Fixed issue #902 - Can't use PUT on Organizations REST API with token.

Martin Edenhofer 2017-04-11 08:33:08 +02:00
parent dbbcb5175e
commit 9cc1f8b564
5 changed files with 127 additions and 13 deletions


@ -61,7 +61,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
# only allow customer to fetch his own organization
organizations = []
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
if current_user.organization_id
organizations = Organization.where(id: current_user.organization_id).order(id: 'ASC').offset(offset).limit(per_page)
end
@ -118,7 +118,7 @@ curl http://localhost/api/v1/organizations/#{id} -v -u #{login}:#{password}
def show
# only allow customer to fetch his own organization
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
if !current_user.organization_id
render json: {}
return
@ -167,8 +167,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
=end
def create
permission_check('ticket.agent')
#permission_check('admin.organization')
permission_check(['admin.organization', 'ticket.agent'])
model_create_render(Organization, params)
end
@ -199,7 +198,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
=end
def update
permission_check('ticket.agent')
permission_check(['admin.organization', 'ticket.agent'])
model_update_render(Organization, params)
end
@ -217,7 +216,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
=end
def destroy
permission_check('ticket.agent')
permission_check(['admin.organization', 'ticket.agent'])
model_references_check(Organization, params)
model_destroy_render(Organization, params)
end
@ -225,7 +224,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
# GET /api/v1/organizations/search
def search
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
raise Exceptions::NotAuthorized
end
@ -305,7 +304,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
def history
# permission check
if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
raise Exceptions::NotAuthorized
end
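Review bot: The rewritten guards in index, show, search and history, and the `permission_check([...])` calls in create, update and destroy, now rely on the Array form meaning "any one of these permissions", which the replaced `!a && !b` form stated explicitly and which this file no longer shows; a one-line comment at the first use would spare the next reader a trip into the model: `# any one of the listed permissions is sufficient`. The ApiAuthControllerTest changes in this commit exercise each permission alone against the organizations endpoints, which supports the any-of reading, so the comment can state it as fact. A smaller style point: `if !current_user.permissions?([...])` reads more naturally as `unless current_user.permissions?([...])`; the same applies to the three hunks in the users controller section below.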


@ -26,7 +26,7 @@ class UsersController < ApplicationController
end
# only allow customer to fetch him self
users = if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
users = if !current_user.permissions?(['admin.user', 'ticket.agent'])
User.where(id: current_user.id).order(id: 'ASC').offset(offset).limit(per_page)
else
User.all.order(id: 'ASC').offset(offset).limit(per_page)
@ -352,7 +352,7 @@ class UsersController < ApplicationController
# @response_message 401 Invalid session.
def search
if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin.user')
if !current_user.permissions?(['ticket.agent', 'admin.user'])
response_access_deny
return
end
@ -510,7 +510,7 @@ class UsersController < ApplicationController
def history
# permission check
if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
if !current_user.permissions?(['admin.user', 'ticket.agent'])
response_access_deny
return
end
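Review bot: The permission list in search is ordered `['ticket.agent', 'admin.user']` while index and history use `['admin.user', 'ticket.agent']`; if the Array is evaluated as any-of the order does not matter, but keeping one order across the three guards makes grepping for the check trivial and avoids a reader wondering whether the difference is meaningful, so `if !current_user.permissions?(['admin.user', 'ticket.agent'])` in search as well. The enclosing index and history methods start and end outside their hunks.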


@ -46,6 +46,8 @@ check api token with permissions
user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')
user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])
returns
user for who this token was created
@ -85,8 +87,13 @@ returns
end
match = false
local_permissions.each { |local_permission|
next if !token.preferences[:permission].include?(local_permission)
match = true
local_permissions = Permission.with_parents(local_permission)
local_permissions.each { |local_permission_name|
next if !token.preferences[:permission].include?(local_permission_name)
match = true
break
}
next if !match
break
}
return if !match
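Review bot: Inside `local_permissions.each { |local_permission| ... }` the new line `local_permissions = Permission.with_parents(local_permission)` reassigns the very variable whose array is being iterated; `each` keeps iterating the original receiver so the loop still works, but the outer name now silently changes meaning mid-loop and holds the last expansion afterwards, which is easy to misread as a mutation of the input. Use a distinct name such as `expanded = Permission.with_parents(local_permission)`, or collapse the two nested loops and the `match`/`break` bookkeeping into `match = local_permissions.any? { |p| Permission.with_parents(p).any? { |name| token.preferences[:permission].include?(name) } }`. The expansion also changes what a match means: a token that holds a parent permission now satisfies a check for any of its children, which the admin-token test in this commit relies on, so a comment above the loop such as `# a token granting a parent permission (e.g. 'admin') covers all of its sub-permissions` would document the intent. The enclosing method starts and ends outside the hunk.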


@ -202,6 +202,81 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
assert_equal(Array, result.class)
assert(result)
admin_token.preferences[:permission] = ['ticket.agent']
admin_token.save!
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(201)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
name = "some org name #{rand(999_999_999)} - 2"
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
admin_token.preferences[:permission] = ['admin.organization']
admin_token.save!
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(201)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
name = "some org name #{rand(999_999_999)} - 2"
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
admin_token.preferences[:permission] = ['admin']
admin_token.save!
get '/api/v1/organizations', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(201)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
name = "some org name #{rand(999_999_999)} - 2"
put "/api/v1/organizations/#{result['id']}", { name: name }.to_json, @headers.merge('Authorization' => admin_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Hash, result.class)
assert_equal(name, result['name'])
assert(result)
end
test 'token auth - agent' do
@ -228,6 +303,17 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
get '/api/v1/organizations', {}, @headers.merge('Authorization' => agent_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => agent_credentials)
assert_response(401)
end
test 'token auth - customer' do
@ -254,6 +340,16 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
get '/api/v1/organizations', {}, @headers.merge('Authorization' => customer_credentials)
assert_response(200)
result = JSON.parse(@response.body)
assert_equal(Array, result.class)
assert(result)
name = "some org name #{rand(999_999_999)}"
post '/api/v1/organizations', { name: name }.to_json, @headers.merge('Authorization' => customer_credentials)
assert_response(401)
end
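Review bot: The admin-token block repeats the same GET, POST and PUT sequence three times, differing only in the permission assigned to the token; wrapping it as `%w[ticket.agent admin.organization admin].each do |permission|` with `admin_token.preferences[:permission] = [permission]` inside keeps one copy of the assertions and makes adding a fourth permission a one-token change. The agent and customer hunks stop at the POST returning 401 and never issue the PUT that issue #902 is about, so a `put "/api/v1/organizations/#{some_id}"` expecting 401 for the customer token would pin the fix from the denied side as well. The agent token getting 401 on POST while the admin token scoped to `['ticket.agent']` gets 201 on the same POST reads as contradictory on this page; if the agent fixture's token carries a different permission set, a short comment at the agent POST saying so would help.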
test 'token auth - invalid user - admin' do


@ -104,6 +104,18 @@ class TokenTest < ActiveSupport::TestCase
permission: 'ticket',
)
assert_not(user)
user = Token.check(
action: 'api',
name: token.name,
permission: 'ticket.agent.sub',
)
assert(user)
user = Token.check(
action: 'api',
name: token.name,
permission: 'admin_not_extisting',
)
assert_not(user)
user = Token.check(
action: 'api',
name: token.name,
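Review bot: The negative case uses the misspelt name `'admin_not_extisting'`; since the value only needs to be a permission the token does not hold, `permission: 'admin_not_existing',` reads as intended without changing what the assertion proves. The `'ticket.agent.sub'` case is the one that exercises the new parent expansion in Token.check, and nothing on the page says why an unknown sub-permission is expected to pass, so a comment above it such as `# a token holding 'ticket.agent' covers any 'ticket.agent.*' sub-permission` would state the contract the assertion guards. The enclosing test starts before and continues after this hunk.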