallStack => App () diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index 293c3316da9..e8ccd0303ae 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -528,7 +528,7 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do checkLHPolicyConflictsLocal (ulLocals newMembers) checkLHPolicyConflictsRemote (FutureWork (ulRemotes newMembers)) checkRemoteBackendsConnected lusr - checkTeamMemberAddPermissions lusr newMembers + checkTeamMemberAddPermissions lusr addMembersToLocalConversation (fmap (.convId) lconv) newMembers role where checkRemoteBackendsConnected :: Local x -> Sem r () 
@@ -617,20 +617,11 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do Sem r () checkLHPolicyConflictsRemote _remotes = pure () - -- In teams we don't have 1:1 conversations, only regular conversations. We want - -- users without the 'AddRemoveConvMember' permission to still be able to create - -- regular conversations, therefore we check for 'AddRemoveConvMember' only if - -- there are going to be more than two users in the conversation. - checkTeamMemberAddPermissions :: Local UserId -> UserList a -> Sem r () - checkTeamMemberAddPermissions lusr newMembers = do - zusrMembership <- join <$> forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (tUnqualified lusr)) - case zusrMembership of - Nothing -> pure () - Just tm -> do - unless (tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember) $ do - let total = ulLength newMembers + length (convLocalMembers conv) + length (convRemoteMembers conv) - when (total > 2) $ throwS @'InvalidOperation - when (total == 2) $ void $ E.setOtherMember (fmap (.convId) lconv) qusr (OtherMemberUpdate (Just roleNameWireMember)) + checkTeamMemberAddPermissions :: Local UserId -> Sem r () + checkTeamMemberAddPermissions lusr = + forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (tUnqualified lusr)) + >>= (maybe (pure ()) (\tm -> unless (tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember) $ throwS @'InvalidOperation)) + . join performConversationAccessData :: ( HasConversationActionEffects 'ConversationAccessDataTag r, diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index 1b1d477a758..23c6681db41 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs 
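Review bot: The rewritten `checkTeamMemberAddPermissions` is hard to read: `forM ... >>= (maybe (pure ()) (...)) . join` relies on operator precedence to apply `join` before `maybe`, and the comment explaining the rule was deleted with the old body. Binding the lookup first reads more directly: `mTm <- join <$> forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (tUnqualified lusr))`, then `forM_ mTm $ \tm -> unless (hasPermission tm DoNotUseDeprecatedAddRemoveConvMember) $ throwS @'InvalidOperation` (assuming `forM_` is in scope, as `forM` is). The rename branch added to `performAction` in PATCH 03 does the same lookup followed by `unless`, so one helper taking the user id and the `Perm` could serve both. A one-line comment saying that team members without the permission may never add anyone would replace the deleted one.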
@@ -60,7 +60,7 @@ import Galley.Effects.TeamStore qualified as E import Galley.Intra.Push import Galley.Options import Galley.Types.Conversations.Members -import Galley.Types.Teams (IsPerm (hasPermission), notTeamMember) +import Galley.Types.Teams (notTeamMember) import Galley.Types.ToUserRole import Galley.Types.UserList import Galley.Validation @@ -70,7 +70,6 @@ import Polysemy.Error import Polysemy.Input import Polysemy.TinyLog qualified as P import Wire.API.Conversation hiding (Conversation, Member) -import Wire.API.Conversation.Role (roleNameWireMember) import Wire.API.Error import Wire.API.Error.Galley import Wire.API.Event.Conversation @@ -195,12 +194,8 @@ createGroupConversationGeneric :: NewConv -> Sem r Conversation createGroupConversationGeneric lusr conn newConv = do + (nc, fromConvSize -> allUsers) <- newRegularConversation lusr newConv let tinfo = newConvTeam newConv - hasAddMembersPermission <- do - join <$> forM (cnvTeamId <$> tinfo) (flip E.getTeamMember (tUnqualified lusr)) <&> \case - Just tm -> tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember - Nothing -> True - (nc, fromConvSize -> allUsers) <- newRegularConversation lusr newConv hasAddMembersPermission checkCreateConvPermissions lusr newConv tinfo allUsers ensureNoLegalholdConflicts allUsers @@ -595,9 +590,8 @@ newRegularConversation :: ) => Local UserId -> NewConv -> - Bool -> Sem r (NewConversation, ConvSizeChecked UserList UserId) -newRegularConversation lusr newConv hasTeamAddMemberPermission = do +newRegularConversation lusr newConv = do o <- input let uncheckedUsers = newConvMembers lusr newConv users <- case newConvProtocol newConv of 
@@ -605,17 +599,6 @@ newRegularConversation lusr newConv hasTeamAddMemberPermission = do BaseProtocolMLSTag -> do unless (null uncheckedUsers) $ throwS @'MLSNonEmptyMemberList pure mempty - let creatorWithRole = - -- In case the creator has no permission to add members (e.g. external partner) - -- we set their conversation role to 'member' to ensure they can't add/remove any members from the conversation - -- even if the other members got removed (e.g. because they were deleted by the team admin). - -- If the conversation is empty, we don't set the role to 'member' - -- because we want to allow the creator to add at least one member to the conversation later. - -- This is due to the fact that in teams we do not have 1:1 conversations, - -- only regular conversations that are interpreted as 1:1 conversations. - if not hasTeamAddMemberPermission && ulLength (fromConvSize users) > 0 - then (tUnqualified lusr, roleNameWireMember) - else (toUserRole (tUnqualified lusr)) let nc = NewConversation { ncMetadata = @@ -629,7 +612,7 @@ newRegularConversation lusr newConv hasTeamAddMemberPermission = do cnvmReceiptMode = newConvReceiptMode newConv, cnvmTeam = fmap cnvTeamId (newConvTeam newConv) }, - ncUsers = ulAddLocal creatorWithRole (fmap (,newConvUsersRole newConv) (fromConvSize users)), + ncUsers = ulAddLocal (toUserRole (tUnqualified lusr)) (fmap (,newConvUsersRole newConv) (fromConvSize users)), ncProtocol = newConvProtocol newConv } pure (nc, users) From 8dc090d0c12dfa43afd78b77380e7b227df3b9ff Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 21 Dec 2023 15:39:36 +0000 Subject: [PATCH 07/18] do not allow ext partner to create group conv --- integration/test/Test/ExternalPartner.hs | 10 ++++++++++ services/galley/src/Galley/API/Create.hs | 14 ++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index dcc50dfaf28..9a74268d34c 100644 
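Review bot: With `creatorWithRole` removed, a creator without the team add-member permission now always gets the role from `toUserRole`, while the deleted comment said the downgrade to `roleNameWireMember` was there to stop such a creator from adding or removing members. The replacement visible in this patch is the team-level check on the join path in Action.hs, which covers adding only; whether member removal by such a creator is rejected elsewhere cannot be seen from here and is worth confirming with a test. A one-line comment at `ncUsers`, such as `-- the creator's role is not restricted here; the team-level permission is checked in performConversationJoin`, would record where the restriction moved. newRegularConversation starts and ends outside these hunks.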
--- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -21,6 +21,7 @@ module Test.ExternalPartner where import API.Galley import GHC.Stack +import MLS.Util import SetupHelpers import Testlib.Prelude @@ -54,6 +55,15 @@ testExternalPartnerPermissions = do bindResponse (addMembers partner conv def {users = [u3]}) $ \resp -> do resp.status `shouldMatchInt` 403 +testExternalPartnerPermissionsMls :: HasCallStack => App () +testExternalPartnerPermissionsMls = do + -- external partners should not be able to create MLS conversations + (owner, tid, _) <- createTeam OwnDomain 2 + bobExt <- createTeamMemberWithRole owner tid "partner" + bobExtClient <- createMLSClient def bobExt + bindResponse (postConversation bobExtClient defMLS) $ \resp -> do + resp.status `shouldMatchInt` 403 + testExternalPartnerPermissionsConvName :: HasCallStack => App () testExternalPartnerPermissionsConvName = do (owner, tid, u1 : _) <- createTeam OwnDomain 2 diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index 23c6681db41..4a7ef105c94 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs @@ -31,6 +31,7 @@ module Galley.API.Create ) where +import Control.Error (headMay) import Control.Lens hiding ((??)) import Data.Id import Data.List1 (list1) 
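Review bot: `testExternalPartnerPermissionsMls` posts `defMLS` without a team, so, assuming `defMLS` leaves `team` unset (the Proteus test has to set it explicitly with `defProteus {team = Just tid}`), it only reaches the non-team branch of `checkCreateConvPermissions`. The new `newConv.newConvProtocol == BaseProtocolMLSTag` condition in the team branch is then not exercised by any test in this commit. A second request with `defMLS {team = Just tid}` and the same 403 expectation would pin that path.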
@@ -244,10 +245,15 @@ checkCreateConvPermissions :: checkCreateConvPermissions lusr _newConv Nothing allUsers = do activated <- listToMaybe <$> lookupActivatedUsers [tUnqualified lusr] void $ noteS @OperationDenied activated + -- an external partner is not allowed to create group conversations (except 1:1 team conversations that are handled below) + zusrMembership <- getTeamMember (tUnqualified lusr) Nothing + case zusrMembership of + Just tm -> void $ permissionCheck DoNotUseDeprecatedAddRemoveConvMember (Just tm) + Nothing -> pure () ensureConnected lusr allUsers checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do let convTeam = cnvTeamId tinfo - zusrMembership <- E.getTeamMember convTeam (tUnqualified lusr) + zusrMembership <- getTeamMember (tUnqualified lusr) (Just convTeam) void $ permissionCheck CreateConversation zusrMembership convLocalMemberships <- mapM (E.getTeamMember convTeam) (ulLocals allUsers) ensureAccessRole (accessRoles newConv) (zip (ulLocals allUsers) convLocalMemberships) @@ -261,7 +267,7 @@ checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do -- Not sure at the moment how to best solve this but it is unlikely -- we can ever get rid of the team permission model anyway - the only thing I can -- think of is that 'partners' can create convs but not be admins... - when (length allUsers > 1) $ do + when (length allUsers > 1 || newConv.newConvProtocol == BaseProtocolMLSTag) $ do void $ permissionCheck DoNotUseDeprecatedAddRemoveConvMember zusrMembership -- Team members are always considered to be connected, so we only check 
@@ -269,6 +275,10 @@ checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do ensureConnectedToLocals (tUnqualified lusr) (notTeamMember (ulLocals allUsers) (catMaybes convLocalMemberships)) ensureConnectedToRemotes lusr (ulRemotes allUsers) +getTeamMember :: Member TeamStore r => UserId -> Maybe TeamId -> Sem r (Maybe TeamMember) +getTeamMember uid (Just tid) = E.getTeamMember tid uid +getTeamMember uid Nothing = E.getUserTeams uid >>= maybe (pure Nothing) (flip E.getTeamMember uid) . headMay + ---------------------------------------------------------------------------- -- Other kinds of conversations From 3dd8d6ccf18124f01903e8670a5dac1561731e66 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 21 Dec 2023 15:43:53 +0000 Subject: [PATCH 08/18] comment --- integration/test/Test/ExternalPartner.hs | 2 +- services/galley/src/Galley/API/Create.hs | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index 9a74268d34c..84cda75287f 100644 --- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -57,7 +57,7 @@ testExternalPartnerPermissions = do testExternalPartnerPermissionsMls :: HasCallStack => App () testExternalPartnerPermissionsMls = do - -- external partners should not be able to create MLS conversations + -- external partners should not be able to create (MLS) conversations (owner, tid, _) <- createTeam OwnDomain 2 bobExt <- createTeamMemberWithRole owner tid "partner" bobExtClient <- createMLSClient def bobExt diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index 4a7ef105c94..d92b92e7b78 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs 
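Review bot: In `getTeamMember uid Nothing` the membership lookup uses only the first team returned by `E.getUserTeams` (via `headMay`), so if a user can belong to more than one team the permission decision depends on list order. If at most one team is guaranteed, state that in a Haddock comment on the helper; otherwise the check should consider every returned team. `headMay` also brings in a new `Control.Error` import although this module already uses `listToMaybe` in `checkCreateConvPermissions`, which does the same job. The helper shares its name with `E.getTeamMember` but takes the arguments in the opposite order, which is easy to misread at the call sites; a distinct name would help.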
@@ -267,6 +267,8 @@ checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do -- Not sure at the moment how to best solve this but it is unlikely -- we can ever get rid of the team permission model anyway - the only thing I can -- think of is that 'partners' can create convs but not be admins... + -- this only applies to proteus conversations, because in MLS we have proper 1:1 conversations, + -- so we don't allow an external partner to create an MLS group conversation at all when (length allUsers > 1 || newConv.newConvProtocol == BaseProtocolMLSTag) $ do void $ permissionCheck DoNotUseDeprecatedAddRemoveConvMember zusrMembership From 899f2ece31dd4ba44be9e127d8883450ede9b313 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 4 Jan 2024 11:01:48 +0000 Subject: [PATCH 09/18] verify 1:1 MLS works for external partner --- integration/test/Test/ExternalPartner.hs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index 84cda75287f..2f4149ff3b6 100644 --- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -64,6 +64,12 @@ testExternalPartnerPermissionsMls = do bindResponse (postConversation bobExtClient defMLS) $ \resp -> do resp.status `shouldMatchInt` 403 +testExternalPartnerPermissionMlsOne2One :: HasCallStack => App () +testExternalPartnerPermissionMlsOne2One = do + (owner, tid, alice : _) <- createTeam OwnDomain 2 + bobExternal <- createTeamMemberWithRole owner tid "partner" + void $ getMLSOne2OneConversation alice bobExternal >>= getJSON 200 + testExternalPartnerPermissionsConvName :: HasCallStack => App () testExternalPartnerPermissionsConvName = do (owner, tid, u1 : _) <- createTeam OwnDomain 2 From 9fa990e65944d5e810941f756c8422206eb7c2c3 Mon Sep 17 00:00:00 2001 
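Review bot: `testExternalPartnerPermissionMlsOne2One` issues the request as `alice`, so, if the first argument of `getMLSOne2OneConversation` is the caller, the test shows that a regular member can fetch the 1:1 conversation with a partner but not that the partner can. Since the commit is about the partner's permissions, add the mirrored call `void $ getMLSOne2OneConversation bobExternal alice >>= getJSON 200`.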
From: Leif Battermann Date: Thu, 4 Jan 2024 11:05:55 +0000 Subject: [PATCH 10/18] removed redundant code --- services/galley/src/Galley/Types/UserList.hs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/services/galley/src/Galley/Types/UserList.hs b/services/galley/src/Galley/Types/UserList.hs index 8b930a516f8..3dbc81444de 100644 --- a/services/galley/src/Galley/Types/UserList.hs +++ b/services/galley/src/Galley/Types/UserList.hs @@ -23,7 +23,6 @@ module Galley.Types.UserList ulFromLocals, ulFromRemotes, ulDiff, - ulLength, ) where @@ -65,6 +64,3 @@ ulDiff (UserList lA rA) (UserList lB rB) = UserList (filter (`notElem` lB) lA) (filter (`notElem` rB) rA) - -ulLength :: UserList a -> Int -ulLength (UserList locals remotes) = length locals + length remotes From 4cac27e445b79c84c049fd667611e811955c96b3 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 4 Jan 2024 14:59:16 +0100 Subject: [PATCH 11/18] Update integration/test/SetupHelpers.hs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marko Dimjašević --- integration/test/SetupHelpers.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration/test/SetupHelpers.hs b/integration/test/SetupHelpers.hs index cbd76282e83..8c72d3f0524 100644 --- a/integration/test/SetupHelpers.hs +++ b/integration/test/SetupHelpers.hs @@ -26,7 +26,7 @@ deleteUser :: (HasCallStack, MakesValue user) => user -> App () deleteUser user = bindResponse (API.Brig.deleteUser user) $ \resp -> do resp.status `shouldMatchInt` 200 --- | returns (user, team id, members) +-- | returns (owner, team id, members) createTeam :: (HasCallStack, MakesValue domain) => domain -> Int -> App (Value, String, [Value]) createTeam domain memberCount = do res <- createUser domain def {team = True} From f638a7603bacad2dd641e61d5f38609c5c68b190 Mon Sep 17 00:00:00 2001 
From: Leif Battermann Date: Thu, 4 Jan 2024 14:59:39 +0100 Subject: [PATCH 12/18] Update integration/test/Test/ExternalPartner.hs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marko Dimjašević --- integration/test/Test/ExternalPartner.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index 2f4149ff3b6..8af0837083e 100644 --- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -31,7 +31,7 @@ testExternalPartnerPermissions = do partner <- createTeamMemberWithRole owner tid "partner" - -- a partner should not be able to create conversation with more than 2 users + -- a partner should not be able to create conversation with 2 additional users or more void $ postConversation partner (defProteus {team = Just tid, qualifiedUsers = [u1, u2]}) >>= getJSON 403 do From c2e99be84132169de89c60e34b19021c74e359aa Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 4 Jan 2024 15:00:36 +0100 Subject: [PATCH 13/18] Update integration/test/Test/ExternalPartner.hs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marko Dimjašević --- integration/test/Test/ExternalPartner.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration/test/Test/ExternalPartner.hs b/integration/test/Test/ExternalPartner.hs index 8af0837083e..a35522140b2 100644 --- a/integration/test/Test/ExternalPartner.hs +++ b/integration/test/Test/ExternalPartner.hs @@ -27,7 +27,7 @@ import Testlib.Prelude testExternalPartnerPermissions :: HasCallStack => App () testExternalPartnerPermissions = do - (owner, tid, u1 : u2 : u3 : _) <- createTeam OwnDomain 6 + (owner, tid, u1 : u2 : u3 : _) <- createTeam OwnDomain 4 partner <- createTeamMemberWithRole owner tid "partner" From e2993320c40557f16bfbfb4fe6062e86491c8544 Mon Sep 17 00:00:00 2001 
From: Leif Battermann Date: Thu, 4 Jan 2024 15:01:13 +0100 Subject: [PATCH 14/18] Update services/galley/src/Galley/API/Action.hs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marko Dimjašević --- services/galley/src/Galley/API/Action.hs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index e8ccd0303ae..439c0b35605 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -469,9 +469,7 @@ performAction tag origUser lconv action = do pure (mempty, action) SConversationRenameTag -> do zusrMembership <- join <$> forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (qUnqualified origUser)) - case zusrMembership of - Just tm -> unless (tm `hasPermission` DoNotUseDeprecatedModifyConvName) $ throwS @'InvalidOperation - Nothing -> pure () + for_ zusrMembership $ \tm -> unless (tm `hasPermission` DoNotUseDeprecatedModifyConvName) $ throwS @'InvalidOperation cn <- rangeChecked (cupName action) E.setConversationName (tUnqualified lcnv) cn pure (mempty, action) From dfe65c884c3dcb5bc8d40baff22a45c3e5b5fdfe Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 4 Jan 2024 15:01:26 +0100 Subject: [PATCH 15/18] Update services/galley/src/Galley/API/Create.hs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marko Dimjašević --- services/galley/src/Galley/API/Create.hs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index d92b92e7b78..784bc2b1564 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs 
@@ -246,10 +246,8 @@ checkCreateConvPermissions lusr _newConv Nothing allUsers = do activated <- listToMaybe <$> lookupActivatedUsers [tUnqualified lusr] void $ noteS @OperationDenied activated -- an external partner is not allowed to create group conversations (except 1:1 team conversations that are handled below) - zusrMembership <- getTeamMember (tUnqualified lusr) Nothing - case zusrMembership of - Just tm -> void $ permissionCheck DoNotUseDeprecatedAddRemoveConvMember (Just tm) - Nothing -> pure () + forM_ (getTeamMember (tUnqualified lusr) Nothing) $ + void . permissionCheck DoNotUseDeprecatedAddRemoveConvMember . Just ensureConnected lusr allUsers checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do let convTeam = cnvTeamId tinfo From d203365dd664262370d9998a4288a4a331111349 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Thu, 4 Jan 2024 14:13:46 +0000 Subject: [PATCH 16/18] fix --- services/galley/src/Galley/API/Create.hs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index 784bc2b1564..ee9e2f6ebad 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs @@ -246,8 +246,9 @@ checkCreateConvPermissions lusr _newConv Nothing allUsers = do activated <- listToMaybe <$> lookupActivatedUsers [tUnqualified lusr] void $ noteS @OperationDenied activated -- an external partner is not allowed to create group conversations (except 1:1 team conversations that are handled below) - forM_ (getTeamMember (tUnqualified lusr) Nothing) $ - void . permissionCheck DoNotUseDeprecatedAddRemoveConvMember . Just + tm <- getTeamMember (tUnqualified lusr) Nothing + for_ tm $ + permissionCheck DoNotUseDeprecatedAddRemoveConvMember . Just ensureConnected lusr allUsers checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do let convTeam = cnvTeamId tinfo 
From 073d7584004ade9fc3126ef49d811e0dfcf74fd3 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Fri, 5 Jan 2024 13:19:00 +0000 Subject: [PATCH 17/18] remove prefix from team permissions --- libs/galley-types/src/Galley/Types/Teams.hs | 6 +- libs/wire-api/src/Wire/API/Team/Permission.hs | 29 ++-- .../Wire/API/Golden/Generated/Event_team.hs | 22 +-- .../Golden/Generated/NewTeamMember_team.hs | 42 +++--- .../API/Golden/Generated/Permissions_team.hs | 140 +++++++++--------- .../API/Golden/Generated/TeamMember_team.hs | 50 +++---- services/galley/src/Galley/API/Action.hs | 6 +- services/galley/src/Galley/API/Create.hs | 4 +- services/galley/src/Galley/API/Teams.hs | 4 +- services/galley/test/integration/API/Teams.hs | 14 +- 10 files changed, 163 insertions(+), 154 deletions(-) diff --git a/libs/galley-types/src/Galley/Types/Teams.hs b/libs/galley-types/src/Galley/Types/Teams.hs index e77b04951b0..e1887cee9f0 100644 --- a/libs/galley-types/src/Galley/Types/Teams.hs +++ b/libs/galley-types/src/Galley/Types/Teams.hs @@ -133,9 +133,9 @@ rolePerms RoleAdmin = rolePerms RoleMember = rolePerms RoleExternalPartner <> Set.fromList - [ DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + [ DeleteConversation, + AddRemoveConvMember, + ModifyConvName, GetMemberPermissions ] rolePerms RoleExternalPartner = diff --git a/libs/wire-api/src/Wire/API/Team/Permission.hs b/libs/wire-api/src/Wire/API/Team/Permission.hs index 7ed42a29e03..3b108391eda 100644 --- a/libs/wire-api/src/Wire/API/Team/Permission.hs +++ b/libs/wire-api/src/Wire/API/Team/Permission.hs @@ -117,7 +117,7 @@ serviceWhitelistPermissions = Set.fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetTeamData ] 
@@ -127,11 +127,20 @@ serviceWhitelistPermissions = -- | Team-level permission. Analog to conversation-level 'Action'. data Perm = CreateConversation - | DoNotUseDeprecatedDeleteConversation -- NOTE: This gets now overruled by conv level checks + | -- NOTE: This may get overruled by conv level checks in case those are more restrictive + -- We currently cannot get rid of this team-level permission in favor of the conv-level action + -- because it is used for e.g. for the team role 'RoleExternalPartner' + DeleteConversation | AddTeamMember | RemoveTeamMember - | DoNotUseDeprecatedAddRemoveConvMember -- NOTE: This gets now overruled by conv level checks - | DoNotUseDeprecatedModifyConvName -- NOTE: This gets now overruled by conv level checks + | -- NOTE: This may get overruled by conv level checks in case those are more restrictive + -- We currently cannot get rid of this team-level permission in favor of the conv-level action + -- because it is used for e.g. for the team role 'RoleExternalPartner' + AddRemoveConvMember + | -- NOTE: This may get overruled by conv level checks in case those are more restrictive + -- We currently cannot get rid of this team-level permission in favor of the conv-level action + -- because it is used for e.g. for the team role 'RoleExternalPartner' + ModifyConvName | GetBilling | SetBilling | SetTeamData @@ -159,11 +168,11 @@ intToPerms n = permToInt :: Perm -> Word64 permToInt CreateConversation = 0x0001 -permToInt DoNotUseDeprecatedDeleteConversation = 0x0002 +permToInt DeleteConversation = 0x0002 permToInt AddTeamMember = 0x0004 permToInt RemoveTeamMember = 0x0008 -permToInt DoNotUseDeprecatedAddRemoveConvMember = 0x0010 -permToInt DoNotUseDeprecatedModifyConvName = 0x0020 +permToInt AddRemoveConvMember = 0x0010 +permToInt ModifyConvName = 0x0020 permToInt GetBilling = 0x0040 permToInt SetBilling = 0x0080 permToInt SetTeamData = 0x0100 
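Review bot: The same three-line NOTE is repeated verbatim above `DeleteConversation`, `AddRemoveConvMember` and `ModifyConvName` in the `Perm` declaration, and each copy reads "it is used for e.g. for the team role". Stating it once in the Haddock of `Perm` and marking the three constructors with a short `-- see NOTE on 'Perm'` keeps the copies from drifting apart. The sentence itself should read `because it is used e.g. for the team role 'RoleExternalPartner'`.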
@@ -174,11 +183,11 @@ permToInt SetMemberPermissions = 0x1000 intToPerm :: Word64 -> Maybe Perm intToPerm 0x0001 = Just CreateConversation -intToPerm 0x0002 = Just DoNotUseDeprecatedDeleteConversation +intToPerm 0x0002 = Just DeleteConversation intToPerm 0x0004 = Just AddTeamMember intToPerm 0x0008 = Just RemoveTeamMember -intToPerm 0x0010 = Just DoNotUseDeprecatedAddRemoveConvMember -intToPerm 0x0020 = Just DoNotUseDeprecatedModifyConvName +intToPerm 0x0010 = Just AddRemoveConvMember +intToPerm 0x0020 = Just ModifyConvName intToPerm 0x0040 = Just GetBilling intToPerm 0x0080 = Just SetBilling intToPerm 0x0100 = Just SetTeamData diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs index f3c56c53990..c80d19bea0e 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Event_team.hs @@ -233,11 +233,11 @@ testObject_Event_team_18 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -249,11 +249,11 @@ testObject_Event_team_18 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, GetMemberPermissions, SetMemberPermissions, 
@@ -275,10 +275,10 @@ testObject_Event_team_19 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, GetMemberPermissions, @@ -286,9 +286,9 @@ testObject_Event_team_19 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, GetBilling, SetBilling, GetMemberPermissions, diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs index a2c41fd3f50..7424aefea39 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs @@ -30,9 +30,9 @@ import Wire.API.Team.Permission ( AddTeamMember, CreateConversation, DeleteTeam, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + DeleteConversation, + ModifyConvName, GetBilling, GetMemberPermissions, GetTeamConversations, @@ -63,13 +63,13 @@ testObject_NewTeamMember_team_2 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName + AddRemoveConvMember, + ModifyConvName ], - _copy = fromList [DoNotUseDeprecatedDeleteConversation, DoNotUseDeprecatedAddRemoveConvMember] + _copy = fromList [DeleteConversation, AddRemoveConvMember] } ) ( Just 
@@ -85,8 +85,8 @@ testObject_NewTeamMember_team_3 = ( Permissions { _self = fromList - [CreateConversation, DoNotUseDeprecatedDeleteConversation, RemoveTeamMember, GetBilling, DeleteTeam], - _copy = fromList [CreateConversation, DoNotUseDeprecatedDeleteConversation, GetBilling] + [CreateConversation, DeleteConversation, RemoveTeamMember, GetBilling, DeleteTeam], + _copy = fromList [CreateConversation, DeleteConversation, GetBilling] } ) ( Just @@ -124,7 +124,7 @@ testObject_NewTeamMember_team_6 = ( Permissions { _self = fromList - [CreateConversation, DoNotUseDeprecatedDeleteConversation, GetBilling, SetTeamData, SetMemberPermissions], + [CreateConversation, DeleteConversation, GetBilling, SetTeamData, SetMemberPermissions], _copy = fromList [CreateConversation, GetBilling] } ) @@ -141,7 +141,7 @@ testObject_NewTeamMember_team_7 = ( Permissions { _self = fromList - [AddTeamMember, RemoveTeamMember, DoNotUseDeprecatedModifyConvName, GetTeamConversations, DeleteTeam], + [AddTeamMember, RemoveTeamMember, ModifyConvName, GetTeamConversations, DeleteTeam], _copy = fromList [AddTeamMember] } ) @@ -156,8 +156,8 @@ testObject_NewTeamMember_team_8 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000008-0000-0003-0000-000200000003"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedModifyConvName], - _copy = fromList [DoNotUseDeprecatedModifyConvName] + { _self = fromList [ModifyConvName], + _copy = fromList [ModifyConvName] } ) ( Just @@ -193,7 +193,7 @@ testObject_NewTeamMember_team_11 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000006-0000-0005-0000-000000000002"))) ( Permissions - { _self = fromList [CreateConversation, DoNotUseDeprecatedModifyConvName, SetTeamData], + { _self = fromList [CreateConversation, ModifyConvName, SetTeamData], _copy = fromList [] } ) 
@@ -215,8 +215,8 @@ testObject_NewTeamMember_team_13 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000002-0000-0004-0000-000600000001"))) ( Permissions - { _self = fromList [AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, SetTeamData, GetTeamConversations], - _copy = fromList [AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, GetTeamConversations] + { _self = fromList [AddTeamMember, AddRemoveConvMember, SetTeamData, GetTeamConversations], + _copy = fromList [AddTeamMember, AddRemoveConvMember, GetTeamConversations] } ) Nothing @@ -228,7 +228,7 @@ testObject_NewTeamMember_team_14 = ( Permissions { _self = fromList - [CreateConversation, DoNotUseDeprecatedDeleteConversation, DoNotUseDeprecatedModifyConvName, GetBilling], + [CreateConversation, DeleteConversation, ModifyConvName, GetBilling], _copy = fromList [] } ) @@ -291,8 +291,8 @@ testObject_NewTeamMember_team_19 = mkNewTeamMember (Id (fromJust (UUID.fromString "00000004-0000-0005-0000-000100000008"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedDeleteConversation, RemoveTeamMember, SetBilling, SetMemberPermissions], - _copy = fromList [DoNotUseDeprecatedDeleteConversation, SetBilling] + { _self = fromList [DeleteConversation, RemoveTeamMember, SetBilling, SetMemberPermissions], + _copy = fromList [DeleteConversation, SetBilling] } ) Nothing @@ -305,8 +305,8 @@ testObject_NewTeamMember_team_20 = { _self = fromList [ AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, GetMemberPermissions, GetTeamConversations diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs index 1d6e451f5a5..b3179f897b5 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs 
@@ -25,9 +25,9 @@ import Wire.API.Team.Permission ( AddTeamMember, CreateConversation, DeleteTeam, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + DeleteConversation, + ModifyConvName, GetBilling, GetMemberPermissions, GetTeamConversations, @@ -47,11 +47,11 @@ testObject_Permissions_team_2 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, SetMemberPermissions, @@ -60,11 +60,11 @@ testObject_Permissions_team_2 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, SetMemberPermissions, @@ -77,10 +77,10 @@ testObject_Permissions_team_3 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, GetMemberPermissions, SetMemberPermissions, @@ -91,7 +91,7 @@ testObject_Permissions_team_3 = fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, GetMemberPermissions, SetMemberPermissions, GetTeamConversations, @@ -104,9 +104,9 @@ testObject_Permissions_team_4 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, GetBilling, SetBilling, GetMemberPermissions, 
@@ -124,7 +124,7 @@ testObject_Permissions_team_5 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetTeamData, GetMemberPermissions, @@ -135,7 +135,7 @@ testObject_Permissions_team_5 = fromList [ CreateConversation, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, GetMemberPermissions, DeleteTeam @@ -150,8 +150,8 @@ testObject_Permissions_team_6 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -163,8 +163,8 @@ testObject_Permissions_team_6 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, GetMemberPermissions, @@ -179,14 +179,14 @@ testObject_Permissions_team_7 = fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, GetTeamConversations, DeleteTeam ], - _copy = fromList [DoNotUseDeprecatedAddRemoveConvMember, GetBilling, DeleteTeam] + _copy = fromList [AddRemoveConvMember, GetBilling, DeleteTeam] } testObject_Permissions_team_8 :: Permissions @@ -195,11 +195,11 @@ testObject_Permissions_team_8 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, 
@@ -211,8 +211,8 @@ testObject_Permissions_team_8 = fromList [ AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, GetMemberPermissions, SetMemberPermissions @@ -225,11 +225,11 @@ testObject_Permissions_team_9 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, + DeleteConversation, + AddRemoveConvMember, GetMemberPermissions ], - _copy = fromList [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember, GetMemberPermissions] + _copy = fromList [CreateConversation, AddRemoveConvMember, GetMemberPermissions] } testObject_Permissions_team_10 :: Permissions @@ -238,10 +238,10 @@ testObject_Permissions_team_10 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations, @@ -250,10 +250,10 @@ testObject_Permissions_team_10 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations, @@ -266,7 +266,7 @@ testObject_Permissions_team_11 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, RemoveTeamMember, GetBilling, GetMemberPermissions, @@ -283,10 +283,10 @@ testObject_Permissions_team_12 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, 
@@ -298,10 +298,10 @@ testObject_Permissions_team_12 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -319,7 +319,7 @@ testObject_Permissions_team_13 = [ CreateConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetTeamData, SetMemberPermissions @@ -333,10 +333,10 @@ testObject_Permissions_team_14 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, SetTeamData, GetMemberPermissions, @@ -345,10 +345,10 @@ testObject_Permissions_team_14 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, SetTeamData, GetMemberPermissions, @@ -361,11 +361,11 @@ testObject_Permissions_team_15 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, GetMemberPermissions, SetMemberPermissions, @@ -379,8 +379,8 @@ testObject_Permissions_team_16 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, + [ DeleteConversation, + AddRemoveConvMember, GetBilling, SetTeamData, SetMemberPermissions, 
@@ -388,7 +388,7 @@ testObject_Permissions_team_16 = ], _copy = fromList - [DoNotUseDeprecatedDeleteConversation, GetBilling, SetTeamData, SetMemberPermissions, GetTeamConversations] + [DeleteConversation, GetBilling, SetTeamData, SetMemberPermissions, GetTeamConversations] } testObject_Permissions_team_17 :: Permissions @@ -396,10 +396,10 @@ testObject_Permissions_team_17 = Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, SetTeamData, GetMemberPermissions, SetMemberPermissions, @@ -408,10 +408,10 @@ testObject_Permissions_team_17 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, SetTeamData, GetMemberPermissions, SetMemberPermissions, @@ -427,7 +427,7 @@ testObject_Permissions_team_18 = fromList [ CreateConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, GetMemberPermissions, SetMemberPermissions, @@ -437,7 +437,7 @@ testObject_Permissions_team_18 = fromList [ CreateConversation, AddTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, GetMemberPermissions, DeleteTeam @@ -450,11 +450,11 @@ testObject_Permissions_team_19 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + ModifyConvName, SetBilling, SetTeamData, GetMemberPermissions, @@ -465,10 +465,10 @@ testObject_Permissions_team_19 = _copy = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, RemoveTeamMember, - DoNotUseDeprecatedAddRemoveConvMember, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations, 
@@ -482,9 +482,9 @@ testObject_Permissions_team_20 = { _self = fromList [ CreateConversation, - DoNotUseDeprecatedDeleteConversation, + DeleteConversation, AddTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetBilling, SetTeamData, @@ -493,9 +493,9 @@ testObject_Permissions_team_20 = ], _copy = fromList - [ DoNotUseDeprecatedDeleteConversation, + [ DeleteConversation, AddTeamMember, - DoNotUseDeprecatedModifyConvName, + ModifyConvName, GetBilling, SetBilling, SetTeamData, diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs index 03c976ffd9c..5002a512249 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs @@ -37,9 +37,9 @@ import Wire.API.Team.Permission ( AddTeamMember, CreateConversation, DeleteTeam, - DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedModifyConvName, + AddRemoveConvMember, + DeleteConversation, + ModifyConvName, GetBilling, GetMemberPermissions, GetTeamConversations, @@ -71,7 +71,7 @@ testObject_TeamMember_team_2 :: TeamMember testObject_TeamMember_team_2 = mkTeamMember (Id (fromJust (UUID.fromString "00000003-0000-0000-0000-000500000005"))) - (Permissions {_self = fromList [DoNotUseDeprecatedModifyConvName, SetMemberPermissions], _copy = fromList []}) + (Permissions {_self = fromList [ModifyConvName, SetMemberPermissions], _copy = fromList []}) ( Just ( Id (fromJust (UUID.fromString "00000000-0000-0000-0000-000000000004")), fromJust (readUTCTimeMillis "1864-05-03T14:56:52.508Z") 
@@ -86,7 +86,7 @@ testObject_TeamMember_team_3 = ( Permissions { _self = fromList - [DoNotUseDeprecatedDeleteConversation, AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, GetBilling], + [DeleteConversation, AddTeamMember, AddRemoveConvMember, GetBilling], _copy = fromList [GetBilling] } ) @@ -102,7 +102,7 @@ testObject_TeamMember_team_4 = mkTeamMember (Id (fromJust (UUID.fromString "00000008-0000-0005-0000-000100000006"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedModifyConvName, SetMemberPermissions], + { _self = fromList [ModifyConvName, SetMemberPermissions], _copy = fromList [SetMemberPermissions] } ) @@ -118,8 +118,8 @@ testObject_TeamMember_team_5 = mkTeamMember (Id (fromJust (UUID.fromString "00000007-0000-0000-0000-000200000001"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedDeleteConversation, GetBilling, SetBilling, GetMemberPermissions], - _copy = fromList [DoNotUseDeprecatedDeleteConversation, GetMemberPermissions] + { _self = fromList [DeleteConversation, GetBilling, SetBilling, GetMemberPermissions], + _copy = fromList [DeleteConversation, GetMemberPermissions] } ) ( Just @@ -136,7 +136,7 @@ testObject_TeamMember_team_6 = ( Permissions { _self = fromList - [CreateConversation, AddTeamMember, DoNotUseDeprecatedAddRemoveConvMember, SetBilling, SetTeamData], + [CreateConversation, AddTeamMember, AddRemoveConvMember, SetBilling, SetTeamData], _copy = fromList [] } ) @@ -154,8 +154,8 @@ testObject_TeamMember_team_7 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedDeleteConversation, - DoNotUseDeprecatedAddRemoveConvMember, + [ DeleteConversation, + AddRemoveConvMember, SetBilling, SetMemberPermissions, GetTeamConversations @@ -173,8 +173,8 @@ testObject_TeamMember_team_8 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + [ AddRemoveConvMember, + ModifyConvName, SetTeamData, SetMemberPermissions, DeleteTeam 
@@ -194,8 +194,8 @@ testObject_TeamMember_team_9 = mkTeamMember (Id (fromJust (UUID.fromString "00000008-0000-0006-0000-000300000003"))) ( Permissions - { _self = fromList [AddTeamMember, DoNotUseDeprecatedModifyConvName], - _copy = fromList [DoNotUseDeprecatedModifyConvName] + { _self = fromList [AddTeamMember, ModifyConvName], + _copy = fromList [ModifyConvName] } ) Nothing @@ -205,7 +205,7 @@ testObject_TeamMember_team_10 :: TeamMember testObject_TeamMember_team_10 = mkTeamMember (Id (fromJust (UUID.fromString "00000002-0000-0000-0000-000100000006"))) - (Permissions {_self = fromList [DoNotUseDeprecatedDeleteConversation, AddTeamMember], _copy = fromList []}) + (Permissions {_self = fromList [DeleteConversation, AddTeamMember], _copy = fromList []}) ( Just ( Id (fromJust (UUID.fromString "00000008-0000-0005-0000-000000000002")), fromJust (readUTCTimeMillis "1864-05-03T19:02:13.669Z") @@ -219,7 +219,7 @@ testObject_TeamMember_team_11 = (Id (fromJust (UUID.fromString "00000004-0000-0001-0000-000400000007"))) ( Permissions { _self = - fromList [CreateConversation, DoNotUseDeprecatedDeleteConversation, SetTeamData, SetMemberPermissions], + fromList [CreateConversation, DeleteConversation, SetTeamData, SetMemberPermissions], _copy = fromList [] } ) @@ -259,7 +259,7 @@ testObject_TeamMember_team_14 = mkTeamMember (Id (fromJust (UUID.fromString "00000004-0000-0000-0000-000300000007"))) ( Permissions - { _self = fromList [DoNotUseDeprecatedDeleteConversation, AddTeamMember, GetBilling, GetMemberPermissions], + { _self = fromList [DeleteConversation, AddTeamMember, GetBilling, GetMemberPermissions], _copy = fromList [GetBilling, GetMemberPermissions] } ) 
@@ -286,7 +286,7 @@ testObject_TeamMember_team_16 :: TeamMember testObject_TeamMember_team_16 = mkTeamMember (Id (fromJust (UUID.fromString "00000000-0000-0008-0000-000200000008"))) - (Permissions {_self = fromList [DoNotUseDeprecatedDeleteConversation, GetTeamConversations], _copy = fromList []}) + (Permissions {_self = fromList [DeleteConversation, GetTeamConversations], _copy = fromList []}) ( Just ( Id (fromJust (UUID.fromString "00000006-0000-0000-0000-000400000002")), fromJust (readUTCTimeMillis "1864-05-10T04:27:37.101Z") @@ -301,13 +301,13 @@ testObject_TeamMember_team_17 = ( Permissions { _self = fromList - [ DoNotUseDeprecatedAddRemoveConvMember, - DoNotUseDeprecatedModifyConvName, + [ AddRemoveConvMember, + ModifyConvName, GetBilling, SetTeamData, GetTeamConversations ], - _copy = fromList [DoNotUseDeprecatedAddRemoveConvMember] + _copy = fromList [AddRemoveConvMember] } ) ( Just @@ -323,7 +323,7 @@ testObject_TeamMember_team_18 = (Id (fromJust (UUID.fromString "00000005-0000-0005-0000-000200000008"))) ( Permissions { _self = - fromList [RemoveTeamMember, DoNotUseDeprecatedModifyConvName, GetMemberPermissions, SetMemberPermissions], + fromList [RemoveTeamMember, ModifyConvName, GetMemberPermissions, SetMemberPermissions], _copy = fromList [SetMemberPermissions] } ) @@ -340,7 +340,7 @@ testObject_TeamMember_team_19 = (Id (fromJust (UUID.fromString "00000003-0000-0002-0000-000200000008"))) ( Permissions { _self = - fromList [AddTeamMember, DoNotUseDeprecatedModifyConvName, GetBilling, SetBilling, SetMemberPermissions], + fromList [AddTeamMember, ModifyConvName, GetBilling, SetBilling, SetMemberPermissions], _copy = fromList [SetMemberPermissions] } ) 
@@ -356,7 +356,7 @@ testObject_TeamMember_team_20 = mkTeamMember (Id (fromJust (UUID.fromString "00000005-0000-0007-0000-000100000005"))) ( Permissions - { _self = fromList [CreateConversation, AddTeamMember, DoNotUseDeprecatedModifyConvName, GetBilling], + { _self = fromList [CreateConversation, AddTeamMember, ModifyConvName, GetBilling], _copy = fromList [] } ) diff --git a/services/galley/src/Galley/API/Action.hs b/services/galley/src/Galley/API/Action.hs index 439c0b35605..c3a3448f77d 100644 --- a/services/galley/src/Galley/API/Action.hs +++ b/services/galley/src/Galley/API/Action.hs @@ -123,7 +123,7 @@ import Wire.API.Routes.Internal.Brig.Connection import Wire.API.Team.Feature import Wire.API.Team.LegalHold import Wire.API.Team.Member -import Wire.API.Team.Permission (Perm (DoNotUseDeprecatedAddRemoveConvMember, DoNotUseDeprecatedModifyConvName)) +import Wire.API.Team.Permission (Perm (AddRemoveConvMember, ModifyConvName)) import Wire.API.User qualified as User data NoChanges = NoChanges @@ -469,7 +469,7 @@ performAction tag origUser lconv action = do pure (mempty, action) SConversationRenameTag -> do zusrMembership <- join <$> forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (qUnqualified origUser)) - for_ zusrMembership $ \tm -> unless (tm `hasPermission` DoNotUseDeprecatedModifyConvName) $ throwS @'InvalidOperation + for_ zusrMembership $ \tm -> unless (tm `hasPermission` ModifyConvName) $ throwS @'InvalidOperation cn <- rangeChecked (cupName action) E.setConversationName (tUnqualified lcnv) cn pure (mempty, action) 
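Review bot: In the `SConversationRenameTag` branch of `performAction`, the `ModifyConvName` check sits inside `for_ zusrMembership`, so it runs only when the team-member lookup returns a member; a caller for whom `E.getTeamMember` yields nothing reaches `E.setConversationName` with no team-permission check in these lines. `checkTeamMemberAddPermissions` in the later hunk of this file has the same shape, using `maybe (pure ()) …` around the `AddRemoveConvMember` check. If skipping non-team callers is intended, presumably because their conversation role is enforced elsewhere, record that at both sites, e.g. `-- callers outside the conversation's team are not subject to team permissions here`. If it is not intended, the `Nothing` case should be rejected explicitly rather than passed through. Both function bodies continue outside their hunks.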
@@ -618,7 +618,7 @@ performConversationJoin qusr lconv (ConversationJoin invited role) = do checkTeamMemberAddPermissions :: Local UserId -> Sem r () checkTeamMemberAddPermissions lusr = forM (cnvmTeam (convMetadata conv)) (flip E.getTeamMember (tUnqualified lusr)) - >>= (maybe (pure ()) (\tm -> unless (tm `hasPermission` DoNotUseDeprecatedAddRemoveConvMember) $ throwS @'InvalidOperation)) + >>= (maybe (pure ()) (\tm -> unless (tm `hasPermission` AddRemoveConvMember) $ throwS @'InvalidOperation)) . join performConversationAccessData :: diff --git a/services/galley/src/Galley/API/Create.hs b/services/galley/src/Galley/API/Create.hs index ee9e2f6ebad..182e96fbc5b 100644 --- a/services/galley/src/Galley/API/Create.hs +++ b/services/galley/src/Galley/API/Create.hs @@ -248,7 +248,7 @@ checkCreateConvPermissions lusr _newConv Nothing allUsers = do -- an external partner is not allowed to create group conversations (except 1:1 team conversations that are handled below) tm <- getTeamMember (tUnqualified lusr) Nothing for_ tm $ - permissionCheck DoNotUseDeprecatedAddRemoveConvMember . Just + permissionCheck AddRemoveConvMember . Just ensureConnected lusr allUsers checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do let convTeam = cnvTeamId tinfo @@ -269,7 +269,7 @@ checkCreateConvPermissions lusr newConv (Just tinfo) allUsers = do -- this only applies to proteus conversations, because in MLS we have proper 1:1 conversations, -- so we don't allow an external partner to create an MLS group conversation at all when (length allUsers > 1 || newConv.newConvProtocol == BaseProtocolMLSTag) $ do - void $ permissionCheck DoNotUseDeprecatedAddRemoveConvMember zusrMembership + void $ permissionCheck AddRemoveConvMember zusrMembership -- Team members are always considered to be connected, so we only check -- 'ensureConnected' for non-team-members. 
diff --git a/services/galley/src/Galley/API/Teams.hs b/services/galley/src/Galley/API/Teams.hs index 03f8cf65203..e907e4883d8 100644 --- a/services/galley/src/Galley/API/Teams.hs +++ b/services/galley/src/Galley/API/Teams.hs @@ -124,7 +124,7 @@ import SAML2.WebSSO qualified as SAML import System.Logger (Msg) import System.Logger qualified as Log import Wire.API.Conversation (ConversationRemoveMembers (..)) -import Wire.API.Conversation.Role (Action (DeleteConversation), wireConvRoles) +import Wire.API.Conversation.Role (wireConvRoles) import Wire.API.Conversation.Role qualified as Public import Wire.API.Error import Wire.API.Error.Galley @@ -1109,7 +1109,7 @@ deleteTeamConversation :: Member (ErrorS 'ConvNotFound) r, Member (ErrorS 'InvalidOperation) r, Member (ErrorS 'NotATeamMember) r, - Member (ErrorS ('ActionDenied 'DeleteConversation)) r, + Member (ErrorS ('ActionDenied 'Public.DeleteConversation)) r, Member FederatorAccess r, Member MemberStore r, Member ProposalStore r, diff --git a/services/galley/test/integration/API/Teams.hs b/services/galley/test/integration/API/Teams.hs index 0b95dd4c4d9..a213949cb27 100644 --- a/services/galley/test/integration/API/Teams.hs +++ b/services/galley/test/integration/API/Teams.hs @@ -89,7 +89,7 @@ import Wire.API.Team.Member import Wire.API.Team.Member qualified as Member import Wire.API.Team.Member qualified as TM import Wire.API.Team.Member qualified as Teams -import Wire.API.Team.Permission +import Wire.API.Team.Permission as P import Wire.API.Team.Role import Wire.API.Team.SearchVisibility import Wire.API.User qualified as Public 
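Review bot: With the `DoNotUseDeprecated` prefix gone, `DeleteConversation` now names both a team `Perm` and the conversation-role `Action`, which is why this hunk has to spell `'Public.DeleteConversation` in the `ActionDenied` constraint of `deleteTeamConversation`. A bare `DeleteConversation` at a call site no longer tells the reader which authorization layer is being checked. The integration test's `import Wire.API.Team.Permission as P` in the following hunk presumably works around the same clash, yet it still brings every constructor into scope unqualified; a one-line comment beside that import, such as `-- P.DeleteConversation is the team Perm, not the conversation-role Action`, would record why the alias exists. The constraint list of `deleteTeamConversation` starts and ends outside the hunk.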
@@ -473,8 +473,8 @@ testEnableTeamSearchVisibilityPerTeam = do testCreateOne2OneFailForNonTeamMembers :: TestM () testCreateOne2OneFailForNonTeamMembers = do owner <- Util.randomUser - let p1 = Util.symmPermissions [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember] - let p2 = Util.symmPermissions [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember, AddTeamMember] + let p1 = Util.symmPermissions [CreateConversation, AddRemoveConvMember] + let p2 = Util.symmPermissions [CreateConversation, AddRemoveConvMember, AddTeamMember] mem1 <- newTeamMember' p1 <$> Util.randomUser mem2 <- newTeamMember' p2 <$> Util.randomUser Util.connectUsers owner (list1 (mem1 ^. userId) [mem2 ^. userId]) @@ -732,7 +732,7 @@ testAddTeamConvLegacy = do c <- view tsCannon (owner, tid) <- Util.createBindingTeam extern <- Util.randomUser - let p = Util.symmPermissions [CreateConversation, DoNotUseDeprecatedAddRemoveConvMember] + let p = Util.symmPermissions [CreateConversation, AddRemoveConvMember] mem1 <- newTeamMember' p <$> Util.randomUser mem2 <- newTeamMember' p <$> Util.randomUser Util.connectUsers owner (list1 (mem1 ^. userId) [extern, mem2 ^. userId]) @@ -826,7 +826,7 @@ testAddTeamMemberToConv :: TestM () testAddTeamMemberToConv = do personalUser <- Util.randomUser (ownerT1, qOwnerT1) <- Util.randomUserTuple - let p = Util.symmPermissions [DoNotUseDeprecatedAddRemoveConvMember] + let p = Util.symmPermissions [AddRemoveConvMember] mem1T1 <- Util.randomUser qMem1T1 <- Qualified mem1T1 <$> viewFederationDomain mem2T1 <- Util.randomUser 
@@ -858,7 +858,7 @@ testAddTeamMemberToConv = do qcidPersonal <- Qualified cidPersonal <$> viewFederationDomain -- NOTE: This functionality was _changed_ as there was no need for it... -- mem1T1 (who is *not* a member of the new conversation) can *not* add other team members - -- despite being a team member and having the permission `DoNotUseDeprecatedAddRemoveConvMember`. + -- despite being a team member and having the permission `AddRemoveConvMember`. Util.assertNotConvMember mem1T1 cidT1 Util.postMembers mem1T1 (pure qMem2T1) qcidT1 !!! const 404 === statusCode Util.assertNotConvMember mem2T1 cidT1 @@ -1235,7 +1235,7 @@ testDeleteTeamConv = do c <- view tsCannon (tid, owner, _) <- Util.createBindingTeamWithMembers 2 qOwner <- Qualified owner <$> viewFederationDomain - let p = Util.symmPermissions [DoNotUseDeprecatedDeleteConversation] + let p = Util.symmPermissions [P.DeleteConversation] member <- newTeamMember' p <$> Util.randomUser qMember <- Qualified (member ^. userId) <$> viewFederationDomain Util.addTeamMemberInternal tid (member ^. userId) (member ^. permissions) Nothing From aba9ad1a9c86d02e2ded96e6533c9fa873ef8244 Mon Sep 17 00:00:00 2001 From: Leif Battermann Date: Fri, 5 Jan 2024 13:32:08 +0000 Subject: [PATCH 18/18] linting --- .../Test/Wire/API/Golden/Generated/NewTeamMember_team.hs | 8 ++++---- .../Test/Wire/API/Golden/Generated/Permissions_team.hs | 8 ++++---- .../Test/Wire/API/Golden/Generated/TeamMember_team.hs | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs index 7424aefea39..34294b4bd00 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/NewTeamMember_team.hs 
@@ -27,15 +27,15 @@ import Imports (Maybe (Just, Nothing), fromJust) import Wire.API.Team.Member (NewTeamMember, mkNewTeamMember) import Wire.API.Team.Permission ( Perm - ( AddTeamMember, + ( AddRemoveConvMember, + AddTeamMember, CreateConversation, - DeleteTeam, - AddRemoveConvMember, DeleteConversation, - ModifyConvName, + DeleteTeam, GetBilling, GetMemberPermissions, GetTeamConversations, + ModifyConvName, RemoveTeamMember, SetBilling, SetMemberPermissions, diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs index b3179f897b5..fd47570ce6c 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/Permissions_team.hs @@ -22,15 +22,15 @@ module Test.Wire.API.Golden.Generated.Permissions_team where import GHC.Exts (IsList (fromList)) import Wire.API.Team.Permission ( Perm - ( AddTeamMember, + ( AddRemoveConvMember, + AddTeamMember, CreateConversation, - DeleteTeam, - AddRemoveConvMember, DeleteConversation, - ModifyConvName, + DeleteTeam, GetBilling, GetMemberPermissions, GetTeamConversations, + ModifyConvName, RemoveTeamMember, SetBilling, SetMemberPermissions, diff --git a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs index 5002a512249..358b5cf8810 100644 --- a/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs +++ b/libs/wire-api/test/golden/Test/Wire/API/Golden/Generated/TeamMember_team.hs 
@@ -34,15 +34,15 @@ import Imports (Maybe (Just, Nothing), fromJust) import Wire.API.Team.Member (TeamMember, mkTeamMember) import Wire.API.Team.Permission ( Perm - ( AddTeamMember, + ( AddRemoveConvMember, + AddTeamMember, CreateConversation, - DeleteTeam, - AddRemoveConvMember, DeleteConversation, - ModifyConvName, + DeleteTeam, GetBilling, GetMemberPermissions, GetTeamConversations, + ModifyConvName, RemoveTeamMember, SetBilling, SetMemberPermissions,