From 0242c05165e5680f41803140b3da8dda38e2dbe0 Mon Sep 17 00:00:00 2001
From: Rolf Schmidt
Date: Tue, 8 Dec 2020 13:32:52 +0100
Subject: [PATCH] Fixes #2605 - Deletion via API impossible when user logged in at some point.
---
 app/controllers/organizations_controller.rb | 1 -
 app/controllers/users_controller.rb | 1 -
 .../organizations_controller_policy.rb | 4 +--
 spec/requests/organization_spec.rb | 30 ++++++++++++-------
 spec/requests/user_spec.rb | 9 ++++++
 5 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/app/controllers/organizations_controller.rb b/app/controllers/organizations_controller.rb
index d94687946..16ff6ebc5 100644
--- a/app/controllers/organizations_controller.rb
+++ b/app/controllers/organizations_controller.rb
@@ -170,7 +170,6 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 =end
 def destroy
- model_references_check(Organization, params)
 model_destroy_render(Organization, params)
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 4eea0d051..6975cc8e3 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -174,7 +174,6 @@ class UsersController < ApplicationController
 user = User.find(params[:id])
 authorize!(user)
- model_references_check(User, params)
 model_destroy_render(User, params)
 end
diff --git a/app/policies/controllers/organizations_controller_policy.rb b/app/policies/controllers/organizations_controller_policy.rb
index 2530cb618..d45c0b04a 100644
--- a/app/policies/controllers/organizations_controller_policy.rb
+++ b/app/policies/controllers/organizations_controller_policy.rb
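Review bot: Dropping the `model_references_check(Organization, params)` call removes the reference guard entirely, so an organization that still has members or tickets now goes straight to `model_destroy_render`; whether that cascades, orphans rows or fails on a foreign key depends on the model's associations, which are not visible here, and the new specs only delete a freshly created record. The users_controller hunk below makes the identical change for `User`. If the goal is only to stop login artifacts from counting as references, narrowing the check would be safer than removing it; either way the decision deserves a comment on both `destroy` methods, e.g. `# no references check here: deletion of referenced records is left to the model's dependent associations (see #2605)`. The `destroy` in users_controller starts outside its hunk, so `authorize!(user)` remains the only visible pre-condition there.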
@@ -1,7 +1,7 @@
 class Controllers::OrganizationsControllerPolicy < Controllers::ApplicationControllerPolicy
- permit! :import_example, to: 'admin.organization'
+ permit! %i[destroy import_example], to: 'admin.organization'
 permit! :import_start, to: 'admin.user'
- permit! %i[create update destroy search history], to: ['ticket.agent', 'admin.organization']
+ permit! %i[create update search history], to: ['ticket.agent', 'admin.organization']
 def show?
 return true if user.permissions?(['ticket.agent', 'admin.organization'])
diff --git a/spec/requests/organization_spec.rb b/spec/requests/organization_spec.rb
index c91c2f8ed..babc13e7d 100644
--- a/spec/requests/organization_spec.rb
+++ b/spec/requests/organization_spec.rb
@@ -1,6 +1,6 @@
 require 'rails_helper'
-RSpec.describe 'Organization', type: :request, searchindex: true do
+RSpec.describe 'Organization', type: :request do
 let!(:admin) do
 create(:admin, groups: Group.all)
@@ -39,21 +39,20 @@ RSpec.describe 'Organization', type: :request, searchindex: true do
 create(:customer, organization: organization)
 end
- before do
- configure_elasticsearch do
+ describe 'request handling', searchindex: true do
+ before do
+ configure_elasticsearch do
- travel 1.minute
+ travel 1.minute
- rebuild_searchindex
+ rebuild_searchindex
- # execute background jobs
- Scheduler.worker(true)
+ # execute background jobs
+ Scheduler.worker(true)
- sleep 6
+ sleep 6
+ end
 end
- end
-
- describe 'request handling' do
 it 'does index with agent' do
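Review bot: Moving `destroy` out of the shared `permit!` list and into the `admin.organization`-only line silently takes organization deletion away from `ticket.agent`, and neither the commit message nor the new DELETE spec (which authenticates as an admin) covers that change. If the tightening is intended, it should be stated in the commit message and pinned by a request spec that authenticates as an agent and expects a forbidden response on `DELETE /api/v1/organizations/:id`; if it is not intended, `destroy` belongs back in the `['ticket.agent', 'admin.organization']` list. A one-line comment next to the first `permit!`, e.g. `# destroy is admin-only; agents may create/update/search but not delete organizations`, would make the intent explicit for the next reader.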
@@ -570,4 +569,13 @@ RSpec.describe 'Organization', type: :request, searchindex: true do
 expect(organization2.active).to eq(false)
 end
 end
+
+ describe 'DELETE /api/v1/organizations', authenticated_as: -> { create(:admin) }, searchindex: false do
+ it 'does organization deletion' do
+ organization = create(:organization)
+ delete "/api/v1/organizations/#{organization.id}", params: {}, as: :json
+ expect(response).to have_http_status(:ok)
+ expect { organization.reload }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+ end
 end
diff --git a/spec/requests/user_spec.rb b/spec/requests/user_spec.rb
index 0e96ffcf5..871de4543 100644
--- a/spec/requests/user_spec.rb
+++ b/spec/requests/user_spec.rb
@@ -1142,6 +1142,15 @@ RSpec.describe 'User', type: :request do
 end
 end
+ describe 'DELETE /api/v1/users', authenticated_as: -> { create(:admin) }, searchindex: false do
+ it 'does user deletion' do
+ customer = create(:customer)
+ delete "/api/v1/users/#{customer.id}", params: {}, as: :json
+ expect(response).to have_http_status(:ok)
+ expect { customer.reload }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+ end
+
 describe 'POST /api/v1/users', authenticated_as: -> { create(:admin) }, searchindex: false do
 def make_request(params)
 post '/api/v1/users', params: params, as: :json
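Review bot: The new `DELETE /api/v1/organizations` example creates an organization with no members and deletes it immediately, so it never exercises the referenced-record case the removed `model_references_check` used to guard, and it would presumably pass with or without the controller change; the `DELETE /api/v1/users` example in the user_spec hunk below has the same gap and, more importantly, never reproduces the "user logged in at some point" condition from the title. Having the customer perform one authenticated request before the admin issues the `delete`, and giving the organization at least one member, would turn both into real regression tests; in their current form a comment such as `# only covers an unreferenced record; referenced case is not tested` should mark the limitation. `params: {}` on both `delete` calls is the default and can be dropped. Both `describe` blocks are complete inside their hunks.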