Enhancement: Ticket#number should be read only for API requests.

2020-02-19 12:54:06 +01:00 · 2020-02-19 12:54:06 +01:00 · 047a3aba87
commit 047a3aba87
parent c7ab3e1fe2
2 changed files with 16 additions and 0 deletions
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@ -229,6 +229,9 @@ class TicketsController < ApplicationController
    # only apply preferences changes (keep not updated keys/values)
    clean_params = ticket.param_preferences_merge(clean_params)

+    # disable changes on ticket number
+    clean_params.delete('number')
+
    # overwrite params
    if !current_user.permissions?('ticket.agent')
      %i[owner owner_id customer customer_id organization organization_id preferences].each do |key|
--- a/spec/requests/ticket_spec.rb
+++ b/spec/requests/ticket_spec.rb
@ -1684,6 +1684,19 @@ RSpec.describe 'Ticket', type: :request do
      expect(json_response['assets']['User'][customer_user.id.to_s]['firstname']).to eq(customer_user.firstname)
      expect(json_response['assets']['User'][customer_user.id.to_s]['lastname']).to eq(customer_user.lastname)

+      # it should be not possible to modify the ticket number
+      expected_ticket_number = ticket.number
+      params = {
+        title:  'a update ticket #4',
+        number: '77777',
+      }
+      put "/api/v1/tickets/#{ticket.id}?full=true", params: params, as: :json
+      expect(response).to have_http_status(:ok)
+      expect(json_response).to be_a_kind_of(Hash)
+
+      ticket = Ticket.find(json_response['id'])
+      expect(json_response['assets']['Ticket'][ticket.id.to_s]['title']).to eq('a update ticket #4')
+      expect(json_response['assets']['Ticket'][ticket.id.to_s]['number']).to eq(expected_ticket_number)
    end

    it 'does ticket split with html - check attachments (05.01)' do