
  1. # Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
  2. class UsersController < ApplicationController
  3. before_action :authentication_check, except: [:create, :password_reset_send, :password_reset_verify, :image]
  4. # @path [GET] /users
  5. #
  6. # @summary Returns a list of User records.
  7. # @notes The requester has to be in the role 'Admin' or 'Agent' to
  8. # get a list of all Users. If the requester is in the
  9. # role 'Customer' only just the own User record will be returned.
  10. #
  11. # @response_message 200 [Array<User>] List of matching User records.
  12. # @response_message 401 Invalid session.
# GET /users
#
# Admins and agents receive every User record; a requester whose only
# relevant role is Customer gets just their own record. Each record is
# re-read through User.lookup so the serialized form carries associations.
#
# NOTE(review): attributes_with_associations is emitted for every user —
# confirm it strips password hashes, tokens and similar fields.
def index
  customer_only = role?(Z_ROLENAME_CUSTOMER) && !role?(Z_ROLENAME_ADMIN) && !role?('Agent')
  scope = customer_only ? User.where(id: current_user.id) : User.all
  payload = scope.map { |record| User.lookup(id: record.id).attributes_with_associations }
  render json: payload, status: :ok
end
  26. # @path [GET] /users/{id}
  27. #
  28. # @summary Returns the User record with the requested identifier.
  29. # @notes The requester has to be in the role 'Admin' or 'Agent' to
  30. # access all User records. If the requester is in the
# role 'Customer' only their own User record is accessible.
  32. #
  33. # @parameter id(required) [Integer] The identifier matching the requested User.
  34. # @parameter full [Bool] If set a Asset structure with all connected Assets gets returned.
  35. #
  36. # @response_message 200 [User] User record matching the requested identifier.
  37. # @response_message 401 Invalid session.
# GET /users/{id}
#
# permission_check admits admins and agents for any id and customers only for
# their own id. With ?full set the asset structure from User.full is returned
# instead of the bare record.
def show
  return unless permission_check

  if params[:full]
    render json: User.full(params[:id])
  else
    render json: User.find(params[:id])
  end
end
  49. # @path [POST] /users
  50. #
  51. # @summary Creates a User record with the provided attribute values.
  52. # @notes TODO.
  53. #
  54. # @parameter User(required,body) [User] The attribute value structure needed to create a User record.
  55. #
  56. # @response_message 200 [User] Created User record.
  57. # @response_message 401 Invalid session.
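# POST /users
#
# Two callers reach this action (it is exempt from authentication_check):
#  * an anonymous self-signup (no current_user), allowed only while the
#    'user_create_account' setting is enabled;
#  * an authenticated admin/agent creating a user, gated by permission_check_by_role.
#
# Changes vs. the previous version:
#  * The bootstrap "first user becomes admin" path was keyed on the raw user
#    count alone (count <= 2). Once setup had run, an instance that later
#    dropped back to two users would have handed Admin/Agent/Chat plus every
#    group to the next anonymous signup. The bootstrap now also requires that
#    'system_init_done' is not yet set — the flag this very action sets once
#    bootstrap has happened.
#  * The feature-flag check runs before any model object is built.
#
# NOTE(review): two signups racing on a fresh install can both observe
# count <= 2; a database-level guard would be needed to close that fully.
# NOTE(review): 'User already exists!' tells an anonymous caller whether an
# address is registered; the client contract depends on it, so it is left as is.
#
# @parameter User(required,body) [User] Attribute values for the new record.
# @response_message 201 [User] Created User record.
# @response_message 422 Feature disabled, duplicate e-mail, or validation error.
def create
  signup = !current_user
  if signup && !Setting.get('user_create_account')
    render json: { error_human: 'Feature not enabled!' }, status: :unprocessable_entity
    return
  end

  user = User.new(User.param_cleanup(params, true))
  begin
    # Read once so the role grant and the system_init_done flag agree.
    count = User.all.count
    bootstrap = count <= 2 && !Setting.get('system_init_done')

    if signup
      # Anonymous signups are attributed to the system user.
      user.updated_by_id = 1
      user.created_by_id = 1
      if bootstrap
        # Initial setup: the first real user gets Admin/Agent/Chat and every group.
        user.role_ids = Role.where(name: [Z_ROLENAME_ADMIN, 'Agent', 'Chat']).pluck(:id)
        user.group_ids = Group.pluck(:id)
      else
        # Every later self-signup is a plain customer, whatever role_ids were submitted.
        user.role_ids = [Role.where(name: Z_ROLENAME_CUSTOMER).first.id]
        user.group_ids = []
      end
    else
      # Authenticated path: agents may not hand out Admin/Agent roles or any groups.
      return if !permission_check_by_role(params)
      user.role_ids = params[:role_ids] if params[:role_ids]
      user.group_ids = params[:group_ids] if params[:group_ids]
    end

    # Reject duplicate addresses up front (compared lower-cased).
    if user.email && User.where(email: user.email.downcase).first
      render json: { error_human: 'User already exists!' }, status: :unprocessable_entity
      return
    end
    user.save!

    if bootstrap
      Setting.set('system_init_done', true)
      # Try to derive the organization logo from the first user's mail domain.
      Service::Image.organization_suggest(user.email) if user.email
    end

    # Invitation mail (carrying a PasswordReset token) — only for authenticated creators.
    if params[:invite] && current_user
      token = Token.create(action: 'PasswordReset', user_id: user.id)
      NotificationFactory.notification(
        template: 'user_invite',
        user: user,
        objects: {
          token: token,
          user: user,
          current_user: current_user,
        }
      )
    end

    # Address-verification mail for self-signups.
    if params[:signup] && signup
      token = Token.create(action: 'EmailVerify', user_id: user.id)
      NotificationFactory.notification(
        template: 'signup',
        user: user,
        objects: {
          token: token,
          user: user,
        }
      )
    end

    render json: User.find(user.id), status: :created
  rescue => e
    # NOTE(review): e.message is handed to the client through model_match_error;
    # make sure that helper maps messages rather than echoing raw exception text.
    render json: model_match_error(e.message), status: :unprocessable_entity
  end
end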
  147. # @path [PUT] /users/{id}
  148. #
  149. # @summary Updates the User record matching the identifier with the provided attribute values.
  150. # @notes TODO.
  151. #
  152. # @parameter id(required) [Integer] The identifier matching the requested User record.
  153. # @parameter User(required,body) [User] The attribute value structure needed to update a User record.
  154. #
  155. # @response_message 200 [User] Updated User record.
  156. # @response_message 401 Invalid session.
# PUT /users/{id}
#
# Updates the User matching params[:id] with the cleaned-up attributes and then,
# for sufficiently privileged requesters, its role / group / organization links.
# permission_check admits admins, agents and a customer editing their own id;
# permission_check_by_role then rejects anyone who is neither Admin nor Agent,
# so a plain customer never reaches the update below even for their own record.
#
# @parameter id(required) [Integer] The identifier of the User to update.
# @response_message 200 [User] The updated record, re-read from the database.
# @response_message 422 { error: message } for any exception raised while updating.
def update
  # access deny
  return if !permission_check
  user = User.find(params[:id])
  begin
    # permission check by role (non-admins may not hand out Admin/Agent roles or groups)
    return if !permission_check_by_role(params)
    # NOTE(review): User.param_cleanup is not visible here. It must drop
    # role_ids / group_ids / organization_ids (and anything else a caller may
    # not set on another user), because this mass-assignment runs BEFORE the
    # role-gated assignments below; otherwise those gates are bypassed. Confirm.
    user.update_attributes( User.param_cleanup(params) )
    # only allow Admin's and Agent's
    # NOTE(review): `&&` requires the requester to hold BOTH roles, which does
    # not match this comment. `||` would let agents set role_ids (bounded by
    # permission_check_by_role); as written, an admin without the Agent role
    # cannot change roles here. Decide deliberately before changing it.
    if role?(Z_ROLENAME_ADMIN) && role?('Agent') && params[:role_ids]
      user.role_ids = params[:role_ids]
    end
    # only allow Admin's
    if role?(Z_ROLENAME_ADMIN) && params[:group_ids]
      user.group_ids = params[:group_ids]
    end
    # only allow Admin's and Agent's (same both-roles condition as for role_ids)
    if role?(Z_ROLENAME_ADMIN) && role?('Agent') && params[:organization_ids]
      user.organization_ids = params[:organization_ids]
    end
    # get new data
    user_new = User.find( params[:id] )
    render json: user_new, status: :ok
  rescue => e
    # NOTE(review): raw exception text reaches the client here.
    render json: { error: e.message }, status: :unprocessable_entity
  end
end
  184. # @path [DELETE] /users/{id}
  185. #
  186. # @summary Deletes the User record matching the given identifier.
  187. # @notes The requester has to be in the role 'Admin' to be able to delete a User record.
  188. #
  189. # @parameter id(required) [User] The identifier matching the requested User record.
  190. #
  191. # @response_message 200 User successfully deleted.
  192. # @response_message 401 Invalid session.
  193. def destroy
  194. return if deny_if_not_role(Z_ROLENAME_ADMIN)
  195. model_destory_render(User, params)
  196. end
  197. # @path [GET] /users/search
  198. #
  199. # @tag Search
  200. # @tag User
  201. #
  202. # @summary Searches the User matching the given expression(s).
  203. # @notes TODO: It's possible to use the SOLR search syntax.
  204. # The requester has to be in the role 'Admin' or 'Agent' to
  205. # be able to search for User records.
  206. #
  207. # @parameter term [String] The search term.
  208. # @parameter limit [Integer] The limit of search results.
  209. # @parameter role_ids(multi) [Array<String>] A list of Role identifiers to which the Users have to be allocated to.
  210. # @parameter full [Boolean] Defines if the result should be
  211. # true: { user_ids => [1,2,...], assets => {...} }
  212. # or false: [{:id => user.id, :label => "firstname lastname <email>", :value => "firstname lastname <email>"},...].
  213. #
  214. # @response_message 200 [Array<User>] A list of User records matching the search term.
  215. # @response_message 401 Invalid session.
# GET /users/search
#
# User search for admins and agents; a requester whose only relevant role is
# Customer is denied. Results are returned either as autocomplete entries
# ({ id, label, value }) or, with ?full set, as { assets, user_ids }.
#
# NOTE(review): params[:limit] is forwarded to User.search without a cap —
# clamp it unless the search layer already does.
def search
  customer_only = role?(Z_ROLENAME_CUSTOMER) && !role?(Z_ROLENAME_ADMIN) && !role?('Agent')
  if customer_only
    response_access_deny
    return
  end

  criteria = {
    query: params[:term],
    limit: params[:limit],
    current_user: current_user,
  }
  wanted_roles = params[:role_ids]
  criteria[:role_ids] = wanted_roles if wanted_roles && !wanted_roles.empty?
  matches = User.search(criteria)

  if params[:full]
    assets = {}
    ids = matches.map { |record|
      assets = record.assets(assets)
      record.id
    }
    render json: { assets: assets, user_ids: ids.uniq }
  else
    entries = matches.map { |record|
      label = "#{record.firstname} #{record.lastname}"
      label += " <#{record.email}>" if record.email && record.email.to_s != ''
      { id: record.id, label: label, value: label }
    }
    render json: entries
  end
end
  258. # @path [GET] /users/recent
  259. #
  260. # @tag Search
  261. # @tag User
  262. #
# @summary Recently created Users.
# @notes Returns the most recently created Users (newest first), excluding the user with id 1.
  265. #
  266. # @parameter limit [Integer] The limit of search results.
  267. # @parameter role_ids(multi) [Array<String>] A list of Role identifiers to which the Users have to be allocated to.
  268. # @parameter full [Boolean] Defines if the result should be
  269. # true: { user_ids => [1,2,...], assets => {...} }
  270. # or false: [{:id => user.id, :label => "firstname lastname <email>", :value => "firstname lastname <email>"},...].
  271. #
  272. # @response_message 200 [Array<User>] A list of User records matching the search term.
  273. # @response_message 401 Invalid session.
# GET /users/recent
#
# Newest users first (user id 1 excluded), optionally restricted to the given
# role ids, in the same two output shapes as #search.
#
# NOTE(review): this guard differs from search/history — it does not exempt
# Agents, and it admits any session that simply lacks the Customer role.
# Align the three guards deliberately; the current condition is kept as is.
# NOTE(review): params[:limit] is not capped.
def recent
  if role?(Z_ROLENAME_CUSTOMER) && !role?(Z_ROLENAME_ADMIN)
    response_access_deny
    return
  end

  limit = params[:limit] || 20
  wanted_roles = params[:role_ids]
  newest = if wanted_roles && !wanted_roles.empty?
    User.joins(:roles).where('roles.id' => wanted_roles).where('users.id != 1').order('users.created_at DESC').limit(limit)
  else
    User.where('id != 1').order('created_at DESC').limit(limit)
  end

  if params[:full]
    assets = {}
    ids = newest.map { |record|
      assets = record.assets(assets)
      record.id
    }
    render json: { assets: assets, user_ids: ids.uniq }
  else
    entries = newest.map { |record|
      label = "#{record.firstname} #{record.lastname}"
      label += " <#{record.email}>" if record.email && record.email.to_s != ''
      { id: record.id, label: label, value: label }
    }
    render json: entries
  end
end
  312. # @path [GET] /users/history/{id}
  313. #
  314. # @tag History
  315. # @tag User
  316. #
  317. # @summary Returns the History records of a User record matching the given identifier.
  318. # @notes The requester has to be in the role 'Admin' or 'Agent' to
  319. # get the History records of a User record.
  320. #
  321. # @parameter id(required) [Integer] The identifier matching the requested User record.
  322. #
  323. # @response_message 200 [History] The History records of the requested User record.
  324. # @response_message 401 Invalid session.
# GET /users/history/{id}
#
# Admins and agents only. Returns the history records of the requested user.
def history
  unless role?(Z_ROLENAME_ADMIN) || role?('Agent')
    response_access_deny
    return
  end

  record = User.find(params[:id])
  render json: record.history_get(true)
end
  338. =begin
  339. Resource:
  340. POST /api/v1/users/password_reset
  341. Payload:
  342. {
  343. "username": "some user name"
  344. }
  345. Response:
  346. {
  347. :message => 'ok'
  348. }
  349. Test:
  350. curl http://localhost/api/v1/users/password_reset.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"username": "some_username"}'
  351. =end
# POST /api/v1/users/password_reset  (no session required)
#
# Creates a password-reset token for the given username and mails it.
#
# NOTE(review): the 'failed' vs 'ok' answer tells an anonymous caller whether
# the username exists. The client relies on the message, so it is kept; a
# uniform 'ok' would close the enumeration.
# NOTE(review): with 'developer_mode' on, the reset token is echoed to the
# browser for end-to-end tests — that setting must never be enabled in production.
def password_reset_send
  unless Setting.get('user_lost_password')
    render json: { error: 'Feature not enabled!' }, status: :unprocessable_entity
    return
  end

  result = User.password_reset_new_token(params[:username])
  unless result && result[:token]
    render json: { message: 'failed' }, status: :ok
    return
  end

  NotificationFactory.notification(
    template: 'password_reset',
    user: result[:user],
    objects: result
  )
  body = { message: 'ok' }
  body[:token] = result[:token].name if Setting.get('developer_mode') == true
  render json: body, status: :ok
end
  379. =begin
  380. Resource:
  381. POST /api/v1/users/password_reset_verify
  382. Payload:
  383. {
  384. "token": "SoMeToKeN",
  385. "password": "new_password"
  386. }
  387. Response:
  388. {
  389. :message => 'ok'
  390. }
  391. Test:
curl http://localhost/api/v1/users/password_reset_verify.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"token": "SoMeToKeN", "password": "new_password"}'
  393. =end
# POST /api/v1/users/password_reset_verify  (no session required)
#
# Without a password: only checks the token and reports the matching login.
# With a password: enforces the password policy, sets the password via the
# token and mails a change notice. current_user is nil on this route, so the
# notification's current_user is nil as well.
def password_reset_verify
  new_password = params[:password]
  matched = nil

  if new_password
    verdict = password_policy(new_password)
    if verdict != true
      render json: { message: 'failed', notice: verdict }, status: :ok
      return
    end
    matched = User.password_reset_via_token(params[:token], new_password)
    if matched
      NotificationFactory.notification(
        template: 'password_change',
        user: matched,
        objects: {
          user: matched,
          current_user: current_user,
        }
      )
    end
  else
    matched = User.password_reset_check(params[:token])
  end

  if matched
    render json: { message: 'ok', user_login: matched.login }, status: :ok
  else
    render json: { message: 'failed' }, status: :ok
  end
end
  424. =begin
  425. Resource:
  426. POST /api/v1/users/password_change
  427. Payload:
  428. {
  429. "password_old": "some_password_old",
  430. "password_new": "some_password_new"
  431. }
  432. Response:
  433. {
  434. :message => 'ok'
  435. }
  436. Test:
  437. curl http://localhost/api/v1/users/password_change.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"password_old": "password_old", "password_new": "password_new"}'
  438. =end
# POST /api/v1/users/password_change
#
# Re-authenticates the session user with the current password before the new
# one is checked against the policy and stored; a change notice is mailed.
def password_change
  old_password = params[:password_old]
  new_password = params[:password_new]
  fail_with = ->(notice) { render json: { message: 'failed', notice: notice }, status: :ok }

  return fail_with.call(['Current password needed!']) unless old_password

  account = User.authenticate(current_user.login, old_password)
  return fail_with.call(['Current password is wrong!']) unless account
  return fail_with.call(['Please supply your new password!']) unless new_password

  verdict = password_policy(new_password)
  return fail_with.call(verdict) if verdict != true

  account.update_attributes(password: new_password)
  NotificationFactory.notification(
    template: 'password_change',
    user: account,
    objects: {
      user: account,
      current_user: current_user,
    }
  )
  render json: { message: 'ok', user_login: account.login }, status: :ok
end
  472. =begin
  473. Resource:
  474. PUT /api/v1/users/preferences.json
  475. Payload:
{
  "user": {
    "language": "de",
    "notification": true
  }
}
  480. Response:
  481. {
  482. :message => 'ok'
  483. }
  484. Test:
curl http://localhost/api/v1/users/preferences.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X PUT -d '{"user": {"language": "de", "notification": true}}'
  486. =end
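# PUT /api/v1/users/preferences
#
# Merges the submitted "user" hash into the session user's preferences.
#
# Fix: a non-hash "user" payload (e.g. a bare string) previously raised
# NoMethodError on #each and surfaced as a 500; it is now rejected with 422.
#
# NOTE(review): every submitted key is stored verbatim and interned with
# to_sym. On Rubies before 2.2 symbols are never garbage-collected, so a client
# can grow the symbol table without bound; independently of that, callers can
# write preference keys the application never meant to be user-settable. An
# allow-list of known preference names would close both.
def preferences
  unless current_user
    render json: { message: 'No current user!' }, status: :unprocessable_entity
    return
  end

  incoming = params[:user]
  if incoming
    unless incoming.respond_to?(:each_pair)
      render json: { message: 'user must be a hash of preferences!' }, status: :unprocessable_entity
      return
    end
    account = User.find(current_user.id)
    incoming.each_pair { |key, value| account.preferences[key.to_sym] = value }
    account.save
  end
  render json: { message: 'ok' }, status: :ok
end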
  501. =begin
  502. Resource:
  503. DELETE /api/v1/users/account.json
  504. Payload:
  505. {
  506. "provider": "twitter",
  507. "uid": 581482342942
  508. }
  509. Response:
  510. {
  511. :message => 'ok'
  512. }
  513. Test:
curl http://localhost/api/v1/users/account.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X DELETE -d '{"provider": "twitter", "uid": 581482342942}'
  515. =end
# DELETE /api/v1/users/account
#
# Unlinks a third-party login (provider + uid) from the session user. The
# lookup is filtered by current_user.id, so a uid that belongs to another
# user is reported as 'No record found!' rather than removed.
def account_remove
  unless current_user
    render json: { message: 'No current user!' }, status: :unprocessable_entity
    return
  end

  %w[provider uid].each do |key|
    next if params[key.to_sym]

    render json: { message: "#{key} needed!" }, status: :unprocessable_entity
    return
  end

  links = Authorization.where(
    user_id: current_user.id,
    provider: params[:provider],
    uid: params[:uid],
  )
  if links.first.nil?
    render json: { message: 'No record found!' }, status: :unprocessable_entity
    return
  end

  links.destroy_all
  render json: { message: 'ok' }, status: :ok
end
  543. =begin
  544. Resource:
  545. GET /api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7
  546. Response:
  547. <IMAGE>
  548. Test:
  549. curl http://localhost/api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7 -v -u #{login}:#{password}
  550. =end
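# GET /api/v1/users/image/{hash}  (public — exempt from authentication_check)
#
# Serves the avatar stored under the given hash, or a built-in placeholder GIF.
#
# Fixes:
#  * The stored avatar used to be served with whatever MIME type was recorded
#    at upload time, and avatar_new records the type straight from the client's
#    data URL. Serving a client-chosen type such as text/html or image/svg+xml
#    inline from the application origin is a stored-XSS vector, so only raster
#    image types are now served with their stored type; anything else goes out
#    as application/octet-stream, which browsers will not render as a document
#    while <img> tags keep working. X-Content-Type-Options: nosniff stops
#    browsers from second-guessing the declared type.
#  * 'Cache-Control: cache, store' and 'Pragma: cache' are not valid directive
#    values; the response now sends 'public, max-age=31536000, must-revalidate'.
#    The Expires header is unchanged.
def image
  response.headers['Expires'] = 1.year.from_now.httpdate
  response.headers['Cache-Control'] = 'public, max-age=31536000, must-revalidate'
  response.headers['X-Content-Type-Options'] = 'nosniff'

  file = Avatar.get_by_hash(params[:hash])
  if file
    inline_types = ['image/png', 'image/jpeg', 'image/jpg', 'image/gif', 'image/webp', 'image/bmp']
    stored_type = (file.preferences['Content-Type'] || file.preferences['Mime-Type']).to_s
    stored_type = stored_type.split(';').first.to_s.strip.downcase
    served_type = inline_types.include?(stored_type) ? stored_type : 'application/octet-stream'
    send_data(
      file.content,
      filename: file.filename,
      type: served_type,
      disposition: 'inline'
    )
    return
  end

  # serve default image
  image = 'R0lGODdhMAAwAOMAAMzMzJaWlr6+vqqqqqOjo8XFxbe3t7GxsZycnAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAMAAwAAAEcxDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru98TwuAA+KQAQqJK8EAgBAgMEqmkzUgBIeSwWGZtR5XhSqAULACCoGCJGwlm1MGQrq9RqgB8fm4ZTUgDBIEcRR9fz6HiImKi4yNjo+QkZKTlJWWkBEAOw=='
  send_data(
    Base64.decode64(image),
    filename: 'image.gif',
    type: 'image/gif',
    disposition: 'inline'
  )
end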
  575. =begin
  576. Resource:
  577. POST /api/v1/users/avatar
  578. Payload:
{
  "avatar_full": "data URL of the full-size image",
  "avatar_resize": "data URL of the resized image"
}
  582. Response:
  583. {
  584. message: 'ok'
  585. }
  586. Test:
curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"avatar_full": "data URL", "avatar_resize": "data URL"}'
  588. =end
# POST /api/v1/users/avatar
#
# Stores a full-size and a resized avatar for the session user and points the
# user's image field at the new store hash.
#
# NOTE(review): the MIME type saved with each image comes from the client's
# data URL, not from the bytes, and /users/image serves it back later. Unless
# StaticAssets.data_url_attributes validates it, derive the type from the
# content or check it against an image allow-list here. No size limit is
# visible on this path either.
def avatar_new
  return unless valid_session_with_user

  full = StaticAssets.data_url_attributes(params[:avatar_full])
  resized = StaticAssets.data_url_attributes(params[:avatar_resize])
  stored = Avatar.add(
    object: 'User',
    o_id: current_user.id,
    full: {
      content: full[:content],
      mime_type: full[:mime_type],
    },
    resize: {
      content: resized[:content],
      mime_type: resized[:mime_type],
    },
    source: "upload #{Time.zone.now}",
    deletable: true,
  )
  current_user.update_attributes(image: stored.store_hash)
  render json: { avatar: stored }, status: :ok
end
# Marks the avatar with params[:id] as the session user's default and updates
# the user's image hash. current_user.id is passed to Avatar.set_default, which
# presumably scopes the lookup to the caller's own avatars — confirm.
def avatar_set_default
  return unless valid_session_with_user

  avatar_id = params[:id]
  unless avatar_id
    render json: { message: 'No id of avatar!' }, status: :unprocessable_entity
    return
  end

  chosen = Avatar.set_default('User', current_user.id, avatar_id)
  current_user.update_attributes(image: chosen.store_hash)
  render json: {}, status: :ok
end
# Removes the avatar with params[:id] from the session user and re-points the
# user's image hash at whatever Avatar.get_default returns afterwards.
#
# NOTE(review): if no avatar remains, get_default may return nil and the
# store_hash call below would raise — confirm the helper's contract.
def avatar_destroy
  return unless valid_session_with_user

  avatar_id = params[:id]
  unless avatar_id
    render json: { message: 'No id of avatar!' }, status: :unprocessable_entity
    return
  end

  Avatar.remove_one('User', current_user.id, avatar_id)
  fallback = Avatar.get_default('User', current_user.id)
  current_user.update_attributes(image: fallback.store_hash)
  render json: {}, status: :ok
end
# Lists the session user's avatars.
def avatar_list
  return unless valid_session_with_user

  avatars = Avatar.list('User', current_user.id)
  render json: { avatars: avatars }, status: :ok
end
  645. private
  646. def password_policy(password)
  647. if Setting.get('password_min_size').to_i > password.length
  648. return ["Can\'t update password, it must be at least %s characters long!", Setting.get('password_min_size')]
  649. end
  650. if Setting.get('password_need_digit').to_i == 1 && password !~ /\d/
  651. return ["Can't update password, it must contain at least 1 digit!"]
  652. end
  653. if Setting.get('password_min_2_lower_2_upper_characters').to_i == 1 && ( password !~ /[A-Z].*[A-Z]/ || password !~ /[a-z].*[a-z]/ )
  654. return ["Can't update password, it must contain at least 2 lowercase and 2 uppercase characters!"]
  655. end
  656. true
  657. end
# Gate for role / group assignment on user create and update.
#
# Outcome by requester:
#  * Admin  — always allowed (returns true before anything else is inspected).
#  * Agent  — may pass role_ids as long as none of them resolves to a role
#             named 'Admin' or 'Agent'; may not pass a non-empty group_ids.
#  * anyone else (e.g. a plain customer) — denied via response_access_deny.
#
# On refusal the method has already rendered a response and returns false, so
# callers must `return` on false. Note that it normalizes params[:role_ids] /
# params[:group_ids] into Arrays in place.
#
# NOTE(review): the checks are by role NAME. Any role other than 'Admin' and
# 'Agent' — including 'Chat' and any custom role — can be handed out by an
# agent; confirm none of those carries elevated rights.
# NOTE(review): 401 is used for an authorization failure; 403 would be the
# accurate status. Left unchanged because clients may key on it.
def permission_check_by_role(params)
  return true if role?(Z_ROLENAME_ADMIN)
  # `!role?('Admin')` is always true here (admins returned above); it also uses
  # the literal instead of Z_ROLENAME_ADMIN. Harmless, but redundant.
  if !role?('Admin') && params[:role_ids]
    if params[:role_ids].class != Array
      params[:role_ids] = [params[:role_ids]]
    end
    params[:role_ids].each {|role_id|
      role_local = Role.lookup(id: role_id)
      if !role_local
        render json: { error_human: 'Invalid role_ids!' }, status: :unauthorized
        logger.info "Invalid role_ids for current_user_id: #{current_user.id} role_ids #{role_id}"
        return false
      end
      role_name = role_local.name
      # Only the two privileged role names are reserved for admins.
      next if role_name != 'Admin' && role_name != 'Agent'
      render json: { error_human: 'This role assignment is only allowed by admin!' }, status: :unauthorized
      logger.info "This role assignment is only allowed by admin! current_user_id: #{current_user.id} assigned to #{role_name}"
      return false
    }
  end
  if role?('Agent') && params[:group_ids]
    if params[:group_ids].class != Array
      params[:group_ids] = [params[:group_ids]]
    end
    if !params[:group_ids].empty?
      render json: { error_human: 'Group relation is only allowed by admin!' }, status: :unauthorized
      logger.info "Group relation is only allowed by admin! current_user_id: #{current_user.id} group_ids #{params[:group_ids].inspect}"
      return false
    end
  end
  return true if role?('Agent')
  # Neither Admin nor Agent: denied. This is why the customer self-update path
  # admitted by permission_check never reaches the update code in #update.
  response_access_deny
  false
end
# Record-level access gate for #show and #update: admins and agents may touch
# any user; a customer only the record whose id equals their own. Renders the
# denial itself and returns false, so callers must `return` on false.
def permission_check
  staff = role?(Z_ROLENAME_ADMIN) || role?('Agent')
  return true if staff

  # allow a customer to act on their own record only
  return true if role?(Z_ROLENAME_CUSTOMER) && params[:id].to_i == current_user.id

  response_access_deny
  false
end
  700. end