From f9298d1174b527afad40e6d3ec6a71a6d91e442d Mon Sep 17 00:00:00 2001
From: Martin Edenhofer
Date: Thu, 18 Feb 2016 15:27:05 +0100
Subject: [PATCH] Fixed permission check.

---
 app/controllers/users_controller.rb | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 77223239c..4f1f5279b 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -786,17 +786,31 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
     return true if role?(Z_ROLENAME_ADMIN)
     if !role?('Admin') && params[:role_ids]
+      if params[:role_ids].class != Array
+        params[:role_ids] = [params[:role_ids]]
+      end
       params[:role_ids].each {|role_id|
-        role_name = Role.find(role_id).name
+        role_local = Role.lookup(id: role_id)
+        if !role_local
+          render json: { error_human: 'Invalid role_ids!' }, status: :unauthorized
+          logger.info "Invalid role_ids for current_user_id: #{current_user.id} role_ids #{role_id}"
+          return false
+        end
+        role_name = role_local.name
         next if role_name != 'Admin' && role_name != 'Agent'
         render json: { error_human: 'This role assignment is only allowed by admin!' }, status: :unauthorized
+        logger.info "This role assignment is only allowed by admin! current_user_id: #{current_user.id} assigned to #{role_name}"
         return false
       }
     end
-    if role?('Agent')
-      if params[:group_ids] && !params[:group_ids].empty?
+    if role?('Agent') && params[:group_ids]
+      if params[:group_ids].class != Array
+        params[:group_ids] = [params[:group_ids]]
+      end
+      if !params[:group_ids].empty?
         render json: { error_human: 'Group relation is only allowed by admin!' }, status: :unauthorized
+        logger.info "Group relation is only allowed by admin! current_user_id: #{current_user.id} group_ids #{params[:group_ids].inspect}"
         return false
       end
     end