TT#44077 Disable subscriberadmin creation for subadmin in API

And add checking of used customer to limit subscriberadmin and reseller to own customers Change-Id: I979afe8d2babaa0df3ac7106cb9d423548d3634c
7 years ago · 49e9e49b74
parent f5117d3746
commit 49e9e49b74
3 changed files with 14 additions and 0 deletions
--- a/lib/NGCP/Panel/Form/Subscriber/SubscriberSubAdminAPI.pm
+++ b/lib/NGCP/Panel/Form/Subscriber/SubscriberSubAdminAPI.pm
@ -4,6 +4,8 @@ use HTML::FormHandler::Moose;
 extends 'HTML::FormHandler';
 use NGCP::Panel::Utils::Form qw();

+#e164 administrative timezone profile_set are absent in web ui
+
 has_field 'contract' => (
    type => '+NGCP::Panel::Field::CustomerContract',
    label => 'Customer',
@ -102,6 +104,7 @@ has_field 'administrative' => (
    type => 'Boolean',
    label => 'Administrative',
    required => 0,
+    readonly => 1,
    element_attr => {
        rel => ['tooltip'],
        title => ['Whether the subscriber can configure other subscribers within his Customer account.']
--- a/lib/NGCP/Panel/Role/API/Subscribers.pm
+++ b/lib/NGCP/Panel/Role/API/Subscribers.pm
@ -327,6 +327,8 @@ sub prepare_resource {
        }
        $resource->{customer_id} = $pilot->account_id;
        $resource->{status} = 'active';
+        #deny to create subscriberadmin, the same as in the web ui
+        $resource->{administrative} = $item ? $item->provisioning_voip_subscriber->admin : 0;
    }
    $resource->{e164} = delete $resource->{primary_number};
    $resource->{status} //= 'active';
--- a/lib/NGCP/Panel/Utils/Subscriber.pm
+++ b/lib/NGCP/Panel/Utils/Subscriber.pm
@ -219,6 +219,15 @@ sub create_subscriber {
        $c->log->warn("invalid license status: $status");
        # die("invalid license status: $status");
    }
+    if ($c->user->roles eq "reseller") {
+        if ($contract->contact->reseller_id ne $c->user->reseller_id) {
+            die("invalid contract id '".$contract->id."'");
+        }
+    } elsif ($c->user->roles eq "subscriberadmin" || $c->user->roles eq "subscriber") {#while we don't allow to create subscribers to subscriber role, of course
+        if ($contract->id ne $c->user->account_id) {
+            die("invalid contract id '".$contract->id."'");
+        }
+    }

    my ($profile_set, $profile);
    #as we don't allow to change customer (l. 624), so we shouldn't allow profile_set that belongs to other reseller