trabajo-afectivo/app/controllers/settings_controller.rb

# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/

class SettingsController < ApplicationController
  prepend_before_action { authentication_check(permission: 'admin.*') }

  # GET /settings
  def index
    list = []
    Setting.all.each do |setting|
      next if setting.preferences[:permission] && !current_user.permissions?(setting.preferences[:permission])

      list.push setting
    end
    render json: list, status: :ok
  end

  # GET /settings/1
  def show
    check_access('read')
    model_show_render(Setting, params)
  end

  # POST /settings
  def create
    raise Exceptions::NotAuthorized, 'Not authorized (feature not possible)'
  end

  # PUT /settings/1
  def update
    check_access('write')
    clean_params = keep_certain_attributes
    model_update_render(Setting, clean_params)
  end

  # PUT /settings/image/:id
  def update_image
    check_access('write')
    clean_params = keep_certain_attributes

    if !clean_params[:logo]
      render json: {
        result:  'invalid',
        message: 'Need logo param',
      }
      return
    end

    # validate image
    if !clean_params[:logo].match?(/^data:image/i)
      render json: {
        result:  'invalid',
        message: 'Invalid payload, need data:image in logo param',
      }
      return
    end

    # process image
    file = StaticAssets.data_url_attributes(clean_params[:logo])
    if !file[:content] || !file[:mime_type]
      render json: {
        result:  'invalid',
        message: 'Unable to process image upload.',
      }
      return
    end

    # store image 1:1
    StaticAssets.store_raw(file[:content], file[:mime_type])

    # store resized image 1:1
    setting = Setting.lookup(name: 'product_logo')
    if params[:logo_resize] && params[:logo_resize] =~ /^data:image/i

      # data:image/png;base64
      file = StaticAssets.data_url_attributes(params[:logo_resize])

      # store image 1:1
      setting.state = StaticAssets.store(file[:content], file[:mime_type])
      setting.save!
    end

    render json: {
      result:   'ok',
      settings: [setting],
    }
  end

  # DELETE /settings/1
  def destroy
    raise Exceptions::NotAuthorized, 'Not authorized (feature not possible)'
  end

  private

  def keep_certain_attributes
    setting = Setting.find(params[:id])
    %i[name area state_initial frontend options].each do |key|
      params.delete(key)
    end
    if params[:preferences].present?
      %i[online_service_disable permission render].each do |key|
        params[:preferences].delete(key)
      end
      params[:preferences].merge!(setting.preferences)
    end
    params
  end

  def check_access(type)
    setting = Setting.lookup(id: params[:id])

    if setting.preferences[:permission] && !current_user.permissions?(setting.preferences[:permission])
      raise Exceptions::NotAuthorized, "Not authorized (required #{setting.preferences[:permission].inspect})"
    end

    if type == 'write'
      return true if !Setting.get('system_online_service')
      if setting.preferences && setting.preferences[:online_service_disable]
        raise Exceptions::NotAuthorized, 'Not authorized (service disabled)'
      end
    end
    true
  end
end
Updated copyright. 2016-10-19 03:11:36 +00:00			`# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/`
Code reformattingand code layout beautying. 2013-06-12 15:59:58 +00:00
Init version. 2012-04-10 14:06:46 +00:00			`class SettingsController < ApplicationController`
Improved session validation and usage of cors headers. 2017-02-15 12:29:25 +00:00			`prepend_before_action { authentication_check(permission: 'admin.*') }`
Init version. 2012-04-10 14:06:46 +00:00
			`# GET /settings`
			`def index`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`list = []`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`Setting.all.each do \|setting\|`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`next if setting.preferences[:permission] && !current_user.permissions?(setting.preferences[:permission])`
Updated rubocop to latest version (0.59.2) and applied required changes. 2018-10-09 06:17:41 +00:00
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`list.push setting`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`end`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`render json: list, status: :ok`
Init version. 2012-04-10 14:06:46 +00:00			`end`

			`# GET /settings/1`
			`def show`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`check_access('read')`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`model_show_render(Setting, params)`
Init version. 2012-04-10 14:06:46 +00:00			`end`

			`# POST /settings`
			`def create`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`raise Exceptions::NotAuthorized, 'Not authorized (feature not possible)'`
Init version. 2012-04-10 14:06:46 +00:00			`end`

			`# PUT /settings/1`
			`def update`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`check_access('write')`
			`clean_params = keep_certain_attributes`
			`model_update_render(Setting, clean_params)`
Init version. 2012-04-10 14:06:46 +00:00			`end`

Added branding feature. 2015-07-12 01:32:40 +00:00			`# PUT /settings/image/:id`
			`def update_image`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`check_access('write')`
			`clean_params = keep_certain_attributes`
Added branding feature. 2015-07-12 01:32:40 +00:00
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`if !clean_params[:logo]`
Added branding feature. 2015-07-12 01:32:40 +00:00			`render json: {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`result: 'invalid',`
Added branding feature. 2015-07-12 01:32:40 +00:00			`message: 'Need logo param',`
			`}`
			`return`
			`end`

			`# validate image`
Replace unless with if ! (project-wide) 2018-05-04 14:05:10 +00:00			`if !clean_params[:logo].match?(/^data:image/i)`
Added branding feature. 2015-07-12 01:32:40 +00:00			`render json: {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`result: 'invalid',`
Added branding feature. 2015-07-12 01:32:40 +00:00			`message: 'Invalid payload, need data:image in logo param',`
			`}`
			`return`
			`end`

			`# process image`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`file = StaticAssets.data_url_attributes(clean_params[:logo])`
Added branding feature. 2015-07-12 01:32:40 +00:00			`if !file[:content] \|\| !file[:mime_type]`
			`render json: {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`result: 'invalid',`
Added branding feature. 2015-07-12 01:32:40 +00:00			`message: 'Unable to process image upload.',`
			`}`
			`return`
			`end`

			`# store image 1:1`
			`StaticAssets.store_raw(file[:content], file[:mime_type])`

			`# store resized image 1:1`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`setting = Setting.lookup(name: 'product_logo')`
Added branding feature. 2015-07-12 01:32:40 +00:00			`if params[:logo_resize] && params[:logo_resize] =~ /^data:image/i`

			`# data:image/png;base64`
Send inline images with cid (load images via http/https in src). 2016-05-10 13:06:51 +00:00			`file = StaticAssets.data_url_attributes(params[:logo_resize])`
Added branding feature. 2015-07-12 01:32:40 +00:00
			`# store image 1:1`
Reworked admin maintenance area (needed for restarting screen). 2016-05-25 07:19:45 +00:00			`setting.state = StaticAssets.store(file[:content], file[:mime_type])`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`setting.save!`
Added branding feature. 2015-07-12 01:32:40 +00:00			`end`

			`render json: {`
Updated rubocop - applied custom Layout/AlignHash style. 2018-12-19 17:31:51 +00:00			`result: 'ok',`
Added branding feature. 2015-07-12 01:32:40 +00:00			`settings: [setting],`
			`}`
			`end`

Init version. 2012-04-10 14:06:46 +00:00			`# DELETE /settings/1`
			`def destroy`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`raise Exceptions::NotAuthorized, 'Not authorized (feature not possible)'`
Init version. 2012-04-10 14:06:46 +00:00			`end`
Added preferences attribute to disable update of setting via rest if system is a online system. 2015-07-16 13:36:59 +00:00
			`private`

Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`def keep_certain_attributes`
Added preferences attribute to disable update of setting via rest if system is a online system. 2015-07-16 13:36:59 +00:00			`setting = Setting.find(params[:id])`
Applied changes for Rubocop 0.51. 2017-11-23 08:09:44 +00:00			`%i[name area state_initial frontend options].each do \|key\|`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`params.delete(key)`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`end`
Applied changes for Rubocop 0.51. 2017-11-23 08:09:44 +00:00			`if params[:preferences].present?`
			`%i[online_service_disable permission render].each do \|key\|`
Improved keep_certain_attributes check. 2016-08-26 15:08:49 +00:00			`params[:preferences].delete(key)`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`end`
Improved keep_certain_attributes check. 2016-08-26 15:08:49 +00:00			`params[:preferences].merge!(setting.preferences)`
			`end`
Added permission based/permission check setting api. 2016-08-26 10:06:27 +00:00			`params`
			`end`

			`def check_access(type)`
			`setting = Setting.lookup(id: params[:id])`

			`if setting.preferences[:permission] && !current_user.permissions?(setting.preferences[:permission])`
			`raise Exceptions::NotAuthorized, "Not authorized (required #{setting.preferences[:permission].inspect})"`
			`end`

			`if type == 'write'`
			`return true if !Setting.get('system_online_service')`
			`if setting.preferences && setting.preferences[:online_service_disable]`
			`raise Exceptions::NotAuthorized, 'Not authorized (service disabled)'`
			`end`
			`end`
			`true`
Added preferences attribute to disable update of setting via rest if system is a online system. 2015-07-16 13:36:59 +00:00			`end`
Init version. 2012-04-10 14:06:46 +00:00			`end`