Fixed issue #839 - Dont allow "none" admin user.

This commit is contained in:
Rolf Schmidt 2017-04-18 17:20:40 +02:00
parent 7db9f5e3c0
commit 9f1a2e902c
3 changed files with 91 additions and 1 deletions


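--- a/<file-path-not-shown-on-page>
+++ b/<file-path-not-shown-on-page>
@@ -87,6 +87,7 @@ class App.ControllerGenericEdit extends App.ControllerModal
 ui.close()
 fail: (settings, details) ->
+App[ ui.genericObject ].fetch(id: @id)
 ui.log 'errors'
 ui.formEnable(e)
 ui.controller.showAlert(details.error_human || details.error || 'Unable to update object!')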
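Review bot: The added `App[ ui.genericObject ].fetch(id: @id)` reads `@id` inside the `fail:` callback, while every other line of that callback reaches the controller through `ui` (`ui.log`, `ui.formEnable`, `ui.controller`), which suggests `@` is not the controller at that point; if so, `@id` is undefined and the refetch asks for the wrong record. Using the same reference as the surrounding lines, `App[ ui.genericObject ].fetch(id: ui.id)`, avoids depending on the callback's binding. The enclosing method and the `ui` assignment start outside the hunk, so this cannot be confirmed from the visible lines.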


@ -45,7 +45,7 @@ class User < ApplicationModel
after_destroy :avatar_destroy after_destroy :avatar_destroy
has_and_belongs_to_many :groups, after_add: :cache_update, after_remove: :cache_update, class_name: 'Group' has_and_belongs_to_many :groups, after_add: :cache_update, after_remove: :cache_update, class_name: 'Group'
has_and_belongs_to_many :roles, after_add: [:cache_update, :check_notifications], after_remove: :cache_update, before_add: :validate_agent_limit, class_name: 'Role' has_and_belongs_to_many :roles, after_add: [:cache_update, :check_notifications], after_remove: :cache_update, before_add: :validate_agent_limit, before_remove: :last_admin_check, class_name: 'Role'
has_and_belongs_to_many :organizations, after_add: :cache_update, after_remove: :cache_update, class_name: 'Organization' has_and_belongs_to_many :organizations, after_add: :cache_update, after_remove: :cache_update, class_name: 'Organization'
#has_many :permissions, class_name: 'Permission', through: :roles, class_name: 'Role' #has_many :permissions, class_name: 'Permission', through: :roles, class_name: 'Role'
has_many :tokens, after_add: :cache_update, after_remove: :cache_update has_many :tokens, after_add: :cache_update, after_remove: :cache_update
@ -860,6 +860,27 @@ returns
} }
end end
=begin
checks if the current user is the last one
with admin permissions.
Raises
raise 'Minimum one user need to have admin permissions'
=end
def last_admin_check(role)
ticket_admin_role_ids = Role.joins(:permissions).where(permissions: { name: ['admin', 'admin.user'] }).pluck(:id)
count = User.joins(:roles).where(roles: { id: ticket_admin_role_ids }, users: { active: true }).count
if ticket_admin_role_ids.include?(role.id)
count -= 1
end
raise Exceptions::UnprocessableEntity, 'Minimum one user needs to have admin permissions.' if count < 1
end
def validate_agent_limit(role) def validate_agent_limit(role)
return if !Setting.get('system_agent_limit') return if !Setting.get('system_agent_limit')
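Review bot: `count` in last_admin_check comes from `User.joins(:roles)` without `distinct`, so a user who holds more than one of the admin-permission roles is counted once per role; the sole remaining admin could then show a count of 2, and after `count -= 1` the guard would let the role removal through. `count = User.joins(:roles).where(roles: { id: ticket_admin_role_ids }, users: { active: true }).distinct.count` removes the overcount, although the `count -= 1` step would then also need to consider whether the affected user keeps another admin role. The guard is wired only to `before_remove` on roles; as far as this hunk shows, setting the last admin's `active` to false or destroying the record is not checked and would leave the system with no active admin, so those paths deserve the same check. The `=begin` comment still says `raise 'Minimum one user need to have admin permissions'` while the code raises `Exceptions::UnprocessableEntity, 'Minimum one user needs to have admin permissions.'`; align the comment with the code.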


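--- a/<file-path-not-shown-on-page>
+++ b/<file-path-not-shown-on-page>
@@ -544,4 +544,72 @@ class UserTest < ActiveSupport::TestCase
 end
+test 'min admin permission check' do
+User.with_permissions('admin').each(&:destroy)
+# store current admin count
+admin_count_inital = User.with_permissions('admin').count
+assert_equal(0, admin_count_inital)
+# create two admin users
+random = rand(999_999_999)
+admin1 = User.create_or_update(
+login: "1admin-role#{random}@example.com",
+firstname: 'Role',
+lastname: "Admin#{random}",
+email: "admin-role#{random}@example.com",
+password: 'adminpw',
+active: true,
+roles: Role.where(name: %w(Admin Agent)),
+updated_by_id: 1,
+created_by_id: 1,
+)
+random = rand(999_999_999)
+admin2 = User.create_or_update(
+login: "2admin-role#{random}@example.com",
+firstname: 'Role',
+lastname: "Admin#{random}",
+email: "admin-role#{random}@example.com",
+password: 'adminpw',
+active: true,
+roles: Role.where(name: %w(Admin Agent)),
+updated_by_id: 1,
+created_by_id: 1,
+)
+random = rand(999_999_999)
+admin3 = User.create_or_update(
+login: "2admin-role#{random}@example.com",
+firstname: 'Role',
+lastname: "Admin#{random}",
+email: "admin-role#{random}@example.com",
+password: 'adminpw',
+active: true,
+roles: Role.where(name: %w(Admin Agent)),
+updated_by_id: 1,
+created_by_id: 1,
+)
+admin_count_inital = User.with_permissions('admin').count
+assert_equal(3, admin_count_inital)
+admin1.update_attribute(:roles, Role.where(name: %w(Agent)))
+admin_count_inital = User.with_permissions('admin').count
+assert_equal(2, admin_count_inital)
+admin2.update_attribute(:roles, Role.where(name: %w(Agent)))
+admin_count_inital = User.with_permissions('admin').count
+assert_equal(1, admin_count_inital)
+assert_raises(Exceptions::UnprocessableEntity) {
+admin3.update_attribute(:roles, Role.where(name: %w(Agent)))
+}
+admin_count_inital = User.with_permissions('admin').count
+assert_equal(1, admin_count_inital)
+end
 end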
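Review bot: The setup for `admin3` reuses the `"2admin-role#{random}@example.com"` login prefix from `admin2`, which looks like a copy-paste slip; uniqueness rests on `random` alone so the test still passes, but `"3admin-role#{random}@example.com"` keeps the three fixtures distinguishable in failure output, and the comment `# create two admin users` should say three. `admin_count_inital` is misspelled and is reassigned for every intermediate count, so a plain `admin_count` would read better. The multi-line `assert_raises(...) { ... }` block is conventionally written with `do ... end`. The test exercises only role removal; a companion case that sets `admin3` to `active: false` and asserts the admin count stays at 1 would make explicit whether deactivating the last admin is guarded as well.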