Maintenance: Add assets level to have different data sets based on pe…

…rmissions
burstw0w · Oct 5, 2021 · 867b36b · 867b36b
1 parent acc93a2
commit 867b36b
Show file tree

Hide file tree

Showing 11 changed files with 284 additions and 6 deletions.
diff --git a/app/models/application_model/can_associations.rb b/app/models/application_model/can_associations.rb
@@ -121,7 +121,7 @@ def attributes_with_association_ids
 
     key = "#{self.class}::aws::#{id}"
     cache = Cache.read(key)
-    return cache if cache
+    return filter_unauthorized_attributes(cache) if cache
 
     attributes = self.attributes
     relevant   = %i[has_and_belongs_to_many has_many]
@@ -160,7 +160,7 @@ def attributes_with_association_ids
     filter_attributes(attributes)
 
     Cache.write(key, attributes)
-    attributes
+    filter_unauthorized_attributes(attributes)
   end
 
 =begin
@@ -234,15 +234,18 @@ def attributes_with_association_names(empty_keys: false)
     end
 
     filter_attributes(attributes)
-
-    attributes
+    filter_unauthorized_attributes(attributes)
   end
 
   def filter_attributes(attributes)
     # remove forbidden attributes
     attributes.except!('password', 'token', 'tokens', 'token_ids')
   end
 
+  def filter_unauthorized_attributes(attributes)
+    attributes
+  end
+
 =begin
 
 reference if association id check

diff --git a/app/models/group.rb b/app/models/group.rb
@@ -12,6 +12,8 @@ class Group < ApplicationModel
   include HasTicketCreateScreenImpact
   include HasSearchIndexBackend
 
+  include Group::Assets
+
   belongs_to :email_address, optional: true
   belongs_to :signature, optional: true
 

diff --git a/app/models/group/assets.rb b/app/models/group/assets.rb
@@ -0,0 +1,14 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class Group
+  module Assets
+    extend ActiveSupport::Concern
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      attributes = super
+      attributes.slice('id', 'name', 'active')
+    end
+  end
+end
diff --git a/app/models/object_manager/element/backend.rb b/app/models/object_manager/element/backend.rb
@@ -43,7 +43,7 @@ def default_data
   end
 
   def screens
-    attribute.screens.transform_values do |permission_options|
+    @screens ||= attribute.screens.transform_values do |permission_options|
       screen_value(permission_options)
     end
   end

diff --git a/app/models/organization/assets.rb b/app/models/organization/assets.rb
@@ -70,5 +70,12 @@ def assets(data)
       end
       data
     end
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      attributes = super
+      attributes.slice('id', 'name', 'active')
+    end
   end
 end
diff --git a/app/models/role/assets.rb b/app/models/role/assets.rb
@@ -60,5 +60,13 @@ def assets(data)
       end
       data
     end
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      attributes = super
+      attributes['name'] = "Role_#{id}"
+      attributes.slice('id', 'name', 'group_ids', 'permission_ids', 'active')
+    end
   end
 end
diff --git a/app/models/user/assets.rb b/app/models/user/assets.rb
@@ -110,5 +110,20 @@ def assets(data)
       end
       data
     end
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      # customer assets for the user session
+      if UserInfo.current_user_id == id
+        attributes = super
+        attributes.except!('web', 'phone', 'mobile', 'fax', 'department', 'street', 'zip', 'city', 'country', 'address', 'note')
+        return attributes
+      end
+
+      # customer assets for other user
+      attributes = super
+      attributes.slice('id', 'firstname', 'lastname', 'image', 'image_source', 'active')
+    end
   end
 end
diff --git a/lib/session_helper.rb b/lib/session_helper.rb
@@ -4,7 +4,7 @@ module SessionHelper
   def self.json_hash(user)
     collections, assets = default_collections(user)
     {
-      session:     user.filter_attributes(user.attributes),
+      session:     user.filter_unauthorized_attributes(user.filter_attributes(user.attributes)),
       models:      models(user),
       collections: collections,
       assets:      assets,

diff --git a/lib/user_info.rb b/lib/user_info.rb
@@ -7,6 +7,11 @@ def self.current_user_id
 
   def self.current_user_id=(user_id)
     Thread.current[:user_id] = user_id
+    Thread.current[:assets]  = UserInfo::Assets.new(user_id)
+  end
+
+  def self.assets
+    Thread.current[:assets]
   end
 
   def self.ensure_current_user_id

diff --git a/lib/user_info/assets.rb b/lib/user_info/assets.rb
@@ -0,0 +1,52 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class UserInfo::Assets
+  LEVEL_CUSTOMER = 1
+  LEVEL_AGENT    = 2
+  LEVEL_ADMIN    = 3
+
+  attr_accessor :current_user_id, :level, :filter_attributes, :user
+
+  def initialize(current_user_id)
+    @current_user_id = current_user_id
+    @user = User.find_by(id: current_user_id) if current_user_id.present?
+
+    set_level
+  end
+
+  def admin?
+    check_level?(UserInfo::Assets::LEVEL_ADMIN)
+  end
+
+  def agent?
+    check_level?(UserInfo::Assets::LEVEL_AGENT)
+  end
+
+  def customer?
+    check_level?(UserInfo::Assets::LEVEL_CUSTOMER)
+  end
+
+  def set_level
+    if user.blank?
+      self.level = nil
+      return
+    end
+
+    self.level = UserInfo::Assets::LEVEL_CUSTOMER
+    Permission.where(id: user.permissions_with_child_ids).each do |permission|
+      case permission.name
+      when %r{^admin\.}
+        self.level = UserInfo::Assets::LEVEL_ADMIN
+        break
+      when 'ticket.agent'
+        self.level = UserInfo::Assets::LEVEL_AGENT
+      end
+    end
+  end
+
+  def check_level?(check)
+    return true if user.blank?
+
+    level >= check
+  end
+end
diff --git a/spec/system/basic/assets_spec.rb b/spec/system/basic/assets_spec.rb
@@ -0,0 +1,172 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+require 'rails_helper'
+
+RSpec.describe 'Assets', type: :system, db_strategy: :reset do
+  let(:organization) { create(:organization, note: 'hello') }
+  let(:customer) { create(:customer, organization: organization, note: 'hello', last_login: Time.zone.now, login_failed: 1) }
+  let(:agent) { create(:agent, groups: [Group.find_by(name: 'Users')], note: 'hello', last_login: Time.zone.now, login_failed: 1) }
+  let(:admin) { create(:admin, groups: [Group.find_by(name: 'Users')], note: 'hello', last_login: Time.zone.now, login_failed: 1) }
+  let(:ticket) { create(:ticket, owner: agent, group: Group.find_by(name: 'Users'), customer: customer, created_by: admin) }
+
+  context 'groups' do
+    def group_note
+      page.execute_script('return App.Group.first().note')
+    end
+
+    describe 'when customer', authenticated_as: :customer do
+      it 'can not access group details' do
+        expect(group_note).to be nil
+      end
+    end
+
+    describe 'when agent', authenticated_as: :agent do
+      it 'can access group details' do
+        expect(group_note).not_to be nil
+      end
+    end
+
+    describe 'when admin', authenticated_as: :admin do
+      it 'can access group details' do
+        expect(group_note).not_to be nil
+      end
+    end
+  end
+
+  context 'organizations' do
+    def organization_note
+      page.execute_script("return App.Organization.find(#{organization.id}).note")
+    end
+
+    before do
+      visit "#ticket/zoom/#{ticket.id}"
+    end
+
+    describe 'when customer', authenticated_as: :customer do
+      it 'can not access organization details' do
+        expect(organization_note).to be nil
+      end
+    end
+
+    describe 'when agent', authenticated_as: :agent do
+      it 'can access organization details' do
+        expect(organization_note).not_to be nil
+      end
+    end
+
+    describe 'when admin', authenticated_as: :admin do
+      it 'can access organization details' do
+        expect(organization_note).not_to be nil
+      end
+    end
+  end
+
+  context 'roles' do
+    def role_name
+      page.execute_script('return App.Role.first().name')
+    end
+
+    before do
+      visit "#ticket/zoom/#{ticket.id}"
+    end
+
+    describe 'when customer', authenticated_as: :customer do
+      it 'can not access role details' do
+        expect(role_name).to eq('Role_1')
+      end
+    end
+
+    describe 'when agent', authenticated_as: :agent do
+      it 'can access role details' do
+        expect(role_name).not_to eq('Role_1')
+      end
+    end
+
+    describe 'when admin', authenticated_as: :admin do
+      it 'can access role details' do
+        expect(role_name).not_to eq('Role_1')
+      end
+    end
+  end
+
+  context 'users' do
+    def customer_email
+      page.execute_script("return App.User.find(#{customer.id}).email")
+    end
+
+    def customer_note
+      page.execute_script("return App.User.find(#{customer.id}).note")
+    end
+
+    def owner_firstname
+      page.execute_script("return App.User.find(#{agent.id}).firstname")
+    end
+
+    def owner_details
+      [
+        page.execute_script("return App.User.find(#{agent.id}).last_login"),
+        page.execute_script("return App.User.find(#{agent.id}).login_failed"),
+        page.execute_script("return App.User.find(#{agent.id}).email"),
+        page.execute_script("return App.User.find(#{agent.id}).note"),
+      ].compact
+    end
+
+    before do
+      visit "#ticket/zoom/#{ticket.id}"
+    end
+
+    describe 'when customer', authenticated_as: :customer do
+      it 'can access customer email' do
+        expect(customer_email).not_to be nil
+      end
+
+      it 'can not access customer note' do
+        expect(customer_note).to be nil
+      end
+
+      it 'can not access owner details' do
+        expect(owner_details).to be_empty
+      end
+
+      it 'can access owner firstname' do
+        expect(owner_firstname).not_to be nil
+      end
+    end
+
+    describe 'when agent', authenticated_as: :agent do
+      it 'can access customer email' do
+        expect(customer_email).not_to be nil
+      end
+
+      it 'can access customer note' do
+        expect(customer_note).not_to be nil
+      end
+
+      it 'can access owner details' do
+        expect(owner_details).not_to be_empty
+      end
+
+      it 'can access owner firstname' do
+        expect(owner_firstname).not_to be nil
+      end
+    end
+
+    describe 'when admin', authenticated_as: :admin do
+      it 'can access customer email' do
+        expect(customer_email).not_to be nil
+      end
+
+      it 'can access customer note' do
+        expect(customer_note).not_to be nil
+      end
+
+      it 'can access owner details' do
+        expect(owner_details).not_to be_empty
+      end
+
+      it 'can access owner firstname' do
+        expect(owner_firstname).not_to be nil
+      end
+    end
+  end
+end