role.rb 8.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
  2. class Role < ApplicationModel
  3. include CanBeImported
  4. include HasActivityStreamLog
  5. include ChecksClientNotification
  6. include ChecksHtmlSanitized
  7. include HasGroups
  8. include HasCollectionUpdate
  9. include Role::Assets
  10. has_and_belongs_to_many :users, after_add: :cache_update, after_remove: :cache_update
  11. has_and_belongs_to_many :permissions,
  12. before_add: %i[validate_agent_limit_by_permission validate_permissions],
  13. after_add: %i[cache_update cache_add_kb_permission],
  14. before_remove: :last_admin_check_by_permission,
  15. after_remove: %i[cache_update cache_remove_kb_permission]
  16. validates :name, presence: true
  17. store :preferences
  18. has_many :knowledge_base_permissions, class_name: 'KnowledgeBase::Permission', dependent: :destroy
  19. before_create :check_default_at_signup_permissions
  20. before_update :last_admin_check_by_attribute, :validate_agent_limit_by_attributes, :check_default_at_signup_permissions
  21. # ignore Users because this will lead to huge
  22. # results for e.g. the Customer role
  23. association_attributes_ignored :users
  24. activity_stream_permission 'admin.role'
  25. validates :note, length: { maximum: 250 }
  26. sanitized_html :note
  27. =begin
  28. grant permission to role
  29. role.permission_grant('permission.key')
  30. =end
  31. def permission_grant(key)
  32. permission = Permission.lookup(name: key)
  33. raise "Invalid permission #{key}" if !permission
  34. return true if permission_ids.include?(permission.id)
  35. self.permission_ids = permission_ids.push permission.id # rubocop:disable Style/RedundantSelfAssignment
  36. true
  37. end
  38. =begin
  39. revoke permission of role
  40. role.permission_revoke('permission.key')
  41. =end
  42. def permission_revoke(key)
  43. permission = Permission.lookup(name: key)
  44. raise "Invalid permission #{key}" if !permission
  45. return true if permission_ids.exclude?(permission.id)
  46. self.permission_ids = self.permission_ids -= [permission.id]
  47. true
  48. end
  49. =begin
  50. get signup roles
  51. Role.signup_roles
  52. returns
  53. [role1, role2, ...]
  54. =end
  55. def self.signup_roles
  56. Role.where(active: true, default_at_signup: true)
  57. end
  58. =begin
  59. get signup role ids
  60. Role.signup_role_ids
  61. returns
  62. [role1, role2, ...]
  63. =end
  64. def self.signup_role_ids
  65. signup_roles.map(&:id)
  66. end
  67. =begin
  68. get all roles with permission
  69. roles = Role.with_permissions('admin.session')
  70. get all roles with permission "admin.session" or "ticket.agent"
  71. roles = Role.with_permissions(['admin.session', 'ticket.agent'])
  72. returns
  73. [role1, role2, ...]
  74. =end
  75. def self.with_permissions(keys)
  76. permission_ids = Role.permission_ids_by_name(keys)
  77. Role.joins(:permissions_roles).joins(:permissions).where(
  78. 'permissions_roles.permission_id IN (?) AND roles.active = ? AND permissions.active = ?', permission_ids, true, true
  79. ).distinct
  80. end
  81. =begin
  82. check if roles is with permission
  83. role = Role.find(123)
  84. role.with_permission?('admin.session')
  85. get if role has permission of "admin.session" or "ticket.agent"
  86. role.with_permission?(['admin.session', 'ticket.agent'])
  87. returns
  88. true | false
  89. =end
  90. def with_permission?(keys)
  91. permission_ids = Role.permission_ids_by_name(keys)
  92. return true if Role.joins(:permissions_roles).joins(:permissions).where(
  93. 'roles.id = ? AND permissions_roles.permission_id IN (?) AND permissions.active = ?', id, permission_ids, true
  94. ).distinct.count.nonzero?
  95. false
  96. end
  97. def self.permission_ids_by_name(keys)
  98. Array(keys).each_with_object([]) do |key, result|
  99. ::Permission.with_parents(key).each do |local_key|
  100. permission = ::Permission.lookup(name: local_key)
  101. next if !permission
  102. result.push permission.id
  103. end
  104. end
  105. end
  106. private
  107. def validate_permissions(permission)
  108. Rails.logger.debug { "self permission: #{permission.id}" }
  109. raise "Permission #{permission.name} is disabled" if permission.preferences[:disabled]
  110. permission.preferences[:not]
  111. &.find { |name| name.in?(permissions.map(&:name)) }
  112. &.tap { |conflict| raise "Permission #{permission} conflicts with #{conflict}" }
  113. permissions.find { |p| p.preferences[:not]&.include?(permission.name) }
  114. &.tap { |conflict| raise "Permission #{permission} conflicts with #{conflict}" }
  115. end
  116. def last_admin_check_by_attribute
  117. return true if !will_save_change_to_attribute?('active')
  118. return true if active != false
  119. return true if !with_permission?(['admin', 'admin.user'])
  120. raise Exceptions::UnprocessableEntity, __('At least one user needs to have admin permissions.') if last_admin_check_admin_count < 1
  121. true
  122. end
  123. def last_admin_check_by_permission(permission)
  124. return true if Setting.get('import_mode')
  125. return true if permission.name != 'admin' && permission.name != 'admin.user'
  126. raise Exceptions::UnprocessableEntity, __('At least one user needs to have admin permissions.') if last_admin_check_admin_count < 1
  127. true
  128. end
  129. def last_admin_check_admin_count
  130. admin_role_ids = Role.joins(:permissions).where(permissions: { name: ['admin', 'admin.user'], active: true }, roles: { active: true }).where.not(id: id).pluck(:id)
  131. User.joins(:roles).where(roles: { id: admin_role_ids }, users: { active: true }).distinct.count
  132. end
  133. def validate_agent_limit_by_attributes
  134. return true if Setting.get('system_agent_limit').blank?
  135. return true if !will_save_change_to_attribute?('active')
  136. return true if active != true
  137. return true if !with_permission?('ticket.agent')
  138. ticket_agent_role_ids = Role.joins(:permissions).where(permissions: { name: 'ticket.agent', active: true }, roles: { active: true }).pluck(:id)
  139. currents = User.joins(:roles).where(roles: { id: ticket_agent_role_ids }, users: { active: true }).distinct.pluck(:id)
  140. news = User.joins(:roles).where(roles: { id: id }, users: { active: true }).distinct.pluck(:id)
  141. count = currents.concat(news).uniq.count
  142. raise Exceptions::UnprocessableEntity, __('Agent limit exceeded, please check your account settings.') if count > Setting.get('system_agent_limit').to_i
  143. true
  144. end
  145. def validate_agent_limit_by_permission(permission)
  146. return true if Setting.get('system_agent_limit').blank?
  147. return true if active != true
  148. return true if permission.active != true
  149. return true if permission.name != 'ticket.agent'
  150. ticket_agent_role_ids = Role.joins(:permissions).where(permissions: { name: 'ticket.agent' }, roles: { active: true }).pluck(:id)
  151. ticket_agent_role_ids.push(id)
  152. count = User.joins(:roles).where(roles: { id: ticket_agent_role_ids }, users: { active: true }).distinct.count
  153. raise Exceptions::UnprocessableEntity, __('Agent limit exceeded, please check your account settings.') if count > Setting.get('system_agent_limit').to_i
  154. true
  155. end
  156. def check_default_at_signup_permissions
  157. return true if !default_at_signup
  158. forbidden_permissions = permissions.reject(&:allow_signup)
  159. return true if forbidden_permissions.blank?
  160. raise Exceptions::UnprocessableEntity, "Cannot set default at signup when role has #{forbidden_permissions.join(', ')} permissions."
  161. end
  162. def cache_add_kb_permission(permission)
  163. return if !permission.name.starts_with? 'knowledge_base.'
  164. return if !KnowledgeBase.granular_permissions?
  165. KnowledgeBase::Category.all.each(&:touch)
  166. end
  167. def cache_remove_kb_permission(permission)
  168. return if !permission.name.starts_with? 'knowledge_base.'
  169. return if !KnowledgeBase.granular_permissions?
  170. has_editor = permissions.where(name: 'knowledge_base.editor').any?
  171. has_reader = permissions.where(name: 'knowledge_base.reader').any?
  172. KnowledgeBase::Permission
  173. .where(role: self)
  174. .each do |elem|
  175. if !has_editor && !has_reader
  176. elem.destroy!
  177. elsif !has_editor && has_reader
  178. elem.update!(access: 'reader') if permission.access == 'editor'
  179. end
  180. end
  181. KnowledgeBase::Category.all.each(&:touch)
  182. end
  183. end