2019-02-20 02:33:50 +00:00
|
|
|
package models
|
|
|
|
|
|
|
|
/*
|
|
|
|
Design:
|
|
|
|
|
|
|
|
Gophish implements simple Role-Based-Access-Control (RBAC) to control access to
|
|
|
|
certain resources.
|
|
|
|
|
|
|
|
By default, Gophish has two separate roles, with each user being assigned to
|
|
|
|
a single role:
|
|
|
|
|
|
|
|
* Admin - Can modify all objects as well as system-level configuration
|
|
|
|
* User - Can modify all objects
|
|
|
|
|
|
|
|
It's important to note that these are global roles. In the future, we'll likely
|
|
|
|
add the concept of teams, which will include their own roles and permission
|
|
|
|
system similar to these global permissions.
|
|
|
|
|
|
|
|
Each role maps to one or more permissions, making it easy to add more granular
|
|
|
|
permissions over time.
|
|
|
|
|
|
|
|
This is supported through a simple API on a user object,
|
|
|
|
`HasPermission(Permission)`, which returns a boolean and an error.
|
|
|
|
This API checks the role associated with the user to see if that role has the
|
|
|
|
requested permission.
|
|
|
|
*/
|
|
|
|
|
|
|
|
const (
|
|
|
|
// RoleAdmin is used for Gophish system administrators. Users with this
|
|
|
|
// role have the ability to manage all objects within Gophish, as well as
|
|
|
|
// system-level configuration, such as users and URLs.
|
|
|
|
RoleAdmin = "admin"
|
|
|
|
// RoleUser is used for standard Gophish users. Users with this role can
|
|
|
|
// create, manage, and view Gophish objects and campaigns.
|
|
|
|
RoleUser = "user"
|
|
|
|
|
|
|
|
// PermissionViewObjects determines if a role can view standard Gophish
|
|
|
|
// objects such as campaigns, groups, landing pages, etc.
|
|
|
|
PermissionViewObjects = "view_objects"
|
|
|
|
// PermissionModifyObjects determines if a role can create and modify
|
|
|
|
// standard Gophish objects.
|
|
|
|
PermissionModifyObjects = "modify_objects"
|
|
|
|
// PermissionModifySystem determines if a role can manage system-level
|
|
|
|
// configuration.
|
|
|
|
PermissionModifySystem = "modify_system"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Role represents a user role within Gophish. Each user has a single role
|
|
|
|
// which maps to a set of permissions.
|
|
|
|
type Role struct {
|
2019-05-31 18:58:18 +00:00
|
|
|
ID int64 `json:"-"`
|
2019-02-20 02:33:50 +00:00
|
|
|
Slug string `json:"slug"`
|
|
|
|
Name string `json:"name"`
|
|
|
|
Description string `json:"description"`
|
|
|
|
Permissions []Permission `json:"-" gorm:"many2many:role_permissions;"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// Permission determines what a particular role can do. Each role may have one
|
|
|
|
// or more permissions.
|
|
|
|
type Permission struct {
|
|
|
|
ID int64 `json:"id"`
|
|
|
|
Slug string `json:"slug"`
|
|
|
|
Name string `json:"name"`
|
|
|
|
Description string `json:"description"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetRoleBySlug returns a role that can be assigned to a user.
|
|
|
|
func GetRoleBySlug(slug string) (Role, error) {
|
|
|
|
role := Role{}
|
|
|
|
err := db.Where("slug=?", slug).First(&role).Error
|
|
|
|
return role, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// HasPermission checks to see if the user has a role with the requested
|
|
|
|
// permission.
|
|
|
|
func (u *User) HasPermission(slug string) (bool, error) {
|
|
|
|
perm := []Permission{}
|
|
|
|
err := db.Model(Role{ID: u.RoleID}).Where("slug=?", slug).Association("Permissions").Find(&perm).Error
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
// Gorm doesn't return an ErrRecordNotFound whe scanning into a slice, so
|
|
|
|
// we need to check the length (ref jinzhu/gorm#228)
|
|
|
|
if len(perm) == 0 {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
return true, nil
|
|
|
|
}
|