| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 |
- # Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
- class Token < ApplicationModel
- include CanBeAuthorized
- before_create :generate_token
- belongs_to :user, optional: true
- store :preferences
- =begin
- create new token
- token = Token.create(action: 'PasswordReset', user_id: user.id)
- returns
- the token
- create new persistent token
- token = Token.create(
- action: 'api',
- persistent: true,
- user_id: user.id,
- preferences: {
- permission: {
- 'user_preferences.calendar' => true,
- }
- }
- )
- in case if you use it via an controller, e. g. you can verify via "curl -H "Authorization: Token token=33562a00d7eda2a7c2fb639b91c6bcb8422067b6" http://...
- returns
- the token
- =end
- =begin
- check token
- user = Token.check(action: 'PasswordReset', name: '123abc12qweads')
- check api token with permissions
- user = Token.check(action: 'api', name: '123abc12qweads', permission: 'admin.session')
- user = Token.check(action: 'api', name: '123abc12qweads', permission: ['admin.session', 'ticket.agent'])
- returns
- user for who this token was created
- =end
- def self.check(data)
- # fetch token
- token = Token.find_by(action: data[:action], name: data[:name])
- return if !token
- # check if token is still valid
- if !token.persistent &&
- token.created_at < 1.day.ago
- # delete token
- token.delete
- token.save
- return
- end
- user = token.user
- # persistent token not valid if user is inactive
- return if !data[:inactive_user] && token.persistent && user.active == false
- # add permission check
- return if data[:permission] && !token.permissions?(data[:permission])
- # return token user
- user
- end
- =begin
- cleanup old token
- Token.cleanup
- =end
- def self.cleanup
- Token.where('persistent IS ? AND created_at < ?', nil, 30.days.ago).delete_all
- true
- end
- def permissions
- Permission.where(
- name: Array(preferences[:permission]),
- active: true,
- )
- end
- def permissions?(names)
- return false if !effective_user.permissions?(names)
- super(names)
- end
- # allows to evaluate token permissions in context of given user instead of owner
- # @param [User] user to use as context for the given block
- # @param block to evaluate in given context
- def with_context(user:, &block)
- @effective_user = user
- instance_eval(&block) if block
- ensure
- @effective_user = nil
- end
- private
- def generate_token
- loop do
- self.name = SecureRandom.urlsafe_base64(48)
- break if !Token.exists?(name: name)
- end
- true
- end
- # token owner or user set by #with_context
- def effective_user
- @effective_user || user
- end
- end
|
