Improved rest permission checks.

app/controllers/application_controller.rb

@@ -83,15 +83,10 @@ class ApplicationController < ActionController::Base
     # check http basic auth
     authenticate_with_http_basic do |username, password|
       puts 'http basic auth check'
-      userdata = User.lookup( :login => username )
+      userdata = User.authenticate( username, password )
       message = ''
       if !userdata
-        message = 'authentication failed, user'
+        message = 'authentication failed'
-      else
-        success = User.authenticate( username, password )
-        if !success
-          message = 'authentication failed, pw'
-        end
       end
 
       # return auth ok
@@ -183,8 +178,11 @@ class ApplicationController < ActionController::Base
   end
 
   def is_not_role( role_name )
+    deny_if_not_role( role_name )
+  end
+  def deny_if_not_role( role_name )
     return false if is_role( role_name )
-    response_access_deny()
+    response_access_deny
     return true
   end
 

app/controllers/channels_controller.rb

@@ -94,7 +94,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password}
 =end
 
   def index
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_index_render(Channel, params)
   end
 
@@ -117,7 +117,7 @@ curl http://localhost/api/channels/#{id}.json -v -u #{login}:#{password}
 =end
 
   def show
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_show_render(Channel, params)
   end
 
@@ -153,7 +153,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Channel, params)
   end
 
@@ -190,7 +190,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Channel, params)
   end
 
@@ -208,7 +208,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Channel, params)
   end
 end

app/controllers/email_addresses_controller.rb

@@ -97,7 +97,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(EmailAddress, params)
   end
 
@@ -128,7 +128,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(EmailAddress, params)
   end
 
@@ -143,7 +143,7 @@ Test:
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(EmailAddress, params)
   end
 end

app/controllers/groups_controller.rb

@@ -101,7 +101,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Group, params)
   end
 
@@ -133,7 +133,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Group, params)
   end
 
@@ -148,7 +148,7 @@ Test:
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Group, params)
   end
 end

app/controllers/organizations_controller.rb

@@ -47,7 +47,17 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password}
 =end
 
   def index
-    model_index_render(Organization, params)
+
+    # only allow customer to fetch his own organization
+    organizations = []
+    if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
+      if current_user.organization_id
+        organizations = Organization.where( :id => current_user.organization_id )
+      end
+    else
+      organizations = Organization.all
+    end
+    render :json => organizations
   end
 
 =begin
@@ -68,6 +78,18 @@ curl http://localhost/api/organizations/#{id}.json -v -u #{login}:#{password}
 =end
 
   def show
+
+    # only allow customer to fetch his own organization
+    if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
+      if !current_user.organization_id
+        render :json => {}
+        return
+      end
+      if params[:id].to_i != current_user.organization_id
+        response_access_deny
+        return
+      end
+    end
     model_show_render(Organization, params)
   end
 
@@ -97,7 +119,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont
 =end
 
   def create
-    return if is_not_role('Agent')
+    return if deny_if_not_role('Agent')
     model_create_render(Organization, params)
   end
 
@@ -128,7 +150,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont
 =end
 
   def update
-    return if is_not_role('Agent')
+    return if deny_if_not_role('Agent')
     model_update_render(Organization, params)
   end
 
@@ -143,7 +165,7 @@ Test:
 =end
 
   def destroy
-    return if is_not_role('Agent')
+    return if deny_if_not_role('Agent')
     model_destory_render(Organization, params)
   end
 end

app/controllers/overviews_controller.rb

@@ -52,7 +52,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password}
 =end
 
   def index
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_index_render(Overview, params)
   end
 
@@ -74,7 +74,7 @@ curl http://localhost/api/overviews/#{id}.json -v -u #{login}:#{password}
 =end
 
   def show
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_show_render(Overview, params)
   end
 
@@ -108,7 +108,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Overview, params)
   end
 
@@ -142,7 +142,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Overview, params)
   end
 
@@ -160,7 +160,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Overview, params)
   end
 end

app/controllers/packages_controller.rb

@@ -5,7 +5,7 @@ class PackagesController < ApplicationController
 
   # GET /api/packages
   def index
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     packages = Package.all( :order => 'name' )
     render :json => {
       :packages => packages
@@ -14,7 +14,7 @@ class PackagesController < ApplicationController
 
   # POST /api/packages
   def install
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
 
     Package.install( :string => params[:file_upload].read )
 
@@ -23,7 +23,7 @@ class PackagesController < ApplicationController
 
   # DELETE /api/packages
   def uninstall
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
 
     package = Package.find( params[:id] )
 

app/controllers/postmaster_filters_controller.rb

@@ -54,7 +54,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password}
 =end
 
   def index
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_index_render(PostmasterFilter, params)
   end
 
@@ -76,7 +76,7 @@ curl http://localhost/api/postmaster_filters/#{id}.json -v -u #{login}:#{passwor
 =end
 
   def show
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_show_render(PostmasterFilter, params)
   end
 
@@ -121,7 +121,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(PostmasterFilter, params)
   end
 
@@ -164,7 +164,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(PostmasterFilter, params)
   end
 
@@ -179,7 +179,7 @@ Test:
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(PostmasterFilter, params)
   end
 end

app/controllers/roles_controller.rb

@@ -95,7 +95,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Role, params)
   end
 
@@ -124,7 +124,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Role, params)
   end
 
@@ -139,7 +139,7 @@ Test:
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Role, params)
   end
 end

app/controllers/sessions/collection_base.rb

@@ -10,6 +10,10 @@ module ExtraCollection
 
     if !user.is_role('Customer')
       collections['Organization']  = Organization.all
+    else
+      if user.organization_id
+        collections['Organization']  = Organization.find( user.organization_id )
+      end
     end
   end
   def push( collections, user )
@@ -20,6 +24,10 @@ module ExtraCollection
 
     if !user.is_role('Customer')
       collections['Organization']  = Organization.all
+    else
+      if user.organization_id
+        collections['Organization']  = Organization.find( user.organization_id )
+      end
     end
   end
   module_function :session, :push

app/controllers/settings_controller.rb

@@ -5,29 +5,31 @@ class SettingsController < ApplicationController
 
   # GET /settings
   def index
+    return if deny_if_not_role('Admin')
     model_index_render(Setting, params)
   end
 
   # GET /settings/1
   def show
+    return if deny_if_not_role('Admin')
     model_show_render(Setting, params)
   end
 
   # POST /settings
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Setting, params)
   end
 
   # PUT /settings/1
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Setting, params)
   end
 
   # DELETE /settings/1
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Setting, params)
   end
 end

app/controllers/signatures_controller.rb

@@ -96,7 +96,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Signature, params)
   end
 
@@ -125,7 +125,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Signature, params)
   end
 
@@ -140,7 +140,7 @@ Test:
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Signature, params)
   end
 end

app/controllers/slas_controller.rb

@@ -47,7 +47,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password}
 =end
 
   def index
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_index_render(Sla, params)
   end
 
@@ -69,7 +69,7 @@ curl http://localhost/api/slas/#{id}.json -v -u #{login}:#{password}
 =end
 
   def show
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_show_render(Sla, params)
   end
 
@@ -98,7 +98,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
 =end
 
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Sla, params)
   end
 
@@ -127,7 +127,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
 =end
 
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Sla, params)
   end
 
@@ -145,7 +145,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
 =end
 
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Sla, params)
   end
 end

app/controllers/ticket_priorities_controller.rb

@@ -15,19 +15,19 @@ class TicketPrioritiesController < ApplicationController
 
   # POST /ticket_priorities
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Ticket::Priority, params)
   end
 
   # PUT /ticket_priorities/1
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Ticket::Priority, params)
   end
 
   # DELETE /ticket_priorities/1
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Ticket::Priority, params)
   end
 end

app/controllers/ticket_states_controller.rb

@@ -15,19 +15,19 @@ class TicketStatesController < ApplicationController
 
   # POST /ticket_states
   def create
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_create_render(Ticket::State, params)
   end
 
   # PUT /ticket_states/1
   def update
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_update_render(Ticket::State, params)
   end
 
   # DELETE /ticket_states/1
   def destroy
-    return if is_not_role('Admin')
+    return if deny_if_not_role('Admin')
     model_destory_render(Ticket::State, params)
   end
 end

app/controllers/users_controller.rb

@@ -61,12 +61,18 @@ curl http://localhost/api/users.json -v -u #{login}:#{password}
 =end
 
   def index
-    users = User.all
+
+    # only allow customer to fetch him self
+    if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
+      users = User.where( :id => current_user.id )
+    else
+      users = User.all
+    end
     users_all = []
     users.each {|user|
       users_all.push User.user_data_full( user.id )
     }
-    render :json => users_all
+    render :json => users_all, :status => :ok
   end
 
 =begin
@@ -87,6 +93,14 @@ curl http://localhost/api/users/#{id}.json -v -u #{login}:#{password}
 =end
 
   def show
+
+    # access deny
+    if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
+      if params[:id].to_i != current_user.id
+        response_access_deny
+        return
+      end
+    end
     user = User.user_data_full( params[:id] )
     render :json => user
   end
@@ -267,7 +281,10 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty
 
     # allow user to update him self
     if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
-      return if params[:id] != current_user.id
+      if params[:id] != current_user.id
+        response_access_deny
+        return
+      end
     end
 
     user = User.find( params[:id] )
@@ -301,13 +318,21 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty
 
   # DELETE /api/users/1
   def destroy
-    return if !is_role('Admin')
+    if !is_role('Admin')
+      response_access_deny
+      return
+    end
     model_destory_render(User, params)
   end
 
   # GET /api/users/search
   def search
 
+    if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
+      response_access_deny
+      return
+    end
+
     # do query
     user_all = User.search(
       :query        => params[:term],
@@ -529,5 +554,4 @@ curl http://localhost/api/users/account.json -v -u #{login}:#{password} -H "Cont
     render :json => { :message => 'ok' }, :status => :ok
   end
 
-
 end

app/models/application_model.rb

@@ -203,8 +203,19 @@ class ApplicationModel < ActiveRecord::Base
       record = self.new( data )
       record.save
       return record
+    elsif data[:login]
+      records = self.where( :login => data[:login] )
+      records.each {|record|
+        if record.login.downcase == data[:login].downcase
+          record.update_attributes( data )
+          return record
+        end
+      }
+      record = self.new( data )
+      record.save
+      return record
     else
-      raise "Need name for create_or_update()"
+      raise "Need name or login for create_or_update()"
     end
   end