43 lines
1 KiB
Ruby
43 lines
1 KiB
Ruby
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
|
|
|
|
class UserPolicy < ApplicationPolicy
|
|
|
|
def show?
|
|
return true if user.permissions?('admin.*')
|
|
return true if own_account?
|
|
return true if user.permissions?('ticket.agent')
|
|
# check same organization for customers
|
|
return false if !user.permissions?('ticket.customer')
|
|
|
|
same_organization?
|
|
end
|
|
|
|
def update?
|
|
# full access for admins
|
|
return true if user.permissions?('admin.user')
|
|
# forbid non-agents to change users
|
|
return false if !user.permissions?('ticket.agent')
|
|
|
|
# allow agents to change customers only
|
|
return false if record.permissions?(['admin.user', 'ticket.agent'])
|
|
|
|
record.permissions?('ticket.customer')
|
|
end
|
|
|
|
def destroy?
|
|
user.permissions?('admin.user')
|
|
end
|
|
|
|
private
|
|
|
|
def own_account?
|
|
record.id == user.id
|
|
end
|
|
|
|
def same_organization?
|
|
return false if record.organization_id.blank?
|
|
return false if user.organization_id.blank?
|
|
|
|
record.organization_id == user.organization_id
|
|
end
|
|
end
|