trabajo-afectivo/app/policies/ticket/article_policy.rb

64 lines
1.4 KiB
Ruby
Raw Normal View History

class Ticket::ArticlePolicy < ApplicationPolicy
def show?
access?(__method__)
end
def create?
access?(__method__)
end
def update?
return false if !access?(__method__)
return true if user.permissions?(['ticket.agent', 'admin'])
not_authorized('ticket.agent or admin permission required')
end
def destroy?
return false if !access?('show?')
# agents can destroy articles of type 'note'
# which were created by themselves within the last x minutes
if !user.permissions?('ticket.agent')
return not_authorized('agent permission required')
end
if record.created_by_id != user.id
return not_authorized('you can only delete your own notes')
end
if record.type.communication?
return not_authorized('communication articles cannot be deleted')
end
if deletable_timeframe? && record.created_at <= deletable_timeframe.ago
return not_authorized('note is too old to be deleted')
end
true
end
private
def deletable_timeframe_setting
Setting.get('ui_ticket_zoom_article_delete_timeframe')
end
def deletable_timeframe?
deletable_timeframe_setting&.positive?
end
def deletable_timeframe
deletable_timeframe_setting.seconds
end
def access?(query)
ticket = Ticket.lookup(id: record.ticket_id)
return false if record.internal == true && !TicketPolicy.new(user, ticket).agent_read_access?
Pundit.authorize(user, ticket, query)
end
end