From 32b30ced5e2fc1bfe2eebcdf08a2c16250c6a3f3 Mon Sep 17 00:00:00 2001 From: Rolf Schmidt Date: Tue, 30 Mar 2021 09:41:23 +0200 Subject: [PATCH] Fixes #3482 - read permission is not enough to display subscribed tickets in overviews. --- app/models/ticket/overviews.rb | 12 +++++++++--- spec/models/ticket/overviews_spec.rb | 23 +++++++++++++++++++++++ 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/app/models/ticket/overviews.rb b/app/models/ticket/overviews.rb index 5e87aa1a3..7e7072213 100644 --- a/app/models/ticket/overviews.rb +++ b/app/models/ticket/overviews.rb @@ -92,7 +92,8 @@ returns return [] if overviews.blank? # get only tickets with permissions - access_condition = Ticket.access_condition(user, 'overview') + access_condition = Ticket.access_condition(user, 'overview') + access_condition_read = Ticket.access_condition(user, 'read') ticket_attributes = Ticket.new.attributes list = [] @@ -127,8 +128,13 @@ returns end end + overview_access_condition = access_condition + if overview.condition['ticket.mention_user_ids'].present? + overview_access_condition = access_condition_read + end + ticket_result = Ticket.distinct - .where(access_condition) + .where(overview_access_condition) .where(query_condition, *bind_condition) .joins(tables) .order(Arel.sql("#{order_by} #{direction}")) @@ -142,7 +148,7 @@ returns } end - count = Ticket.distinct.where(access_condition).where(query_condition, *bind_condition).joins(tables).count() + count = Ticket.distinct.where(overview_access_condition).where(query_condition, *bind_condition).joins(tables).count() item = { overview: { name: overview.name, diff --git a/spec/models/ticket/overviews_spec.rb b/spec/models/ticket/overviews_spec.rb index d3bb73612..b52d2f96d 100644 --- a/spec/models/ticket/overviews_spec.rb +++ b/spec/models/ticket/overviews_spec.rb 
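Review bot: The comment `# get only tickets with permissions` in the first hunk now sits above two conditions with different scopes, and nothing there says why the broader 'read' one exists. A short comment on the new line would help, e.g. `# 'read' scope is used only for overviews that filter on mentions (#3482)`. The enclosing method starts and ends outside this hunk.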
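Review bot: The switch to `access_condition_read` in the second hunk is keyed only on the presence of the `ticket.mention_user_ids` key, not on what that condition constrains. If an overview carries that key with a negated operator or a value other than the requesting user (not visible here, so to be confirmed against the selector format), it would list every ticket the user can merely read. That bypasses the 'overview' permission rather than just exposing subscribed tickets. Relaxing the scope only when the condition pins the mention to the current user keeps the exception narrow, for example `mention = overview.condition['ticket.mention_user_ids']` followed by `if mention.present? && mention['operator'] == 'is' && mention['pre_condition'] == 'current_user.id'`, assuming the usual operator/pre_condition keys. The enclosing loop body continues outside the hunk.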
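Review bot: The count query changed in the third hunk repeats the `where(overview_access_condition).where(query_condition, *bind_condition).joins(tables)` chain of `ticket_result`. The listed tickets and the reported count therefore agree on authorization only while both copies are edited together, as this commit had to do. Building the scope once, `scope = Ticket.distinct.where(overview_access_condition).where(query_condition, *bind_condition).joins(tables)`, and deriving both the list and the count from it would remove that risk. `count()` can also drop the empty parentheses.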
@@ -75,4 +75,27 @@ RSpec.describe Ticket::Overviews do
 expect(result[0][:tickets].count).to be == 2
 end
 end
+
+ describe 'Mentions:' do
+ let(:group_read) { create(:group) }
+ let(:user_read) { create(:agent) }
+ let(:ticket) { create(:ticket, group: group_read) }
+
+ before do
+ user_read.group_names_access_map = {
+ group_read.name => 'read',
+ }
+ end
+
+ it 'does show read only tickets in overview because user is mentioned' do
+ create(:mention, mentionable: ticket, user: user_read)
+ result = described_class.index(user_read, ['my_subscribed_tickets'])
+ expect(result.first[:tickets].pluck(:id)).to eq([ticket.id])
+ end
+
+ it 'does not show read only tickets in overview' do
+ result = described_class.index(user_read, ['my_subscribed_tickets'])
+ expect(result.first[:tickets]).to eq([])
+ end
+ end
 end
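Review bot: Both examples give `user_read` read access to the group, so nothing pins the lower bound of the relaxed scope. An example where a mention exists but the user has no access to `group_read` at all, expecting `[]`, would guard against the read condition being loosened further. Whether the mention factory allows creating such a record needs checking. A third example with an agent holding 'overview' access would confirm the pre-existing path still works for `my_subscribed_tickets`.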