Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: 49b6dda93a
Branches Tags
zammad
/
app
/
controllers
/
concerns
/
checks_user_attributes_by_current_user_permission.rb

checks_user_attributes_by_current_user_permission.rb 1.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738 
  1. # Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. module ChecksUserAttributesByCurrentUserPermission
    4. 

  4.   extend ActiveSupport::Concern
    5. 

  5. 

  6.   private
    7. 

  7. 

  8.   def check_attributes_by_current_user_permission(params)
    9. 

  9.     authorize!
    10. 

  10. 

  11.     # admins can do whatever they want
    12. 

  12.     return true if current_user.permissions?('admin.user')
    13. 

  13. 

  14.     # regular agents are not allowed to set Groups and Roles
    15. 

  15.     suffixes = %w[_ids s]
    16. 

  16.     %w[Role Group].each do |model|
    17. 

  17. 

  18.       suffixes.each do |suffix|
    19. 

  19.         attribute = "#{model.downcase}#{suffix}"
    20. 

  20.         values    = params[attribute]
    21. 

  21. 

  22.         next if values.nil?
    23. 

  23. 

  24.         logger.warn "#{model} assignment is only allowed by admin! User with ID #{current_user.id} tried to assign #{values.inspect}"
    25. 

  25.         params.delete(attribute)
    26. 

  26.       end
    27. 

  27.     end
    28. 

  28. 

  29.     # check for create requests and set
    30. 

  30.     # signup roles if no other roles are given
    31. 

  31.     return true if params[:id].present?
    32. 

  32.     return true if params[:role_ids]
    33. 

  33.     return true if params[:roles]
    34. 

  34. 

  35.     params[:role_ids] = Role.signup_role_ids
    36. 

  36.     true
    37. 

  37.   end
    38. 

  38. end
    39.