Added existing and permission check for recent viewed.

This commit is contained in:
Martin Edenhofer 2014-12-31 14:56:37 +01:00
parent 4561849bc1
commit 39ec771676
8 changed files with 254 additions and 25 deletions

View file

@ -106,6 +106,10 @@ class App.TicketZoom extends App.Controller
@load(data, force) @load(data, force)
App.Store.write( @key, data ) App.Store.write( @key, data )
if !@doNotLog
@doNotLog = 1
@recentView( 'Ticket', ticket_id )
error: (xhr, status, error) => error: (xhr, status, error) =>
# do not close window if request is aborted # do not close window if request is aborted
@ -118,9 +122,6 @@ class App.TicketZoom extends App.Controller
App.TaskManager.remove( @task_key ) App.TaskManager.remove( @task_key )
) )
if !@doNotLog
@doNotLog = 1
@recentView( 'Ticket', ticket_id )
load: (data, force) => load: (data, force) =>

View file

@ -1,6 +1,7 @@
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/ # Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
class Organization < ApplicationModel class Organization < ApplicationModel
include Organization::Permission
load 'organization/assets.rb' load 'organization/assets.rb'
include Organization::Assets include Organization::Assets
extend Organization::Search extend Organization::Search

View file

@ -0,0 +1,38 @@
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
module Organization::Permission
=begin
check if user has access to user
user = Organization.find(123)
result = Organization.permission( :type => 'rw', :current_user => User.find(123) )
returns
result = true|false
=end
def permission (data)
# check customer
if data[:current_user].is_role('Customer')
# access ok if its own organization
return false if data[:type] != 'ro'
return false if !data[:current_user].organization_id
return true if self.id == data[:current_user].organization_id
# no access
return false
end
# check agent
return true if data[:current_user].is_role('Admin')
return true if data[:current_user].is_role('Agent')
return false
end
end

View file

@ -9,14 +9,17 @@ class RecentView < ApplicationModel
def self.log( object, o_id, user ) def self.log( object, o_id, user )
# access check
return if !access( object, o_id, user )
# lookups # lookups
object_lookup_id = ObjectLookup.by_name( object ) object_lookup_id = ObjectLookup.by_name( object )
# create entry # create entry
record = { record = {
:o_id => o_id, :o_id => o_id,
:recent_view_object_id => object_lookup_id.to_i, :recent_view_object_id => object_lookup_id.to_i,
:created_by_id => user.id, :created_by_id => user.id,
} }
RecentView.create(record) RecentView.create(record)
end end
@ -45,9 +48,14 @@ class RecentView < ApplicationModel
list = [] list = []
recent_views.each { |item| recent_views.each { |item|
data = item.attributes data = item.attributes
data['object'] = ObjectLookup.by_id( data['recent_view_object_id'] ) data['object'] = ObjectLookup.by_id( data['recent_view_object_id'] )
data.delete( 'recent_view_object_id' ) data.delete( 'recent_view_object_id' )
# access check
next if !access( data['object'], data['o_id'], user )
# add to result list
list.push data list.push data
} }
list list
@ -70,11 +78,26 @@ class RecentView < ApplicationModel
self.created_by_id, self.created_by_id,
{ {
:event => 'RecentView::changed', :event => 'RecentView::changed',
:data => {} :data => {}
} }
) )
end end
class Object < ApplicationModel private
def self.access(object, o_id, user)
# check if object exists
begin
return if !Kernel.const_get( object )
record = Kernel.const_get( object ).where( :id => o_id ).first
return if !record
rescue
return
end
# check permission
return if !record.respond_to?(:permission)
record.permission( :current_user => user )
end end
end end

View file

@ -24,6 +24,7 @@ require 'digest/md5'
# @property active [Boolean] The flag that shows the active state of the User. # @property active [Boolean] The flag that shows the active state of the User.
# @property note [String] The note or comment stored to the User. # @property note [String] The note or comment stored to the User.
class User < ApplicationModel class User < ApplicationModel
include User::Permission
load 'user/assets.rb' load 'user/assets.rb'
include User::Assets include User::Assets
extend User::Search extend User::Search

View file

@ -0,0 +1,36 @@
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
module User::Permission
=begin
check if user has access to user
user = User.find(123)
result = user.permission( :type => 'rw', :current_user => User.find(123) )
returns
result = true|false
=end
def permission (data)
# check customer
if data[:current_user].is_role('Customer')
# access ok if its own user
return true if self.id == data[:current_user].id
# no access
return false
end
# check agent
return true if data[:current_user].is_role('Admin')
return true if data[:current_user].is_role('Agent')
return false
end
end

View file

@ -6,23 +6,23 @@ class RecentViewTest < ActiveSupport::TestCase
test 'simple tests' do test 'simple tests' do
ticket1 = Ticket.create( ticket1 = Ticket.create(
:title => 'RecentViewTest 1 some title äöüß', :title => 'RecentViewTest 1 some title äöüß',
:group => Group.lookup( :name => 'Users'), :group => Group.lookup( :name => 'Users'),
:customer_id => 2, :customer_id => 2,
:state => Ticket::State.lookup( :name => 'new' ), :state => Ticket::State.lookup( :name => 'new' ),
:priority => Ticket::Priority.lookup( :name => '2 normal' ), :priority => Ticket::Priority.lookup( :name => '2 normal' ),
:updated_by_id => 1, :updated_by_id => 1,
:created_by_id => 1, :created_by_id => 1,
) )
assert( ticket1, "ticket created" ) assert( ticket1, "ticket created" )
ticket2 = Ticket.create( ticket2 = Ticket.create(
:title => 'RecentViewTest 2 some title äöüß', :title => 'RecentViewTest 2 some title äöüß',
:group => Group.lookup( :name => 'Users'), :group => Group.lookup( :name => 'Users'),
:customer_id => 2, :customer_id => 2,
:state => Ticket::State.lookup( :name => 'new' ), :state => Ticket::State.lookup( :name => 'new' ),
:priority => Ticket::Priority.lookup( :name => '2 normal' ), :priority => Ticket::Priority.lookup( :name => '2 normal' ),
:updated_by_id => 1, :updated_by_id => 1,
:created_by_id => 1, :created_by_id => 1,
) )
assert( ticket2, "ticket created" ) assert( ticket2, "ticket created" )
user1 = User.find(2) user1 = User.find(2)
@ -56,4 +56,133 @@ class RecentViewTest < ActiveSupport::TestCase
list = RecentView.list( user1 ) list = RecentView.list( user1 )
assert( !list[0], 'check if recent view list is empty' ) assert( !list[0], 'check if recent view list is empty' )
end end
test 'existing tests' do
user = User.find(2)
# log entry of not existing object
RecentView.user_log_destroy(user)
RecentView.log( 'ObjectNotExisting', 1, user )
# check if list is empty
list = RecentView.list( user )
assert( !list[0], 'check if recent view list is empty' )
# log entry of not existing record
RecentView.user_log_destroy(user)
RecentView.log( 'User', 99999999, user )
# check if list is empty
list = RecentView.list( user )
assert( !list[0], 'check if recent view list is empty' )
# log entry of not existing model with permission check
RecentView.user_log_destroy(user)
RecentView.log( 'Overview', 99999999, user )
# check if list is empty
list = RecentView.list( user )
assert( !list[0], 'check if recent view list is empty' )
end
test 'permission tests' do
customer = User.find(2)
groups = Group.where( :name => 'Users' )
roles = Role.where( :name => 'Agent' )
agent = User.create_or_update(
:login => 'recent-viewed-agent@example.com',
:firstname => 'RecentViewed',
:lastname => 'Agent',
:email => 'recent-viewed-agent@example.com',
:password => 'agentpw',
:active => true,
:roles => roles,
:groups => groups,
:updated_by_id => 1,
:created_by_id => 1,
)
Group.create_if_not_exists(
:name => 'WithoutAccess',
:note => 'Test for not access check.',
:updated_by_id => 1,
:created_by_id => 1
)
# no access for customer
ticket1 = Ticket.create(
:title => 'RecentViewTest 1 some title äöüß',
:group => Group.lookup( :name => 'WithoutAccess'),
:customer_id => 1,
:state => Ticket::State.lookup( :name => 'new' ),
:priority => Ticket::Priority.lookup( :name => '2 normal' ),
:updated_by_id => 1,
:created_by_id => 1,
)
assert( ticket1, "ticket created" )
# log entry of not existing object
RecentView.user_log_destroy(customer)
RecentView.log( ticket1.class.to_s, ticket1.id, customer )
# check if list is empty
list = RecentView.list( customer )
assert( !list[0], 'check if recent view list is empty' )
# log entry of not existing object
RecentView.user_log_destroy(agent)
RecentView.log( ticket1.class.to_s, ticket1.id, agent )
# check if list is empty
list = RecentView.list( agent )
assert( !list[0], 'check if recent view list is empty' )
# access for customer via customer id
ticket1 = Ticket.create(
:title => 'RecentViewTest 1 some title äöüß',
:group => Group.lookup( :name => 'WithoutAccess'),
:customer_id => 2,
:state => Ticket::State.lookup( :name => 'new' ),
:priority => Ticket::Priority.lookup( :name => '2 normal' ),
:updated_by_id => 1,
:created_by_id => 1,
)
assert( ticket1, "ticket created" )
# log entry
RecentView.user_log_destroy(customer)
RecentView.log( ticket1.class.to_s, ticket1.id, customer )
# check if list is empty
list = RecentView.list( customer )
assert( list[0]['o_id'], ticket1.id )
assert( list[0]['object'], 'Ticket' )
assert( !list[1], 'check if recent view list is empty' )
# log entry
organization = Organization.find(1)
RecentView.user_log_destroy(customer)
RecentView.log( organization.class.to_s, organization.id, customer )
# check if list is empty
list = RecentView.list( customer )
assert( !list[0], 'check if recent view list is empty' )
# log entry
organization = Organization.find(1)
RecentView.user_log_destroy(agent)
RecentView.log( organization.class.to_s, organization.id, agent )
# check if list is empty
list = RecentView.list( agent )
assert( list[0]['o_id'], organization.id )
assert( list[0]['object'], 'Organization' )
assert( !list[1], 'check if recent view list is empty' )
end
end end