From 2db0959477593c53f383d19f35146f175e6ffb91 Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Fri, 19 Jul 2013 16:21:44 +0200 Subject: [PATCH] Improved rest permission checks. --- app/controllers/application_controller.rb | 14 ++++---- app/controllers/channels_controller.rb | 10 +++--- app/controllers/email_addresses_controller.rb | 6 ++-- app/controllers/groups_controller.rb | 6 ++-- app/controllers/organizations_controller.rb | 30 +++++++++++++--- app/controllers/overviews_controller.rb | 10 +++--- app/controllers/packages_controller.rb | 6 ++-- .../postmaster_filters_controller.rb | 10 +++--- app/controllers/roles_controller.rb | 6 ++-- app/controllers/sessions/collection_base.rb | 8 +++++ app/controllers/settings_controller.rb | 8 +++-- app/controllers/signatures_controller.rb | 6 ++-- app/controllers/slas_controller.rb | 10 +++--- .../ticket_priorities_controller.rb | 6 ++-- app/controllers/ticket_states_controller.rb | 6 ++-- app/controllers/users_controller.rb | 34 ++++++++++++++++--- app/models/application_model.rb | 13 ++++++- 17 files changed, 127 insertions(+), 62 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index ef04abf9c..c6632ee0f 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -83,15 +83,10 @@ class ApplicationController < ActionController::Base # check http basic auth authenticate_with_http_basic do |username, password| puts 'http basic auth check' - userdata = User.lookup( :login => username ) + userdata = User.authenticate( username, password ) message = '' if !userdata - message = 'authentication failed, user' - else - success = User.authenticate( username, password ) - if !success - message = 'authentication failed, pw' - end + message = 'authentication failed' end # return auth ok 
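Review bot: `puts 'http basic auth check'` on the context line just above the changed `userdata = User.authenticate( username, password )` writes to the process's stdout on every basic-auth request; route it through the Rails logger, `logger.debug 'http basic auth check'`, so it honours log levels and lands next to the rest of the request log. Collapsing the former "user" / "pw" failure messages into the single `'authentication failed'` is the right hardening, since distinct messages let a caller tell valid logins from invalid ones; a comment above `if !userdata` would keep the split from being reintroduced: `# one message for unknown user and wrong password on purpose: do not reveal which check failed`. The `authenticate_with_http_basic` block continues past the end of the hunk.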
@@ -183,8 +178,11 @@ class ApplicationController < ActionController::Base end def is_not_role( role_name ) + deny_if_not_role( role_name ) + end + def deny_if_not_role( role_name ) return false if is_role( role_name ) - response_access_deny() + response_access_deny return true end diff --git a/app/controllers/channels_controller.rb b/app/controllers/channels_controller.rb index 486337c65..7b59fb0bf 100644 --- a/app/controllers/channels_controller.rb +++ b/app/controllers/channels_controller.rb @@ -94,7 +94,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} =end def index - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_index_render(Channel, params) end @@ -117,7 +117,7 @@ curl http://localhost/api/channels/#{id}.json -v -u #{login}:#{password} =end def show - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_show_render(Channel, params) end @@ -153,7 +153,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Channel, params) end @@ -190,7 +190,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Channel, params) end @@ -208,7 +208,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Channel, params) end end diff --git a/app/controllers/email_addresses_controller.rb b/app/controllers/email_addresses_controller.rb index 621502678..52a395c92 100644 --- a/app/controllers/email_addresses_controller.rb +++ b/app/controllers/email_addresses_controller.rb 
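Review bot: `is_not_role` survives only as a thin alias for the new `deny_if_not_role`, yet its name still reads as a pure predicate while it renders an access-denied response as a side effect, which is presumably the reason for the rename; mark it so remaining callers migrate and nobody uses it in a condition where no response should be sent: `# @deprecated Use deny_if_not_role; this renders the access-denied response as a side effect.`. `deny_if_not_role` itself would benefit from a YARD header spelling out the contract every controller in this commit relies on, e.g. `# @return [Boolean] true when the current user lacks role_name (the deny response has then already been rendered), false otherwise`.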
@@ -97,7 +97,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(EmailAddress, params) end @@ -128,7 +128,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(EmailAddress, params) end @@ -143,7 +143,7 @@ Test: =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(EmailAddress, params) end end diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 5f51141c8..32cf1686c 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -101,7 +101,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Group, params) end @@ -133,7 +133,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Group, params) end @@ -148,7 +148,7 @@ Test: =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Group, params) end end diff --git a/app/controllers/organizations_controller.rb b/app/controllers/organizations_controller.rb index 3825fc5be..38b2faf40 100644 --- a/app/controllers/organizations_controller.rb +++ b/app/controllers/organizations_controller.rb 
@@ -47,7 +47,17 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} =end def index - model_index_render(Organization, params) + + # only allow customer to fetch his own organization + organizations = [] + if is_role('Customer') && !is_role('Admin') && !is_role('Agent') + if current_user.organization_id + organizations = Organization.where( :id => current_user.organization_id ) + end + else + organizations = Organization.all + end + render :json => organizations end =begin @@ -68,6 +78,18 @@ curl http://localhost/api/organizations/#{id}.json -v -u #{login}:#{password} =end def show + + # only allow customer to fetch his own organization + if is_role('Customer') && !is_role('Admin') && !is_role('Agent') + if !current_user.organization_id + render :json => {} + return + end + if params[:id].to_i != current_user.organization_id + response_access_deny + return + end + end model_show_render(Organization, params) end @@ -97,7 +119,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont =end def create - return if is_not_role('Agent') + return if deny_if_not_role('Agent') model_create_render(Organization, params) end @@ -128,7 +150,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont =end def update - return if is_not_role('Agent') + return if deny_if_not_role('Agent') model_update_render(Organization, params) end @@ -143,7 +165,7 @@ Test: =end def destroy - return if is_not_role('Agent') + return if deny_if_not_role('Agent') model_destory_render(Organization, params) end end diff --git a/app/controllers/overviews_controller.rb b/app/controllers/overviews_controller.rb index ea1cb6f42..300a09b47 100644 --- a/app/controllers/overviews_controller.rb +++ b/app/controllers/overviews_controller.rb 
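Review bot: The new condition `if is_role('Customer') && !is_role('Admin') && !is_role('Agent')` in `index` restricts only users who hold the Customer role; a user with none of the three roles, or with some other role, falls into the `else` branch and receives `Organization.all`, so the check fails open. Deny by default and restrict everyone who is not Admin or Agent instead: `if !is_role('Admin') && !is_role('Agent')`. The same condition is repeated in the `show` hunk of this file and in the `index`, `show`, `update` and `search` hunks of app/controllers/users_controller.rb, so it is worth hoisting into a single ApplicationController predicate (something like `customer_only?`) and using that everywhere. In `show`, a customer without an `organization_id` gets `render :json => {}` with a 200 for any requested id while an id mismatch gets `response_access_deny`; using the deny path for both keeps the response from depending on the caller's own record.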
@@ -52,7 +52,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} =end def index - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_index_render(Overview, params) end @@ -74,7 +74,7 @@ curl http://localhost/api/overviews/#{id}.json -v -u #{login}:#{password} =end def show - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_show_render(Overview, params) end @@ -108,7 +108,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content- =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Overview, params) end @@ -142,7 +142,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content- =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Overview, params) end @@ -160,7 +160,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content- =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Overview, params) end end diff --git a/app/controllers/packages_controller.rb b/app/controllers/packages_controller.rb index 535cd9bfa..5abf5066a 100644 --- a/app/controllers/packages_controller.rb +++ b/app/controllers/packages_controller.rb @@ -5,7 +5,7 @@ class PackagesController < ApplicationController # GET /api/packages def index - return if is_not_role('Admin') + return if deny_if_not_role('Admin') packages = Package.all( :order => 'name' ) render :json => { :packages => packages @@ -14,7 +14,7 @@ class PackagesController < ApplicationController # POST /api/packages def install - return if is_not_role('Admin') + return if deny_if_not_role('Admin') Package.install( :string => params[:file_upload].read ) 
@@ -23,7 +23,7 @@ class PackagesController < ApplicationController # DELETE /api/packages def uninstall - return if is_not_role('Admin') + return if deny_if_not_role('Admin') package = Package.find( params[:id] ) diff --git a/app/controllers/postmaster_filters_controller.rb b/app/controllers/postmaster_filters_controller.rb index 25c2e2fa8..23b1d164b 100644 --- a/app/controllers/postmaster_filters_controller.rb +++ b/app/controllers/postmaster_filters_controller.rb @@ -54,7 +54,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} =end def index - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_index_render(PostmasterFilter, params) end @@ -76,7 +76,7 @@ curl http://localhost/api/postmaster_filters/#{id}.json -v -u #{login}:#{passwor =end def show - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_show_render(PostmasterFilter, params) end @@ -121,7 +121,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(PostmasterFilter, params) end @@ -164,7 +164,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(PostmasterFilter, params) end @@ -179,7 +179,7 @@ Test: =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(PostmasterFilter, params) end end diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb index f19ee2a1c..a6724beff 100644 --- a/app/controllers/roles_controller.rb +++ b/app/controllers/roles_controller.rb 
@@ -95,7 +95,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Role, params) end @@ -124,7 +124,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Role, params) end @@ -139,7 +139,7 @@ Test: =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Role, params) end end diff --git a/app/controllers/sessions/collection_base.rb b/app/controllers/sessions/collection_base.rb index a9d8f9408..15d4c0c83 100644 --- a/app/controllers/sessions/collection_base.rb +++ b/app/controllers/sessions/collection_base.rb @@ -10,6 +10,10 @@ module ExtraCollection if !user.is_role('Customer') collections['Organization'] = Organization.all + else + if user.organization_id + collections['Organization'] = Organization.find( user.organization_id ) + end end end def push( collections, user ) @@ -20,6 +24,10 @@ module ExtraCollection if !user.is_role('Customer') collections['Organization'] = Organization.all + else + if user.organization_id + collections['Organization'] = Organization.find( user.organization_id ) + end end end module_function :session, :push diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb index 4f8f7d3e3..5d60afec3 100644 --- a/app/controllers/settings_controller.rb +++ b/app/controllers/settings_controller.rb 
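Review bot: The added `else` branch assigns `Organization.find( user.organization_id )` to `collections['Organization']`, which stores a single record where the `!user.is_role('Customer')` branch stores the `Organization.all` relation, and `find` raises `ActiveRecord::RecordNotFound` when the user's `organization_id` points at an organization that no longer exists; both differ from how app/controllers/organizations_controller.rb#index handles the same case with `Organization.where( :id => current_user.organization_id )`. Using `collections['Organization'] = Organization.where( :id => user.organization_id )` keeps the value shape uniform for consumers of the collection and turns a dangling id into an empty result rather than an exception. The second hunk of this file (`push`) duplicates the same block and has the same issue; the shared branch could be pulled into a small helper called from both `session` and `push`. The enclosing `session` method starts outside the hunk.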
@@ -5,29 +5,31 @@ class SettingsController < ApplicationController # GET /settings def index + return if deny_if_not_role('Admin') model_index_render(Setting, params) end # GET /settings/1 def show + return if deny_if_not_role('Admin') model_show_render(Setting, params) end # POST /settings def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Setting, params) end # PUT /settings/1 def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Setting, params) end # DELETE /settings/1 def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Setting, params) end end diff --git a/app/controllers/signatures_controller.rb b/app/controllers/signatures_controller.rb index b79482e26..f7a238449 100644 --- a/app/controllers/signatures_controller.rb +++ b/app/controllers/signatures_controller.rb @@ -96,7 +96,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Signature, params) end @@ -125,7 +125,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Signature, params) end @@ -140,7 +140,7 @@ Test: =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Signature, params) end end diff --git a/app/controllers/slas_controller.rb b/app/controllers/slas_controller.rb index c6d961938..790ca83f9 100644 --- a/app/controllers/slas_controller.rb +++ b/app/controllers/slas_controller.rb @@ -47,7 +47,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} =end def index - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_index_render(Sla, params) end 
@@ -69,7 +69,7 @@ curl http://localhost/api/slas/#{id}.json -v -u #{login}:#{password} =end def show - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_show_render(Sla, params) end @@ -98,7 +98,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type: =end def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Sla, params) end @@ -127,7 +127,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type: =end def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Sla, params) end @@ -145,7 +145,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type: =end def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Sla, params) end end diff --git a/app/controllers/ticket_priorities_controller.rb b/app/controllers/ticket_priorities_controller.rb index 9e064cd53..fd9dadcd6 100644 --- a/app/controllers/ticket_priorities_controller.rb +++ b/app/controllers/ticket_priorities_controller.rb @@ -15,19 +15,19 @@ class TicketPrioritiesController < ApplicationController # POST /ticket_priorities def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Ticket::Priority, params) end # PUT /ticket_priorities/1 def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Ticket::Priority, params) end # DELETE /ticket_priorities/1 def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Ticket::Priority, params) end end diff --git a/app/controllers/ticket_states_controller.rb b/app/controllers/ticket_states_controller.rb index 9af36f0ef..8ecf55f44 100644 --- a/app/controllers/ticket_states_controller.rb +++ b/app/controllers/ticket_states_controller.rb 
@@ -15,19 +15,19 @@ class TicketStatesController < ApplicationController # POST /ticket_states def create - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_create_render(Ticket::State, params) end # PUT /ticket_states/1 def update - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_update_render(Ticket::State, params) end # DELETE /ticket_states/1 def destroy - return if is_not_role('Admin') + return if deny_if_not_role('Admin') model_destory_render(Ticket::State, params) end end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 37a24d660..653470bd4 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -61,12 +61,18 @@ curl http://localhost/api/users.json -v -u #{login}:#{password} =end def index - users = User.all + + # only allow customer to fetch him self + if is_role('Customer') && !is_role('Admin') && !is_role('Agent') + users = User.where( :id => current_user.id ) + else + users = User.all + end users_all = [] users.each {|user| users_all.push User.user_data_full( user.id ) } - render :json => users_all + render :json => users_all, :status => :ok end =begin @@ -87,6 +93,14 @@ curl http://localhost/api/users/#{id}.json -v -u #{login}:#{password} =end def show + + # access deny + if is_role('Customer') && !is_role('Admin') && !is_role('Agent') + if params[:id].to_i != current_user.id + response_access_deny + return + end + end user = User.user_data_full( params[:id] ) render :json => user end @@ -267,7 +281,10 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty # allow user to update him self if is_role('Customer') && !is_role('Admin') && !is_role('Agent') - return if params[:id] != current_user.id + if params[:id] != current_user.id + response_access_deny + return + end end user = User.find( params[:id] ) 
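Review bot: `if params[:id] != current_user.id` in the users_controller.rb `update` hunk compares the route parameter, a String in Rails, with the Integer user id, so for a customer the two are never equal and every self-update now ends in `response_access_deny`; the `show` hunk in the same file already writes `params[:id].to_i != current_user.id`, and `update` should match it: `if params[:id].to_i != current_user.id`. The replaced `return if params[:id] != current_user.id` had the same type mismatch but returned silently, so the commit makes the failure visible without fixing it. The enclosing `update` method starts outside the hunk.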
@@ -301,13 +318,21 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty # DELETE /api/users/1 def destroy - return if !is_role('Admin') + if !is_role('Admin') + response_access_deny + return + end model_destory_render(User, params) end # GET /api/users/search def search + if is_role('Customer') && !is_role('Admin') && !is_role('Agent') + response_access_deny + return + end + # do query user_all = User.search( :query => params[:term], @@ -529,5 +554,4 @@ curl http://localhost/api/users/account.json -v -u #{login}:#{password} -H "Cont render :json => { :message => 'ok' }, :status => :ok end - end diff --git a/app/models/application_model.rb b/app/models/application_model.rb index 2519cfa26..79fc64f05 100644 --- a/app/models/application_model.rb +++ b/app/models/application_model.rb @@ -203,8 +203,19 @@ class ApplicationModel < ActiveRecord::Base record = self.new( data ) record.save return record + elsif data[:login] + records = self.where( :login => data[:login] ) + records.each {|record| + if record.login.downcase == data[:login].downcase + record.update_attributes( data ) + return record + end + } + record = self.new( data ) + record.save + return record else - raise "Need name for create_or_update()" + raise "Need name or login for create_or_update()" end end
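Review bot: `destroy` spells out `if !is_role('Admin')` / `response_access_deny` / `return` inline even though this commit introduces `deny_if_not_role` for exactly that pattern and applies it in every other controller; `return if deny_if_not_role('Admin')` would make this action consistent with the rest and drop two lines. If the inline form is intentional, a one-line comment saying why would save the next reader from "fixing" it.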
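Review bot: The new `elsif data[:login]` branch in `create_or_update` is a near-verbatim copy of the `data[:name]` branch above it, differing only in the lookup column; extracting the lookup/compare/update/create sequence into a private helper that takes the attribute name (e.g. `create_or_update_by( data, :login )`) would keep the two paths from drifting apart. Within the branch the results of `record.update_attributes( data )` and `record.save` are discarded, so a validation failure still returns a record that was never persisted; check the return values or use `update_attributes!` / `save!` so callers see the failure. The Ruby-side `record.login.downcase == data[:login].downcase` only inspects rows the `where( :login => data[:login] )` query already returned, so whether a login differing only in case counts as a duplicate is decided by the database collation rather than by this code — worth confirming that matches the intent, and a comment stating the assumption either way. The `create_or_update` method starts outside the hunk.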