role.rb 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221
  1. # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
  2. class Role < ApplicationModel
  3. include HasActivityStreamLog
  4. include ChecksClientNotification
  5. include ChecksLatestChangeObserved
  6. include HasGroups
  7. load 'role/assets.rb'
  8. include Role::Assets
  9. has_and_belongs_to_many :users, after_add: :cache_update, after_remove: :cache_update
  10. has_and_belongs_to_many :permissions, after_add: :cache_update, after_remove: :cache_update, before_update: :cache_update, after_update: :cache_update, before_add: :validate_agent_limit_by_permission, before_remove: :last_admin_check_by_permission
  11. validates :name, presence: true
  12. store :preferences
  13. before_create :validate_permissions, :check_default_at_signup_permissions
  14. before_update :validate_permissions, :last_admin_check_by_attribute, :validate_agent_limit_by_attributes, :check_default_at_signup_permissions
  15. association_attributes_ignored :users
  16. activity_stream_permission 'admin.role'
  17. =begin
  18. grant permission to role
  19. role.permission_grant('permission.key')
  20. =end
  21. def permission_grant(key)
  22. permission = Permission.lookup(name: key)
  23. raise "Invalid permission #{key}" if !permission
  24. return true if permission_ids.include?(permission.id)
  25. self.permission_ids = permission_ids.push permission.id
  26. true
  27. end
  28. =begin
  29. revoke permission of role
  30. role.permission_revoke('permission.key')
  31. =end
  32. def permission_revoke(key)
  33. permission = Permission.lookup(name: key)
  34. raise "Invalid permission #{key}" if !permission
  35. return true if !permission_ids.include?(permission.id)
  36. self.permission_ids = self.permission_ids -= [permission.id]
  37. true
  38. end
  39. =begin
  40. get signup roles
  41. Role.signup_roles
  42. returns
  43. [role1, role2, ...]
  44. =end
  45. def self.signup_roles
  46. Role.where(active: true, default_at_signup: true)
  47. end
  48. =begin
  49. get signup role ids
  50. Role.signup_role_ids
  51. returns
  52. [role1, role2, ...]
  53. =end
  54. def self.signup_role_ids
  55. signup_roles.map(&:id)
  56. end
  57. =begin
  58. get all roles with permission
  59. roles = Role.with_permissions('admin.session')
  60. get all roles with permission "admin.session" or "ticket.agent"
  61. roles = Role.with_permissions(['admin.session', 'ticket.agent'])
  62. returns
  63. [role1, role2, ...]
  64. =end
  65. def self.with_permissions(keys)
  66. permission_ids = Role.permission_ids_by_name(keys)
  67. Role.joins(:roles_permissions).joins(:permissions).where(
  68. 'permissions_roles.permission_id IN (?) AND roles.active = ? AND permissions.active = ?', permission_ids, true, true
  69. ).distinct()
  70. end
  71. =begin
  72. check if roles is with permission
  73. role = Role.find(123)
  74. role.with_permission?('admin.session')
  75. get if role has permission of "admin.session" or "ticket.agent"
  76. role.with_permission?(['admin.session', 'ticket.agent'])
  77. returns
  78. true | false
  79. =end
  80. def with_permission?(keys)
  81. permission_ids = Role.permission_ids_by_name(keys)
  82. return true if Role.joins(:roles_permissions).joins(:permissions).where(
  83. 'roles.id = ? AND permissions_roles.permission_id IN (?) AND permissions.active = ?', id, permission_ids, true
  84. ).distinct().count.nonzero?
  85. false
  86. end
  87. private_class_method
  88. def self.permission_ids_by_name(keys)
  89. Array(keys).each_with_object([]) do |key, result|
  90. ::Permission.with_parents(key).each do |local_key|
  91. permission = ::Permission.lookup(name: local_key)
  92. next if !permission
  93. result.push permission.id
  94. end
  95. end
  96. end
  97. private
  98. def validate_permissions
  99. Rails.logger.debug { "self permission: #{self.permission_ids}" }
  100. return true if !self.permission_ids
  101. permission_ids.each do |permission_id|
  102. permission = Permission.lookup(id: permission_id)
  103. raise "Unable to find permission for id #{permission_id}" if !permission
  104. raise "Permission #{permission.name} is disabled" if permission.preferences[:disabled] == true
  105. next unless permission.preferences[:not]
  106. permission.preferences[:not].each do |local_permission_name|
  107. local_permission = Permission.lookup(name: local_permission_name)
  108. next if !local_permission
  109. raise "Permission #{permission.name} conflicts with #{local_permission.name}" if permission_ids.include?(local_permission.id)
  110. end
  111. end
  112. true
  113. end
  114. def last_admin_check_by_attribute
  115. return true if !will_save_change_to_attribute?('active')
  116. return true if active != false
  117. return true if !with_permission?(['admin', 'admin.user'])
  118. raise Exceptions::UnprocessableEntity, 'Minimum one user needs to have admin permissions.' if last_admin_check_admin_count < 1
  119. true
  120. end
  121. def last_admin_check_by_permission(permission)
  122. return true if Setting.get('import_mode')
  123. return true if permission.name != 'admin' && permission.name != 'admin.user'
  124. raise Exceptions::UnprocessableEntity, 'Minimum one user needs to have admin permissions.' if last_admin_check_admin_count < 1
  125. true
  126. end
  127. def last_admin_check_admin_count
  128. admin_role_ids = Role.joins(:permissions).where(permissions: { name: ['admin', 'admin.user'], active: true }, roles: { active: true }).where.not(id: id).pluck(:id)
  129. User.joins(:roles).where(roles: { id: admin_role_ids }, users: { active: true }).distinct().count
  130. end
  131. def validate_agent_limit_by_attributes
  132. return true if !Setting.get('system_agent_limit')
  133. return true if !will_save_change_to_attribute?('active')
  134. return true if active != true
  135. return true if !with_permission?('ticket.agent')
  136. ticket_agent_role_ids = Role.joins(:permissions).where(permissions: { name: 'ticket.agent', active: true }, roles: { active: true }).pluck(:id)
  137. currents = User.joins(:roles).where(roles: { id: ticket_agent_role_ids }, users: { active: true }).distinct().pluck(:id)
  138. news = User.joins(:roles).where(roles: { id: id }, users: { active: true }).distinct().pluck(:id)
  139. count = currents.concat(news).uniq.count
  140. raise Exceptions::UnprocessableEntity, 'Agent limit exceeded, please check your account settings.' if count > Setting.get('system_agent_limit')
  141. true
  142. end
  143. def validate_agent_limit_by_permission(permission)
  144. return true if !Setting.get('system_agent_limit')
  145. return true if active != true
  146. return true if permission.active != true
  147. return true if permission.name != 'ticket.agent'
  148. ticket_agent_role_ids = Role.joins(:permissions).where(permissions: { name: 'ticket.agent' }, roles: { active: true }).pluck(:id)
  149. ticket_agent_role_ids.push(id)
  150. count = User.joins(:roles).where(roles: { id: ticket_agent_role_ids }, users: { active: true }).distinct().count
  151. raise Exceptions::UnprocessableEntity, 'Agent limit exceeded, please check your account settings.' if count > Setting.get('system_agent_limit')
  152. true
  153. end
  154. def check_default_at_signup_permissions
  155. all_permissions = Permission.all.pluck(:id)
  156. admin_permissions = Permission.where('name LIKE ? OR name = ?', 'admin%', 'ticket.agent').pluck(:id) # admin.*/ticket.agent permissions
  157. normal_permissions = (all_permissions - admin_permissions) | (admin_permissions - all_permissions) # all other permissions besides admin.*/ticket.agent
  158. return true if default_at_signup != true # means if default_at_signup = false, no need further checks
  159. return true if self.permission_ids.all? { |i| normal_permissions.include? i } # allow user to choose only normal permissions
  160. raise Exceptions::UnprocessableEntity, 'Cannot set default at signup when role has admin or ticket.agent permissions.'
  161. end
  162. end