trabajo-afectivo/app/policies/ticket/article_policy.rb

class Ticket::ArticlePolicy < ApplicationPolicy

  def show?
    access?(__method__)
  end

  def create?
    access?(__method__)
  end

  def update?
    return false if !access?(__method__)
    return true if user.permissions?(['ticket.agent', 'admin'])

    not_authorized('ticket.agent or admin permission required')
  end

  def destroy?
    return false if !access?('show?')

    # agents can destroy articles of type 'note'
    # which were created by themselves within the last x minutes

    if !user.permissions?('ticket.agent')
      return not_authorized('agent permission required') if !user.permissions?('ticket.agent')
    end

    if record.created_by_id != user.id
      return not_authorized('you can only delete your own notes')
    end

    if record.type.communication?
      return not_authorized('communication articles cannot be deleted')
    end

    if deletable_timeframe? && record.created_at <= deletable_timeframe.ago
      return not_authorized('note is too old to be deleted')
    end

    true
  end

  private

  def deletable_timeframe_setting
    Setting.get('ui_ticket_zoom_article_delete_timeframe')
  end

  def deletable_timeframe?
    deletable_timeframe_setting&.positive?
  end

  def deletable_timeframe
    deletable_timeframe_setting.seconds
  end

  def access?(query)
    return false if record.internal == true && !user.permissions?('ticket.agent')

    ticket = Ticket.lookup(id: record.ticket_id)
    Pundit.authorize(user, ticket, query)
  end
end
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00			`class Ticket::ArticlePolicy < ApplicationPolicy`

			`def show?`
			`access?(__method__)`
			`end`

			`def create?`
			`access?(__method__)`
			`end`

			`def update?`
			`return false if !access?(__method__)`
			`return true if user.permissions?(['ticket.agent', 'admin'])`

			`not_authorized('ticket.agent or admin permission required')`
			`end`

			`def destroy?`
Fixes #3086 - Deletion of communication article works for admins 2020-07-13 09:14:15 +00:00			`return false if !access?('show?')`

Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00			`# agents can destroy articles of type 'note'`
Fixes #3086 - Deletion of communication article works for admins 2020-07-13 09:14:15 +00:00			`# which were created by themselves within the last x minutes`

			`if !user.permissions?('ticket.agent')`
			`return not_authorized('agent permission required') if !user.permissions?('ticket.agent')`
			`end`

			`if record.created_by_id != user.id`
			`return not_authorized('you can only delete your own notes')`
			`end`

			`if record.type.communication?`
			`return not_authorized('communication articles cannot be deleted')`
			`end`

			`if deletable_timeframe? && record.created_at <= deletable_timeframe.ago`
			`return not_authorized('note is too old to be deleted')`
			`end`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
			`true`
			`end`

			`private`

Fixes #2990 - Backward compatibility of deleting own notes 2020-04-13 20:26:09 +00:00			`def deletable_timeframe_setting`
			`Setting.get('ui_ticket_zoom_article_delete_timeframe')`
			`end`

			`def deletable_timeframe?`
			`deletable_timeframe_setting&.positive?`
			`end`

			`def deletable_timeframe`
			`deletable_timeframe_setting.seconds`
			`end`

Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00			`def access?(query)`
Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`return false if record.internal == true && !user.permissions?('ticket.agent')`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
			`ticket = Ticket.lookup(id: record.ticket_id)`
			`Pundit.authorize(user, ticket, query)`
			`end`
			`end`