Merge branch 'master' into PPT-685-concierge-room-availability-result…

…s-do-not-reflect-setup-breakdown-times-and-book-new-events-directly-over-them

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ### Feat
 
+- **current-user**: match options in rest-api
+- **events**: skip some checks when in delegated mode ([#294](https://github.com/PlaceOS/staff-api/pull/294))
 - add support for public.read and public.write scopes
 - improve permissions checks ([#292](https://github.com/PlaceOS/staff-api/pull/292))
 - **shard.lock**: bump opentelemetry-instrumentation.cr
@@ -63,6 +65,11 @@
 
 ### Fix
 
+- **events**: update guest details [PPT-910]
+- **bookings**: rejected / approved status [PPT-917]
+- **bookings**: missing save on approve and reject routes
+- unauthorized if delegated access has expired ([#296](https://github.com/PlaceOS/staff-api/pull/296)) [PPT-731]
+- **guests**: query where there are no bookings
 - **calendars**: availability status request
 - **calendar**: availability check ([#293](https://github.com/PlaceOS/staff-api/pull/293))
 - **guests**: invalid SQL generated when there were no meetings

shard.lock

@@ -75,7 +75,7 @@ shards:
 
   habitat:
     git: https://github.com/luckyframework/habitat.git
-    version: 0.4.7
+    version: 0.4.8
 
   hot_topic:
     git: https://github.com/jgaskins/hot_topic.git
@@ -103,15 +103,15 @@ shards:
 
   nbchannel:
     git: https://github.com/wyhaines/nbchannel.cr.git
-    version: 0.1.0+git.commit.ea6517a837270361695244d14c4b03d84660f113
+    version: 0.1.0+git.commit.a8f5be6aa198abfa9f1893e1156640b8ea526094
 
   neuroplastic:
     git: https://github.com/spider-gazelle/neuroplastic.git
     version: 1.13.0
 
   office365:
     git: https://github.com/placeos/office365.git
-    version: 1.22.0
+    version: 1.23.0
 
   open_api:
     git: https://github.com/elbywan/open_api.cr.git
@@ -131,7 +131,7 @@ shards:
 
   opentelemetry-instrumentation:
     git: https://github.com/wyhaines/opentelemetry-instrumentation.cr.git
-    version: 0.5.3+git.commit.5c0323d0046719bae4a7a325ca5ce0e7405bf803
+    version: 0.5.3+git.commit.cd3994b22d9f7a0d68752698974d3873a1b2fce2
 
   opentelemetry-sdk:
     git: https://github.com/wyhaines/opentelemetry-sdk.cr.git
@@ -171,7 +171,7 @@ shards:
 
   placeos-models:
     git: https://github.com/placeos/models.git
-    version: 9.17.0
+    version: 9.20.1
 
   pool:
     git: https://github.com/ysbaddaden/pool.git
@@ -187,15 +187,15 @@ shards:
 
   raven:
     git: https://github.com/sija/raven.cr.git
-    version: 1.9.3+git.commit.2fa8a119cfa15d6fb98f0d8e3924d8175e974103
+    version: 1.9.3+git.commit.78ab46f635208faf4a8f48e593de7c5e5490d543
 
   redis:
     git: https://github.com/stefanwille/crystal-redis.git
     version: 2.9.1
 
   retriable:
     git: https://github.com/sija/retriable.cr.git
-    version: 0.2.4
+    version: 0.2.5
 
   secrets-env:
     git: https://github.com/place-labs/secrets-env.git

src/controllers/bookings.cr

@@ -554,7 +554,6 @@ class Bookings < Application
     utm_source : String? = nil
   ) : Booking
     set_approver(booking, true)
-    booking.approved_at = Time.utc.to_unix
 
     clashing_bookings = check_clashing(booking)
     raise Error::BookingConflict.new(clashing_bookings) if clashing_bookings.size > 0
@@ -570,7 +569,6 @@ class Bookings < Application
     utm_source : String? = nil
   ) : Booking
     set_approver(booking, false)
-    booking.rejected_at = Time.utc.to_unix
     booking.utm_source = utm_source
     update_booking(booking, "rejected")
   end
@@ -787,8 +785,21 @@ class Bookings < Application
       approver_id: user_token.id,
       approver_email: user.email.downcase,
       approver_name: user.name,
-      approved: approved,
-      rejected: !approved,
     )
+
+    if approved
+      booking.approved = true
+      booking.approved_at = Time.utc.to_unix
+      booking.rejected = false
+      booking.rejected_at = nil
+    else
+      booking.approved = false
+      booking.approved_at = nil
+      booking.rejected = true
+      booking.rejected_at = Time.utc.to_unix
+    end
+
+    booking.save!
+    booking
   end
 end

src/controllers/events.cr

@@ -20,7 +20,7 @@ class Events < Application
       return if check_access(current_user.groups, system.zones || [] of String).can_manage?
     end
 
-    raise Error::Forbidden.new("user not in appropriate user group")
+    raise Error::Forbidden.new("user not in an appropriate user group or involved in the meeting")
   end
 
   # update includes a bunch of moving parts so we want to roll back if something fails
@@ -240,7 +240,9 @@ class Events < Application
           email = attendee.email.strip.downcase
 
           guest = if existing_guest = Guest.by_tenant(tenant.id).find_by?(email: email)
-                    existing_guest.name = attendee.name if existing_guest.name != attendee.name
+                    existing_guest.name = attendee.name if attendee.name.presence && existing_guest.name != attendee.name
+                    existing_guest.phone = attendee.phone if attendee.phone.presence && existing_guest.phone != attendee.phone
+                    existing_guest.organisation = attendee.organisation if attendee.organisation.presence && existing_guest.organisation != attendee.organisation
                     existing_guest
                   else
                     Guest.new(
@@ -364,7 +366,7 @@ class Events < Application
 
     # check permisions
     existing_attendees = event.attendees.try(&.map { |a| a.email.downcase }) || [] of String
-    unless user_email == host || user_email.in?(existing_attendees)
+    if !tenant.delegated && user_email != host && !user_email.in?(existing_attendees)
       # may be able to edit on behalf of the user
       raise Error::Forbidden.new("user #{user_email} not involved in meeting and no role is permitted to make this change") if !(system && !check_access(user.roles, [system.id] + system.zones).forbidden?)
     end
@@ -691,10 +693,11 @@ class Events < Application
                raise Error::Forbidden.new("guest #{user_token.id} attempting to edit an event they are not associated with") unless merge && guest_event_id.in?({original_id, event_id, event.recurring_event_id})
              else
                attendees = event.attendees.try(&.map { |a| a.email }) || [] of String
-               raise Error::Forbidden.new("user #{user_email} not involved in meeting and no role is permitted to make this change") unless is_support? || user_email == event.host || user_email.in?(attendees)
+               if user_email != event.host.try(&.downcase) && !user_email.in?(attendees)
+                 confirm_access(system_id)
+               end
              end
 
-             raise Error::BadRequest.new("system_id must be present") if system_id.nil?
              raise Error::BadUpstreamResponse.new("id must be present on system") unless upstream_system_id = system.id
              raise Error::BadUpstreamResponse.new("id must be present on event") unless upstream_event_id = event.id
              raise Error::BadUpstreamResponse.new("ical_uid must be present on event #{upstream_event_id}") unless event_ical_uid = event.ical_uid
@@ -885,6 +888,10 @@ class Events < Application
   end
 
   # deletes the event from the calendar, it will not appear as cancelled, it will be gone
+  #
+  # by default it assumes the event id exists on the users calendar
+  # you can clarify the calendar that the event belongs to by using the calendar param
+  # and specify a system id if there is event metadata or linked booking associated with the event
   @[AC::Route::DELETE("/:id", status_code: HTTP::Status::ACCEPTED)]
   def destroy(
     @[AC::Param::Info(name: "id", description: "the event id", example: "AAMkAGVmMDEzMTM4LTZmYWUtNDdkNC1hMDZe")]
@@ -900,6 +907,7 @@ class Events < Application
   end
 
   # cancels the meeting without deleting it
+  #
   # visually the event will remain on the calendar with a line through it
   # NOTE:: any body data you post will be used as the message body in the declined message
   @[AC::Route::POST("/:id/decline", status_code: HTTP::Status::ACCEPTED)]
@@ -948,15 +956,17 @@ class Events < Application
     host = event.host.try(&.downcase) || user_email
 
     # check permisions
-    existing_attendees = event.attendees.try(&.map { |a| a.email.downcase }) || [] of String
-    unless user_email == host || user_email.in?(existing_attendees)
-      # may be able to delete on behalf of the user
-      raise Error::Forbidden.new("user #{user_email} not involved in meeting and no role is permitted to make this change") if !(system && !check_access(user.roles, [system.id] + system.zones).forbidden?)
+    if !tenant.delegated
+      existing_attendees = event.attendees.try(&.map { |a| a.email.downcase }) || [] of String
+      unless user_email == host || user_email.in?(existing_attendees)
+        # may be able to delete on behalf of the user
+        raise Error::Forbidden.new("user #{user_email} not involved in meeting and no role is permitted to make this change") if !(system && !check_access(user.roles, [system.id] + system.zones).forbidden?)
+      end
     end
 
     # we don't need host details for delete / decline as we want it to occur on the calendar specified
     # unless using a service account and then we can only use the host calendar
-    if client.client_id == :office365 && event.host != cal_id && (srv_acct = tenant.service_account)
+    if (srv_acct = tenant.service_account) && client.client_id == :office365 && event.host != cal_id
       original_event = event
       event = get_hosts_event(event, tenant.service_account)
       raise Error::BadUpstreamResponse.new("id must be present on event") unless event_id = event.id

src/controllers/guests.cr

@@ -144,9 +144,11 @@ class Guests < Application
         end
       end
 
-      booking_attendees = Attendee.by_bookings(tenant.id, booking_ids.to_a)
-      booking_attendees.each do |attend|
-        attendees[attend.guest.not_nil!.email] = attend
+      if !booking_ids.empty?
+        booking_attendees = Attendee.by_bookings(tenant.id, booking_ids.to_a)
+        booking_attendees.each do |attend|
+          attendees[attend.guest.not_nil!.email] = attend
+        end
       end
 
       return [] of Guest | Attendee if attendees.empty?

src/controllers/utilities/current-user.cr

@@ -16,7 +16,7 @@ module Utils::CurrentUser
     return if @user_token
 
     # check for X-API-Key use
-    if token = request.headers["X-API-Key"]?
+    if token = request.headers["X-API-Key"]? || params["api-key"]? || cookies["api-key"]?.try(&.value)
       begin
         @user_token = user_token = get_placeos_client.apikeys.inspect_jwt
         return user_token
@@ -87,10 +87,12 @@ module Utils::CurrentUser
       token
     else
       @access_token = if token = request.headers["Authorization"]?
-                        token = token.lchop("Bearer ").rstrip
+                        token = token.lchop("Bearer ").lchop("Token ").rstrip
                         token unless token.empty?
                       elsif token = params["bearer_token"]?
                         token.strip
+                      elsif token = cookies["bearer_token"]?.try(&.value)
+                        token.strip
                       end
     end
   end

src/controllers/utilities/multi_tenant.cr

@@ -14,7 +14,7 @@ module Utils::MultiTenant
                        tenant.place_calendar_client token.token, token.expires
                      rescue error
                        Log.error(exception: error) { "error obtaining resource token" }
-                       raise Error::NotImplemented.new("no available delegated resource token for user #{user_token.user.email}")
+                       raise Error::Unauthorized.new("no available delegated resource token for user #{user_token.user.email}")
                      end
                    else
                      # Use the credentials in the database