Improved rest permission checks.
This commit is contained in:
Martin Edenhofer
parent
a74fec3366
commit
2db0959477
17 changed files with 127 additions and 62 deletions
|
|
@ -83,15 +83,10 @@ class ApplicationController < ActionController::Base
|
|||
# check http basic auth
|
||||
authenticate_with_http_basic do |username, password|
|
||||
puts 'http basic auth check'
|
||||
userdata = User.lookup( :login => username )
|
||||
userdata = User.authenticate( username, password )
|
||||
message = ''
|
||||
if !userdata
|
||||
message = 'authentication failed, user'
|
||||
else
|
||||
success = User.authenticate( username, password )
|
||||
if !success
|
||||
message = 'authentication failed, pw'
|
||||
end
|
||||
message = 'authentication failed'
|
||||
end
|
||||
|
||||
# return auth ok
|
||||
|
|
@ -183,8 +178,11 @@ class ApplicationController < ActionController::Base
|
|||
end
|
||||
|
||||
def is_not_role( role_name )
|
||||
deny_if_not_role( role_name )
|
||||
end
|
||||
def deny_if_not_role( role_name )
|
||||
return false if is_role( role_name )
|
||||
response_access_deny()
|
||||
response_access_deny
|
||||
return true
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def index
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_index_render(Channel, params)
|
||||
end
|
||||
|
||||
|
|
@ -117,7 +117,7 @@ curl http://localhost/api/channels/#{id}.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def show
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_show_render(Channel, params)
|
||||
end
|
||||
|
||||
|
|
@ -153,7 +153,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Channel, params)
|
||||
end
|
||||
|
||||
|
|
@ -190,7 +190,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Channel, params)
|
||||
end
|
||||
|
||||
|
|
@ -208,7 +208,7 @@ curl http://localhost/api/channels.json -v -u #{login}:#{password} -H "Content-T
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Channel, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(EmailAddress, params)
|
||||
end
|
||||
|
||||
|
|
@ -128,7 +128,7 @@ curl http://localhost/api/email_addresses.json -v -u #{login}:#{password} -H "Co
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(EmailAddress, params)
|
||||
end
|
||||
|
||||
|
|
@ -143,7 +143,7 @@ Test:
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(EmailAddress, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -101,7 +101,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Group, params)
|
||||
end
|
||||
|
||||
|
|
@ -133,7 +133,7 @@ curl http://localhost/api/groups.json -v -u #{login}:#{password} -H "Content-Typ
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Group, params)
|
||||
end
|
||||
|
||||
|
|
@ -148,7 +148,7 @@ Test:
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Group, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -47,7 +47,17 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def index
|
||||
model_index_render(Organization, params)
|
||||
|
||||
# only allow customer to fetch his own organization
|
||||
organizations = []
|
||||
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
|
||||
if current_user.organization_id
|
||||
organizations = Organization.where( :id => current_user.organization_id )
|
||||
end
|
||||
else
|
||||
organizations = Organization.all
|
||||
end
|
||||
render :json => organizations
|
||||
end
|
||||
|
||||
=begin
|
||||
|
|
@ -68,6 +78,18 @@ curl http://localhost/api/organizations/#{id}.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def show
|
||||
|
||||
# only allow customer to fetch his own organization
|
||||
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
|
||||
if !current_user.organization_id
|
||||
render :json => {}
|
||||
return
|
||||
end
|
||||
if params[:id].to_i != current_user.organization_id
|
||||
response_access_deny
|
||||
return
|
||||
end
|
||||
end
|
||||
model_show_render(Organization, params)
|
||||
end
|
||||
|
||||
|
|
@ -97,7 +119,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Agent')
|
||||
return if deny_if_not_role('Agent')
|
||||
model_create_render(Organization, params)
|
||||
end
|
||||
|
||||
|
|
@ -128,7 +150,7 @@ curl http://localhost/api/organizations.json -v -u #{login}:#{password} -H "Cont
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Agent')
|
||||
return if deny_if_not_role('Agent')
|
||||
model_update_render(Organization, params)
|
||||
end
|
||||
|
||||
|
|
@ -143,7 +165,7 @@ Test:
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Agent')
|
||||
return if deny_if_not_role('Agent')
|
||||
model_destory_render(Organization, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def index
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_index_render(Overview, params)
|
||||
end
|
||||
|
||||
|
|
@ -74,7 +74,7 @@ curl http://localhost/api/overviews/#{id}.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def show
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_show_render(Overview, params)
|
||||
end
|
||||
|
||||
|
|
@ -108,7 +108,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Overview, params)
|
||||
end
|
||||
|
||||
|
|
@ -142,7 +142,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Overview, params)
|
||||
end
|
||||
|
||||
|
|
@ -160,7 +160,7 @@ curl http://localhost/api/overviews.json -v -u #{login}:#{password} -H "Content-
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Overview, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ class PackagesController < ApplicationController
|
|||
|
||||
# GET /api/packages
|
||||
def index
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
packages = Package.all( :order => 'name' )
|
||||
render :json => {
|
||||
:packages => packages
|
||||
|
|
@ -14,7 +14,7 @@ class PackagesController < ApplicationController
|
|||
|
||||
# POST /api/packages
|
||||
def install
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
|
||||
Package.install( :string => params[:file_upload].read )
|
||||
|
||||
|
|
@ -23,7 +23,7 @@ class PackagesController < ApplicationController
|
|||
|
||||
# DELETE /api/packages
|
||||
def uninstall
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
|
||||
package = Package.find( params[:id] )
|
||||
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def index
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_index_render(PostmasterFilter, params)
|
||||
end
|
||||
|
||||
|
|
@ -76,7 +76,7 @@ curl http://localhost/api/postmaster_filters/#{id}.json -v -u #{login}:#{passwor
|
|||
=end
|
||||
|
||||
def show
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_show_render(PostmasterFilter, params)
|
||||
end
|
||||
|
||||
|
|
@ -121,7 +121,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(PostmasterFilter, params)
|
||||
end
|
||||
|
||||
|
|
@ -164,7 +164,7 @@ curl http://localhost/api/postmaster_filters.json -v -u #{login}:#{password} -H
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(PostmasterFilter, params)
|
||||
end
|
||||
|
||||
|
|
@ -179,7 +179,7 @@ Test:
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(PostmasterFilter, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Role, params)
|
||||
end
|
||||
|
||||
|
|
@ -124,7 +124,7 @@ curl http://localhost/api/roles.json -v -u #{login}:#{password} -H "Content-Type
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Role, params)
|
||||
end
|
||||
|
||||
|
|
@ -139,7 +139,7 @@ Test:
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Role, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -10,6 +10,10 @@ module ExtraCollection
|
|||
|
||||
if !user.is_role('Customer')
|
||||
collections['Organization'] = Organization.all
|
||||
else
|
||||
if user.organization_id
|
||||
collections['Organization'] = Organization.find( user.organization_id )
|
||||
end
|
||||
end
|
||||
end
|
||||
def push( collections, user )
|
||||
|
|
@ -20,6 +24,10 @@ module ExtraCollection
|
|||
|
||||
if !user.is_role('Customer')
|
||||
collections['Organization'] = Organization.all
|
||||
else
|
||||
if user.organization_id
|
||||
collections['Organization'] = Organization.find( user.organization_id )
|
||||
end
|
||||
end
|
||||
end
|
||||
module_function :session, :push
|
||||
|
|
|
|||
|
|
@ -5,29 +5,31 @@ class SettingsController < ApplicationController
|
|||
|
||||
# GET /settings
|
||||
def index
|
||||
return if deny_if_not_role('Admin')
|
||||
model_index_render(Setting, params)
|
||||
end
|
||||
|
||||
# GET /settings/1
|
||||
def show
|
||||
return if deny_if_not_role('Admin')
|
||||
model_show_render(Setting, params)
|
||||
end
|
||||
|
||||
# POST /settings
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Setting, params)
|
||||
end
|
||||
|
||||
# PUT /settings/1
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Setting, params)
|
||||
end
|
||||
|
||||
# DELETE /settings/1
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Setting, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -96,7 +96,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Signature, params)
|
||||
end
|
||||
|
||||
|
|
@ -125,7 +125,7 @@ curl http://localhost/api/signatures.json -v -u #{login}:#{password} -H "Content
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Signature, params)
|
||||
end
|
||||
|
||||
|
|
@ -140,7 +140,7 @@ Test:
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Signature, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def index
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_index_render(Sla, params)
|
||||
end
|
||||
|
||||
|
|
@ -69,7 +69,7 @@ curl http://localhost/api/slas/#{id}.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def show
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_show_render(Sla, params)
|
||||
end
|
||||
|
||||
|
|
@ -98,7 +98,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
|
|||
=end
|
||||
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Sla, params)
|
||||
end
|
||||
|
||||
|
|
@ -127,7 +127,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
|
|||
=end
|
||||
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Sla, params)
|
||||
end
|
||||
|
||||
|
|
@ -145,7 +145,7 @@ curl http://localhost/api/slas.json -v -u #{login}:#{password} -H "Content-Type:
|
|||
=end
|
||||
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Sla, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -15,19 +15,19 @@ class TicketPrioritiesController < ApplicationController
|
|||
|
||||
# POST /ticket_priorities
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Ticket::Priority, params)
|
||||
end
|
||||
|
||||
# PUT /ticket_priorities/1
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Ticket::Priority, params)
|
||||
end
|
||||
|
||||
# DELETE /ticket_priorities/1
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Ticket::Priority, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -15,19 +15,19 @@ class TicketStatesController < ApplicationController
|
|||
|
||||
# POST /ticket_states
|
||||
def create
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_create_render(Ticket::State, params)
|
||||
end
|
||||
|
||||
# PUT /ticket_states/1
|
||||
def update
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_update_render(Ticket::State, params)
|
||||
end
|
||||
|
||||
# DELETE /ticket_states/1
|
||||
def destroy
|
||||
return if is_not_role('Admin')
|
||||
return if deny_if_not_role('Admin')
|
||||
model_destory_render(Ticket::State, params)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -61,12 +61,18 @@ curl http://localhost/api/users.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def index
|
||||
users = User.all
|
||||
|
||||
# only allow customer to fetch him self
|
||||
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
|
||||
users = User.where( :id => current_user.id )
|
||||
else
|
||||
users = User.all
|
||||
end
|
||||
users_all = []
|
||||
users.each {|user|
|
||||
users_all.push User.user_data_full( user.id )
|
||||
}
|
||||
render :json => users_all
|
||||
render :json => users_all, :status => :ok
|
||||
end
|
||||
|
||||
=begin
|
||||
|
|
@ -87,6 +93,14 @@ curl http://localhost/api/users/#{id}.json -v -u #{login}:#{password}
|
|||
=end
|
||||
|
||||
def show
|
||||
|
||||
# access deny
|
||||
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
|
||||
if params[:id].to_i != current_user.id
|
||||
response_access_deny
|
||||
return
|
||||
end
|
||||
end
|
||||
user = User.user_data_full( params[:id] )
|
||||
render :json => user
|
||||
end
|
||||
|
|
@ -267,7 +281,10 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty
|
|||
|
||||
# allow user to update him self
|
||||
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
|
||||
return if params[:id] != current_user.id
|
||||
if params[:id] != current_user.id
|
||||
response_access_deny
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
user = User.find( params[:id] )
|
||||
|
|
@ -301,13 +318,21 @@ curl http://localhost/api/users/2.json -v -u #{login}:#{password} -H "Content-Ty
|
|||
|
||||
# DELETE /api/users/1
|
||||
def destroy
|
||||
return if !is_role('Admin')
|
||||
if !is_role('Admin')
|
||||
response_access_deny
|
||||
return
|
||||
end
|
||||
model_destory_render(User, params)
|
||||
end
|
||||
|
||||
# GET /api/users/search
|
||||
def search
|
||||
|
||||
if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
|
||||
response_access_deny
|
||||
return
|
||||
end
|
||||
|
||||
# do query
|
||||
user_all = User.search(
|
||||
:query => params[:term],
|
||||
|
|
@ -529,5 +554,4 @@ curl http://localhost/api/users/account.json -v -u #{login}:#{password} -H "Cont
|
|||
render :json => { :message => 'ok' }, :status => :ok
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
|
|
|||
|
|
@ -203,8 +203,19 @@ class ApplicationModel < ActiveRecord::Base
|
|||
record = self.new( data )
|
||||
record.save
|
||||
return record
|
||||
elsif data[:login]
|
||||
records = self.where( :login => data[:login] )
|
||||
records.each {|record|
|
||||
if record.login.downcase == data[:login].downcase
|
||||
record.update_attributes( data )
|
||||
return record
|
||||
end
|
||||
}
|
||||
record = self.new( data )
|
||||
record.save
|
||||
return record
|
||||
else
|
||||
raise "Need name for create_or_update()"
|
||||
raise "Need name or login for create_or_update()"
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue