tyler.durden/opensupports
1
0
Fork 0
mirror of https://github.com/opensupports/opensupports.git synced 2025-07-29 00:34:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ivan - Fix issue #27, fix frontend<->backend data flow with staff editor, add 403 response

Browse Source
This commit is contained in:
ivan 2017-06-25 19:03:56 -03:00
parent fcb26fab60
commit 00801f3b61
9 changed files with 31 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
client/src/app/admin/panel/staff/staff-editor.js
View File

@ -290,7 +290,7 @@ class StaffEditor extends React.Component {
path: '/staff/edit', path: '/staff/edit',
data: { data: {
staffId: this.props.staffId, staffId: this.props.staffId,
sendEmailOnNewTicket: form.sendEmailOnNewTicket, sendEmailOnNewTicket: form.sendEmailOnNewTicket * 1,
email: form.email, email: form.email,
password: form.password, password: form.password,
level: (form.level !== undefined) ? form.level + 1 : null, level: (form.level !== undefined) ? form.level + 1 : null,

2
client/src/reducers/config-reducer.js
View File

@ -44,7 +44,7 @@ class ConfigReducer extends Reducer {
})); }));
return _.extend({}, state, payload.data, { return _.extend({}, state, payload.data, {
language: currentLanguage || payload.data.language, language: currentLanguage || payload.data.language || 'en',
registration: !!(payload.data.registration * 1), registration: !!(payload.data.registration * 1),
'user-system-enabled': !!(payload.data['user-system-enabled']* 1), 'user-system-enabled': !!(payload.data['user-system-enabled']* 1),
'allow-attachments': !!(payload.data['allow-attachments']* 1), 'allow-attachments': !!(payload.data['allow-attachments']* 1),

4
client/src/reducers/session-reducer.js
View File

@ -114,7 +114,7 @@ class SessionReducer extends Reducer {
userLevel: userData.level, userLevel: userData.level,
userDepartments: userData.departments, userDepartments: userData.departments,
userTickets: userData.tickets, userTickets: userData.tickets,
userSendEmailOnNewTicket: userData.sendEmailOnNewTicket userSendEmailOnNewTicket: userData.sendEmailOnNewTicket * 1
}); });
} }
@ -133,7 +133,7 @@ class SessionReducer extends Reducer {
userDepartments: userData.departments, userDepartments: userData.departments,
userTickets: userData.tickets, userTickets: userData.tickets,
userId: userId, userId: userId,
userSendEmailOnNewTicket: userData.sendEmailOnNewTicket userSendEmailOnNewTicket: userData.sendEmailOnNewTicket * 1
}); });
} }

8
server/controllers/staff/edit.php
View File

@ -75,7 +75,7 @@ class EditStaffController extends Controller {
$this->staffInstance->password = Hashing::hashPassword(Controller::request('password')); $this->staffInstance->password = Hashing::hashPassword(Controller::request('password'));
} }
if(Controller::request('level') && Controller::isStaffLogged(3) && Controller::request('staffId') !== Controller::getLoggedUser()->id) { if(Controller::request('level') && Controller::isStaffLogged(3) && !$this->isModifyingCurrentStaff()) {
$this->staffInstance->level = Controller::request('level'); $this->staffInstance->level = Controller::request('level');
} }
@ -87,7 +87,7 @@ class EditStaffController extends Controller {
$this->staffInstance->profilePic = ($fileUploader instanceof FileUploader) ? $fileUploader->getFileName() : null; $this->staffInstance->profilePic = ($fileUploader instanceof FileUploader) ? $fileUploader->getFileName() : null;
} }
if(Controller::request('sendEmailOnNewTicket') !== null && !Controller::request('staffId') ) { if(Controller::request('sendEmailOnNewTicket') !== null && $this->isModifyingCurrentStaff()) {
$this->staffInstance->sendEmailOnNewTicket = Controller::request('sendEmailOnNewTicket'); $this->staffInstance->sendEmailOnNewTicket = Controller::request('sendEmailOnNewTicket');
} }
@ -141,4 +141,8 @@ class EditStaffController extends Controller {
} }
} }
} }
private function isModifyingCurrentStaff() {
return Controller::request('staffId') === Controller::getLoggedUser()->id;
}
} }

3
server/controllers/staff/get.php
View File

@ -67,7 +67,8 @@ class GetStaffController extends Controller {
'level' => $user->level, 'level' => $user->level,
'staff' => true, 'staff' => true,
'departments' => $parsedDepartmentList, 'departments' => $parsedDepartmentList,
'tickets' => $user->sharedTicketList->toArray() 'tickets' => $user->sharedTicketList->toArray(),
'sendEmailOnNewTicket' => $user->sendEmailOnNewTicket
]); ]);
} }
} }

20
server/controllers/system/download.php
View File

@ -39,31 +39,31 @@ class DownloadController extends Controller {
public function handler() { public function handler() {
$fileName = Controller::request('file'); $fileName = Controller::request('file');
$staffUser = Staff::getDataStore($fileName, 'profilePic'); $isStaffProfilePic = !Staff::getDataStore($fileName, 'profilePic')->isNull();
if($staffUser->isNull()) { if(!$isStaffProfilePic) {
$session = Session::getInstance(); $session = Session::getInstance();
$loggedUser = Controller::getLoggedUser(); $loggedUser = Controller::getLoggedUser();
if(!$session->sessionExists()) { if(!$session->sessionExists()) {
print ''; Response::respond403();
return; return;
} }
$ticket = Ticket::getTicket($fileName, 'file'); $ticket = Ticket::getTicket($fileName, 'file');
if($ticket->isNull() || ($this->isNotAuthor($ticket, $loggedUser) && $this->isNotOwner($ticket, $loggedUser))) { if($ticket->isNull() || ($this->isNotAuthor($ticket, $loggedUser) && $this->isNotDepartmentOwner($ticket, $loggedUser))) {
$ticketEvent = Ticketevent::getDataStore($fileName, 'file'); $ticketEvent = Ticketevent::getDataStore($fileName, 'file');
if($ticketEvent->isNull()) { if($ticketEvent->isNull()) {
print ''; Response::respond403();
return; return;
} }
$ticket = $ticketEvent->ticket; $ticket = $ticketEvent->ticket;
if($this->isNotAuthor($ticket, $loggedUser) && $this->isNotOwner($ticket, $loggedUser)) { if($this->isNotAuthor($ticket, $loggedUser) && $this->isNotDepartmentOwner($ticket, $loggedUser)) {
print ''; Response::respond403();
return; return;
} }
} }
@ -80,17 +80,17 @@ class DownloadController extends Controller {
if($session->getTicketNumber()) { if($session->getTicketNumber()) {
return $session->getTicketNumber() !== $ticket->ticketNumber; return $session->getTicketNumber() !== $ticket->ticketNumber;
} else { } else {
return Controller::getLoggedUser()->level >= 1 || $ticket->author->id !== $loggedUser->id; return $loggedUser->level >= 1 || $ticket->author->id !== $loggedUser->id;
} }
} }
private function isNotOwner($ticket, $loggedUser) { private function isNotDepartmentOwner($ticket, $loggedUser) {
$session = Session::getInstance(); $session = Session::getInstance();
if($session->getTicketNumber()) { if($session->getTicketNumber()) {
return $session->getTicketNumber() !== $ticket->ticketNumber; return $session->getTicketNumber() !== $ticket->ticketNumber;
} else { } else {
return !(Controller::getLoggedUser()->level >= 1) || !$ticket->owner || $ticket->owner->id !== $loggedUser->id; return !($loggedUser->level >= 1) || !$loggedUser->sharedDepartmentList->includesId($ticket->department->id);
} }
} }
} }

6
server/models/Response.php
View File

@ -25,4 +25,10 @@ class Response {
$app->response->setBody(json_encode($response)); $app->response->setBody(json_encode($response));
$app->response->finalize(); $app->response->finalize();
} }
public static function respond403() {
$app = \Slim\Slim::getInstance();
$app->response->setStatus(403);
$app->response->finalize();
}
} }

2
tests/staff/get.rb
View File

@ -13,6 +13,7 @@ describe '/staff/get/' do
(result['data']['staff']).should.equal(true) (result['data']['staff']).should.equal(true)
(result['data']['email']).should.equal('staff@opensupports.com') (result['data']['email']).should.equal('staff@opensupports.com')
(result['data']['level']).should.equal('3') (result['data']['level']).should.equal('3')
(result['data']['sendEmailOnNewTicket']).should.equal('1')
end end
it 'should return staff member data with staff Id' do it 'should return staff member data with staff Id' do
result = request('/staff/get', { result = request('/staff/get', {
@ -26,5 +27,6 @@ describe '/staff/get/' do
(result['data']['staff']).should.equal(true) (result['data']['staff']).should.equal(true)
(result['data']['email']).should.equal('tyrion@opensupports.com') (result['data']['email']).should.equal('tyrion@opensupports.com')
(result['data']['level']).should.equal('2') (result['data']['level']).should.equal('2')
(result['data']['sendEmailOnNewTicket']).should.equal('0')
end end
end end

20
tests/system/file-upload-download.rb
View File

@ -37,31 +37,13 @@ describe 'File Upload and Download' do
(result.body).should.equal(file.read) (result.body).should.equal(file.read)
end end
it 'should not download if author is not logged' do it 'should download if department owner is logged' do
request('/user/logout') request('/user/logout')
Scripts.login('staff@opensupports.com', 'staff', true) Scripts.login('staff@opensupports.com', 'staff', true)
ticket = $database.getLastRow('ticket')
result = plainRequest('/system/download', {
'csrf_userid' => $csrf_userid,
'csrf_token' => $csrf_token,
'file' => ticket['file']
}, 'GET')
(result.body).should.equal('')
end
it 'should download if owner is logged' do
ticket = $database.getLastRow('ticket') ticket = $database.getLastRow('ticket')
file = File.open("../server/files/" + ticket['file']) file = File.open("../server/files/" + ticket['file'])
request('/staff/assign-ticket', {
'csrf_userid' => $csrf_userid,
'csrf_token' => $csrf_token,
'ticketNumber' => ticket['ticket_number']
})
result = plainRequest('/system/download', { result = plainRequest('/system/download', {
'csrf_userid' => $csrf_userid, 'csrf_userid' => $csrf_userid,
'csrf_token' => $csrf_token, 'csrf_token' => $csrf_token,