53 lines
1.4 KiB
Ruby
53 lines
1.4 KiB
Ruby
|
class Ticket::ArticlePolicy < ApplicationPolicy
|
||
|
|
|
||
|
|
def show?
|
||
|
|
access?(__method__)
|
||
|
|
end
|
||
|
|
|
||
|
|
def create?
|
||
|
|
access?(__method__)
|
||
|
|
end
|
||
|
|
|
||
|
|
def update?
|
||
|
|
return false if !access?(__method__)
|
||
|
|
return true if user.permissions?(['ticket.agent', 'admin'])
|
||
|
|
|
||
|
|
not_authorized('ticket.agent or admin permission required')
|
||
|
|
end
|
||
|
|
|
||
|
|
def destroy?
|
||
|
|
return true if user.permissions?('admin')
|
||
|
|
return false if !access?(__method__)
|
||
|
|
# don't let edge case exceptions raised in the TicketPolicy stop
|
||
|
|
# other possible positive authorization checks
|
||
|
|
rescue Pundit::NotAuthorizedError
|
||
|
|
# agents can destroy articles of type 'note'
|
||
|
|
# which were created by themselves within the last 10 minutes
|
||
|
|
return missing_admin_permission if !user.permissions?('ticket.agent')
|
||
|
|
return missing_admin_permission if record.created_by_id != user.id
|
||
|
|
return missing_admin_permission if record.type.communication?
|
||
|
|
return too_old_to_undo if record.created_at <= 10.minutes.ago
|
||
|
|
|
||
|
|
true
|
||
|
|
end
|
||
|
|
|
||
|
|
private
|
||
|
|
|
||
|
|
def access?(query)
|
||
|
|
if record.internal == true && user.permissions?('ticket.customer')
|
||
|
|
return false
|
||
|
|
end
|
||
|
|
|
||
|
|
ticket = Ticket.lookup(id: record.ticket_id)
|
||
|
|
Pundit.authorize(user, ticket, query)
|
||
|
|
end
|
||
|
|
|
||
|
|
def missing_admin_permission
|
||
|
|
not_authorized('admin permission required')
|
||
|
|
end
|
||
|
|
|
||
|
|
def too_old_to_undo
|
||
|
|
not_authorized('articles more than 10 minutes old may not be deleted')
|
||
|
|
end
|
||
|
|
end
|