From 386ed0f4f81a6684a2a22c77b99147f7366ed44f Mon Sep 17 00:00:00 2001 From: Rolf Schmidt Date: Fri, 13 Nov 2020 15:10:24 +0100 Subject: [PATCH] Fixes #2568 - Change-Right allows creation of new tickets. --- app/controllers/tickets_controller.rb | 2 ++ app/models/ticket/screen_options.rb | 6 +++++- app/policies/ticket_policy.rb | 7 ++++++ spec/requests/ticket_spec.rb | 31 +++++++++++++++++++++++++++ 4 files changed, 45 insertions(+), 1 deletion(-) diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb index 0630be08f..98c9a20df 100644 --- a/app/controllers/tickets_controller.rb +++ b/app/controllers/tickets_controller.rb @@ -143,6 +143,7 @@ class TicketsController < ApplicationController clean_params = Ticket.param_cleanup(clean_params, true) ticket = Ticket.new(clean_params) + authorize!(ticket, :create?) # check if article is given if !params[:article] @@ -432,6 +433,7 @@ class TicketsController < ApplicationController # get attributes to update attributes_to_change = Ticket::ScreenOptions.attributes_to_change( + view: 'ticket_create', current_user: current_user, ) render json: attributes_to_change diff --git a/app/models/ticket/screen_options.rb b/app/models/ticket/screen_options.rb index 3edf07851..6d5f8c393 100644 --- a/app/models/ticket/screen_options.rb +++ b/app/models/ticket/screen_options.rb @@ -100,7 +100,11 @@ returns filter[:group_id] = [] groups = if params[:current_user].permissions?('ticket.agent') - params[:current_user].groups_access(%w[create change]) + if params[:view] == 'ticket_create' + params[:current_user].groups_access(%w[create]) + else + params[:current_user].groups_access(%w[create change]) + end else Group.where(active: true) end diff --git a/app/policies/ticket_policy.rb b/app/policies/ticket_policy.rb index 956d79a62..87ab085fd 100644 --- a/app/policies/ticket_policy.rb +++ b/app/policies/ticket_policy.rb @@ -5,6 +5,7 @@ class TicketPolicy < ApplicationPolicy end def create? + ensure_group! access?('create') end @@ -26,6 +27,12 @@ class TicketPolicy < ApplicationPolicy access?('full') end + def ensure_group! + return if record.group_id + + raise Exceptions::UnprocessableEntity, "Group can't be blank" + end + def follow_up? return true if user.permissions?('ticket.agent') # agents can always reopen tickets, regardless of group configuration return true if record.group.follow_up_possible != 'new_ticket' # check if the setting for follow_up_possible is disabled diff --git a/spec/requests/ticket_spec.rb b/spec/requests/ticket_spec.rb index d44aa6088..ff36205ca 100644 --- a/spec/requests/ticket_spec.rb +++ b/spec/requests/ticket_spec.rb @@ -5,12 +5,22 @@ RSpec.describe 'Ticket', type: :request do let!(:ticket_group) do create(:group, email_address: create(:email_address) ) end + let!(:ticket_group_without_create) do + create(:group, email_address: create(:email_address) ) + end let(:admin) do create(:admin, groups: Group.all, firstname: 'Tickets', lastname: 'Admin') end let!(:agent) do create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent') end + let!(:agent_change_only) do + user = create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent') + user.group_names_access_map = { + ticket_group_without_create.name => %w[read change], + } + user + end let!(:customer) do create( :customer, @@ -58,6 +68,27 @@ RSpec.describe 'Ticket', type: :request do expect(json_response['error']).to eq('No lookup value found for \'group\': "not_existing"') end + it 'does ticket create with agent - valid group but no create permissions (01.02a)' do + params = { + title: 'a new ticket #1', + group: ticket_group_without_create.name, + priority: '2 normal', + state: 'new', + customer_id: customer.id, + article: { + content_type: 'text/plain', # or text/html + body: 'some body', + sender: 'Customer', + type: 'note', + }, + } + authenticated_as(agent_change_only) + post '/api/v1/tickets', params: params, as: :json + expect(response).to have_http_status(:unauthorized) + expect(json_response).to be_a_kind_of(Hash) + expect(json_response['error']).to eq('Not authorized') + end + it 'does ticket create with agent - missing article.body (01.03)' do params = { title: 'a new ticket #3',