Improved session validation and usage of cors headers.
This commit is contained in:
parent
fc13598f79
commit
cd28e904ac
64 changed files with 195 additions and 121 deletions
|
@ -34,6 +34,8 @@ class App.UiElement.textarea
|
||||||
'<div class="btn btn-default qq-upload-icon2 qq-upload-button pull-right" style="">{uploadButtonText}</div>' +
|
'<div class="btn btn-default qq-upload-icon2 qq-upload-button pull-right" style="">{uploadButtonText}</div>' +
|
||||||
'<ul class="qq-upload-list span5" style="margin-top: 10px;"></ul>' +
|
'<ul class="qq-upload-list span5" style="margin-top: 10px;"></ul>' +
|
||||||
'</div>',
|
'</div>',
|
||||||
|
customHeaders:
|
||||||
|
'X-CSRF-Token': App.Ajax.token()
|
||||||
classes:
|
classes:
|
||||||
success: ''
|
success: ''
|
||||||
fail: ''
|
fail: ''
|
||||||
|
|
|
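Review bot: The `'X-CSRF-Token': App.Ajax.token()` entry in `customHeaders` is evaluated once, when this options object is built, and `App.Ajax.token()` returns `@currentToken`, which this same commit initialises to `null` and fills in only after an `ajaxComplete` whose response carries a `CSRF-TOKEN` header. An uploader built before any such response has arrived therefore carries a null token, and how the upload library serialises a null header value is not visible from here. Consider adding the header only when a token exists, e.g. `customHeaders: if App.Ajax.token() then {'X-CSRF-Token': App.Ajax.token()} else {}`, or resolving the token at request time if the uploader supports that. The enclosing function starts and ends outside the hunk.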
@ -40,16 +40,22 @@ class App.Ajax
|
||||||
_instance ?= new _ajaxSingleton
|
_instance ?= new _ajaxSingleton
|
||||||
_instance.current()
|
_instance.current()
|
||||||
|
|
||||||
|
@token: ->
|
||||||
|
if _instance == undefined
|
||||||
|
_instance ?= new _ajaxSingleton
|
||||||
|
_instance.token()
|
||||||
|
|
||||||
# The actual Singleton class
|
# The actual Singleton class
|
||||||
class _ajaxSingleton
|
class _ajaxSingleton
|
||||||
defaults:
|
defaults:
|
||||||
contentType: 'application/json'
|
contentType: 'application/json'
|
||||||
dataType: 'json'
|
dataType: 'json'
|
||||||
processData: false
|
processData: false
|
||||||
headers: {'X-Requested-With': 'XMLHttpRequest'}
|
headers:
|
||||||
|
'X-Requested-With': 'XMLHttpRequest'
|
||||||
cache: false
|
cache: false
|
||||||
async: true
|
async: true
|
||||||
|
currentToken: null
|
||||||
currentRequest: {}
|
currentRequest: {}
|
||||||
queueList: []
|
queueList: []
|
||||||
queueRunning: false
|
queueRunning: false
|
||||||
|
@ -63,8 +69,15 @@ class _ajaxSingleton
|
||||||
# bindings
|
# bindings
|
||||||
$(document).bind('ajaxSend', =>
|
$(document).bind('ajaxSend', =>
|
||||||
@_show_spinner()
|
@_show_spinner()
|
||||||
).bind('ajaxComplete', =>
|
).bind('ajaxComplete', (request, xhr, settings) =>
|
||||||
@_hide_spinner()
|
@_hide_spinner()
|
||||||
|
|
||||||
|
# remeber XSRF-TOKEN for later
|
||||||
|
CSRFToken = xhr.getResponseHeader('CSRF-TOKEN')
|
||||||
|
return if !CSRFToken
|
||||||
|
@currentToken = CSRFToken
|
||||||
|
@defaults.headers['X-CSRF-Token'] = CSRFToken
|
||||||
|
Spine.Ajax.defaults.headers['X-CSRF-Token'] = CSRFToken
|
||||||
)
|
)
|
||||||
|
|
||||||
# show error messages
|
# show error messages
|
||||||
|
@ -170,6 +183,9 @@ class _ajaxSingleton
|
||||||
current: =>
|
current: =>
|
||||||
@currentRequest
|
@currentRequest
|
||||||
|
|
||||||
|
token: =>
|
||||||
|
@currentToken
|
||||||
|
|
||||||
_show_spinner: =>
|
_show_spinner: =>
|
||||||
@count++
|
@count++
|
||||||
$('.spinner').show()
|
$('.spinner').show()
|
||||||
|
|
|
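Review bot: The new `ajaxComplete` handler names its first parameter `request`, but jQuery passes the event object in that position (the callback signature is `(event, xhr, settings)`), so the name suggests a request object that is not there; rename it `event` or `_event`. The comment `# remeber XSRF-TOKEN for later` also names a header that the server side of this commit never sets — the controller hunk emits `CSRF-TOKEN` — so `# remember the CSRF-TOKEN response header and replay it as X-CSRF-Token on later requests` would match the code. The handler writes into `Spine.Ajax.defaults.headers` without checking that it exists; if Spine's defaults ever omit `headers`, every completed request would throw inside this global handler, so `Spine.Ajax.defaults.headers ?= {}` before the assignment is cheap insurance. Mutating `@defaults.headers` in place means the header persists for all later requests through this singleton, which appears to be the intent and could be said in the comment.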
@ -155,9 +155,7 @@
|
||||||
uploadCancel: function () {
|
uploadCancel: function () {
|
||||||
var manager = this;
|
var manager = this;
|
||||||
//manager.uploadsQueue.shift()
|
//manager.uploadsQueue.shift()
|
||||||
console.log(99999, manager._xhrs)
|
|
||||||
_.each( manager._xhrs, function(xhr){
|
_.each( manager._xhrs, function(xhr){
|
||||||
console.log(888, xhr)
|
|
||||||
xhr.abort()
|
xhr.abort()
|
||||||
})
|
})
|
||||||
manager._xhrs = []
|
manager._xhrs = []
|
||||||
|
@ -198,6 +196,11 @@
|
||||||
|
|
||||||
xhr.open('POST', manager.uploadUrl);
|
xhr.open('POST', manager.uploadUrl);
|
||||||
|
|
||||||
|
// add csrf token
|
||||||
|
if (App.Ajax && App.Ajax.token) {
|
||||||
|
xhr.setRequestHeader('X-CSRF-Token', App.Ajax.token());
|
||||||
|
}
|
||||||
|
|
||||||
// Triggered when upload starts:
|
// Triggered when upload starts:
|
||||||
xhr.upload.onloadstart = function () {
|
xhr.upload.onloadstart = function () {
|
||||||
// File size is not reported during start!
|
// File size is not reported during start!
|
||||||
|
|
|
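Review bot: `xhr.setRequestHeader('X-CSRF-Token', App.Ajax.token())` guards only that the `token` function exists, not that it returns a value; `App.Ajax.token()` is `null` until a response carrying `CSRF-TOKEN` has been seen, and `setRequestHeader` with `null` sends the literal string `null`, which the server then validates as a token and rejects. Capture the value and test it before setting the header: `var token = App.Ajax && App.Ajax.token && App.Ajax.token();` followed by `if (token) { xhr.setRequestHeader('X-CSRF-Token', token); }`. The enclosing upload function starts and ends outside the hunk.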
@ -1,16 +1,17 @@
|
||||||
<div class="page-header-title">
|
<div class="page-header-title">
|
||||||
<h1><%- @T( 'Package' ) %> <small><%- @T( 'Management' ) %></small></h1>
|
<h1><%- @T( 'Package' ) %> <small><%- @T('Management') %></small></h1>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="page-content">
|
<div class="page-content">
|
||||||
<!--
|
<!--
|
||||||
<ul class="nav nav-tabs nav-stacked">
|
<ul class="nav nav-tabs nav-stacked">
|
||||||
<li class=""><a data-type="" ><%- @T( 'Installed' ) %></a></li>
|
<li class=""><a data-type="" ><%- @T('Installed') %></a></li>
|
||||||
<li class=""><a data-type="" ><%- @T( 'Store' ) %></a></li>
|
<li class=""><a data-type="" ><%- @T('Store') %></a></li>
|
||||||
</ul>
|
</ul>
|
||||||
-->
|
-->
|
||||||
<p>
|
<p>
|
||||||
<form action="<%= App.Config.get('api_path') %>/packages" method="post" enctype="multipart/form-data" class="horizontal center">
|
<form action="<%= App.Config.get('api_path') %>/packages" method="post" enctype="multipart/form-data" class="horizontal center">
|
||||||
|
<input type="hidden" name="authenticity_token" value="<%= App.Ajax.token() %>"/>
|
||||||
<input type="file" name="file_upload"/>
|
<input type="file" name="file_upload"/>
|
||||||
<button class="align-right btn btn--primary" type="submit"><%- @T('Install Package') %></button>
|
<button class="align-right btn btn--primary" type="submit"><%- @T('Install Package') %></button>
|
||||||
</form>
|
</form>
|
||||||
|
|
|
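Review bot: The hidden `authenticity_token` field is filled from `App.Ajax.token()` at render time, so this plain multipart form submits whatever token the frontend had seen when the view was rendered; if no response carrying `CSRF-TOKEN` had arrived yet, the value is null and the POST is rejected by `verify_csrf_token` on the server. The admin UI presumably performs Ajax requests through the same singleton before this view renders, so this may be fine in practice, but the dependency deserves a comment next to the input, e.g. `<!-- token is delivered by the CSRF-TOKEN response header, see App.Ajax.token -->`, or the field could be rendered only when a token is present. Using `<%= %>` rather than `<%- %>` here is correct, since it HTML-escapes the value.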
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ActivityStreamController < ApplicationController
|
class ActivityStreamController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /api/v1/activity_stream
|
# GET /api/v1/activity_stream
|
||||||
def show
|
def show
|
||||||
|
|
|
@ -4,8 +4,6 @@ require 'exceptions'
|
||||||
class ApplicationController < ActionController::Base
|
class ApplicationController < ActionController::Base
|
||||||
include ErrorHandling
|
include ErrorHandling
|
||||||
|
|
||||||
# http_basic_authenticate_with :name => "test", :password => "ttt"
|
|
||||||
|
|
||||||
helper_method :current_user,
|
helper_method :current_user,
|
||||||
:authentication_check,
|
:authentication_check,
|
||||||
:config_frontend,
|
:config_frontend,
|
||||||
|
@ -17,36 +15,53 @@ class ApplicationController < ActionController::Base
|
||||||
:model_index_render
|
:model_index_render
|
||||||
|
|
||||||
skip_before_action :verify_authenticity_token
|
skip_before_action :verify_authenticity_token
|
||||||
before_action :transaction_begin, :set_user, :session_update, :user_device_check, :cors_preflight_check
|
before_action :verify_csrf_token, :transaction_begin, :set_user, :session_update, :user_device_check, :cors_preflight_check
|
||||||
after_action :transaction_end, :http_log, :set_access_control_headers
|
after_action :transaction_end, :http_log, :set_access_control_headers, :set_csrf_token_headers
|
||||||
|
|
||||||
# For all responses in this controller, return the CORS access control headers.
|
# For all responses in this controller, return the CORS access control headers.
|
||||||
def set_access_control_headers
|
def set_access_control_headers
|
||||||
|
return if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
|
||||||
|
set_access_control_headers_execute
|
||||||
|
end
|
||||||
|
|
||||||
|
def set_access_control_headers_execute
|
||||||
headers['Access-Control-Allow-Origin'] = '*'
|
headers['Access-Control-Allow-Origin'] = '*'
|
||||||
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
|
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
|
||||||
headers['Access-Control-Max-Age'] = '1728000'
|
headers['Access-Control-Max-Age'] = '1728000'
|
||||||
headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
|
headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
|
||||||
headers['Access-Control-Allow-Credentials'] = 'true'
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# If this is a preflight OPTIONS request, then short-circuit the
|
# If this is a preflight OPTIONS request, then short-circuit the
|
||||||
# request, return only the necessary headers and return an empty
|
# request, return only the necessary headers and return an empty
|
||||||
# text/plain.
|
# text/plain.
|
||||||
|
|
||||||
def cors_preflight_check
|
def cors_preflight_check
|
||||||
|
return true if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
|
||||||
|
cors_preflight_check_execute
|
||||||
|
end
|
||||||
|
|
||||||
return if request.method != 'OPTIONS'
|
def cors_preflight_check_execute
|
||||||
|
return true if request.method != 'OPTIONS'
|
||||||
headers['Access-Control-Allow-Origin'] = '*'
|
headers['Access-Control-Allow-Origin'] = '*'
|
||||||
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
|
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
|
||||||
headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
|
headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
|
||||||
headers['Access-Control-Max-Age'] = '1728000'
|
headers['Access-Control-Max-Age'] = '1728000'
|
||||||
headers['Access-Control-Allow-Credentials'] = 'true'
|
|
||||||
render text: '', content_type: 'text/plain'
|
render text: '', content_type: 'text/plain'
|
||||||
|
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def set_csrf_token_headers
|
||||||
|
return true if @_auth_type.present? && @_auth_type != 'session'
|
||||||
|
headers['CSRF-TOKEN'] = form_authenticity_token
|
||||||
|
end
|
||||||
|
|
||||||
|
def verify_csrf_token
|
||||||
|
return true if request.method != 'POST' && request.method != 'PUT' && request.method != 'DELETE' && request.method != 'PATCH'
|
||||||
|
return true if @_auth_type == 'token_auth' || @_auth_type == 'basic_auth'
|
||||||
|
return true if valid_authenticity_token?(session, params[:authenticity_token] || request.headers['X-CSRF-Token'])
|
||||||
|
logger.info 'CSRF token verification failed'
|
||||||
|
raise Exceptions::NotAuthorized, 'CSRF token verification failed!'
|
||||||
|
end
|
||||||
|
|
||||||
def http_log_config(config)
|
def http_log_config(config)
|
||||||
@http_log_support = config
|
@http_log_support = config
|
||||||
end
|
end
|
||||||
|
@ -74,8 +89,9 @@ class ApplicationController < ActionController::Base
|
||||||
@_current_user = User.lookup(id: session[:user_id])
|
@_current_user = User.lookup(id: session[:user_id])
|
||||||
end
|
end
|
||||||
|
|
||||||
def current_user_set(user)
|
def current_user_set(user, auth_type = 'session')
|
||||||
session[:user_id] = user.id
|
session[:user_id] = user.id
|
||||||
|
@_auth_type = auth_type
|
||||||
@_current_user = user
|
@_current_user = user
|
||||||
set_user
|
set_user
|
||||||
end
|
end
|
||||||
|
@ -224,7 +240,7 @@ class ApplicationController < ActionController::Base
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def authentication_check_only(auth_param)
|
def authentication_check_only(auth_param = {})
|
||||||
#logger.debug 'authentication_check'
|
#logger.debug 'authentication_check'
|
||||||
#logger.debug params.inspect
|
#logger.debug params.inspect
|
||||||
#logger.debug session.inspect
|
#logger.debug session.inspect
|
||||||
|
@ -336,7 +352,7 @@ class ApplicationController < ActionController::Base
|
||||||
raise Exceptions::NotAuthorized, 'Not authorized (user)!'
|
raise Exceptions::NotAuthorized, 'Not authorized (user)!'
|
||||||
end
|
end
|
||||||
|
|
||||||
current_user_set(user)
|
current_user_set(user, auth_type)
|
||||||
user_device_log(user, auth_type)
|
user_device_log(user, auth_type)
|
||||||
logger.debug "#{auth_type} for '#{user.login}'"
|
logger.debug "#{auth_type} for '#{user.login}'"
|
||||||
true
|
true
|
||||||
|
|
|
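Review bot: `verify_csrf_token`, `cors_preflight_check` and `set_access_control_headers` all branch on `@_auth_type`, which is populated only by `current_user_set` from inside `authentication_check`; that makes their behaviour depend on each subclass registering its authentication callback with `prepend_before_action`, which is why every controller hunk below (ActivityStream through Search) switches to it, and any controller that keeps a plain `before_action :authentication_check` will run `verify_csrf_token` with `@_auth_type` nil and reject token- and basic-auth POSTs with `CSRF token verification failed!`. Deriving the classification from the request rather than from callback order — for example checking `request.authorization.present?` for basic/token headers, or computing the auth type once in a parent `before_action` that runs first — would remove that coupling. Separately, a browser preflight `OPTIONS` request carries no `Authorization` header or cookies, so `@_auth_type` can never be `token_auth`/`basic_auth` during preflight and `cors_preflight_check` now returns `true` without rendering; if OPTIONS is routed to these controllers, the prepended `authentication_check` will presumably answer the preflight with a 401, which is worth covering with a request test. The header lists in `set_access_control_headers_execute` and `cors_preflight_check_execute` are duplicated and could share one frozen constant.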
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ApplicationsController < ApplicationController
|
class ApplicationsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.api') }
|
prepend_before_action { authentication_check(permission: 'admin.api') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
all = Doorkeeper::Application.all
|
all = Doorkeeper::Application.all
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
require 'icalendar'
|
require 'icalendar'
|
||||||
|
|
||||||
class CalendarSubscriptionsController < ApplicationController
|
class CalendarSubscriptionsController < ApplicationController
|
||||||
before_action { authentication_check( { basic_auth_promt: true, permission: 'user_preferences.calendar' } ) }
|
prepend_before_action { authentication_check( { basic_auth_promt: true, permission: 'user_preferences.calendar' } ) }
|
||||||
|
|
||||||
# @path [GET] /calendar_subscriptions
|
# @path [GET] /calendar_subscriptions
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class CalendarsController < ApplicationController
|
class CalendarsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.calendar') }
|
prepend_before_action { authentication_check(permission: 'admin.calendar') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,9 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ChannelsEmailController < ApplicationController
|
class ChannelsEmailController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action { authentication_check(permission: 'admin.channel_email') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
permission_check('admin.channel_email')
|
|
||||||
system_online_service = Setting.get('system_online_service')
|
system_online_service = Setting.get('system_online_service')
|
||||||
account_channel_ids = []
|
account_channel_ids = []
|
||||||
notification_channel_ids = []
|
notification_channel_ids = []
|
||||||
|
@ -54,9 +53,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
|
|
||||||
def probe
|
def probe
|
||||||
|
|
||||||
# check admin permissions
|
|
||||||
permission_check('admin.channel_email')
|
|
||||||
|
|
||||||
# probe settings based on email and password
|
# probe settings based on email and password
|
||||||
result = EmailHelper::Probe.full(
|
result = EmailHelper::Probe.full(
|
||||||
email: params[:email],
|
email: params[:email],
|
||||||
|
@ -74,9 +70,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
|
|
||||||
def outbound
|
def outbound
|
||||||
|
|
||||||
# check admin permissions
|
|
||||||
permission_check('admin.channel_email')
|
|
||||||
|
|
||||||
# verify access
|
# verify access
|
||||||
return if params[:channel_id] && !check_access(params[:channel_id])
|
return if params[:channel_id] && !check_access(params[:channel_id])
|
||||||
|
|
||||||
|
@ -86,9 +79,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
|
|
||||||
def inbound
|
def inbound
|
||||||
|
|
||||||
# check admin permissions
|
|
||||||
permission_check('admin.channel_email')
|
|
||||||
|
|
||||||
# verify access
|
# verify access
|
||||||
return if params[:channel_id] && !check_access(params[:channel_id])
|
return if params[:channel_id] && !check_access(params[:channel_id])
|
||||||
|
|
||||||
|
@ -103,9 +93,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
|
|
||||||
def verify
|
def verify
|
||||||
|
|
||||||
# check admin permissions
|
|
||||||
permission_check('admin.channel_email')
|
|
||||||
|
|
||||||
email = params[:email] || params[:meta][:email]
|
email = params[:email] || params[:meta][:email]
|
||||||
email = email.downcase
|
email = email.downcase
|
||||||
channel_id = params[:channel_id]
|
channel_id = params[:channel_id]
|
||||||
|
@ -195,7 +182,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def enable
|
def enable
|
||||||
permission_check('admin.channel_email')
|
|
||||||
channel = Channel.find_by(id: params[:id], area: 'Email::Account')
|
channel = Channel.find_by(id: params[:id], area: 'Email::Account')
|
||||||
channel.active = true
|
channel.active = true
|
||||||
channel.save!
|
channel.save!
|
||||||
|
@ -203,7 +189,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def disable
|
def disable
|
||||||
permission_check('admin.channel_email')
|
|
||||||
channel = Channel.find_by(id: params[:id], area: 'Email::Account')
|
channel = Channel.find_by(id: params[:id], area: 'Email::Account')
|
||||||
channel.active = false
|
channel.active = false
|
||||||
channel.save!
|
channel.save!
|
||||||
|
@ -211,7 +196,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def destroy
|
def destroy
|
||||||
permission_check('admin.channel_email')
|
|
||||||
channel = Channel.find_by(id: params[:id], area: 'Email::Account')
|
channel = Channel.find_by(id: params[:id], area: 'Email::Account')
|
||||||
channel.destroy
|
channel.destroy
|
||||||
render json: {}
|
render json: {}
|
||||||
|
@ -229,9 +213,6 @@ class ChannelsEmailController < ApplicationController
|
||||||
|
|
||||||
check_online_service
|
check_online_service
|
||||||
|
|
||||||
# check admin permissions
|
|
||||||
permission_check('admin.channel_email')
|
|
||||||
|
|
||||||
adapter = params[:adapter].downcase
|
adapter = params[:adapter].downcase
|
||||||
|
|
||||||
email = Setting.get('notification_sender')
|
email = Setting.get('notification_sender')
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ChannelsFacebookController < ApplicationController
|
class ChannelsFacebookController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.channel_facebook') }
|
prepend_before_action { authentication_check(permission: 'admin.channel_facebook') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
assets = {}
|
assets = {}
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ChannelsTelegramController < ApplicationController
|
class ChannelsTelegramController < ApplicationController
|
||||||
before_action -> { authentication_check(permission: 'admin.channel_telegram') }, except: [:webhook]
|
prepend_before_action -> { authentication_check(permission: 'admin.channel_telegram') }, except: [:webhook]
|
||||||
|
skip_before_action :verify_csrf_token, only: [:webhook]
|
||||||
|
|
||||||
def index
|
def index
|
||||||
assets = {}
|
assets = {}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ChannelsTwitterController < ApplicationController
|
class ChannelsTwitterController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.channel_twitter') }
|
prepend_before_action { authentication_check(permission: 'admin.channel_twitter') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
assets = {}
|
assets = {}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ChatsController < ApplicationController
|
class ChatsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.chat') }
|
prepend_before_action { authentication_check(permission: 'admin.chat') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
chat_ids = []
|
chat_ids = []
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class CtiController < ApplicationController
|
class CtiController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'cti.agent') }
|
prepend_before_action { authentication_check(permission: 'cti.agent') }
|
||||||
|
|
||||||
# list current caller log
|
# list current caller log
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class EmailAddressesController < ApplicationController
|
class EmailAddressesController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ExternalCredentialsController < ApplicationController
|
class ExternalCredentialsController < ApplicationController
|
||||||
before_action { authentication_check(permission: ['admin.channel_twitter', 'admin.channel_facebook']) }
|
prepend_before_action { authentication_check(permission: ['admin.channel_twitter', 'admin.channel_facebook']) }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
model_index_render(ExternalCredential, params)
|
model_index_render(ExternalCredential, params)
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class FirstStepsController < ApplicationController
|
class FirstStepsController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
def index
|
def index
|
||||||
return if !access?
|
return if !access?
|
||||||
|
|
|
@ -1,6 +1,9 @@
|
||||||
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class FormController < ApplicationController
|
class FormController < ApplicationController
|
||||||
|
skip_before_action :verify_csrf_token
|
||||||
|
before_action :cors_preflight_check_execute
|
||||||
|
after_action :set_access_control_headers_execute
|
||||||
|
|
||||||
def config
|
def config
|
||||||
return if !enabled?
|
return if !enabled?
|
||||||
|
|
|
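Review bot: `before_action :cors_preflight_check_execute` is appended after the callbacks inherited from `ApplicationController` (`transaction_begin`, `set_user`, `session_update`, `user_device_check` and the now-guarded `cors_preflight_check`), so an anonymous `OPTIONS` preflight to this public endpoint passes through all of them before it is answered; if any of them renders or raises for a session-less request, the preflight fails. Since this controller deliberately skips CSRF and serves cross-origin embeds, `prepend_before_action :cors_preflight_check_execute` would answer the preflight before any session work runs. The parent callbacks are outside this hunk, so whether they tolerate an unauthenticated OPTIONS is an assumption to verify.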
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class GroupsController < ApplicationController
|
class GroupsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.group') }
|
prepend_before_action { authentication_check(permission: 'admin.group') }
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class HttpLogsController < ApplicationController
|
class HttpLogsController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /http_logs/:facility
|
# GET /http_logs/:facility
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
require 'builder'
|
require 'builder'
|
||||||
|
|
||||||
class Integration::SipgateController < ApplicationController
|
class Integration::SipgateController < ApplicationController
|
||||||
|
skip_before_action :verify_csrf_token
|
||||||
before_action :check_configured
|
before_action :check_configured
|
||||||
|
|
||||||
# notify about inbound call / block inbound call
|
# notify about inbound call / block inbound call
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class JobsController < ApplicationController
|
class JobsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.scheduler') }
|
prepend_before_action { authentication_check(permission: 'admin.scheduler') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
model_index_render(Job, params)
|
model_index_render(Job, params)
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class KarmaController < ApplicationController
|
class KarmaController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
def index
|
def index
|
||||||
render json: {
|
render json: {
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class LinksController < ApplicationController
|
class LinksController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /api/v1/links
|
# GET /api/v1/links
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class MacrosController < ApplicationController
|
class MacrosController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class MonitoringController < ApplicationController
|
class MonitoringController < ApplicationController
|
||||||
before_action -> { authentication_check(permission: 'admin.monitoring') }, except: [:health_check, :status]
|
prepend_before_action -> { authentication_check(permission: 'admin.monitoring') }, except: [:health_check, :status]
|
||||||
|
skip_before_action :verify_csrf_token
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
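Review bot: `skip_before_action :verify_csrf_token` here is unconditional, while the authentication exemption on the line above is limited to `except: [:health_check, :status]`; every other action in this controller keeps session authentication but loses CSRF protection, so any state-changing action beyond this hunk becomes callable from a cross-site page with the admin's cookies. Narrow the skip to the unauthenticated endpoints, as the Telegram controller hunk does with `only: [:webhook]`: `skip_before_action :verify_csrf_token, only: [:health_check, :status]`. `Integration::SipgateController` (the earlier `skip_before_action :verify_csrf_token` hunk) has the same unconditional skip; that is acceptable only if none of its actions relies on session authentication, which is not visible here.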
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class NetworksController < ApplicationController
|
class NetworksController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /networks
|
# GET /networks
|
||||||
# GET /networks.json
|
# GET /networks.json
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class OnlineNotificationsController < ApplicationController
|
class OnlineNotificationsController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class OrganizationsController < ApplicationController
|
class OrganizationsController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class OverviewsController < ApplicationController
|
class OverviewsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.overview') }
|
prepend_before_action { authentication_check(permission: 'admin.overview') }
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class PackagesController < ApplicationController
|
class PackagesController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.package') }
|
prepend_before_action { authentication_check(permission: 'admin.package') }
|
||||||
|
|
||||||
# GET /api/v1/packages
|
# GET /api/v1/packages
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class PostmasterFiltersController < ApplicationController
|
class PostmasterFiltersController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.channel_email') }
|
prepend_before_action { authentication_check(permission: 'admin.channel_email') }
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class ProxyController < ApplicationController
|
class ProxyController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.system') }
|
prepend_before_action { authentication_check(permission: 'admin.system') }
|
||||||
|
|
||||||
# POST /api/v1/proxy
|
# POST /api/v1/proxy
|
||||||
def test
|
def test
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class RecentViewController < ApplicationController
|
class RecentViewController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
class ReportProfilesController < ApplicationController
|
class ReportProfilesController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.report_profile') }
|
prepend_before_action { authentication_check(permission: 'admin.report_profile') }
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
require 'tempfile'
|
require 'tempfile'
|
||||||
|
|
||||||
class ReportsController < ApplicationController
|
class ReportsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'report') }
|
prepend_before_action { authentication_check(permission: 'report') }
|
||||||
|
|
||||||
# GET /api/reports/config
|
# GET /api/reports/config
|
||||||
def reporting_config
|
def reporting_config
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class RolesController < ApplicationController
|
class RolesController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.role') }
|
prepend_before_action { authentication_check(permission: 'admin.role') }
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class SearchController < ApplicationController
|
class SearchController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET|POST /api/v1/search
|
# GET|POST /api/v1/search
|
||||||
# GET|POST /api/v1/search/:objects
|
# GET|POST /api/v1/search/:objects
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class SessionsController < ApplicationController
|
class SessionsController < ApplicationController
|
||||||
|
prepend_before_action :authentication_check, only: [:switch_to_user, :list, :delete]
|
||||||
|
skip_before_action :verify_csrf_token, only: [:create, :show, :destroy, :create_omniauth, :create_sso]
|
||||||
|
|
||||||
# "Create" a login, aka "log the user in"
|
# "Create" a login, aka "log the user in"
|
||||||
def create
|
def create
|
||||||
|
@ -18,12 +20,11 @@ class SessionsController < ApplicationController
|
||||||
raise Exceptions::NotAuthorized, 'Wrong Username and Password combination.' if !user
|
raise Exceptions::NotAuthorized, 'Wrong Username and Password combination.' if !user
|
||||||
|
|
||||||
# remember me - set session cookie to expire later
|
# remember me - set session cookie to expire later
|
||||||
request.env['rack.session.options'][:expire_after] = if params[:remember_me]
|
expire_after = nil
|
||||||
1.year
|
if params[:remember_me]
|
||||||
end
|
expire_after = 1.year
|
||||||
# both not needed to set :expire_after works fine
|
end
|
||||||
# request.env['rack.session.options'][:renew] = true
|
env['rack.session.options'][:expire_after] = expire_after
|
||||||
# reset_session
|
|
||||||
|
|
||||||
# set session user
|
# set session user
|
||||||
current_user_set(user)
|
current_user_set(user)
|
||||||
|
@ -114,11 +115,11 @@ class SessionsController < ApplicationController
|
||||||
def destroy
|
def destroy
|
||||||
|
|
||||||
# Remove the user id from the session
|
# Remove the user id from the session
|
||||||
@_current_user = session[:user_id] = nil
|
@_current_user = nil
|
||||||
|
|
||||||
# reset session cookie (reset :expire_after in case remember_me is active)
|
# reset session
|
||||||
request.env['rack.session.options'][:expire_after] = -1.years
|
request.env['rack.session.options'][:expire_after] = nil
|
||||||
request.env['rack.session.options'][:renew] = true
|
session.clear
|
||||||
|
|
||||||
render json: {}
|
render json: {}
|
||||||
end
|
end
|
||||||
|
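Review bot: `session.clear` on the new side of `destroy` empties the session data but does not rotate the session id or drop the cookie, which the removed `[:renew] = true` and `-1.years` lines did; the updated AuthTest (cookie expected to still exist with `value: '.+?'`) shows the browser keeps the same `_zammad` cookie after logout. With a server-side session store that leaves the old record reachable, so `reset_session` (clear plus new id) is the safer single call to replace the three new lines. The same rotation is missing on the login path in the `@@ -18,12 +20,11` hunk, where `env['rack.session.options'][:expire_after] = expire_after` is set without renewing the id before `current_user_set(user)`; if `current_user_set` already does that, a comment saying so would help. Minor: that hunk uses `env[...]` while this one uses `request.env[...]`; pick one. Since `signshow` already hands out a `CSRF-TOKEN` before login (see the UserOrganizationControllerTest hunk), the `skip_before_action :verify_csrf_token` on `:create` and `:destroy` in the first hunk may be wider than needed.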
@ -195,7 +196,6 @@ class SessionsController < ApplicationController
|
||||||
|
|
||||||
# "switch" to user
|
# "switch" to user
|
||||||
def switch_to_user
|
def switch_to_user
|
||||||
authentication_check
|
|
||||||
permission_check('admin.session')
|
permission_check('admin.session')
|
||||||
|
|
||||||
# check user
|
# check user
|
||||||
|
@ -278,7 +278,6 @@ class SessionsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def list
|
def list
|
||||||
authentication_check
|
|
||||||
permission_check('admin.session')
|
permission_check('admin.session')
|
||||||
assets = {}
|
assets = {}
|
||||||
sessions_clean = []
|
sessions_clean = []
|
||||||
|
@ -297,7 +296,6 @@ class SessionsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def delete
|
def delete
|
||||||
authentication_check
|
|
||||||
permission_check('admin.session')
|
permission_check('admin.session')
|
||||||
SessionHelper.destroy(params[:id])
|
SessionHelper.destroy(params[:id])
|
||||||
render json: {}
|
render json: {}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class SettingsController < ApplicationController
|
class SettingsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.*') }
|
prepend_before_action { authentication_check(permission: 'admin.*') }
|
||||||
|
|
||||||
# GET /settings
|
# GET /settings
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class SignaturesController < ApplicationController
|
class SignaturesController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class SlasController < ApplicationController
|
class SlasController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.sla') }
|
prepend_before_action { authentication_check(permission: 'admin.sla') }
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TagsController < ApplicationController
|
class TagsController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /api/v1/tag_search?term=abc
|
# GET /api/v1/tag_search?term=abc
|
||||||
def search
|
def search
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TaskbarController < ApplicationController
|
class TaskbarController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
def index
|
def index
|
||||||
current_user_tasks = Taskbar.where(user_id: current_user.id)
|
current_user_tasks = Taskbar.where(user_id: current_user.id)
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TemplatesController < ApplicationController
|
class TemplatesController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TextModulesController < ApplicationController
|
class TextModulesController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TicketArticlesController < ApplicationController
|
class TicketArticlesController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /articles
|
# GET /articles
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
require 'ticket/overviews'
|
require 'ticket/overviews'
|
||||||
|
|
||||||
class TicketOverviewsController < ApplicationController
|
class TicketOverviewsController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /api/v1/ticket_overviews
|
# GET /api/v1/ticket_overviews
|
||||||
def show
|
def show
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TicketPrioritiesController < ApplicationController
|
class TicketPrioritiesController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /ticket_priorities
|
# GET /ticket_priorities
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TicketStatesController < ApplicationController
|
class TicketStatesController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /ticket_states
|
# GET /ticket_states
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TicketsController < ApplicationController
|
class TicketsController < ApplicationController
|
||||||
before_action :authentication_check
|
prepend_before_action :authentication_check
|
||||||
|
|
||||||
# GET /api/v1/tickets
|
# GET /api/v1/tickets
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TimeAccountingsController < ApplicationController
|
class TimeAccountingsController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.time_accounting') }
|
prepend_before_action { authentication_check(permission: 'admin.time_accounting') }
|
||||||
|
|
||||||
def by_ticket
|
def by_ticket
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TranslationsController < ApplicationController
|
class TranslationsController < ApplicationController
|
||||||
before_action :authentication_check, except: [:lang]
|
prepend_before_action :authentication_check, except: [:lang]
|
||||||
|
|
||||||
# GET /translations/lang/:locale
|
# GET /translations/lang/:locale
|
||||||
def lang
|
def lang
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class TriggersController < ApplicationController
|
class TriggersController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.trigger') }
|
prepend_before_action { authentication_check(permission: 'admin.trigger') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
model_index_render(Trigger, params)
|
model_index_render(Trigger, params)
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class UserAccessTokenController < ApplicationController
|
class UserAccessTokenController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'user_preferences.access_token') }
|
prepend_before_action { authentication_check(permission: 'user_preferences.access_token') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
tokens = Token.where(action: 'api', persistent: true, user_id: current_user.id).order('updated_at DESC, label ASC')
|
tokens = Token.where(action: 'api', persistent: true, user_id: current_user.id).order('updated_at DESC, label ASC')
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class UserDevicesController < ApplicationController
|
class UserDevicesController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'user_preferences.device') }
|
prepend_before_action { authentication_check(permission: 'user_preferences.device') }
|
||||||
|
|
||||||
def index
|
def index
|
||||||
devices = UserDevice.where(user_id: current_user.id).order('updated_at DESC, name ASC')
|
devices = UserDevice.where(user_id: current_user.id).order('updated_at DESC, name ASC')
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class UsersController < ApplicationController
|
class UsersController < ApplicationController
|
||||||
before_action :authentication_check, except: [:create, :password_reset_send, :password_reset_verify, :image]
|
prepend_before_action :authentication_check, except: [:create, :password_reset_send, :password_reset_verify, :image]
|
||||||
|
prepend_before_action :authentication_check_only, only: [:create]
|
||||||
|
|
||||||
# @path [GET] /users
|
# @path [GET] /users
|
||||||
#
|
#
|
||||||
|
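Review bot: The reason for `prepend_before_action :authentication_check_only, only: [:create]` is no longer documented: the comment `# in case of authentication, set current_user to access later` that explained the in-body call is dropped in the `@@ -105,10 +106,6` hunk and not carried over. Suggest putting it on the filter line, e.g. `# :create is open to anonymous signup, but an authenticated caller still gets current_user set`, assuming `authentication_check_only` is the non-raising variant (its definition is not in this diff). The two filter lists on consecutive lines must stay consistent: `:create` is in the `except:` of the first and the `only:` of the second.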
@ -105,10 +106,6 @@ class UsersController < ApplicationController
|
||||||
# @response_message 200 [User] Created User record.
|
# @response_message 200 [User] Created User record.
|
||||||
# @response_message 401 Invalid session.
|
# @response_message 401 Invalid session.
|
||||||
def create
|
def create
|
||||||
|
|
||||||
# in case of authentication, set current_user to access later
|
|
||||||
authentication_check_only({})
|
|
||||||
|
|
||||||
clean_params = User.association_name_to_id_convert(params)
|
clean_params = User.association_name_to_id_convert(params)
|
||||||
clean_params = User.param_cleanup(clean_params, true)
|
clean_params = User.param_cleanup(clean_params, true)
|
||||||
user = User.new(clean_params)
|
user = User.new(clean_params)
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Copyright (C) 2012-2017 Zammad Foundation, http://zammad-foundation.org/
|
# Copyright (C) 2012-2017 Zammad Foundation, http://zammad-foundation.org/
|
||||||
|
|
||||||
class VersionController < ApplicationController
|
class VersionController < ApplicationController
|
||||||
before_action { authentication_check(permission: 'admin.version') }
|
prepend_before_action { authentication_check(permission: 'admin.version') }
|
||||||
|
|
||||||
# GET /api/v1/version
|
# GET /api/v1/version
|
||||||
def index
|
def index
|
||||||
|
|
|
@ -93,7 +93,7 @@ get all roles with permission "admin.session" or "ticket.agent"
|
||||||
|
|
||||||
returns
|
returns
|
||||||
|
|
||||||
[user1, user2, ...]
|
[role1, role2, ...]
|
||||||
|
|
||||||
=end
|
=end
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
class ReloadOnlineBrowserAfterCorsCsrfChanges < ActiveRecord::Migration
|
||||||
|
def up
|
||||||
|
|
||||||
|
# return if it's a new setup
|
||||||
|
return if !Setting.find_by(name: 'system_init_done')
|
||||||
|
AppVersion.set(true, 'app_version')
|
||||||
|
end
|
||||||
|
end
|
|
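Review bot: `return if !Setting.find_by(name: 'system_init_done')` reads better as `return unless Setting.exists?(name: 'system_init_done')`, which also avoids loading the record just to test presence. The migration defines only `up`, so rolling it back has no `down` to run; that is acceptable for a one-shot `AppVersion.set` signal but worth stating with an empty `def down; end` and a comment such as `# nothing to undo: this only asks connected browsers to reload`.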
@ -77,9 +77,11 @@ class AuthTest < TestCase
|
||||||
logout()
|
logout()
|
||||||
|
|
||||||
# verify session cookie
|
# verify session cookie
|
||||||
|
sleep 2
|
||||||
cookie(
|
cookie(
|
||||||
name: '^_zammad.+?',
|
name: '^_zammad.+?',
|
||||||
should_not_exist: true,
|
value: '.+?',
|
||||||
|
expires: '',
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
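Review bot: `sleep 2` before the cookie check is a fixed delay rather than a wait on a condition, which makes the browser test both slower and timing-dependent; if it is there to let the logout response land, waiting for a visible post-logout element is the usual fix. The assertion now expects the `_zammad` cookie to still exist after `logout()` with `expires: ''`, i.e. a session cookie that is kept rather than removed; that is a deliberate change of contract and deserves a comment such as `# after logout the session cookie remains; its server-side content is presumably cleared` so it is not read as a regression.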
@ -57,6 +57,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_password_access', false)
|
Setting.set('api_password_access', false)
|
||||||
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('API password access disabled!', result['error'])
|
assert_equal('API password access disabled!', result['error'])
|
||||||
|
@ -64,6 +65,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_password_access', true)
|
Setting.set('api_password_access', true)
|
||||||
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(200)
|
assert_response(200)
|
||||||
|
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
@ -76,6 +78,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_password_access', false)
|
Setting.set('api_password_access', false)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('API password access disabled!', result['error'])
|
assert_equal('API password access disabled!', result['error'])
|
||||||
|
@ -83,6 +86,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_password_access', true)
|
Setting.set('api_password_access', true)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
||||||
assert_response(200)
|
assert_response(200)
|
||||||
|
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
@ -95,6 +99,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_password_access', false)
|
Setting.set('api_password_access', false)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('API password access disabled!', result['error'])
|
assert_equal('API password access disabled!', result['error'])
|
||||||
|
@ -102,6 +107,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_password_access', true)
|
Setting.set('api_password_access', true)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
||||||
assert_response(200)
|
assert_response(200)
|
||||||
|
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
@ -122,6 +128,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_token_access', false)
|
Setting.set('api_token_access', false)
|
||||||
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('API token access disabled!', result['error'])
|
assert_equal('API token access disabled!', result['error'])
|
||||||
|
@ -129,6 +136,8 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_token_access', true)
|
Setting.set('api_token_access', true)
|
||||||
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(200)
|
assert_response(200)
|
||||||
|
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
|
||||||
|
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
@ -207,6 +216,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_token_access', false)
|
Setting.set('api_token_access', false)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('API token access disabled!', result['error'])
|
assert_equal('API token access disabled!', result['error'])
|
||||||
|
@ -214,6 +224,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_token_access', true)
|
Setting.set('api_token_access', true)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => agent_credentials)
|
||||||
assert_response(200)
|
assert_response(200)
|
||||||
|
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
@ -231,12 +242,14 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_token_access', false)
|
Setting.set('api_token_access', false)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('API token access disabled!', result['error'])
|
assert_equal('API token access disabled!', result['error'])
|
||||||
|
|
||||||
Setting.set('api_token_access', true)
|
Setting.set('api_token_access', true)
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => customer_credentials)
|
||||||
|
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
|
||||||
assert_response(200)
|
assert_response(200)
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
|
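Review bot: In this hunk the new `assert_equal('*', @response.header['Access-Control-Allow-Origin'])` is placed before `assert_response(200)`, whereas every other hunk in this file asserts the status first; moving it below `assert_response(200)` keeps the failure message pointing at the status when the request itself fails. The new `test 'session auth - admin'` at the end of the file sends `get '/api/v1/sessions', {}` without the `@headers` the other requests use; if that is intentional (a browser-style request to exercise the session path) a short comment would help. That test is also the only place asserting the header is absent for session auth; a request before the signin, expecting 401 and no CORS header, would make the negative case explicit.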
@ -258,6 +271,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_token_access', false)
|
Setting.set('api_token_access', false)
|
||||||
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('API token access disabled!', result['error'])
|
assert_equal('API token access disabled!', result['error'])
|
||||||
|
@ -265,6 +279,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
Setting.set('api_token_access', true)
|
Setting.set('api_token_access', true)
|
||||||
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/sessions', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('User is inactive!', result['error'])
|
assert_equal('User is inactive!', result['error'])
|
||||||
|
@ -284,6 +299,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
|
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(401)
|
assert_response(401)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Hash, result.class)
|
assert_equal(Hash, result.class)
|
||||||
assert_equal('Not authorized (token expired)!', result['error'])
|
assert_equal('Not authorized (token expired)!', result['error'])
|
||||||
|
@ -306,6 +322,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
|
|
||||||
get '/api/v1/tickets', {}, @headers.merge('Authorization' => admin_credentials)
|
get '/api/v1/tickets', {}, @headers.merge('Authorization' => admin_credentials)
|
||||||
assert_response(200)
|
assert_response(200)
|
||||||
|
assert_equal('*', @response.header['Access-Control-Allow-Origin'])
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert_equal(Array, result.class)
|
assert_equal(Array, result.class)
|
||||||
assert(result)
|
assert(result)
|
||||||
|
@ -314,4 +331,18 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
|
||||||
assert_in_delta(admin_token.last_used_at, Time.zone.now, 1.second)
|
assert_in_delta(admin_token.last_used_at, Time.zone.now, 1.second)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test 'session auth - admin' do
|
||||||
|
|
||||||
|
post '/api/v1/signin', { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
|
assert_response(201)
|
||||||
|
|
||||||
|
get '/api/v1/sessions', {}
|
||||||
|
assert_response(200)
|
||||||
|
assert_not(@response.header.key?('Access-Control-Allow-Origin'))
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert_equal(Hash, result.class)
|
||||||
|
assert(result)
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -75,20 +75,34 @@ class UserOrganizationControllerTest < ActionDispatch::IntegrationTest
|
||||||
|
|
||||||
test 'user create tests - no user' do
|
test 'user create tests - no user' do
|
||||||
|
|
||||||
|
post '/api/v1/signshow', {}, @headers
|
||||||
|
|
||||||
# create user with disabled feature
|
# create user with disabled feature
|
||||||
Setting.set('user_create_account', false)
|
Setting.set('user_create_account', false)
|
||||||
params = { email: 'some_new_customer@example.com' }
|
token = @response.headers['CSRF-TOKEN']
|
||||||
|
|
||||||
|
# token based on form
|
||||||
|
params = { email: 'some_new_customer@example.com', authenticity_token: token }
|
||||||
post '/api/v1/users', params.to_json, @headers
|
post '/api/v1/users', params.to_json, @headers
|
||||||
assert_response(422)
|
assert_response(422)
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert(result['error'])
|
assert(result['error'])
|
||||||
assert_equal('Feature not enabled!', result['error'])
|
assert_equal('Feature not enabled!', result['error'])
|
||||||
|
|
||||||
|
# token based on headers
|
||||||
|
headers = @headers.merge('X-CSRF-Token' => token)
|
||||||
|
params = { email: 'some_new_customer@example.com' }
|
||||||
|
post '/api/v1/users', params.to_json, headers
|
||||||
|
assert_response(422)
|
||||||
|
result = JSON.parse(@response.body)
|
||||||
|
assert(result['error'])
|
||||||
|
assert_equal('Feature not enabled!', result['error'])
|
||||||
|
|
||||||
Setting.set('user_create_account', true)
|
Setting.set('user_create_account', true)
|
||||||
|
|
||||||
# no signup param with enabled feature
|
# no signup param with enabled feature
|
||||||
params = { email: 'some_new_customer@example.com' }
|
params = { email: 'some_new_customer@example.com' }
|
||||||
post '/api/v1/users', params.to_json, @headers
|
post '/api/v1/users', params.to_json, headers
|
||||||
assert_response(422)
|
assert_response(422)
|
||||||
result = JSON.parse(@response.body)
|
result = JSON.parse(@response.body)
|
||||||
assert(result['error'])
|
assert(result['error'])
|
||||||
|
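Review bot: Both new cases in this hunk send a valid token (`authenticity_token` param, then the `X-CSRF-Token` header) and only check the `Feature not enabled!` path, so nothing here fails if CSRF verification is accidentally skipped for `/api/v1/users`; add a third POST with the token-less `@headers` and assert the rejection status the verifier returns. The later hunks in this file switch every `post '/api/v1/users'` from `@headers` to `headers`, so the token-less request would otherwise never be exercised. `token = @response.headers['CSRF-TOKEN']` assumes the signshow response always carries that header; an `assert(token)` right after it makes a missing header fail at the source instead of as a confusing 4xx later.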
@ -96,7 +110,7 @@ class UserOrganizationControllerTest < ActionDispatch::IntegrationTest
# already existing user with enabled feature
# already existing user with enabled feature
params = { email: 'rest-customer1@example.com', signup: true }
params = { email: 'rest-customer1@example.com', signup: true }
post '/api/v1/users', params.to_json, @headers
post '/api/v1/users', params.to_json, headers
assert_response(422)
assert_response(422)
result = JSON.parse(@response.body)
result = JSON.parse(@response.body)
assert(result['error'])
assert(result['error'])
@ -104,7 +118,7 @@ class UserOrganizationControllerTest < ActionDispatch::IntegrationTest
# create user with enabled feature (take customer role)
# create user with enabled feature (take customer role)
params = { firstname: 'Me First', lastname: 'Me Last', email: 'new_here@example.com', signup: true }
params = { firstname: 'Me First', lastname: 'Me Last', email: 'new_here@example.com', signup: true }
post '/api/v1/users', params.to_json, @headers
post '/api/v1/users', params.to_json, headers
assert_response(201)
assert_response(201)
result = JSON.parse(@response.body)
result = JSON.parse(@response.body)
assert(result)
assert(result)
@ -121,7 +135,7 @@ class UserOrganizationControllerTest < ActionDispatch::IntegrationTest
# create user with admin role (not allowed for signup, take customer role)
# create user with admin role (not allowed for signup, take customer role)
role = Role.lookup(name: 'Admin')
role = Role.lookup(name: 'Admin')
params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin@example.com', role_ids: [ role.id ], signup: true }
params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin@example.com', role_ids: [ role.id ], signup: true }
post '/api/v1/users', params.to_json, @headers
post '/api/v1/users', params.to_json, headers
assert_response(201)
assert_response(201)
result = JSON.parse(@response.body)
result = JSON.parse(@response.body)
assert(result)
assert(result)
@ -133,7 +147,7 @@ class UserOrganizationControllerTest < ActionDispatch::IntegrationTest
# create user with agent role (not allowed for signup, take customer role)
# create user with agent role (not allowed for signup, take customer role)
role = Role.lookup(name: 'Agent')
role = Role.lookup(name: 'Agent')
params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', role_ids: [ role.id ], signup: true }
params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', role_ids: [ role.id ], signup: true }
post '/api/v1/users', params.to_json, @headers
post '/api/v1/users', params.to_json, headers
assert_response(201)
assert_response(201)
result = JSON.parse(@response.body)
result = JSON.parse(@response.body)
assert(result)
assert(result)
@ -143,13 +157,13 @@ class UserOrganizationControllerTest < ActionDispatch::IntegrationTest
assert(user.role?('Customer'))
assert(user.role?('Customer'))
# no user (because of no session)
# no user (because of no session)
get '/api/v1/users', {}, @headers
get '/api/v1/users', {}, headers
assert_response(401)
assert_response(401)
result = JSON.parse(@response.body)
result = JSON.parse(@response.body)
assert_equal('authentication failed', result['error'])
assert_equal('authentication failed', result['error'])
# me
# me
get '/api/v1/users/me', {}, @headers
get '/api/v1/users/me', {}, headers
assert_response(401)
assert_response(401)
result = JSON.parse(@response.body)
result = JSON.parse(@response.body)
assert_equal('authentication failed', result['error'])
assert_equal('authentication failed', result['error'])