Fixes #2568 - Change-Right allows creation of new tickets.

app/controllers/tickets_controller.rb

@@ -143,6 +143,7 @@ class TicketsController < ApplicationController
 
     clean_params = Ticket.param_cleanup(clean_params, true)
     ticket = Ticket.new(clean_params)
+    authorize!(ticket, :create?)
 
     # check if article is given
     if !params[:article]
@@ -432,6 +433,7 @@ class TicketsController < ApplicationController
 
     # get attributes to update
     attributes_to_change = Ticket::ScreenOptions.attributes_to_change(
+      view:         'ticket_create',
       current_user: current_user,
     )
     render json: attributes_to_change

app/models/ticket/screen_options.rb

@@ -100,7 +100,11 @@ returns
 
     filter[:group_id] = []
     groups = if params[:current_user].permissions?('ticket.agent')
+               if params[:view] == 'ticket_create'
+                 params[:current_user].groups_access(%w[create])
+               else
                  params[:current_user].groups_access(%w[create change])
+               end
              else
                Group.where(active: true)
              end

app/policies/ticket_policy.rb

@@ -5,6 +5,7 @@ class TicketPolicy < ApplicationPolicy
   end
 
   def create?
+    ensure_group!
     access?('create')
   end
 
@@ -26,6 +27,12 @@ class TicketPolicy < ApplicationPolicy
     access?('full')
   end
 
+  def ensure_group!
+    return if record.group_id
+
+    raise Exceptions::UnprocessableEntity, "Group can't be blank"
+  end
+
   def follow_up?
     return true if user.permissions?('ticket.agent') # agents can always reopen tickets, regardless of group configuration
     return true if record.group.follow_up_possible != 'new_ticket' # check if the setting for follow_up_possible is disabled

spec/requests/ticket_spec.rb

@@ -5,12 +5,22 @@ RSpec.describe 'Ticket', type: :request do
   let!(:ticket_group) do
     create(:group, email_address: create(:email_address) )
   end
+  let!(:ticket_group_without_create) do
+    create(:group, email_address: create(:email_address) )
+  end
   let(:admin) do
     create(:admin, groups: Group.all, firstname: 'Tickets', lastname: 'Admin')
   end
   let!(:agent) do
     create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent')
   end
+  let!(:agent_change_only) do
+    user = create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent')
+    user.group_names_access_map = {
+      ticket_group_without_create.name => %w[read change],
+    }
+    user
+  end
   let!(:customer) do
     create(
       :customer,
@@ -58,6 +68,27 @@ RSpec.describe 'Ticket', type: :request do
       expect(json_response['error']).to eq('No lookup value found for \'group\': "not_existing"')
     end
 
+    it 'does ticket create with agent - valid group but no create permissions (01.02a)' do
+      params = {
+        title:       'a new ticket #1',
+        group:       ticket_group_without_create.name,
+        priority:    '2 normal',
+        state:       'new',
+        customer_id: customer.id,
+        article:     {
+          content_type: 'text/plain', # or text/html
+          body:         'some body',
+          sender:       'Customer',
+          type:         'note',
+        },
+      }
+      authenticated_as(agent_change_only)
+      post '/api/v1/tickets', params: params, as: :json
+      expect(response).to have_http_status(:unauthorized)
+      expect(json_response).to be_a_kind_of(Hash)
+      expect(json_response['error']).to eq('Not authorized')
+    end
+
     it 'does ticket create with agent - missing article.body (01.03)' do
       params = {
         title:       'a new ticket #3',