Fixed issue #588 - API Call crashes webinterface - or search?

2017-01-05 16:38:12 +01:00 · 2017-01-05 16:38:12 +01:00 · 11a6930c44
commit 11a6930c44
parent cec2a051da
3 changed files with 114 additions and 5 deletions
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@ -76,7 +76,6 @@ class TicketsController < ApplicationController
  # POST /api/v1/tickets
  def create
    clean_params = Ticket.param_association_lookup(params)
-    clean_params = Ticket.param_cleanup(clean_params, true)

    # overwrite params
    if !current_user.permissions?('ticket.agent')
@ -108,6 +107,7 @@ class TicketsController < ApplicationController
      clean_params[:customer_id] = customer.id
    end

+    clean_params = Ticket.param_cleanup(clean_params, true)
    ticket = Ticket.new(clean_params)

    # check if article is given
@ -283,6 +283,8 @@ class TicketsController < ApplicationController
      ticket_lists = Ticket
                     .where(
                       customer_id: ticket.customer_id,
+                     ).where.not(
+                       state_id: Ticket::State.by_category('merged')
                     )
                     .where(access_condition)
                     .where('id != ?', [ ticket.id ])
@ -303,7 +305,8 @@ class TicketsController < ApplicationController
      next if recent_view['object'] != 'Ticket'
      ticket_ids_recent_viewed.push recent_view['o_id']
      recent_view_ticket = Ticket.find(recent_view['o_id'])
-      assets             = recent_view_ticket.assets(assets)
+      next if recent_view_ticket.state.state_type.name == 'merged'
+      assets = recent_view_ticket.assets(assets)
    }

    # return result
@ -491,6 +494,9 @@ class TicketsController < ApplicationController
    user_ticket_volume_by_year = []
    if params[:user_id]
      user = User.lookup(id: params[:user_id])
+      if !user
+        raise "No such user with id #{params[:user_id]}"
+      end
      condition = {
        'ticket.state_id' => {
          operator: 'is',
@ -661,7 +667,7 @@ class TicketsController < ApplicationController

    # get related users
    article_ids = []
-    ticket.articles.order('created_at ASC, id ASC').each { |article|
+    ticket.articles.each { |article|

      # ignore internal article if customer is requesting
      next if article.internal == true && current_user.permissions?('ticket.customer')
--- a/app/models/application_model.rb
+++ b/app/models/application_model.rb
@ -93,6 +93,17 @@ returns
    clean_params = {}
    new.attributes.each { |attribute, _value|
      next if !data.key?(attribute.to_sym)
+
+      # check reference records, referenced by _id attributes
+      reflect_on_all_associations.map { |assoc|
+        class_name = assoc.options[:class_name]
+        next if !class_name
+        name = "#{assoc.name}_id".to_sym
+        next if !data.key?(name)
+        next if data[name].blank?
+        next if assoc.klass.lookup(id: data[name])
+        raise ArgumentError, "Invalid value for param '#{name}': #{data[name].inspect}"
+      }
      clean_params[attribute.to_sym] = data[attribute.to_sym]
    }

--- a/test/controllers/tickets_controller_test.rb
+++ b/test/controllers/tickets_controller_test.rb
@ -127,12 +127,104 @@ class TicketsControllerTest < ActionDispatch::IntegrationTest
    assert_equal(@agent.id, result['created_by_id'])
  end

-  test '01.04 ticket create with agent - minimal article with guess customer' do
+  test '01.04 ticket create with agent - wrong owner_id - 0' do
    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
    params = {
      title: 'a new ticket #4',
      group: 'Users',
      priority: '2 normal',
+      owner_id: 0,
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal('Invalid value for param \'owner_id\': 0', result['error'])
+  end
+
+  test '01.05 ticket create with agent - wrong owner_id - ""' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #5',
+      group: 'Users',
+      priority: '2 normal',
+      owner_id: '',
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    #assert_response(422)
+    #result = JSON.parse(@response.body)
+    #assert_equal(Hash, result.class)
+    #assert_equal('Invalid value for param \'owner_id\': ""', result['error'])
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
+    assert_equal('a new ticket #5', result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+  end
+
+  test '01.06 ticket create with agent - wrong owner_id - 99999' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #6',
+      group: 'Users',
+      priority: '2 normal',
+      owner_id: 99_999,
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal('Invalid value for param \'owner_id\': 99999', result['error'])
+  end
+
+  test '01.07 ticket create with agent - wrong owner_id - nil' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #7',
+      group: 'Users',
+      priority: '2 normal',
+      owner_id: nil,
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
+    assert_equal('a new ticket #7', result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+  end
+
+  test '01.08 ticket create with agent - minimal article with guess customer' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #8',
+      group: 'Users',
+      priority: '2 normal',
      state: 'new',
      customer_id: 'guess:some_new_customer@example.com',
      article: {
@ -144,7 +236,7 @@ class TicketsControllerTest < ActionDispatch::IntegrationTest
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
-    assert_equal('a new ticket #4', result['title'])
+    assert_equal('a new ticket #8', result['title'])
    assert_equal(User.lookup(email: 'some_new_customer@example.com').id, result['customer_id'])
    assert_equal(@agent.id, result['updated_by_id'])
    assert_equal(@agent.id, result['created_by_id'])