From 1b1cec1ee169c2192c8a5a8a312aa60eda0fc809 Mon Sep 17 00:00:00 2001
From: Chris Brame <polonel@gmail.com>
Date: Tue, 19 Feb 2019 23:03:32 -0500
Subject: [PATCH] fix(permissions): default user role unable to login correctly
 #153

---
 src/controllers/api/v1/routes.js            |  6 ++---
 src/controllers/api/v1/settings.js          | 24 +++++++++++++++++
 src/helpers/hbs/helpers.js                  |  2 +-
 src/public/js/app.js                        |  1 +
 src/views/partials/settings/permissions.hbs |  2 +-
 src/views/subviews/profile.hbs              |  2 +-
 src/views/subviews/singleticket.hbs         | 30 ++++++++++-----------
 7 files changed, 46 insertions(+), 21 deletions(-)

diff --git a/src/controllers/api/v1/routes.js b/src/controllers/api/v1/routes.js
index 681b3de57..bd6533c84 100644
--- a/src/controllers/api/v1/routes.js
+++ b/src/controllers/api/v1/routes.js
@@ -106,10 +106,10 @@ module.exports = function (middleware, router, controllers) {
   router.post('/api/v1/public/account/create', checkCaptcha, checkOrigin, apiCtrl.users.createPublicAccount)
 
   // Groups
-  router.get('/api/v1/groups', apiv1, canUser('groups:view'), apiCtrl.groups.get)
+  router.get('/api/v1/groups', apiv1, apiCtrl.groups.get)
   router.get('/api/v1/groups/all', apiv1, canUser('groups:view'), apiCtrl.groups.getAll)
   router.post('/api/v1/groups/create', apiv1, canUser('groups:create'), apiCtrl.groups.create)
-  router.get('/api/v1/groups/:id', apiv1, canUser('groups:view'), apiCtrl.groups.getSingleGroup)
+  router.get('/api/v1/groups/:id', apiv1, apiCtrl.groups.getSingleGroup)
   router.put('/api/v1/groups/:id', apiv1, canUser('groups:update'), apiCtrl.groups.updateGroup)
   router.delete('/api/v1/groups/:id', apiv1, canUser('groups:delete'), apiCtrl.groups.deleteGroup)
 
@@ -155,7 +155,7 @@ module.exports = function (middleware, router, controllers) {
   router.post(genBaseUrl + 'tickets_by_user', apiv1, canUser('reports:create'), reportsGenCtrl.ticketsByUser)
 
   // Settings
-  router.get('/api/v1/settings', apiv1, isAdmin, apiCtrl.settings.getSettings)
+  router.get('/api/v1/settings', apiv1, apiCtrl.settings.getSettings)
   router.put('/api/v1/settings', apiv1, isAdmin, apiCtrl.settings.updateSetting)
   router.post('/api/v1/settings/testmailer', apiv1, isAdmin, apiCtrl.settings.testMailer)
   router.put('/api/v1/settings/mailer/template/:id', apiv1, isAdmin, apiCtrl.settings.updateTemplateSubject)
diff --git a/src/controllers/api/v1/settings.js b/src/controllers/api/v1/settings.js
index 390f7e554..d904a53df 100644
--- a/src/controllers/api/v1/settings.js
+++ b/src/controllers/api/v1/settings.js
@@ -32,6 +32,30 @@ apiSettings.getSettings = function (req, res) {
   settingsUtil.getSettings(function (err, settings) {
     if (err) return res.status(400).json({ success: false, error: err })
 
+    // Sanitize
+    if (!req.user.role.isAdmin) {
+      delete settings.data.settings.mailerHost
+      delete settings.data.settings.mailerSSL
+      delete settings.data.settings.mailerPort
+      delete settings.data.settings.mailerUsername
+      delete settings.data.settings.mailerPassword
+      delete settings.data.settings.mailerFrom
+      delete settings.data.settings.mailerCheckEnabled
+      delete settings.data.settings.mailerCheckPolling
+      delete settings.data.settings.mailerCheckHost
+      delete settings.data.settings.mailerCheckPort
+      delete settings.data.settings.mailerCheckPassword
+      delete settings.data.settings.mailerCheckTicketType
+      delete settings.data.settings.mailerCheckTicketPriority
+      delete settings.data.settings.mailerCheckCreateAccount
+      delete settings.data.settings.mailerCheckDeleteMessage
+      delete settings.data.settings.tpsEnabled
+      delete settings.data.settings.tpsUsername
+      delete settings.data.settings.tpsApiKey
+
+      delete settings.data.mailTemplates
+    }
+
     return res.json({ success: true, settings: settings })
   })
 }
diff --git a/src/helpers/hbs/helpers.js b/src/helpers/hbs/helpers.js
index 2f81811f3..4bad268e0 100644
--- a/src/helpers/hbs/helpers.js
+++ b/src/helpers/hbs/helpers.js
@@ -693,7 +693,7 @@ var helpers = {
     var p = require('../../permissions')
     if (p.canThis(user.role, perm)) return options.fn(this)
 
-    options.inverse(this)
+    return options.inverse(this)
   },
 
   checkRole: function (role, perm, options) {
diff --git a/src/public/js/app.js b/src/public/js/app.js
index 8a069c3c2..55fee8055 100644
--- a/src/public/js/app.js
+++ b/src/public/js/app.js
@@ -36,6 +36,7 @@ require(['jquery', 'modules/helpers', 'angular', 'async', 'angularjs/services'],
         }
       ],
       function (err) {
+        if (err) console.log(err)
         if (err) throw new Error(err)
 
         require(['angularjs/main'], function () {
diff --git a/src/views/partials/settings/permissions.hbs b/src/views/partials/settings/permissions.hbs
index de245a19b..216d96827 100644
--- a/src/views/partials/settings/permissions.hbs
+++ b/src/views/partials/settings/permissions.hbs
@@ -232,7 +232,7 @@
                                                 <div class="md-switch md-green" style="margin: 18px 0 0 0;">
                                                     <label>
                                                         All
-                                                        <input type="checkbox" id="perm-accounts-all-{{id}}" name="perm-accounts-all" {{#canUserRole _id 'account:*'}} checked {{/canUserRole}}>
+                                                        <input type="checkbox" id="perm-accounts-all-{{id}}" name="perm-accounts-all" {{#canUserRole _id 'accounts:*'}} checked {{/canUserRole}}>
                                                         <span class="lever"></span>
                                                     </label>
                                                 </div>
diff --git a/src/views/subviews/profile.hbs b/src/views/subviews/profile.hbs
index c901472e1..35a22e07e 100644
--- a/src/views/subviews/profile.hbs
+++ b/src/views/subviews/profile.hbs
@@ -133,7 +133,7 @@
                                 <div class="panel-body2" style="padding: 20px 15px 15px 15px">
                                     <div class="uk-margin-medium-bottom">
                                         <label for="aApiKey" style="color: #727272;">API Token</label>
-                                        <input type="text" id="aApiKey" class="md-input" name="aApiKey" value="{{data.account.accessToken}}" disabled>
+                                        <input type="text" id="aApiKey" class="md-input" name="aApiKey" value="{{data.account.accessToken}}">
                                     </div>
                                 </div>
                             </div>
diff --git a/src/views/subviews/singleticket.hbs b/src/views/subviews/singleticket.hbs
index 25ce942c4..5a75c46ea 100644
--- a/src/views/subviews/singleticket.hbs
+++ b/src/views/subviews/singleticket.hbs
@@ -14,28 +14,28 @@
                     <div id="__ticketStatus" class="hide">{{data.ticket.status}}</div>
                     <div class="floating-ticket-status" data-ticketId="{{data.ticket._id}}">
                         {{#is data.ticket.status 0}}
-                            {{#canUserOrAdmin data.user "agent:*"}}
+                            {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
                                 <div title="Change Status" class="ticket-status ticket-new cursor-pointer" ng-click="showStatusSelect()"><span>New</span></div>
                             {{else}}
                                 <div class="ticket-status ticket-new"><span>New</span></div>
                             {{/canUserOrAdmin}}
                         {{/is}}
                         {{#is data.ticket.status 1}}
-                            {{#canUserOrAdmin data.user "agent:*"}}
+                            {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
                                 <div title="Change Status" class="ticket-status ticket-open cursor-pointer" ng-click="showStatusSelect()"><span>Open</span></div>
                             {{else}}
                                 <div class="ticket-status ticket-open"><span>Open</span></div>
                             {{/canUserOrAdmin}}
                         {{/is}}
                         {{#is data.ticket.status 2}}
-                            {{#canUserOrAdmin data.user "agent:*"}}
+                            {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
                                 <div title="Change Status" class="ticket-status ticket-pending cursor-pointer" ng-click="showStatusSelect()"><span>Pending</span></div>
                             {{else}}
                                 <div class="ticket-status ticket-pending"><span>Pending</span></div>
                             {{/canUserOrAdmin}}
                         {{/is}}
                         {{#is data.ticket.status 3}}
-                            {{#canUserOrAdmin data.user "agent:*"}}
+                            {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
                                 <div title="Change Status" class="ticket-status ticket-closed cursor-pointer" ng-click="showStatusSelect()"><span>Closed</span></div>
                             {{else}}
                                 <div class="ticket-status ticket-closed"><span>Closed</span></div>
@@ -59,7 +59,7 @@
                             {{#if data.ticket.assignee}}
                                 <div class="ticket-assignee uk-clearfix" data-ticketId="{{data.ticket._id}}">
                                     <a role="button"
-                                       {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}}
+                                       {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}}
                                            {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
                                                 title="Set Assignee"
                                                 data-notifications="assigneeDropdown"
@@ -84,7 +84,7 @@
                             {{else}}
                                 <div class="ticket-assignee uk-clearfix" data-ticketId="{{data.ticket._id}}">
                                     <a role="button"
-                                        {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}}
+                                        {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}}
                                             {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
                                                title="Set Assignee"
                                                data-notifications="assigneeDropdown"
@@ -121,7 +121,7 @@
                                 <div class="uk-width-1-2 uk-float-left nopadding">
                                     <div class="marginright5">
                                         <span>Type</span>
-                                        {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}}
+                                        {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}}
                                             <select name="tType" id="tType" class="chosen-select1"
                                                     ng-model="selectedType"
                                                     ng-options="t.name for t in types track by t._id"
@@ -136,7 +136,7 @@
                                 <div class="uk-width-1-2 uk-float-left nopadding">
                                     <div class="marginleft5">
                                         <span>Priority</span>
-                                        {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}}
+                                        {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}}
                                             <select name="tPriority" id="tPriority"
                                                     ng-model="selectedPriority"
                                                     ng-options="p.name for p in selectedType.priorities track by p._id"
@@ -152,7 +152,7 @@
 
                                 <div class="uk-width-1-1 nopadding uk-clearfix">
                                         <span>Group</span>
-                                        {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}}
+                                        {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}}
                                             <select name="tGroup" id="tGroup"
                                                     ng-model="selectedGroup"
                                                     ng-options="g.name for g in groups track by g._id"
@@ -166,7 +166,7 @@
                                 </div>
                                 <div class="uk-width-1-1 nopadding">
                                     <span>Tags
-                                        {{#hasPermOverRole data.ticket.owner.role data.user.role "tickets:update"}}
+                                        {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role "tickets:update"}}
                                             <div id="editTags" style="display: inline;" {{#compare data.ticket.status '==' 3}}class="hide"{{/compare}}>-
                                                 <a href="#" style="font-size: 11px;" class="no-ajaxy" ng-click="showTags($event)" data-uk-modal="{bgclose:false}">Edit Tags</a>
                                             </div>
@@ -190,7 +190,7 @@
                                 </div>
                             </div>
                         </div>
-                        {{#canUserOrAdmin data.user "agent:*"}}
+                        {{#canUserOrAdmin data.common.loggedInAccount "agent:*"}}
                             <div class="uk-width-1-1 padding-left-right-15">
                                 <div class="tru-card ticket-details" style="height: 250px; padding-right: 0 !important; padding-bottom: 0 !important;">
                                     Ticket History
@@ -261,7 +261,7 @@
                                     {{#each data.ticket.attachments}}
                                         <li>
                                             <a href="{{path}}" class="no-ajaxy" target="_blank">{{name}}</a>
-                                            {{#canUser ../data.user "tickets:removeAttachment"}}
+                                            {{#canUser ../data.common.loggedInAccount "tickets:removeAttachment"}}
                                                 <a href="#" class="remove-attachment" data-attachmentId="{{_id}}"><i class="fa fa-remove"></i></a>
                                             {{/canUser}}
                                         </li>
@@ -271,7 +271,7 @@
                                     {{{data.ticket.issue}}}
                                 </div>
                             </div>
-                            {{#canUserOrAdmin data.user "tickets:update"}}
+                            {{#canUserOrAdmin data.common.loggedInAccount "tickets:update"}}
                                 <div class="edit-issue {{#compare data.ticket.status '==' 3}}hide{{/compare}}" ng-click="showEditWindow('issue', true);"><i class="material-icons">&#xE254;</i></div>
                             {{else}}
                                 {{#canEditSelf data.user data.ticket.owner 'ticket'}}
@@ -282,7 +282,7 @@
                                 <div class="add-attachment {{#compare data.ticket.status '==' 3}}hide{{/compare}}" ng-click="showUploadAttachment($event)"><i class="material-icons">&#xE226;</i></div>
 
                                 <input type="hidden" name="ticketId" value="{{data.ticket._id}}" />
-                                <input type="hidden" name="ownerId" value="{{data.user._id}}" />
+                                <input type="hidden" name="ownerId" value="{{data.common.loggedInAccount._id}}" />
                                 <input class="attachmentInput hide" name="ticket_{{data.ticket.uid}}_attachment" type="file" value="" />
                             </form>
                         </div>
@@ -294,7 +294,7 @@
                                 <a id="tab-public-comments" href="#" class="tru-tab-selector no-ajaxy" data-tabid="1" data-ticketid="{{data.ticket._id}}">Comments
                                     <span class="uk-badge uk-badge-grey uk-badge-small">{{size data.ticket.comments}}</span>
                                 </a>
-                                {{#hasPermOverRole data.ticket.owner.role data.user.role 'tickets:notes'}}
+                                {{#hasPermOverRole data.ticket.owner.role data.common.loggedInAccount.role 'tickets:notes'}}
                                     <a id="tab-internal-notes" href="#" class="tru-tab-selector no-ajaxy" data-tabid="2" data-ticketid="{{data.ticket._id}}">Notes
                                         <span class="uk-badge uk-badge-grey uk-badge-small">{{size data.ticket.notes}}</span>
                                     </a>