Maintenance: Improved test coverage of link requests.

This commit is contained in:
Thorsten Eckel 2021-04-27 10:17:15 +02:00
parent b49046c597
commit 4f6aed1856
7 changed files with 113 additions and 3 deletions

View file

@ -285,6 +285,7 @@ RSpec/ExampleLength:
- 'spec/requests/integration/twilio_sms_spec.rb' - 'spec/requests/integration/twilio_sms_spec.rb'
- 'spec/requests/integration/user_device_spec.rb' - 'spec/requests/integration/user_device_spec.rb'
- 'spec/requests/knowledge_base/answer_attachments_cloning_spec.rb' - 'spec/requests/knowledge_base/answer_attachments_cloning_spec.rb'
- 'spec/requests/links_spec.rb'
- 'spec/requests/long_polling_spec.rb' - 'spec/requests/long_polling_spec.rb'
- 'spec/requests/o_auth_spec.rb' - 'spec/requests/o_auth_spec.rb'
- 'spec/requests/organization_spec.rb' - 'spec/requests/organization_spec.rb'
@ -567,6 +568,7 @@ RSpec/MultipleExpectations:
- 'spec/requests/integration/telegram_spec.rb' - 'spec/requests/integration/telegram_spec.rb'
- 'spec/requests/integration/twilio_sms_spec.rb' - 'spec/requests/integration/twilio_sms_spec.rb'
- 'spec/requests/integration/user_device_spec.rb' - 'spec/requests/integration/user_device_spec.rb'
- 'spec/requests/links_spec.rb'
- 'spec/requests/long_polling_spec.rb' - 'spec/requests/long_polling_spec.rb'
- 'spec/requests/o_auth_spec.rb' - 'spec/requests/o_auth_spec.rb'
- 'spec/requests/organization_spec.rb' - 'spec/requests/organization_spec.rb'
@ -610,6 +612,7 @@ RSpec/NamedSubject:
RSpec/NestedGroups: RSpec/NestedGroups:
Exclude: Exclude:
- 'app/models/user/avatar.rb'
- 'spec/lib/secure_mailing/smime_spec.rb' - 'spec/lib/secure_mailing/smime_spec.rb'
- 'spec/models/channel/driver/twitter_spec.rb' - 'spec/models/channel/driver/twitter_spec.rb'
- 'spec/models/channel/email_parser_spec.rb' - 'spec/models/channel/email_parser_spec.rb'
@ -618,6 +621,7 @@ RSpec/NestedGroups:
- 'spec/models/trigger_spec.rb' - 'spec/models/trigger_spec.rb'
- 'spec/models/user/has_ticket_create_screen_impact_examples.rb' - 'spec/models/user/has_ticket_create_screen_impact_examples.rb'
- 'spec/models/user_spec.rb' - 'spec/models/user_spec.rb'
- 'spec/requests/links_spec.rb'
- 'spec/system/ticket/create_spec.rb' - 'spec/system/ticket/create_spec.rb'
RSpec/RepeatedDescription: RSpec/RepeatedDescription:

View file

@ -8,6 +8,7 @@ class LinksController < ApplicationController
links = Link.list( links = Link.list(
link_object: params[:link_object], link_object: params[:link_object],
link_object_value: params[:link_object_value], link_object_value: params[:link_object_value],
user: current_user,
) )
linked_objects = links linked_objects = links

View file

@ -703,6 +703,7 @@ class TicketsController < ApplicationController
links = Link.list( links = Link.list(
link_object: 'Ticket', link_object: 'Ticket',
link_object_value: ticket.id, link_object_value: ticket.id,
user: current_user,
) )
assets = Link.reduce_assets(assets, links) assets = Link.reduce_assets(assets, links)

View file

@ -53,7 +53,11 @@ class Link < ApplicationModel
items.push link items.push link
end end
items return items if data[:user].blank?
items.select do |item|
authorized_item?(data[:user], item)
end
end end
=begin =begin
@ -272,4 +276,18 @@ class Link < ApplicationModel
', object1_id, object2_id, object1_value, object2_value, object1_id, object2_id, object1_value, object2_value) ', object1_id, object2_id, object1_value, object2_value, object1_id, object2_id, object1_value, object2_value)
end end
def self.authorized_item?(user, item)
record = item['link_object'].constantize.lookup(id: item['link_object_value'])
# non-ID records are not checked for authorization
return true if record.blank?
Pundit.authorize(user, record, :show?).present?
rescue Pundit::NotAuthorizedError
false
rescue NameError, Pundit::NotDefinedError
# NameError: no Model means no authorization check possible
# Pundit::NotDefinedError: no Policy means no authorization check necessary
true
end
end end

View file

@ -4,8 +4,8 @@ FactoryBot.define do
factory :link do factory :link do
transient do transient do
link_type { 'normal' } link_type { 'normal' }
link_object_source { 'Ticket' } link_object_source { from.class.name }
link_object_target { 'Ticket' } link_object_target { to.class.name }
from { Ticket.first } from { Ticket.first }
to { Ticket.last } to { Ticket.last }
end end

View file

@ -0,0 +1,49 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
require 'rails_helper'
RSpec.describe 'Link', type: :request do
describe 'GET /api/v1/links' do
context 'when requesting links of Ticket', authenticated_as: -> { agent } do
subject!(:ticket) { create(:ticket) }
let(:agent) { create(:agent, groups: [ticket.group]) }
let(:params) do
{
link_object: ticket.class.name,
link_object_value: ticket.id,
}
end
let(:linked) { create(:ticket, group: ticket.group) }
before do
create(:link, from: ticket, to: linked)
get '/api/v1/links', params: params, as: :json
end
it 'is present in response' do
expect(response).to have_http_status(:ok)
expect(json_response['links']).to eq([
{
'link_type' => 'normal',
'link_object' => 'Ticket',
'link_object_value' => linked.id
}
])
end
context 'without permission to linked Ticket Group' do
let(:linked) { create(:ticket) }
it 'is not present in response' do
expect(response).to have_http_status(:ok)
expect(json_response['links']).to be_blank
end
end
end
end
end

View file

@ -2339,6 +2339,43 @@ RSpec.describe 'Ticket', type: :request do
end end
end end
describe 'GET /api/v1/tickets/:id' do
subject!(:ticket) { create(:ticket) }
let(:agent) { create(:agent, groups: [ticket.group]) }
context 'links present', authenticated_as: -> { agent } do
before do
create(:link, from: ticket, to: linked)
get "/api/v1/tickets/#{ticket.id}", params: { all: 'true' }, as: :json
end
let(:linked) { create(:ticket, group: ticket.group) }
it 'is present in response' do
expect(response).to have_http_status(:ok)
expect(json_response['links']).to eq([
{
'link_type' => 'normal',
'link_object' => 'Ticket',
'link_object_value' => linked.id
}
])
end
context 'no permission to linked Ticket Group' do
let(:linked) { create(:ticket) }
it 'is not present in response' do
expect(response).to have_http_status(:ok)
expect(json_response['links']).to be_blank
end
end
end
end
describe 'GET /api/v1/ticket_customer' do describe 'GET /api/v1/ticket_customer' do
subject(:ticket) { create(:ticket, customer: customer_authorized) } subject(:ticket) { create(:ticket, customer: customer_authorized) }