MT#62180 /api/subscribers prevent subscribers from POST/DELETE

* regular subscribers should not be able to use POST as they are not allowed to create other subscribers, nor other PBX groups. resource. * they should not be able to use DELETE as they cannot delete themselves nor other subscribers, nor PBX groups. Change-Id: Idaacb344b65ff8c5da9f4c3649a9b4089938a82c
2 months ago · 4eace822b5
parent 015ee893d9
commit 4eace822b5
2 changed files with 8 additions and 4 deletions
--- a/lib/NGCP/Panel/Controller/API/Subscribers.pm
+++ b/lib/NGCP/Panel/Controller/API/Subscribers.pm
@ -18,14 +18,17 @@ use NGCP::Panel::Utils::ProfilePackages qw();
 use NGCP::Panel::Utils::Events qw();
 use UUID;

-__PACKAGE__->set_config({
-    allowed_roles => [qw/admin reseller ccareadmin ccare subscriberadmin subscriber/],
-});
-
 sub allowed_methods{
    return [qw/GET POST OPTIONS HEAD/];
 }

+__PACKAGE__->set_config({
+    allowed_roles => {
+        Default => [qw/admin reseller ccareadmin ccare subscriberadmin subscriber/],
+        POST    => [qw/admin reseller ccareadmin ccare subscriberadmin/],
+    }
+});
+
 sub api_description {
    return 'Defines an actual user who can log into the web panel, register devices via SIP and/or '.
        'XMPP and place and receive calls via SIP. A subscriber always belongs to a '.
--- a/lib/NGCP/Panel/Controller/API/SubscribersItem.pm
+++ b/lib/NGCP/Panel/Controller/API/SubscribersItem.pm
@ -24,6 +24,7 @@ use parent qw/NGCP::Panel::Role::EntitiesItem NGCP::Panel::Role::API::Subscriber
 __PACKAGE__->set_config({
    allowed_roles => {
        Default => [qw/admin reseller ccareadmin ccare subscriberadmin subscriber/],
+        DELETE  => [qw/admin reseller ccareadmin ccare subscriberadmin/],
        Journal => [qw/admin reseller ccareadmin ccare/],
    }
 });