TT#149459 enhance expand functionality with allowed_roles

* allowed_roles in the expand definition restricts the field
  to the roles in the allowed list; for any other role the
  field is not expanded.

Change-Id: Ib6f776388457327f2fa85e71deb9591022cee2da
mr10.2
Kirill Solomko 5 years ago
parent ad6467561f
commit 78b80e7064

@ -11,6 +11,7 @@ has_field 'contact_id' => (
title => ['The contact id this contract belongs to.'],
expand => {
class => 'NGCP::Panel::Role::API::SystemContacts',
allowed_roles => [qw(admin)],
},
},
);

@ -12,6 +12,7 @@ has_field 'billing_profile_id' => (
element_attr => {
expand => {
class => 'NGCP::Panel::Role::API::BillingProfiles',
allowed_roles => [qw(admin reseller)],
},
},
);
@ -21,6 +22,7 @@ has_field 'contact_id' => (
element_attr => {
expand => {
class => 'NGCP::Panel::Role::API::CustomerContacts',
allowed_roles => [qw(admin reseller)],
},
},
);
@ -30,6 +32,7 @@ has_field 'contract_id' => (
element_attr => {
expand => {
class => 'NGCP::Panel::Role::API::Contracts',
allowed_roles => [qw(admin)],
},
},
);
@ -39,6 +42,7 @@ has_field 'customer_id' => (
element_attr => {
expand => {
class => 'NGCP::Panel::Role::API::Customers',
allowed_roles => [qw(admin reseller ccareadmin ccare)],
},
},
);
@ -48,6 +52,7 @@ has_field 'domain_id' => (
element_attr => {
expand => {
class => 'NGCP::Panel::Role::API::Domains',
allowed_roles => [qw(admin reseller ccareadmin ccare)],
},
},
);
@ -57,6 +62,7 @@ has_field 'reseller_id' => (
element_attr => {
expand => {
class => 'NGCP::Panel::Role::API::Resellers',
allowed_roles => [qw(admin)],
},
},
);
@ -67,6 +73,7 @@ has_field 'subscriber_id' => (
expand => {
class => 'NGCP::Panel::Role::API::Subscribers',
remove_fields => [qw(password webpassword)],
allowed_roles => [qw(admin reseller ccareadmin ccare)],
},
},
);
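Review bot: The `allowed_roles` lists in these `expand` definitions gate expansion by role name only, so for `reseller`, `ccareadmin` and `ccare` the expanded customer, domain, contact or subscriber still has to be limited to objects of the caller's own reseller. That object-level check would have to live in the target `NGCP::Panel::Role::API::*` class, which is outside these hunks and should be confirmed. In the `subscriber_id` definition, `remove_fields => [qw(password webpassword)]` is the only redaction visible, and it applies unchanged to the care roles, so it is worth verifying that the Subscribers resource exposes no other credential-like field to them. A one-line comment above each list, for example `# roles allowed to see the expanded object; no list means no expansion`, would document the default-deny behaviour where the field is defined.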

@ -26,6 +26,7 @@ use Data::HAL qw();
use Data::HAL::Link qw();
use NGCP::Panel::Utils::ValidateJSON qw();
use NGCP::Panel::Utils::Journal qw();
use List::Util qw(any);
#It is expected to work for all our 3 common cases:
#1. Body is the plain json data
@ -1350,6 +1351,9 @@ sub expand_field {
$expand = $attr->{expand} // return;
}
return unless $expand->{allowed_roles};
return unless any { $c->user->roles eq $_ } @{$expand->{allowed_roles}};
my $id = $resource->{$field};
my $to = $expand->{to} // $field . '_expand';
my $class = $expand->{class} // return;
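Review bot: The role test `return unless any { $c->user->roles eq $_ } @{$expand->{allowed_roles}};` treats `roles` as a single string, so it is correct only while `$c->user->roles` yields exactly one role name in scalar context. If it can return a list, or be undefined for some request, the comparison never matches and expansion is silently denied. Reading the role once makes that assumption explicit: `my $role = $c->user->roles // return;` followed by `return unless any { $role eq $_ } @{$expand->{allowed_roles}};`. The preceding `return unless $expand->{allowed_roles};` makes a missing list mean "never expand", which is a safe default but turns expansion off for any form this commit did not update, so it deserves a comment such as `# default-deny: an expand definition without allowed_roles is never expanded`. The body of expand_field starts and ends outside the hunk.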
