From 5835e719c647eb9c3e8762174839a3d11d0f43ea Mon Sep 17 00:00:00 2001
From: Martin Edenhofer
Date: Wed, 14 Nov 2012 02:21:44 +0100
Subject: [PATCH] Added permission lookup.

---
 app/controllers/tickets_controller.rb | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb
index 4a263e408..ec7698a0a 100644
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -462,13 +462,23 @@ class TicketsController < ApplicationController
     query = params[:term]
     limit = params[:limit] || 15
 
+    conditions = []
+    if current_user.is_role('Agent')
+      group_ids = Group.select( 'groups.id' ).joins(:users).
+        where( 'groups_users.user_id = ?', current_user.id ).
+        where( 'groups.active = ?', true ).
+        map( &:id )
+      conditions = [ 'group_id IN (?)', group_ids ]
+    else
+      if !current_user.organization || !current_user.organization.shared
+        conditions = [ 'customer_id = ?', current_user.id ]
+      else
+        conditions = [ '( customer_id = ? OR organization_id = ? )', current_user.id, current_user.organization.shared ]
+      end
+    end
+
     # do query
-    tickets_all = Ticket.find(
-      :all,
-      :limit => limit,
-      :conditions => ['title LIKE ? OR number LIKE ?', "%#{query}%", "%#{query}%" ],
-      :order => 'created_at'
-    )
+    tickets_all = Ticket.where(conditions).where( '( title LIKE ? OR number LIKE ? )', "%#{query}%", "%#{query}%" ).limit(limit).order(:created_at)
 
     # build result list
     tickets = []
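Review bot: The shared-organization branch binds `current_user.organization.shared` as the value for `organization_id = ?`, but two lines earlier that same attribute is tested as a boolean flag, so the bind is almost certainly the wrong field and should be the organization's id: `conditions = [ '( customer_id = ? OR organization_id = ? )', current_user.id, current_user.organization.id ]`. As written, the comparison of an id column against a boolean is database-dependent (on MySQL `true` coerces to `1`, which would match organization 1's tickets for every user in a shared organization; elsewhere it may simply never match), so this is an access-control concern rather than a cosmetic one. The agent branch is fail-closed when the user belongs to no active group (`IN (?)` with an empty array yields no rows), and accounts that are neither agent nor customer fall through to the customer scope, which is the safe default. Note also that `limit` comes straight from `params[:limit]` with no upper bound, a pre-existing issue that the new `.limit(limit)` call preserves; a cap such as `limit = [ (params[:limit] || 15).to_i, 100 ].min` would be cheap to add here. The enclosing method starts and ends outside this hunk.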