2021-06-01 12:20:20 +00:00
|
|
|
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
|
|
|
|
|
2020-03-19 09:39:51 +00:00
|
|
|
class UserPolicy < ApplicationPolicy
|
|
|
|
|
|
|
|
def show?
|
|
|
|
return true if user.permissions?('admin.*')
|
|
|
|
return true if own_account?
|
|
|
|
return true if user.permissions?('ticket.agent')
|
|
|
|
# check same organization for customers
|
|
|
|
return false if !user.permissions?('ticket.customer')
|
|
|
|
|
|
|
|
same_organization?
|
|
|
|
end
|
|
|
|
|
|
|
|
def update?
|
|
|
|
return true if user.permissions?('admin.user')
|
|
|
|
# forbid non-agents to change users
|
|
|
|
return false if !user.permissions?('ticket.agent')
|
|
|
|
|
|
|
|
# allow agents to change customers
|
|
|
|
record.permissions?('ticket.customer')
|
|
|
|
end
|
|
|
|
|
|
|
|
def destroy?
|
|
|
|
user.permissions?('admin.user')
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def own_account?
|
|
|
|
record.id == user.id
|
|
|
|
end
|
|
|
|
|
|
|
|
def same_organization?
|
|
|
|
return false if record.organization_id.blank?
|
|
|
|
return false if user.organization_id.blank?
|
|
|
|
|
|
|
|
record.organization_id == user.organization_id
|
|
|
|
end
|
|
|
|
end
|