Fixed issue #902 - Can't use PUT on Organizations REST API with token.

2017-04-11 08:33:08 +02:00 · 2017-04-11 08:33:08 +02:00 · 9cc1f8b564
commit 9cc1f8b564
parent dbbcb5175e
5 changed files with 127 additions and 13 deletions
--- a/app/controllers/organizations_controller.rb
+++ b/app/controllers/organizations_controller.rb
@ -61,7 +61,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}

    # only allow customer to fetch his own organization
    organizations = []
-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
      if current_user.organization_id
        organizations = Organization.where(id: current_user.organization_id).order(id: 'ASC').offset(offset).limit(per_page)
      end
@ -118,7 +118,7 @@ curl http://localhost/api/v1/organizations/#{id} -v -u #{login}:#{password}
  def show

    # only allow customer to fetch his own organization
-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
      if !current_user.organization_id
        render json: {}
        return
@ -167,8 +167,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
 =end

  def create
-    permission_check('ticket.agent')
-    #permission_check('admin.organization')
+    permission_check(['admin.organization', 'ticket.agent'])
    model_create_render(Organization, params)
  end

@ -199,7 +198,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
 =end

  def update
-    permission_check('ticket.agent')
+    permission_check(['admin.organization', 'ticket.agent'])
    model_update_render(Organization, params)
  end

@ -217,7 +216,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 =end

  def destroy
-    permission_check('ticket.agent')
+    permission_check(['admin.organization', 'ticket.agent'])
    model_references_check(Organization, params)
    model_destroy_render(Organization, params)
  end
@ -225,7 +224,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
  # GET /api/v1/organizations/search
  def search

-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
      raise Exceptions::NotAuthorized
    end

@ -305,7 +304,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
  def history

    # permission check
-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
      raise Exceptions::NotAuthorized
    end

--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -26,7 +26,7 @@ class UsersController < ApplicationController
    end

    # only allow customer to fetch him self
-    users = if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
+    users = if !current_user.permissions?(['admin.user', 'ticket.agent'])
              User.where(id: current_user.id).order(id: 'ASC').offset(offset).limit(per_page)
            else
              User.all.order(id: 'ASC').offset(offset).limit(per_page)
@ -352,7 +352,7 @@ class UsersController < ApplicationController
  # @response_message 401               Invalid session.
  def search

-    if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin.user')
+    if !current_user.permissions?(['ticket.agent', 'admin.user'])
      response_access_deny
      return
    end
@ -510,7 +510,7 @@ class UsersController < ApplicationController
  def history

    # permission check
-    if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.user', 'ticket.agent'])
      response_access_deny
      return
    end
--- a/app/models/token.rb
+++ b/app/models/token.rb
@ -46,6 +46,8 @@ check api token with permissions

  user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')

+  user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])
+
 returns

  user for who this token was created
@ -85,8 +87,13 @@ returns
      end
      match = false
      local_permissions.each { |local_permission|
-        next if !token.preferences[:permission].include?(local_permission)
-        match = true
+        local_permissions = Permission.with_parents(local_permission)
+        local_permissions.each { |local_permission_name|
+          next if !token.preferences[:permission].include?(local_permission_name)
+          match = true
+          break
+        }
+        next if !match
        break
      }
      return if !match
--- a/test/controllers/api_auth_controller_test.rb
+++ b/test/controllers/api_auth_controller_test.rb
@ -202,6 +202,81 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
    assert_equal(Array, result.class)
    assert(result)

+    admin_token.preferences[:permission] = ['ticket.agent']
+    admin_token.save!
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)} - 2"
+    put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    admin_token.preferences[:permission] = ['admin.organization']
+    admin_token.save!
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)} - 2"
+    put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    admin_token.preferences[:permission] = ['admin']
+    admin_token.save!
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)} - 2"
+    put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
  end

  test 'token auth - agent' do
@ -228,6 +303,17 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
    result = JSON.parse(@response.body)
    assert_equal(Array, result.class)
    assert(result)
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => agent_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => agent_credentials)
+    assert_response(401)
+
  end

  test 'token auth - customer' do
@ -254,6 +340,16 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
    result = JSON.parse(@response.body)
    assert_equal(Array, result.class)
    assert(result)
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => customer_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => customer_credentials)
+    assert_response(401)
  end

  test 'token auth - invalid user - admin' do
--- a/test/unit/token_test.rb
+++ b/test/unit/token_test.rb
@ -104,6 +104,18 @@ class TokenTest < ActiveSupport::TestCase
      permission: 'ticket',
    )
    assert_not(user)
+    user = Token.check(
+      action: 'api',
+      name: token.name,
+      permission: 'ticket.agent.sub',
+    )
+    assert(user)
+    user = Token.check(
+      action: 'api',
+      name: token.name,
+      permission: 'admin_not_extisting',
+    )
+    assert_not(user)
    user = Token.check(
      action: 'api',
      name: token.name,