From 11a6930c44bfe8b46e1afd9366204f5c3358fb27 Mon Sep 17 00:00:00 2001
From: Martin Edenhofer
Date: Thu, 5 Jan 2017 16:38:12 +0100
Subject: [PATCH] Fixed issue #588 - API Call crashes webinterface - or search?

---
 app/controllers/tickets_controller.rb | 12 ++-
 app/models/application_model.rb | 11 +++
 test/controllers/tickets_controller_test.rb | 96 ++++++++++++++++++++-
 3 files changed, 114 insertions(+), 5 deletions(-)

diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb
index 0484da350..49c7272c9 100644
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -76,7 +76,6 @@ class TicketsController < ApplicationController
 # POST /api/v1/tickets
 def create
 clean_params = Ticket.param_association_lookup(params)
- clean_params = Ticket.param_cleanup(clean_params, true)
 
 # overwrite params
 if !current_user.permissions?('ticket.agent')
@@ -108,6 +107,7 @@ class TicketsController < ApplicationController
 clean_params[:customer_id] = customer.id
 end
 
+ clean_params = Ticket.param_cleanup(clean_params, true)
 ticket = Ticket.new(clean_params)
 
 # check if article is given
@@ -283,6 +283,8 @@ class TicketsController < ApplicationController
 ticket_lists = Ticket
 .where(
 customer_id: ticket.customer_id,
+ ).where.not(
+ state_id: Ticket::State.by_category('merged')
 )
 .where(access_condition)
 .where('id != ?', [ ticket.id ])
@@ -303,7 +305,8 @@ class TicketsController < ApplicationController
 next if recent_view['object'] != 'Ticket'
 ticket_ids_recent_viewed.push recent_view['o_id']
 recent_view_ticket = Ticket.find(recent_view['o_id'])
- assets = recent_view_ticket.assets(assets)
+ next if recent_view_ticket.state.state_type.name == 'merged'
+ assets = recent_view_ticket.assets(assets)
 }
 
 # return result
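Review bot: Moving `Ticket.param_cleanup(clean_params, true)` below the customer handling (second hunk of this file) means the reference validation `param_cleanup` now performs runs only after the `customer_id: 'guess:...'` branch has been resolved; test 01.08 shows that branch persists a new user (`User.lookup(email: 'some_new_customer@example.com')`), so a request carrying an invalid `owner_id` together with a guessed customer is rejected with 422 only after that user record has been written, unless the action is wrapped in a transaction that I cannot see from here. Consider validating the plain `_id` params before resolving the guess, or deferring the customer creation until `param_cleanup` has passed, so a rejected request leaves no side effect. `create` continues outside both hunks.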
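Review bot: The merged-ticket exclusion is expressed as `where.not(state_id: Ticket::State.by_category('merged'))` here but as `state.state_type.name == 'merged'` in the next hunk of this file, so the two lists can diverge as soon as a state category and a state-type name stop matching; deriving both from one predicate (a query scope and a model-side helper that use the same category lookup) would keep them aligned. Whether `where.not` accepts the value as written also depends on what `by_category` returns, which is outside this page: a relation becomes a `NOT IN (subquery)`, whereas an array of record objects relies on Rails quoting them by id, a behaviour newer Rails versions no longer provide.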
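Review bot: `ticket_ids_recent_viewed.push recent_view['o_id']` still runs before the new `next if recent_view_ticket.state.state_type.name == 'merged'`, so a merged ticket's id is returned in the recent-viewed list while its assets are skipped, leaving the client with an id that has no matching asset, which looks like the kind of frontend failure this commit is addressing. Look the ticket up first and guard before the push: `recent_view_ticket = Ticket.find(recent_view['o_id'])` / `next if recent_view_ticket.state.state_type.name == 'merged'` / `ticket_ids_recent_viewed.push recent_view['o_id']`. Separately, `Ticket.find` raises `ActiveRecord::RecordNotFound` when a recently viewed ticket has since been deleted, so a nil-returning lookup with `next` on nil would make the loop tolerant of stale recent-view rows. The enclosing method starts and ends outside the hunk.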
@@ -491,6 +494,9 @@ class TicketsController < ApplicationController
 user_ticket_volume_by_year = []
 if params[:user_id]
 user = User.lookup(id: params[:user_id])
+ if !user
+ raise "No such user with id #{params[:user_id]}"
+ end
 condition = {
 'ticket.state_id' => {
 operator: 'is',
@@ -661,7 +667,7 @@ class TicketsController < ApplicationController
 
 # get related users
 article_ids = []
- ticket.articles.order('created_at ASC, id ASC').each { |article|
+ ticket.articles.each { |article|
 
 # ignore internal article if customer is requesting
 next if article.internal == true && current_user.permissions?('ticket.customer')
diff --git a/app/models/application_model.rb b/app/models/application_model.rb
index 27920c755..d7f0bdafd 100644
--- a/app/models/application_model.rb
+++ b/app/models/application_model.rb
@@ -93,6 +93,17 @@ returns
 clean_params = {}
 new.attributes.each { |attribute, _value|
 next if !data.key?(attribute.to_sym)
+
+ # check reference records, referenced by _id attributes
+ reflect_on_all_associations.map { |assoc|
+ class_name = assoc.options[:class_name]
+ next if !class_name
+ name = "#{assoc.name}_id".to_sym
+ next if !data.key?(name)
+ next if data[name].blank?
+ next if assoc.klass.lookup(id: data[name])
+ raise ArgumentError, "Invalid value for param '#{name}': #{data[name].inspect}"
+ }
 clean_params[attribute.to_sym] = data[attribute.to_sym]
 }
 
diff --git a/test/controllers/tickets_controller_test.rb b/test/controllers/tickets_controller_test.rb
index ef9bc478f..8621fc9d1 100644
--- a/test/controllers/tickets_controller_test.rb
+++ b/test/controllers/tickets_controller_test.rb
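Review bot: The new guard raises a bare `RuntimeError` from `params[:user_id]`, while the validation this same commit adds to `param_cleanup` raises `ArgumentError` for the same class of problem (bad request input); using one exception type for rejected input keeps the controller-wide error mapping consistent, and that mapping is outside this hunk so I cannot confirm which status a plain `RuntimeError` is turned into. The idiomatic one-liner is `raise ArgumentError, "No such user with id #{params[:user_id]}" unless user`, replacing the three-line `if !user` block. The interpolated id is echoed back to the caller, which is fine provided the error renderer JSON-encodes the message. The enclosing action starts and ends outside the hunk.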
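Review bot: Dropping `.order('created_at ASC, id ASC')` makes the iteration order of `ticket.articles` depend on whatever the association or a default scope defines, which is not visible here; if neither orders, `article_ids` and the related-user order derived from it become database-dependent. If the association already carries this order the change is fine, but a comment such as `# ticket.articles is ordered by the association (created_at, id)` would stop the next reader from re-adding the explicit order. The block continues outside the hunk.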
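Review bot: The `reflect_on_all_associations` scan sits inside `new.attributes.each`, so for every attribute present in `data` the whole association list is walked again and the same `assoc.klass.lookup(id: data[name])` queries are repeated; the block never uses `attribute`, so hoist the entire reference check above `new.attributes.each` so it runs once per `param_cleanup` call, and use `each` instead of `map` since the block's return values are discarded. Only associations declared with an explicit `class_name:` are checked (`next if !class_name`), so a dangling `_id` for an association without that option still passes through unvalidated — presumably deliberate, but a comment stating why would help the next maintainer. The check also only establishes that the referenced record exists, not that the caller may reference it (assignable owner, visible group), so authorization of these ids remains the controller's responsibility.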
@@ -127,12 +127,104 @@ class TicketsControllerTest < ActionDispatch::IntegrationTest
 assert_equal(@agent.id, result['created_by_id'])
 end
 
- test '01.04 ticket create with agent - minimal article with guess customer' do
+ test '01.04 ticket create with agent - wrong owner_id - 0' do
 credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
 params = {
 title: 'a new ticket #4',
 group: 'Users',
 priority: '2 normal',
+ owner_id: 0,
+ state: 'new',
+ customer_id: @customer_without_org.id,
+ article: {
+ body: 'some test 123',
+ },
+ }
+ post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+ assert_response(422)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal('Invalid value for param \'owner_id\': 0', result['error'])
+ end
+
+ test '01.05 ticket create with agent - wrong owner_id - ""' do
+ credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+ params = {
+ title: 'a new ticket #5',
+ group: 'Users',
+ priority: '2 normal',
+ owner_id: '',
+ state: 'new',
+ customer_id: @customer_without_org.id,
+ article: {
+ body: 'some test 123',
+ },
+ }
+ post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+ #assert_response(422)
+ #result = JSON.parse(@response.body)
+ #assert_equal(Hash, result.class)
+ #assert_equal('Invalid value for param \'owner_id\': ""', result['error'])
+ assert_response(201)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
+ assert_equal('a new ticket #5', result['title'])
+ assert_equal(@customer_without_org.id, result['customer_id'])
+ assert_equal(@agent.id, result['updated_by_id'])
+ assert_equal(@agent.id, result['created_by_id'])
+ end
+
+ test '01.06 ticket create with agent - wrong owner_id - 99999' do
+ credentials =
ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+ params = {
+ title: 'a new ticket #6',
+ group: 'Users',
+ priority: '2 normal',
+ owner_id: 99_999,
+ state: 'new',
+ customer_id: @customer_without_org.id,
+ article: {
+ body: 'some test 123',
+ },
+ }
+ post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+ assert_response(422)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal('Invalid value for param \'owner_id\': 99999', result['error'])
+ end
+
+ test '01.07 ticket create with agent - wrong owner_id - nil' do
+ credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+ params = {
+ title: 'a new ticket #7',
+ group: 'Users',
+ priority: '2 normal',
+ owner_id: nil,
+ state: 'new',
+ customer_id: @customer_without_org.id,
+ article: {
+ body: 'some test 123',
+ },
+ }
+ post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+ assert_response(201)
+ result = JSON.parse(@response.body)
+ assert_equal(Hash, result.class)
+ assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
+ assert_equal('a new ticket #7', result['title'])
+ assert_equal(@customer_without_org.id, result['customer_id'])
+ assert_equal(@agent.id, result['updated_by_id'])
+ assert_equal(@agent.id, result['created_by_id'])
+ end
+
+ test '01.08 ticket create with agent - minimal article with guess customer' do
+ credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+ params = {
+ title: 'a new ticket #8',
+ group: 'Users',
+ priority: '2 normal',
 state: 'new',
 customer_id: 'guess:some_new_customer@example.com',
 article: {
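Review bot: Test `'01.05 ticket create with agent - wrong owner_id - ""'` keeps four commented-out assertions (`#assert_response(422)` through `#assert_equal('Invalid value for param \'owner_id\': ""', result['error'])`) directly above the `assert_response(201)` it actually makes, which leaves the intended behaviour for an empty `owner_id` ambiguous to the next reader. Either delete them or replace them with one line stating the decision, e.g. `# a blank owner_id is accepted: param_cleanup skips blank reference values`, which matches the `next if data[name].blank?` added in application_model.rb. Tests 01.04 and 01.06 pin the exact error string, so any rewording of that `ArgumentError` message breaks them; acceptable for a regression test, but worth knowing. The test class continues outside the hunk.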
@@ -144,7 +236,7 @@ class TicketsControllerTest < ActionDispatch::IntegrationTest
 result = JSON.parse(@response.body)
 assert_equal(Hash, result.class)
 assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
- assert_equal('a new ticket #4', result['title'])
+ assert_equal('a new ticket #8', result['title'])
 assert_equal(User.lookup(email: 'some_new_customer@example.com').id, result['customer_id'])
 assert_equal(@agent.id, result['updated_by_id'])
 assert_equal(@agent.id, result['created_by_id'])