Fixes #2568 - Change-Right allows creation of new tickets.

2020-11-13 15:10:24 +01:00 · 2020-11-13 15:10:24 +01:00 · 386ed0f4f8
commit 386ed0f4f8
parent e7039d7046
4 changed files with 45 additions and 1 deletions
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@ -143,6 +143,7 @@ class TicketsController < ApplicationController

    clean_params = Ticket.param_cleanup(clean_params, true)
    ticket = Ticket.new(clean_params)
+    authorize!(ticket, :create?)

    # check if article is given
    if !params[:article]
@ -432,6 +433,7 @@ class TicketsController < ApplicationController

    # get attributes to update
    attributes_to_change = Ticket::ScreenOptions.attributes_to_change(
+      view:         'ticket_create',
      current_user: current_user,
    )
    render json: attributes_to_change
--- a/app/models/ticket/screen_options.rb
+++ b/app/models/ticket/screen_options.rb
@ -100,7 +100,11 @@ returns

    filter[:group_id] = []
    groups = if params[:current_user].permissions?('ticket.agent')
-               params[:current_user].groups_access(%w[create change])
+               if params[:view] == 'ticket_create'
+                 params[:current_user].groups_access(%w[create])
+               else
+                 params[:current_user].groups_access(%w[create change])
+               end
             else
               Group.where(active: true)
             end
--- a/app/policies/ticket_policy.rb
+++ b/app/policies/ticket_policy.rb
@ -5,6 +5,7 @@ class TicketPolicy < ApplicationPolicy
  end

  def create?
+    ensure_group!
    access?('create')
  end

@ -26,6 +27,12 @@ class TicketPolicy < ApplicationPolicy
    access?('full')
  end

+  def ensure_group!
+    return if record.group_id
+
+    raise Exceptions::UnprocessableEntity, "Group can't be blank"
+  end
+
  def follow_up?
    return true if user.permissions?('ticket.agent') # agents can always reopen tickets, regardless of group configuration
    return true if record.group.follow_up_possible != 'new_ticket' # check if the setting for follow_up_possible is disabled
--- a/spec/requests/ticket_spec.rb
+++ b/spec/requests/ticket_spec.rb
@ -5,12 +5,22 @@ RSpec.describe 'Ticket', type: :request do
  let!(:ticket_group) do
    create(:group, email_address: create(:email_address) )
  end
+  let!(:ticket_group_without_create) do
+    create(:group, email_address: create(:email_address) )
+  end
  let(:admin) do
    create(:admin, groups: Group.all, firstname: 'Tickets', lastname: 'Admin')
  end
  let!(:agent) do
    create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent')
  end
+  let!(:agent_change_only) do
+    user = create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent')
+    user.group_names_access_map = {
+      ticket_group_without_create.name => %w[read change],
+    }
+    user
+  end
  let!(:customer) do
    create(
      :customer,
@ -58,6 +68,27 @@ RSpec.describe 'Ticket', type: :request do
      expect(json_response['error']).to eq('No lookup value found for \'group\': "not_existing"')
    end

+    it 'does ticket create with agent - valid group but no create permissions (01.02a)' do
+      params = {
+        title:       'a new ticket #1',
+        group:       ticket_group_without_create.name,
+        priority:    '2 normal',
+        state:       'new',
+        customer_id: customer.id,
+        article:     {
+          content_type: 'text/plain', # or text/html
+          body:         'some body',
+          sender:       'Customer',
+          type:         'note',
+        },
+      }
+      authenticated_as(agent_change_only)
+      post '/api/v1/tickets', params: params, as: :json
+      expect(response).to have_http_status(:unauthorized)
+      expect(json_response).to be_a_kind_of(Hash)
+      expect(json_response['error']).to eq('Not authorized')
+    end
+
    it 'does ticket create with agent - missing article.body (01.03)' do
      params = {
        title:       'a new ticket #3',