From 1b1cec1ee169c2192c8a5a8a312aa60eda0fc809 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Tue, 19 Feb 2019 23:03:32 -0500
Subject: [PATCH] fix(permissions): default user role unable to login correctly #153

---
 src/controllers/api/v1/routes.js | 6 ++---
 src/controllers/api/v1/settings.js | 24 +++++++++++++++++
 src/helpers/hbs/helpers.js | 2 +-
 src/public/js/app.js | 1 +
 src/views/partials/settings/permissions.hbs | 2 +-
 src/views/subviews/profile.hbs | 2 +-
 src/views/subviews/singleticket.hbs | 30 ++++++++++-----------
 7 files changed, 46 insertions(+), 21 deletions(-)

diff --git a/src/controllers/api/v1/routes.js b/src/controllers/api/v1/routes.js
index 681b3de57..bd6533c84 100644
--- a/src/controllers/api/v1/routes.js
+++ b/src/controllers/api/v1/routes.js
@@ -106,10 +106,10 @@ module.exports = function (middleware, router, controllers) {
 router.post('/api/v1/public/account/create', checkCaptcha, checkOrigin, apiCtrl.users.createPublicAccount)
 // Groups
- router.get('/api/v1/groups', apiv1, canUser('groups:view'), apiCtrl.groups.get)
+ router.get('/api/v1/groups', apiv1, apiCtrl.groups.get)
 router.get('/api/v1/groups/all', apiv1, canUser('groups:view'), apiCtrl.groups.getAll)
 router.post('/api/v1/groups/create', apiv1, canUser('groups:create'), apiCtrl.groups.create)
- router.get('/api/v1/groups/:id', apiv1, canUser('groups:view'), apiCtrl.groups.getSingleGroup)
+ router.get('/api/v1/groups/:id', apiv1, apiCtrl.groups.getSingleGroup)
 router.put('/api/v1/groups/:id', apiv1, canUser('groups:update'), apiCtrl.groups.updateGroup)
 router.delete('/api/v1/groups/:id', apiv1, canUser('groups:delete'), apiCtrl.groups.deleteGroup)
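Review bot: Dropping `canUser('groups:view')` from `GET /api/v1/groups` and `GET /api/v1/groups/:id` lets any authenticated principal list every group and fetch any group by id, which is broader than a "default user can log in" fix needs, and `/api/v1/groups/all` on the line between them keeps the check, so the three reads are now guarded inconsistently. If the intent is only that a user can see the groups they belong to, leave the middleware off but have `apiCtrl.groups.get` and `getSingleGroup` scope their result to groups `req.user` is a member of and answer 403/404 otherwise — those handlers are not visible here, so confirm whether they already do. At minimum record the contract next to the route: `// open to every authenticated user: the handlers must filter to the caller's own groups`.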
@@ -155,7 +155,7 @@ module.exports = function (middleware, router, controllers) {
 router.post(genBaseUrl + 'tickets_by_user', apiv1, canUser('reports:create'), reportsGenCtrl.ticketsByUser)
 // Settings
- router.get('/api/v1/settings', apiv1, isAdmin, apiCtrl.settings.getSettings)
+ router.get('/api/v1/settings', apiv1, apiCtrl.settings.getSettings)
 router.put('/api/v1/settings', apiv1, isAdmin, apiCtrl.settings.updateSetting)
 router.post('/api/v1/settings/testmailer', apiv1, isAdmin, apiCtrl.settings.testMailer)
 router.put('/api/v1/settings/mailer/template/:id', apiv1, isAdmin, apiCtrl.settings.updateTemplateSubject)
diff --git a/src/controllers/api/v1/settings.js b/src/controllers/api/v1/settings.js
index 390f7e554..d904a53df 100644
--- a/src/controllers/api/v1/settings.js
+++ b/src/controllers/api/v1/settings.js
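Review bot: With `isAdmin` removed from `GET /api/v1/settings`, the only thing keeping mailer credentials and the TPS API key away from non-admin callers is the per-field stripping inside `apiCtrl.settings.getSettings`, and that handler keys on `req.user.role.isAdmin`, a different test from the `isAdmin` middleware the sibling `PUT`/`POST` routes still use; I cannot confirm from this hunk that the two always agree. Record the new contract on the route so nobody later assumes the endpoint is admin-only: `// readable by every authenticated user; non-admin responses are redacted in apiCtrl.settings.getSettings`. If `apiv1` can authenticate callers (for example API-key clients) whose `req.user.role` is not populated, the handler will throw on `role.isAdmin` rather than redact — safe, but worth a check.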
@@ -32,6 +32,30 @@ apiSettings.getSettings = function (req, res) {
 settingsUtil.getSettings(function (err, settings) {
 if (err) return res.status(400).json({ success: false, error: err })
+ // Sanitize
+ if (!req.user.role.isAdmin) {
+ delete settings.data.settings.mailerHost
+ delete settings.data.settings.mailerSSL
+ delete settings.data.settings.mailerPort
+ delete settings.data.settings.mailerUsername
+ delete settings.data.settings.mailerPassword
+ delete settings.data.settings.mailerFrom
+ delete settings.data.settings.mailerCheckEnabled
+ delete settings.data.settings.mailerCheckPolling
+ delete settings.data.settings.mailerCheckHost
+ delete settings.data.settings.mailerCheckPort
+ delete settings.data.settings.mailerCheckPassword
+ delete settings.data.settings.mailerCheckTicketType
+ delete settings.data.settings.mailerCheckTicketPriority
+ delete settings.data.settings.mailerCheckCreateAccount
+ delete settings.data.settings.mailerCheckDeleteMessage
+ delete settings.data.settings.tpsEnabled
+ delete settings.data.settings.tpsUsername
+ delete settings.data.settings.tpsApiKey
+
+ delete settings.data.mailTemplates
+ }
+
 return res.json({ success: true, settings: settings })
 })
 }
diff --git a/src/helpers/hbs/helpers.js b/src/helpers/hbs/helpers.js
index 2f81811f3..4bad268e0 100644
--- a/src/helpers/hbs/helpers.js
+++ b/src/helpers/hbs/helpers.js
@@ -693,7 +693,7 @@ var helpers = {
 var p = require('../../permissions')
 if (p.canThis(user.role, perm)) return options.fn(this)
- options.inverse(this)
+ return options.inverse(this)
 },
 checkRole: function (role, perm, options) {
diff --git a/src/public/js/app.js b/src/public/js/app.js
index 8a069c3c2..55fee8055 100644
--- a/src/public/js/app.js
+++ b/src/public/js/app.js
@@ -36,6 +36,7 @@ require(['jquery', 'modules/helpers', 'angular', 'async', 'angularjs/services'],
 }
 ],
 function (err) {
+ if (err) console.log(err)
 if (err) throw new Error(err)
 require(['angularjs/main'], function () {
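Review bot: The redaction in `getSettings` is a deny-list, so every setting not named in it — including any mailer or TPS key added later — reaches non-admin callers by default; the list also pairs `mailerUsername` with `mailerPassword` but strips `mailerCheckHost`/`mailerCheckPassword` with no mailer-check username key, so if such a setting exists it is not covered. An allow-list of the fields the non-admin UI actually needs is the robust shape; failing that, strip whole families by prefix (every key deleted here starts with `mailer` or `tps`) so the class of omission closes, as below. The hunk also mutates the object `settingsUtil.getSettings` hands back; that is fine if it is built fresh per call, but if it is cached or shared the deletes would affect later admin responses too — not determinable from this hunk.

```javascript
    // Sanitize: non-admins never receive mailer/TPS configuration. Matching
    // by prefix, rather than a fixed list of names, also covers keys added
    // later. Assumes settings.data.settings is a plain object keyed by setting
    // name, as the existing deletes imply.
    if (!req.user.role.isAdmin) {
      Object.keys(settings.data.settings).forEach(function (key) {
        if (/^(mailer|tps)/.test(key)) delete settings.data.settings[key]
      })
      delete settings.data.mailTemplates
    }
    // … unchanged: return res.json({ success: true, settings: settings }) …
```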
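Review bot: The added `if (err) console.log(err)` duplicates the test on the very next line and sends the error to stdout; `console.error(err)` is the right channel and the two can be a single guarded block, `if (err) { console.error(err); throw new Error(err) }`. Separately, the unchanged `throw new Error(err)` stringifies the original error and drops its stack, so `throw err` would preserve more for whoever reads the console. The enclosing `require([...], ...)` callback starts outside this hunk.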
diff --git a/src/views/partials/settings/permissions.hbs b/src/views/partials/settings/permissions.hbs index de245a19b..216d96827 100644 --- a/src/views/partials/settings/permissions.hbs +++ b/src/views/partials/settings/permissions.hbs @@ -232,7 +232,7 @@
diff --git a/src/views/subviews/profile.hbs b/src/views/subviews/profile.hbs index c901472e1..35a22e07e 100644 --- a/src/views/subviews/profile.hbs +++ b/src/views/subviews/profile.hbs @@ -133,7 +133,7 @@
- +
diff --git a/src/views/subviews/singleticket.hbs b/src/views/subviews/singleticket.hbs index 25ce942c4..5a75c46ea 100644 --- a/src/views/subviews/singleticket.hbs +++ b/src/views/subviews/singleticket.hbs @@ -14,28 +14,28 @@
{{data.ticket.status}}
{{#is data.ticket.status 0}} - {{#canUserOrAdmin data.user "agent:*"}} + {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
New
{{else}}
New
{{/canUserOrAdmin}} {{/is}} {{#is data.ticket.status 1}} - {{#canUserOrAdmin data.user "agent:*"}} + {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
Open
{{else}}
Open
{{/canUserOrAdmin}} {{/is}} {{#is data.ticket.status 2}} - {{#canUserOrAdmin data.user "agent:*"}} + {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
Pending
{{else}}
Pending
{{/canUserOrAdmin}} {{/is}} {{#is data.ticket.status 3}} - {{#canUserOrAdmin data.user "agent:*"}} + {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
Closed
{{else}}
Closed
@@ -59,7 +59,7 @@ {{#if data.ticket.assignee}}
Type - {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}} + {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}} Group - {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}} + {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}} - +
@@ -294,7 +294,7 @@
Comments {{size data.ticket.comments}} - {{#hasPermOverRole data.ticket.owner.role data.user.role 'tickets:notes'}} + {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role 'tickets:notes'}} Notes {{size data.ticket.notes}}