🎣 Open-Source Phishing Toolkit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

88 lines
3.0 KiB

  1. package models
  2. /*
  3. Design:
  4. Gophish implements simple Role-Based-Access-Control (RBAC) to control access to
  5. certain resources.
  6. By default, Gophish has two separate roles, with each user being assigned to
  7. a single role:
  8. * Admin - Can modify all objects as well as system-level configuration
  9. * User - Can modify all objects
  10. It's important to note that these are global roles. In the future, we'll likely
  11. add the concept of teams, which will include their own roles and permission
  12. system similar to these global permissions.
  13. Each role maps to one or more permissions, making it easy to add more granular
  14. permissions over time.
  15. This is supported through a simple API on a user object,
  16. `HasPermission(Permission)`, which returns a boolean and an error.
  17. This API checks the role associated with the user to see if that role has the
  18. requested permission.
  19. */
  20. const (
  21. // RoleAdmin is used for Gophish system administrators. Users with this
  22. // role have the ability to manage all objects within Gophish, as well as
  23. // system-level configuration, such as users and URLs.
  24. RoleAdmin = "admin"
  25. // RoleUser is used for standard Gophish users. Users with this role can
  26. // create, manage, and view Gophish objects and campaigns.
  27. RoleUser = "user"
  28. // PermissionViewObjects determines if a role can view standard Gophish
  29. // objects such as campaigns, groups, landing pages, etc.
  30. PermissionViewObjects = "view_objects"
  31. // PermissionModifyObjects determines if a role can create and modify
  32. // standard Gophish objects.
  33. PermissionModifyObjects = "modify_objects"
  34. // PermissionModifySystem determines if a role can manage system-level
  35. // configuration.
  36. PermissionModifySystem = "modify_system"
  37. )
  38. // Role represents a user role within Gophish. Each user has a single role
  39. // which maps to a set of permissions.
  40. type Role struct {
  41. ID int64 `json:"-"`
  42. Slug string `json:"slug"`
  43. Name string `json:"name"`
  44. Description string `json:"description"`
  45. Permissions []Permission `json:"-" gorm:"many2many:role_permissions;"`
  46. }
  47. // Permission determines what a particular role can do. Each role may have one
  48. // or more permissions.
  49. type Permission struct {
  50. ID int64 `json:"id"`
  51. Slug string `json:"slug"`
  52. Name string `json:"name"`
  53. Description string `json:"description"`
  54. }
  55. // GetRoleBySlug returns a role that can be assigned to a user.
  56. func GetRoleBySlug(slug string) (Role, error) {
  57. role := Role{}
  58. err := db.Where("slug=?", slug).First(&role).Error
  59. return role, err
  60. }
  61. // HasPermission checks to see if the user has a role with the requested
  62. // permission.
  63. func (u *User) HasPermission(slug string) (bool, error) {
  64. perm := []Permission{}
  65. err := db.Model(Role{ID: u.RoleID}).Where("slug=?", slug).Association("Permissions").Find(&perm).Error
  66. if err != nil {
  67. return false, err
  68. }
  69. // Gorm doesn't return an ErrRecordNotFound whe scanning into a slice, so
  70. // we need to check the length (ref jinzhu/gorm#228)
  71. if len(perm) == 0 {
  72. return false, nil
  73. }
  74. return true, nil
  75. }