Fixed issue #902 - Can't use PUT on Organizations REST API with token.

app/controllers/organizations_controller.rb

@@ -61,7 +61,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
 
     # only allow customer to fetch his own organization
     organizations = []
-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
       if current_user.organization_id
         organizations = Organization.where(id: current_user.organization_id).order(id: 'ASC').offset(offset).limit(per_page)
       end
@@ -118,7 +118,7 @@ curl http://localhost/api/v1/organizations/#{id} -v -u #{login}:#{password}
   def show
 
     # only allow customer to fetch his own organization
-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
       if !current_user.organization_id
         render json: {}
         return
@@ -167,8 +167,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
 =end
 
   def create
-    permission_check('ticket.agent')
-    #permission_check('admin.organization')
+    permission_check(['admin.organization', 'ticket.agent'])
     model_create_render(Organization, params)
   end
 
@@ -199,7 +198,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
 =end
 
   def update
-    permission_check('ticket.agent')
+    permission_check(['admin.organization', 'ticket.agent'])
     model_update_render(Organization, params)
   end
 
@@ -217,7 +216,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 =end
 
   def destroy
-    permission_check('ticket.agent')
+    permission_check(['admin.organization', 'ticket.agent'])
     model_references_check(Organization, params)
     model_destroy_render(Organization, params)
   end
@@ -225,7 +224,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
   # GET /api/v1/organizations/search
   def search
 
-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
       raise Exceptions::NotAuthorized
     end
 
@@ -305,7 +304,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
   def history
 
     # permission check
-    if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
       raise Exceptions::NotAuthorized
     end
 

app/controllers/users_controller.rb

@@ -26,7 +26,7 @@ class UsersController < ApplicationController
     end
 
     # only allow customer to fetch him self
-    users = if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
+    users = if !current_user.permissions?(['admin.user', 'ticket.agent'])
               User.where(id: current_user.id).order(id: 'ASC').offset(offset).limit(per_page)
             else
               User.all.order(id: 'ASC').offset(offset).limit(per_page)
@@ -352,7 +352,7 @@ class UsersController < ApplicationController
   # @response_message 401               Invalid session.
   def search
 
-    if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin.user')
+    if !current_user.permissions?(['ticket.agent', 'admin.user'])
       response_access_deny
       return
     end
@@ -510,7 +510,7 @@ class UsersController < ApplicationController
   def history
 
     # permission check
-    if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
+    if !current_user.permissions?(['admin.user', 'ticket.agent'])
       response_access_deny
       return
     end

app/models/token.rb

@@ -46,6 +46,8 @@ check api token with permissions
 
   user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')
 
+  user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])
+
 returns
 
   user for who this token was created
@@ -85,10 +87,15 @@ returns
       end
       match = false
       local_permissions.each { |local_permission|
-        next if !token.preferences[:permission].include?(local_permission)
+        local_permissions = Permission.with_parents(local_permission)
+        local_permissions.each { |local_permission_name|
+          next if !token.preferences[:permission].include?(local_permission_name)
           match = true
           break
         }
+        next if !match
+        break
+      }
       return if !match
     end
 

test/controllers/api_auth_controller_test.rb

@@ -202,6 +202,81 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     assert_equal(Array, result.class)
     assert(result)
 
+    admin_token.preferences[:permission] = ['ticket.agent']
+    admin_token.save!
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)} - 2"
+    put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    admin_token.preferences[:permission] = ['admin.organization']
+    admin_token.save!
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)} - 2"
+    put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    admin_token.preferences[:permission] = ['admin']
+    admin_token.save!
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)} - 2"
+    put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(name, result['name'])
+    assert(result)
+
   end
 
   test 'token auth - agent' do
@@ -228,6 +303,17 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Array, result.class)
     assert(result)
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => agent_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => agent_credentials)
+    assert_response(401)
+
   end
 
   test 'token auth - customer' do
@@ -254,6 +340,16 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Array, result.class)
     assert(result)
+
+    get '/api/v1/organizations', {}, @headers.merge('Authorization' => customer_credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert(result)
+
+    name = "some org name #{rand(999_999_999)}"
+    post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => customer_credentials)
+    assert_response(401)
   end
 
   test 'token auth - invalid user - admin' do

test/unit/token_test.rb

@@ -104,6 +104,18 @@ class TokenTest < ActiveSupport::TestCase
       permission: 'ticket',
     )
     assert_not(user)
+    user = Token.check(
+      action: 'api',
+      name: token.name,
+      permission: 'ticket.agent.sub',
+    )
+    assert(user)
+    user = Token.check(
+      action: 'api',
+      name: token.name,
+      permission: 'admin_not_extisting',
+    )
+    assert_not(user)
     user = Token.check(
       action: 'api',
       name: token.name,