Sutty/trabajo-afectivo
5
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit.

Browse source
This commit is contained in:
Ryan Lue 2020-03-19 10:39:51 +01:00 committed by Thorsten Eckel
parent 706e51d27b
commit becbdb1baa
153 changed files with 1168 additions and 939 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.rubocop.yml
View file

@ -220,7 +220,7 @@ Naming/MethodParameterName:
Checks for method parameter names that contain capital letters,
end in numbers, or do not meet a minimal length.
Enabled: true
AllowedNames: e, id, _, ip
AllowedNames: e, id, _, ip, to
Lint/BooleanSymbol:
Description: 'Check for `:true` and `:false` symbols.'

6
Gemfile
View file

@ -35,6 +35,9 @@ gem 'argon2'
# core - state machine
gem 'aasm'
# core - authorization
gem 'pundit'
# performance - Memcached
gem 'dalli'
@ -151,6 +154,9 @@ group :development, :test do
gem 'shoulda-matchers'
gem 'test-unit'
# for testing Pundit authorisation policies in RSpec
gem 'pundit-matchers'
# code coverage
gem 'coveralls', require: false
gem 'simplecov'

6
Gemfile.lock
View file

@ -378,6 +378,10 @@ GEM
pry (>= 0.9.11)
public_suffix (3.0.3)
puma (3.12.4)
pundit (2.0.1)
activesupport (>= 3.0.0)
pundit-matchers (1.6.0)
rspec-rails (>= 3.0.0)
rack (2.2.2)
rack-livereload (0.3.17)
rack
@ -627,6 +631,8 @@ DEPENDENCIES
pry-rescue
pry-stack_explorer
puma (~> 3.12)
pundit
pundit-matchers
rack-livereload
rails (= 5.2.4.1)
rails-controller-testing

2
app/assets/javascripts/app/models/user.coffee
View file

@ -303,7 +303,7 @@ class App.User extends App.Model
Checks if requester has given access level on requested.
Possible access levels are: read, update and delete
See backend method User#access?
See backend policy UserPolicy
requester = App.User.find(1)
requested = App.User.find(3)

47
app/controllers/application_channel_controller.rb
View file

@ -1,47 +0,0 @@
class ApplicationChannelController < ApplicationController
# Extending controllers has to define following constants:
# PERMISSION = "admin.channel_xyz"
# AREA = "XYZ::Account"
def index
render json: channels_data
end
def show
model_show_render(Channel, params)
end
def create
model_create_render(Channel, channel_params)
end
def update
model_update_render(Channel, channel_params)
end
def enable
channel.update!(active: true)
render json: channel
end
def disable
channel.update!(active: false)
render json: channel
end
def destroy
channel.destroy!
render json: {}
end
private
def channel
@channel ||= Channel.lookup(id: params[:id])
end
def channel_params
params.permit!.to_s
end
end

2
app/controllers/application_controller.rb
View file

@ -12,5 +12,5 @@ class ApplicationController < ActionController::Base
include ApplicationController::PreventsCsrf
include ApplicationController::HasSecureContentSecurityPolicyForDownloads
include ApplicationController::LogsHttpAccess
include ApplicationController::ChecksAccess
include ApplicationController::Authorizes
end

15
app/controllers/application_controller/authenticates.rb
View file

@ -4,6 +4,8 @@ module ApplicationController::Authenticates
private
def permission_check(key)
ActiveSupport::Deprecation.warn("Method 'permission_check' is deprecated. Use Pundit policy and `authorize!` instead.")
if @_token_auth
user = Token.check(
action: 'api',
@ -76,6 +78,8 @@ module ApplicationController::Authenticates
inactive_user: true,
)
if user && auth_param[:permission]
ActiveSupport::Deprecation.warn("Paramter ':permission' is deprecated. Use Pundit policy and `authorize!` instead.")
user = Token.check(
action: 'api',
name: token_string,
@ -95,6 +99,8 @@ module ApplicationController::Authenticates
Time.zone.today >= token.expires_at
raise Exceptions::NotAuthorized, 'Not authorized (token expired)!'
end
@_token = token # remember for Pundit authorization / permit!
end
@_token_auth = token_string # remember for permission_check
@ -152,7 +158,14 @@ module ApplicationController::Authenticates
def authentication_check_prerequesits(user, auth_type, auth_param)
raise Exceptions::NotAuthorized, 'Maintenance mode enabled!' if in_maintenance_mode?(user)
raise Exceptions::NotAuthorized, 'User is inactive!' if !user.active
raise Exceptions::NotAuthorized, 'Not authorized (user)!' if auth_param[:permission] && !user.permissions?(auth_param[:permission])
if auth_param[:permission]
ActiveSupport::Deprecation.warn("Parameter ':permission' is deprecated. Use Pundit policy and `authorize!` instead.")
if !user.permissions?(auth_param[:permission])
raise Exceptions::NotAuthorized, 'Not authorized (user)!'
end
end
current_user_set(user, auth_type)
user_device_log(user, auth_type)

61
app/controllers/application_controller/authorizes.rb Normal file
View file

@ -0,0 +1,61 @@
module ApplicationController::Authorizes
extend ActiveSupport::Concern
include Pundit
private
def authorize!(record = policy_record, query = nil)
authorize(record, query)
end
def authorized?(record = policy_record, query = nil)
authorize!(record, query)
true
rescue Exceptions::NotAuthorized, Pundit::NotAuthorizedError
false
end
def policy_record
# check permissions in matching Pundit policy
# Controllers namspace is used (See: https://github.com/varvet/pundit#policy-namespacing)
# [:controllers, self] => Controllers::RolesControllerPolicy
[:controllers, self]
end
# We need a special UserContext when authorizing in controller context
# because of Token authentication which has it's own permissions
# See: https://github.com/varvet/pundit#additional-context
# We use a Delegator here to have transparent / DuckType access
# to the underlying User instance in the Policy
class UserContext < Delegator
def initialize(user, token)
@user = user
@token = token
end
def __getobj__
@user
end
def permissions!(permissions)
raise Exceptions::NotAuthorized, 'authentication failed' if !@user
raise Exceptions::NotAuthorized, 'Not authorized (user)!' if !@user.permissions?(permissions)
return if !@token
return if @token.permissions?(permissions)
raise Exceptions::NotAuthorized, 'Not authorized (token)!'
end
def permissions?(permissions)
permissions!(permissions)
true
rescue Exceptions::NotAuthorized
false
end
end
def pundit_user
@pundit_user ||= UserContext.new(current_user, @_token)
end
end

9
app/controllers/application_controller/checks_access.rb
View file

@ -1,9 +0,0 @@
module ApplicationController::ChecksAccess
extend ActiveSupport::Concern
private
def access!(instance, access)
instance.access!(current_user, access)
end
end

11
app/controllers/application_controller/handles_errors.rb
View file

@ -11,6 +11,7 @@ module ApplicationController::HandlesErrors
rescue_from ArgumentError, with: :unprocessable_entity
rescue_from Exceptions::UnprocessableEntity, with: :unprocessable_entity
rescue_from Exceptions::NotAuthorized, with: :unauthorized
rescue_from Pundit::NotAuthorizedError, with: :pundit_not_authorized_error
end
def not_found(e)
@ -32,12 +33,22 @@ module ApplicationController::HandlesErrors
end
def unauthorized(e)
logger.info { e }
error = humanize_error(e)
response.headers['X-Failure'] = error.fetch(:error_human, error[:error])
respond_to_exception(e, :unauthorized)
http_log
end
def pundit_not_authorized_error(e)
logger.info { e }
# check if a special authorization_error should be shown in the result payload
# which was raised in one of the policies. Fall back to a simple "Not authorized"
# error to hide actual cause for security reasons.
exeption = e.policy.custom_exception || Exceptions::NotAuthorized.new
unauthorized(exeption)
end
private
def respond_to_exception(e, status)

6
app/controllers/application_controller/has_user.rb
View file

@ -95,10 +95,4 @@ module ApplicationController::HasUser
session[:user_agent] = request.env['HTTP_USER_AGENT']
end
def valid_session_with_user
return true if current_user
raise Exceptions::UnprocessableEntity, 'No session user!'
end
end

2
app/controllers/applications_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ApplicationsController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.api') }
prepend_before_action { authentication_check && authorize! }
def index
all = Doorkeeper::Application.all

2
app/controllers/calendar_subscriptions_controller.rb
View file

@ -1,6 +1,6 @@
# Copyright (C) 2012-2015 Zammad Foundation, http://zammad-foundation.org/
class CalendarSubscriptionsController < ApplicationController
prepend_before_action { authentication_check( { basic_auth_promt: true, permission: 'user_preferences.calendar' } ) }
prepend_before_action { authentication_check(basic_auth_promt: true) && authorize! }
# @path [GET] /calendar_subscriptions
#

3
app/controllers/calendars_controller.rb
View file

@ -1,8 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class CalendarsController < ApplicationController
prepend_before_action -> { authentication_check(permission: 'admin.calendar') }, only: %i[init index show create update destroy]
prepend_before_action -> { authentication_check(permission: 'admin') }, only: %i[timezones]
prepend_before_action { authentication_check && authorize! }
def init
assets = {}

2
app/controllers/channels_email_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ChannelsEmailController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.channel_email') }
prepend_before_action { authentication_check && authorize! }
def index
system_online_service = Setting.get('system_online_service')

2
app/controllers/channels_facebook_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ChannelsFacebookController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.channel_facebook') }
prepend_before_action { authentication_check && authorize! }
def index
assets = {}

40
app/controllers/channels_sms_controller.rb
View file

@ -1,8 +1,5 @@
class ChannelsSmsController < ApplicationChannelController
PERMISSION = 'admin.channel_sms'.freeze
AREA = ['Sms::Notification'.freeze, 'Sms::Account'.freeze].freeze
prepend_before_action -> { authentication_check(permission: self.class::PERMISSION) }, except: [:webhook]
class ChannelsSmsController < ApplicationController
prepend_before_action -> { authentication_check && authorize! }, except: [:webhook]
skip_before_action :verify_csrf_token, only: [:webhook]
def index
@ -15,6 +12,33 @@ class ChannelsSmsController < ApplicationChannelController
}
end
def show
model_show_render(Channel, params)
end
def create
model_create_render(Channel, channel_params)
end
def update
model_update_render(Channel, channel_params)
end
def enable
channel.update!(active: true)
render json: channel
end
def disable
channel.update!(active: false)
render json: channel
end
def destroy
channel.destroy!
render json: {}
end
def test
raise 'Missing parameter options.adapter' if params[:options][:adapter].blank?
@ -49,13 +73,17 @@ class ChannelsSmsController < ApplicationChannelController
private
def channel
@channel ||= Channel.lookup(id: params[:id])
end
def test_options
params.permit(:recipient, :message)
end
def channel_params
raise 'Missing area params' if params[:area].blank?
if !self.class::AREA.include?(params[:area])
if ['Sms::Notification', 'Sms::Account'].exclude?(params[:area])
raise "Invalid area '#{params[:area]}'!"
end
raise 'Missing options params' if params[:options].blank?

2
app/controllers/channels_telegram_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ChannelsTelegramController < ApplicationController
prepend_before_action -> { authentication_check(permission: 'admin.channel_telegram') }, except: [:webhook]
prepend_before_action -> { authentication_check && authorize! }, except: [:webhook]
skip_before_action :verify_csrf_token, only: [:webhook]
def index

2
app/controllers/channels_twitter_controller.rb
View file

@ -2,7 +2,7 @@
require_dependency 'channel/driver/twitter'
class ChannelsTwitterController < ApplicationController
prepend_before_action -> { authentication_check(permission: 'admin.channel_twitter') }, except: %i[webhook_incoming webhook_verify]
prepend_before_action -> { authentication_check && authorize! }, except: %i[webhook_incoming webhook_verify]
skip_before_action :verify_csrf_token, only: %i[webhook_incoming webhook_verify]
before_action :validate_webhook_signature!, only: :webhook_incoming

2
app/controllers/chat_sessions_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ChatSessionsController < ApplicationController
prepend_before_action { authentication_check(permission: 'chat.agent') }
prepend_before_action { authentication_check && authorize! }
def show
model_show_render(Chat::Session, params)

2
app/controllers/chats_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ChatsController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.channel_chat') }
prepend_before_action { authentication_check && authorize! }
def index
chat_ids = []

5
app/controllers/concerns/checks_user_attributes_by_current_user_permission.rb
View file

@ -4,12 +4,11 @@ module ChecksUserAttributesByCurrentUserPermission
private
def check_attributes_by_current_user_permission(params)
authorize!
# admins can do whatever they want
return true if current_user.permissions?('admin.user')
# non-agents (customers) can't set anything
raise Exceptions::NotAuthorized if !current_user.permissions?('ticket.agent')
# regular agents are not allowed to set Groups and Roles
%w[Role Group].each do |model|

2
app/controllers/cti_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class CtiController < ApplicationController
prepend_before_action { authentication_check(permission: 'cti.agent') }
prepend_before_action { authentication_check && authorize! }
# list current caller log
# GET /api/v1/cti/log

7
app/controllers/email_addresses_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class EmailAddressesController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { authentication_check && authorize! }
=begin
@ -46,7 +46,6 @@ curl http://localhost/api/v1/email_addresses.json -v -u #{login}:#{password}
=end
def index
permission_check(['admin.channel_email', 'ticket.agent'])
model_index_render(EmailAddress, params)
end
@ -68,7 +67,6 @@ curl http://localhost/api/v1/email_addresses/#{id}.json -v -u #{login}:#{passwor
=end
def show
permission_check(['admin.channel_email', 'ticket.agent'])
model_show_render(EmailAddress, params)
end
@ -99,7 +97,6 @@ curl http://localhost/api/v1/email_addresses.json -v -u #{login}:#{password} -H
=end
def create
permission_check('admin.channel_email')
model_create_render(EmailAddress, params)
end
@ -130,7 +127,6 @@ curl http://localhost/api/v1/email_addresses/#{id}.json -v -u #{login}:#{passwor
=end
def update
permission_check('admin.channel_email')
model_update_render(EmailAddress, params)
end
@ -148,7 +144,6 @@ curl http://localhost/api/v1/email_addresses/#{id}.json -v -u #{login}:#{passwor
=end
def destroy
permission_check('admin.channel_email')
model_destroy_render(EmailAddress, params)
end
end

27
app/controllers/external_credentials_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ExternalCredentialsController < ApplicationController
prepend_before_action :permission_check
prepend_before_action { authentication_check && authorize! }
def index
model_index_render(ExternalCredential, params)
@ -53,29 +53,4 @@ class ExternalCredentialsController < ApplicationController
def app_url(provider, channel_id)
ExternalCredential.app_url(provider, channel_id)
end
def permission_check
if params[:id].present? && ExternalCredential.exists?(params[:id])
external_credential = ExternalCredential.find(params[:id])
raise 'No such ExternalCredential!' if !external_credential
authentication_check(permission: ["admin.channel_#{external_credential.name}"])
return
end
if params[:name].present? || params[:provider].present?
if params[:name].present?
name = params[:name].downcase
elsif params[:provider].present?
name = params[:provider].downcase
else
raise 'Missing name/provider!'
end
authentication_check(permission: ["admin.channel_#{name}"])
return
end
authentication_check(permission: ['admin'])
end
end

13
app/controllers/first_steps_controller.rb
View file

@ -3,9 +3,9 @@
class FirstStepsController < ApplicationController
prepend_before_action :authentication_check
def index
return if !access?
before_action -> { render json: [] }, if: -> { !authorized? }
def index
invite_agents = false
#if User.of_role('Agent').count > 2
# invite_agents = true
@ -169,8 +169,6 @@ class FirstStepsController < ApplicationController
end
def test_ticket
return if !access?
agent = current_user
customer = test_customer
from = "#{customer.fullname} <#{customer.email}>"
@ -221,13 +219,6 @@ class FirstStepsController < ApplicationController
User.find_by(login: 'nicole.braun@zammad.org')
end
def access?
return true if current_user.permissions?(['admin', 'ticket.agent'])
render json: []
false
end
def check_availability(result)
test_ticket_active = true
overview = test_overview

22
app/controllers/form_controller.rb
View file

@ -1,13 +1,14 @@
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
class FormController < ApplicationController
prepend_before_action -> { authorize! }, only: %i[configuration submit]
skip_before_action :verify_csrf_token
before_action :cors_preflight_check
after_action :set_access_control_headers_execute
skip_before_action :user_device_check
def configuration
return if !enabled?
return if !fingerprint_exists?
return if limit_reached?
@ -23,7 +24,7 @@ class FormController < ApplicationController
token: token_gen(params[:fingerprint])
}
if params[:test] && current_user && current_user.permissions?('admin.channel_formular')
if authorized?(policy_record, :test?)
result[:enabled] = true
end
@ -31,7 +32,6 @@ class FormController < ApplicationController
end
def submit
return if !enabled?
return if !fingerprint_exists?
return if !token_valid?(params[:token], params[:fingerprint])
return if limit_reached?
@ -144,6 +144,14 @@ class FormController < ApplicationController
private
# we don't wann to tell what the cause for the authorization error is
# so we capture the exception and raise an anonymized one
def authorize!(*)
super
rescue Pundit::NotAuthorizedError
raise Exceptions::NotAuthorized
end
def token_gen(fingerprint)
crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32])
fingerprint = "#{Base64.strict_encode64(Setting.get('fqdn'))}:#{Time.zone.now.to_i}:#{Base64.strict_encode64(fingerprint)}"
@ -216,12 +224,4 @@ class FormController < ApplicationController
Rails.logger.info 'No fingerprint given!'
raise Exceptions::NotAuthorized
end
def enabled?
return true if params[:test] && current_user && current_user.permissions?('admin.channel_formular')
return true if Setting.get('form_ticket_create')
raise Exceptions::NotAuthorized
end
end

5
app/controllers/getting_started_controller.rb
View file

@ -1,5 +1,6 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class GettingStartedController < ApplicationController
prepend_before_action -> { authorize! }, only: [:base]
=begin
@ -105,10 +106,6 @@ curl http://localhost/api/v1/getting_started -v -u #{login}:#{password}
end
def base
# check admin permissions
permission_check('admin.wizard')
# validate url
messages = {}
settings = {}

2
app/controllers/groups_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class GroupsController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.group') }
prepend_before_action { authentication_check && authorize! }
=begin

4
app/controllers/http_logs_controller.rb
View file

@ -1,11 +1,10 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class HttpLogsController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { authentication_check && authorize! }
# GET /http_logs/:facility
def index
permission_check('admin.*')
list = if params[:facility]
HttpLog.where(facility: params[:facility]).order(created_at: :desc).limit(params[:limit] || 50)
else
@ -16,7 +15,6 @@ class HttpLogsController < ApplicationController
# POST /http_logs
def create
permission_check('admin.*')
model_create_render(HttpLog, params)
end

2
app/controllers/integration/exchange_controller.rb
View file

@ -3,7 +3,7 @@
class Integration::ExchangeController < ApplicationController
include Integration::ImportJobBase
prepend_before_action { authentication_check(permission: 'admin.integration.exchange') }
prepend_before_action { authentication_check && authorize! }
def autodiscover
answer_with do

6
app/controllers/integration/idoit_controller.rb
View file

@ -1,9 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class Integration::IdoitController < ApplicationController
prepend_before_action -> { authentication_check(permission: ['agent.integration.idoit', 'admin.integration.idoit']) }, except: %i[verify query update]
prepend_before_action -> { authentication_check(permission: ['admin.integration.idoit']) }, only: [:verify]
prepend_before_action -> { authentication_check(permission: ['ticket.agent']) }, only: %i[query update]
prepend_before_action { authentication_check && authorize! }
def verify
response = ::Idoit.verify(params[:api_token], params[:endpoint], params[:client_id])
@ -39,7 +37,7 @@ class Integration::IdoitController < ApplicationController
params[:object_ids] ||= []
ticket = Ticket.find(params[:ticket_id])
ticket.with_lock do
access!(ticket, 'read')
authorize!(ticket, :show?)
ticket.preferences[:idoit] ||= {}
ticket.preferences[:idoit][:object_ids] = Array(params[:object_ids]).uniq
ticket.save!

2
app/controllers/integration/ldap_controller.rb
View file

@ -6,7 +6,7 @@ require_dependency 'ldap/group'
class Integration::LdapController < ApplicationController
include Integration::ImportJobBase
prepend_before_action { authentication_check(permission: 'admin.integration.ldap') }
prepend_before_action { authentication_check && authorize! }
def discover
answer_with do

2
app/controllers/jobs_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class JobsController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.scheduler') }
prepend_before_action { authentication_check && authorize! }
def index
model_index_render(Job, params)

2
app/controllers/knowledge_base/answer/attachments_controller.rb
View file

@ -2,7 +2,7 @@
class KnowledgeBase::Answer::AttachmentsController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { permission_check('knowledge_base.editor') }
prepend_before_action :authorize!
before_action :fetch_answer

13
app/controllers/knowledge_base/answers_controller.rb
View file

@ -3,8 +3,6 @@
class KnowledgeBase::AnswersController < KnowledgeBase::BaseController
include HasPublishing
before_action :check_reader_access, only: :show
# accessible outside of specific Knowledge Base
# /api/v1/knowledge_bases/recent_answers
def recent_answers
@ -83,15 +81,4 @@ class KnowledgeBase::AnswersController < KnowledgeBase::BaseController
render json: { id: object.id, assets: assets }, status: :created
end
private
def check_reader_access
return if current_user.permissions? 'knowledge_base.editor'
object = klass.find params[:id]
return if object.can_be_published_aasm.internal? || object.can_be_published_aasm.published?
raise ActiveRecord::RecordNotFound
end
end

15
app/controllers/knowledge_base/base_controller.rb
View file

@ -2,8 +2,7 @@
class KnowledgeBase::BaseController < ApplicationController
prepend_before_action :authentication_check
before_action :ensure_editor_or_reader
before_action :ensure_editor, only: %i[create update destroy]
before_action :authorize!
def show
model_show_render(klass, params_for_permission)
@ -21,21 +20,13 @@ class KnowledgeBase::BaseController < ApplicationController
model_destroy_render(klass, params_for_permission)
end
private
def klass
@klass ||= controller_path.classify.constantize
end
private
def params_for_permission
params.permit klass.agent_allowed_params
end
def ensure_editor
permission_check 'knowledge_base.editor'
end
def ensure_editor_or_reader
permission_check 'knowledge_base.*'
end
end

11
app/controllers/knowledge_base/categories_controller.rb
View file

@ -2,7 +2,6 @@
class KnowledgeBase::CategoriesController < KnowledgeBase::BaseController
before_action :load_knowledge_base, only: %i[reorder_root_categories reorder_categories reorder_answers]
before_action :check_reader_access, only: :show # rubocop:disable Rails/LexicallyScopedActionFilter
def reorder_root_categories
reorder @knowledge_base.categories.root, params[:ordered_ids], KnowledgeBase::Category
@ -46,14 +45,4 @@ class KnowledgeBase::CategoriesController < KnowledgeBase::BaseController
@knowledge_base = KnowledgeBase.find params[:knowledge_base_id]
@category = @knowledge_base.categories.find params[:id] if params.key? :id
end
def check_reader_access
return if current_user.permissions? 'knowledge_base.editor'
object = klass.find params[:id]
return if object.internal_content?
raise ActiveRecord::RecordNotFound
end
end

4
app/controllers/knowledge_base/manage_controller.rb
View file

@ -1,9 +1,5 @@
# Copyright (C) 2012-2017 Zammad Foundation, http://zammad-foundation.org/
class KnowledgeBase::ManageController < KnowledgeBase::BaseController
prepend_before_action { permission_check('admin.knowledge_base') }
skip_before_action :ensure_editor_or_reader
skip_before_action :ensure_editor
def init
render json: assets
end

10
app/controllers/knowledge_bases_controller.rb
View file

@ -1,20 +1,10 @@
# Copyright (C) 2012-2017 Zammad Foundation, http://zammad-foundation.org/
class KnowledgeBasesController < KnowledgeBase::BaseController
skip_before_action :ensure_editor_or_reader, only: :init
def init
render json: assets(params[:answer_translation_content_ids])
end
def create
raise Exceptions::NotAuthorized
end
def destroy
raise Exceptions::NotAuthorized
end
private
def assets(answer_translation_content_ids = nil)

31
app/controllers/monitoring_controller.rb
View file

@ -1,7 +1,10 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class MonitoringController < ApplicationController
prepend_before_action -> { authentication_check(permission: 'admin.monitoring') }, except: %i[health_check status amount_check]
prepend_before_action { authorize! }
prepend_before_action -> { authentication_check }, except: %i[health_check status amount_check]
prepend_before_action -> { authentication_check_only }, only: %i[health_check status amount_check]
skip_before_action :verify_csrf_token
=begin
@ -27,8 +30,6 @@ curl http://localhost/api/v1/monitoring/health_check?token=XXX
=end
def health_check
token_or_permission_check
issues = []
actions = Set.new
@ -210,8 +211,6 @@ curl http://localhost/api/v1/monitoring/status?token=XXX
=end
def status
token_or_permission_check
last_login = nil
last_login_user = User.where('last_login IS NOT NULL').order(last_login: :desc).limit(1).first
if last_login_user
@ -298,8 +297,6 @@ curl http://localhost/api/v1/monitoring/amount_check?token=XXX&periode=1h
=end
def amount_check
token_or_permission_check
raise Exceptions::UnprocessableEntity, 'periode is missing!' if params[:periode].blank?
scale = params[:periode][-1, 1]
@ -370,7 +367,6 @@ curl http://localhost/api/v1/monitoring/amount_check?token=XXX&periode=1h
end
def token
access_check
token = SecureRandom.urlsafe_base64(40)
Setting.set('monitoring_token', token)
@ -381,27 +377,8 @@ curl http://localhost/api/v1/monitoring/amount_check?token=XXX&periode=1h
end
def restart_failed_jobs
access_check
Scheduler.restart_failed_jobs
render json: {}, status: :ok
end
private
def token_or_permission_check
user = authentication_check_only(permission: 'admin.monitoring')
return if user
return if Setting.get('monitoring_token') == params[:token]
raise Exceptions::NotAuthorized
end
def access_check
return if Permission.find_by(name: 'admin.monitoring', active: true)
raise Exceptions::NotAuthorized
end
end

2
app/controllers/object_manager_attributes_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ObjectManagerAttributesController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.object') }
prepend_before_action { authentication_check && authorize! }
# GET /object_manager_attributes_list
def list

17
app/controllers/online_notifications_controller.rb
View file

@ -1,6 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class OnlineNotificationsController < ApplicationController
prepend_before_action -> { authorize! }, only: %i[show update destroy]
prepend_before_action :authentication_check
=begin
@ -102,8 +103,6 @@ curl http://localhost/api/v1/online_notifications/#{id} -v -u #{login}:#{passwor
=end
def show
return if !access?
model_show_render(OnlineNotification, params)
end
@ -131,8 +130,6 @@ curl http://localhost/api/v1/online_notifications -v -u #{login}:#{password} -H
=end
def update
return if !access?
model_update_render(OnlineNotification, params)
end
@ -150,8 +147,6 @@ curl http://localhost/api/v1/online_notifications/{id}.json -v -u #{login}:#{pas
=end
def destroy
return if !access?
model_destroy_render(OnlineNotification, params)
end
@ -180,14 +175,4 @@ curl http://localhost/api/v1/online_notifications/mark_all_as_read -v -u #{login
end
render json: {}, status: :ok
end
private
def access?
notification = OnlineNotification.find(params[:id])
return true if notification.user_id == current_user.id
raise Exceptions::NotAuthorized
end
end

39
app/controllers/organizations_controller.rb
View file

@ -1,7 +1,8 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class OrganizationsController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action -> { authorize! }, except: %i[index show]
prepend_before_action { authentication_check }
=begin
@ -59,15 +60,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
per_page = 500
end
# only allow customer to fetch his own organization
organizations = []
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
if current_user.organization_id
organizations = Organization.where(id: current_user.organization_id).order(id: :asc).offset(offset).limit(per_page)
end
else
organizations = Organization.all.order(id: :asc).offset(offset).limit(per_page)
end
organizations = policy_scope(Organization).order(id: :asc).offset(offset).limit(per_page)
if response_expand?
list = []
@ -117,14 +110,17 @@ curl http://localhost/api/v1/organizations/#{id} -v -u #{login}:#{password}
=end
def show
begin
authorize!
rescue Pundit::NotAuthorizedError
# we have a special case here where Users that have no
# organization can request any organization_id but get
# an empty response. However, users with an organization_id
# get that error
raise if current_user.organization_id
# only allow customer to fetch his own organization
if !current_user.permissions?(['admin.organization', 'ticket.agent'])
if !current_user.organization_id
render json: {}
return
end
raise Exceptions::NotAuthorized if params[:id].to_i != current_user.organization_id
render json: {}
return
end
if response_expand?
@ -168,7 +164,6 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
=end
def create
permission_check(['admin.organization', 'ticket.agent'])
model_create_render(Organization, params)
end
@ -199,7 +194,6 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password} -H "Conten
=end
def update
permission_check(['admin.organization', 'ticket.agent'])
model_update_render(Organization, params)
end
@ -217,15 +211,12 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
=end
def destroy
permission_check(['admin.organization', 'ticket.agent'])
model_references_check(Organization, params)
model_destroy_render(Organization, params)
end
# GET /api/v1/organizations/search
def search
raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.organization', 'ticket.agent'])
per_page = params[:per_page] || params[:limit] || 100
per_page = per_page.to_i
if per_page > 500
@ -301,8 +292,6 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
# GET /api/v1/organizations/history/1
def history
raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.organization', 'ticket.agent'])
# get organization data
organization = Organization.find(params[:id])
@ -319,7 +308,6 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
# @response_message 200 File download.
# @response_message 401 Invalid session.
def import_example
permission_check('admin.organization')
send_data(
Organization.csv_example,
filename: 'organization-example.csv',
@ -338,7 +326,6 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
# @response_message 201 Import started.
# @response_message 401 Invalid session.
def import_start
permission_check('admin.user')
string = params[:data]
if string.blank? && params[:file].present?
string = params[:file].read.force_encoding('utf-8')

2
app/controllers/overviews_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class OverviewsController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.overview') }
prepend_before_action { authentication_check && authorize! }
=begin

2
app/controllers/packages_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class PackagesController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.package') }
prepend_before_action { authentication_check && authorize! }
# GET /api/v1/packages
def index

2
app/controllers/postmaster_filters_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class PostmasterFiltersController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.channel_email') }
prepend_before_action { authentication_check && authorize! }
=begin

2
app/controllers/proxy_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ProxyController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.system') }
prepend_before_action { authentication_check && authorize! }
# POST /api/v1/proxy
def test

2
app/controllers/report_profiles_controller.rb
View file

@ -1,5 +1,5 @@
class ReportProfilesController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.report_profile') }
prepend_before_action { authentication_check && authorize! }
=begin

2
app/controllers/reports_controller.rb
View file

@ -1,6 +1,6 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class ReportsController < ApplicationController
prepend_before_action { authentication_check(permission: 'report') }
prepend_before_action { authentication_check && authorize! }
# GET /api/reports/config
def reporting_config

2
app/controllers/roles_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class RolesController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.role') }
prepend_before_action { authentication_check && authorize! }
=begin

4
app/controllers/search_controller.rb
View file

@ -7,10 +7,6 @@ class SearchController < ApplicationController
# GET|POST /api/v1/search/:objects
def search_generic
# enable search only for users with valid session
raise Exceptions::NotAuthorized if !current_user
# get params
query = params[:query]
if query.respond_to?(:permit!)

6
app/controllers/sessions_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class SessionsController < ApplicationController
prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
prepend_before_action -> { authentication_check && authorize! }, only: %i[switch_to_user list delete]
skip_before_action :verify_csrf_token, only: %i[show destroy create_omniauth failure_omniauth]
skip_before_action :user_device_check, only: %i[create_sso]
@ -97,8 +97,6 @@ class SessionsController < ApplicationController
# "switch" to user
def switch_to_user
permission_check(['admin.session', 'admin.user'])
# check user
if !params[:id]
render(
@ -176,7 +174,6 @@ class SessionsController < ApplicationController
end
def list
permission_check('admin.session')
assets = {}
sessions_clean = []
SessionHelper.list.each do |session|
@ -197,7 +194,6 @@ class SessionsController < ApplicationController
end
def delete
permission_check('admin.session')
SessionHelper.destroy(params[:id])
render json: {}
end

23
app/controllers/settings_controller.rb
View file

@ -1,13 +1,13 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class SettingsController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.*') }
prepend_before_action { authentication_check && authorize! }
# GET /settings
def index
list = []
Setting.all.each do |setting|
next if setting.preferences[:permission] && !current_user.permissions?(setting.preferences[:permission])
next if !authorized?(setting, :show?)
list.push setting
end
@ -16,7 +16,6 @@ class SettingsController < ApplicationController
# GET /settings/1
def show
check_access('read')
model_show_render(Setting, params)
end
@ -27,14 +26,12 @@ class SettingsController < ApplicationController
# PUT /settings/1
def update
check_access('write')
clean_params = keep_certain_attributes
model_update_render(Setting, clean_params)
end
# PUT /settings/image/:id
def update_image
check_access('write')
clean_params = keep_certain_attributes
if !clean_params[:logo]
@ -105,20 +102,4 @@ class SettingsController < ApplicationController
end
params
end
def check_access(type)
setting = Setting.lookup(id: params[:id])
if setting.preferences[:permission] && !current_user.permissions?(setting.preferences[:permission])
raise Exceptions::NotAuthorized, "Not authorized (required #{setting.preferences[:permission].inspect})"
end
if type == 'write'
return true if !Setting.get('system_online_service')
if setting.preferences && setting.preferences[:online_service_disable]
raise Exceptions::NotAuthorized, 'Not authorized (service disabled)'
end
end
true
end
end

7
app/controllers/signatures_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class SignaturesController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { authentication_check && authorize! }
=begin
@ -47,7 +47,6 @@ curl http://localhost/api/v1/signatures.json -v -u #{login}:#{password}
=end
def index
permission_check(['admin.channel_email', 'ticket.agent'])
model_index_render(Signature, params)
end
@ -69,7 +68,6 @@ curl http://localhost/api/v1/signatures/#{id}.json -v -u #{login}:#{password}
=end
def show
permission_check(['admin.channel_email', 'ticket.agent'])
model_show_render(Signature, params)
end
@ -98,7 +96,6 @@ curl http://localhost/api/v1/signatures.json -v -u #{login}:#{password} -H "Cont
=end
def create
permission_check(['admin.channel_email'])
model_create_render(Signature, params)
end
@ -127,7 +124,6 @@ curl http://localhost/api/v1/signatures.json -v -u #{login}:#{password} -H "Cont
=end
def update
permission_check(['admin.channel_email'])
model_update_render(Signature, params)
end
@ -142,7 +138,6 @@ Test:
=end
def destroy
permission_check(['admin.channel_email'])
model_destroy_render(Signature, params)
end
end

2
app/controllers/slas_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class SlasController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.sla') }
prepend_before_action { authentication_check && authorize! }
=begin

7
app/controllers/tags_controller.rb
View file

@ -1,7 +1,8 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TagsController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action -> { authorize! }, only: %i[admin_list admin_create admin_rename admin_delete]
prepend_before_action { authentication_check }
# GET /api/v1/tag_search?term=abc
def search
@ -60,7 +61,6 @@ class TagsController < ApplicationController
# GET /api/v1/tag_list
def admin_list
permission_check('admin.tag')
list = Tag::Item.order(name: :asc).limit(params[:limit] || 1000)
results = []
list.each do |item|
@ -76,14 +76,12 @@ class TagsController < ApplicationController
# POST /api/v1/tag_list
def admin_create
permission_check('admin.tag')
Tag::Item.lookup_by_name_and_create(params[:name])
render json: {}
end
# PUT /api/v1/tag_list/:id
def admin_rename
permission_check('admin.tag')
Tag::Item.rename(
id: params[:id],
name: params[:name],
@ -93,7 +91,6 @@ class TagsController < ApplicationController
# DELETE /api/v1/tag_list/:id
def admin_delete
permission_check('admin.tag')
Tag::Item.remove(params[:id])
render json: {}
end

18
app/controllers/taskbar_controller.rb
View file

@ -1,45 +1,35 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TaskbarController < ApplicationController
prepend_before_action -> { authorize! }, only: %i[show update destroy]
prepend_before_action :authentication_check
before_action :set_task_user_param, only: %i[create update]
def index
current_user_tasks = Taskbar.where(user_id: current_user.id)
model_index_render_result(current_user_tasks)
end
def show
taskbar = Taskbar.find(params[:id])
access_to_taskbar(taskbar)
model_create_render(Taskbar, params)
end
def create
task_user(params)
model_create_render(Taskbar, params)
end
def update
taskbar = Taskbar.find(params[:id])
access_to_taskbar(taskbar)
task_user(params)
model_update_render(Taskbar, params)
end
def destroy
taskbar = Taskbar.find(params[:id])
access_to_taskbar(taskbar)
model_destroy_render(Taskbar, params)
end
private
def access_to_taskbar(taskbar)
raise Exceptions::UnprocessableEntity, 'Not allowed to access this task.' if taskbar.user_id != current_user.id
end
def task_user(params)
def set_task_user_param
params[:user_id] = current_user.id
end
end

7
app/controllers/templates_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TemplatesController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { authentication_check && authorize! }
=begin
@ -47,7 +47,6 @@ curl http://localhost/api/v1/templates.json -v -u #{login}:#{password}
=end
def index
permission_check(['admin.template', 'ticket.agent'])
model_index_render(Template, params)
end
@ -69,7 +68,6 @@ curl http://localhost/api/v1/templates/#{id}.json -v -u #{login}:#{password}
=end
def show
permission_check(['admin.template', 'ticket.agent'])
model_show_render(Template, params)
end
@ -97,7 +95,6 @@ curl http://localhost/api/v1/templates.json -v -u #{login}:#{password} -H "Conte
=end
def create
permission_check(['admin.template', 'ticket.agent'])
model_create_render(Template, params)
end
@ -125,7 +122,6 @@ curl http://localhost/api/v1/templates.json -v -u #{login}:#{password} -H "Conte
=end
def update
permission_check(['admin.template', 'ticket.agent'])
model_update_render(Template, params)
end
@ -143,7 +139,6 @@ curl http://localhost/api/v1/templates.json -v -u #{login}:#{password} -H "Conte
=end
def destroy
permission_check(['admin.template', 'ticket.agent'])
model_destroy_render(Template, params)
end
end

9
app/controllers/text_modules_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TextModulesController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { authentication_check && authorize! }
=begin
@ -49,7 +49,6 @@ curl http://localhost/api/v1/text_modules.json -v -u #{login}:#{password}
=end
def index
permission_check(['admin.text_module', 'ticket.agent'])
model_index_render(TextModule, params)
end
@ -71,7 +70,6 @@ curl http://localhost/api/v1/text_modules/#{id}.json -v -u #{login}:#{password}
=end
def show
permission_check(['admin.text_module', 'ticket.agent'])
model_show_render(TextModule, params)
end
@ -101,7 +99,6 @@ curl http://localhost/api/v1/text_modules.json -v -u #{login}:#{password} -H "Co
=end
def create
permission_check('admin.text_module')
model_create_render(TextModule, params)
end
@ -131,7 +128,6 @@ curl http://localhost/api/v1/text_modules.json -v -u #{login}:#{password} -H "Co
=end
def update
permission_check('admin.text_module')
model_update_render(TextModule, params)
end
@ -149,7 +145,6 @@ curl http://localhost/api/v1/text_modules.json -v -u #{login}:#{password} -H "Co
=end
def destroy
permission_check('admin.text_module')
model_destroy_render(TextModule, params)
end
@ -162,7 +157,6 @@ curl http://localhost/api/v1/text_modules.json -v -u #{login}:#{password} -H "Co
# @response_message 200 File download.
# @response_message 401 Invalid session.
def import_example
permission_check('admin.text_module')
csv_string = TextModule.csv_example(
col_sep: params[:col_sep] || ',',
)
@ -185,7 +179,6 @@ curl http://localhost/api/v1/text_modules.json -v -u #{login}:#{password} -H "Co
# @response_message 201 Import started.
# @response_message 401 Invalid session.
def import_start
permission_check('admin.text_module')
string = params[:data]
if string.blank? && params[:file].present?
string = params[:file].read.force_encoding('utf-8')

61
app/controllers/ticket_articles_controller.rb
View file

@ -4,18 +4,18 @@ class TicketArticlesController < ApplicationController
include CreatesTicketArticles
include ClonesTicketArticleAttachments
prepend_before_action -> { authorize! }, only: %i[index import_example import_start]
prepend_before_action :authentication_check
# GET /articles
def index
permission_check('admin')
model_index_render(Ticket::Article, params)
end
# GET /articles/1
def show
article = Ticket::Article.find(params[:id])
access!(article, 'read')
authorize!(article)
if response_expand?
result = article.attributes_with_association_names
@ -35,15 +35,13 @@ class TicketArticlesController < ApplicationController
# GET /ticket_articles/by_ticket/1
def index_by_ticket
ticket = Ticket.find(params[:id])
access!(ticket, 'read')
authorize!(ticket, :show?)
articles = []
if response_expand?
ticket.articles.each do |article|
# ignore internal article if customer is requesting
next if article.internal == true && current_user.permissions?('ticket.customer')
next if !authorized?(article, :show?)
result = article.attributes_with_association_names
articles.push result
@ -57,9 +55,7 @@ class TicketArticlesController < ApplicationController
assets = {}
record_ids = []
ticket.articles.each do |article|
# ignore internal article if customer is requesting
next if article.internal == true && current_user.permissions?('ticket.customer')
next if !authorized?(article, :show?)
record_ids.push article.id
assets = article.assets({})
@ -72,9 +68,7 @@ class TicketArticlesController < ApplicationController
end
ticket.articles.each do |article|
# ignore internal article if customer is requesting
next if article.internal == true && current_user.permissions?('ticket.customer')
next if !authorized?(article, :show?)
articles.push article.attributes_with_association_names
end
@ -84,7 +78,7 @@ class TicketArticlesController < ApplicationController
# POST /articles
def create
ticket = Ticket.find(params[:ticket_id])
access!(ticket, 'create')
authorize!(ticket)
article = article_create(ticket, params)
if response_expand?
@ -105,11 +99,7 @@ class TicketArticlesController < ApplicationController
# PUT /articles/1
def update
article = Ticket::Article.find(params[:id])
access!(article, 'change')
if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin')
raise Exceptions::NotAuthorized, 'Not authorized (ticket.agent or admin permission required)!'
end
authorize!(article)
clean_params = Ticket::Article.association_name_to_id_convert(params)
clean_params = Ticket::Article.param_cleanup(clean_params, true)
@ -137,34 +127,15 @@ class TicketArticlesController < ApplicationController
# DELETE /api/v1/ticket_articles/:id
def destroy
article = Ticket::Article.find(params[:id])
access!(article, 'delete')
if current_user.permissions?('admin')
article.destroy!
render json: {}, status: :ok
return
end
article_deletable =
current_user.permissions?('ticket.agent') &&
article.created_by_id == current_user.id &&
!article.type.communication?
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' if !article_deletable
if article_deletable && article.created_at >= 10.minutes.ago
article.destroy!
render json: {}, status: :ok
return
end
raise Exceptions::NotAuthorized, 'Articles can only be deleted within 10 minutes after creation.'
authorize!(article)
article.destroy!
render json: {}, status: :ok
end
# POST /ticket_attachment_upload_clone_by_article
def ticket_attachment_upload_clone_by_article
article = Ticket::Article.find(params[:article_id])
access!(article.ticket, 'read')
authorize!(article.ticket, :show?)
render json: {
attachments: article_attachments_clone(article),
@ -174,7 +145,7 @@ class TicketArticlesController < ApplicationController
# GET /ticket_attachment/:ticket_id/:article_id/:id
def attachment
ticket = Ticket.lookup(id: params[:ticket_id])
access!(ticket, 'read')
authorize!(ticket, :show?)
article = Ticket::Article.find(params[:article_id])
if ticket.id != article.ticket_id
@ -185,7 +156,7 @@ class TicketArticlesController < ApplicationController
end
ticket = article.ticket
access!(ticket, 'read')
authorize!(ticket, :show?)
end
list = article.attachments || []
@ -226,7 +197,7 @@ class TicketArticlesController < ApplicationController
# GET /ticket_article_plain/1
def article_plain
article = Ticket::Article.find(params[:id])
access!(article, 'read')
authorize!(article, :show?)
file = article.as_raw
@ -250,7 +221,6 @@ class TicketArticlesController < ApplicationController
# @response_message 200 File download.
# @response_message 401 Invalid session.
def import_example
permission_check('admin')
csv_string = Ticket::Article.csv_example(
col_sep: ',',
)
@ -273,7 +243,6 @@ class TicketArticlesController < ApplicationController
# @response_message 201 Import started.
# @response_message 401 Invalid session.
def import_start
permission_check('admin')
if Setting.get('import_mode') != true
raise 'Only can import tickets if system is in import mode.'
end

7
app/controllers/ticket_priorities_controller.rb
View file

@ -1,35 +1,30 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TicketPrioritiesController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { authentication_check && authorize! }
# GET /ticket_priorities
def index
permission_check(['admin.object', 'ticket.agent', 'ticket.customer'])
model_index_render(Ticket::Priority, params)
end
# GET /ticket_priorities/1
def show
permission_check(['admin.object', 'ticket.agent', 'ticket.customer'])
model_show_render(Ticket::Priority, params)
end
# POST /ticket_priorities
def create
permission_check('admin.object')
model_create_render(Ticket::Priority, params)
end
# PUT /ticket_priorities/1
def update
permission_check('admin.object')
model_update_render(Ticket::Priority, params)
end
# DELETE /ticket_priorities/1
def destroy
permission_check('admin.object')
model_references_check(Ticket::Priority, params)
model_destroy_render(Ticket::Priority, params)
end

10
app/controllers/ticket_states_controller.rb
View file

@ -1,37 +1,31 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TicketStatesController < ApplicationController
prepend_before_action :authentication_check
prepend_before_action { authentication_check && authorize! }
# GET /ticket_states
def index
permission_check(['admin.object', 'ticket.agent', 'ticket.customer'])
model_index_render(Ticket::State, params)
end
# GET /ticket_states/1
def show
permission_check(['admin.object', 'ticket.agent', 'ticket.customer'])
model_show_render(Ticket::State, params)
end
# POST /ticket_states
def create
permission_check('admin.object')
model_create_render(Ticket::State, params)
end
# PUT /ticket_states/1
def update
permission_check('admin.object')
model_update_render(Ticket::State, params)
end
# DELETE /ticket_states/1
def destroy
permission_check('admin.object')
return if model_references_check(Ticket::State, params)
model_references_check(Ticket::State, params)
model_destroy_render(Ticket::State, params)
end
end

39
app/controllers/tickets_controller.rb
View file

@ -6,8 +6,8 @@ class TicketsController < ApplicationController
include ChecksUserAttributesByCurrentUserPermission
include TicketStats
prepend_before_action -> { authorize! }, only: %i[selector import_example import_start]
prepend_before_action :authentication_check
before_action :follow_up_possible_check, only: :update
# GET /api/v1/tickets
def index
@ -55,7 +55,7 @@ class TicketsController < ApplicationController
# GET /api/v1/tickets/1
def show
ticket = Ticket.find(params[:id])
access!(ticket, 'read')
authorize!(ticket)
if response_expand?
result = ticket.attributes_with_association_names
@ -221,7 +221,8 @@ class TicketsController < ApplicationController
# PUT /api/v1/tickets/1
def update
ticket = Ticket.find(params[:id])
access!(ticket, 'change')
authorize!(ticket, :follow_up?)
authorize!(ticket)
clean_params = Ticket.association_name_to_id_convert(params)
clean_params = Ticket.param_cleanup(clean_params, true)
@ -269,9 +270,7 @@ class TicketsController < ApplicationController
# DELETE /api/v1/tickets/1
def destroy
ticket = Ticket.find(params[:id])
access!(ticket, 'delete')
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' if !current_user.permissions?('admin')
authorize!(ticket)
ticket.destroy!
@ -296,7 +295,7 @@ class TicketsController < ApplicationController
# get ticket data
ticket = Ticket.find(params[:id])
access!(ticket, 'read')
authorize!(ticket, :show?)
# get history of ticket
render json: ticket.history_get(true)
@ -385,7 +384,7 @@ class TicketsController < ApplicationController
}
return
end
access!(ticket_master, 'change')
authorize!(ticket_master, :update?)
# check slave ticket
ticket_slave = Ticket.find_by(id: params[:slave_ticket_id])
@ -396,7 +395,7 @@ class TicketsController < ApplicationController
}
return
end
access!(ticket_slave, 'change')
authorize!(ticket_slave, :update?)
# merge ticket
ticket_slave.merge_to(
@ -415,11 +414,11 @@ class TicketsController < ApplicationController
# GET /api/v1/ticket_split
def ticket_split
ticket = Ticket.find(params[:ticket_id])
access!(ticket, 'read')
authorize!(ticket, :show?)
assets = ticket.assets({})
article = Ticket::Article.find(params[:article_id])
access!(article.ticket, 'read')
authorize!(article.ticket, :show?)
assets = article.assets(assets)
render json: {
@ -497,8 +496,6 @@ class TicketsController < ApplicationController
# GET /api/v1/tickets/selector
def selector
permission_check('admin.*')
ticket_count, tickets = Ticket.selectors(params[:condition], limit: 6, execution_time: true)
assets = {}
@ -627,7 +624,6 @@ class TicketsController < ApplicationController
# @response_message 200 File download.
# @response_message 401 Invalid session.
def import_example
permission_check('admin')
csv_string = Ticket.csv_example(
col_sep: ',',
)
@ -650,7 +646,6 @@ class TicketsController < ApplicationController
# @response_message 201 Import started.
# @response_message 401 Invalid session.
def import_start
permission_check('admin')
if Setting.get('import_mode') != true
raise 'Only can import tickets if system is in import mode.'
end
@ -673,16 +668,6 @@ class TicketsController < ApplicationController
private
def follow_up_possible_check
ticket = Ticket.find(params[:id])
return true if current_user.permissions?('ticket.agent') # agents can always reopen tickets, regardless of group configuration
return true if ticket.group.follow_up_possible != 'new_ticket' # check if the setting for follow_up_possible is disabled
return true if ticket.state.name != 'closed' # check if the ticket state is already closed
raise Exceptions::UnprocessableEntity, 'Cannot follow-up on a closed ticket. Please create a new ticket.'
end
def ticket_all(ticket)
# get attributes to update
@ -698,9 +683,7 @@ class TicketsController < ApplicationController
# get related users
article_ids = []
ticket.articles.each do |article|
# ignore internal article if customer is requesting
next if article.internal == true && current_user.permissions?('ticket.customer')
next if !authorized?(article, :show?)
article_ids.push article.id
assets = article.assets(assets)

2
app/controllers/time_accountings_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TimeAccountingsController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.time_accounting') }
prepend_before_action { authentication_check && authorize! }
def by_ticket

11
app/controllers/translations_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TranslationsController < ApplicationController
prepend_before_action :authentication_check, except: [:lang]
prepend_before_action -> { authentication_check && authorize! }, except: [:lang]
# GET /translations/lang/:locale
def lang
@ -10,7 +10,6 @@ class TranslationsController < ApplicationController
# PUT /translations/push
def push
permission_check('admin.translation')
start = Time.zone.now
Translation.push(params[:locale])
if start > Time.zone.now - 4.seconds
@ -21,51 +20,43 @@ class TranslationsController < ApplicationController
# POST /translations/sync/:locale
def sync
permission_check('admin.translation')
Translation.load(params[:locale])
render json: { message: 'ok' }, status: :ok
end
# POST /translations/reset
def reset
permission_check('admin.translation')
Translation.reset(params[:locale])
render json: { message: 'ok' }, status: :ok
end
# GET /translations/admin/lang/:locale
def admin
permission_check('admin.translation')
render json: Translation.lang(params[:locale], true)
end
# GET /translations
def index
permission_check('admin.translation')
model_index_render(Translation, params)
end
# GET /translations/1
def show
permission_check('admin.translation')
model_show_render(Translation, params)
end
# POST /translations
def create
permission_check('admin.translation')
model_create_render(Translation, params)
end
# PUT /translations/1
def update
permission_check('admin.translation')
model_update_render(Translation, params)
end
# DELETE /translations/1
def destroy
permission_check('admin.translation')
model_destroy_render(Translation, params)
end
end

2
app/controllers/triggers_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class TriggersController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.trigger') }
prepend_before_action { authentication_check && authorize! }
def index
model_index_render(Trigger, params)

2
app/controllers/user_access_token_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class UserAccessTokenController < ApplicationController
prepend_before_action { authentication_check(permission: 'user_preferences.access_token') }
prepend_before_action { authentication_check && authorize! }
=begin

2
app/controllers/user_devices_controller.rb
View file

@ -1,7 +1,7 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class UserDevicesController < ApplicationController
prepend_before_action { authentication_check(permission: 'user_preferences.device') }
prepend_before_action { authentication_check && authorize! }
def index
devices = UserDevice.where(user_id: current_user.id).order(updated_at: :desc, name: :asc)

34
app/controllers/users_controller.rb
View file

@ -3,6 +3,7 @@
class UsersController < ApplicationController
include ChecksUserAttributesByCurrentUserPermission
prepend_before_action -> { authorize! }, only: %i[import_example import_start search history]
prepend_before_action :authentication_check, except: %i[create password_reset_send password_reset_verify image]
prepend_before_action :authentication_check_only, only: [:create]
@ -27,12 +28,7 @@ class UsersController < ApplicationController
per_page = 500
end
# only allow customer to fetch him self
users = if !current_user.permissions?(['admin.user', 'ticket.agent'])
User.where(id: current_user.id).order(id: :asc).offset(offset).limit(per_page)
else
User.all.order(id: :asc).offset(offset).limit(per_page)
end
users = policy_scope(User).order(id: :asc).offset(offset).limit(per_page)
if response_expand?
list = []
@ -78,7 +74,7 @@ class UsersController < ApplicationController
# @response_message 401 Invalid session.
def show
user = User.find(params[:id])
access!(user, 'read')
authorize!(user)
if response_expand?
result = user.attributes_with_association_names
@ -263,7 +259,7 @@ class UsersController < ApplicationController
# @response_message 401 Invalid session.
def update
user = User.find(params[:id])
access!(user, 'change')
authorize!(user)
# permission check
check_attributes_by_current_user_permission(params)
@ -312,7 +308,7 @@ class UsersController < ApplicationController
# @response_message 401 Invalid session.
def destroy
user = User.find(params[:id])
access!(user, 'delete')
authorize!(user)
model_references_check(User, params)
model_destroy_render(User, params)
@ -367,8 +363,6 @@ class UsersController < ApplicationController
# @response_message 200 [Array<User>] A list of User records matching the search term.
# @response_message 401 Invalid session.
def search
raise Exceptions::NotAuthorized if !current_user.permissions?(['ticket.agent', 'admin.user'])
per_page = params[:per_page] || params[:limit] || 100
per_page = per_page.to_i
if per_page > 500
@ -472,8 +466,6 @@ class UsersController < ApplicationController
# @response_message 200 [History] The History records of the requested User record.
# @response_message 401 Invalid session.
def history
raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.user', 'ticket.agent'])
# get user data
user = User.find(params[:id])
@ -775,8 +767,6 @@ curl http://localhost/api/v1/users/preferences -v -u #{login}:#{password} -H "Co
=end
def preferences
raise Exceptions::UnprocessableEntity, 'No current user!' if !current_user
preferences_params = params.except(:controller, :action)
if preferences_params.present?
@ -816,8 +806,6 @@ curl http://localhost/api/v1/users/out_of_office -v -u #{login}:#{password} -H "
=end
def out_of_office
raise Exceptions::UnprocessableEntity, 'No current user!' if !current_user
user = User.find(current_user.id)
user.with_lock do
user.assign_attributes(
@ -854,8 +842,6 @@ curl http://localhost/api/v1/users/account -v -u #{login}:#{password} -H "Conten
=end
def account_remove
raise Exceptions::UnprocessableEntity, 'No current user!' if !current_user
# provider + uid to remove
raise Exceptions::UnprocessableEntity, 'provider needed!' if !params[:provider]
raise Exceptions::UnprocessableEntity, 'uid needed!' if !params[:uid]
@ -934,8 +920,6 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
=end
def avatar_new
return if !valid_session_with_user
# get & validate image
file_full = StaticAssets.data_url_attributes(params[:avatar_full])
file_resize = StaticAssets.data_url_attributes(params[:avatar_resize])
@ -963,8 +947,6 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
end
def avatar_set_default
return if !valid_session_with_user
# get & validate image
raise Exceptions::UnprocessableEntity, 'No id of avatar!' if !params[:id]
@ -979,8 +961,6 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
end
def avatar_destroy
return if !valid_session_with_user
# get & validate image
raise Exceptions::UnprocessableEntity, 'No id of avatar!' if !params[:id]
@ -996,8 +976,6 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
end
def avatar_list
return if !valid_session_with_user
# list of avatars
result = Avatar.list('User', current_user.id)
render json: { avatars: result }, status: :ok
@ -1012,7 +990,6 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
# @response_message 200 File download.
# @response_message 401 Invalid session.
def import_example
permission_check('admin.user')
send_data(
User.csv_example,
filename: 'user-example.csv',
@ -1031,7 +1008,6 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
# @response_message 201 Import started.
# @response_message 401 Invalid session.
def import_start
permission_check('admin.user')
string = params[:data]
if string.blank? && params[:file].present?
string = params[:file].read.force_encoding('utf-8')

3
app/controllers/version_controller.rb
View file

@ -1,7 +1,8 @@
# Copyright (C) 2012-2017 Zammad Foundation, http://zammad-foundation.org/
class VersionController < ApplicationController
prepend_before_action { authentication_check(permission: 'admin.version') }
prepend_before_action { authentication_check && authorize! }
# GET /api/v1/version
def index

1
app/models/organization.rb
View file

@ -10,7 +10,6 @@ class Organization < ApplicationModel
include ChecksHtmlSanitized
include HasObjectManagerAttributesValidation
include Organization::ChecksAccess
include Organization::Assets
include Organization::Search
include Organization::SearchIndex

51
app/models/organization/checks_access.rb
View file

@ -1,51 +0,0 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class Organization
module ChecksAccess
extend ActiveSupport::Concern
# Checks the given access of a given user for an organization.
#
# @param [User] The user that will be checked for given access.
# @param [String] The access that should get checked.
#
# @example
# organization.access?(user, 'read')
# #=> true
#
# @return [Boolean]
def access?(user, access)
# check customer
if user.permissions?('ticket.customer')
# access ok if its own organization
return false if access != 'read'
return false if !user.organization_id
return id == user.organization_id
end
# check agent
return true if user.permissions?('admin')
return true if user.permissions?('ticket.agent')
false
end
# Checks the given access of a given user for an organization and fails with an exception.
#
# @param (see Organization#access?)
#
# @example
# organization.access!(user, 'read')
#
# @raise [NotAuthorized] Gets raised if given user doesn't have the given access.
#
# @return [nil]
def access!(user, access)
return if access?(user, access)
raise Exceptions::NotAuthorized
end
end
end

11
app/models/recent_view.rb
View file

@ -76,12 +76,11 @@ class RecentView < ApplicationModel
end
def self.access(object, o_id, user)
object.to_s
.constantize
.try(:lookup, { id: o_id })
.try(:access?, user, 'read')
rescue NameError
false
record = object.to_s
.safe_constantize
.try(:lookup, { id: o_id })
Pundit.policy(user, record).try(:show?)
end
=begin

1
app/models/ticket.rb
View file

@ -13,7 +13,6 @@ class Ticket < ApplicationModel
include HasOnlineNotifications
include HasKarmaActivityLog
include HasLinks
include Ticket::ChecksAccess
include HasObjectManagerAttributesValidation
include Ticket::Escalation

1
app/models/ticket/article.rb
View file

@ -8,7 +8,6 @@ class Ticket::Article < ApplicationModel
include CanCsvImport
include HasObjectManagerAttributesValidation
include Ticket::Article::ChecksAccess
include Ticket::Article::Assets
belongs_to :ticket, optional: true

43
app/models/ticket/article/checks_access.rb
View file

@ -1,43 +0,0 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class Ticket
class Article
module ChecksAccess
extend ActiveSupport::Concern
# Checks the given access of a given user for a ticket article.
#
# @param [User] The user that will be checked for given access.
# @param [String] The access that should get checked.
#
# @example
# article.access?(user, 'read')
# #=> true
#
# @return [Boolean]
def access?(user, access)
if user.permissions?('ticket.customer')
return false if internal == true
end
ticket = Ticket.lookup(id: ticket_id)
ticket.access?(user, access)
end
# Checks the given access of a given user for a ticket article and fails with an exception.
#
# @param (see Ticket::Article#access?)
#
# @example
# article.access!(user, 'read')
#
# @raise [NotAuthorized] Gets raised if given user doesn't have the given access.
#
# @return [nil]
def access!(user, access)
return if access?(user, access)
raise Exceptions::NotAuthorized
end
end
end
end

57
app/models/ticket/checks_access.rb
View file

@ -1,57 +0,0 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class Ticket
module ChecksAccess
extend ActiveSupport::Concern
# Checks the given access of a given user for a ticket.
#
# @param [User] The user that will be checked for given access.
# @param [String] The access that should get checked.
#
# @example
# ticket.access?(user, 'read')
# #=> true
#
# @return [Boolean]
def access?(user, access)
# check customer
if user.permissions?('ticket.customer')
# access ok if its own ticket
return true if customer_id == user.id
# check organization ticket access
return false if organization_id.blank?
return false if user.organization_id.blank?
return false if organization_id != user.organization_id
return organization.shared?
end
# check agent
# access if requestor is owner
return true if owner_id == user.id
# access if requestor is in group
user.group_access?(group.id, access)
end
# Checks the given access of a given user for a ticket and fails with an exception.
#
# @param (see Ticket#access?)
#
# @example
# ticket.access!(user, 'read')
#
# @raise [NotAuthorized] Gets raised if given user doesn't have the given access.
#
# @return [nil]
def access!(user, access)
return if access?(user, access)
raise Exceptions::NotAuthorized
end
end
end

33
app/models/token.rb
View file

@ -79,27 +79,7 @@ returns
# add permission check
if data[:permission]
return if !user.permissions?(data[:permission])
return if !token.preferences[:permission]
local_permissions = data[:permission]
if data[:permission].class != Array
local_permissions = [data[:permission]]
end
match = false
local_permissions.each do |local_permission|
local_permissions = Permission.with_parents(local_permission)
local_permissions.each do |local_permission_name|
next if !token.preferences[:permission].include?(local_permission_name)
match = true
break
end
next if !match
break
end
return if !match
return if !token.permissions?(data[:permission])
end
# return token user
@ -119,6 +99,17 @@ cleanup old token
true
end
def permissions?(permissions)
return false if !user.permissions?(permissions)
return false if preferences[:permission].blank?
Array(permissions).any? do |parentless|
Permission.with_parents(parentless).any? do |permission|
preferences[:permission].include?(permission)
end
end
end
private
def generate_token

9
app/models/user.rb
View file

@ -14,7 +14,6 @@ class User < ApplicationModel
include HasObjectManagerAttributesValidation
include HasTicketCreateScreenImpact
include User::HasTicketCreateScreenImpact
include User::ChecksAccess
include User::Assets
include User::Search
include User::SearchIndex
@ -421,14 +420,10 @@ returns
=end
def permissions?(key)
keys = key
if key.class == String
keys = [key]
end
keys.each do |local_key|
Array(key).each do |local_key|
list = []
if local_key.match?(/\.\*$/)
local_key.sub!('.*', '.%')
local_key = local_key.sub('.*', '.%')
permissions = ::Permission.with_parents(local_key)
list = ::Permission.select('preferences').joins(:roles).where('roles.id IN (?) AND roles.active = ? AND (permissions.name IN (?) OR permissions.name LIKE ?) AND permissions.active = ?', role_ids, true, permissions, local_key, true).pluck(:preferences)
else

74
app/models/user/checks_access.rb
View file

@ -1,74 +0,0 @@
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
class User
module ChecksAccess
extend ActiveSupport::Concern
# Checks the given access of a given user for another user.
#
# @param [User] The user that will be checked for given access.
# @param [String] The access that should get checked.
#
# @example
# user.access?(user, 'read')
# #=> true
#
# @return [Boolean]
def access?(requester, access)
# full admins can do whatever they want
return true if requester.permissions?('admin')
send("#{access}able_by?".to_sym, requester)
end
# Checks the given access of a given user for another user and fails with an exception.
#
# @param (see User#access?)
#
# @example
# user.access!(user, 'read')
#
# @raise [NotAuthorized] Gets raised if given user doesn't have the given access.
#
# @return [nil]
def access!(user, access)
return if access?(user, access)
raise Exceptions::NotAuthorized
end
private
def readable_by?(requester)
return true if own_account?(requester)
return true if requester.permissions?('admin.*')
return true if requester.permissions?('ticket.agent')
# check same organization for customers
return false if !requester.permissions?('ticket.customer')
same_organization?(requester)
end
def changeable_by?(requester)
return true if requester.permissions?('admin.user')
# allow agents to change customers
return false if !requester.permissions?('ticket.agent')
permissions?('ticket.customer')
end
def deleteable_by?(requester)
requester.permissions?('admin.user')
end
def own_account?(requester)
id == requester.id
end
def same_organization?(requester)
return false if organization_id.blank?
return false if requester.organization_id.blank?
organization_id == requester.organization_id
end
end
end

19
app/policies/application_policy.rb Normal file
View file

@ -0,0 +1,19 @@
class ApplicationPolicy
include PunditPolicy
attr_reader :record
def initialize_context(record)
@record = record
end
class Scope
include PunditPolicy
attr_reader :scope
def initialize_context(scope)
@scope = scope
end
end
end

33
app/policies/controllers/application_controller_policy.rb Normal file
View file

@ -0,0 +1,33 @@
class Controllers::ApplicationControllerPolicy < ApplicationPolicy
class_attribute(:action_permissions_map, default: {})
def self.inherited(subclass)
subclass.action_permissions_map = action_permissions_map.deep_dup
end
def self.default_permit!(permissions)
action_permissions_map.default = permissions
end
def self.permit!(actions, to:)
Array(actions).each do |action|
action_permissions_map[:"#{action}?"] = to
end
end
def method_missing(missing_method, *)
case (permission = action_permissions_map[missing_method])
when String, Array
user.permissions!(permission) || true
when Proc
user.permissions!(instance_exec(&permission)) || true
else
super
end
end
def respond_to_missing?(missing_method)
action_permissions_map[missing_method] || super
end
end

3
app/policies/controllers/applications_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ApplicationsControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.api')
end

3
app/policies/controllers/calendar_subscriptions_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::CalendarSubscriptionsControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('user_preferences.calendar')
end

4
app/policies/controllers/calendars_controller_policy.rb Normal file
View file

@ -0,0 +1,4 @@
class Controllers::CalendarsControllerPolicy < Controllers::ApplicationControllerPolicy
permit! :timezones, to: 'admin'
default_permit!('admin.calendar')
end

3
app/policies/controllers/channels_email_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ChannelsEmailControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.channel_email')
end

3
app/policies/controllers/channels_facebook_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ChannelsFacebookControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.channel_facebook')
end

3
app/policies/controllers/channels_sms_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ChannelsSmsControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.channel_sms')
end

3
app/policies/controllers/channels_telegram_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ChannelsTelegramControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.channel_telegram')
end

3
app/policies/controllers/channels_twitter_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ChannelsTwitterControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.channel_twitter')
end

3
app/policies/controllers/chat_sessions_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ChatSessionsControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('chat.agent')
end

3
app/policies/controllers/chats_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::ChatsControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.channel_chat')
end

3
app/policies/controllers/cti_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::CtiControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('cti.agent')
end

4
app/policies/controllers/email_addresses_controller_policy.rb Normal file
View file

@ -0,0 +1,4 @@
class Controllers::EmailAddressesControllerPolicy < Controllers::ApplicationControllerPolicy
permit! %i[index show], to: ['ticket.agent', 'admin.channel_email']
default_permit!('admin.channel_email')
end

16
app/policies/controllers/external_credentials_controller_policy.rb Normal file
View file

@ -0,0 +1,16 @@
class Controllers::ExternalCredentialsControllerPolicy < Controllers::ApplicationControllerPolicy
permit! :index, to: 'admin'
default_permit! -> { "admin.channel_#{provider_name}" }
private
def provider_name
@provider_name ||= begin
if record.params[:id].present?
ExternalCredential.find(record.params[:id]).name
else
record.params[:provider] || record.params[:name]
end
end
end
end

3
app/policies/controllers/first_steps_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::FirstStepsControllerPolicy < Controllers::ApplicationControllerPolicy
permit! %i[index test_ticket], to: ['ticket.agent', 'admin']
end

28
app/policies/controllers/form_controller_policy.rb Normal file
View file

@ -0,0 +1,28 @@
class Controllers::FormControllerPolicy < Controllers::ApplicationControllerPolicy
def configuration?
authorized?
end
def submit?
authorized?
end
def test?
record.params[:test] && user&.permissions?('admin.channel_formular')
end
private
def authorized?
test? || enabled?
end
def user_required?
false
end
def enabled?
Setting.get('form_ticket_create')
end
end

3
app/policies/controllers/getting_started_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::GettingStartedControllerPolicy < Controllers::ApplicationControllerPolicy
permit! :base, to: 'admin.wizard'
end

3
app/policies/controllers/groups_controller_policy.rb Normal file
View file

@ -0,0 +1,3 @@
class Controllers::GroupsControllerPolicy < Controllers::ApplicationControllerPolicy
default_permit!('admin.group')
end

Some files were not shown because too many files have changed in this diff Show more