Fixes #3468: Not authorized error using Im X-On-Behalf-Of.
This commit is contained in:
parent
d2a0997475
commit
a56245defa
5 changed files with 62 additions and 10 deletions
|
@ -23,6 +23,12 @@ module ApplicationController::Authorizes
|
|||
end
|
||||
|
||||
def pundit_user
|
||||
@pundit_user ||= UserContext.new(current_user, @_token)
|
||||
@pundit_user ||= begin
|
||||
if current_user_on_behalf
|
||||
UserContext.new(current_user_on_behalf)
|
||||
else
|
||||
UserContext.new(current_user_real, @_token)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
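Review bot: In the on-behalf branch of `pundit_user` the token is dropped, so authorization runs against the impersonated user's full permission set and the token's own scope (the new spec uses a token limited to `admin.user`) no longer bounds what the request can do. That is the behaviour #3468 asks for, but it is a privilege boundary worth stating next to the branch: `# Acting on behalf of another user: policies use that user's permissions; the token scope only gates the impersonation itself.` Whether the `admin.user` requirement for X-On-Behalf-Of is still enforced is decided in `current_user_on_behalf`, which is outside this hunk, so confirm it was not relaxed alongside this change. `current_user_on_behalf` is also evaluated twice on the on-behalf path; assigning it once, `if (on_behalf = current_user_on_behalf)`, avoids a repeated lookup if that helper is not memoised.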
@ -5,7 +5,7 @@
|
|||
# to the underlying User instance in the Policy
|
||||
class UserContext < Delegator
|
||||
|
||||
def initialize(user, token) # rubocop:disable Lint/MissingSuper
|
||||
def initialize(user, token = nil) # rubocop:disable Lint/MissingSuper
|
||||
@user = user
|
||||
@token = token
|
||||
end
|
||||
|
|
|
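Review bot: Making `token` optional changes what a nil token means for every permission check in `UserContext`, and nothing in the class says which callers pass nil or what nil implies; the rest of the class, where the token is presumably consulted, is outside this hunk. A comment on the parameter would pin it: `# token is nil when the request acts on behalf of another user (see ApplicationController::Authorizes#pundit_user); permission checks then fall back to the user's own permissions.` A keyword argument, `token: nil`, would also make call sites that are meant to pass a token harder to get wrong by accident than a positional default does.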
@ -3,6 +3,20 @@ FactoryBot.define do
|
|||
user
|
||||
action { 'api' }
|
||||
persistent { true }
|
||||
preferences do
|
||||
|
||||
permission_hash = permissions.each_with_object({}) do |permission, result|
|
||||
result[permission] = true
|
||||
end
|
||||
|
||||
{
|
||||
permission: permission_hash
|
||||
}
|
||||
end
|
||||
|
||||
transient do
|
||||
permissions { [] }
|
||||
end
|
||||
|
||||
factory :token_password_reset, aliases: %i[password_reset_token] do
|
||||
action { 'PasswordReset' }
|
||||
|
|
|
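Review bot: The factory now writes `preferences: { permission: {} }` into every token it builds, including for existing specs that never pass `permissions`; if the application treats a missing permission hash differently from an empty one (unrestricted versus no rights), those specs change meaning silently, which is worth checking against the token permission code that is not in this diff. The hash-building block can be a single expression: `permission_hash = permissions.to_h { |permission| [permission, true] }` (or `permissions.index_with(true)`, since this is a Rails app). Declaring the `transient` block before `preferences` would also read more naturally, though FactoryBot does not require that order.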
@ -9,7 +9,7 @@ RSpec.describe 'Api Auth On Behalf Of', type: :request do
|
|||
create(:agent)
|
||||
end
|
||||
let(:customer) do
|
||||
create(:customer)
|
||||
create(:customer, firstname: 'Behalf of')
|
||||
end
|
||||
|
||||
describe 'request handling' do
|
||||
|
@ -180,5 +180,34 @@ RSpec.describe 'Api Auth On Behalf Of', type: :request do
|
|||
expect(json_response).to be_a_kind_of(Hash)
|
||||
expect(json_response['error']).to eq('No lookup value found for \'group\': "secret1234"')
|
||||
end
|
||||
|
||||
context 'when Token Admin has no ticket.* permission' do
|
||||
|
||||
let(:admin) { create(:user, firstname: 'Requester', roles: [admin_user_role]) }
|
||||
|
||||
let(:token) { create(:token, user: admin, permissions: %w[admin.user]) }
|
||||
|
||||
let(:admin_user_role) do
|
||||
create(:role).tap { |role| role.permission_grant('admin.user') }
|
||||
end
|
||||
|
||||
it 'creates Ticket because of behalf of user permission' do
|
||||
params = {
|
||||
title: 'a new ticket #3',
|
||||
group: 'Users',
|
||||
priority: '2 normal',
|
||||
state: 'new',
|
||||
customer_id: customer.id,
|
||||
article: {
|
||||
body: 'some test 123',
|
||||
},
|
||||
}
|
||||
authenticated_as(admin, on_behalf_of: customer.email, token: token)
|
||||
post '/api/v1/tickets', params: params, as: :json
|
||||
expect(response).to have_http_status(:created)
|
||||
expect(json_response).to be_a_kind_of(Hash)
|
||||
expect(customer.id).to eq(json_response['created_by_id'])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
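Review bot: The new example only proves the positive path; if the on-behalf branch ignored token scope entirely, or if the `admin.user` requirement for impersonation were removed, it would still pass, so it does not guard the boundary it is about. A sibling example that authenticates with the same `admin.user`-only token but no `on_behalf_of:` and expects a not-authorized response (whichever status the existing failure examples in this spec assert, presumably 401 or 403) would pin that the token scope still applies to the requester's own actions. On the assertion itself, expected and actual are swapped; `expect(json_response['created_by_id']).to eq(customer.id)` gives a readable failure message. The spec's outer `describe` and the `authenticated_as` helper are outside this hunk.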
@ -76,15 +76,18 @@ module ZammadSpecSupportRequest
|
|||
|
||||
case via
|
||||
when :api_client
|
||||
# ensure that always the correct header value is set
|
||||
# otherwise previous header configurations will be re-used
|
||||
add_headers('X-On-Behalf-Of' => options[:on_behalf_of])
|
||||
|
||||
# if we want to authenticate by token
|
||||
if options[:token].present?
|
||||
credentials = "Token token=#{options[:token].name}"
|
||||
credentials = if options[:token].present?
|
||||
"Token token=#{options[:token].name}"
|
||||
else
|
||||
ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
|
||||
end
|
||||
|
||||
return add_headers('Authorization' => credentials)
|
||||
end
|
||||
|
||||
credentials = ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
|
||||
add_headers('Authorization' => credentials, 'X-On-Behalf-Of' => options[:on_behalf_of])
|
||||
add_headers('Authorization' => credentials)
|
||||
when :browser
|
||||
post '/api/v1/signin', params: { username: login, password: password, fingerprint: Faker::Number.number(9) }
|
||||
end
|
||||
|
|
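Review bot: `add_headers('X-On-Behalf-Of' => options[:on_behalf_of])` is now called unconditionally, so when `on_behalf_of:` is not given the header is merged in with a nil value; whether that clears a previously set header, as the comment intends, or sends an empty `X-On-Behalf-Of` that the server then tries to look up (the spec's lookup-error example suggests an unknown value is rejected) depends on `add_headers`, which is outside this hunk, so confirm it drops nil-valued keys. If it does not, the safer form is to have the helper explicitly delete the key on nil rather than merge it, e.g. `add_headers('X-On-Behalf-Of' => options[:on_behalf_of].presence)` only works if nil removal is implemented there. The `authenticated_as` method that contains this `case` starts before the hunk.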