# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/ class Role < ApplicationModel include LogsActivityStream include NotifiesClients include LatestChangeObserved has_and_belongs_to_many :users, after_add: :cache_update, after_remove: :cache_update has_and_belongs_to_many :permissions, after_add: :cache_update, after_remove: :cache_update, before_add: :validate_agent_limit validates :name, presence: true store :preferences before_create :validate_permissions before_update :validate_permissions association_attributes_ignored :user_ids activity_stream_permission 'admin.role' =begin grant permission to role role.permission_grant('permission.key') =end def permission_grant(key) permission = Permission.lookup(name: key) raise "Invalid permission #{key}" if !permission return true if permission_ids.include?(permission.id) self.permission_ids = permission_ids.push permission.id true end =begin revoke permission of role role.permission_revoke('permission.key') =end def permission_revoke(key) permission = Permission.lookup(name: key) raise "Invalid permission #{key}" if !permission return true if !permission_ids.include?(permission.id) self.permission_ids = self.permission_ids -= [permission.id] true end =begin get signup roles Role.signup_roles returns [role1, role2, ...] =end def self.signup_roles Role.where(active: true, default_at_signup: true) end =begin get signup role ids Role.signup_role_ids returns [role1, role2, ...] =end def self.signup_role_ids Role.where(active: true, default_at_signup: true).map(&:id) end =begin get all roles with permission roles = Role.with_permissions('admin.session') get all roles with permission "admin.session" or "ticket.agent" roles = Role.with_permissions(['admin.session', 'ticket.agent']) returns [role1, role2, ...] =end def self.with_permissions(keys) if keys.class != Array keys = [keys] end roles = [] permission_ids = [] keys.each { |key| Object.const_get('Permission').with_parents(key).each { |local_key| permission = Object.const_get('Permission').lookup(name: local_key) next if !permission permission_ids.push permission.id } next if permission_ids.empty? Role.joins(:roles_permissions).joins(:permissions).where('permissions_roles.permission_id IN (?) AND roles.active = ? AND permissions.active = ?', permission_ids, true, true).uniq().each { |role| roles.push role } } return [] if roles.empty? roles end private def validate_permissions return if !self.permission_ids permission_ids.each { |permission_id| permission = Permission.lookup(id: permission_id) raise "Unable to find permission for id #{permission_id}" if !permission raise "Permission #{permission.name} is disabled" if permission.preferences[:disabled] == true next unless permission.preferences[:not] permission.preferences[:not].each { |local_permission_name| local_permission = Permission.lookup(name: local_permission_name) next if !local_permission raise "Permission #{permission.name} conflicts with #{local_permission.name}" if permission_ids.include?(local_permission.id) } } end def validate_agent_limit(permission) return if !Setting.get('system_agent_limit') return if permission.name != 'ticket.agent' ticket_agent_role_ids = Role.joins(:permissions).where(permissions: { name: 'ticket.agent' }).pluck(:id) ticket_agent_role_ids.push(id) count = User.joins(:roles).where(roles: { id: ticket_agent_role_ids }, users: { active: true }).count raise Exceptions::UnprocessableEntity, 'Agent limit exceeded, please check your account settings.' if count > Setting.get('system_agent_limit') end end