diff --git a/.gitignore b/.gitignore
index 0e99e2666..0566fc79f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -84,3 +84,6 @@
 # RDoc / YARD
 /doc
+
+# Backup files
+*~
diff --git a/app/controllers/application_controller/authenticates.rb b/app/controllers/application_controller/authenticates.rb
index 1d1936613..6df649d19 100644
--- a/app/controllers/application_controller/authenticates.rb
+++ b/app/controllers/application_controller/authenticates.rb
@@ -3,10 +3,6 @@ module ApplicationController::Authenticates
   private
-  def response_access_deny
-    raise Exceptions::NotAuthorized
-  end
-
   def permission_check(key)
     if @_token_auth
       user = Token.check(
@@ -121,9 +117,7 @@ module ApplicationController::Authenticates
       logger.debug { "oauth2 token auth check '#{token}'" }
       access_token = Doorkeeper::AccessToken.by_token(token)
-      if !access_token
-        raise Exceptions::NotAuthorized, 'Invalid token!'
-      end
+      raise Exceptions::NotAuthorized, 'Invalid token!' if !access_token
       # check expire
       if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
@@ -146,9 +140,7 @@ module ApplicationController::Authenticates
         raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
       end
-      if user.active == false
-        raise Exceptions::NotAuthorized, 'User is inactive!'
-      end
+      raise Exceptions::NotAuthorized, 'User is inactive!' if !user.active
       # check scopes / permission check
       if auth_param[:permission] && !user.permissions?(auth_param[:permission])
diff --git a/app/controllers/concerns/checks_user_attributes_by_current_user_permission.rb b/app/controllers/concerns/checks_user_attributes_by_current_user_permission.rb
index 5d6308f4d..ab8b5e3da 100644
--- a/app/controllers/concerns/checks_user_attributes_by_current_user_permission.rb
+++ b/app/controllers/concerns/checks_user_attributes_by_current_user_permission.rb
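Review bot: Deleting the private `response_access_deny` helper is only safe if every call site is rewritten in this same commit; any caller outside the files in this diff would now fail with `NoMethodError` (an unhandled 500) instead of the intended `Exceptions::NotAuthorized` rejection. I can only see the callers changed here, so a repository-wide search for `response_access_deny` before merge is worth confirming, or keep a one-line delegating shim such as `def response_access_deny = raise(Exceptions::NotAuthorized)` for one release. `permission_check`'s body continues outside the hunk.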
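Review bot: `raise Exceptions::NotAuthorized, 'User is inactive!' if !user.active` is not equivalent to the removed `user.active == false`: a `nil` `active` attribute previously passed this check and now raises. That is the fail-closed direction and probably intended, but if the column is nullable it changes which accounts can authenticate with an OAuth2 token, so a short comment such as `# nil is treated as inactive (fail closed)` would make the change read as deliberate. The enclosing method starts and ends outside the hunk.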
@@ -8,7 +8,7 @@ module ChecksUserAttributesByCurrentUserPermission
     return true if current_user.permissions?('admin.user')
     # non-agents (customers) can't set anything
-    response_access_deny if !current_user.permissions?('ticket.agent')
+    raise Exceptions::NotAuthorized if !current_user.permissions?('ticket.agent')
     # regular agents are not allowed to set Groups and Roles
     %w[Role Group].each do |model|
diff --git a/app/controllers/form_controller.rb b/app/controllers/form_controller.rb
index 41d7b58b3..2ebce3036 100644
--- a/app/controllers/form_controller.rb
+++ b/app/controllers/form_controller.rb
@@ -159,44 +159,37 @@ class FormController < ApplicationController
   def token_valid?(token, fingerprint)
     if token.blank?
       Rails.logger.info 'No token for form!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     begin
       crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32])
       result = crypt.decrypt_and_verify(Base64.decode64(token))
     rescue
       Rails.logger.info 'Invalid token for form!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     if result.blank?
       Rails.logger.info 'Invalid token for form!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     parts = result.split(/:/)
     if parts.count != 3
       Rails.logger.info "Invalid token for form (need to have 3 parts, only #{parts.count} found)!"
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     fqdn_local = Base64.decode64(parts[0])
     if fqdn_local != Setting.get('fqdn')
       Rails.logger.info "Invalid token for form (invalid fqdn found #{fqdn_local} != #{Setting.get('fqdn')})!"
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     fingerprint_local = Base64.decode64(parts[2])
     if fingerprint_local != fingerprint
       Rails.logger.info "Invalid token for form (invalid fingerprint found #{fingerprint_local} != #{fingerprint})!"
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     if parts[1].to_i < (Time.zone.now.to_i - 60 * 60 * 24)
       Rails.logger.info 'Invalid token for form (token expired})!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     true
   end
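Review bot: After this hunk `token_valid?` can never return `false` — every failure branch now raises `Exceptions::NotAuthorized` and the only normal exit is the trailing `true` — so the `?` predicate name and any boolean handling at its callers (outside the hunk) describe a contract that no longer exists. Either rename it to something like `verify_token!` with a YARD `@raise [Exceptions::NotAuthorized]` tag, or at least add `# @raise [Exceptions::NotAuthorized] when the token is missing, undecryptable, malformed, for another fqdn/fingerprint, or older than 24h` above the signature; the same applies to the rate-limit, `fingerprint?` and `enabled?` hunks in this file and to `OnlineNotificationsController#access?`. Separately, the unchanged message `'Invalid token for form (token expired})!'` carries a stray `}` that could be dropped while the method is being touched.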
@@ -206,24 +199,15 @@ class FormController < ApplicationController
     form_limit_by_ip_per_hour = Setting.get('form_ticket_create_by_ip_per_hour') || 20
     result = SearchIndexBackend.search("preferences.form.remote_ip:'#{request.remote_ip}' AND created_at:>now-1h", 'Ticket', limit: form_limit_by_ip_per_hour)
-    if result.count >= form_limit_by_ip_per_hour.to_i
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if result.count >= form_limit_by_ip_per_hour.to_i
     form_limit_by_ip_per_day = Setting.get('form_ticket_create_by_ip_per_day') || 240
     result = SearchIndexBackend.search("preferences.form.remote_ip:'#{request.remote_ip}' AND created_at:>now-1d", 'Ticket', limit: form_limit_by_ip_per_day)
-    if result.count >= form_limit_by_ip_per_day.to_i
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if result.count >= form_limit_by_ip_per_day.to_i
     form_limit_per_day = Setting.get('form_ticket_create_per_day') || 5000
     result = SearchIndexBackend.search('preferences.form.remote_ip:* AND created_at:>now-1d', 'Ticket', limit: form_limit_per_day)
-    if result.count >= form_limit_per_day.to_i
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if result.count >= form_limit_per_day.to_i
     false
   end
@@ -232,16 +216,14 @@ class FormController < ApplicationController
     return true if params[:fingerprint].present? && params[:fingerprint].length > 30
     Rails.logger.info 'No fingerprint given!'
-    response_access_deny
-    false
+    raise Exceptions::NotAuthorized
   end
   def enabled?
     return true if params[:test] && current_user && current_user.permissions?('admin.channel_formular')
     return true if Setting.get('form_ticket_create')
-    response_access_deny
-    false
+    raise Exceptions::NotAuthorized
   end
 end
diff --git a/app/controllers/online_notifications_controller.rb b/app/controllers/online_notifications_controller.rb
index 17bdcbdb2..05412e7e1 100644
--- a/app/controllers/online_notifications_controller.rb
+++ b/app/controllers/online_notifications_controller.rb
@@ -185,11 +185,9 @@ curl http://localhost/api/v1/online_notifications/mark_all_as_read -v -u #{login
   def access?
     notification = OnlineNotification.find(params[:id])
-    if notification.user_id != current_user.id
-      response_access_deny
-      return false
-    end
-    true
+    return true if notification.user_id == current_user.id
+
+    raise Exceptions::NotAuthorized
   end
 end
diff --git a/app/controllers/organizations_controller.rb b/app/controllers/organizations_controller.rb
index 930a97b8e..8aefac109 100644
--- a/app/controllers/organizations_controller.rb
+++ b/app/controllers/organizations_controller.rb
@@ -224,10 +224,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
   # GET /api/v1/organizations/search
   def search
-
-    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
-      raise Exceptions::NotAuthorized
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.organization', 'ticket.agent'])
     per_page = params[:per_page] || params[:limit] || 100
     per_page = per_page.to_i
@@ -304,11 +301,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
   # GET /api/v1/organizations/history/1
   def history
-
-    # permission check
-    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
-      raise Exceptions::NotAuthorized
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.organization', 'ticket.agent'])
     # get organization data
     organization = Organization.find(params[:id])
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 1a2aba132..1abddf88f 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -9,10 +9,7 @@ class SearchController < ApplicationController
   def search_generic
     # enable search only for users with valid session
-    if !current_user
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if !current_user
     # get params
     query = params[:query]
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index ee2944184..5ae438bbf 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -242,10 +242,7 @@ class SessionsController < ApplicationController
   def switch_back_to_user
     # check if it's a swich back
-    if !session[:switched_from_user_id]
-      response_access_deny
-      return false
-    end
+    raise Exceptions::NotAuthorized if !session[:switched_from_user_id]
     user = User.lookup(id: session[:switched_from_user_id])
     if !user
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index fbb0cded5..91671df4b 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -367,11 +367,7 @@ class UsersController < ApplicationController
   # @response_message 200 [Array] A list of User records matching the search term.
   # @response_message 401 Invalid session.
   def search
-
-    if !current_user.permissions?(['ticket.agent', 'admin.user'])
-      response_access_deny
-      return
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['ticket.agent', 'admin.user'])
     per_page = params[:per_page] || params[:limit] || 100
     per_page = per_page.to_i
@@ -491,12 +487,7 @@ class UsersController < ApplicationController
   # @response_message 200 [History] The History records of the requested User record.
   # @response_message 401 Invalid session.
   def history
-
-    # permission check
-    if !current_user.permissions?(['admin.user', 'ticket.agent'])
-      response_access_deny
-      return
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.user', 'ticket.agent'])
     # get user data
     user = User.find(params[:id])
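Review bot: The `@response_message` block above `UsersController#search` still lists only `401 Invalid session`, but the new first line raises `Exceptions::NotAuthorized` for an authenticated user who lacks `ticket.agent`/`admin.user`, so the API doc no longer covers every outcome the method produces. Add a line such as `# @response_message 401 Missing permission (ticket.agent or admin.user).` (the exact status this exception maps to is defined outside this diff — confirm). The same doc gap exists for `history` below, whose hunk runs past the end of this excerpt.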