From 551c8b39f908d0e31277bee79e0303830ea17def Mon Sep 17 00:00:00 2001
From: Flaviu Mates
Date: Thu, 26 Nov 2020 20:52:54 +0200
Subject: [PATCH] TT#103401 Allow subscriber access to /api/mailtofaxsettings/{id}
* Add subscriber roles to MailToFaxSettingsItem and allow them to only access their settings
* Don't return the 'active' field on subsciber requests; instead, return 403 if mail2fax is not active
Change-Id: I773df0c21fcba29f9e7b5172160178ff99482964
---
 .../Controller/API/MailToFaxSettingsItem.pm | 9 ++++---
 lib/NGCP/Panel/Role/API/MailToFaxSettings.pm | 25 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/lib/NGCP/Panel/Controller/API/MailToFaxSettingsItem.pm b/lib/NGCP/Panel/Controller/API/MailToFaxSettingsItem.pm
index ddeaddea2a..d74de42e6d 100644
--- a/lib/NGCP/Panel/Controller/API/MailToFaxSettingsItem.pm
+++ b/lib/NGCP/Panel/Controller/API/MailToFaxSettingsItem.pm
@@ -37,8 +37,8 @@ sub journal_query_params {
 __PACKAGE__->set_config({
     allowed_roles => {
-        Default => [qw/admin reseller ccareadmin ccare/],
-        Journal => [qw/admin reseller ccareadmin ccare/],
+        Default => [qw/admin reseller ccareadmin ccare subscriber subscriberadmin/],
+        Journal => [qw/admin reseller ccareadmin ccare subscriber subscriberadmin/],
     }
 });
@@ -50,6 +50,7 @@ sub GET :Allow {
         last unless $self->resource_exists($c, mailtofaxsettings => $subs);
         my $hal = $self->hal_from_item($c, $subs);
+        last unless $hal;
         my $response = HTTP::Response->new(HTTP_OK, undef, HTTP::Headers->new(
             (map { # XXX Data::HAL must be able to generate links with multiple relations
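Review bot: The `last unless $hal;` guard in GET is only correct because hal_from_item now calls `$self->error(...)` before returning undef, and nothing at the call site records that; a reader will otherwise see a silent fall-through on a bare `last`. A one-line comment on the added line would make the contract explicit: `last unless $hal; # hal_from_item already set the 403/error response`. GET's body continues past the end of the hunk, so whether any later code still dereferences `$hal` unconditionally cannot be confirmed here.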
@@ -81,7 +82,9 @@ sub PATCH :Allow {
         my $item = $self->item_by_id($c, $id);
         last unless $self->resource_exists($c, mailtofaxsettings => $item);
-        my $old_resource = $self->hal_from_item($c, $item)->resource;
+        my $old_hal = $self->hal_from_item($c, $item);
+        last unless $old_hal;
+        my $old_resource = $old_hal->resource;
         my $resource = $self->apply_patch($c, $old_resource, $json);
         last unless $resource;
diff --git a/lib/NGCP/Panel/Role/API/MailToFaxSettings.pm b/lib/NGCP/Panel/Role/API/MailToFaxSettings.pm
index 8266baf7a0..534130f1a5 100644
--- a/lib/NGCP/Panel/Role/API/MailToFaxSettings.pm
+++ b/lib/NGCP/Panel/Role/API/MailToFaxSettings.pm
@@ -38,6 +38,11 @@ sub hal_from_item {
         };
     }
+    if ($mtf_preference->active == 0 && ($c->user->roles eq 'subscriber' || $c->user->roles eq 'subscriberadmin')) {
+        $self->error($c, HTTP_FORBIDDEN, "Forbidden!");
+        return;
+    }
+
     my %resource = (
         $mtf_preference ? $mtf_preference->get_inflated_columns : (),
         subscriber_id => $item->id,
@@ -80,7 +85,7 @@ sub hal_from_item {
         resource => \%resource,
         run => 0,
     );
-
+    $self->post_process_hal_resource($c, $item, \%resource, $form);
     $hal->resource(\%resource);
     return $hal;
 }
@@ -100,6 +105,10 @@ sub _item_rs {
             },
         }, {
             join => { 'contract' => 'contact' },
         });
+    } elsif ($c->user->roles eq 'subscriber' || $c->user->roles eq 'subscriberadmin') {
+        $item_rs = $item_rs->search({
+            'provisioning_voip_subscriber.id' => $c->user->id,
+        });
     }
     return $item_rs;
@@ -128,6 +137,14 @@ sub update_item {
         resource => $resource,
         run => 1,
     );
+    if ($c->user->roles eq 'subscriber' || $c->user->roles eq 'subscriberadmin') {
+        #subscriber's can't change the 'active' field
+        $resource->{active} = $prov_subs->voip_mail_to_fax_preference->active;
+        if ($prov_subs->voip_mail_to_fax_preference->active == 0) {
+            $self->error($c, HTTP_FORBIDDEN, "Forbidden!");
+            return;
+        }
+    }
     if (! exists $resource->{secret_renew_notify} ) {
         $resource->{secret_renew_notify} = [];
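Review bot: PATCH now tolerates hal_from_item returning undef, but the same `->resource` chain is likely used by any other action in this controller that builds an old resource for journaling (PUT, if present), and that code is outside the hunk and not touched by the commit; it should get the same `last unless $old_hal;` guard or a subscriber request with an inactive mail2fax preference will die with "Can't call method resource on an undefined value" instead of the intended 403. A short comment on the guard would also help: `last unless $old_hal; # 403 already sent for subscriber roles with mail2fax inactive`. PATCH's body starts and ends outside the hunk.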
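Review bot: The new check in hal_from_item calls `$mtf_preference->active` before testing that `$mtf_preference` is defined, while the very next statement (`$mtf_preference ? $mtf_preference->get_inflated_columns : ()`) shows the preference row can be absent; a subscriber without a mail2fax preference row would therefore get a 500 rather than the intended 403. Reordering and guarding the condition fixes it: `if (($c->user->roles eq 'subscriber' || $c->user->roles eq 'subscriberadmin') && !($mtf_preference && $mtf_preference->active)) {`. The update_item hunk below (`$prov_subs->voip_mail_to_fax_preference->active`) has the same unguarded dereference and should be fixed the same way. The role test itself is now repeated in four places in this file; a small `_is_subscriber_role($c)` helper would keep the two role names from drifting apart.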
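Review bot: The subscriber branch in _item_rs is the only place that actually restricts which rows a subscriber-role caller can reach (the 403 checks elsewhere only run after a row was found), so its intent deserves a comment; in particular, `subscriberadmin` is scoped here to the caller's own `provisioning_voip_subscriber.id`, which matches the commit message but is narrower than an account-wide scope, if that is what subscriberadmin is granted for other resources in this API — I cannot tell from the hunk. Suggested comment above the elsif: `# subscriber roles (incl. subscriberadmin) may only read/modify their own row; foreign ids 404 here, before any 403 logic`. _item_rs starts outside the hunk, so the alias `provisioning_voip_subscriber` used in the search key is assumed to match the resultset's join alias defined above.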
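Review bot: In update_item the subscriber branch assigns `$resource->{active}` and only then checks whether mail2fax is active, and it does so after `validate_form(... run => 1)` has already run on the caller-supplied resource; if the form treats `active` as required, subscriber PUT/PATCH bodies (which never carry `active`, since post_process_hal_resource strips it) would fail validation before the override is reached — worth confirming against the form class, which is outside the hunk. Checking first and fetching the preference once reads more clearly: `my $mtf_pref = $prov_subs->voip_mail_to_fax_preference;`, `unless ($mtf_pref && $mtf_pref->active) { $self->error($c, HTTP_FORBIDDEN, "Forbidden!"); return; }`, `$resource->{active} = $mtf_pref->active; # subscriber roles cannot toggle 'active'`. The `#subscriber's` comment should lose the apostrophe. update_item's body starts and ends outside the hunk.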
@@ -171,5 +188,11 @@ sub update_item {
     return $item;
 }
+sub post_process_hal_resource {
+    my ($self, $c, $item, $resource, $form) = @_;
+    delete $resource->{active} if ($c->user->roles eq 'subscriber' || $c->user->roles eq 'subscriberadmin');
+    return $resource;
+}
+
 1;
 # vim: set tabstop=4 expandtab:
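Review bot: post_process_hal_resource takes `$item` and `$form` but uses neither, and it has no comment saying why `active` is hidden from subscriber roles (the commit message explains it, the code does not); a reader of hal_from_item cannot tell whether the deletion is a security decision or an oversight. A header comment would carry that intent: `# Strips fields subscriber roles must not see or edit: 'active' is admin-controlled and its state is communicated via 403 instead.` If `$item` and `$form` are kept for signature symmetry with similar hooks in other roles, say so in the same comment; otherwise drop them.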