2016-10-19 03:11:36 +00:00
|
|
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
2016-06-30 08:24:03 +00:00
|
|
|
require 'exceptions'
|
2013-06-12 15:59:58 +00:00
|
|
|
|
2012-04-10 13:31:21 +00:00
|
|
|
class ApplicationController < ActionController::Base
|
2017-01-20 09:45:19 +00:00
|
|
|
include ErrorHandling
|
|
|
|
|
2013-06-12 15:59:58 +00:00
|
|
|
# http_basic_authenticate_with :name => "test", :password => "ttt"
|
2012-04-10 14:06:46 +00:00
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
helper_method :current_user,
|
2015-02-22 18:10:54 +00:00
|
|
|
:authentication_check,
|
|
|
|
:config_frontend,
|
2016-04-21 07:36:25 +00:00
|
|
|
:http_log_config,
|
2015-02-22 18:10:54 +00:00
|
|
|
:model_create_render,
|
|
|
|
:model_update_render,
|
|
|
|
:model_restory_render,
|
|
|
|
:mode_show_rendeder,
|
|
|
|
:model_index_render
|
2012-04-19 09:51:24 +00:00
|
|
|
|
2015-05-07 11:23:55 +00:00
|
|
|
skip_before_action :verify_authenticity_token
|
2016-09-04 21:24:19 +00:00
|
|
|
before_action :transaction_begin, :set_user, :session_update, :user_device_check, :cors_preflight_check
|
|
|
|
after_action :transaction_end, :http_log, :set_access_control_headers
|
2012-04-10 14:06:46 +00:00
|
|
|
|
|
|
|
# For all responses in this controller, return the CORS access control headers.
|
2013-06-12 15:59:58 +00:00
|
|
|
def set_access_control_headers
|
2012-04-19 09:51:24 +00:00
|
|
|
headers['Access-Control-Allow-Origin'] = '*'
|
|
|
|
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
|
|
|
|
headers['Access-Control-Max-Age'] = '1728000'
|
2013-08-11 15:45:38 +00:00
|
|
|
headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
|
2012-04-10 14:06:46 +00:00
|
|
|
headers['Access-Control-Allow-Credentials'] = 'true'
|
|
|
|
end
|
2012-07-29 18:55:51 +00:00
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
# If this is a preflight OPTIONS request, then short-circuit the
|
|
|
|
# request, return only the necessary headers and return an empty
|
|
|
|
# text/plain.
|
2012-07-29 18:55:51 +00:00
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
def cors_preflight_check
|
2015-04-30 15:25:04 +00:00
|
|
|
|
|
|
|
return if request.method != 'OPTIONS'
|
|
|
|
|
|
|
|
headers['Access-Control-Allow-Origin'] = '*'
|
|
|
|
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
|
|
|
|
headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
|
|
|
|
headers['Access-Control-Max-Age'] = '1728000'
|
|
|
|
headers['Access-Control-Allow-Credentials'] = 'true'
|
|
|
|
render text: '', content_type: 'text/plain'
|
|
|
|
|
|
|
|
false
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2012-07-29 18:55:51 +00:00
|
|
|
|
2016-04-21 07:36:25 +00:00
|
|
|
def http_log_config(config)
|
|
|
|
@http_log_support = config
|
|
|
|
end
|
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
private
|
|
|
|
|
2016-09-04 21:24:19 +00:00
|
|
|
def transaction_begin
|
2016-08-20 19:29:22 +00:00
|
|
|
ApplicationHandleInfo.current = 'application_server'
|
2016-09-04 21:24:19 +00:00
|
|
|
PushMessages.init
|
2016-08-20 19:29:22 +00:00
|
|
|
end
|
|
|
|
|
2016-09-04 21:24:19 +00:00
|
|
|
def transaction_end
|
2016-04-14 07:17:13 +00:00
|
|
|
Observer::Transaction.commit
|
2016-09-04 21:24:19 +00:00
|
|
|
PushMessages.finish
|
|
|
|
ActiveSupport::Dependencies::Reference.clear!
|
2012-04-16 14:35:10 +00:00
|
|
|
end
|
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
# Finds the User with the ID stored in the session with the key
|
|
|
|
# :current_user_id This is a common way to handle user login in
|
|
|
|
# a Rails application; logging in sets the session value and
|
|
|
|
# logging out removes it.
|
|
|
|
def current_user
|
2013-04-20 08:52:17 +00:00
|
|
|
return @_current_user if @_current_user
|
|
|
|
return if !session[:user_id]
|
2015-11-30 10:50:02 +00:00
|
|
|
@_current_user = User.lookup(id: session[:user_id])
|
2012-04-19 12:32:12 +00:00
|
|
|
end
|
2015-05-07 10:27:12 +00:00
|
|
|
|
2012-04-19 12:32:12 +00:00
|
|
|
def current_user_set(user)
|
2013-09-30 23:37:45 +00:00
|
|
|
session[:user_id] = user.id
|
2012-04-19 12:32:12 +00:00
|
|
|
@_current_user = user
|
|
|
|
set_user
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
|
2013-04-20 08:52:17 +00:00
|
|
|
# Sets the current user into a named Thread location so that it can be accessed
|
|
|
|
# by models and observers
|
|
|
|
def set_user
|
2016-04-13 07:32:49 +00:00
|
|
|
if !current_user
|
|
|
|
UserInfo.current_user_id = 1
|
|
|
|
return
|
|
|
|
end
|
2013-04-20 08:52:17 +00:00
|
|
|
UserInfo.current_user_id = current_user.id
|
|
|
|
end
|
|
|
|
|
2013-07-26 21:45:16 +00:00
|
|
|
# update session updated_at
|
|
|
|
def session_update
|
2014-08-13 00:12:38 +00:00
|
|
|
#sleep 0.6
|
2013-08-25 21:34:54 +00:00
|
|
|
|
2015-05-08 10:20:33 +00:00
|
|
|
session[:ping] = Time.zone.now.iso8601
|
2013-07-26 21:45:16 +00:00
|
|
|
|
2015-03-22 11:59:39 +00:00
|
|
|
# check if remote ip need to be updated
|
2016-01-05 12:46:43 +00:00
|
|
|
if !session[:remote_ip] || session[:remote_ip] != request.remote_ip
|
|
|
|
session[:remote_ip] = request.remote_ip
|
2015-11-30 10:50:02 +00:00
|
|
|
session[:geo] = Service::GeoIp.location(request.remote_ip)
|
2013-07-26 21:45:16 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# fill user agent
|
2015-04-30 15:25:04 +00:00
|
|
|
return if session[:user_agent]
|
|
|
|
|
|
|
|
session[:user_agent] = request.env['HTTP_USER_AGENT']
|
2013-07-26 21:45:16 +00:00
|
|
|
end
|
|
|
|
|
2016-04-21 07:36:25 +00:00
|
|
|
# log http access
|
|
|
|
def http_log
|
|
|
|
return if !@http_log_support
|
|
|
|
|
|
|
|
# request
|
|
|
|
request_data = {
|
|
|
|
content: '',
|
|
|
|
content_type: request.headers['Content-Type'],
|
|
|
|
content_encoding: request.headers['Content-Encoding'],
|
|
|
|
source: request.headers['User-Agent'] || request.headers['Server'],
|
|
|
|
}
|
2016-06-30 20:04:48 +00:00
|
|
|
request.headers.each { |key, value|
|
2016-04-21 07:36:25 +00:00
|
|
|
next if key[0, 5] != 'HTTP_'
|
|
|
|
request_data[:content] += if key == 'HTTP_COOKIE'
|
|
|
|
"#{key}: xxxxx\n"
|
|
|
|
else
|
|
|
|
"#{key}: #{value}\n"
|
|
|
|
end
|
|
|
|
}
|
|
|
|
body = request.body.read
|
|
|
|
if body
|
|
|
|
request_data[:content] += "\n" + body
|
|
|
|
end
|
|
|
|
request_data[:content] = request_data[:content].slice(0, 8000)
|
|
|
|
|
|
|
|
# response
|
|
|
|
response_data = {
|
|
|
|
code: response.status = response.code,
|
|
|
|
content: '',
|
|
|
|
content_type: nil,
|
|
|
|
content_encoding: nil,
|
|
|
|
source: nil,
|
|
|
|
}
|
2016-06-30 20:04:48 +00:00
|
|
|
response.headers.each { |key, value|
|
2016-04-21 07:36:25 +00:00
|
|
|
response_data[:content] += "#{key}: #{value}\n"
|
|
|
|
}
|
|
|
|
body = response.body
|
|
|
|
if body
|
|
|
|
response_data[:content] += "\n" + body
|
|
|
|
end
|
|
|
|
response_data[:content] = response_data[:content].slice(0, 8000)
|
|
|
|
record = {
|
|
|
|
direction: 'in',
|
|
|
|
facility: @http_log_support[:facility],
|
|
|
|
url: url_for(only_path: false, overwrite_params: {}),
|
|
|
|
status: response.status,
|
|
|
|
ip: request.remote_ip,
|
|
|
|
request: request_data,
|
|
|
|
response: response_data,
|
|
|
|
method: request.method,
|
|
|
|
}
|
|
|
|
HttpLog.create(record)
|
|
|
|
end
|
|
|
|
|
2016-06-14 07:37:46 +00:00
|
|
|
def user_device_check
|
|
|
|
return false if !user_device_log(current_user, 'session')
|
|
|
|
true
|
|
|
|
end
|
2015-08-17 16:14:44 +00:00
|
|
|
|
2016-06-14 07:37:46 +00:00
|
|
|
def user_device_log(user, type)
|
|
|
|
switched_from_user_id = ENV['SWITCHED_FROM_USER_ID'] || session[:switched_from_user_id]
|
2017-01-10 19:58:33 +00:00
|
|
|
return true if params[:controller] == 'init' # do no device logging on static inital page
|
2016-06-14 07:37:46 +00:00
|
|
|
return true if switched_from_user_id
|
|
|
|
return true if !user
|
2016-08-12 16:39:09 +00:00
|
|
|
return true if !user.permissions?('user_preferences.device')
|
2016-06-14 07:37:46 +00:00
|
|
|
|
|
|
|
time_to_check = true
|
|
|
|
user_device_updated_at = session[:user_device_updated_at]
|
|
|
|
if ENV['USER_DEVICE_UPDATED_AT']
|
|
|
|
user_device_updated_at = Time.zone.parse(ENV['USER_DEVICE_UPDATED_AT'])
|
|
|
|
end
|
2015-08-17 13:25:41 +00:00
|
|
|
|
2016-06-14 07:37:46 +00:00
|
|
|
if user_device_updated_at
|
|
|
|
# check if entry exists / only if write action
|
|
|
|
diff = Time.zone.now - 10.minutes
|
|
|
|
method = request.method
|
|
|
|
if method == 'GET' || method == 'OPTIONS' || method == 'HEAD'
|
|
|
|
diff = Time.zone.now - 30.minutes
|
2015-08-18 22:36:58 +00:00
|
|
|
end
|
|
|
|
|
2016-06-14 07:37:46 +00:00
|
|
|
# only update if needed
|
|
|
|
if user_device_updated_at > diff
|
|
|
|
time_to_check = false
|
|
|
|
end
|
2016-03-25 13:28:45 +00:00
|
|
|
end
|
2015-08-17 13:25:41 +00:00
|
|
|
|
2016-06-14 07:37:46 +00:00
|
|
|
# if ip has not changed and ttl in still valid
|
|
|
|
remote_ip = ENV['TEST_REMOTE_IP'] || request.remote_ip
|
|
|
|
return true if time_to_check == false && session[:user_device_remote_ip] == remote_ip
|
|
|
|
session[:user_device_remote_ip] = remote_ip
|
2015-08-19 00:13:38 +00:00
|
|
|
|
2015-08-18 22:36:58 +00:00
|
|
|
# for sessions we need the fingperprint
|
2016-06-14 07:37:46 +00:00
|
|
|
if type == 'session'
|
|
|
|
if !session[:user_device_updated_at] && !params[:fingerprint] && !session[:user_device_fingerprint]
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::UnprocessableEntity, 'Need fingerprint param!'
|
2016-06-14 07:37:46 +00:00
|
|
|
end
|
|
|
|
if params[:fingerprint]
|
|
|
|
session[:user_device_fingerprint] = params[:fingerprint]
|
|
|
|
end
|
2015-08-17 16:14:44 +00:00
|
|
|
end
|
2015-08-18 22:36:58 +00:00
|
|
|
|
2016-06-14 07:37:46 +00:00
|
|
|
session[:user_device_updated_at] = Time.zone.now
|
|
|
|
|
2016-03-30 08:00:21 +00:00
|
|
|
# add device if needed
|
2016-06-14 07:37:46 +00:00
|
|
|
http_user_agent = ENV['HTTP_USER_AGENT'] || request.env['HTTP_USER_AGENT']
|
|
|
|
Delayed::Job.enqueue(
|
|
|
|
Observer::UserDeviceLogJob.new(
|
|
|
|
http_user_agent,
|
|
|
|
remote_ip,
|
|
|
|
user.id,
|
|
|
|
session[:user_device_fingerprint],
|
|
|
|
type,
|
|
|
|
)
|
2015-08-18 22:36:58 +00:00
|
|
|
)
|
2015-08-17 13:25:41 +00:00
|
|
|
end
|
|
|
|
|
2015-06-22 11:19:56 +00:00
|
|
|
def authentication_check_only(auth_param)
|
2015-10-20 08:48:43 +00:00
|
|
|
#logger.debug 'authentication_check'
|
2015-05-04 18:58:28 +00:00
|
|
|
#logger.debug params.inspect
|
|
|
|
#logger.debug session.inspect
|
|
|
|
#logger.debug cookies.inspect
|
2013-06-25 11:54:13 +00:00
|
|
|
|
2015-06-24 08:48:48 +00:00
|
|
|
# already logged in, early exit
|
|
|
|
if session.id && session[:user_id]
|
2016-03-25 13:28:45 +00:00
|
|
|
logger.debug 'session based auth check'
|
2016-07-31 23:30:25 +00:00
|
|
|
user = User.lookup(id: session[:user_id])
|
2016-08-12 16:39:09 +00:00
|
|
|
return authentication_check_prerequesits(user, 'session', auth_param) if user
|
2015-06-24 08:48:48 +00:00
|
|
|
end
|
2012-04-10 14:06:46 +00:00
|
|
|
|
2015-08-23 20:15:10 +00:00
|
|
|
# check sso based authentication
|
2016-07-31 23:30:25 +00:00
|
|
|
sso_user = User.sso(params)
|
|
|
|
if sso_user
|
2016-08-12 16:39:09 +00:00
|
|
|
if authentication_check_prerequesits(sso_user, 'session', auth_param)
|
|
|
|
session[:persistent] = true
|
|
|
|
return sso_user
|
2016-05-25 07:19:45 +00:00
|
|
|
end
|
2012-04-20 06:45:22 +00:00
|
|
|
end
|
|
|
|
|
2015-08-23 20:15:10 +00:00
|
|
|
# check http basic based authentication
|
2015-06-24 08:48:48 +00:00
|
|
|
authenticate_with_http_basic do |username, password|
|
2016-07-31 23:30:25 +00:00
|
|
|
request.session_options[:skip] = true # do not send a session cookie
|
2015-06-24 08:48:48 +00:00
|
|
|
logger.debug "http basic auth check '#{username}'"
|
2016-07-28 10:09:32 +00:00
|
|
|
if Setting.get('api_password_access') == false
|
2016-08-12 16:39:09 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'API password access disabled!'
|
2016-07-28 10:09:32 +00:00
|
|
|
end
|
2016-07-31 23:30:25 +00:00
|
|
|
user = User.authenticate(username, password)
|
2016-08-12 16:39:09 +00:00
|
|
|
return authentication_check_prerequesits(user, 'basic_auth', auth_param) if user
|
2015-06-22 11:19:56 +00:00
|
|
|
end
|
|
|
|
|
2016-07-28 10:09:32 +00:00
|
|
|
# check http token based authentication
|
2016-08-30 14:26:27 +00:00
|
|
|
authenticate_with_http_token do |token_string, _options|
|
|
|
|
logger.debug "http token auth check '#{token_string}'"
|
2016-07-31 23:30:25 +00:00
|
|
|
request.session_options[:skip] = true # do not send a session cookie
|
2016-07-28 10:09:32 +00:00
|
|
|
if Setting.get('api_token_access') == false
|
2016-08-12 16:39:09 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'API token access disabled!'
|
2016-07-28 10:09:32 +00:00
|
|
|
end
|
2016-07-31 23:30:25 +00:00
|
|
|
user = Token.check(
|
2016-07-28 10:09:32 +00:00
|
|
|
action: 'api',
|
2016-08-30 14:26:27 +00:00
|
|
|
name: token_string,
|
2016-08-12 16:39:09 +00:00
|
|
|
inactive_user: true,
|
2016-07-28 10:09:32 +00:00
|
|
|
)
|
2016-08-16 08:00:44 +00:00
|
|
|
if user && auth_param[:permission]
|
|
|
|
user = Token.check(
|
|
|
|
action: 'api',
|
2016-08-30 14:26:27 +00:00
|
|
|
name: token_string,
|
2016-08-16 08:00:44 +00:00
|
|
|
permission: auth_param[:permission],
|
|
|
|
inactive_user: true,
|
|
|
|
)
|
2016-08-23 18:46:04 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'Not authorized (token)!' if !user
|
2016-08-16 08:00:44 +00:00
|
|
|
end
|
2016-08-30 14:26:27 +00:00
|
|
|
|
|
|
|
if user
|
|
|
|
token = Token.find_by(name: token_string)
|
|
|
|
|
|
|
|
token.last_used_at = Time.zone.now
|
|
|
|
token.save!
|
|
|
|
|
|
|
|
if token.expires_at &&
|
|
|
|
Time.zone.today >= token.expires_at
|
|
|
|
raise Exceptions::NotAuthorized, 'Not authorized (token expired)!'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
@_token_auth = token_string # remember for permission_check
|
2016-08-12 16:39:09 +00:00
|
|
|
return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
|
2016-07-28 10:09:32 +00:00
|
|
|
end
|
|
|
|
|
2016-07-31 23:30:25 +00:00
|
|
|
# check oauth2 token based authentication
|
|
|
|
token = Doorkeeper::OAuth::Token.from_bearer_authorization(request)
|
|
|
|
if token
|
|
|
|
request.session_options[:skip] = true # do not send a session cookie
|
|
|
|
logger.debug "oauth2 token auth check '#{token}'"
|
|
|
|
access_token = Doorkeeper::AccessToken.by_token(token)
|
|
|
|
|
2016-11-13 21:16:17 +00:00
|
|
|
if !access_token
|
|
|
|
raise Exceptions::NotAuthorized, 'Invalid token!'
|
|
|
|
end
|
|
|
|
|
2016-07-31 23:30:25 +00:00
|
|
|
# check expire
|
|
|
|
if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
|
2016-08-12 16:39:09 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'OAuth2 token is expired!'
|
2016-07-31 23:30:25 +00:00
|
|
|
end
|
|
|
|
|
2016-11-01 16:16:04 +00:00
|
|
|
# if access_token.scopes.empty?
|
|
|
|
# raise Exceptions::NotAuthorized, 'OAuth2 scope missing for token!'
|
|
|
|
# end
|
2016-07-31 23:30:25 +00:00
|
|
|
|
2016-08-12 16:39:09 +00:00
|
|
|
user = User.find(access_token.resource_owner_id)
|
|
|
|
return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
|
2016-07-31 23:30:25 +00:00
|
|
|
end
|
2016-11-01 16:16:04 +00:00
|
|
|
|
2016-08-12 16:39:09 +00:00
|
|
|
false
|
|
|
|
end
|
|
|
|
|
|
|
|
def authentication_check_prerequesits(user, auth_type, auth_param)
|
|
|
|
if check_maintenance_only(user)
|
|
|
|
raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
|
|
|
|
end
|
|
|
|
|
|
|
|
if user.active == false
|
|
|
|
raise Exceptions::NotAuthorized, 'User is inactive!'
|
|
|
|
end
|
|
|
|
|
|
|
|
# check scopes / permission check
|
|
|
|
if auth_param[:permission] && !user.permissions?(auth_param[:permission])
|
2016-08-23 18:46:04 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'Not authorized (user)!'
|
2016-08-12 16:39:09 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
current_user_set(user)
|
|
|
|
user_device_log(user, auth_type)
|
|
|
|
logger.debug "#{auth_type} for '#{user.login}'"
|
|
|
|
true
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
|
|
|
|
2016-04-23 09:04:33 +00:00
|
|
|
def authentication_check(auth_param = {})
|
2016-08-12 16:39:09 +00:00
|
|
|
user = authentication_check_only(auth_param)
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2015-06-22 10:56:09 +00:00
|
|
|
# check if basic_auth fallback is possible
|
2016-08-12 16:39:09 +00:00
|
|
|
if auth_param[:basic_auth_promt] && !user
|
2015-06-22 10:56:09 +00:00
|
|
|
return request_http_basic_authentication
|
|
|
|
end
|
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
# return auth not ok
|
2016-08-12 16:39:09 +00:00
|
|
|
if !user
|
|
|
|
raise Exceptions::NotAuthorized, 'authentication failed'
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
|
2012-04-19 09:51:24 +00:00
|
|
|
# return auth ok
|
2014-12-01 07:32:35 +00:00
|
|
|
true
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
|
2012-09-04 21:28:49 +00:00
|
|
|
def ticket_permission(ticket)
|
2015-11-30 10:50:02 +00:00
|
|
|
return true if ticket.permission(current_user: current_user)
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::NotAuthorized
|
2012-11-12 09:34:22 +00:00
|
|
|
end
|
|
|
|
|
2016-06-07 19:22:08 +00:00
|
|
|
def article_permission(article)
|
|
|
|
ticket = Ticket.lookup(id: article.ticket_id)
|
|
|
|
return true if ticket.permission(current_user: current_user)
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::NotAuthorized
|
2016-06-07 19:22:08 +00:00
|
|
|
end
|
|
|
|
|
2016-08-24 11:42:22 +00:00
|
|
|
def article_create(ticket, params)
|
|
|
|
|
|
|
|
# create article if given
|
|
|
|
form_id = params[:form_id]
|
|
|
|
params.delete(:form_id)
|
|
|
|
|
|
|
|
# check min. params
|
2016-09-09 11:29:33 +00:00
|
|
|
raise Exceptions::UnprocessableEntity, 'Need at least article: { body: "some text" }' if !params[:body]
|
2016-08-24 11:42:22 +00:00
|
|
|
|
|
|
|
# fill default values
|
|
|
|
if params[:type_id].empty? && params[:type].empty?
|
|
|
|
params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
|
|
|
|
end
|
|
|
|
if params[:sender_id].empty? && params[:sender].empty?
|
|
|
|
sender = 'Customer'
|
|
|
|
if current_user.permissions?('ticket.agent')
|
|
|
|
sender = 'Agent'
|
|
|
|
end
|
|
|
|
params[:sender_id] = Ticket::Article::Sender.lookup(name: sender).id
|
|
|
|
end
|
|
|
|
|
2017-01-16 13:34:44 +00:00
|
|
|
# remember time accounting
|
|
|
|
time_unit = params[:time_unit]
|
|
|
|
|
2017-01-31 17:13:45 +00:00
|
|
|
clean_params = Ticket::Article.association_name_to_id_convert(params)
|
2016-08-24 11:42:22 +00:00
|
|
|
clean_params = Ticket::Article.param_cleanup(clean_params, true)
|
|
|
|
|
|
|
|
# overwrite params
|
|
|
|
if !current_user.permissions?('ticket.agent')
|
|
|
|
clean_params[:sender_id] = Ticket::Article::Sender.lookup(name: 'Customer').id
|
|
|
|
clean_params.delete(:sender)
|
|
|
|
type = Ticket::Article::Type.lookup(id: clean_params[:type_id])
|
|
|
|
if type.name !~ /^(note|web)$/
|
|
|
|
clean_params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
|
|
|
|
end
|
|
|
|
clean_params.delete(:type)
|
|
|
|
clean_params[:internal] = false
|
|
|
|
end
|
|
|
|
|
|
|
|
article = Ticket::Article.new(clean_params)
|
|
|
|
article.ticket_id = ticket.id
|
|
|
|
|
|
|
|
# store dataurl images to store
|
|
|
|
if form_id && article.body && article.content_type =~ %r{text/html}i
|
|
|
|
article.body.gsub!( %r{(<img\s.+?src=")(data:image/(jpeg|png);base64,.+?)">}i ) { |_item|
|
|
|
|
file_attributes = StaticAssets.data_url_attributes($2)
|
|
|
|
cid = "#{ticket.id}.#{form_id}.#{rand(999_999)}@#{Setting.get('fqdn')}"
|
|
|
|
headers_store = {
|
|
|
|
'Content-Type' => file_attributes[:mime_type],
|
|
|
|
'Mime-Type' => file_attributes[:mime_type],
|
|
|
|
'Content-ID' => cid,
|
|
|
|
'Content-Disposition' => 'inline',
|
|
|
|
}
|
|
|
|
store = Store.add(
|
|
|
|
object: 'UploadCache',
|
|
|
|
o_id: form_id,
|
|
|
|
data: file_attributes[:content],
|
|
|
|
filename: cid,
|
|
|
|
preferences: headers_store
|
|
|
|
)
|
|
|
|
"#{$1}cid:#{cid}\">"
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# find attachments in upload cache
|
|
|
|
if form_id
|
|
|
|
article.attachments = Store.list(
|
|
|
|
object: 'UploadCache',
|
|
|
|
o_id: form_id,
|
|
|
|
)
|
|
|
|
end
|
|
|
|
article.save!
|
|
|
|
|
2017-01-16 13:34:44 +00:00
|
|
|
# account time
|
|
|
|
if time_unit.present?
|
|
|
|
Ticket::TimeAccounting.create!(
|
|
|
|
ticket_id: article.ticket_id,
|
|
|
|
ticket_article_id: article.id,
|
|
|
|
time_unit: time_unit
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2016-08-24 11:42:22 +00:00
|
|
|
# remove attachments from upload cache
|
|
|
|
return article if !form_id
|
|
|
|
|
|
|
|
Store.remove(
|
|
|
|
object: 'UploadCache',
|
|
|
|
o_id: form_id,
|
|
|
|
)
|
|
|
|
|
|
|
|
article
|
|
|
|
end
|
|
|
|
|
2016-08-12 16:39:09 +00:00
|
|
|
def permission_check(key)
|
|
|
|
if @_token_auth
|
|
|
|
user = Token.check(
|
|
|
|
action: 'api',
|
|
|
|
name: @_token_auth,
|
|
|
|
permission: key,
|
|
|
|
)
|
|
|
|
return false if user
|
2016-08-23 18:46:04 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'Not authorized (token)!'
|
2016-08-12 16:39:09 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return false if current_user && current_user.permissions?(key)
|
2016-08-23 18:46:04 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'Not authorized (user)!'
|
2014-12-01 07:32:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def valid_session_with_user
|
|
|
|
return true if current_user
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::UnprocessableEntity, 'No session user!'
|
2012-12-27 20:17:33 +00:00
|
|
|
end
|
|
|
|
|
2012-11-12 09:34:22 +00:00
|
|
|
def response_access_deny
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::NotAuthorized
|
2012-09-04 16:39:23 +00:00
|
|
|
end
|
|
|
|
|
2012-04-11 06:37:54 +00:00
|
|
|
def config_frontend
|
2013-06-06 07:34:09 +00:00
|
|
|
|
2012-04-11 06:37:54 +00:00
|
|
|
# config
|
|
|
|
config = {}
|
2016-08-17 22:37:06 +00:00
|
|
|
Setting.select('name, preferences').where(frontend: true).each { |setting|
|
|
|
|
next if setting.preferences[:authentication] == true && !current_user
|
|
|
|
value = Setting.get(setting.name)
|
|
|
|
next if !current_user && (value == false || value.nil?)
|
|
|
|
config[setting.name] = value
|
2012-04-11 06:37:54 +00:00
|
|
|
}
|
2013-06-06 07:34:09 +00:00
|
|
|
|
2015-08-18 08:50:12 +00:00
|
|
|
# remember if we can to swich back to user
|
2014-09-15 20:55:06 +00:00
|
|
|
if session[:switched_from_user_id]
|
|
|
|
config['switch_back_to_possible'] = true
|
|
|
|
end
|
|
|
|
|
2015-08-18 08:50:12 +00:00
|
|
|
# remember session_id for websocket logon
|
2016-08-17 22:37:06 +00:00
|
|
|
if current_user
|
|
|
|
config['session_id'] = session.id
|
|
|
|
end
|
2015-08-18 08:50:12 +00:00
|
|
|
|
2014-09-15 20:55:06 +00:00
|
|
|
config
|
2012-04-11 06:37:54 +00:00
|
|
|
end
|
|
|
|
|
2012-09-20 12:08:02 +00:00
|
|
|
# model helper
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_create_render(object, params)
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2017-01-31 17:13:45 +00:00
|
|
|
clean_params = object.association_name_to_id_convert(params)
|
2016-06-06 15:26:37 +00:00
|
|
|
clean_params = object.param_cleanup(clean_params, true)
|
|
|
|
|
2015-05-07 10:20:52 +00:00
|
|
|
# create object
|
2016-06-06 15:26:37 +00:00
|
|
|
generic_object = object.new(clean_params)
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2015-05-07 10:20:52 +00:00
|
|
|
# save object
|
|
|
|
generic_object.save!
|
2013-05-29 16:09:02 +00:00
|
|
|
|
2015-05-07 10:20:52 +00:00
|
|
|
# set relations
|
2017-01-31 17:13:45 +00:00
|
|
|
generic_object.associations_from_param(params)
|
2013-09-30 23:37:45 +00:00
|
|
|
|
2016-06-08 04:56:05 +00:00
|
|
|
if params[:expand]
|
2017-01-31 17:13:45 +00:00
|
|
|
render json: generic_object.attributes_with_association_names, status: :created
|
2016-06-08 04:56:05 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2015-05-07 10:20:52 +00:00
|
|
|
model_create_render_item(generic_object)
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
2015-05-07 10:27:12 +00:00
|
|
|
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_create_render_item(generic_object)
|
2017-01-31 17:13:45 +00:00
|
|
|
render json: generic_object.attributes_with_association_ids, status: :created
|
2012-11-12 09:34:22 +00:00
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_update_render(object, params)
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2015-05-07 10:20:52 +00:00
|
|
|
# find object
|
2015-11-30 10:50:02 +00:00
|
|
|
generic_object = object.find(params[:id])
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2017-01-31 17:13:45 +00:00
|
|
|
clean_params = object.association_name_to_id_convert(params)
|
2016-06-06 15:26:37 +00:00
|
|
|
clean_params = object.param_cleanup(clean_params, true)
|
|
|
|
|
2016-09-08 19:18:26 +00:00
|
|
|
generic_object.with_lock do
|
2013-09-30 23:37:45 +00:00
|
|
|
|
2016-09-08 19:18:26 +00:00
|
|
|
# set attributes
|
|
|
|
generic_object.update_attributes!(clean_params)
|
|
|
|
|
|
|
|
# set relations
|
2017-01-31 17:13:45 +00:00
|
|
|
generic_object.associations_from_param(params)
|
2016-09-08 19:18:26 +00:00
|
|
|
end
|
2013-09-30 23:37:45 +00:00
|
|
|
|
2016-06-08 04:56:05 +00:00
|
|
|
if params[:expand]
|
2017-01-31 17:13:45 +00:00
|
|
|
render json: generic_object.attributes_with_association_names, status: :ok
|
2016-06-08 04:56:05 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2015-11-30 10:50:02 +00:00
|
|
|
model_update_render_item(generic_object)
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
2015-05-07 10:27:12 +00:00
|
|
|
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_update_render_item(generic_object)
|
2017-01-31 17:13:45 +00:00
|
|
|
render json: generic_object.attributes_with_association_ids, status: :ok
|
2012-11-12 09:34:22 +00:00
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2016-11-30 10:30:03 +00:00
|
|
|
def model_destroy_render(object, params)
|
2015-11-30 10:50:02 +00:00
|
|
|
generic_object = object.find(params[:id])
|
2016-07-31 23:30:25 +00:00
|
|
|
generic_object.destroy!
|
2016-11-30 10:30:03 +00:00
|
|
|
model_destroy_render_item()
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
2015-05-07 10:27:12 +00:00
|
|
|
|
2016-11-30 10:30:03 +00:00
|
|
|
def model_destroy_render_item ()
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: {}, status: :ok
|
2012-11-12 09:34:22 +00:00
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2016-06-30 08:24:03 +00:00
|
|
|
def model_show_render(object, params)
|
2014-08-13 00:12:38 +00:00
|
|
|
|
2016-06-07 19:22:08 +00:00
|
|
|
if params[:expand]
|
|
|
|
generic_object = object.find(params[:id])
|
2017-01-31 17:13:45 +00:00
|
|
|
render json: generic_object.attributes_with_association_names, status: :ok
|
2016-06-07 19:22:08 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2015-05-07 10:20:52 +00:00
|
|
|
if params[:full]
|
2015-11-30 10:50:02 +00:00
|
|
|
generic_object_full = object.full(params[:id])
|
2015-05-07 10:20:52 +00:00
|
|
|
render json: generic_object_full, status: :ok
|
|
|
|
return
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
2015-05-07 10:20:52 +00:00
|
|
|
|
2015-11-30 10:50:02 +00:00
|
|
|
generic_object = object.find(params[:id])
|
2015-05-07 10:20:52 +00:00
|
|
|
model_show_render_item(generic_object)
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
2015-05-07 10:27:12 +00:00
|
|
|
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_show_render_item(generic_object)
|
2017-01-31 17:13:45 +00:00
|
|
|
render json: generic_object.attributes_with_association_ids, status: :ok
|
2012-11-12 09:34:22 +00:00
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_index_render(object, params)
|
2016-06-06 15:26:37 +00:00
|
|
|
offset = 0
|
2016-06-30 09:57:07 +00:00
|
|
|
per_page = 500
|
2016-06-06 06:34:15 +00:00
|
|
|
if params[:page] && params[:per_page]
|
|
|
|
offset = (params[:page].to_i - 1) * params[:per_page].to_i
|
2016-06-06 15:26:37 +00:00
|
|
|
limit = params[:per_page].to_i
|
2016-06-06 06:34:15 +00:00
|
|
|
end
|
2016-09-14 07:21:17 +00:00
|
|
|
|
|
|
|
if per_page > 500
|
|
|
|
per_page = 500
|
|
|
|
end
|
|
|
|
|
2016-10-24 21:59:18 +00:00
|
|
|
generic_objects = if offset.positive?
|
2016-09-21 17:42:47 +00:00
|
|
|
object.limit(params[:per_page]).order(id: 'ASC').offset(offset).limit(limit)
|
2016-06-06 15:26:37 +00:00
|
|
|
else
|
2016-09-21 17:42:47 +00:00
|
|
|
object.all.order(id: 'ASC').offset(offset).limit(limit)
|
2016-06-06 15:26:37 +00:00
|
|
|
end
|
2016-03-20 19:09:52 +00:00
|
|
|
|
2016-06-08 04:56:05 +00:00
|
|
|
if params[:expand]
|
|
|
|
list = []
|
2016-06-30 20:04:48 +00:00
|
|
|
generic_objects.each { |generic_object|
|
2017-01-31 17:13:45 +00:00
|
|
|
list.push generic_object.attributes_with_association_names
|
2016-06-08 04:56:05 +00:00
|
|
|
}
|
|
|
|
render json: list, status: :ok
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2016-03-20 19:09:52 +00:00
|
|
|
if params[:full]
|
|
|
|
assets = {}
|
|
|
|
item_ids = []
|
2016-06-30 20:04:48 +00:00
|
|
|
generic_objects.each { |item|
|
2016-03-20 19:09:52 +00:00
|
|
|
item_ids.push item.id
|
|
|
|
assets = item.assets(assets)
|
|
|
|
}
|
|
|
|
render json: {
|
|
|
|
record_ids: item_ids,
|
|
|
|
assets: assets,
|
|
|
|
}, status: :ok
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2016-03-14 13:34:35 +00:00
|
|
|
generic_objects_with_associations = []
|
2016-06-30 20:04:48 +00:00
|
|
|
generic_objects.each { |item|
|
2017-01-31 17:13:45 +00:00
|
|
|
generic_objects_with_associations.push item.attributes_with_association_ids
|
2016-03-14 13:34:35 +00:00
|
|
|
}
|
|
|
|
model_index_render_result(generic_objects_with_associations)
|
2012-09-20 12:08:02 +00:00
|
|
|
end
|
2015-05-07 10:27:12 +00:00
|
|
|
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_index_render_result(generic_objects)
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: generic_objects, status: :ok
|
2012-11-12 09:34:22 +00:00
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2016-06-06 06:34:15 +00:00
|
|
|
def model_references_check(object, params)
|
|
|
|
generic_object = object.find(params[:id])
|
|
|
|
result = Models.references(object, generic_object.id)
|
|
|
|
return false if result.empty?
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::UnprocessableEntity, 'Can\'t delete, object has references.'
|
2016-06-06 06:34:15 +00:00
|
|
|
rescue => e
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::UnprocessableEntity, e
|
|
|
|
end
|
|
|
|
|
2016-05-25 07:19:45 +00:00
|
|
|
# check maintenance mode
|
|
|
|
def check_maintenance_only(user)
|
|
|
|
return false if Setting.get('maintenance_mode') != true
|
2016-08-12 16:39:09 +00:00
|
|
|
return false if user.permissions?('admin.maintenance')
|
2016-05-25 07:19:45 +00:00
|
|
|
Rails.logger.info "Maintenance mode enabled, denied login for user #{user.login}, it's no admin user."
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_maintenance(user)
|
|
|
|
return false if !check_maintenance_only(user)
|
2016-06-30 08:24:03 +00:00
|
|
|
raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
|
2016-05-25 07:19:45 +00:00
|
|
|
end
|
|
|
|
|
2012-04-10 13:31:21 +00:00
|
|
|
end
|