diff --git a/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm b/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm index 45ae1cd8f7..3e8a31577e 100644 --- a/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm +++ b/lib/NGCP/Panel/Authentication/Store/RoleFromRealm.pm @@ -8,7 +8,9 @@ sub roles { if ($self->auth_realm) { for my $auth_type (qw/admin_bcrypt admin admin_jwt api_admin_cert api_admin_http api_admin api_admin_bcrypt api_admin_jwt/) { if ($auth_type eq $self->auth_realm) { - if ($self->_user->is_ccare) { + if ($self->_user->lawful_intercept) { + return "lintercept"; + } elsif ($self->_user->is_ccare) { $self->_user->is_superuser ? return "ccareadmin" : return "ccare"; } else { diff --git a/lib/NGCP/Panel/Controller/API/Admins.pm b/lib/NGCP/Panel/Controller/API/Admins.pm index 2dc3343053..4ed2fdb5c6 100644 --- a/lib/NGCP/Panel/Controller/API/Admins.pm +++ b/lib/NGCP/Panel/Controller/API/Admins.pm @@ -7,8 +7,6 @@ use parent qw/NGCP::Panel::Role::Entities NGCP::Panel::Role::API::Admins/; use HTTP::Status qw(:constants); -__PACKAGE__->set_config(); - sub api_description { return 'Defines admins to log into the system via panel or api.'; } @@ -17,6 +15,10 @@ sub allowed_methods{ return [qw/GET POST OPTIONS HEAD/]; } +__PACKAGE__->set_config({ + allowed_roles => [qw/admin reseller lintercept/], +}); + sub query_params { return [ { @@ -34,6 +36,10 @@ sub query_params { sub create_item { my ($self, $c, $resource, $form, $process_extras) = @_; + if ($c->user->roles eq 'lintercept') { + $self->error($c, HTTP_FORBIDDEN, "Cannot create admin users"); + return; + } unless($c->user->is_master) { $self->error($c, HTTP_FORBIDDEN, "Cannot create admin without master permissions"); return; diff --git a/lib/NGCP/Panel/Controller/API/AdminsItem.pm b/lib/NGCP/Panel/Controller/API/AdminsItem.pm index 780c1fba94..ccf324e057 100644 --- a/lib/NGCP/Panel/Controller/API/AdminsItem.pm +++ b/lib/NGCP/Panel/Controller/API/AdminsItem.pm 
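Review bot: The new `lawful_intercept` branch takes precedence over `is_ccare` and `is_superuser` for the same account, so a superuser that also carries the flag is mapped to "lintercept" only and loses its admin role; that precedence is the permission boundary the rest of this change relies on and should be stated on the branch, e.g. `# lawful_intercept is exclusive: it wins over ccare/superuser, so an LI admin never receives the admin role`. It is also worth confirming that only a superuser can set the flag on another admin (the Administrator UI hides the column from LI admins), since whoever can set it moves that account out of the admin/ccare permission model. The loop and `roles` continue past the hunk.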
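Review bot: `$c->user->roles eq 'lintercept'` is now compared as a bare string in this controller and in at least five other places in the change (AdminsItem, Administrator, Root, Role::API::Admins, Utils::API), so a typo in any one of them fails open for that check. A single predicate next to the other user flags, e.g. `sub is_lintercept { return $_[0]->roles eq 'lintercept' }` on the user object, or a constant in Utils::Auth, would make the guard at the top of `create_item` read `if ($c->user->is_lintercept) {`. The rest of `create_item` is outside the hunk.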
@@ -21,7 +21,9 @@ sub get_journal_methods{ return [qw/handle_item_base_journal handle_journals_get handle_journalsitem_get handle_journals_options handle_journalsitem_options handle_journals_head handle_journalsitem_head/]; } -__PACKAGE__->set_config(); +__PACKAGE__->set_config({ + allowed_roles => [qw/admin reseller lintercept/], +}); sub PATCH :Allow { my ($self, $c, $id) = @_; diff --git a/lib/NGCP/Panel/Controller/API/Interceptions.pm b/lib/NGCP/Panel/Controller/API/Interceptions.pm index 2e24fa6d62..558160dc1a 100644 --- a/lib/NGCP/Panel/Controller/API/Interceptions.pm +++ b/lib/NGCP/Panel/Controller/API/Interceptions.pm @@ -61,7 +61,7 @@ sub relation{ } __PACKAGE__->set_config({ - allowed_roles => [qw/admin reseller/], + allowed_roles => [qw/lintercept/], }); sub auto :Private { diff --git a/lib/NGCP/Panel/Controller/API/Root.pm b/lib/NGCP/Panel/Controller/API/Root.pm index 055f6299b6..7808d87768 100644 --- a/lib/NGCP/Panel/Controller/API/Root.pm +++ b/lib/NGCP/Panel/Controller/API/Root.pm @@ -29,7 +29,7 @@ __PACKAGE__->config( action => { map { $_ => { ACLDetachTo => 'invalid_user', - AllowedRole => [qw/admin reseller ccareadmin ccare subscriberadmin subscriber/], + AllowedRole => [qw/admin reseller ccareadmin ccare lintercept subscriberadmin subscriber/], Args => 0, Does => [qw(ACL CheckTrailingSlash RequireSSL)], Method => $_, diff --git a/lib/NGCP/Panel/Controller/Administrator.pm b/lib/NGCP/Panel/Controller/Administrator.pm index 56d88aa10b..acb7cc53ca 100644 --- a/lib/NGCP/Panel/Controller/Administrator.pm +++ b/lib/NGCP/Panel/Controller/Administrator.pm 
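Review bot: Adding lintercept to `allowed_roles` here opens every item method of this controller to LI admins, and only PATCH/PUT are narrowed by `get_form` returning the LIntercept form; DELETE is not restricted in this diff, unlike the UI side where `delete_admin` was limited to admin/reseller, so an LI admin could presumably delete its own record. If that is not intended, add the same guard the collection controller uses at the top of DELETE: `if ($c->user->roles eq 'lintercept') { $self->error($c, HTTP_FORBIDDEN, "Cannot delete admin users"); return; }`. The PATCH body and DELETE are outside the hunk.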
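Review bot: Restricting `allowed_roles` to lintercept alone is the right direction, but it is a silent breaking change for any existing admin or reseller API client of this collection, and nothing in the hunk records that decision; a line in the collection's api_description such as `Only administrators with the lawful_intercept flag may access this resource.` would make the refusal explainable. The `auto :Private` that follows is outside the hunk, so I cannot see whether the read side still scopes interceptions by `$c->user->reseller_id` the way `apply_resource_reseller_id` now pins it on write; that should be confirmed for an LI admin whose account is a superuser.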
@@ -9,7 +9,7 @@ use NGCP::Panel::Utils::Message;
 use NGCP::Panel::Utils::Navigation;
 use NGCP::Panel::Utils::Auth;
-sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRole(reseller) {
+sub auto :Does(ACL) :ACLDetachTo('/denied_page') :AllowedRole(admin) :AllowedRole(reseller) :AllowedRole(lintercept) {
 my ($self, $c) = @_;
 $c->log->debug(__PACKAGE__ . '::auto');
 NGCP::Panel::Utils::Navigation::check_redirect_chain(c => $c);
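Review bot: Granting lintercept on the controller-wide ACL makes every action chained under this controller reachable by LI admins, and the only per-action narrowing in the change is on `create` and `delete_admin`; `ajax`, `root` and `edit` rely on the resultset filter instead, and any action not touched by the diff gets no extra check. I would add `# lintercept admins may only view/edit their own record; any action that must stay admin/reseller-only needs its own ACL` above the sub so the next action added here is not silently exposed. The body of `auto` continues past the hunk.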
@@ -27,22 +27,24 @@ sub list_admin :PathPart('administrator') :Chained('/') :CaptureArgs(0) { my $cols = [ { name => "id", search => 1, title => $c->loc("#") }, ]; - if($c->user->is_superuser) { + if($c->user->is_superuser && $c->user->roles ne 'lintercept') { @{ $cols } = (@{ $cols }, { name => "reseller.name", search => 1, title => $c->loc("Reseller") }); } @{ $cols } = (@{ $cols }, { name => "login", search => 1, title => $c->loc("Login") }, { name => "email", search => 1, title => $c->loc("Email") }, - { name => "is_master", title => $c->loc("Master") }, - { name => "is_ccare", title => $c->loc("Customer Care") }, - { name => "is_active", title => $c->loc("Active") }, - { name => "read_only", title => $c->loc("Read Only") }, - { name => "show_passwords", title => $c->loc("Show Passwords") }, - { name => "call_data", title => $c->loc("Show CDRs") }, - { name => "billing_data", title => $c->loc("Show Billing Info") }, - { name => "can_reset_password", title => $c->loc("Can Reset Password") }, + $c->user->roles eq 'admin' || $c->user->roles eq 'reseller' ? + ({ name => "is_master", title => $c->loc("Master") }, + { name => "is_ccare", title => $c->loc("Customer Care") }, + { name => "is_active", title => $c->loc("Active") }, + { name => "read_only", title => $c->loc("Read Only") }, + { name => "show_passwords", title => $c->loc("Show Passwords") }, + { name => "call_data", title => $c->loc("Show CDRs") }, + { name => "billing_data", title => $c->loc("Show Billing Info") }, + { name => "can_reset_password", title => $c->loc("Can Reset Password") }, + ) : () ); - if($c->user->is_superuser) { + if($c->user->is_superuser && $c->user->roles ne 'lintercept') { @{ $cols } = (@{ $cols }, { name => "lawful_intercept", title => $c->loc("Lawful Intercept") }); } $c->stash->{admin_dt_columns} = NGCP::Panel::Utils::Datatables::set_columns($c, $cols); 
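Review bot: `$c->user->roles eq 'admin' || $c->user->roles eq 'reseller' ? (...) : ()` spliced into the column list parses as intended because `||` binds tighter than `?:`, but it reads as if the ternary applied to the reseller comparison only, and `$c->user->roles` is evaluated four times with the `is_superuser && ... ne 'lintercept'` test duplicated. Hoist `my $role = $c->user->roles; my $is_li = $role eq 'lintercept';` before `$cols` is built, write both guards as `if (!$is_li && $c->user->is_superuser)`, and parenthesise the list condition as `($role eq 'admin' || $role eq 'reseller') ? (...) : ()`. `list_admin` continues past the hunk.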
@@ -62,6 +64,13 @@ sub _admin_resultset_reseller { }); } +sub _admin_resultset_lintercept { + my ($self, $c) = @_; + return $c->model('DB')->resultset('admins')->search({ + login => $c->user->login + }); +} + sub root :Chained('list_admin') :PathPart('') :Args(0) { my ($self, $c) = @_; return; @@ -75,7 +84,7 @@ sub ajax :Chained('list_admin') :PathPart('ajax') :Args(0) { return; } -sub create :Chained('list_admin') :PathPart('create') :Args(0) { +sub create :Chained('list_admin') :PathPart('create') :Args(0) :AllowedRole(admin) :AllowedRole(reseller) { my ($self, $c) = @_; $c->detach('/denied_page') @@ -165,9 +174,11 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) { my $params = { $c->stash->{administrator}->get_inflated_columns }; $params->{reseller}{id} = delete $params->{reseller_id}; $params = merge($params, $c->session->{created_objects}); - if($c->stash->{administrator}->login eq NGCP::Panel::Utils::Auth::get_special_admin_login()){ + if ($c->user->roles eq 'lintercept') { + $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::LIntercept", $c); + } elsif ($c->stash->{administrator}->login eq NGCP::Panel::Utils::Auth::get_special_admin_login()){ $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::AdminSpecial", $c); - }elsif($c->user->is_superuser) { + } elsif($c->user->is_superuser) { $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Admin", $c); } else { $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Reseller", $c); @@ -241,7 +252,7 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) { ); } -sub delete_admin :Chained('base') :PathPart('delete') :Args(0) { +sub delete_admin :Chained('base') :PathPart('delete') :Args(0) :AllowedRole(admin) :AllowedRole(reseller) { my ($self, $c) = @_; if($c->stash->{administrator}->id == $c->user->id) { diff --git a/lib/NGCP/Panel/Controller/Root.pm b/lib/NGCP/Panel/Controller/Root.pm index 790a8390ea..bfe9e94be2 100644 
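Review bot: `_admin_resultset_lintercept` scopes the list by `login => $c->user->login`, while `delete_admin` in the same file identifies the current admin by `id == $c->user->id`; unless `login` is globally unique in the `admins` table (I cannot tell from here), matching on the name could return another reseller's admin with the same login. Use the primary key, `id => $c->user->id`, which is what the rest of the controller compares against.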
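Review bot: The `:AllowedRole(admin) :AllowedRole(reseller)` attributes added to `create` are not accompanied by `:Does(ACL)`, whereas `auto` in this file and the API Root config both pair AllowedRole with the ACL action role, so unless the controller config applies that role to every action these attributes are presumably inert and an LI admin still reaches the body. The `$c->detach('/denied_page')` that follows is cut off, so I cannot see what it tests; either add `:Does(ACL) :ACLDetachTo('/denied_page')` next to the new attributes or put an explicit guard first: `$c->detach('/denied_page') if $c->user->roles eq 'lintercept';`. The body of `create` runs past the hunk.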
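Review bot: The LIntercept form is chosen purely from the caller's role, which is only safe because `base` is expected to resolve `$c->stash->{administrator}` through `_admin_resultset_lintercept` so an LI admin can reach nothing but its own record; that coupling is not visible in the hunk and deserves a comment on the new branch, e.g. `# LI admins can only ever edit themselves (see _admin_resultset_lintercept), so the reduced form is enough`. Note the AdminSpecial check is now skipped for LI admins, which is harmless only if the special admin can never carry the lawful_intercept flag. `edit` continues past the hunk.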
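Review bot: `delete_admin` gets `:AllowedRole(admin) :AllowedRole(reseller)` without `:Does(ACL)`, so unless the controller config attaches the ACL action role to every action these attributes presumably enforce nothing, and the self-deletion check that follows is the only thing between an LI admin and deleting its own record. Add `:Does(ACL) :ACLDetachTo('/denied_page')` next to the attributes, or an explicit `$c->detach('/denied_page') if $c->user->roles eq 'lintercept';` before the id comparison. The body of `delete_admin` continues past the hunk.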
--- a/lib/NGCP/Panel/Controller/Root.pm
+++ b/lib/NGCP/Panel/Controller/Root.pm
@@ -103,6 +103,10 @@ sub auto :Private {
 my $reseller_id = $c->user->reseller_id;
 my $tz_row = $c->model('DB')->resultset('reseller_timezone')->find({reseller_id => $reseller_id});
 _set_session_tz_from_row($c, $tz_row, 'reseller', $reseller_id);
+ } elsif($c->user->roles eq 'lintercept') {
+ my $reseller_id = $c->user->reseller_id;
+ my $tz_row = $c->model('DB')->resultset('reseller_timezone')->find({reseller_id => $reseller_id});
+ _set_session_tz_from_row($c, $tz_row, 'reseller', $reseller_id);
 } else {
 # this should not happen
 }
diff --git a/lib/NGCP/Panel/Form/Administrator/LIntercept.pm b/lib/NGCP/Panel/Form/Administrator/LIntercept.pm
new file mode 100644
index 0000000000..af7c242b02
--- /dev/null
+++ b/lib/NGCP/Panel/Form/Administrator/LIntercept.pm
@@ -0,0 +1,32 @@
+package NGCP::Panel::Form::Administrator::LIntercept;
+use HTML::FormHandler::Moose;
+use HTML::FormHandler::Widget::Block::Bootstrap;
+use NGCP::Panel::Utils::Form;
+extends 'HTML::FormHandler';
+has '+widget_wrapper' => (default => 'Bootstrap');
+has_field 'submitid' => ( type => 'Hidden' );
+sub build_render_list {[qw/submitid fields actions/]}
+sub build_form_element_class {[qw(form-horizontal)]}
+has_field 'password' => (type => 'Password', required => 1, label => 'Password');
+has_field 'email' => (type => 'Email', required => 0, label => 'Email', maxlength => 255);
+has_field 'save' => (type => 'Submit', element_class => [qw(btn btn-primary)],);
+has_block 'fields' => (
+ tag => 'div',
+ class => [qw(modal-body)],
+ render_list => [qw(
+ password email
+ )],
+);
+has_block 'actions' => (tag => 'div', class => [qw(modal-footer)], render_list => [qw(save)],);
+sub validate_password {
+ my ($self, $field) = @_;
+ my $c = $self->form->ctx;
+ return unless $c;
+ NGCP::Panel::Utils::Form::validate_password(c => $c, field => $field);
+}
+1;
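Review bot: The lintercept branch is a verbatim copy of the reseller branch above it; fold it into that condition, `} elsif ($c->user->roles eq 'reseller' || $c->user->roles eq 'lintercept') {`, so the timezone lookup is not maintained twice. It also assumes an LI admin always has a `reseller_id`; for a superuser account carrying the lawful_intercept flag that value may be undef, in which case the `find` matches nothing and `_set_session_tz_from_row` is handed an empty row, which is worth a comment if that is the intended fallback. The surrounding `auto` is outside the hunk.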
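Review bot: `password` is declared `required => 1`, so every save through this form, including an email-only change, forces the LI admin to set a new password, and where `get_form` hands this form to the API an email-only PATCH would presumably fail validation; if the Admin and Reseller forms treat the password as optional on edit (not visible here), this one should match with `required => 0`. A header comment would also help readers: `# Self-service form for lawful-intercept admins: password and email only, no permission flags or reseller`.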
diff --git a/lib/NGCP/Panel/Role/API/Admins.pm b/lib/NGCP/Panel/Role/API/Admins.pm
index 2ed1d4b79b..8107464fb6 100644
--- a/lib/NGCP/Panel/Role/API/Admins.pm
+++ b/lib/NGCP/Panel/Role/API/Admins.pm
@@ -38,7 +38,7 @@ sub _item_rs {
 });
 }
- if($c->user->is_master || $c->user->is_superuser) {
+ if ($c->user->roles ne 'lintercept' && ($c->user->is_master || $c->user->is_superuser)) {
 # return all (or all of reseller) admins
 } else {
 # otherwise, only return the own admin if master is not set
@@ -52,7 +52,9 @@ sub _item_rs {
 sub get_form {
 my ($self, $c) = @_;
 my $form;
- if($c->user->roles eq "admin") {
+ if ($c->user->roles eq "lintercept") {
+ $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::LIntercept", $c);
+ } elsif ($c->user->roles eq "admin") {
 $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Admin", $c);
 } else {
 $form = NGCP::Panel::Form::get("NGCP::Panel::Form::Administrator::Reseller", $c);
diff --git a/lib/NGCP/Panel/Utils/API.pm b/lib/NGCP/Panel/Utils/API.pm
index b08a4156f0..eba2ac2354 100644
--- a/lib/NGCP/Panel/Utils/API.pm
+++ b/lib/NGCP/Panel/Utils/API.pm
@@ -36,6 +36,8 @@ sub apply_resource_reseller_id {
 }
 } elsif($c->user->roles eq "reseller") {
 $reseller_id = $c->user->reseller_id;
+ } elsif($c->user->roles eq "lintercept") {
+ $reseller_id = $c->user->reseller_id;
 }
 $resource->{reseller_id} = $reseller_id;
 return $resource;
diff --git a/share/layout/body.tt b/share/layout/body.tt
index f79622bef7..00c1f11507 100644
--- a/share/layout/body.tt
+++ b/share/layout/body.tt
@@ -24,7 +24,7 @@
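Review bot: `_item_rs` now routes an LI admin to the own-record branch even when `is_master` or `is_superuser` is set, which is the right default, but the else-branch comment still reads "only return the own admin if master is not set" and no longer describes that case; update it to `# otherwise (non-master, or any lawful-intercept admin) only return the own admin`. `_item_rs` continues outside the hunk.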
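Review bot: The lintercept branch in `apply_resource_reseller_id` duplicates the reseller branch; `} elsif($c->user->roles eq "reseller" || $c->user->roles eq "lintercept") {` keeps a single assignment. The behaviour it encodes, that an LI admin can never choose a `reseller_id` in the resource and is pinned to its own regardless of any other flag, is easy to miss and worth a one-line comment: `# LI admins are always pinned to their own reseller, whatever the resource says`. The start of the sub is outside the hunk.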