trabajo-afectivo/app/policies/ticket_policy.rb

class TicketPolicy < ApplicationPolicy

  def show?
    access?('read')
  end

  def create?
    access?('create')
  end

  def update?
    access?('change')
  end

  def destroy?
    return true if user.permissions?('admin')

    # This might look like a bug is actually just defining
    # what exception is being raised and shown to the user.
    return false if !access?('delete')

    not_authorized('admin permission required')
  end

  def full?
    access?('full')
  end

  def follow_up?
    return true if user.permissions?('ticket.agent') # agents can always reopen tickets, regardless of group configuration
    return true if record.group.follow_up_possible != 'new_ticket' # check if the setting for follow_up_possible is disabled
    return true if record.state.name != 'closed' # check if the ticket state is already closed

    raise Exceptions::UnprocessableEntity, 'Cannot follow-up on a closed ticket. Please create a new ticket.'
  end

  private

  def access?(access)

    # agent - access if requester is owner
    return true if record.owner_id == user.id

    # agent - access if requester is in group
    return true if user.group_access?(record.group.id, access)

    # check customer
    return false if !user.permissions?('ticket.customer')

    # access ok if its own ticket
    return true if record.customer_id == user.id

    organization_access?
  end

  def organization_access?
    return false if record.organization_id.blank?
    return false if user.organization_id.blank?
    return false if record.organization_id != user.organization_id

    record.organization.shared?
  end
end
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00			`class TicketPolicy < ApplicationPolicy`

			`def show?`
			`access?('read')`
			`end`

			`def create?`
			`access?('create')`
			`end`

			`def update?`
			`access?('change')`
			`end`

			`def destroy?`
			`return true if user.permissions?('admin')`

			`# This might look like a bug is actually just defining`
			`# what exception is being raised and shown to the user.`
			`return false if !access?('delete')`

			`not_authorized('admin permission required')`
			`end`

			`def full?`
			`access?('full')`
			`end`

			`def follow_up?`
			`return true if user.permissions?('ticket.agent') # agents can always reopen tickets, regardless of group configuration`
			`return true if record.group.follow_up_possible != 'new_ticket' # check if the setting for follow_up_possible is disabled`
			`return true if record.state.name != 'closed' # check if the ticket state is already closed`

			`raise Exceptions::UnprocessableEntity, 'Cannot follow-up on a closed ticket. Please create a new ticket.'`
			`end`

			`private`

			`def access?(access)`

Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`# agent - access if requester is owner`
			`return true if record.owner_id == user.id`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`# agent - access if requester is in group`
			`return true if user.group_access?(record.group.id, access)`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`# check customer`
			`return false if !user.permissions?('ticket.customer')`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`# access ok if its own ticket`
			`return true if record.customer_id == user.id`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`organization_access?`
			`end`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`def organization_access?`
			`return false if record.organization_id.blank?`
			`return false if user.organization_id.blank?`
			`return false if record.organization_id != user.organization_id`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00
Fixes #967 - Access to my own Tickets (where I'm customer of) in a Group im not Agent. 2020-08-20 07:10:08 +00:00			`record.organization.shared?`
Refactoring: Replaced home-rolled authorization logic in Controllers with Pundit. 2020-03-19 09:39:51 +00:00			`end`
			`end`