
Refactoring: Removed use of unnecessary exception wrapper method `response_access_deny`.

Jens Pfeifer 6 years ago
parent
commit
e48256c130

+ 3 - 0
.gitignore

@@ -84,3 +84,6 @@
 
 # RDoc / YARD
 /doc
+
+# Backup files
+*~

+ 2 - 10
app/controllers/application_controller/authenticates.rb

@@ -3,10 +3,6 @@ module ApplicationController::Authenticates
 
   private
 
-  def response_access_deny
-    raise Exceptions::NotAuthorized
-  end
-
   def permission_check(key)
     if @_token_auth
       user = Token.check(
@@ -121,9 +117,7 @@ module ApplicationController::Authenticates
       logger.debug { "oauth2 token auth check '#{token}'" }
       access_token = Doorkeeper::AccessToken.by_token(token)
 
-      if !access_token
-        raise Exceptions::NotAuthorized, 'Invalid token!'
-      end
+      raise Exceptions::NotAuthorized, 'Invalid token!' if !access_token
 
       # check expire
       if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
@@ -146,9 +140,7 @@ module ApplicationController::Authenticates
       raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
     end
 
-    if user.active == false
-      raise Exceptions::NotAuthorized, 'User is inactive!'
-    end
+    raise Exceptions::NotAuthorized, 'User is inactive!' if !user.active
 
     # check scopes / permission check
     if auth_param[:permission] && !user.permissions?(auth_param[:permission])
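Review bot: The rewrite of the inactive-user guard changes semantics, not just shape: `if user.active == false` denied only when `active` was literally `false`, while the new `raise Exceptions::NotAuthorized, 'User is inactive!' if !user.active` also denies a `nil` value. Failing closed on an unset flag is the safer behaviour, but the commit message calls this a refactoring, so either restore `== false` or record the tightening, e.g. with `# nil is treated as inactive` above the raise. Separately, the `raise … if !cond` form used here and in this commit's changes to checks_user_attributes_by_current_user_permission.rb, organizations_controller.rb, search_controller.rb, sessions_controller.rb and users_controller.rb reads more naturally as `raise Exceptions::NotAuthorized, 'Invalid token!' unless access_token`. permission_check and the method bodies around the other two hunks continue outside what is shown.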

+ 1 - 1
app/controllers/concerns/checks_user_attributes_by_current_user_permission.rb

@@ -8,7 +8,7 @@ module ChecksUserAttributesByCurrentUserPermission
     return true if current_user.permissions?('admin.user')
 
     # non-agents (customers) can't set anything
-    response_access_deny if !current_user.permissions?('ticket.agent')
+    raise Exceptions::NotAuthorized if !current_user.permissions?('ticket.agent')
 
     # regular agents are not allowed to set Groups and Roles
     %w[Role Group].each do |model|

+ 12 - 30
app/controllers/form_controller.rb

@@ -159,44 +159,37 @@ class FormController < ApplicationController
   def token_valid?(token, fingerprint)
     if token.blank?
       Rails.logger.info 'No token for form!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     begin
       crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32])
       result = crypt.decrypt_and_verify(Base64.decode64(token))
     rescue
       Rails.logger.info 'Invalid token for form!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     if result.blank?
       Rails.logger.info 'Invalid token for form!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     parts = result.split(/:/)
     if parts.count != 3
       Rails.logger.info "Invalid token for form (need to have 3 parts, only #{parts.count} found)!"
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     fqdn_local = Base64.decode64(parts[0])
     if fqdn_local != Setting.get('fqdn')
       Rails.logger.info "Invalid token for form (invalid fqdn found #{fqdn_local} != #{Setting.get('fqdn')})!"
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     fingerprint_local = Base64.decode64(parts[2])
     if fingerprint_local != fingerprint
       Rails.logger.info "Invalid token for form (invalid fingerprint found #{fingerprint_local} != #{fingerprint})!"
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     if parts[1].to_i < (Time.zone.now.to_i - 60 * 60 * 24)
       Rails.logger.info 'Invalid token for form (token expired})!'
-      response_access_deny
-      return false
+      raise Exceptions::NotAuthorized
     end
     true
   end
@@ -206,24 +199,15 @@ class FormController < ApplicationController
 
     form_limit_by_ip_per_hour = Setting.get('form_ticket_create_by_ip_per_hour') || 20
     result = SearchIndexBackend.search("preferences.form.remote_ip:'#{request.remote_ip}' AND created_at:>now-1h", 'Ticket', limit: form_limit_by_ip_per_hour)
-    if result.count >= form_limit_by_ip_per_hour.to_i
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if result.count >= form_limit_by_ip_per_hour.to_i
 
     form_limit_by_ip_per_day = Setting.get('form_ticket_create_by_ip_per_day') || 240
     result = SearchIndexBackend.search("preferences.form.remote_ip:'#{request.remote_ip}' AND created_at:>now-1d", 'Ticket', limit: form_limit_by_ip_per_day)
-    if result.count >= form_limit_by_ip_per_day.to_i
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if result.count >= form_limit_by_ip_per_day.to_i
 
     form_limit_per_day = Setting.get('form_ticket_create_per_day') || 5000
     result = SearchIndexBackend.search('preferences.form.remote_ip:* AND created_at:>now-1d', 'Ticket', limit: form_limit_per_day)
-    if result.count >= form_limit_per_day.to_i
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if result.count >= form_limit_per_day.to_i
 
     false
   end
@@ -232,16 +216,14 @@ class FormController < ApplicationController
     return true if params[:fingerprint].present? && params[:fingerprint].length > 30
 
     Rails.logger.info 'No fingerprint given!'
-    response_access_deny
-    false
+    raise Exceptions::NotAuthorized
   end
 
   def enabled?
     return true if params[:test] && current_user && current_user.permissions?('admin.channel_formular')
     return true if Setting.get('form_ticket_create')
 
-    response_access_deny
-    false
+    raise Exceptions::NotAuthorized
   end
 
 end
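Review bot: The three rate-limit guards in the second hunk now raise `Exceptions::NotAuthorized` without any log line, whereas every denial path in `token_valid?` above logs a reason first, so an operator investigating a burst of rejected form submissions has nothing to correlate with the limit that fired. Add a log line before each raise, e.g. `Rails.logger.info "Form ticket limit per hour reached for #{request.remote_ip}"` and the per-day equivalents, keeping the raise itself as is. Also, `token_valid?`, `enabled?` and the fingerprint predicate in the third hunk now never return false, yet their `?` names and the remaining `true`/`false` literals still suggest a boolean contract; a short comment such as `# raises Exceptions::NotAuthorized on failure; never returns false` on each would warn callers that still branch on the result. The pre-existing log message on the token-expiry branch carries a stray `}` (`'Invalid token for form (token expired})!'`) that could be fixed while this code is being touched. The method enclosing the second hunk starts outside it.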

+ 3 - 5
app/controllers/online_notifications_controller.rb

@@ -185,11 +185,9 @@ curl http://localhost/api/v1/online_notifications/mark_all_as_read -v -u #{login
 
   def access?
     notification = OnlineNotification.find(params[:id])
-    if notification.user_id != current_user.id
-      response_access_deny
-      return false
-    end
-    true
+    return true if notification.user_id == current_user.id
+
+    raise Exceptions::NotAuthorized
   end
 
 end
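Review bot: `access?` now raises instead of returning false but keeps its predicate name and a bare `return true`, so a caller written as `return unless access?` will never reach its false branch. A one-line comment, `# Returns true when the notification belongs to current_user; raises Exceptions::NotAuthorized otherwise`, would make the new contract visible at the definition. Note also that `OnlineNotification.find(params[:id])` runs before the ownership check, so a missing id and a foreign id fail through different exception types; if the surrounding error handling maps those to different responses (not visible here), consider making both paths answer identically so the response does not reveal which ids exist.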

+ 2 - 9
app/controllers/organizations_controller.rb

@@ -224,10 +224,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 
   # GET /api/v1/organizations/search
   def search
-
-    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
-      raise Exceptions::NotAuthorized
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.organization', 'ticket.agent'])
 
     per_page = params[:per_page] || params[:limit] || 100
     per_page = per_page.to_i
@@ -304,11 +301,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 
   # GET /api/v1/organizations/history/1
   def history
-
-    # permission check
-    if !current_user.permissions?(['admin.organization', 'ticket.agent'])
-      raise Exceptions::NotAuthorized
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.organization', 'ticket.agent'])
 
     # get organization data
     organization = Organization.find(params[:id])

+ 1 - 4
app/controllers/search_controller.rb

@@ -9,10 +9,7 @@ class SearchController < ApplicationController
   def search_generic
 
     # enable search only for users with valid session
-    if !current_user
-      response_access_deny
-      return true
-    end
+    raise Exceptions::NotAuthorized if !current_user
 
     # get params
     query = params[:query]

+ 1 - 4
app/controllers/sessions_controller.rb

@@ -242,10 +242,7 @@ class SessionsController < ApplicationController
   def switch_back_to_user
 
     # check if it's a swich back
-    if !session[:switched_from_user_id]
-      response_access_deny
-      return false
-    end
+    raise Exceptions::NotAuthorized if !session[:switched_from_user_id]
 
     user = User.lookup(id: session[:switched_from_user_id])
     if !user
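Review bot: The comment directly above the rewritten guard has a typo, `# check if it's a swich back`; since the line beneath it is already being changed, fix it to `# check if it's a switch back` in the same commit. switch_back_to_user continues outside the hunk.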

+ 2 - 11
app/controllers/users_controller.rb

@@ -367,11 +367,7 @@ class UsersController < ApplicationController
   # @response_message 200 [Array<User>] A list of User records matching the search term.
   # @response_message 401               Invalid session.
   def search
-
-    if !current_user.permissions?(['ticket.agent', 'admin.user'])
-      response_access_deny
-      return
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['ticket.agent', 'admin.user'])
 
     per_page = params[:per_page] || params[:limit] || 100
     per_page = per_page.to_i
@@ -491,12 +487,7 @@ class UsersController < ApplicationController
   # @response_message 200 [History] The History records of the requested User record.
   # @response_message 401           Invalid session.
   def history
-
-    # permission check
-    if !current_user.permissions?(['admin.user', 'ticket.agent'])
-      response_access_deny
-      return
-    end
+    raise Exceptions::NotAuthorized if !current_user.permissions?(['admin.user', 'ticket.agent'])
 
     # get user data
     user = User.find(params[:id])