diff --git a/app/controllers/organizations_controller.rb b/app/controllers/organizations_controller.rb
index cef3e43c0..18ed84415 100644
--- a/app/controllers/organizations_controller.rb
+++ b/app/controllers/organizations_controller.rb
@@ -61,7 +61,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
 # only allow customer to fetch his own organization
 organizations = []
- if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+ if !current_user.permissions?(['admin.organization', 'ticket.agent'])
 if current_user.organization_id
 organizations = Organization.where(id: current_user.organization_id).order(id: 'ASC').offset(offset).limit(per_page)
 end
@@ -118,7 +118,7 @@ curl http://localhost/api/v1/organizations/#{id} -v -u #{login}:#{password}
 def show
 # only allow customer to fetch his own organization
- if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+ if !current_user.permissions?(['admin.organization', 'ticket.agent'])
 if !current_user.organization_id
 render json: {}
 return
@@ -167,8 +167,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
 =end
 def create
- permission_check('ticket.agent')
- #permission_check('admin.organization')
+ permission_check(['admin.organization', 'ticket.agent'])
 model_create_render(Organization, params)
 end
@@ -199,7 +198,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
 =end
 def update
- permission_check('ticket.agent')
+ permission_check(['admin.organization', 'ticket.agent'])
 model_update_render(Organization, params)
 end
@@ -217,7 +216,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 =end
 def destroy
- permission_check('ticket.agent')
+ permission_check(['admin.organization', 'ticket.agent'])
 model_references_check(Organization, params)
 model_destroy_render(Organization, params)
 end
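Review bot: The array argument to `permissions?` in index (and the same pattern in show, create, update and destroy on this line) does not say whether the check is any-of or all-of; the replaced `&&` of two negated single-permission calls keeps its meaning only if `permissions?([...])` is true when the user holds at least one of the listed permissions, which the accompanying controller test (a token scoped to `ticket.agent` alone getting 200 and 201) suggests but the call site does not state. A one-line comment above the first such check would spare the next reader a trip into the model: `# permissions?(array) is satisfied by any one of the listed permissions (presumably also by a parent such as 'admin', judging from the token test)`. The double negation also reads more naturally as `unless current_user.permissions?(['admin.organization', 'ticket.agent'])`. Each of these methods starts or ends outside its hunk.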
@@ -225,7 +224,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 # GET /api/v1/organizations/search
 def search
- if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+ if !current_user.permissions?(['admin.organization', 'ticket.agent'])
 raise Exceptions::NotAuthorized
 end
@@ -305,7 +304,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 def history
 # permission check
- if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+ if !current_user.permissions?(['admin.organization', 'ticket.agent'])
 raise Exceptions::NotAuthorized
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ee63a51a8..c29663960 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -26,7 +26,7 @@ class UsersController < ApplicationController
 end
 # only allow customer to fetch him self
- users = if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
+ users = if !current_user.permissions?(['admin.user', 'ticket.agent'])
 User.where(id: current_user.id).order(id: 'ASC').offset(offset).limit(per_page)
 else
 User.all.order(id: 'ASC').offset(offset).limit(per_page)
@@ -352,7 +352,7 @@ class UsersController < ApplicationController
 # @response_message 401 Invalid session.
 def search
- if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin.user')
+ if !current_user.permissions?(['ticket.agent', 'admin.user'])
 response_access_deny
 return
 end
@@ -510,7 +510,7 @@ class UsersController < ApplicationController
 def history
 # permission check
- if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
+ if !current_user.permissions?(['admin.user', 'ticket.agent'])
 response_access_deny
 return
 end
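Review bot: In users_controller `search` the permission list is ordered `['ticket.agent', 'admin.user']` while index and history on this line (and every organizations check) put the admin permission first; if the check is any-of the order changes nothing, but the inconsistency invites a reader to suspect a meaning that is not there. Use the same order everywhere: `if !current_user.permissions?(['admin.user', 'ticket.agent'])`. Separately, these users_controller checks deny with `response_access_deny` plus `return`, whereas the organizations_controller checks on the same line raise `Exceptions::NotAuthorized`; the difference predates this commit, but since the commit touches every one of these sites it is a cheap moment to settle on one deny path so that response codes and any logging of refused access stay uniform. `search` and `history` continue outside their hunks.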
diff --git a/app/models/token.rb b/app/models/token.rb
index c917ac2c9..de70a3d5d 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -46,6 +46,8 @@ check api token with permissions
 user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')
+ user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])
+
 returns user for who this token was created
@@ -85,8 +87,13 @@ returns
 end
 match = false
 local_permissions.each { |local_permission|
- next if !token.preferences[:permission].include?(local_permission)
- match = true
+ local_permissions = Permission.with_parents(local_permission)
+ local_permissions.each { |local_permission_name|
+ next if !token.preferences[:permission].include?(local_permission_name)
+ match = true
+ break
+ }
+ next if !match
 break
 }
 return if !match
diff --git a/test/controllers/api_auth_controller_test.rb b/test/controllers/api_auth_controller_test.rb
index edf959925..6b180fcb8 100644
--- a/test/controllers/api_auth_controller_test.rb
+++ b/test/controllers/api_auth_controller_test.rb
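Review bot: The added line `local_permissions = Permission.with_parents(local_permission)` reassigns the very array the enclosing `each` is iterating, so inside the block the name means the expanded parent list while the iteration still walks the original; it works because `each` holds its own receiver, but it is a shadowing trap for the next edit. A fresh name and `any?` remove the inner loop and the `next if !match` plumbing: `match = Permission.with_parents(local_permission).any? { |name| token.preferences[:permission].include?(name) }` followed by `break if match`. The loop also deserves a comment on `local_permissions.each` stating that the token is accepted if it holds any one of the requested permissions or one of their parents (the controller test shows a token scoped to `admin` creating organizations), since that widening is the security-relevant effect of this hunk. The surrounding method, including whatever guards a token whose `preferences[:permission]` is absent, lies outside the hunk.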
@@ -202,6 +202,81 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
 assert_equal(Array, result.class)
 assert(result)
+ admin_token.preferences[:permission] = ['ticket.agent']
+ admin_token.save!
+
+ get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Array, result.class)
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)}"
+ post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+ assert_response(201)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(name, result['name'])
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)} - 2"
+ put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(name, result['name'])
+ assert(result)
+
+ admin_token.preferences[:permission] = ['admin.organization']
+ admin_token.save!
+
+ get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Array, result.class)
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)}"
+ post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+ assert_response(201)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(name, result['name'])
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)} - 2"
+ put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(name, result['name'])
+ assert(result)
+
+ admin_token.preferences[:permission] = ['admin']
+ admin_token.save!
+
+ get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Array, result.class)
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)}"
+ post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+ assert_response(201)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(name, result['name'])
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)} - 2"
+ put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(name, result['name'])
+ assert(result)
+
 end
 test 'token auth - agent' do
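Review bot: The new assertions only cover permission sets that are expected to succeed (`ticket.agent`, `admin.organization`, `admin`); no case shows that a token scoped to an unrelated permission is refused on the organization endpoints, so a regression that made the token check accept any permission would still pass this test. A negative set after the `admin` block closes that gap; 401 is the expected status by analogy with the agent and customer cases on the next line, to be confirmed. The three repeated get/post/put blocks differ only in the permission set, so looping over `[['ticket.agent'], ['admin.organization'], ['admin']]` with a small helper would shorten the test by roughly fifty lines and make the negative case a one-liner as well. The test method's opening lines lie outside the hunk.
```ruby
    # … unchanged: the ticket.agent, admin.organization and admin blocks …
    admin_token.preferences[:permission] = ['admin.user'] # holds no organization permission
    admin_token.save!

    post '/api/v1/organizations', { name: "some org name #{rand(999_999_999)}" }.to_json, @headers.merge('Authorization' => admin_credentials)
    assert_response(401)
```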
@@ -228,6 +303,17 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
 result = JSON.parse(@response.body)
 assert_equal(Array, result.class)
 assert(result)
+
+ get '/api/v1/organizations', {}, @headers.merge('Authorization' => agent_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Array, result.class)
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)}"
+ post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => agent_credentials)
+ assert_response(401)
+
 end
 test 'token auth - customer' do
@@ -254,6 +340,16 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
 result = JSON.parse(@response.body)
 assert_equal(Array, result.class)
 assert(result)
+
+ get '/api/v1/organizations', {}, @headers.merge('Authorization' => customer_credentials)
+ assert_response(200)
+ result = JSON.parse(@response.body)
+ assert_equal(Array, result.class)
+ assert(result)
+
+ name = "some org name #{rand(999_999_999)}"
+ post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => customer_credentials)
+ assert_response(401)
 end
 test 'token auth - invalid user - admin' do
diff --git a/test/unit/token_test.rb b/test/unit/token_test.rb
index 19b015084..f2c1d990f 100644
--- a/test/unit/token_test.rb
+++ b/test/unit/token_test.rb
@@ -104,6 +104,18 @@ class TokenTest < ActiveSupport::TestCase
 permission: 'ticket',
 )
 assert_not(user)
+ user = Token.check(
+ action: 'api',
+ name: token.name,
+ permission: 'ticket.agent.sub',
+ )
+ assert(user)
+ user = Token.check(
+ action: 'api',
+ name: token.name,
+ permission: 'admin_not_extisting',
+ )
+ assert_not(user)
 user = Token.check(
 action: 'api',
 name: token.name,
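Review bot: The array form of `permission:` that token.rb's documentation now advertises (`permission: ['admin.session', 'ticket.agent']`) is not exercised in token_test; both new cases pass a single string, so the any-of loop over several requested permissions goes untested. Add `user = Token.check(action: 'api', name: token.name, permission: ['admin_not_extisting', 'ticket.agent'])` followed by `assert(user)`, which checks that one matching entry suffices while an unknown one does not break the lookup (this assumes the fixture token holds `ticket.agent`, which the passing `ticket.agent.sub` case implies). `'admin_not_extisting'` also looks like a typo for `admin_not_existing`; it has no effect on the assertion but reads oddly. The agent and customer cases on this line assert a refused organization creation but never a refused update or deletion, although the same permission widening applies to those actions.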