users_controller.rb 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008
  1. # Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
  2. class UsersController < ApplicationController
  3. before_action :authentication_check, except: [:create, :password_reset_send, :password_reset_verify, :image]
  4. # @path [GET] /users
  5. #
  6. # @summary Returns a list of User records.
  7. # @notes The requester has to be in the role 'Admin' or 'Agent' to
  8. # get a list of all Users. If the requester is in the
  9. # role 'Customer' only just the own User record will be returned.
  10. #
  11. # @response_message 200 [Array<User>] List of matching User records.
  12. # @response_message 401 Invalid session.
  13. def index
  14. offset = 0
  15. per_page = 500
  16. if params[:page] && params[:per_page]
  17. offset = (params[:page].to_i - 1) * params[:per_page].to_i
  18. per_page = params[:per_page].to_i
  19. end
  20. # only allow customer to fetch him self
  21. users = if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
  22. User.where(id: current_user.id).offset(offset).limit(per_page)
  23. else
  24. User.all.offset(offset).limit(per_page)
  25. end
  26. if params[:expand]
  27. list = []
  28. users.each { |user|
  29. list.push user.attributes_with_relation_names
  30. }
  31. render json: list, status: :ok
  32. return
  33. end
  34. if params[:full]
  35. assets = {}
  36. item_ids = []
  37. users.each { |item|
  38. item_ids.push item.id
  39. assets = item.assets(assets)
  40. }
  41. render json: {
  42. record_ids: item_ids,
  43. assets: assets,
  44. }, status: :ok
  45. return
  46. end
  47. users_all = []
  48. users.each { |user|
  49. users_all.push User.lookup(id: user.id).attributes_with_associations
  50. }
  51. render json: users_all, status: :ok
  52. end
  53. # @path [GET] /users/{id}
  54. #
  55. # @summary Returns the User record with the requested identifier.
  56. # @notes The requester has to be in the role 'Admin' or 'Agent' to
  57. # access all User records. If the requester is in the
  58. # role 'Customer' just the own User record is accessable.
  59. #
  60. # @parameter id(required) [Integer] The identifier matching the requested User.
  61. # @parameter full [Bool] If set a Asset structure with all connected Assets gets returned.
  62. #
  63. # @response_message 200 [User] User record matching the requested identifier.
  64. # @response_message 401 Invalid session.
  65. def show
  66. # access deny
  67. permission_check_local
  68. if params[:expand]
  69. user = User.find(params[:id]).attributes_with_relation_names
  70. render json: user, status: :ok
  71. return
  72. end
  73. if params[:full]
  74. full = User.full(params[:id])
  75. render json: full
  76. return
  77. end
  78. user = User.find(params[:id]).attributes_with_associations
  79. user.delete('password')
  80. render json: user
  81. end
  82. # @path [POST] /users
  83. #
  84. # @summary Creates a User record with the provided attribute values.
  85. # @notes TODO.
  86. #
  87. # @parameter User(required,body) [User] The attribute value structure needed to create a User record.
  88. #
  89. # @response_message 200 [User] Created User record.
  90. # @response_message 401 Invalid session.
  91. def create
  92. # in case of authentication, set current_user to access later
  93. authentication_check_only({})
  94. clean_params = User.param_association_lookup(params)
  95. clean_params = User.param_cleanup(clean_params, true)
  96. user = User.new(clean_params)
  97. user.param_set_associations(params)
  98. # check if it's first user, the admin user
  99. # inital admin account
  100. count = User.all.count()
  101. admin_account_exists = true
  102. if count <= 2
  103. admin_account_exists = false
  104. end
  105. # if it's a signup, add user to customer role
  106. if !current_user
  107. # check if feature is enabled
  108. if admin_account_exists && !Setting.get('user_create_account')
  109. raise Exceptions::UnprocessableEntity, 'Feature not enabled!'
  110. end
  111. # check signup option only after admin account is created
  112. if admin_account_exists && !params[:signup]
  113. raise Exceptions::UnprocessableEntity, 'Only signup with not authenticate user possible!'
  114. end
  115. user.updated_by_id = 1
  116. user.created_by_id = 1
  117. # add first user as admin/agent and to all groups
  118. group_ids = []
  119. role_ids = []
  120. if count <= 2
  121. Role.where(name: %w(Admin Agent)).each { |role|
  122. role_ids.push role.id
  123. }
  124. Group.all().each { |group|
  125. group_ids.push group.id
  126. }
  127. # everybody else will go as customer per default
  128. else
  129. role_ids = Role.signup_role_ids
  130. end
  131. user.role_ids = role_ids
  132. user.group_ids = group_ids
  133. # remember source (in case show email verify banner)
  134. # if not inital user creation
  135. if admin_account_exists
  136. user.source = 'signup'
  137. end
  138. # else do assignment as defined
  139. else
  140. # permission check
  141. permission_check_by_permission(params)
  142. if params[:role_ids]
  143. user.role_ids = params[:role_ids]
  144. end
  145. if params[:group_ids]
  146. user.group_ids = params[:group_ids]
  147. end
  148. end
  149. # check if user already exists
  150. if user.email
  151. exists = User.where(email: user.email.downcase).first
  152. raise Exceptions::UnprocessableEntity, 'User already exists!' if exists
  153. end
  154. user.save!
  155. # if first user was added, set system init done
  156. if !admin_account_exists
  157. Setting.set('system_init_done', true)
  158. # fetch org logo
  159. if user.email
  160. Service::Image.organization_suggest(user.email)
  161. end
  162. # load calendar
  163. Calendar.init_setup(request.remote_ip)
  164. # load text modules
  165. begin
  166. TextModule.load(request.env['HTTP_ACCEPT_LANGUAGE'] || 'en-us')
  167. rescue => e
  168. logger.error "Unable to load text modules #{request.env['HTTP_ACCEPT_LANGUAGE'] || 'en-us'}: #{e.message}"
  169. end
  170. end
  171. # send inviteation if needed / only if session exists
  172. if params[:invite] && current_user
  173. token = Token.create(action: 'PasswordReset', user_id: user.id)
  174. NotificationFactory::Mailer.notification(
  175. template: 'user_invite',
  176. user: user,
  177. objects: {
  178. token: token,
  179. user: user,
  180. current_user: current_user,
  181. }
  182. )
  183. end
  184. # send email verify
  185. if params[:signup] && !current_user
  186. result = User.signup_new_token(user)
  187. NotificationFactory::Mailer.notification(
  188. template: 'signup',
  189. user: user,
  190. objects: result,
  191. )
  192. end
  193. if params[:expand]
  194. user = User.find(user.id).attributes_with_relation_names
  195. render json: user, status: :created
  196. return
  197. end
  198. user_new = User.find(user.id).attributes_with_associations
  199. user_new.delete('password')
  200. render json: user_new, status: :created
  201. end
  202. # @path [PUT] /users/{id}
  203. #
  204. # @summary Updates the User record matching the identifier with the provided attribute values.
  205. # @notes TODO.
  206. #
  207. # @parameter id(required) [Integer] The identifier matching the requested User record.
  208. # @parameter User(required,body) [User] The attribute value structure needed to update a User record.
  209. #
  210. # @response_message 200 [User] Updated User record.
  211. # @response_message 401 Invalid session.
  212. def update
  213. # access deny
  214. permission_check_local
  215. user = User.find(params[:id])
  216. clean_params = User.param_association_lookup(params)
  217. clean_params = User.param_cleanup(clean_params, true)
  218. # permission check
  219. permission_check_by_permission(params)
  220. user.update_attributes(clean_params)
  221. # only allow Admin's
  222. if current_user.permissions?('admin.user') && (params[:role_ids] || params[:roles])
  223. user.role_ids = params[:role_ids]
  224. user.param_set_associations({ role_ids: params[:role_ids], roles: params[:roles] })
  225. end
  226. # only allow Admin's
  227. if current_user.permissions?('admin.user') && (params[:group_ids] || params[:groups])
  228. user.group_ids = params[:group_ids]
  229. user.param_set_associations({ group_ids: params[:group_ids], groups: params[:groups] })
  230. end
  231. # only allow Admin's and Agent's
  232. if current_user.permissions?(['admin.user', 'ticket.agent']) && (params[:organization_ids] || params[:organizations])
  233. user.param_set_associations({ organization_ids: params[:organization_ids], organizations: params[:organizations] })
  234. end
  235. if params[:expand]
  236. user = User.find(user.id).attributes_with_relation_names
  237. render json: user, status: :ok
  238. return
  239. end
  240. # get new data
  241. user_new = User.find(user.id).attributes_with_associations
  242. user_new.delete('password')
  243. render json: user_new, status: :ok
  244. end
  245. # @path [DELETE] /users/{id}
  246. #
  247. # @summary Deletes the User record matching the given identifier.
  248. # @notes The requester has to be in the role 'Admin' to be able to delete a User record.
  249. #
  250. # @parameter id(required) [User] The identifier matching the requested User record.
  251. #
  252. # @response_message 200 User successfully deleted.
  253. # @response_message 401 Invalid session.
  254. def destroy
  255. permission_check('admin.user')
  256. model_references_check(User, params)
  257. model_destory_render(User, params)
  258. end
  259. # @path [GET] /users/search
  260. #
  261. # @tag Search
  262. # @tag User
  263. #
  264. # @summary Searches the User matching the given expression(s).
  265. # @notes TODO: It's possible to use the SOLR search syntax.
  266. # The requester has to be in the role 'Admin' or 'Agent' to
  267. # be able to search for User records.
  268. #
  269. # @parameter term [String] The search term.
  270. # @parameter limit [Integer] The limit of search results.
  271. # @parameter role_ids(multi) [Array<String>] A list of Role identifiers to which the Users have to be allocated to.
  272. # @parameter full [Boolean] Defines if the result should be
  273. # true: { user_ids => [1,2,...], assets => {...} }
  274. # or false: [{:id => user.id, :label => "firstname lastname <email>", :value => "firstname lastname <email>"},...].
  275. #
  276. # @response_message 200 [Array<User>] A list of User records matching the search term.
  277. # @response_message 401 Invalid session.
  278. def search
  279. if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin.user')
  280. response_access_deny
  281. return
  282. end
  283. # set limit for pagination if needed
  284. if params[:page] && params[:per_page]
  285. params[:limit] = params[:page].to_i * params[:per_page].to_i
  286. end
  287. query_params = {
  288. query: params[:term],
  289. limit: params[:limit],
  290. current_user: current_user,
  291. }
  292. if params[:role_ids] && !params[:role_ids].empty?
  293. query_params[:role_ids] = params[:role_ids]
  294. end
  295. # do query
  296. user_all = User.search(query_params)
  297. # do pagination if needed
  298. if params[:page] && params[:per_page]
  299. offset = (params[:page].to_i - 1) * params[:per_page].to_i
  300. user_all = user_all.slice(offset, params[:per_page].to_i) || []
  301. end
  302. if params[:expand]
  303. list = []
  304. user_all.each { |user|
  305. list.push user.attributes_with_relation_names
  306. }
  307. render json: list, status: :ok
  308. return
  309. end
  310. # build result list
  311. if !params[:full]
  312. users = []
  313. user_all.each { |user|
  314. realname = user.firstname.to_s + ' ' + user.lastname.to_s
  315. if user.email && user.email.to_s != ''
  316. realname = realname + ' <' + user.email.to_s + '>'
  317. end
  318. a = { id: user.id, label: realname, value: realname }
  319. users.push a
  320. }
  321. # return result
  322. render json: users
  323. return
  324. end
  325. user_ids = []
  326. assets = {}
  327. user_all.each { |user|
  328. assets = user.assets(assets)
  329. user_ids.push user.id
  330. }
  331. # return result
  332. render json: {
  333. assets: assets,
  334. user_ids: user_ids.uniq,
  335. }
  336. end
  337. # @path [GET] /users/recent
  338. #
  339. # @tag Search
  340. # @tag User
  341. #
  342. # @summary Recent creates Users.
  343. # @notes Recent creates Users.
  344. #
  345. # @parameter limit [Integer] The limit of search results.
  346. # @parameter role_ids(multi) [Array<String>] A list of Role identifiers to which the Users have to be allocated to.
  347. # @parameter full [Boolean] Defines if the result should be
  348. # true: { user_ids => [1,2,...], assets => {...} }
  349. # or false: [{:id => user.id, :label => "firstname lastname <email>", :value => "firstname lastname <email>"},...].
  350. #
  351. # @response_message 200 [Array<User>] A list of User records matching the search term.
  352. # @response_message 401 Invalid session.
  353. def recent
  354. if !current_user.permissions?('admin.user')
  355. response_access_deny
  356. return
  357. end
  358. # do query
  359. user_all = if params[:role_ids] && !params[:role_ids].empty?
  360. User.joins(:roles).where( 'roles.id' => params[:role_ids] ).where('users.id != 1').order('users.created_at DESC').limit( params[:limit] || 20 )
  361. else
  362. User.where('id != 1').order('created_at DESC').limit( params[:limit] || 20 )
  363. end
  364. # build result list
  365. if !params[:full]
  366. users = []
  367. user_all.each { |user|
  368. realname = user.firstname.to_s + ' ' + user.lastname.to_s
  369. if user.email && user.email.to_s != ''
  370. realname = realname + ' <' + user.email.to_s + '>'
  371. end
  372. a = { id: user.id, label: realname, value: realname }
  373. users.push a
  374. }
  375. # return result
  376. render json: users
  377. return
  378. end
  379. user_ids = []
  380. assets = {}
  381. user_all.each { |user|
  382. assets = user.assets(assets)
  383. user_ids.push user.id
  384. }
  385. # return result
  386. render json: {
  387. assets: assets,
  388. user_ids: user_ids.uniq,
  389. }
  390. end
  391. # @path [GET] /users/history/{id}
  392. #
  393. # @tag History
  394. # @tag User
  395. #
  396. # @summary Returns the History records of a User record matching the given identifier.
  397. # @notes The requester has to be in the role 'Admin' or 'Agent' to
  398. # get the History records of a User record.
  399. #
  400. # @parameter id(required) [Integer] The identifier matching the requested User record.
  401. #
  402. # @response_message 200 [History] The History records of the requested User record.
  403. # @response_message 401 Invalid session.
  404. def history
  405. # permission check
  406. if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
  407. response_access_deny
  408. return
  409. end
  410. # get user data
  411. user = User.find(params[:id])
  412. # get history of user
  413. history = user.history_get(true)
  414. # return result
  415. render json: history
  416. end
  417. =begin
  418. Resource:
  419. POST /api/v1/users/email_verify
  420. Payload:
  421. {
  422. "token": "SoMeToKeN",
  423. }
  424. Response:
  425. {
  426. :message => 'ok'
  427. }
  428. Test:
  429. curl http://localhost/api/v1/users/email_verify.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"token": "SoMeToKeN"}'
  430. =end
  431. def email_verify
  432. raise Exceptions::UnprocessableEntity, 'No token!' if !params[:token]
  433. user = User.signup_verify_via_token(params[:token], current_user)
  434. raise Exceptions::UnprocessableEntity, 'Invalid token!' if !user
  435. render json: { message: 'ok', user_email: user.email }, status: :ok
  436. end
  437. =begin
  438. Resource:
  439. POST /api/v1/users/email_verify_send
  440. Payload:
  441. {
  442. "email": "some_email@example.com"
  443. }
  444. Response:
  445. {
  446. :message => 'ok'
  447. }
  448. Test:
  449. curl http://localhost/api/v1/users/email_verify_send.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"email": "some_email@example.com"}'
  450. =end
  451. def email_verify_send
  452. raise Exceptions::UnprocessableEntity, 'No email!' if !params[:email]
  453. # check is verify is possible to send
  454. user = User.find_by(email: params[:email].downcase)
  455. raise Exceptions::UnprocessableEntity, 'No such user!' if !user
  456. #if user.verified == true
  457. # render json: { error: 'Already verified!' }, status: :unprocessable_entity
  458. # return
  459. #end
  460. token = Token.create(action: 'Signup', user_id: user.id)
  461. result = User.signup_new_token(user)
  462. if result && result[:token]
  463. user = result[:user]
  464. NotificationFactory::Mailer.notification(
  465. template: 'signup',
  466. user: user,
  467. objects: result
  468. )
  469. # only if system is in develop mode, send token back to browser for browser tests
  470. if Setting.get('developer_mode') == true
  471. render json: { message: 'ok', token: result[:token].name }, status: :ok
  472. return
  473. end
  474. # token sent to user, send ok to browser
  475. render json: { message: 'ok' }, status: :ok
  476. return
  477. end
  478. # unable to generate token
  479. render json: { message: 'failed' }, status: :ok
  480. end
  481. =begin
  482. Resource:
  483. POST /api/v1/users/password_reset
  484. Payload:
  485. {
  486. "username": "some user name"
  487. }
  488. Response:
  489. {
  490. :message => 'ok'
  491. }
  492. Test:
  493. curl http://localhost/api/v1/users/password_reset.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"username": "some_username"}'
  494. =end
  495. def password_reset_send
  496. # check if feature is enabled
  497. raise Exceptions::UnprocessableEntity, 'Feature not enabled!' if !Setting.get('user_lost_password')
  498. result = User.password_reset_new_token(params[:username])
  499. if result && result[:token]
  500. # send mail
  501. user = result[:user]
  502. NotificationFactory::Mailer.notification(
  503. template: 'password_reset',
  504. user: user,
  505. objects: result
  506. )
  507. # only if system is in develop mode, send token back to browser for browser tests
  508. if Setting.get('developer_mode') == true
  509. render json: { message: 'ok', token: result[:token].name }, status: :ok
  510. return
  511. end
  512. # token sent to user, send ok to browser
  513. render json: { message: 'ok' }, status: :ok
  514. return
  515. end
  516. # unable to generate token
  517. render json: { message: 'failed' }, status: :ok
  518. end
  519. =begin
  520. Resource:
  521. POST /api/v1/users/password_reset_verify
  522. Payload:
  523. {
  524. "token": "SoMeToKeN",
  525. "password": "new_password"
  526. }
  527. Response:
  528. {
  529. :message => 'ok'
  530. }
  531. Test:
  532. curl http://localhost/api/v1/users/password_reset_verify.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"token": "SoMeToKeN", "password" "new_password"}'
  533. =end
  534. def password_reset_verify
  535. if params[:password]
  536. # check password policy
  537. result = password_policy(params[:password])
  538. if result != true
  539. render json: { message: 'failed', notice: result }, status: :ok
  540. return
  541. end
  542. # set new password with token
  543. user = User.password_reset_via_token(params[:token], params[:password])
  544. # send mail
  545. if user
  546. NotificationFactory::Mailer.notification(
  547. template: 'password_change',
  548. user: user,
  549. objects: {
  550. user: user,
  551. current_user: current_user,
  552. }
  553. )
  554. end
  555. else
  556. user = User.password_reset_check(params[:token])
  557. end
  558. if user
  559. render json: { message: 'ok', user_login: user.login }, status: :ok
  560. else
  561. render json: { message: 'failed' }, status: :ok
  562. end
  563. end
  564. =begin
  565. Resource:
  566. POST /api/v1/users/password_change
  567. Payload:
  568. {
  569. "password_old": "some_password_old",
  570. "password_new": "some_password_new"
  571. }
  572. Response:
  573. {
  574. :message => 'ok'
  575. }
  576. Test:
  577. curl http://localhost/api/v1/users/password_change.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"password_old": "password_old", "password_new": "password_new"}'
  578. =end
  579. def password_change
  580. # check old password
  581. if !params[:password_old]
  582. render json: { message: 'failed', notice: ['Current password needed!'] }, status: :ok
  583. return
  584. end
  585. user = User.authenticate( current_user.login, params[:password_old] )
  586. if !user
  587. render json: { message: 'failed', notice: ['Current password is wrong!'] }, status: :ok
  588. return
  589. end
  590. # set new password
  591. if !params[:password_new]
  592. render json: { message: 'failed', notice: ['Please supply your new password!'] }, status: :ok
  593. return
  594. end
  595. # check password policy
  596. result = password_policy(params[:password_new])
  597. if result != true
  598. render json: { message: 'failed', notice: result }, status: :ok
  599. return
  600. end
  601. user.update_attributes(password: params[:password_new])
  602. NotificationFactory::Mailer.notification(
  603. template: 'password_change',
  604. user: user,
  605. objects: {
  606. user: user,
  607. current_user: current_user,
  608. }
  609. )
  610. render json: { message: 'ok', user_login: user.login }, status: :ok
  611. end
  612. =begin
  613. Resource:
  614. PUT /api/v1/users/preferences.json
  615. Payload:
  616. {
  617. "language": "de",
  618. "notification": true
  619. }
  620. Response:
  621. {
  622. :message => 'ok'
  623. }
  624. Test:
  625. curl http://localhost/api/v1/users/preferences.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X PUT -d '{"language": "de", "notifications": true}'
  626. =end
  627. def preferences
  628. raise Exceptions::UnprocessableEntity, 'No current user!' if !current_user
  629. if params[:user]
  630. user = User.find(current_user.id)
  631. params[:user].each { |key, value|
  632. user.preferences[key.to_sym] = value
  633. }
  634. user.save
  635. end
  636. render json: { message: 'ok' }, status: :ok
  637. end
  638. =begin
  639. Resource:
  640. DELETE /api/v1/users/account.json
  641. Payload:
  642. {
  643. "provider": "twitter",
  644. "uid": 581482342942
  645. }
  646. Response:
  647. {
  648. :message => 'ok'
  649. }
  650. Test:
  651. curl http://localhost/api/v1/users/account.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X PUT -d '{"provider": "twitter", "uid": 581482342942}'
  652. =end
  653. def account_remove
  654. raise Exceptions::UnprocessableEntity, 'No current user!' if !current_user
  655. # provider + uid to remove
  656. raise Exceptions::UnprocessableEntity, 'provider needed!' if !params[:provider]
  657. raise Exceptions::UnprocessableEntity, 'uid needed!' if !params[:uid]
  658. # remove from database
  659. record = Authorization.where(
  660. user_id: current_user.id,
  661. provider: params[:provider],
  662. uid: params[:uid],
  663. )
  664. raise Exceptions::UnprocessableEntity, 'No record found!' if !record.first
  665. record.destroy_all
  666. render json: { message: 'ok' }, status: :ok
  667. end
  668. =begin
  669. Resource:
  670. GET /api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7
  671. Response:
  672. <IMAGE>
  673. Test:
  674. curl http://localhost/api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7 -v -u #{login}:#{password}
  675. =end
  676. def image
  677. # cache image
  678. response.headers['Expires'] = 1.year.from_now.httpdate
  679. response.headers['Cache-Control'] = 'cache, store, max-age=31536000, must-revalidate'
  680. response.headers['Pragma'] = 'cache'
  681. file = Avatar.get_by_hash(params[:hash])
  682. if file
  683. send_data(
  684. file.content,
  685. filename: file.filename,
  686. type: file.preferences['Content-Type'] || file.preferences['Mime-Type'],
  687. disposition: 'inline'
  688. )
  689. return
  690. end
  691. # serve default image
  692. image = 'R0lGODdhMAAwAOMAAMzMzJaWlr6+vqqqqqOjo8XFxbe3t7GxsZycnAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAMAAwAAAEcxDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru98TwuAA+KQAQqJK8EAgBAgMEqmkzUgBIeSwWGZtR5XhSqAULACCoGCJGwlm1MGQrq9RqgB8fm4ZTUgDBIEcRR9fz6HiImKi4yNjo+QkZKTlJWWkBEAOw=='
  693. send_data(
  694. Base64.decode64(image),
  695. filename: 'image.gif',
  696. type: 'image/gif',
  697. disposition: 'inline'
  698. )
  699. end
  700. =begin
  701. Resource:
  702. POST /api/v1/users/avatar
  703. Payload:
  704. {
  705. "avatar_full": "base64 url",
  706. }
  707. Response:
  708. {
  709. message: 'ok'
  710. }
  711. Test:
  712. curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"avatar": "base64 url"}'
  713. =end
  714. def avatar_new
  715. return if !valid_session_with_user
  716. # get & validate image
  717. file_full = StaticAssets.data_url_attributes(params[:avatar_full])
  718. file_resize = StaticAssets.data_url_attributes(params[:avatar_resize])
  719. avatar = Avatar.add(
  720. object: 'User',
  721. o_id: current_user.id,
  722. full: {
  723. content: file_full[:content],
  724. mime_type: file_full[:mime_type],
  725. },
  726. resize: {
  727. content: file_resize[:content],
  728. mime_type: file_resize[:mime_type],
  729. },
  730. source: 'upload ' + Time.zone.now.to_s,
  731. deletable: true,
  732. )
  733. # update user link
  734. user = User.find(current_user.id)
  735. user.update_attributes(image: avatar.store_hash)
  736. render json: { avatar: avatar }, status: :ok
  737. end
  738. def avatar_set_default
  739. return if !valid_session_with_user
  740. # get & validate image
  741. raise Exceptions::UnprocessableEntity, 'No id of avatar!' if !params[:id]
  742. # set as default
  743. avatar = Avatar.set_default('User', current_user.id, params[:id])
  744. # update user link
  745. user = User.find(current_user.id)
  746. user.update_attributes(image: avatar.store_hash)
  747. render json: {}, status: :ok
  748. end
  749. def avatar_destroy
  750. return if !valid_session_with_user
  751. # get & validate image
  752. raise Exceptions::UnprocessableEntity, 'No id of avatar!' if !params[:id]
  753. # remove avatar
  754. Avatar.remove_one('User', current_user.id, params[:id])
  755. # update user link
  756. avatar = Avatar.get_default('User', current_user.id)
  757. user = User.find(current_user.id)
  758. user.update_attributes(image: avatar.store_hash)
  759. render json: {}, status: :ok
  760. end
  761. def avatar_list
  762. return if !valid_session_with_user
  763. # list of avatars
  764. result = Avatar.list('User', current_user.id)
  765. render json: { avatars: result }, status: :ok
  766. end
  767. private
  768. def password_policy(password)
  769. if Setting.get('password_min_size').to_i > password.length
  770. return ["Can\'t update password, it must be at least %s characters long!", Setting.get('password_min_size')]
  771. end
  772. if Setting.get('password_need_digit').to_i == 1 && password !~ /\d/
  773. return ["Can't update password, it must contain at least 1 digit!"]
  774. end
  775. if Setting.get('password_min_2_lower_2_upper_characters').to_i == 1 && ( password !~ /[A-Z].*[A-Z]/ || password !~ /[a-z].*[a-z]/ )
  776. return ["Can't update password, it must contain at least 2 lowercase and 2 uppercase characters!"]
  777. end
  778. true
  779. end
  780. def permission_check_by_permission(params)
  781. return true if current_user.permissions?('admin.user')
  782. if !current_user.permissions?('admin.user') && params[:role_ids]
  783. if params[:role_ids].class != Array
  784. params[:role_ids] = [params[:role_ids]]
  785. end
  786. params[:role_ids].each { |role_id|
  787. role_local = Role.lookup(id: role_id)
  788. if !role_local
  789. logger.info "Invalid role_ids for current_user_id: #{current_user.id} role_ids #{role_id}"
  790. raise Exceptions::NotAuthorized, 'Invalid role_ids!'
  791. end
  792. role_name = role_local.name
  793. # TODO: check role permissions
  794. next if role_name != 'Admin' && role_name != 'Agent'
  795. logger.info "This role assignment is only allowed by admin! current_user_id: #{current_user.id} assigned to #{role_name}"
  796. raise Exceptions::NotAuthorized, 'This role assignment is only allowed by admin!'
  797. }
  798. end
  799. if !current_user.permissions?('admin.user') && params[:group_ids]
  800. if params[:group_ids].class != Array
  801. params[:group_ids] = [params[:group_ids]]
  802. end
  803. if !params[:group_ids].empty?
  804. logger.info "Group relation is only allowed by admin! current_user_id: #{current_user.id} group_ids #{params[:group_ids].inspect}"
  805. raise Exceptions::NotAuthorized, 'Group relation is only allowed by admin!'
  806. end
  807. end
  808. return true if current_user.permissions?('ticket.agent')
  809. response_access_deny
  810. false
  811. end
  812. def permission_check_local
  813. return true if current_user.permissions?('admin.user')
  814. return true if current_user.permissions?('ticket.agent')
  815. # allow to update any by him self
  816. # TODO check certain attributes like roles_ids and group_ids
  817. return true if params[:id].to_i == current_user.id
  818. raise Exceptions::NotAuthorized
  819. end
  820. end