Improved permission check of personal tokens.

This commit is contained in:
Martin Edenhofer 2016-08-16 10:00:44 +02:00
parent e7960ab03b
commit 731c237d0c
6 changed files with 42 additions and 18 deletions


@ -262,12 +262,20 @@ class ApplicationController < ActionController::Base
if Setting.get('api_token_access') == false
raise Exceptions::NotAuthorized, 'API token access disabled!'
end
user = Token.check(
action: 'api',
name: token,
inactive_user: true,
)
if user && auth_param[:permission]
user = Token.check(
action: 'api',
name: token,
permission: auth_param[:permission],
inactive_user: true,
)
raise Exceptions::NotAuthorized, 'No permission!' if !user
end
@_token_auth = token # remember for permission_check
return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
end
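Review bot: `@_token_auth = token # remember for permission_check` is assigned before the `if user` guard on the next line, so an unknown token name is remembered even when both Token.check calls returned nil and no user was authenticated; if permission_check treats a non-nil @_token_auth as a validated token, move the assignment under the guard, e.g. `if user` / `@_token_auth = token` / `return authentication_check_prerequesits(user, 'token_auth', auth_param)`. The second Token.check repeats the first lookup with the same action and name plus `permission:`, so every permission-scoped request pays two token queries; that is acceptable if the 'No permission!' distinction from an unknown token is wanted, but a one-line comment stating that intent would stop a later reader from "optimising" it away. The enclosing method starts before this hunk and its remaining body lies after it.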


@ -1,7 +1,7 @@
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
class RolesController < ApplicationController
before_action :authentication_check
before_action { authentication_check(permission: 'admin.role') }
=begin
@ -95,7 +95,6 @@ curl http://localhost/api/v1/roles.json -v -u #{login}:#{password} -H "Content-T
=end
def create
permission_check('admin.role')
model_create_render(Role, params)
end
@ -124,7 +123,6 @@ curl http://localhost/api/v1/roles.json -v -u #{login}:#{password} -H "Content-T
=end
def update
permission_check('admin.role')
model_update_render(Role, params)
end
@ -139,7 +137,6 @@ Test:
=end
def destroy
permission_check('admin.role')
model_destory_render(Role, params)
end
end
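Review bot: With `permission_check('admin.role')` dropped from create, update and destroy, authorization for this controller now rests solely on the block `before_action { authentication_check(permission: 'admin.role') }` at the top, which also applies to any read-only actions the controller defines (index/show lie outside these hunks) and so changes their behaviour if they previously needed only authentication. If that tightening is intended, make it explicit next to the filter: `# every action in this controller requires admin.role; an except: here must re-add permission_check in the excluded action`. A future `before_action ..., except:` or a new action would otherwise silently lose the check that the removed per-action calls used to guarantee.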


@ -17,14 +17,22 @@ class UserAccessTokenController < ApplicationController
local_permissions.each { |key, _value|
keys = Object.const_get('Permission').with_parents(key)
keys.each { |local_key|
next if local_permissions_new[local_key]
next if local_permissions_new.key?([local_key])
if local_permissions[local_key] == true
local_permissions_new[local_key] = true
next
end
local_permissions_new[local_key] = false
}
}
permissions = []
Permission.all.order(:name).each { |permission|
next if !local_permissions_new.key?(permission.name)
permissions.push permission
permission_attributes = permission.attributes
if local_permissions_new[permission.name] == false
permission_attributes['preferences']['disabled'] = true
end
permissions.push permission_attributes
}
render json: {
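Review bot: `next if local_permissions_new.key?([local_key])`, which the rendered diff shows as the new side of the guard, looks up a one-element Array as the hash key, so it never matches the String keys written below it and the guard is dead; a later key's parent entry can then overwrite an earlier `true` with `false`, and the line should read `next if local_permissions_new.key?(local_key)`. Separately, `permission_attributes['preferences']['disabled'] = true` mutates the nested preferences hash, which `permission.attributes` most likely shares with the loaded `permission` record rather than copying, so the disabled flag may leak into that in-memory object for the rest of the request; copying before editing (`permission_attributes = permission.attributes.deep_dup` or equivalent) avoids that — confirm against how `attributes` is built for this model. The enclosing method starts before this hunk and continues after the `render json:` line.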


@ -79,7 +79,7 @@ returns
if data[:permission]
return if !user.permissions?(data[:permission])
return if !token.preferences[:permission]
return if token.preferences[:permission][data[:permission]] != true
return if !token.preferences[:permission].include?(data[:permission])
end
# return token user
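Review bot: `return if !token.preferences[:permission].include?(data[:permission])` assumes the stored value is an Array, but the removed test lines show the previous format was a Hash of name => true/false and no migration is among the six changed files; on a legacy token `Hash#include?` is the same as `key?`, so an entry persisted as `'admin.session' => false` would now satisfy the check and grant the permission. Reject anything that is not an Array explicitly, e.g. `perms = token.preferences[:permission]` followed by `return if !perms.is_a?(Array) || !perms.include?(data[:permission])`, or normalise a legacy Hash to the keys whose value is true before testing membership. The membership test is also exact-match only, so a token listing 'admin' does not satisfy a request for 'admin.role' even though Permission.with_parents exists elsewhere in this commit — confirm that is intended and document it on the line. Token.check starts before this hunk and its return of the user lies after it.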


@ -114,9 +114,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
persistent: true,
user_id: @admin.id,
preferences: {
permission: {
'admin.session' => true,
}
permission: ['admin.session'],
},
)
admin_credentials = "Token token=#{admin_token.name}"
@ -135,7 +133,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
assert_equal(Hash, result.class)
assert(result)
admin_token.preferences[:permission]['admin.session'] = false
admin_token.preferences[:permission] = ['admin.session_not_existing']
admin_token.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
@ -144,7 +142,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
assert_equal(Hash, result.class)
assert_equal('No permission!', result['error'])
admin_token.preferences[:permission] = {}
admin_token.preferences[:permission] = []
admin_token.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
@ -162,7 +160,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
assert_equal(Hash, result.class)
assert_equal('User is inactive!', result['error'])
admin_token.preferences[:permission]['admin.session'] = true
admin_token.preferences[:permission] = ['admin.session']
admin_token.save!
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
@ -179,6 +177,22 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert(result)
get '/api/v1/roles', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal('No permission!', result['error'])
admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
admin_token.save!
get '/api/v1/roles', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
end
test 'token auth - agent' do
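Review bot: The new roles block after the last `assert(result)` exercises grant and deny purely by the token's permission list, but neither it nor the sessions cases above check that a token listing a permission its user does not hold is refused, which is the `user.permissions?` half of Token.check; unless the 'token auth - agent' test beginning on the last line of this hunk covers it, add a case with an agent-owned token whose list contains 'admin.role' and expect 401 on `/api/v1/roles`. A case whose `preferences[:permission]` still holds the old Hash format (`'admin.session' => false`, as the removed lines did) would also pin the behaviour for tokens created before this commit, since no migration is part of it.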


@ -83,10 +83,7 @@ class TokenTest < ActiveSupport::TestCase
persistent: true,
user_id: agent1.id,
preferences: {
permission: {
'admin' => true, # agent has no access to admin.*
'ticket.agent' => true,
}
permission: ['admin', 'ticket.agent'], # agent has no access to admin.*
}
)
user = Token.check(