Added multi permission check to Token.check.

README.md

@@ -4,10 +4,11 @@ Welcome to Zammad
 =================
 
 Zammad is a web based open source helpdesk/ticket system with many features
-to manage customer telephone calls and e-mails. It is distributed under the
+to manage customer communication via several channels like telephone, facebook,
-GNU AFFERO General Public License (AGPL) and tested on Linux, Solaris, AIX,
+twitter, chat and e-mails. It is distributed under the GNU AFFERO General Public
-FreeBSD, OpenBSD and Mac OS 10.x. Do you receive many e-mails and
+ License (AGPL) and tested on Linux, Solaris, AIX, FreeBSD, OpenBSD and Mac OS
-want to answer them with a team of agents? You're going to love Zammad!
+10.x. Do you receive many e-mails and want to answer them with a team of agents?
+You're going to love Zammad!
 
 
 Getting Started

app/controllers/application_controller.rb

@@ -274,7 +274,7 @@ class ApplicationController < ActionController::Base
           permission: auth_param[:permission],
           inactive_user: true,
         )
-        raise Exceptions::NotAuthorized, 'No permission!' if !user
+        raise Exceptions::NotAuthorized, 'No permission (token)!' if !user
       end
       @_token_auth = token # remember for permission_check
       return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
@@ -315,7 +315,7 @@ class ApplicationController < ActionController::Base
 
     # check scopes / permission check
     if auth_param[:permission] && !user.permissions?(auth_param[:permission])
-      raise Exceptions::NotAuthorized, 'No permission!'
+      raise Exceptions::NotAuthorized, 'No permission (user)!'
     end
 
     current_user_set(user)
@@ -360,11 +360,11 @@ class ApplicationController < ActionController::Base
         permission: key,
       )
       return false if user
-      raise Exceptions::NotAuthorized, 'No permission!'
+      raise Exceptions::NotAuthorized, 'No permission (token)!'
     end
 
     return false if current_user && current_user.permissions?(key)
-    raise Exceptions::NotAuthorized, 'No permission!'
+    raise Exceptions::NotAuthorized, 'No permission (user)!'
   end
 
   def valid_session_with_user

app/controllers/user_access_token_controller.rb

@@ -27,7 +27,7 @@ class UserAccessTokenController < ApplicationController
     }
     permissions = []
     Permission.all.order(:name).each { |permission|
-      next if !local_permissions_new.key?(permission.name)
+      next if !local_permissions_new.key?(permission.name) && !current_user.permissions?(permission.name)
       permission_attributes = permission.attributes
       if local_permissions_new[permission.name] == false
         permission_attributes['preferences']['disabled'] = true

app/models/activity_stream.rb

@@ -133,7 +133,7 @@ cleanup old stream messages
 
   ActivityStream.cleanup
 
-optional you can parse the max oldest stream entries
+optional you can put the max oldest stream entries as argument
 
   ActivityStream.cleanup(3.months)
 

app/models/chat.rb

@@ -220,7 +220,7 @@ cleanup old chat messages
 
   Chat.cleanup
 
-optional you can parse the max oldest chat entries
+optional you can put the max oldest chat entries
 
   Chat.cleanup(3.months)
 
@@ -241,7 +241,7 @@ close chat sessions where participients are offline
 
   Chat.cleanup_close
 
-optional you can parse the max oldest chat sessions
+optional you can put the max oldest chat sessions as argument
 
   Chat.cleanup_close(5.minutes)
 

app/models/http_log.rb

@@ -10,7 +10,7 @@ cleanup old http logs
 
   HttpLog.cleanup
 
-optional you can parse the max oldest chat entries
+optional you can put the max oldest chat entries as argument
 
   HttpLog.cleanup(1.month)
 

app/models/recent_view.rb

@@ -105,7 +105,7 @@ cleanup old entries
 
   RecentView.cleanup
 
-optional you can parse the max oldest entries
+optional you can put the max oldest entries as argument
 
   RecentView.cleanup(1.month)
 

app/models/stats_store.rb

@@ -120,7 +120,7 @@ cleanup old stats store
 
   StatsStore.cleanup
 
-optional you can parse the max oldest stats store entries
+optional you can put the max oldest stats store entries as argument
 
   StatsStore.cleanup(3.months)
 

app/models/token.rb

@@ -79,7 +79,17 @@ returns
     if data[:permission]
       return if !user.permissions?(data[:permission])
       return if !token.preferences[:permission]
-      return if !token.preferences[:permission].include?(data[:permission])
+      local_permissions = data[:permission]
+      if data[:permission].class != Array
+        local_permissions = [data[:permission]]
+      end
+      match = false
+      local_permissions.each {|local_permission|
+        next if !token.preferences[:permission].include?(local_permission)
+        match = true
+        break
+      }
+      return if !match
     end
 
     # return token user

test/controllers/api_auth_controller_test.rb

@@ -140,7 +140,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     assert_response(401)
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
-    assert_equal('No permission!', result['error'])
+    assert_equal('No permission (token)!', result['error'])
 
     admin_token.preferences[:permission] = []
     admin_token.save!
@@ -149,7 +149,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     assert_response(401)
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
-    assert_equal('No permission!', result['error'])
+    assert_equal('No permission (token)!', result['error'])
 
     @admin.active = false
     @admin.save!
@@ -182,7 +182,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     assert_response(401)
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
-    assert_equal('No permission!', result['error'])
+    assert_equal('No permission (token)!', result['error'])
 
     admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
     admin_token.save!

test/controllers/packages_controller_test.rb

@@ -111,7 +111,7 @@ class PackagesControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
     assert_not(result['packages'])
-    assert_equal('No permission!', result['error'])
+    assert_equal('No permission (user)!', result['error'])
   end
 
   test '06 packages index with customer' do
@@ -125,7 +125,7 @@ class PackagesControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
     assert_not(result['packages'])
-    assert_equal('No permission!', result['error'])
+    assert_equal('No permission (user)!', result['error'])
   end
 
 end

test/controllers/settings_controller_test.rb

@@ -82,7 +82,7 @@ class SettingsControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
     assert_not(result['settings'])
-    assert_equal('No permission!', result['error'])
+    assert_equal('No permission (user)!', result['error'])
   end
 
   test 'settings index with customer' do
@@ -95,7 +95,7 @@ class SettingsControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
     assert_not(result['settings'])
-    assert_equal('No permission!', result['error'])
+    assert_equal('No permission (user)!', result['error'])
   end
 
 end

test/unit/token_test.rb

@@ -114,6 +114,16 @@ class TokenTest < ActiveSupport::TestCase
     assert_equal('Agent1', user.lastname)
     assert_equal('token-agent1@example.com', user.email)
 
+    user = Token.check(
+      action: 'api',
+      name: token.name,
+      permission: ['ticket.agent', 'not_existing'],
+    )
+    assert(user)
+    assert_equal('Token', user.firstname)
+    assert_equal('Agent1', user.lastname)
+    assert_equal('token-agent1@example.com', user.email)
+
   end
 
 end