Fixes #3482 - read permission is not enough to display subscribed tickets in overviews.

2021-03-30 09:41:23 +02:00 · 2021-03-30 09:41:23 +02:00 · 32b30ced5e
commit 32b30ced5e
parent 76bb7f920e
2 changed files with 32 additions and 3 deletions
--- a/app/models/ticket/overviews.rb
+++ b/app/models/ticket/overviews.rb
@ -92,7 +92,8 @@ returns
    return [] if overviews.blank?

    # get only tickets with permissions
-    access_condition = Ticket.access_condition(user, 'overview')
+    access_condition      = Ticket.access_condition(user, 'overview')
+    access_condition_read = Ticket.access_condition(user, 'read')

    ticket_attributes = Ticket.new.attributes
    list = []
@ -127,8 +128,13 @@ returns
        end
      end

+      overview_access_condition = access_condition
+      if overview.condition['ticket.mention_user_ids'].present?
+        overview_access_condition = access_condition_read
+      end
+
      ticket_result = Ticket.distinct
-                            .where(access_condition)
+                            .where(overview_access_condition)
                            .where(query_condition, *bind_condition)
                            .joins(tables)
                            .order(Arel.sql("#{order_by} #{direction}"))
@ -142,7 +148,7 @@ returns
        }
      end

-      count = Ticket.distinct.where(access_condition).where(query_condition, *bind_condition).joins(tables).count()
+      count = Ticket.distinct.where(overview_access_condition).where(query_condition, *bind_condition).joins(tables).count()
      item = {
        overview: {
          name:       overview.name,
--- a/spec/models/ticket/overviews_spec.rb
+++ b/spec/models/ticket/overviews_spec.rb
@ -75,4 +75,27 @@ RSpec.describe Ticket::Overviews do
      expect(result[0][:tickets].count).to be == 2
    end
  end
+
+  describe 'Mentions:' do
+    let(:group_read) { create(:group) }
+    let(:user_read) { create(:agent) }
+    let(:ticket) { create(:ticket, group: group_read) }
+
+    before do
+      user_read.group_names_access_map = {
+        group_read.name => 'read',
+      }
+    end
+
+    it 'does show read only tickets in overview because user is mentioned' do
+      create(:mention, mentionable: ticket, user: user_read)
+      result = described_class.index(user_read, ['my_subscribed_tickets'])
+      expect(result.first[:tickets].pluck(:id)).to eq([ticket.id])
+    end
+
+    it 'does not show read only tickets in overview' do
+      result = described_class.index(user_read, ['my_subscribed_tickets'])
+      expect(result.first[:tickets]).to eq([])
+    end
+  end
 end