trabajo-afectivo/app/policies/ticket_policy/base_scope.rb

# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/

# Abstract base class for various "types" of ticket access.
#
# Do NOT instantiate directly; instead,
# choose the appropriate subclass from below
# (see commit message for details).
class TicketPolicy < ApplicationPolicy
  class BaseScope < ApplicationPolicy::Scope

    # overwrite PunditPolicy#initialize to make `context` optional and use Ticket as default
    def initialize(user, context = Ticket)
      super
    end

    def resolve # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
      raise NoMethodError, <<~ERR.chomp if instance_of?(TicketPolicy::BaseScope)
        specify an access type using a subclass of TicketPolicy::BaseScope
      ERR

      sql  = []
      bind = []

      if user.permissions?('ticket.agent')
        sql.push('group_id IN (?)')
        bind.push(user.group_ids_access(self.class::ACCESS_TYPE))
      end

      if user.permissions?('ticket.customer')
        if user.organization&.shared
          sql.push('(tickets.customer_id = ? OR tickets.organization_id = ?)')
          bind.push(user.id, user.organization.id)
        else
          sql.push('tickets.customer_id = ?')
          bind.push(user.id)
        end
      end

      # The report permission can access all tickets.
      if sql.empty? && !user.permissions?('report')
        sql.push '0 = 1' # Forbid unlimited access for all other permissions.
      end

      scope.where sql.join(' OR '), *bind
    end

    # #resolve is UNDEFINED BEHAVIOR for the abstract base class (but not its subclasses)
    def respond_to?(*args)
      return false if args.first.to_s == 'resolve' && instance_of?(TicketPolicy::BaseScope)

      super(*args)
    end
  end
end
Maintenance: Update copyright header. 2022-01-01 13:38:12 +00:00			`# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/`
Refactoring: Drop Ticket.access_condition in favor of using Pundit scopes. 2021-07-20 17:35:02 +00:00
			`# Abstract base class for various "types" of ticket access.`
			`#`
			`# Do NOT instantiate directly; instead,`
			`# choose the appropriate subclass from below`
			`# (see commit message for details).`
			`class TicketPolicy < ApplicationPolicy`
			`class BaseScope < ApplicationPolicy::Scope`

			# overwrite PunditPolicy#initialize to make `context` optional and use Ticket as default
			`def initialize(user, context = Ticket)`
			`super`
			`end`

Follow-up: 276c45b2e9 - Improved ticket policy scope handling. 2021-10-07 14:37:57 +00:00			`def resolve # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity`
Refactoring: Drop Ticket.access_condition in favor of using Pundit scopes. 2021-07-20 17:35:02 +00:00			`raise NoMethodError, <<~ERR.chomp if instance_of?(TicketPolicy::BaseScope)`
			`specify an access type using a subclass of TicketPolicy::BaseScope`
			`ERR`

			`sql = []`
			`bind = []`

			`if user.permissions?('ticket.agent')`
			`sql.push('group_id IN (?)')`
Refactoring: Use ticket scope policies more consistently, various small optimizations. 2021-07-21 14:04:17 +00:00			`bind.push(user.group_ids_access(self.class::ACCESS_TYPE))`
Refactoring: Drop Ticket.access_condition in favor of using Pundit scopes. 2021-07-20 17:35:02 +00:00			`end`

Follow-up: 276c45b2e9 - Improved ticket policy scope handling. 2021-10-07 14:37:57 +00:00			`if user.permissions?('ticket.customer')`
			`if user.organization&.shared`
			`sql.push('(tickets.customer_id = ? OR tickets.organization_id = ?)')`
			`bind.push(user.id, user.organization.id)`
			`else`
			`sql.push('tickets.customer_id = ?')`
			`bind.push(user.id)`
			`end`
			`end`

			`# The report permission can access all tickets.`
			`if sql.empty? && !user.permissions?('report')`
			`sql.push '0 = 1' # Forbid unlimited access for all other permissions.`
Refactoring: Drop Ticket.access_condition in favor of using Pundit scopes. 2021-07-20 17:35:02 +00:00			`end`

			`scope.where sql.join(' OR '), *bind`
			`end`

			`# #resolve is UNDEFINED BEHAVIOR for the abstract base class (but not its subclasses)`
			`def respond_to?(*args)`
			`return false if args.first.to_s == 'resolve' && instance_of?(TicketPolicy::BaseScope)`

			`super(*args)`
			`end`
			`end`
			`end`