From c6eaa8448741dd2eaa4990df5dc803f77de9f94b Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Wed, 17 Aug 2016 13:24:51 +0200 Subject: [PATCH] Added multi permission check to Token.check. --- README.md | 9 +++++---- app/controllers/application_controller.rb | 8 ++++---- app/controllers/user_access_token_controller.rb | 2 +- app/models/activity_stream.rb | 2 +- app/models/chat.rb | 4 ++-- app/models/http_log.rb | 2 +- app/models/recent_view.rb | 2 +- app/models/stats_store.rb | 2 +- app/models/token.rb | 12 +++++++++++- test/controllers/api_auth_controller_test.rb | 6 +++--- test/controllers/packages_controller_test.rb | 4 ++-- test/controllers/settings_controller_test.rb | 4 ++-- test/unit/token_test.rb | 10 ++++++++++ 13 files changed, 44 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 41cb97883..367724ed7 100644 --- a/README.md +++ b/README.md @@ -4,10 +4,11 @@ Welcome to Zammad ================= Zammad is a web based open source helpdesk/ticket system with many features -to manage customer telephone calls and e-mails. It is distributed under the -GNU AFFERO General Public License (AGPL) and tested on Linux, Solaris, AIX, -FreeBSD, OpenBSD and Mac OS 10.x. Do you receive many e-mails and -want to answer them with a team of agents? You're going to love Zammad! +to manage customer communication via several channels like telephone, facebook, +twitter, chat and e-mails. It is distributed under the GNU AFFERO General Public + License (AGPL) and tested on Linux, Solaris, AIX, FreeBSD, OpenBSD and Mac OS +10.x. Do you receive many e-mails and want to answer them with a team of agents? +You're going to love Zammad! Getting Started diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index ec8833f97..22602885d 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
@@ -274,7 +274,7 @@ class ApplicationController < ActionController::Base
 permission: auth_param[:permission],
 inactive_user: true,
 )
- raise Exceptions::NotAuthorized, 'No permission!' if !user
+ raise Exceptions::NotAuthorized, 'No permission (token)!' if !user
 end
 @_token_auth = token # remember for permission_check
 return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
@@ -315,7 +315,7 @@ class ApplicationController < ActionController::Base
 # check scopes / permission check
 if auth_param[:permission] && !user.permissions?(auth_param[:permission])
- raise Exceptions::NotAuthorized, 'No permission!'
+ raise Exceptions::NotAuthorized, 'No permission (user)!'
 end
 current_user_set(user)
@@ -360,11 +360,11 @@ class ApplicationController < ActionController::Base
 permission: key,
 )
 return false if user
- raise Exceptions::NotAuthorized, 'No permission!'
+ raise Exceptions::NotAuthorized, 'No permission (token)!'
 end
 return false if current_user && current_user.permissions?(key)
- raise Exceptions::NotAuthorized, 'No permission!'
+ raise Exceptions::NotAuthorized, 'No permission (user)!'
 end
 def valid_session_with_user
diff --git a/app/controllers/user_access_token_controller.rb b/app/controllers/user_access_token_controller.rb
index 9f31e71e3..ce965d91a 100644
--- a/app/controllers/user_access_token_controller.rb
+++ b/app/controllers/user_access_token_controller.rb
@@ -27,7 +27,7 @@ class UserAccessTokenController < ApplicationController
 }
 permissions = []
 Permission.all.order(:name).each { |permission|
- next if !local_permissions_new.key?(permission.name)
+ next if !local_permissions_new.key?(permission.name) && !current_user.permissions?(permission.name)
 permission_attributes = permission.attributes
 if local_permissions_new[permission.name] == false
 permission_attributes['preferences']['disabled'] = true
diff --git a/app/models/activity_stream.rb b/app/models/activity_stream.rb
index bc31d2c56..6030d7866 100644
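Review bot: The `(token)` / `(user)` suffixes added to the raise in the hunk at line 274 are delivered verbatim to the API client as the JSON `error` field (the controller tests in this commit assert on that string after a 401), so the response body now tells an unauthenticated caller which credential path was evaluated, and the tests are coupled to message wording. The raises in the hunks at lines 315 and 360 have the same issue. If the suffix is only meant to help debugging, a server-side log line could carry it while the client-visible message stays `'No permission!'`; if it is meant as API contract, it should be documented wherever the error format is described. The enclosing methods of all three hunks start outside the hunks.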
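Review bot: The doubled negation in the new `next if !a && !b` line of the hunk at line 27 reads harder than its positive form; `next unless local_permissions_new.key?(permission.name) || current_user.permissions?(permission.name)` says the same thing. The change also widens the listing from the permissions in `local_permissions_new` to every permission the current user holds, which is presumably intended but not stated; a comment such as `# also list the user's own permissions so they can be assigned to a token` would tell the next reader why. The enclosing action starts and ends outside the hunk.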
--- a/app/models/activity_stream.rb +++ b/app/models/activity_stream.rb @@ -133,7 +133,7 @@ cleanup old stream messages ActivityStream.cleanup -optional you can parse the max oldest stream entries +optional you can put the max oldest stream entries as argument ActivityStream.cleanup(3.months) diff --git a/app/models/chat.rb b/app/models/chat.rb index 8aadf00df..34158b0c0 100644 --- a/app/models/chat.rb +++ b/app/models/chat.rb @@ -220,7 +220,7 @@ cleanup old chat messages Chat.cleanup -optional you can parse the max oldest chat entries +optional you can put the max oldest chat entries Chat.cleanup(3.months) @@ -241,7 +241,7 @@ close chat sessions where participients are offline Chat.cleanup_close -optional you can parse the max oldest chat sessions +optional you can put the max oldest chat sessions as argument Chat.cleanup_close(5.minutes) diff --git a/app/models/http_log.rb b/app/models/http_log.rb index 364b9f9fa..3718ac374 100644 --- a/app/models/http_log.rb +++ b/app/models/http_log.rb @@ -10,7 +10,7 @@ cleanup old http logs HttpLog.cleanup -optional you can parse the max oldest chat entries +optional you can put the max oldest chat entries as argument HttpLog.cleanup(1.month) diff --git a/app/models/recent_view.rb b/app/models/recent_view.rb index 915e8d55f..2f7064c9e 100644 --- a/app/models/recent_view.rb +++ b/app/models/recent_view.rb @@ -105,7 +105,7 @@ cleanup old entries RecentView.cleanup -optional you can parse the max oldest entries +optional you can put the max oldest entries as argument RecentView.cleanup(1.month) diff --git a/app/models/stats_store.rb b/app/models/stats_store.rb index d3ec79bc4..fb440cd72 100644 --- a/app/models/stats_store.rb +++ b/app/models/stats_store.rb @@ -120,7 +120,7 @@ cleanup old stats store StatsStore.cleanup -optional you can parse the max oldest stats store entries +optional you can put the max oldest stats store entries as argument StatsStore.cleanup(3.months) 
diff --git a/app/models/token.rb b/app/models/token.rb
index 258a421ba..6a0b6ce6c 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -79,7 +79,17 @@ returns
 if data[:permission]
 return if !user.permissions?(data[:permission])
 return if !token.preferences[:permission]
- return if !token.preferences[:permission].include?(data[:permission])
+ local_permissions = data[:permission]
+ if data[:permission].class != Array
+ local_permissions = [data[:permission]]
+ end
+ match = false
+ local_permissions.each {|local_permission|
+ next if !token.preferences[:permission].include?(local_permission)
+ match = true
+ break
+ }
+ return if !match
 end
 # return token user
diff --git a/test/controllers/api_auth_controller_test.rb b/test/controllers/api_auth_controller_test.rb
index 155446f89..8763cb242 100644
--- a/test/controllers/api_auth_controller_test.rb
+++ b/test/controllers/api_auth_controller_test.rb
@@ -140,7 +140,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
 assert_response(401)
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
- assert_equal('No permission!', result['error'])
+ assert_equal('No permission (token)!', result['error'])
 admin_token.preferences[:permission] = []
 admin_token.save!
@@ -149,7 +149,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
 assert_response(401)
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
- assert_equal('No permission!', result['error'])
+ assert_equal('No permission (token)!', result['error'])
 @admin.active = false
 @admin.save!
@@ -182,7 +182,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
 assert_response(401)
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
- assert_equal('No permission!', result['error'])
+ assert_equal('No permission (token)!', result['error'])
 admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
 admin_token.save!
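Review bot: The block added in the hunk at line 79 gives the Array form any-of semantics — the token passes as soon as one requested permission is in `token.preferences[:permission]` — but nothing in the code says so, and a caller passing several permissions in the expectation that all are required would get a weaker check than intended. A comment on the first added line, `# Array means any-of: the token needs at least one of the listed permissions`, plus collapsing the class test and the manual flag loop into `required = Array(data[:permission])` / `return if required.none? { |name| token.preferences[:permission].include?(name) }` makes the intent explicit and removes the `match` variable. Note that `user.permissions?(data[:permission])` two lines above is now also reached with an Array; whether it accepts one is not visible here and should be confirmed. `Token.check` starts and ends outside the hunk.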
diff --git a/test/controllers/packages_controller_test.rb b/test/controllers/packages_controller_test.rb
index 7b31d8ee2..69f255982 100644
--- a/test/controllers/packages_controller_test.rb
+++ b/test/controllers/packages_controller_test.rb
@@ -111,7 +111,7 @@ class PackagesControllerTest < ActionDispatch::IntegrationTest
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
 assert_not(result['packages'])
- assert_equal('No permission!', result['error'])
+ assert_equal('No permission (user)!', result['error'])
 end
 test '06 packages index with customer' do
@@ -125,7 +125,7 @@ class PackagesControllerTest < ActionDispatch::IntegrationTest
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
 assert_not(result['packages'])
- assert_equal('No permission!', result['error'])
+ assert_equal('No permission (user)!', result['error'])
 end
 end
diff --git a/test/controllers/settings_controller_test.rb b/test/controllers/settings_controller_test.rb
index b276bacbc..69026adf6 100644
--- a/test/controllers/settings_controller_test.rb
+++ b/test/controllers/settings_controller_test.rb
@@ -82,7 +82,7 @@ class SettingsControllerTest < ActionDispatch::IntegrationTest
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
 assert_not(result['settings'])
- assert_equal('No permission!', result['error'])
+ assert_equal('No permission (user)!', result['error'])
 end
 test 'settings index with customer' do
@@ -95,7 +95,7 @@ class SettingsControllerTest < ActionDispatch::IntegrationTest
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
 assert_not(result['settings'])
- assert_equal('No permission!', result['error'])
+ assert_equal('No permission (user)!', result['error'])
 end
 end
diff --git a/test/unit/token_test.rb b/test/unit/token_test.rb
index ddf0ca338..df0921a17 100644
--- a/test/unit/token_test.rb
+++ b/test/unit/token_test.rb
@@ -114,6 +114,16 @@ class TokenTest < ActiveSupport::TestCase
 assert_equal('Agent1', user.lastname)
 assert_equal('token-agent1@example.com', user.email)
+ user = Token.check(
+ action: 'api',
+ name: token.name,
+ permission: ['ticket.agent', 'not_existing'],
+ )
+ assert(user)
+ assert_equal('Token', user.firstname)
+ assert_equal('Agent1', user.lastname)
+ assert_equal('token-agent1@example.com', user.email)
+
 end
 end
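Review bot: The test added in the hunk at line 114 only exercises the accepting path of the Array form; there is no case in which none of the listed permissions is carried by the token, so a regression that made the any-of loop always succeed (for instance `match` starting out true) would still pass. A sibling call with `permission: ['not_existing', 'also_not_existing']` (placeholder names) followed by `assert_not(user)` pins the deny path, and a call mixing one held and one unknown permission in the opposite order would show the result does not depend on position. The enclosing test method starts outside the hunk.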