
Fixes #5029 - Health check API not working when logged in as non-admin.

Co-authored-by: Florian Liebe <fl@zammad.com>
Rolf Schmidt 1 year ago
eb0e2f0ade

+ 2 - 4
app/policies/controllers/monitoring_controller_policy.rb

@@ -29,9 +29,7 @@ class Controllers::MonitoringControllerPolicy < Controllers::ApplicationControll
   end
 
   def token_or_permission?
-    return monitoring_admin? if user.present?
-
-    valid_token_param?
+    monitoring_admin? || valid_token_param?
   end
 
   def valid_token_param?
@@ -39,6 +37,6 @@ class Controllers::MonitoringControllerPolicy < Controllers::ApplicationControll
   end
 
   def monitoring_admin?
-    user&.permissions?('admin.monitoring')
+    user.present? && user.permissions?('admin.monitoring')
   end
 end
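Review bot: With `token_or_permission?` reduced to `monitoring_admin? || valid_token_param?`, a valid token now grants a signed-in non-admin access where the old early return denied it, so `valid_token_param?` (whose body lies outside this hunk) becomes the only gate on that path; it is worth confirming there that an unset or blank `monitoring_token` setting cannot match an empty `token` param and that the comparison is constant-time, since neither is visible here. The `monitoring_admin?` change to `user.present? && user.permissions?('admin.monitoring')` is what makes the `||` behave for anonymous requests, because it yields `false` instead of `nil`, and that intent deserves a comment for the next reader, e.g. `# Admin permission or a valid monitoring token; the token path is open to any session (#5029).` above `def token_or_permission?`.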

+ 2 - 2
spec/policies/controllers/monitoring_controller_policy_spec.rb

@@ -126,8 +126,8 @@ describe Controllers::MonitoringControllerPolicy do
       context 'when token given' do
         let(:token) { Setting.get('monitoring_token') }
 
-        it 'returns false' do
-          expect(instance.send(:token_or_permission?)).to be_falsey
+        it 'returns true' do
+          expect(instance.send(:token_or_permission?)).to be_truthy
         end
       end
     end

+ 36 - 0
spec/requests/monitoring_spec.rb

@@ -0,0 +1,36 @@
+# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
+
+require 'rails_helper'
+
+RSpec.describe 'Monitoring', type: :request do
+  let(:token) { Setting.get('monitoring_token') }
+
+  describe 'Health check API not working when logged in as non-admin #5029' do
+    let(:admin) { create(:admin) }
+    let(:customer) { create(:customer) }
+
+    context 'when admin', authenticated_as: :admin do
+      it 'does return results via token' do
+        get "/api/v1/monitoring/health_check?token=#{token}", as: :json
+        expect(response).to have_http_status(:ok)
+      end
+
+      it 'does return results without token' do
+        get '/api/v1/monitoring/health_check', as: :json
+        expect(response).to have_http_status(:ok)
+      end
+    end
+
+    context 'when customer', authenticated_as: :customer do
+      it 'does return results via token' do
+        get "/api/v1/monitoring/health_check?token=#{token}", as: :json
+        expect(response).to have_http_status(:ok)
+      end
+
+      it 'does not return results without token' do
+        get '/api/v1/monitoring/health_check', as: :json
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+  end
+end
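Review bot: The customer context covers a valid token and no token but not a wrong token, so a regression in `valid_token_param?` that accepted any non-empty `token` param would still pass this spec; add an example sending a deliberately wrong value and expecting `:forbidden`. The admin context never exercises a wrong token either, since `||` short-circuits on the permission, and pinning that an admin still gets `:ok` with a bad token documents the intended precedence. Passing the token via `params: { token: token }` rather than interpolating it into the path also avoids any encoding issue with the setting's value.
```ruby
    context 'when customer', authenticated_as: :customer do
      # … unchanged: valid-token and no-token examples …

      it 'does not return results via wrong token' do
        get '/api/v1/monitoring/health_check', params: { token: 'wrong-token' }, as: :json
        expect(response).to have_http_status(:forbidden)
      end
    end
```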