2014-02-03 19:24:49 +00:00
|
|
|
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
|
2013-06-12 15:59:58 +00:00
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
class UsersController < ApplicationController
|
2015-11-12 09:37:24 +00:00
|
|
|
before_action :authentication_check, except: [:create, :password_reset_send, :password_reset_verify, :image]
|
2012-04-10 14:06:46 +00:00
|
|
|
|
2014-12-18 14:59:45 +00:00
|
|
|
# @path [GET] /users
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @summary Returns a list of User records.
|
|
|
|
# @notes The requester has to be in the role 'Admin' or 'Agent' to
|
|
|
|
# get a list of all Users. If the requester is in the
|
|
|
|
# role 'Customer' only just the own User record will be returned.
|
2014-12-18 14:59:45 +00:00
|
|
|
#
|
|
|
|
# @response_message 200 [Array<User>] List of matching User records.
|
|
|
|
# @response_message 401 Invalid session.
|
2012-04-10 14:06:46 +00:00
|
|
|
def index
|
2013-07-19 14:21:44 +00:00
|
|
|
|
|
|
|
# only allow customer to fetch him self
|
2016-01-15 17:22:57 +00:00
|
|
|
users = if role?(Z_ROLENAME_CUSTOMER) && !role?(Z_ROLENAME_ADMIN) && !role?('Agent')
|
2016-01-20 01:48:54 +00:00
|
|
|
User.where(id: current_user.id)
|
2016-01-15 17:22:57 +00:00
|
|
|
else
|
|
|
|
User.all
|
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
users_all = []
|
|
|
|
users.each {|user|
|
2016-01-20 01:48:54 +00:00
|
|
|
users_all.push User.lookup(id: user.id).attributes_with_associations
|
2012-04-10 14:06:46 +00:00
|
|
|
}
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: users_all, status: :ok
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
|
2014-12-18 14:59:45 +00:00
|
|
|
# @path [GET] /users/{id}
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @summary Returns the User record with the requested identifier.
|
|
|
|
# @notes The requester has to be in the role 'Admin' or 'Agent' to
|
|
|
|
# access all User records. If the requester is in the
|
|
|
|
# role 'Customer' just the own User record is accessable.
|
2014-12-18 14:59:45 +00:00
|
|
|
#
|
|
|
|
# @parameter id(required) [Integer] The identifier matching the requested User.
|
|
|
|
# @parameter full [Bool] If set a Asset structure with all connected Assets gets returned.
|
|
|
|
#
|
|
|
|
# @response_message 200 [User] User record matching the requested identifier.
|
|
|
|
# @response_message 401 Invalid session.
|
2012-04-10 14:06:46 +00:00
|
|
|
def show
|
2013-07-19 14:21:44 +00:00
|
|
|
|
|
|
|
# access deny
|
2014-12-01 07:32:35 +00:00
|
|
|
return if !permission_check
|
2014-08-13 00:12:38 +00:00
|
|
|
|
|
|
|
if params[:full]
|
2016-01-20 01:48:54 +00:00
|
|
|
full = User.full(params[:id])
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: full
|
2014-08-13 00:12:38 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2016-05-10 14:07:39 +00:00
|
|
|
user = User.find(params[:id]).attributes_with_associations
|
|
|
|
user.delete('password')
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: user
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
|
2014-12-18 14:59:45 +00:00
|
|
|
# @path [POST] /users
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @summary Creates a User record with the provided attribute values.
|
2014-12-18 14:59:45 +00:00
|
|
|
# @notes TODO.
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @parameter User(required,body) [User] The attribute value structure needed to create a User record.
|
2014-12-18 14:59:45 +00:00
|
|
|
#
|
|
|
|
# @response_message 200 [User] Created User record.
|
|
|
|
# @response_message 401 Invalid session.
|
2012-04-10 14:06:46 +00:00
|
|
|
def create
|
2015-02-06 16:13:13 +00:00
|
|
|
user = User.new( User.param_cleanup(params, true) )
|
2013-01-08 00:43:07 +00:00
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
begin
|
2013-04-21 23:03:19 +00:00
|
|
|
# check if it's first user
|
|
|
|
count = User.all.count()
|
2012-04-10 14:06:46 +00:00
|
|
|
|
2012-04-12 11:27:01 +00:00
|
|
|
# if it's a signup, add user to customer role
|
2013-04-21 23:03:19 +00:00
|
|
|
if !current_user
|
|
|
|
user.updated_by_id = 1
|
|
|
|
user.created_by_id = 1
|
2012-08-10 07:43:36 +00:00
|
|
|
|
2013-01-08 00:43:07 +00:00
|
|
|
# check if feature is enabled
|
|
|
|
if !Setting.get('user_create_account')
|
2016-02-16 15:41:33 +00:00
|
|
|
render json: { error_human: 'Feature not enabled!' }, status: :unprocessable_entity
|
2013-01-08 00:43:07 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2013-04-21 23:03:19 +00:00
|
|
|
# add first user as admin/agent and to all groups
|
2012-04-13 13:51:10 +00:00
|
|
|
group_ids = []
|
|
|
|
role_ids = []
|
2012-04-12 11:27:01 +00:00
|
|
|
if count <= 2
|
2016-04-30 14:38:24 +00:00
|
|
|
Role.where(name: [ Z_ROLENAME_ADMIN, 'Agent', 'Chat']).each { |role|
|
2012-04-13 13:51:10 +00:00
|
|
|
role_ids.push role.id
|
|
|
|
}
|
|
|
|
Group.all().each { |group|
|
|
|
|
group_ids.push group.id
|
|
|
|
}
|
2012-08-10 07:43:36 +00:00
|
|
|
|
2013-06-12 15:59:58 +00:00
|
|
|
# everybody else will go as customer per default
|
2012-04-10 14:06:46 +00:00
|
|
|
else
|
2016-01-20 01:48:54 +00:00
|
|
|
role_ids.push Role.where(name: Z_ROLENAME_CUSTOMER).first.id
|
2012-04-12 11:27:01 +00:00
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
user.role_ids = role_ids
|
|
|
|
user.group_ids = group_ids
|
2012-04-12 11:27:01 +00:00
|
|
|
|
2015-07-07 05:56:31 +00:00
|
|
|
# else do assignment as defined
|
2012-04-12 11:27:01 +00:00
|
|
|
else
|
2014-12-01 07:32:35 +00:00
|
|
|
|
|
|
|
# permission check by role
|
2016-02-17 18:36:33 +00:00
|
|
|
return if !permission_check_by_role(params)
|
2014-12-01 07:32:35 +00:00
|
|
|
|
2012-04-12 11:27:01 +00:00
|
|
|
if params[:role_ids]
|
2012-09-20 12:08:02 +00:00
|
|
|
user.role_ids = params[:role_ids]
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2012-04-12 11:27:01 +00:00
|
|
|
if params[:group_ids]
|
2012-09-20 12:08:02 +00:00
|
|
|
user.group_ids = params[:group_ids]
|
2012-04-12 11:27:01 +00:00
|
|
|
end
|
|
|
|
end
|
2012-08-10 07:43:36 +00:00
|
|
|
|
2013-01-20 01:27:47 +00:00
|
|
|
# check if user already exists
|
|
|
|
if user.email
|
2016-01-20 01:48:54 +00:00
|
|
|
exists = User.where(email: user.email.downcase).first
|
2013-01-20 01:27:47 +00:00
|
|
|
if exists
|
2016-02-16 15:41:33 +00:00
|
|
|
render json: { error_human: 'User already exists!' }, status: :unprocessable_entity
|
2013-01-20 01:27:47 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
end
|
2015-02-06 16:13:13 +00:00
|
|
|
user.save!
|
2012-11-06 21:43:13 +00:00
|
|
|
|
2014-11-04 09:06:41 +00:00
|
|
|
# if first user was added, set system init done
|
2013-03-19 00:46:49 +00:00
|
|
|
if count <= 2
|
2016-01-20 01:48:54 +00:00
|
|
|
Setting.set('system_init_done', true)
|
2015-07-07 05:56:31 +00:00
|
|
|
|
|
|
|
# fetch org logo
|
|
|
|
if user.email
|
2015-07-15 19:45:40 +00:00
|
|
|
Service::Image.organization_suggest(user.email)
|
2015-07-07 05:56:31 +00:00
|
|
|
end
|
2013-03-19 00:46:49 +00:00
|
|
|
end
|
|
|
|
|
2013-01-03 10:47:39 +00:00
|
|
|
# send inviteation if needed / only if session exists
|
|
|
|
if params[:invite] && current_user
|
2016-01-20 01:48:54 +00:00
|
|
|
token = Token.create(action: 'PasswordReset', user_id: user.id)
|
2016-04-13 23:40:37 +00:00
|
|
|
NotificationFactory::Mailer.notification(
|
2016-02-19 21:05:36 +00:00
|
|
|
template: 'user_invite',
|
|
|
|
user: user,
|
|
|
|
objects: {
|
|
|
|
token: token,
|
|
|
|
user: user,
|
|
|
|
current_user: current_user,
|
|
|
|
}
|
|
|
|
)
|
|
|
|
end
|
2013-01-03 09:39:33 +00:00
|
|
|
|
2016-02-19 21:05:36 +00:00
|
|
|
# send email verify
|
|
|
|
if params[:signup] && !current_user
|
|
|
|
token = Token.create(action: 'EmailVerify', user_id: user.id)
|
2016-04-13 23:40:37 +00:00
|
|
|
NotificationFactory::Mailer.notification(
|
2016-02-19 21:05:36 +00:00
|
|
|
template: 'signup',
|
|
|
|
user: user,
|
|
|
|
objects: {
|
|
|
|
token: token,
|
|
|
|
user: user,
|
|
|
|
}
|
2013-01-03 09:39:33 +00:00
|
|
|
)
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2016-05-10 14:07:39 +00:00
|
|
|
user_new = User.find(user.id).attributes_with_associations
|
|
|
|
user_new.delete('password')
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: user_new, status: :created
|
2015-05-08 14:09:24 +00:00
|
|
|
rescue => e
|
2016-02-16 15:41:33 +00:00
|
|
|
render json: model_match_error(e.message), status: :unprocessable_entity
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-12-18 14:59:45 +00:00
|
|
|
# @path [PUT] /users/{id}
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @summary Updates the User record matching the identifier with the provided attribute values.
|
2014-12-18 14:59:45 +00:00
|
|
|
# @notes TODO.
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @parameter id(required) [Integer] The identifier matching the requested User record.
|
|
|
|
# @parameter User(required,body) [User] The attribute value structure needed to update a User record.
|
2014-12-18 14:59:45 +00:00
|
|
|
#
|
|
|
|
# @response_message 200 [User] Updated User record.
|
|
|
|
# @response_message 401 Invalid session.
|
2012-04-10 14:06:46 +00:00
|
|
|
def update
|
2013-04-21 23:03:19 +00:00
|
|
|
|
2014-12-01 07:32:35 +00:00
|
|
|
# access deny
|
|
|
|
return if !permission_check
|
2013-04-21 23:03:19 +00:00
|
|
|
|
2016-01-20 01:48:54 +00:00
|
|
|
user = User.find(params[:id])
|
2012-04-10 14:06:46 +00:00
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
begin
|
2013-06-12 15:59:58 +00:00
|
|
|
|
2016-02-17 18:36:33 +00:00
|
|
|
# permission check by role
|
|
|
|
return if !permission_check_by_role(params)
|
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
user.update_attributes( User.param_cleanup(params) )
|
2013-04-21 23:03:19 +00:00
|
|
|
|
|
|
|
# only allow Admin's and Agent's
|
2015-05-08 08:15:45 +00:00
|
|
|
if role?(Z_ROLENAME_ADMIN) && role?('Agent') && params[:role_ids]
|
2012-09-20 12:08:02 +00:00
|
|
|
user.role_ids = params[:role_ids]
|
2012-04-12 11:27:01 +00:00
|
|
|
end
|
2013-04-21 23:03:19 +00:00
|
|
|
|
|
|
|
# only allow Admin's
|
2015-05-08 08:15:45 +00:00
|
|
|
if role?(Z_ROLENAME_ADMIN) && params[:group_ids]
|
2012-09-20 12:08:02 +00:00
|
|
|
user.group_ids = params[:group_ids]
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2013-04-21 23:03:19 +00:00
|
|
|
|
|
|
|
# only allow Admin's and Agent's
|
2015-05-08 08:15:45 +00:00
|
|
|
if role?(Z_ROLENAME_ADMIN) && role?('Agent') && params[:organization_ids]
|
2012-09-20 12:08:02 +00:00
|
|
|
user.organization_ids = params[:organization_ids]
|
2012-04-20 15:39:50 +00:00
|
|
|
end
|
2013-04-21 23:03:19 +00:00
|
|
|
|
|
|
|
# get new data
|
2016-05-10 14:07:39 +00:00
|
|
|
user_new = User.find(params[:id]).attributes_with_associations
|
|
|
|
user_new.delete('password')
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: user_new, status: :ok
|
2015-05-08 14:09:24 +00:00
|
|
|
rescue => e
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { error: e.message }, status: :unprocessable_entity
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-12-18 14:59:45 +00:00
|
|
|
# @path [DELETE] /users/{id}
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @summary Deletes the User record matching the given identifier.
|
|
|
|
# @notes The requester has to be in the role 'Admin' to be able to delete a User record.
|
2014-12-18 14:59:45 +00:00
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @parameter id(required) [User] The identifier matching the requested User record.
|
2014-12-18 14:59:45 +00:00
|
|
|
#
|
|
|
|
# @response_message 200 User successfully deleted.
|
|
|
|
# @response_message 401 Invalid session.
|
2012-04-10 14:06:46 +00:00
|
|
|
def destroy
|
2015-02-15 09:12:27 +00:00
|
|
|
return if deny_if_not_role(Z_ROLENAME_ADMIN)
|
2012-09-20 12:08:02 +00:00
|
|
|
model_destory_render(User, params)
|
|
|
|
end
|
2012-04-10 14:06:46 +00:00
|
|
|
|
2014-12-18 14:59:45 +00:00
|
|
|
# @path [GET] /users/search
|
|
|
|
#
|
|
|
|
# @tag Search
|
|
|
|
# @tag User
|
|
|
|
#
|
|
|
|
# @summary Searches the User matching the given expression(s).
|
|
|
|
# @notes TODO: It's possible to use the SOLR search syntax.
|
2014-12-18 15:24:09 +00:00
|
|
|
# The requester has to be in the role 'Admin' or 'Agent' to
|
|
|
|
# be able to search for User records.
|
2014-12-18 14:59:45 +00:00
|
|
|
#
|
2014-12-18 15:03:19 +00:00
|
|
|
# @parameter term [String] The search term.
|
|
|
|
# @parameter limit [Integer] The limit of search results.
|
2014-12-18 14:59:45 +00:00
|
|
|
# @parameter role_ids(multi) [Array<String>] A list of Role identifiers to which the Users have to be allocated to.
|
2014-12-18 15:03:19 +00:00
|
|
|
# @parameter full [Boolean] Defines if the result should be
|
2014-12-18 14:59:45 +00:00
|
|
|
# true: { user_ids => [1,2,...], assets => {...} }
|
|
|
|
# or false: [{:id => user.id, :label => "firstname lastname <email>", :value => "firstname lastname <email>"},...].
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @response_message 200 [Array<User>] A list of User records matching the search term.
|
2014-12-18 14:59:45 +00:00
|
|
|
# @response_message 401 Invalid session.
|
2012-09-20 12:08:02 +00:00
|
|
|
def search
|
2012-11-14 01:05:53 +00:00
|
|
|
|
2015-05-08 08:15:45 +00:00
|
|
|
if role?(Z_ROLENAME_CUSTOMER) && !role?(Z_ROLENAME_ADMIN) && !role?('Agent')
|
2013-07-19 14:21:44 +00:00
|
|
|
response_access_deny
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2014-09-24 23:12:23 +00:00
|
|
|
query_params = {
|
2015-04-27 13:42:53 +00:00
|
|
|
query: params[:term],
|
|
|
|
limit: params[:limit],
|
|
|
|
current_user: current_user,
|
2014-09-24 23:12:23 +00:00
|
|
|
}
|
|
|
|
if params[:role_ids] && !params[:role_ids].empty?
|
|
|
|
query_params[:role_ids] = params[:role_ids]
|
|
|
|
end
|
|
|
|
|
|
|
|
# do query
|
|
|
|
user_all = User.search(query_params)
|
2012-11-14 01:05:53 +00:00
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
# build result list
|
2014-09-24 23:12:23 +00:00
|
|
|
if !params[:full]
|
|
|
|
users = []
|
|
|
|
user_all.each { |user|
|
|
|
|
realname = user.firstname.to_s + ' ' + user.lastname.to_s
|
|
|
|
if user.email && user.email.to_s != ''
|
2015-04-27 14:41:03 +00:00
|
|
|
realname = realname + ' <' + user.email.to_s + '>'
|
2014-09-24 23:12:23 +00:00
|
|
|
end
|
2015-04-27 13:42:53 +00:00
|
|
|
a = { id: user.id, label: realname, value: realname }
|
2014-09-24 23:12:23 +00:00
|
|
|
users.push a
|
|
|
|
}
|
|
|
|
|
|
|
|
# return result
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: users
|
2014-09-24 23:12:23 +00:00
|
|
|
return
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
|
|
|
|
2014-09-24 23:12:23 +00:00
|
|
|
user_ids = []
|
|
|
|
assets = {}
|
|
|
|
user_all.each { |user|
|
|
|
|
assets = user.assets(assets)
|
|
|
|
user_ids.push user.id
|
|
|
|
}
|
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
# return result
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: {
|
|
|
|
assets: assets,
|
|
|
|
user_ids: user_ids.uniq,
|
2014-09-24 23:12:23 +00:00
|
|
|
}
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2012-04-23 06:55:16 +00:00
|
|
|
|
2015-06-09 23:57:22 +00:00
|
|
|
# @path [GET] /users/recent
|
|
|
|
#
|
|
|
|
# @tag Search
|
|
|
|
# @tag User
|
|
|
|
#
|
|
|
|
# @summary Recent creates Users.
|
|
|
|
# @notes Recent creates Users.
|
|
|
|
#
|
|
|
|
# @parameter limit [Integer] The limit of search results.
|
|
|
|
# @parameter role_ids(multi) [Array<String>] A list of Role identifiers to which the Users have to be allocated to.
|
|
|
|
# @parameter full [Boolean] Defines if the result should be
|
|
|
|
# true: { user_ids => [1,2,...], assets => {...} }
|
|
|
|
# or false: [{:id => user.id, :label => "firstname lastname <email>", :value => "firstname lastname <email>"},...].
|
|
|
|
#
|
|
|
|
# @response_message 200 [Array<User>] A list of User records matching the search term.
|
|
|
|
# @response_message 401 Invalid session.
|
|
|
|
def recent
|
|
|
|
|
|
|
|
if role?(Z_ROLENAME_CUSTOMER) && !role?(Z_ROLENAME_ADMIN)
|
|
|
|
response_access_deny
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# do query
|
2016-01-15 17:22:57 +00:00
|
|
|
user_all = if params[:role_ids] && !params[:role_ids].empty?
|
|
|
|
User.joins(:roles).where( 'roles.id' => params[:role_ids] ).where('users.id != 1').order('users.created_at DESC').limit( params[:limit] || 20 )
|
|
|
|
else
|
|
|
|
User.where('id != 1').order('created_at DESC').limit( params[:limit] || 20 )
|
|
|
|
end
|
2015-06-09 23:57:22 +00:00
|
|
|
|
|
|
|
# build result list
|
|
|
|
if !params[:full]
|
|
|
|
users = []
|
|
|
|
user_all.each { |user|
|
|
|
|
realname = user.firstname.to_s + ' ' + user.lastname.to_s
|
|
|
|
if user.email && user.email.to_s != ''
|
|
|
|
realname = realname + ' <' + user.email.to_s + '>'
|
|
|
|
end
|
|
|
|
a = { id: user.id, label: realname, value: realname }
|
|
|
|
users.push a
|
|
|
|
}
|
|
|
|
|
|
|
|
# return result
|
|
|
|
render json: users
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
user_ids = []
|
|
|
|
assets = {}
|
|
|
|
user_all.each { |user|
|
|
|
|
assets = user.assets(assets)
|
|
|
|
user_ids.push user.id
|
|
|
|
}
|
|
|
|
|
|
|
|
# return result
|
|
|
|
render json: {
|
|
|
|
assets: assets,
|
|
|
|
user_ids: user_ids.uniq,
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
2014-12-18 15:12:36 +00:00
|
|
|
# @path [GET] /users/history/{id}
|
|
|
|
#
|
|
|
|
# @tag History
|
|
|
|
# @tag User
|
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @summary Returns the History records of a User record matching the given identifier.
|
|
|
|
# @notes The requester has to be in the role 'Admin' or 'Agent' to
|
|
|
|
# get the History records of a User record.
|
2014-12-18 15:12:36 +00:00
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @parameter id(required) [Integer] The identifier matching the requested User record.
|
2014-12-18 15:12:36 +00:00
|
|
|
#
|
2014-12-18 15:24:09 +00:00
|
|
|
# @response_message 200 [History] The History records of the requested User record.
|
2014-12-18 15:12:36 +00:00
|
|
|
# @response_message 401 Invalid session.
|
2013-10-21 19:00:58 +00:00
|
|
|
def history
|
|
|
|
|
2016-01-27 18:26:10 +00:00
|
|
|
# permission check
|
2015-05-08 08:15:45 +00:00
|
|
|
if !role?(Z_ROLENAME_ADMIN) && !role?('Agent')
|
2013-10-21 19:00:58 +00:00
|
|
|
response_access_deny
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# get user data
|
2016-01-20 01:48:54 +00:00
|
|
|
user = User.find(params[:id])
|
2013-10-21 19:00:58 +00:00
|
|
|
|
|
|
|
# get history of user
|
|
|
|
history = user.history_get(true)
|
|
|
|
|
|
|
|
# return result
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: history
|
2013-10-21 19:00:58 +00:00
|
|
|
end
|
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
=begin
|
|
|
|
|
|
|
|
Resource:
|
2013-08-06 22:10:28 +00:00
|
|
|
POST /api/v1/users/password_reset
|
2012-09-20 12:08:02 +00:00
|
|
|
|
|
|
|
Payload:
|
|
|
|
{
|
|
|
|
"username": "some user name"
|
|
|
|
}
|
|
|
|
|
|
|
|
Response:
|
|
|
|
{
|
|
|
|
:message => 'ok'
|
|
|
|
}
|
|
|
|
|
|
|
|
Test:
|
2013-08-06 22:10:28 +00:00
|
|
|
curl http://localhost/api/v1/users/password_reset.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"username": "some_username"}'
|
2012-09-20 12:08:02 +00:00
|
|
|
|
|
|
|
=end
|
|
|
|
|
2012-04-23 06:55:16 +00:00
|
|
|
def password_reset_send
|
2013-01-08 00:43:07 +00:00
|
|
|
|
|
|
|
# check if feature is enabled
|
|
|
|
if !Setting.get('user_lost_password')
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { error: 'Feature not enabled!' }, status: :unprocessable_entity
|
2013-01-08 00:43:07 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2016-02-19 21:05:36 +00:00
|
|
|
result = User.password_reset_new_token(params[:username])
|
|
|
|
if result && result[:token]
|
|
|
|
|
|
|
|
# send mail
|
|
|
|
user = result[:user]
|
2016-04-13 23:40:37 +00:00
|
|
|
NotificationFactory::Mailer.notification(
|
2016-02-19 21:05:36 +00:00
|
|
|
template: 'password_reset',
|
|
|
|
user: user,
|
|
|
|
objects: result
|
|
|
|
)
|
2014-12-31 09:04:14 +00:00
|
|
|
|
|
|
|
# only if system is in develop mode, send token back to browser for browser tests
|
|
|
|
if Setting.get('developer_mode') == true
|
2016-02-19 21:05:36 +00:00
|
|
|
render json: { message: 'ok', token: result[:token].name }, status: :ok
|
2014-12-31 09:04:14 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# token sent to user, send ok to browser
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'ok' }, status: :ok
|
2014-12-31 09:04:14 +00:00
|
|
|
return
|
2012-04-23 06:55:16 +00:00
|
|
|
end
|
2014-12-31 09:04:14 +00:00
|
|
|
|
|
|
|
# unable to generate token
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'failed' }, status: :ok
|
2012-04-23 06:55:16 +00:00
|
|
|
end
|
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
=begin
|
|
|
|
|
|
|
|
Resource:
|
2013-08-06 22:10:28 +00:00
|
|
|
POST /api/v1/users/password_reset_verify
|
2012-09-20 12:08:02 +00:00
|
|
|
|
|
|
|
Payload:
|
|
|
|
{
|
|
|
|
"token": "SoMeToKeN",
|
2014-12-30 23:51:19 +00:00
|
|
|
"password": "new_password"
|
2012-09-20 12:08:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
Response:
|
|
|
|
{
|
|
|
|
:message => 'ok'
|
|
|
|
}
|
|
|
|
|
|
|
|
Test:
|
2013-08-06 22:10:28 +00:00
|
|
|
curl http://localhost/api/v1/users/password_reset_verify.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"token": "SoMeToKeN", "password" "new_password"}'
|
2012-09-20 12:08:02 +00:00
|
|
|
|
|
|
|
=end
|
|
|
|
|
2012-04-23 06:55:16 +00:00
|
|
|
def password_reset_verify
|
2012-04-23 16:59:35 +00:00
|
|
|
if params[:password]
|
2014-12-30 23:51:19 +00:00
|
|
|
|
|
|
|
# check password policy
|
|
|
|
result = password_policy(params[:password])
|
|
|
|
if result != true
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'failed', notice: result }, status: :ok
|
2014-12-30 23:51:19 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# set new password with token
|
2016-01-20 01:48:54 +00:00
|
|
|
user = User.password_reset_via_token(params[:token], params[:password])
|
2016-02-19 21:05:36 +00:00
|
|
|
|
|
|
|
# send mail
|
|
|
|
if user
|
2016-04-13 23:40:37 +00:00
|
|
|
NotificationFactory::Mailer.notification(
|
2016-02-19 21:05:36 +00:00
|
|
|
template: 'password_change',
|
|
|
|
user: user,
|
|
|
|
objects: {
|
|
|
|
user: user,
|
|
|
|
current_user: current_user,
|
|
|
|
}
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2012-04-23 16:59:35 +00:00
|
|
|
else
|
2016-01-20 01:48:54 +00:00
|
|
|
user = User.password_reset_check(params[:token])
|
2012-04-23 16:59:35 +00:00
|
|
|
end
|
2013-01-03 12:00:55 +00:00
|
|
|
if user
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'ok', user_login: user.login }, status: :ok
|
2012-04-23 06:55:16 +00:00
|
|
|
else
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'failed' }, status: :ok
|
2012-04-23 06:55:16 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-02-10 21:38:35 +00:00
|
|
|
=begin
|
|
|
|
|
|
|
|
Resource:
|
2013-08-06 22:10:28 +00:00
|
|
|
POST /api/v1/users/password_change
|
2013-02-10 21:38:35 +00:00
|
|
|
|
|
|
|
Payload:
|
|
|
|
{
|
|
|
|
"password_old": "some_password_old",
|
2013-02-12 00:56:23 +00:00
|
|
|
"password_new": "some_password_new"
|
2013-02-10 21:38:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
Response:
|
|
|
|
{
|
|
|
|
:message => 'ok'
|
|
|
|
}
|
|
|
|
|
|
|
|
Test:
|
2013-08-06 22:10:28 +00:00
|
|
|
curl http://localhost/api/v1/users/password_change.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"password_old": "password_old", "password_new": "password_new"}'
|
2013-02-10 21:38:35 +00:00
|
|
|
|
|
|
|
=end
|
|
|
|
|
|
|
|
def password_change
|
|
|
|
|
|
|
|
# check old password
|
|
|
|
if !params[:password_old]
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'failed', notice: ['Current password needed!'] }, status: :ok
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-10 21:38:35 +00:00
|
|
|
end
|
|
|
|
user = User.authenticate( current_user.login, params[:password_old] )
|
|
|
|
if !user
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'failed', notice: ['Current password is wrong!'] }, status: :ok
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-10 21:38:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# set new password
|
|
|
|
if !params[:password_new]
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'failed', notice: ['Please supply your new password!'] }, status: :ok
|
2014-12-30 23:51:19 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# check password policy
|
|
|
|
result = password_policy(params[:password_new])
|
|
|
|
if result != true
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'failed', notice: result }, status: :ok
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-10 21:38:35 +00:00
|
|
|
end
|
2014-12-30 23:51:19 +00:00
|
|
|
|
2016-01-20 01:48:54 +00:00
|
|
|
user.update_attributes(password: params[:password_new])
|
2016-02-19 21:05:36 +00:00
|
|
|
|
2016-04-13 23:40:37 +00:00
|
|
|
NotificationFactory::Mailer.notification(
|
2016-02-19 21:05:36 +00:00
|
|
|
template: 'password_change',
|
|
|
|
user: user,
|
|
|
|
objects: {
|
|
|
|
user: user,
|
|
|
|
current_user: current_user,
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'ok', user_login: user.login }, status: :ok
|
2013-02-10 21:38:35 +00:00
|
|
|
end
|
|
|
|
|
2013-02-12 00:56:23 +00:00
|
|
|
=begin
|
|
|
|
|
|
|
|
Resource:
|
2013-08-06 22:10:28 +00:00
|
|
|
PUT /api/v1/users/preferences.json
|
2013-02-12 00:56:23 +00:00
|
|
|
|
|
|
|
Payload:
|
|
|
|
{
|
|
|
|
"language": "de",
|
|
|
|
"notification": true
|
|
|
|
}
|
|
|
|
|
|
|
|
Response:
|
|
|
|
{
|
|
|
|
:message => 'ok'
|
|
|
|
}
|
|
|
|
|
|
|
|
Test:
|
2013-08-06 22:10:28 +00:00
|
|
|
curl http://localhost/api/v1/users/preferences.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X PUT -d '{"language": "de", "notifications": true}'
|
2013-02-12 00:56:23 +00:00
|
|
|
|
|
|
|
=end
|
|
|
|
|
|
|
|
def preferences
|
|
|
|
if !current_user
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'No current user!' }, status: :unprocessable_entity
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-12 00:56:23 +00:00
|
|
|
end
|
|
|
|
if params[:user]
|
2015-11-25 09:33:39 +00:00
|
|
|
user = User.find(current_user.id)
|
2013-02-12 00:56:23 +00:00
|
|
|
params[:user].each {|key, value|
|
2015-11-25 09:33:39 +00:00
|
|
|
user.preferences[key.to_sym] = value
|
2013-02-12 00:56:23 +00:00
|
|
|
}
|
2015-11-25 09:33:39 +00:00
|
|
|
user.save
|
2013-02-12 00:56:23 +00:00
|
|
|
end
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'ok' }, status: :ok
|
2013-02-12 00:56:23 +00:00
|
|
|
end
|
|
|
|
|
2013-02-12 22:37:04 +00:00
|
|
|
=begin
|
|
|
|
|
|
|
|
Resource:
|
2013-08-06 22:10:28 +00:00
|
|
|
DELETE /api/v1/users/account.json
|
2013-02-12 22:37:04 +00:00
|
|
|
|
|
|
|
Payload:
|
|
|
|
{
|
|
|
|
"provider": "twitter",
|
|
|
|
"uid": 581482342942
|
|
|
|
}
|
|
|
|
|
|
|
|
Response:
|
|
|
|
{
|
|
|
|
:message => 'ok'
|
|
|
|
}
|
|
|
|
|
|
|
|
Test:
|
2013-08-06 22:10:28 +00:00
|
|
|
curl http://localhost/api/v1/users/account.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X PUT -d '{"provider": "twitter", "uid": 581482342942}'
|
2013-02-12 22:37:04 +00:00
|
|
|
|
|
|
|
=end
|
|
|
|
|
|
|
|
def account_remove
|
|
|
|
if !current_user
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'No current user!' }, status: :unprocessable_entity
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-12 22:37:04 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# provider + uid to remove
|
|
|
|
if !params[:provider]
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'provider needed!' }, status: :unprocessable_entity
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-12 22:37:04 +00:00
|
|
|
end
|
|
|
|
if !params[:uid]
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'uid needed!' }, status: :unprocessable_entity
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-12 22:37:04 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# remove from database
|
|
|
|
record = Authorization.where(
|
2015-04-27 13:42:53 +00:00
|
|
|
user_id: current_user.id,
|
|
|
|
provider: params[:provider],
|
|
|
|
uid: params[:uid],
|
2013-02-12 22:37:04 +00:00
|
|
|
)
|
|
|
|
if !record.first
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'No record found!' }, status: :unprocessable_entity
|
2013-06-12 15:59:58 +00:00
|
|
|
return
|
2013-02-12 22:37:04 +00:00
|
|
|
end
|
|
|
|
record.destroy_all
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'ok' }, status: :ok
|
2013-02-12 22:37:04 +00:00
|
|
|
end
|
|
|
|
|
2013-11-02 21:32:00 +00:00
|
|
|
=begin
|
|
|
|
|
|
|
|
Resource:
|
|
|
|
GET /api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7
|
|
|
|
|
|
|
|
Response:
|
|
|
|
<IMAGE>
|
|
|
|
|
|
|
|
Test:
|
|
|
|
curl http://localhost/api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7 -v -u #{login}:#{password}
|
|
|
|
|
|
|
|
=end
|
|
|
|
|
|
|
|
def image
|
|
|
|
|
|
|
|
# cache image
|
2014-12-01 07:32:35 +00:00
|
|
|
response.headers['Expires'] = 1.year.from_now.httpdate
|
|
|
|
response.headers['Cache-Control'] = 'cache, store, max-age=31536000, must-revalidate'
|
|
|
|
response.headers['Pragma'] = 'cache'
|
2013-11-02 21:32:00 +00:00
|
|
|
|
2016-01-20 01:48:54 +00:00
|
|
|
file = Avatar.get_by_hash(params[:hash])
|
2014-12-01 07:32:35 +00:00
|
|
|
if file
|
2014-07-27 11:40:42 +00:00
|
|
|
send_data(
|
2014-12-01 07:32:35 +00:00
|
|
|
file.content,
|
2015-04-27 13:42:53 +00:00
|
|
|
filename: file.filename,
|
|
|
|
type: file.preferences['Content-Type'] || file.preferences['Mime-Type'],
|
|
|
|
disposition: 'inline'
|
2014-07-27 11:40:42 +00:00
|
|
|
)
|
|
|
|
return
|
2013-11-02 21:32:00 +00:00
|
|
|
end
|
|
|
|
|
2014-12-01 07:32:35 +00:00
|
|
|
# serve default image
|
|
|
|
image = 'R0lGODdhMAAwAOMAAMzMzJaWlr6+vqqqqqOjo8XFxbe3t7GxsZycnAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAMAAwAAAEcxDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru98TwuAA+KQAQqJK8EAgBAgMEqmkzUgBIeSwWGZtR5XhSqAULACCoGCJGwlm1MGQrq9RqgB8fm4ZTUgDBIEcRR9fz6HiImKi4yNjo+QkZKTlJWWkBEAOw=='
|
|
|
|
send_data(
|
|
|
|
Base64.decode64(image),
|
2015-04-27 13:42:53 +00:00
|
|
|
filename: 'image.gif',
|
|
|
|
type: 'image/gif',
|
|
|
|
disposition: 'inline'
|
2014-12-01 07:32:35 +00:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
|
|
|
Resource:
|
|
|
|
POST /api/v1/users/avatar
|
|
|
|
|
|
|
|
Payload:
|
|
|
|
{
|
|
|
|
"avatar_full": "base64 url",
|
|
|
|
}
|
|
|
|
|
|
|
|
Response:
|
|
|
|
{
|
2016-01-20 01:48:54 +00:00
|
|
|
message: 'ok'
|
2014-12-01 07:32:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
Test:
|
|
|
|
curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"avatar": "base64 url"}'
|
|
|
|
|
|
|
|
=end
|
|
|
|
|
|
|
|
def avatar_new
|
|
|
|
return if !valid_session_with_user
|
|
|
|
|
|
|
|
# get & validate image
|
2016-01-20 01:48:54 +00:00
|
|
|
file_full = StaticAssets.data_url_attributes(params[:avatar_full])
|
|
|
|
file_resize = StaticAssets.data_url_attributes(params[:avatar_resize])
|
2014-12-01 07:32:35 +00:00
|
|
|
|
|
|
|
avatar = Avatar.add(
|
2015-04-27 13:42:53 +00:00
|
|
|
object: 'User',
|
|
|
|
o_id: current_user.id,
|
|
|
|
full: {
|
|
|
|
content: file_full[:content],
|
|
|
|
mime_type: file_full[:mime_type],
|
2014-12-01 07:32:35 +00:00
|
|
|
},
|
2015-04-27 13:42:53 +00:00
|
|
|
resize: {
|
|
|
|
content: file_resize[:content],
|
|
|
|
mime_type: file_resize[:mime_type],
|
2014-12-01 07:32:35 +00:00
|
|
|
},
|
2015-04-27 20:49:17 +00:00
|
|
|
source: 'upload ' + Time.zone.now.to_s,
|
2015-04-27 13:42:53 +00:00
|
|
|
deletable: true,
|
2014-12-01 07:32:35 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
# update user link
|
2016-05-18 22:06:55 +00:00
|
|
|
user = User.find(current_user.id)
|
|
|
|
user.update_attributes(image: avatar.store_hash)
|
2014-12-01 07:32:35 +00:00
|
|
|
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { avatar: avatar }, status: :ok
|
2014-12-01 07:32:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def avatar_set_default
|
|
|
|
return if !valid_session_with_user
|
|
|
|
|
|
|
|
# get & validate image
|
|
|
|
if !params[:id]
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'No id of avatar!' }, status: :unprocessable_entity
|
2014-12-01 07:32:35 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# set as default
|
2016-01-20 01:48:54 +00:00
|
|
|
avatar = Avatar.set_default('User', current_user.id, params[:id])
|
2014-12-01 07:32:35 +00:00
|
|
|
|
|
|
|
# update user link
|
2016-05-18 22:06:55 +00:00
|
|
|
user = User.find(current_user.id)
|
|
|
|
user.update_attributes(image: avatar.store_hash)
|
2014-12-01 07:32:35 +00:00
|
|
|
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: {}, status: :ok
|
2014-12-01 07:32:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def avatar_destroy
|
|
|
|
return if !valid_session_with_user
|
|
|
|
|
|
|
|
# get & validate image
|
|
|
|
if !params[:id]
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { message: 'No id of avatar!' }, status: :unprocessable_entity
|
2014-12-01 07:32:35 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# remove avatar
|
2016-01-20 01:48:54 +00:00
|
|
|
Avatar.remove_one('User', current_user.id, params[:id])
|
2014-12-01 07:32:35 +00:00
|
|
|
|
|
|
|
# update user link
|
2016-01-20 01:48:54 +00:00
|
|
|
avatar = Avatar.get_default('User', current_user.id)
|
2016-05-18 22:06:55 +00:00
|
|
|
user = User.find(current_user.id)
|
|
|
|
user.update_attributes(image: avatar.store_hash)
|
2014-12-01 07:32:35 +00:00
|
|
|
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: {}, status: :ok
|
2014-12-01 07:32:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def avatar_list
|
|
|
|
return if !valid_session_with_user
|
|
|
|
|
|
|
|
# list of avatars
|
2016-01-20 01:48:54 +00:00
|
|
|
result = Avatar.list('User', current_user.id)
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: { avatars: result }, status: :ok
|
2014-12-01 07:32:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
2014-12-30 23:51:19 +00:00
|
|
|
def password_policy(password)
|
2015-02-09 12:19:52 +00:00
|
|
|
if Setting.get('password_min_size').to_i > password.length
|
2014-12-30 23:51:19 +00:00
|
|
|
return ["Can\'t update password, it must be at least %s characters long!", Setting.get('password_min_size')]
|
|
|
|
end
|
|
|
|
if Setting.get('password_need_digit').to_i == 1 && password !~ /\d/
|
|
|
|
return ["Can't update password, it must contain at least 1 digit!"]
|
|
|
|
end
|
|
|
|
if Setting.get('password_min_2_lower_2_upper_characters').to_i == 1 && ( password !~ /[A-Z].*[A-Z]/ || password !~ /[a-z].*[a-z]/ )
|
|
|
|
return ["Can't update password, it must contain at least 2 lowercase and 2 uppercase characters!"]
|
|
|
|
end
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
2016-02-17 18:36:33 +00:00
|
|
|
def permission_check_by_role(params)
|
2015-05-08 08:15:45 +00:00
|
|
|
return true if role?(Z_ROLENAME_ADMIN)
|
2016-02-17 18:36:33 +00:00
|
|
|
|
|
|
|
if !role?('Admin') && params[:role_ids]
|
2016-02-18 14:27:05 +00:00
|
|
|
if params[:role_ids].class != Array
|
|
|
|
params[:role_ids] = [params[:role_ids]]
|
|
|
|
end
|
2016-02-17 18:36:33 +00:00
|
|
|
params[:role_ids].each {|role_id|
|
2016-02-18 14:27:05 +00:00
|
|
|
role_local = Role.lookup(id: role_id)
|
|
|
|
if !role_local
|
|
|
|
render json: { error_human: 'Invalid role_ids!' }, status: :unauthorized
|
|
|
|
logger.info "Invalid role_ids for current_user_id: #{current_user.id} role_ids #{role_id}"
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
role_name = role_local.name
|
2016-02-17 18:36:33 +00:00
|
|
|
next if role_name != 'Admin' && role_name != 'Agent'
|
|
|
|
render json: { error_human: 'This role assignment is only allowed by admin!' }, status: :unauthorized
|
2016-02-18 14:27:05 +00:00
|
|
|
logger.info "This role assignment is only allowed by admin! current_user_id: #{current_user.id} assigned to #{role_name}"
|
2016-02-17 18:36:33 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
2016-02-18 14:27:05 +00:00
|
|
|
if role?('Agent') && params[:group_ids]
|
|
|
|
if params[:group_ids].class != Array
|
|
|
|
params[:group_ids] = [params[:group_ids]]
|
|
|
|
end
|
|
|
|
if !params[:group_ids].empty?
|
2016-02-17 18:36:33 +00:00
|
|
|
render json: { error_human: 'Group relation is only allowed by admin!' }, status: :unauthorized
|
2016-02-18 14:27:05 +00:00
|
|
|
logger.info "Group relation is only allowed by admin! current_user_id: #{current_user.id} group_ids #{params[:group_ids].inspect}"
|
2016-02-17 18:36:33 +00:00
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-05-08 08:15:45 +00:00
|
|
|
return true if role?('Agent')
|
2014-12-01 07:32:35 +00:00
|
|
|
|
|
|
|
response_access_deny
|
2015-04-27 20:49:17 +00:00
|
|
|
false
|
2014-12-01 07:32:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def permission_check
|
2015-05-08 08:15:45 +00:00
|
|
|
return true if role?(Z_ROLENAME_ADMIN)
|
|
|
|
return true if role?('Agent')
|
2014-12-01 07:32:35 +00:00
|
|
|
|
|
|
|
# allow to update customer by him self
|
2015-05-08 08:15:45 +00:00
|
|
|
return true if role?(Z_ROLENAME_CUSTOMER) && params[:id].to_i == current_user.id
|
2014-12-01 07:32:35 +00:00
|
|
|
|
|
|
|
response_access_deny
|
2015-04-27 20:49:17 +00:00
|
|
|
false
|
2013-11-02 21:32:00 +00:00
|
|
|
end
|
|
|
|
|
2015-04-27 14:15:29 +00:00
|
|
|
end
|