Fixed issue #902 - Can't use PUT on Organizations REST API with token.
This commit is contained in:
parent
dbbcb5175e
commit
9cc1f8b564
5 changed files with 127 additions and 13 deletions
|
@ -61,7 +61,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
|
||||||
|
|
||||||
# only allow customer to fetch his own organization
|
# only allow customer to fetch his own organization
|
||||||
organizations = []
|
organizations = []
|
||||||
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
|
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
|
||||||
if current_user.organization_id
|
if current_user.organization_id
|
||||||
organizations = Organization.where(id: current_user.organization_id).order(id: 'ASC').offset(offset).limit(per_page)
|
organizations = Organization.where(id: current_user.organization_id).order(id: 'ASC').offset(offset).limit(per_page)
|
||||||
end
|
end
|
||||||
|
@ -118,7 +118,7 @@ curl http://localhost/api/v1/organizations/#{id} -v -u #{login}:#{password}
|
||||||
def show
|
def show
|
||||||
|
|
||||||
# only allow customer to fetch his own organization
|
# only allow customer to fetch his own organization
|
||||||
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
|
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
|
||||||
if !current_user.organization_id
|
if !current_user.organization_id
|
||||||
render json: {}
|
render json: {}
|
||||||
return
|
return
|
||||||
|
@ -167,8 +167,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
|
||||||
=end
|
=end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
permission_check('ticket.agent')
|
permission_check(['admin.organization', 'ticket.agent'])
|
||||||
#permission_check('admin.organization')
|
|
||||||
model_create_render(Organization, params)
|
model_create_render(Organization, params)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -199,7 +198,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
|
||||||
=end
|
=end
|
||||||
|
|
||||||
def update
|
def update
|
||||||
permission_check('ticket.agent')
|
permission_check(['admin.organization', 'ticket.agent'])
|
||||||
model_update_render(Organization, params)
|
model_update_render(Organization, params)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -217,7 +216,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
|
||||||
=end
|
=end
|
||||||
|
|
||||||
def destroy
|
def destroy
|
||||||
permission_check('ticket.agent')
|
permission_check(['admin.organization', 'ticket.agent'])
|
||||||
model_references_check(Organization, params)
|
model_references_check(Organization, params)
|
||||||
model_destroy_render(Organization, params)
|
model_destroy_render(Organization, params)
|
||||||
end
|
end
|
||||||
|
@ -225,7 +224,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
|
||||||
# GET /api/v1/organizations/search
|
# GET /api/v1/organizations/search
|
||||||
def search
|
def search
|
||||||
|
|
||||||
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
|
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
|
||||||
raise Exceptions::NotAuthorized
|
raise Exceptions::NotAuthorized
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -305,7 +304,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
|
||||||
def history
|
def history
|
||||||
|
|
||||||
# permission check
|
# permission check
|
||||||
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
|
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
|
||||||
raise Exceptions::NotAuthorized
|
raise Exceptions::NotAuthorized
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
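Review bot: The new authorization lines use three different denial idioms in one controller: `permission_check([...])` in create/update/destroy, `raise Exceptions::NotAuthorized` behind `if !current_user.permissions?([...])` in search and history, and a silent empty result in index. Since the any-of meaning of the array argument is only implied by the tests, a single `permission_check(['admin.organization', 'ticket.agent'])` at the top of `search` and `history` would read the same as the write actions and keep the denial path in one place, assuming `permission_check` raises the same `Exceptions::NotAuthorized` (I cannot see its definition here). The dropped `#permission_check('admin.organization')` comment in `create` suggests the array form is what was wanted all along, so a one-line comment such as `# any of these permissions is sufficient` above the first call would make that explicit. The `index` and `show` bodies continue outside their hunks.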
@ -26,7 +26,7 @@ class UsersController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
# only allow customer to fetch him self
|
# only allow customer to fetch him self
|
||||||
users = if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
|
users = if !current_user.permissions?(['admin.user', 'ticket.agent'])
|
||||||
User.where(id: current_user.id).order(id: 'ASC').offset(offset).limit(per_page)
|
User.where(id: current_user.id).order(id: 'ASC').offset(offset).limit(per_page)
|
||||||
else
|
else
|
||||||
User.all.order(id: 'ASC').offset(offset).limit(per_page)
|
User.all.order(id: 'ASC').offset(offset).limit(per_page)
|
||||||
|
@ -352,7 +352,7 @@ class UsersController < ApplicationController
|
||||||
# @response_message 401 Invalid session.
|
# @response_message 401 Invalid session.
|
||||||
def search
|
def search
|
||||||
|
|
||||||
if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin.user')
|
if !current_user.permissions?(['ticket.agent', 'admin.user'])
|
||||||
response_access_deny
|
response_access_deny
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -510,7 +510,7 @@ class UsersController < ApplicationController
|
||||||
def history
|
def history
|
||||||
|
|
||||||
# permission check
|
# permission check
|
||||||
if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
|
if !current_user.permissions?(['admin.user', 'ticket.agent'])
|
||||||
response_access_deny
|
response_access_deny
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
|
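Review bot: In the `search` hunk the array is written `['ticket.agent', 'admin.user']` while the `index` and `history` hunks use `['admin.user', 'ticket.agent']`; if `permissions?` treats the array as any-of the order is irrelevant, but the inconsistency invites a reader to assume it matters. Use the same order in all three, `if !current_user.permissions?(['admin.user', 'ticket.agent'])`, or the positive form `unless current_user.permissions?(['admin.user', 'ticket.agent'])`. The organizations controller raises `Exceptions::NotAuthorized` at the equivalent spot while this one calls `response_access_deny` and returns, so a short comment on which response an API client should expect from each would help; I cannot tell from the hunks whether both end up as the same 401. The enclosing methods continue outside the hunks.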
@ -46,6 +46,8 @@ check api token with permissions
|
||||||
|
|
||||||
user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')
|
user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')
|
||||||
|
|
||||||
|
user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])
|
||||||
|
|
||||||
returns
|
returns
|
||||||
|
|
||||||
user for who this token was created
|
user for who this token was created
|
||||||
|
@ -85,10 +87,15 @@ returns
|
||||||
end
|
end
|
||||||
match = false
|
match = false
|
||||||
local_permissions.each { |local_permission|
|
local_permissions.each { |local_permission|
|
||||||
next if !token.preferences[:permission].include?(local_permission)
|
local_permissions = Permission.with_parents(local_permission)
|
||||||
|
local_permissions.each { |local_permission_name|
|
||||||
|
next if !token.preferences[:permission].include?(local_permission_name)
|
||||||
match = true
|
match = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
next if !match
|
||||||
|
break
|
||||||
|
}
|
||||||
return if !match
|
return if !match
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
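Review bot: Inside the outer `local_permissions.each` block the new line `local_permissions = Permission.with_parents(local_permission)` reassigns the very variable being iterated; Ruby keeps iterating the original array object, so it works, but the shadowing is confusing and leaves `local_permissions` pointing at the last expansion after the loop. The two-level loop with `match`/`break`/`next if !match` expresses "some required permission matches some name in its parent chain", which `any?` states directly and without the flag. This is also the security-relevant effect of the fix and deserves a comment: a token holding an ancestor permission (the tests use 'admin') now satisfies a more specific requirement (such as 'admin.organization'), and the doc example added at the top shows the array form without saying it is any-of. Whether `token.preferences[:permission]` can be nil at this point depends on code before the hunk.
```ruby
# A required permission is satisfied when the token holds it or any of its
# ancestors (e.g. 'admin' covers 'admin.organization'); with an Array of
# required permissions, matching any one of them is enough.
match = local_permissions.any? do |local_permission|
  Permission.with_parents(local_permission).any? do |permission_name|
    token.preferences[:permission].include?(permission_name)
  end
end
return if !match
```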
@ -202,6 +202,81 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
|
||||||
|
admin_token.preferences[:permission] = ['ticket.agent']
|
||||||
|
admin_token.save!
|
||||||
|
|
||||||
|
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Array, result.class)
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)}"
|
||||||
|
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(201)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Hash, result.class)
|
||||||
|
assert_equal(name, result['name'])
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)} - 2"
|
||||||
|
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Hash, result.class)
|
||||||
|
assert_equal(name, result['name'])
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
admin_token.preferences[:permission] = ['admin.organization']
|
||||||
|
admin_token.save!
|
||||||
|
|
||||||
|
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Array, result.class)
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)}"
|
||||||
|
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(201)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Hash, result.class)
|
||||||
|
assert_equal(name, result['name'])
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)} - 2"
|
||||||
|
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Hash, result.class)
|
||||||
|
assert_equal(name, result['name'])
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
admin_token.preferences[:permission] = ['admin']
|
||||||
|
admin_token.save!
|
||||||
|
|
||||||
|
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Array, result.class)
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)}"
|
||||||
|
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(201)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Hash, result.class)
|
||||||
|
assert_equal(name, result['name'])
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)} - 2"
|
||||||
|
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Hash, result.class)
|
||||||
|
assert_equal(name, result['name'])
|
||||||
|
assert(result)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test 'token auth - agent' do
|
test 'token auth - agent' do
|
||||||
|
@ -228,6 +303,17 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
|
||||||
|
get '/api/v1/organizations', {}, @headers.merge('Authorization' => agent_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Array, result.class)
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)}"
|
||||||
|
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => agent_credentials)
|
||||||
|
assert_response(401)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test 'token auth - customer' do
|
test 'token auth - customer' do
|
||||||
|
@ -254,6 +340,16 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
|
||||||
|
get '/api/v1/organizations', {}, @headers.merge('Authorization' => customer_credentials)
|
||||||
|
assert_response(200)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Array, result.class)
|
||||||
|
assert(result)
|
||||||
|
|
||||||
|
name = "some org name #{rand(999_999_999)}"
|
||||||
|
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => customer_credentials)
|
||||||
|
assert_response(401)
|
||||||
end
|
end
|
||||||
|
|
||||||
test 'token auth - invalid user - admin' do
|
test 'token auth - invalid user - admin' do
|
||||||
|
|
|
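Review bot: The three new blocks in the admin test (permissions `['ticket.agent']`, `['admin.organization']`, `['admin']`) are identical apart from the permission assigned to `admin_token`, so a loop over `%w[ticket.agent admin.organization admin]` would make the intent (each alone is sufficient) visible and keep future assertions in one place. None of the new blocks exercises `destroy`, although the commit changes its permission check as well; a `delete "/api/v1/organizations/#{result['id']}", {}, @headers.merge('Authorization' => admin_credentials)` after the PUT, asserting the status `model_destroy_render` returns, would close that gap. The agent test asserts 401 on POST while a token limited to `['ticket.agent']` gets 201 in the admin test; if the agent token's permissions (set outside the hunk) include ticket.agent this looks contradictory and is worth a comment explaining why.
```ruby
%w[ticket.agent admin.organization admin].each do |permission|
  admin_token.preferences[:permission] = [permission]
  admin_token.save!

  get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
  assert_response(200)
  # … unchanged: result assertions, POST/201 and PUT/200 checks for this permission …
end
```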
@ -104,6 +104,18 @@ class TokenTest < ActiveSupport::TestCase
|
||||||
permission: 'ticket',
|
permission: 'ticket',
|
||||||
)
|
)
|
||||||
assert_not(user)
|
assert_not(user)
|
||||||
|
user = Token.check(
|
||||||
|
action: 'api',
|
||||||
|
name: token.name,
|
||||||
|
permission: 'ticket.agent.sub',
|
||||||
|
)
|
||||||
|
assert(user)
|
||||||
|
user = Token.check(
|
||||||
|
action: 'api',
|
||||||
|
name: token.name,
|
||||||
|
permission: 'admin_not_extisting',
|
||||||
|
)
|
||||||
|
assert_not(user)
|
||||||
user = Token.check(
|
user = Token.check(
|
||||||
action: 'api',
|
action: 'api',
|
||||||
name: token.name,
|
name: token.name,
|
||||||
|
|
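Review bot: The new negative case uses `permission: 'admin_not_extisting'`; the misspelling is harmless at runtime but will be copied, so `permission: 'admin_not_existing'` is preferable. The added assertions cover the parent-chain behaviour (`'ticket.agent.sub'` accepted, `'ticket'` rejected) but not the Array form that the Token.check documentation now advertises; one more call with `permission: ['admin_not_existing', 'ticket.agent.sub']` asserting a user, and one with two non-matching entries asserting none, would pin down the any-of semantics. The enclosing test continues outside the hunk.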