Fixes #2568 - Change-Right allows creation of new tickets.
parent
e7039d7046
commit
386ed0f4f8
4 changed files with 45 additions and 1 deletions
|
@ -143,6 +143,7 @@ class TicketsController < ApplicationController
|
|||
|
||||
clean_params = Ticket.param_cleanup(clean_params, true)
|
||||
ticket = Ticket.new(clean_params)
|
||||
authorize!(ticket, :create?)
|
||||
|
||||
# check if article is given
|
||||
if !params[:article]
|
||||
|
@ -432,6 +433,7 @@ class TicketsController < ApplicationController
|
|||
|
||||
# get attributes to update
|
||||
attributes_to_change = Ticket::ScreenOptions.attributes_to_change(
|
||||
view: 'ticket_create',
|
||||
current_user: current_user,
|
||||
)
|
||||
render json: attributes_to_change
|
||||
|
|
|
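Review bot: The new `authorize!(ticket, :create?)` call runs against the unsaved Ticket, so the policy's group check sees whatever group `param_cleanup` resolved from the request rather than a persisted record; that ordering is deliberate but not self-evident, and a later reader may be tempted to move it after the article check or after save. Suggest a one-line comment above the call: `# authorize the unsaved ticket so TicketPolicy#create? can check the requested group`. The enclosing create action starts and ends outside the hunk.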
@ -100,7 +100,11 @@ returns
|
|||
|
||||
filter[:group_id] = []
|
||||
groups = if params[:current_user].permissions?('ticket.agent')
|
||||
if params[:view] == 'ticket_create'
|
||||
params[:current_user].groups_access(%w[create])
|
||||
else
|
||||
params[:current_user].groups_access(%w[create change])
|
||||
end
|
||||
else
|
||||
Group.where(active: true)
|
||||
end
|
||||
|
|
|
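Review bot: The nested `if params[:view] == 'ticket_create'` inside the `groups = if` assignment repeats the `params[:current_user].groups_access(...)` call on both branches when only the access list differs; pulling that list into a local reads more directly: `access = params[:view] == 'ticket_create' ? %w[create] : %w[create change]` followed by `params[:current_user].groups_access(access)`. The non-agent branch (`Group.where(active: true)`) still ignores the view, which I take to be intended since group-level create rights only apply to agents here — worth a short comment if so. The enclosing method starts and ends outside the hunk.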
@ -5,6 +5,7 @@ class TicketPolicy < ApplicationPolicy
|
|||
end
|
||||
|
||||
def create?
|
||||
ensure_group!
|
||||
access?('create')
|
||||
end
|
||||
|
||||
|
@ -26,6 +27,12 @@ class TicketPolicy < ApplicationPolicy
|
|||
access?('full')
|
||||
end
|
||||
|
||||
def ensure_group!
|
||||
return if record.group_id
|
||||
|
||||
raise Exceptions::UnprocessableEntity, "Group can't be blank"
|
||||
end
|
||||
|
||||
def follow_up?
|
||||
return true if user.permissions?('ticket.agent') # agents can always reopen tickets, regardless of group configuration
|
||||
return true if record.group.follow_up_possible != 'new_ticket' # check if the setting for follow_up_possible is disabled
|
||||
|
|
|
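Review bot: `create?` now has two failure modes — `access?('create')` returning false, which the caller reports as "Not authorized", and `ensure_group!` raising `Exceptions::UnprocessableEntity`, which surfaces as a validation error instead; that is workable but should be stated on the policy, e.g. `# Raises Exceptions::UnprocessableEntity when the ticket has no group; group access cannot be decided without one.` above `ensure_group!`. `ensure_group!` is a helper rather than a policy query, so unless `ApplicationPolicy` already handles visibility it belongs under `private` — the hunk does not show the visibility section of the class. The same raise-from-predicate point applies to the `create?` hunk at the top of this section.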
@ -5,12 +5,22 @@ RSpec.describe 'Ticket', type: :request do
|
|||
let!(:ticket_group) do
|
||||
create(:group, email_address: create(:email_address) )
|
||||
end
|
||||
let!(:ticket_group_without_create) do
|
||||
create(:group, email_address: create(:email_address) )
|
||||
end
|
||||
let(:admin) do
|
||||
create(:admin, groups: Group.all, firstname: 'Tickets', lastname: 'Admin')
|
||||
end
|
||||
let!(:agent) do
|
||||
create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent')
|
||||
end
|
||||
let!(:agent_change_only) do
|
||||
user = create(:agent, groups: Group.all, firstname: 'Tickets', lastname: 'Agent')
|
||||
user.group_names_access_map = {
|
||||
ticket_group_without_create.name => %w[read change],
|
||||
}
|
||||
user
|
||||
end
|
||||
let!(:customer) do
|
||||
create(
|
||||
:customer,
|
||||
|
@ -58,6 +68,27 @@ RSpec.describe 'Ticket', type: :request do
|
|||
expect(json_response['error']).to eq('No lookup value found for \'group\': "not_existing"')
|
||||
end
|
||||
|
||||
it 'does ticket create with agent - valid group but no create permissions (01.02a)' do
|
||||
params = {
|
||||
title: 'a new ticket #1',
|
||||
group: ticket_group_without_create.name,
|
||||
priority: '2 normal',
|
||||
state: 'new',
|
||||
customer_id: customer.id,
|
||||
article: {
|
||||
content_type: 'text/plain', # or text/html
|
||||
body: 'some body',
|
||||
sender: 'Customer',
|
||||
type: 'note',
|
||||
},
|
||||
}
|
||||
authenticated_as(agent_change_only)
|
||||
post '/api/v1/tickets', params: params, as: :json
|
||||
expect(response).to have_http_status(:unauthorized)
|
||||
expect(json_response).to be_a_kind_of(Hash)
|
||||
expect(json_response['error']).to eq('Not authorized')
|
||||
end
|
||||
|
||||
it 'does ticket create with agent - missing article.body (01.03)' do
|
||||
params = {
|
||||
title: 'a new ticket #3',
|
||||
|
|
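Review bot: The new example (01.02a) covers an agent whose access to the group is only `read change`, but nothing exercises the other path the commit adds — `ensure_group!` raising when the ticket has no group — so a companion example posting without `group` and asserting the "Group can't be blank" error (presumably 422) would close that gap. Also, `agent_change_only` is created with `groups: Group.all` and then has `group_names_access_map` reassigned; whether that assignment replaces or merges the earlier full access is not visible here, and the example only proves the intended point if it replaces it — worth confirming against the model. Minor style: `be_a_kind_of(Hash)` can be `be_a(Hash)` to match the shorter form.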