Improved rest permission checks.

Martin Edenhofer 2013-07-19 16:21:44 +02:00
parent a74fec3366
commit 2db0959477
17 changed files with 127 additions and 62 deletions


@ -83,15 +83,10 @@ class ApplicationController < ActionController::Base
# check http basic auth # check http basic auth
authenticate_with_http_basic do |username, password| authenticate_with_http_basic do |username, password|
puts 'http basic auth check' puts 'http basic auth check'
userdata = User.lookup( :login => username ) userdata = User.authenticate( username, password )
message = '' message = ''
if !userdata if !userdata
message = 'authentication failed, user' message = 'authentication failed'
else
success = User.authenticate( username, password )
if !success
message = 'authentication failed, pw'
end
end end
# return auth ok # return auth ok
@ -183,8 +178,11 @@ class ApplicationController < ActionController::Base
end end
def is_not_role( role_name ) def is_not_role( role_name )
deny_if_not_role( role_name )
end
def deny_if_not_role( role_name )
return false if is_role( role_name ) return false if is_role( role_name )
response_access_deny() response_access_deny
return true return true
end end
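Review bot: `is_not_role` now renders the access-denied response as a side effect while keeping a predicate-style name, so any remaining caller that treats it as a pure check and later renders its own response will trigger a double-render error; every caller touched by this commit was moved to `deny_if_not_role`, so the alias should be dropped or at least marked as deprecated. Suggested comment above it: `# Deprecated alias of deny_if_not_role: renders the 403 response itself, never use it as a plain predicate.` Collapsing the two failure messages into a single `'authentication failed'` in the first hunk is a good change, since the old 'user' / 'pw' variants disclosed whether a login existed. The `authenticate_with_http_basic` block in the first hunk is cut at both ends, so its surrounding method is not visible here.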


@ -94,7 +94,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password}
=end =end
def index def index
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_index_render(Channel, params) model_index_render(Channel, params)
end end
@ -117,7 +117,7 @@ curl http://localhost/api/channels/#{id}.json -v -u #{login}:#{password}
=end =end
def show def show
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_show_render(Channel, params) model_show_render(Channel, params)
end end
@ -153,7 +153,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Channel, params) model_create_render(Channel, params)
end end
@ -190,7 +190,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Channel, params) model_update_render(Channel, params)
end end
@ -208,7 +208,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Channel, params) model_destory_render(Channel, params)
end end
end end


@ -97,7 +97,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(EmailAddress, params) model_create_render(EmailAddress, params)
end end
@ -128,7 +128,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(EmailAddress, params) model_update_render(EmailAddress, params)
end end
@ -143,7 +143,7 @@ Test:
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(EmailAddress, params) model_destory_render(EmailAddress, params)
end end
end end


@ -101,7 +101,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Group, params) model_create_render(Group, params)
end end
@ -133,7 +133,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Group, params) model_update_render(Group, params)
end end
@ -148,7 +148,7 @@ Test:
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Group, params) model_destory_render(Group, params)
end end
end end


@ -47,7 +47,17 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password}
=end =end
def index def index
model_index_render(Organization, params)
# only allow customer to fetch his own organization
organizations = []
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
if current_user.organization_id
organizations = Organization.where( :id => current_user.organization_id )
end
else
organizations = Organization.all
end
render :json => organizations
end end
=begin =begin
@ -68,6 +78,18 @@ curl http://localhost/api/organizations/#{id}.json -v -u #{login}:#{password}
=end =end
def show def show
# only allow customer to fetch his own organization
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
if !current_user.organization_id
render :json => {}
return
end
if params[:id].to_i != current_user.organization_id
response_access_deny
return
end
end
model_show_render(Organization, params) model_show_render(Organization, params)
end end
@ -97,7 +119,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont
=end =end
def create def create
return if is_not_role('Agent') return if deny_if_not_role('Agent')
model_create_render(Organization, params) model_create_render(Organization, params)
end end
@ -128,7 +150,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont
=end =end
def update def update
return if is_not_role('Agent') return if deny_if_not_role('Agent')
model_update_render(Organization, params) model_update_render(Organization, params)
end end
@ -143,7 +165,7 @@ Test:
=end =end
def destroy def destroy
return if is_not_role('Agent') return if deny_if_not_role('Agent')
model_destory_render(Organization, params) model_destory_render(Organization, params)
end end
end end
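Review bot: The gate in `index` (`is_role('Customer') && !is_role('Admin') && !is_role('Agent')`) is a deny-list on the Customer role, so a user that holds none of the three roles falls into the `else` branch and receives `Organization.all`; the same shape appears in `show` and again in the users controller, so if the role model allows such a user the restriction fails open. A positive check is safer and reads better, e.g. `if is_role('Admin') || is_role('Agent')` for the unrestricted branch, with the customer-scoped lookup as the fallback. The triple condition is now duplicated across two controllers; a single helper on ApplicationController (say `customer_only?`) would keep the rule in one place. In `show`, a customer without an organization gets `{}` with a 200 while a customer asking for a foreign id gets the deny response — consider whether both should be the deny response for consistency.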


@ -52,7 +52,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password}
=end =end
def index def index
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_index_render(Overview, params) model_index_render(Overview, params)
end end
@ -74,7 +74,7 @@ curl http://localhost/api/overviews/#{id}.json -v -u #{login}:#{password}
=end =end
def show def show
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_show_render(Overview, params) model_show_render(Overview, params)
end end
@ -108,7 +108,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Overview, params) model_create_render(Overview, params)
end end
@ -142,7 +142,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Overview, params) model_update_render(Overview, params)
end end
@ -160,7 +160,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Overview, params) model_destory_render(Overview, params)
end end
end end


@ -5,7 +5,7 @@ class PackagesController < ApplicationController
# GET /api/packages # GET /api/packages
def index def index
return if is_not_role('Admin') return if deny_if_not_role('Admin')
packages = Package.all( :order => 'name' ) packages = Package.all( :order => 'name' )
render :json => { render :json => {
:packages => packages :packages => packages
@ -14,7 +14,7 @@ class PackagesController < ApplicationController
# POST /api/packages # POST /api/packages
def install def install
return if is_not_role('Admin') return if deny_if_not_role('Admin')
Package.install( :string => params[:file_upload].read ) Package.install( :string => params[:file_upload].read )
@ -23,7 +23,7 @@ class PackagesController < ApplicationController
# DELETE /api/packages # DELETE /api/packages
def uninstall def uninstall
return if is_not_role('Admin') return if deny_if_not_role('Admin')
package = Package.find( params[:id] ) package = Package.find( params[:id] )


@ -54,7 +54,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password}
=end =end
def index def index
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_index_render(PostmasterFilter, params) model_index_render(PostmasterFilter, params)
end end
@ -76,7 +76,7 @@ curl http://localhost/api/postmaster_filters/#{id}.json -v -u #{login}:#{passwor
=end =end
def show def show
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_show_render(PostmasterFilter, params) model_show_render(PostmasterFilter, params)
end end
@ -121,7 +121,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(PostmasterFilter, params) model_create_render(PostmasterFilter, params)
end end
@ -164,7 +164,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(PostmasterFilter, params) model_update_render(PostmasterFilter, params)
end end
@ -179,7 +179,7 @@ Test:
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(PostmasterFilter, params) model_destory_render(PostmasterFilter, params)
end end
end end


@ -95,7 +95,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Role, params) model_create_render(Role, params)
end end
@ -124,7 +124,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Role, params) model_update_render(Role, params)
end end
@ -139,7 +139,7 @@ Test:
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Role, params) model_destory_render(Role, params)
end end
end end


@ -10,6 +10,10 @@ module ExtraCollection
if !user.is_role('Customer') if !user.is_role('Customer')
collections['Organization'] = Organization.all collections['Organization'] = Organization.all
else
if user.organization_id
collections['Organization'] = Organization.find( user.organization_id )
end
end end
end end
def push( collections, user ) def push( collections, user )
@ -20,6 +24,10 @@ module ExtraCollection
if !user.is_role('Customer') if !user.is_role('Customer')
collections['Organization'] = Organization.all collections['Organization'] = Organization.all
else
if user.organization_id
collections['Organization'] = Organization.find( user.organization_id )
end
end end
end end
module_function :session, :push module_function :session, :push
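Review bot: In both hunks the customer branch assigns a single record (`Organization.find( user.organization_id )`) to `collections['Organization']` while the non-customer branch assigns a collection (`Organization.all`), so consumers receive a different JSON shape depending on role; `find` will also raise if the user still carries an id of a deleted organization. Using the same relation form in both branches keeps the shape stable and avoids the raise: `collections['Organization'] = Organization.where( :id => user.organization_id )`. The same change applies to the `push` hunk below. The `session` method's `def` line lies outside the first hunk.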


@ -5,29 +5,31 @@ class SettingsController < ApplicationController
# GET /settings # GET /settings
def index def index
return if deny_if_not_role('Admin')
model_index_render(Setting, params) model_index_render(Setting, params)
end end
# GET /settings/1 # GET /settings/1
def show def show
return if deny_if_not_role('Admin')
model_show_render(Setting, params) model_show_render(Setting, params)
end end
# POST /settings # POST /settings
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Setting, params) model_create_render(Setting, params)
end end
# PUT /settings/1 # PUT /settings/1
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Setting, params) model_update_render(Setting, params)
end end
# DELETE /settings/1 # DELETE /settings/1
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Setting, params) model_destory_render(Setting, params)
end end
end end


@ -96,7 +96,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Signature, params) model_create_render(Signature, params)
end end
@ -125,7 +125,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Signature, params) model_update_render(Signature, params)
end end
@ -140,7 +140,7 @@ Test:
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Signature, params) model_destory_render(Signature, params)
end end
end end


@ -47,7 +47,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password}
=end =end
def index def index
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_index_render(Sla, params) model_index_render(Sla, params)
end end
@ -69,7 +69,7 @@ curl http://localhost/api/slas/#{id}.json -v -u #{login}:#{password}
=end =end
def show def show
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_show_render(Sla, params) model_show_render(Sla, params)
end end
@ -98,7 +98,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
=end =end
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Sla, params) model_create_render(Sla, params)
end end
@ -127,7 +127,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
=end =end
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Sla, params) model_update_render(Sla, params)
end end
@ -145,7 +145,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
=end =end
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Sla, params) model_destory_render(Sla, params)
end end
end end


@ -15,19 +15,19 @@ class TicketPrioritiesController < ApplicationController
# POST /ticket_priorities # POST /ticket_priorities
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Ticket::Priority, params) model_create_render(Ticket::Priority, params)
end end
# PUT /ticket_priorities/1 # PUT /ticket_priorities/1
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Ticket::Priority, params) model_update_render(Ticket::Priority, params)
end end
# DELETE /ticket_priorities/1 # DELETE /ticket_priorities/1
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Ticket::Priority, params) model_destory_render(Ticket::Priority, params)
end end
end end


@ -15,19 +15,19 @@ class TicketStatesController < ApplicationController
# POST /ticket_states # POST /ticket_states
def create def create
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_create_render(Ticket::State, params) model_create_render(Ticket::State, params)
end end
# PUT /ticket_states/1 # PUT /ticket_states/1
def update def update
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_update_render(Ticket::State, params) model_update_render(Ticket::State, params)
end end
# DELETE /ticket_states/1 # DELETE /ticket_states/1
def destroy def destroy
return if is_not_role('Admin') return if deny_if_not_role('Admin')
model_destory_render(Ticket::State, params) model_destory_render(Ticket::State, params)
end end
end end


@ -61,12 +61,18 @@ curl http://localhost/api/users.json -v -u #{login}:#{password}
=end =end
def index def index
users = User.all
# only allow customer to fetch him self
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
users = User.where( :id => current_user.id )
else
users = User.all
end
users_all = [] users_all = []
users.each {|user| users.each {|user|
users_all.push User.user_data_full( user.id ) users_all.push User.user_data_full( user.id )
} }
render :json => users_all render :json => users_all, :status => :ok
end end
=begin =begin
@ -87,6 +93,14 @@ curl http://localhost/api/users/#{id}.json -v -u #{login}:#{password}
=end =end
def show def show
# access deny
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
if params[:id].to_i != current_user.id
response_access_deny
return
end
end
user = User.user_data_full( params[:id] ) user = User.user_data_full( params[:id] )
render :json => user render :json => user
end end
@ -267,7 +281,10 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty
# allow user to update him self # allow user to update him self
if is_role('Customer') && !is_role('Admin') && !is_role('Agent') if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
return if params[:id] != current_user.id if params[:id] != current_user.id
response_access_deny
return
end
end end
user = User.find( params[:id] ) user = User.find( params[:id] )
@ -301,13 +318,21 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty
# DELETE /api/users/1 # DELETE /api/users/1
def destroy def destroy
return if !is_role('Admin') if !is_role('Admin')
response_access_deny
return
end
model_destory_render(User, params) model_destory_render(User, params)
end end
# GET /api/users/search # GET /api/users/search
def search def search
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
response_access_deny
return
end
# do query # do query
user_all = User.search( user_all = User.search(
:query => params[:term], :query => params[:term],
@ -529,5 +554,4 @@ curl http://localhost/api/users/account.json -v -u #{login}:#{password} -H "Cont
render :json => { :message => 'ok' }, :status => :ok render :json => { :message => 'ok' }, :status => :ok
end end
end end
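Review bot: In the `@ -267,7 +281,10` hunk the new guard `if params[:id] != current_user.id` compares the String that the router places in `params[:id]` with an Integer id, so it is always true and every customer is denied updating their own record, which contradicts the `# allow user to update him self` comment directly above it; the `show` hunk in this same file already does it correctly with `.to_i`. Change it to `if params[:id].to_i != current_user.id`. The enclosing `update` method starts before that hunk, so the rest of its body is not visible here. The `index` and `search` changes look right, though the role triple is the same deny-list shape used in the organizations controller and would benefit from one shared helper.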


@ -203,8 +203,19 @@ class ApplicationModel < ActiveRecord::Base
record = self.new( data ) record = self.new( data )
record.save record.save
return record return record
elsif data[:login]
records = self.where( :login => data[:login] )
records.each {|record|
if record.login.downcase == data[:login].downcase
record.update_attributes( data )
return record
end
}
record = self.new( data )
record.save
return record
else else
raise "Need name for create_or_update()" raise "Need name or login for create_or_update()"
end end
end end
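Review bot: The new `elsif data[:login]` branch queries `self.where( :login => data[:login] )` and then filters with `record.login.downcase == data[:login].downcase`; whether the `where` already matches case-insensitively depends on the column collation, so on a case-sensitive database a login differing only in case is never returned and a second record is created, while the Ruby comparison only re-checks rows the database already matched. If case-insensitive uniqueness is the intent, that should be stated and done in the query itself; otherwise the downcase comparison is redundant. Suggested comment above the `where`: `# NOTE: exact match unless the login column is case-insensitive; the downcase compare below cannot find rows the query did not return — confirm intended.` The `create_or_update` method begins before this hunk.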