Fixes #3468: Not authorized error using Im X-On-Behalf-Of.

This commit is contained in:
Thorsten Eckel 2021-04-01 15:14:25 +00:00
parent d2a0997475
commit a56245defa
5 changed files with 62 additions and 10 deletions


@ -23,6 +23,12 @@ module ApplicationController::Authorizes
end
def pundit_user
@pundit_user ||= UserContext.new(current_user, @_token)
@pundit_user ||= begin
if current_user_on_behalf
UserContext.new(current_user_on_behalf)
else
UserContext.new(current_user_real, @_token)
end
end
end
end
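Review bot: The on-behalf branch of `pundit_user` builds the `UserContext` without the token, so for X-On-Behalf-Of requests the token's permission scope no longer bounds what the request may do; the only remaining gate is whatever check lets the token holder impersonate at all, and that lives in `current_user_on_behalf`, outside this hunk. That is presumably the intended fix for #3468, but the decision should be stated where it is made, e.g. `# On-behalf-of requests are authorized as the impersonated user only; the token's permission scope is intentionally not applied here — the right to impersonate must already have been checked when current_user_on_behalf was resolved.` The result is memoized with no key, so a controller that resolved the header only after the first `pundit_user` call would keep the real-user context for the rest of the request; worth confirming the header is resolved before authorization runs.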


@ -5,7 +5,7 @@
# to the underlying User instance in the Policy
class UserContext < Delegator
def initialize(user, token) # rubocop:disable Lint/MissingSuper
def initialize(user, token = nil) # rubocop:disable Lint/MissingSuper
@user = user
@token = token
end
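Review bot: `token` is now optional but nothing says what a nil token means to the policies that read it; from the authorizer's caller the nil case is the on-behalf-of user context. A YARD line on `initialize` keeps a policy from treating nil as "unrestricted" by accident: `# @param token [Token, nil] the API token used for this request, or nil when the context represents an X-On-Behalf-Of user whose own permissions are checked instead.` Any policy that calls a method on `token` without a nil guard will now raise for on-behalf requests rather than deny them, so a grep for `token.` in the policies is worthwhile.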


@ -3,6 +3,20 @@ FactoryBot.define do
user
action { 'api' }
persistent { true }
preferences do
permission_hash = permissions.each_with_object({}) do |permission, result|
result[permission] = true
end
{
permission: permission_hash
}
end
transient do
permissions { [] }
end
factory :token_password_reset, aliases: %i[password_reset_token] do
action { 'PasswordReset' }
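Review bot: With the `permissions` transient defaulting to `[]`, every token built by this factory now gets `preferences: { permission: {} }`, whereas before this hunk the factory set no `preferences` (unless it is set elsewhere in the factory, outside the hunk); if the model distinguishes a missing `permission` key from an empty one, tokens created without explicit permissions in existing specs may behave differently, which is worth confirming. Stylistically the accumulator loop can be a single expression, `permission_hash = permissions.to_h { |permission| [permission, true] }`.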


@ -9,7 +9,7 @@ RSpec.describe 'Api Auth On Behalf Of', type: :request do
create(:agent)
end
let(:customer) do
create(:customer)
create(:customer, firstname: 'Behalf of')
end
describe 'request handling' do
@ -180,5 +180,34 @@ RSpec.describe 'Api Auth On Behalf Of', type: :request do
expect(json_response).to be_a_kind_of(Hash)
expect(json_response['error']).to eq('No lookup value found for \'group\': "secret1234"')
end
context 'when Token Admin has no ticket.* permission' do
let(:admin) { create(:user, firstname: 'Requester', roles: [admin_user_role]) }
let(:token) { create(:token, user: admin, permissions: %w[admin.user]) }
let(:admin_user_role) do
create(:role).tap { |role| role.permission_grant('admin.user') }
end
it 'creates Ticket because of behalf of user permission' do
params = {
title: 'a new ticket #3',
group: 'Users',
priority: '2 normal',
state: 'new',
customer_id: customer.id,
article: {
body: 'some test 123',
},
}
authenticated_as(admin, on_behalf_of: customer.email, token: token)
post '/api/v1/tickets', params: params, as: :json
expect(response).to have_http_status(:created)
expect(json_response).to be_a_kind_of(Hash)
expect(customer.id).to eq(json_response['created_by_id'])
end
end
end
end
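Review bot: The new context only exercises the positive path — a token holding just `admin.user` creating a ticket on behalf of the customer — and nothing in this spec pins the negative side, a token lacking whatever permission entitles its holder to use X-On-Behalf-Of being rejected. Without that counterpart the same assertions would still pass if the on-behalf entitlement check were dropped entirely, which is the regression this area should guard against; a sibling `it` that builds the token with `permissions: %w[ticket.agent]` (or none) and expects the rejecting status the controller returns would close the gap. Minor: `expect(customer.id).to eq(json_response['created_by_id'])` puts the expected value in the subject; `expect(json_response['created_by_id']).to eq(customer.id)` reads as intended.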


@ -76,15 +76,18 @@ module ZammadSpecSupportRequest
case via
when :api_client
# ensure that always the correct header value is set
# otherwise previous header configurations will be re-used
add_headers('X-On-Behalf-Of' => options[:on_behalf_of])
# if we want to authenticate by token
if options[:token].present?
credentials = "Token token=#{options[:token].name}"
credentials = if options[:token].present?
"Token token=#{options[:token].name}"
else
ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
end
return add_headers('Authorization' => credentials)
end
credentials = ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
add_headers('Authorization' => credentials, 'X-On-Behalf-Of' => options[:on_behalf_of])
add_headers('Authorization' => credentials)
when :browser
post '/api/v1/signin', params: { username: login, password: password, fingerprint: Faker::Number.number(9) }
end