
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
class UserPolicy < ApplicationPolicy
  # Authorization rules for User records.
  #
  # There are two read rules on purpose: `show?` applies when a user record is
  # looked up directly, `nested_show?` when it is reached through a record the
  # caller is already authorized for (e.g. the owner of a ticket the caller may
  # read). Customers get the reduced attribute set from `customer_field_scope`
  # in both cases; the direct lookup additionally requires a shared organization.

  # Read access to a user embedded in another, already authorized record.
  # Returns true, false, or a FieldScope restricting the visible attributes.
  def nested_show?
    return true if privileged_reader?
    return false unless user.permissions?('ticket.customer')

    customer_field_scope
  end

  # Direct read access. Customers may only see users that share one of their
  # organizations, and then only the attributes in `customer_field_scope`.
  def show?
    return true if privileged_reader?
    return false unless user.permissions?('ticket.customer')

    same_organization? ? customer_field_scope : false
  end

  # Write access. 'admin.user' may edit anyone. Agents may edit plain customer
  # accounts only: a record that itself holds 'admin.user' or 'ticket.agent' is
  # off limits, so an agent cannot alter an equally or more privileged account.
  # NOTE(review): this decides only *whether* an agent may touch the record;
  # which attributes may be written (roles, permissions, ...) is not restricted
  # here — confirm that attribute-level limits are enforced elsewhere.
  def update?
    return true if user.permissions?('admin.user')
    return false unless user.permissions?('ticket.agent')
    # presumably "any of these permissions" semantics for the array form — confirm
    return false if record.permissions?(['admin.user', 'ticket.agent'])

    record.permissions?('ticket.customer')
  end

  # Deletion is reserved for user administrators.
  def destroy?
    user.permissions?('admin.user')
  end

  private

  # Admins, the account owner and agents see every attribute of a user record.
  # TODO: check if a customer user may really see all fields of their own account.
  def privileged_reader?
    user.permissions?('admin.*') || own_account? || user.permissions?('ticket.agent')
  end

  # The record under review is the acting user's own account.
  def own_account?
    user.id == record.id
  end

  # False whenever either side has no organization, so organization-less
  # customers never match another user here. Otherwise defers to the model's
  # `organization_id?` check (presumably covering the user's primary and any
  # secondary organizations — confirm against the User model).
  def same_organization?
    return false if record.organization_id.blank? || user.organization_id.blank?

    user.organization_id?(record.organization_id)
  end

  # Allow-list of attributes a customer may read about another user. Anything
  # not listed here is withheld from customer responses; adding an attribute
  # widens what customers can learn about other accounts, so review carefully.
  def customer_field_scope
    @customer_field_scope ||= ApplicationPolicy::FieldScope.new(allow: %i[id firstname lastname image image_source active])
  end
end