From 047a3aba876155c76f1d76741427489412cd0818 Mon Sep 17 00:00:00 2001
From: Rolf Schmidt
Date: Wed, 19 Feb 2020 12:54:06 +0100
Subject: [PATCH] Enhancement: Ticket#number should be read only for API requests.
---
 app/controllers/tickets_controller.rb | 3 +++
 spec/requests/ticket_spec.rb | 13 +++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb
index 65f04f0b9..7abc93768 100644
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -229,6 +229,9 @@ class TicketsController < ApplicationController
 # only apply preferences changes (keep not updated keys/values)
 clean_params = ticket.param_preferences_merge(clean_params)
+ # disable changes on ticket number
+ clean_params.delete('number')
+
 # overwrite params
 if !current_user.permissions?('ticket.agent')
 %i[owner owner_id customer customer_id organization organization_id preferences].each do |key|
diff --git a/spec/requests/ticket_spec.rb b/spec/requests/ticket_spec.rb
index 4d3d79d1f..146e38435 100644
--- a/spec/requests/ticket_spec.rb
+++ b/spec/requests/ticket_spec.rb
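Review bot: `clean_params.delete('number')` strips the field in this one action only, so the read-only guarantee holds just for requests that pass through these lines; the enclosing method starts and ends outside the hunk, and any other request path that assigns ticket attributes from client input would need the same strip or, better, one shared filter. The key is a string while the loop just below iterates symbol keys (`%i[owner owner_id ...]`), which is only equivalent if `clean_params` is an indifferent-access hash; that is not visible here, so it is worth confirming. The value is dropped silently and the request still succeeds, which the comment should state along with the reason, e.g. `# number is assigned by the system; silently ignore a client-supplied value so API callers cannot renumber a ticket`.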
@@ -1684,6 +1684,19 @@ RSpec.describe 'Ticket', type: :request do
 expect(json_response['assets']['User'][customer_user.id.to_s]['firstname']).to eq(customer_user.firstname)
 expect(json_response['assets']['User'][customer_user.id.to_s]['lastname']).to eq(customer_user.lastname)
+ # it should be not possible to modify the ticket number
+ expected_ticket_number = ticket.number
+ params = {
+ title: 'a update ticket #4',
+ number: '77777',
+ }
+ put "/api/v1/tickets/#{ticket.id}?full=true", params: params, as: :json
+ expect(response).to have_http_status(:ok)
+ expect(json_response).to be_a_kind_of(Hash)
+
+ ticket = Ticket.find(json_response['id'])
+ expect(json_response['assets']['Ticket'][ticket.id.to_s]['title']).to eq('a update ticket #4')
+ expect(json_response['assets']['Ticket'][ticket.id.to_s]['number']).to eq(expected_ticket_number)
 end
 it 'does ticket split with html - check attachments (05.01)' do
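Review bot: The new assertions compare only the `number` echoed in the JSON response, so the persisted value is never checked directly; after `ticket = Ticket.find(json_response['id'])` add `expect(ticket.number).to eq(expected_ticket_number)`. The check is appended to an existing example whose setup and authenticated user lie outside the hunk, so it exercises a single role. Because the controller strip sits ahead of the `ticket.agent` permission branch and is meant to hold for every caller, a dedicated `it` for an agent and one for a non-agent would pin that and make a failure easier to localize.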