mirror of
https://github.com/internetee/registry.git
synced 2025-07-02 17:23:34 +02:00
Merge branch 'master' of github.com:domify/registry
This commit is contained in:
commit
6725b3cadc
14 changed files with 96 additions and 33 deletions
|
@ -12,6 +12,10 @@ module Repp
|
|||
error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
|
||||
end
|
||||
|
||||
if @current_user.cannot?(:view, :repp)
|
||||
error! I18n.t('no_permission'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
|
||||
end
|
||||
|
||||
next if Rails.env.test? || Rails.env.development?
|
||||
message = 'Certificate mismatch! Cert common name should be:'
|
||||
request_name = env['HTTP_SSL_CLIENT_S_DN_CN']
|
||||
|
@ -22,7 +26,6 @@ module Repp
|
|||
else
|
||||
error! "#{message} #{@current_user.username}", 401 if @current_user.username != request_name
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
helpers do
|
||||
|
|
|
@ -55,6 +55,8 @@ class Admin::ApiUsersController < AdminController
|
|||
end
|
||||
|
||||
def api_user_params
|
||||
params.require(:api_user).permit(:username, :password, :active, :registrar_id, :registrar_typeahead, :identity_code)
|
||||
params.require(:api_user).permit(:username, :password, :active,
|
||||
:registrar_id, :registrar_typeahead,
|
||||
:identity_code, { roles: [] })
|
||||
end
|
||||
end
|
||||
|
|
|
@ -35,7 +35,7 @@ class Registrar::SessionsController < Devise::SessionsController
|
|||
@api_user = ApiUser.find_by(username: params[:depp_user][:tag])
|
||||
if @api_user.active?
|
||||
sign_in @api_user
|
||||
redirect_to registrar_root_url
|
||||
redirect_to role_base_root_url(@api_user)
|
||||
else
|
||||
@depp_user.errors.add(:base, :not_active)
|
||||
render 'login'
|
||||
|
@ -52,7 +52,7 @@ class Registrar::SessionsController < Devise::SessionsController
|
|||
|
||||
if @user
|
||||
sign_in(@user, event: :authentication)
|
||||
redirect_to registrar_root_url
|
||||
redirect_to role_base_root_url(@user)
|
||||
else
|
||||
flash[:alert] = t('no_such_user')
|
||||
redirect_to registrar_login_url
|
||||
|
@ -70,7 +70,7 @@ class Registrar::SessionsController < Devise::SessionsController
|
|||
if Rails.env.test? && phone == "123"
|
||||
@user = ApiUser.find_by(identity_code: "14212128025")
|
||||
sign_in(@user, event: :authentication)
|
||||
return redirect_to registrar_root_url
|
||||
return redirect_to role_base_root_url(@user)
|
||||
end
|
||||
|
||||
# country_codes = {'+372' => 'EST'}
|
||||
|
@ -112,7 +112,7 @@ class Registrar::SessionsController < Devise::SessionsController
|
|||
sign_in @user
|
||||
flash[:notice] = t(:welcome)
|
||||
flash.keep(:notice)
|
||||
render js: "window.location = '#{registrar_root_path}'"
|
||||
render js: "window.location = '#{role_base_root_url(@user)}'"
|
||||
when 'NOT_VALID'
|
||||
render json: { message: t(:user_signature_is_invalid) }, status: :bad_request
|
||||
when 'EXPIRED_TRANSACTION'
|
||||
|
@ -145,7 +145,16 @@ class Registrar::SessionsController < Devise::SessionsController
|
|||
private
|
||||
|
||||
def check_ip
|
||||
return if Rails.env.development?
|
||||
return if WhiteIp.registrar_ip_white?(request.ip)
|
||||
render text: t('access_denied') and return
|
||||
end
|
||||
|
||||
def role_base_root_url(user)
|
||||
if user.try(:roles) == ['billing']
|
||||
registrar_invoices_url
|
||||
else
|
||||
registrar_root_url
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -12,6 +12,11 @@ class RegistrarController < ApplicationController
|
|||
|
||||
def check_ip
|
||||
return unless current_user
|
||||
unless current_user.is_a? ApiUser
|
||||
sign_out(current_user)
|
||||
return
|
||||
end
|
||||
return if Rails.env.development?
|
||||
return if current_user.registrar.registrar_ip_white?(request.ip)
|
||||
flash[:alert] = t('access_denied')
|
||||
sign_out(current_user)
|
||||
|
|
|
@ -1,21 +1,21 @@
|
|||
class Ability
|
||||
include CanCan::Ability
|
||||
|
||||
# rubocop: disable Metrics/CyclomaticComplexity
|
||||
# rubocop: disable Metrics/PerceivedComplexity
|
||||
# rubocop: disable Metrics/LineLength
|
||||
def initialize(user)
|
||||
alias_action :show, to: :view
|
||||
alias_action :show, :create, :update, :destroy, to: :crud
|
||||
|
||||
@user = user || AdminUser.new
|
||||
@user = user || User.new
|
||||
|
||||
case @user.class.to_s
|
||||
when 'AdminUser'
|
||||
@user.roles.each { |role| send(role) } if @user.roles
|
||||
when 'ApiUser'
|
||||
epp
|
||||
registrar
|
||||
registrant # refactor
|
||||
@user.roles.each { |role| send(role) } if @user.roles
|
||||
when 'RegistrantUser'
|
||||
registrant
|
||||
static_registrant
|
||||
end
|
||||
|
||||
# Public user
|
||||
|
@ -23,10 +23,7 @@ class Ability
|
|||
can :create, :registrant_domain_update_confirm
|
||||
end
|
||||
|
||||
# rubocop: disable Metrics/CyclomaticComplexity
|
||||
# rubocop: disable Metrics/PerceivedComplexity
|
||||
# rubocop: disable Metrics/LineLength
|
||||
def epp
|
||||
def static_epp
|
||||
# Epp::Domain
|
||||
can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
|
||||
can(:check, Epp::Domain)
|
||||
|
@ -46,14 +43,12 @@ class Ability
|
|||
can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
|
||||
can(:renew, Epp::Contact)
|
||||
can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
|
||||
end
|
||||
# rubocop: enable Metrics/LineLength
|
||||
# rubocop: enable Metrics/CyclomaticComplexity
|
||||
# rubocop: enable Metrics/PerceivedComplexity
|
||||
|
||||
def registrar
|
||||
can :manage, Invoice
|
||||
can :read, AccountActivity
|
||||
# REPP
|
||||
can(:manage, :repp)
|
||||
end
|
||||
|
||||
def static_registrar
|
||||
can :manage, Nameserver
|
||||
can :view, :registrar_dashboard
|
||||
can :delete, :registrar_poll
|
||||
|
@ -65,10 +60,9 @@ class Ability
|
|||
can :manage, Depp::Keyrelay
|
||||
can :confirm, :keyrelay
|
||||
can :confirm, :transfer
|
||||
can :manage, :deposit
|
||||
end
|
||||
|
||||
def registrant
|
||||
def static_registrant
|
||||
can :manage, :registrant_whois
|
||||
can :manage, Depp::Domain
|
||||
end
|
||||
|
@ -77,6 +71,28 @@ class Ability
|
|||
can :show, :dashboard
|
||||
end
|
||||
|
||||
# Registrar/api_user dynamic role
|
||||
def super
|
||||
static_registrar
|
||||
billing
|
||||
epp
|
||||
end
|
||||
|
||||
# Registrar/api_user dynamic role
|
||||
def epp
|
||||
static_registrar
|
||||
static_epp
|
||||
end
|
||||
|
||||
# Registrar/api_user dynamic role
|
||||
def billing
|
||||
can :view, :registrar_dashboard
|
||||
can :manage, Invoice
|
||||
can :manage, :deposit
|
||||
can :read, AccountActivity
|
||||
end
|
||||
|
||||
# Admin/admin_user dynamic role
|
||||
def customer_service
|
||||
user
|
||||
can :manage, Domain
|
||||
|
@ -84,6 +100,7 @@ class Ability
|
|||
can :manage, Registrar
|
||||
end
|
||||
|
||||
# Admin/admin_user dynamic role
|
||||
def admin
|
||||
customer_service
|
||||
can :manage, Setting
|
||||
|
@ -105,4 +122,7 @@ class Ability
|
|||
can :create, :zonefile
|
||||
can :access, :settings_menu
|
||||
end
|
||||
# rubocop: enable Metrics/LineLength
|
||||
# rubocop: enable Metrics/CyclomaticComplexity
|
||||
# rubocop: enable Metrics/PerceivedComplexity
|
||||
end
|
||||
|
|
|
@ -6,7 +6,7 @@ class AdminUser < User
|
|||
|
||||
validate :validate_identity_code, if: -> { country_code == 'EE' }
|
||||
|
||||
ROLES = %w(user customer_service admin)
|
||||
ROLES = %w(user customer_service admin) # should not match to api_users roles
|
||||
|
||||
devise :database_authenticatable, :rememberable, :trackable, :validatable, :lockable
|
||||
|
||||
|
|
|
@ -15,11 +15,13 @@ class ApiUser < User
|
|||
belongs_to :registrar
|
||||
has_many :certificates
|
||||
|
||||
validates :username, :password, :registrar, presence: true
|
||||
validates :username, :password, :registrar, :roles, presence: true
|
||||
validates :username, uniqueness: true
|
||||
|
||||
attr_accessor :registrar_typeahead
|
||||
|
||||
ROLES = %w(super epp billing) # should not match to admin roles
|
||||
|
||||
def ability
|
||||
@ability ||= Ability.new(self)
|
||||
end
|
||||
|
|
|
@ -29,11 +29,20 @@
|
|||
%span.glyphicon.glyphicon-ok.form-control-feedback.js-typeahead-ok.hidden
|
||||
%span.glyphicon.glyphicon-remove.form-control-feedback.js-typeahead-remove
|
||||
= f.hidden_field(:registrar_id, class: 'js-registrar-id')
|
||||
.checkbox
|
||||
%label{for: 'api_user_active'}
|
||||
= f.check_box(:active)
|
||||
= t(:active)
|
||||
.form-group
|
||||
.col-md-4.control-label
|
||||
= f.label :role
|
||||
.col-md-7
|
||||
= select_tag 'api_user[roles][]',
|
||||
options_for_select(ApiUser::ROLES.map {|x| [t(x), x] }, @api_user.roles.try(:first)),
|
||||
class: 'form-control selectize'
|
||||
.checkbox
|
||||
%label{for: 'api_user_active'}
|
||||
= f.check_box(:active)
|
||||
= t(:active)
|
||||
|
||||
%hr
|
||||
|
||||
.row
|
||||
.col-md-8.text-right
|
||||
= button_tag(t(:save), class: 'btn btn-primary')
|
||||
|
|
|
@ -26,6 +26,9 @@
|
|||
%dt= t(:registrar)
|
||||
%dd= link_to(@api_user.registrar, admin_registrar_path(@api_user.registrar))
|
||||
|
||||
%dt= t(:role)
|
||||
%dd= @api_user.roles.join(', ')
|
||||
|
||||
%dt= t(:active)
|
||||
%dd= @api_user.active
|
||||
.row
|
||||
|
|
|
@ -796,5 +796,6 @@ en:
|
|||
registrant_domain_verification_rejected: 'Domain owner change has been rejected successfully.'
|
||||
registrant_domain_verification_rejected_failed: 'Something went wrong'
|
||||
ip_is_not_whitelisted: 'IP is not whitelisted'
|
||||
no_permission: 'No permission'
|
||||
access_denied: 'Access denied'
|
||||
connection_limit_reached: 'Connection limit reached'
|
||||
|
|
7
db/migrate/20150520163237_add_defalut_role.rb
Normal file
7
db/migrate/20150520163237_add_defalut_role.rb
Normal file
|
@ -0,0 +1,7 @@
|
|||
class AddDefalutRole < ActiveRecord::Migration
|
||||
def change
|
||||
ApiUser.all.each do |u|
|
||||
u.update_column :roles, ['super'] if u.roles.blank?
|
||||
end
|
||||
end
|
||||
end
|
|
@ -11,7 +11,7 @@
|
|||
#
|
||||
# It's strongly recommended that you check this file into your version control system.
|
||||
|
||||
ActiveRecord::Schema.define(version: 20150520164507) do
|
||||
ActiveRecord::Schema.define(version: 20150520163237) do
|
||||
|
||||
# These are extensions that must be enabled in order to support this database
|
||||
enable_extension "plpgsql"
|
||||
|
|
|
@ -5,6 +5,7 @@ Fabricator(:api_user) do
|
|||
identity_code '14212128025'
|
||||
registrar
|
||||
active true
|
||||
roles ['super']
|
||||
end
|
||||
|
||||
# use dedicated fabricator for fixed one
|
||||
|
|
|
@ -13,7 +13,8 @@ describe ApiUser do
|
|||
@api_user.errors.full_messages.should match_array([
|
||||
"Password Password is missing",
|
||||
"Registrar Registrar is missing",
|
||||
"Username Username is missing"
|
||||
"Username Username is missing",
|
||||
"Roles is missing"
|
||||
])
|
||||
end
|
||||
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue