Fixed permission check.

2016-02-18 15:27:05 +01:00 · 2016-02-18 15:27:05 +01:00 · f9298d1174
commit f9298d1174
parent 19a15dd804
1 changed files with 17 additions and 3 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -786,17 +786,31 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
    return true if role?(Z_ROLENAME_ADMIN)

    if !role?('Admin') && params[:role_ids]
+      if params[:role_ids].class != Array
+        params[:role_ids] = [params[:role_ids]]
+      end
      params[:role_ids].each {|role_id|
-        role_name = Role.find(role_id).name
+        role_local = Role.lookup(id: role_id)
+        if !role_local
+          render json: { error_human: 'Invalid role_ids!' }, status: :unauthorized
+          logger.info "Invalid role_ids for current_user_id: #{current_user.id} role_ids #{role_id}"
+          return false
+        end
+        role_name = role_local.name
        next if role_name != 'Admin' && role_name != 'Agent'
        render json: { error_human: 'This role assignment is only allowed by admin!' }, status: :unauthorized
+        logger.info "This role assignment is only allowed by admin! current_user_id: #{current_user.id} assigned to #{role_name}"
        return false
      }
    end

-    if role?('Agent')
-      if params[:group_ids] && !params[:group_ids].empty?
+    if role?('Agent') && params[:group_ids]
+      if params[:group_ids].class != Array
+        params[:group_ids] = [params[:group_ids]]
+      end
+      if !params[:group_ids].empty?
        render json: { error_human: 'Group relation is only allowed by admin!' }, status: :unauthorized
+        logger.info "Group relation is only allowed by admin! current_user_id: #{current_user.id} group_ids #{params[:group_ids].inspect}"
        return false
      end
    end