trabajo-afectivo/app/controllers/ticket_articles_controller.rb

# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/

class TicketArticlesController < ApplicationController
  include CreatesTicketArticles

  prepend_before_action :authentication_check

  # GET /articles
  def index
    permission_check('admin')
    model_index_render(Ticket::Article, params)
  end

  # GET /articles/1
  def show
    article = Ticket::Article.find(params[:id])
    access!(article, 'read')

    if params[:expand]
      result = article.attributes_with_association_names
      render json: result, status: :ok
      return
    end

    if params[:full]
      full = Ticket::Article.full(params[:id])
      render json: full
      return
    end

    render json: article.attributes_with_association_names
  end

  # GET /ticket_articles/by_ticket/1
  def index_by_ticket
    ticket = Ticket.find(params[:id])
    access!(ticket, 'read')

    articles = []

    if params[:expand]
      ticket.articles.each do |article|

        # ignore internal article if customer is requesting
        next if article.internal == true && current_user.permissions?('ticket.customer')
        result = article.attributes_with_association_names
        articles.push result
      end

      render json: articles, status: :ok
      return
    end

    if params[:full]
      assets = {}
      record_ids = []
      ticket.articles.each do |article|

        # ignore internal article if customer is requesting
        next if article.internal == true && current_user.permissions?('ticket.customer')

        record_ids.push article.id
        assets = article.assets({})
      end
      render json: {
        record_ids: record_ids,
        assets: assets,
      }
      return
    end

    ticket.articles.each do |article|

      # ignore internal article if customer is requesting
      next if article.internal == true && current_user.permissions?('ticket.customer')
      articles.push article.attributes_with_association_names
    end
    render json: articles
  end

  # POST /articles
  def create
    ticket = Ticket.find(params[:ticket_id])
    access!(ticket, 'create')
    article = article_create(ticket, params)

    if params[:expand]
      result = article.attributes_with_association_names
      render json: result, status: :created
      return
    end

    if params[:full]
      full = Ticket::Article.full(params[:id])
      render json: full, status: :created
      return
    end

    render json: article.attributes_with_association_names, status: :created
  end

  # PUT /articles/1
  def update
    article = Ticket::Article.find(params[:id])
    access!(article, 'change')

    if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin')
      raise Exceptions::NotAuthorized, 'Not authorized (ticket.agent or admin permission required)!'
    end

    clean_params = Ticket::Article.association_name_to_id_convert(params)
    clean_params = Ticket::Article.param_cleanup(clean_params, true)

    article.update!(clean_params)

    if params[:expand]
      result = article.attributes_with_association_names
      render json: result, status: :ok
      return
    end

    if params[:full]
      full = Ticket::Article.full(params[:id])
      render json: full, status: :ok
      return
    end

    render json: article.attributes_with_association_names, status: :ok
  end

  # DELETE /articles/1
  def destroy
    article = Ticket::Article.find(params[:id])
    access!(article, 'delete')

    if current_user.permissions?('admin')
      article.destroy!
      head :ok
      return
    end

    if current_user.permissions?('ticket.agent') && article.created_by_id == current_user.id && article.type.name == 'note'
      article.destroy!
      head :ok
      return
    end

    raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!'
  end

  # DELETE /ticket_attachment_upload
  def ticket_attachment_upload_delete
    if params[:store_id]
      Store.remove_item(params[:store_id])
      render json: {
        success: true,
      }
      return
    elsif params[:form_id]
      Store.remove(
        object: 'UploadCache',
        o_id:   params[:form_id],
      )
      render json: {
        success: true,
      }
      return
    end

    render json: { message: 'No such store_id or form_id!' }, status: :unprocessable_entity
  end

  # POST /ticket_attachment_upload
  def ticket_attachment_upload_add

    # store file
    file = params[:File]
    content_type = file.content_type
    if !content_type || content_type == 'application/octet-stream'
      content_type = if MIME::Types.type_for(file.original_filename).first
                       MIME::Types.type_for(file.original_filename).first.content_type
                     else
                       'application/octet-stream'
                     end
    end
    headers_store = {
      'Content-Type' => content_type
    }
    store = Store.add(
      object: 'UploadCache',
      o_id: params[:form_id],
      data: file.read,
      filename: file.original_filename,
      preferences: headers_store
    )

    # return result
    render json: {
      success: true,
      data: {
        store_id: store.id,
        filename: file.original_filename,
        size: store.size,
      }
    }
  end

  # GET /ticket_attachment/:ticket_id/:article_id/:id
  def attachment
    ticket = Ticket.lookup(id: params[:ticket_id])
    access!(ticket, 'read')

    article = Ticket::Article.find(params[:article_id])
    if ticket.id != article.ticket_id

      # check if requested ticket got merged
      if ticket.state.state_type.name != 'merged'
        raise Exceptions::NotAuthorized, 'No access, article_id/ticket_id is not matching.'
      end

      ticket = article.ticket
      access!(ticket, 'read')
    end

    list = article.attachments || []
    access = false
    list.each do |item|
      if item.id.to_i == params[:id].to_i
        access = true
      end
    end
    raise Exceptions::NotAuthorized, 'Requested file id is not linked with article_id.' if !access

    # find file
    file = Store.find(params[:id])

    disposition = sanitized_disposition

    send_data(
      file.content,
      filename: file.filename,
      type: file.preferences['Content-Type'] || file.preferences['Mime-Type'],
      disposition: disposition
    )
  end

  # GET /ticket_article_plain/1
  def article_plain
    article = Ticket::Article.find(params[:id])
    access!(article, 'read')

    file = article.as_raw

    # find file
    return if !file

    send_data(
      file.content,
      filename: file.filename,
      type: 'message/rfc822',
      disposition: 'inline'
    )
  end

  private

  def sanitized_disposition
    disposition = params.fetch(:disposition, 'inline')
    valid_disposition = %w(inline attachment)
    return disposition if valid_disposition.include?(disposition)
    raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
  end
end
Updated copyright. 2016-10-19 03:11:36 +00:00			`# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/`
Code reformattingand code layout beautying. 2013-06-12 15:59:58 +00:00
Init version. 2012-04-10 14:06:46 +00:00			`class TicketArticlesController < ApplicationController`
Refactoring: Splitted ApplicationController functionality into separat modules and concerns. 2017-03-09 11:44:51 +00:00			`include CreatesTicketArticles`

Improved session validation and usage of cors headers. 2017-02-15 12:29:25 +00:00			`prepend_before_action :authentication_check`
Init version. 2012-04-10 14:06:46 +00:00
			`# GET /articles`
			`def index`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`permission_check('admin')`
Added expanded 2016-06-20 12:13:00 +00:00			`model_index_render(Ticket::Article, params)`
Init version. 2012-04-10 14:06:46 +00:00			`end`

			`# GET /articles/1`
			`def show`
Added expanded 2016-06-20 12:13:00 +00:00			`article = Ticket::Article.find(params[:id])`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(article, 'read')`
Added expanded 2016-06-20 12:13:00 +00:00
			`if params[:expand]`
Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`result = article.attributes_with_association_names`
Added expanded 2016-06-20 12:13:00 +00:00			`render json: result, status: :ok`
			`return`
			`end`

			`if params[:full]`
			`full = Ticket::Article.full(params[:id])`
			`render json: full`
			`return`
			`end`

Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`render json: article.attributes_with_association_names`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00			`end`

			`# GET /ticket_articles/by_ticket/1`
			`def index_by_ticket`
			`ticket = Ticket.find(params[:id])`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(ticket, 'read')`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00
			`articles = []`

			`if params[:expand]`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`ticket.articles.each do \|article\|`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00
			`# ignore internal article if customer is requesting`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`next if article.internal == true && current_user.permissions?('ticket.customer')`
Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`result = article.attributes_with_association_names`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00			`articles.push result`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`end`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00
			`render json: articles, status: :ok`
			`return`
			`end`

			`if params[:full]`
			`assets = {}`
			`record_ids = []`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`ticket.articles.each do \|article\|`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00
			`# ignore internal article if customer is requesting`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`next if article.internal == true && current_user.permissions?('ticket.customer')`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00
			`record_ids.push article.id`
			`assets = article.assets({})`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`end`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00			`render json: {`
			`record_ids: record_ids,`
			`assets: assets,`
			`}`
			`return`
			`end`

Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`ticket.articles.each do \|article\|`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00
			`# ignore internal article if customer is requesting`
Moved from to new permission management. 2016-08-12 16:39:09 +00:00			`next if article.internal == true && current_user.permissions?('ticket.customer')`
Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`articles.push article.attributes_with_association_names`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`end`
Added /ticket_articles/by_ticket/1 to retrieve all article of a ticket. 2016-06-21 20:59:03 +00:00			`render json: articles`
Init version. 2012-04-10 14:06:46 +00:00			`end`

			`# POST /articles`
			`def create`
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`ticket = Ticket.find(params[:ticket_id])`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(ticket, 'create')`
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`article = article_create(ticket, params)`
Added shared organization feature. Customers will be able to watch organization ticket. 2012-11-13 10:34:45 +00:00
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`if params[:expand]`
Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`result = article.attributes_with_association_names`
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`render json: result, status: :created`
			`return`
Added general support of attachments. 2012-12-02 10:18:55 +00:00			`end`
Init version. 2012-04-10 14:06:46 +00:00
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`if params[:full]`
			`full = Ticket::Article.full(params[:id])`
			`render json: full, status: :created`
			`return`
Init version. 2012-04-10 14:06:46 +00:00			`end`
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00
Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`render json: article.attributes_with_association_names, status: :created`
Init version. 2012-04-10 14:06:46 +00:00			`end`

			`# PUT /articles/1`
			`def update`
Refactoring of ticket zoom (less rerendering, just rerender particular area's instant of whole view). Added live broadcasting of tag and links. 2016-06-07 19:22:08 +00:00			`article = Ticket::Article.find(params[:id])`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(article, 'change')`
Refactoring of ticket zoom (less rerendering, just rerender particular area's instant of whole view). Added live broadcasting of tag and links. 2016-06-07 19:22:08 +00:00
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin')`
			`raise Exceptions::NotAuthorized, 'Not authorized (ticket.agent or admin permission required)!'`
			`end`

Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`clean_params = Ticket::Article.association_name_to_id_convert(params)`
Refactoring of ticket zoom (less rerendering, just rerender particular area's instant of whole view). Added live broadcasting of tag and links. 2016-06-07 19:22:08 +00:00			`clean_params = Ticket::Article.param_cleanup(clean_params, true)`

Refactoring: Prefer .update! over .update, .update_attributes and .update_attribute - see http://www.davidverhasselt.com/set-attributes-in-activerecord/ . 2017-09-11 11:16:08 +00:00			`article.update!(clean_params)`
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00
			`if params[:expand]`
Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`result = article.attributes_with_association_names`
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`render json: result, status: :ok`
			`return`
Init version. 2012-04-10 14:06:46 +00:00			`end`
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00
			`if params[:full]`
			`full = Ticket::Article.full(params[:id])`
			`render json: full, status: :ok`
			`return`
			`end`

Refactoring: Splitted ApplicationModel into multiple concerns. Notice: Includes object some method name changes. 2017-01-31 17:13:45 +00:00			`render json: article.attributes_with_association_names, status: :ok`
Init version. 2012-04-10 14:06:46 +00:00			`end`

			`# DELETE /articles/1`
			`def destroy`
Refactoring of ticket zoom (less rerendering, just rerender particular area's instant of whole view). Added live broadcasting of tag and links. 2016-06-07 19:22:08 +00:00			`article = Ticket::Article.find(params[:id])`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(article, 'delete')`
Init version. 2012-04-10 14:06:46 +00:00
Improved validation messages of controllers. 2016-08-24 11:42:22 +00:00			`if current_user.permissions?('admin')`
			`article.destroy!`
			`head :ok`
			`return`
			`end`

			`if current_user.permissions?('ticket.agent') && article.created_by_id == current_user.id && article.type.name == 'note'`
			`article.destroy!`
			`head :ok`
			`return`
			`end`

			`raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!'`
Init version. 2012-04-10 14:06:46 +00:00			`end`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00
Added delete attachment feature. 2014-10-06 20:24:21 +00:00			`# DELETE /ticket_attachment_upload`
			`def ticket_attachment_upload_delete`
Mark ticket as changed if only one attachment is uploaded. Delete uploaded attachments on form rest. 2015-11-04 11:42:57 +00:00			`if params[:store_id]`
			`Store.remove_item(params[:store_id])`
			`render json: {`
			`success: true,`
			`}`
			`return`
			`elsif params[:form_id]`
			`Store.remove(`
			`object: 'UploadCache',`
			`o_id: params[:form_id],`
			`)`
			`render json: {`
			`success: true,`
			`}`
			`return`
			`end`
Added delete attachment feature. 2014-10-06 20:24:21 +00:00
Mark ticket as changed if only one attachment is uploaded. Delete uploaded attachments on form rest. 2015-11-04 11:42:57 +00:00			`render json: { message: 'No such store_id or form_id!' }, status: :unprocessable_entity`
Added delete attachment feature. 2014-10-06 20:24:21 +00:00			`end`

			`# POST /ticket_attachment_upload`
			`def ticket_attachment_upload_add`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00
			`# store file`
Added delete attachment feature. 2014-10-06 20:24:21 +00:00			`file = params[:File]`
			`content_type = file.content_type`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`if !content_type \|\| content_type == 'application/octet-stream'`
Updated dependencies and applied new rubocop rules. 2016-01-15 17:22:57 +00:00			`content_type = if MIME::Types.type_for(file.original_filename).first`
			`MIME::Types.type_for(file.original_filename).first.content_type`
			`else`
			`'application/octet-stream'`
			`end`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`end`
			`headers_store = {`
			`'Content-Type' => content_type`
			`}`
Added delete attachment feature. 2014-10-06 20:24:21 +00:00			`store = Store.add(`
Corrected with rubocop cop 'Style/HashSyntax'. 2015-04-27 13:42:53 +00:00			`object: 'UploadCache',`
			`o_id: params[:form_id],`
			`data: file.read,`
			`filename: file.original_filename,`
			`preferences: headers_store`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`)`

			`# return result`
Corrected with rubocop cop 'Style/HashSyntax'. 2015-04-27 13:42:53 +00:00			`render json: {`
			`success: true,`
			`data: {`
			`store_id: store.id,`
			`filename: file.original_filename,`
			`size: store.size,`
Added delete attachment feature. 2014-10-06 20:24:21 +00:00			`}`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`}`
			`end`
Added general support of attachments. 2012-12-02 10:18:55 +00:00
Refactoring of ticket zoom (less rerendering, just rerender particular area's instant of whole view). Added live broadcasting of tag and links. 2016-06-07 19:22:08 +00:00			`# GET /ticket_attachment/:ticket_id/:article_id/:id`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`def attachment`
Improved code layout. 2016-05-10 22:09:10 +00:00			`ticket = Ticket.lookup(id: params[:ticket_id])`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(ticket, 'read')`

Improved code layout. 2016-05-10 22:09:10 +00:00			`article = Ticket::Article.find(params[:article_id])`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`if ticket.id != article.ticket_id`
Allow accessing attachments of merged tickets by old ticket_id of merged ticket. 2017-04-04 16:15:29 +00:00
			`# check if requested ticket got merged`
			`if ticket.state.state_type.name != 'merged'`
			`raise Exceptions::NotAuthorized, 'No access, article_id/ticket_id is not matching.'`
			`end`

			`ticket = article.ticket`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(ticket, 'read')`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`end`

Moved attachment support to any model (object.attachments & object.attachments=). 2014-02-05 12:22:14 +00:00			`list = article.attachments \|\| []`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`access = false`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`list.each do \|item\|`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`if item.id.to_i == params[:id].to_i`
			`access = true`
			`end`
Applied RuboCop Style/BlockDelimiters to improve readability. 2017-10-01 12:25:52 +00:00			`end`
Improved error handling for json requests. 2016-06-30 08:24:03 +00:00			`raise Exceptions::NotAuthorized, 'Requested file id is not linked with article_id.' if !access`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00
			`# find file`
			`file = Store.find(params[:id])`
Fixed issue #617 - Prevent attachment preview in browser attachment download. 2017-01-31 16:55:12 +00:00
			`disposition = sanitized_disposition`

Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`send_data(`
Improved storage backend. 2014-04-28 07:44:36 +00:00			`file.content,`
Corrected with rubocop cop 'Style/HashSyntax'. 2015-04-27 13:42:53 +00:00			`filename: file.filename,`
			`type: file.preferences['Content-Type'] \|\| file.preferences['Mime-Type'],`
Fixed issue #617 - Prevent attachment preview in browser attachment download. 2017-01-31 16:55:12 +00:00			`disposition: disposition`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`)`
			`end`

			`# GET /ticket_article_plain/1`
			`def article_plain`
Improved code layout. 2016-05-10 22:09:10 +00:00			`article = Ticket::Article.find(params[:id])`
Added enhanced Group access functionality. 2017-06-16 20:43:09 +00:00			`access!(article, 'read')`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00
Added content validation to x-zammad mail headers and postmaster filters. 2016-12-20 23:07:47 +00:00			`file = article.as_raw`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00
			`# find file`
Added content validation to x-zammad mail headers and postmaster filters. 2016-12-20 23:07:47 +00:00			`return if !file`
Corrected with rubocop cop 'Style/GuardClause'. 2015-04-30 15:25:04 +00:00
			`send_data(`
			`file.content,`
			`filename: file.filename,`
			`type: 'message/rfc822',`
			`disposition: 'inline'`
			`)`
Rewrite for form generation. Added REST docu. Moved api to /api/*. 2012-09-20 12:08:02 +00:00			`end`

Fixed issue #617 - Prevent attachment preview in browser attachment download. 2017-01-31 16:55:12 +00:00			`private`

			`def sanitized_disposition`
			`disposition = params.fetch(:disposition, 'inline')`
			`valid_disposition = %w(inline attachment)`
			`return disposition if valid_disposition.include?(disposition)`
			`raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."`
			`end`
Init version. 2012-04-10 14:06:46 +00:00			`end`