From 6e56aee25439b7a3211a6704a9d60453ad623ae4 Mon Sep 17 00:00:00 2001 From: Rolf Schmidt Date: Tue, 5 May 2020 10:50:03 +0200 Subject: [PATCH] Enhancement: Added authorization checks for ticket controller actions: ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split. --- app/controllers/tickets_controller.rb | 2 +- .../controllers/tickets_controller_policy.rb | 1 + spec/requests/ticket_spec.rb | 42 ++++++++++++++++++- 3 files changed, 43 insertions(+), 2 deletions(-) diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb index d7e02f84b..60edd6fc9 100644 --- a/app/controllers/tickets_controller.rb +++ b/app/controllers/tickets_controller.rb @@ -6,7 +6,7 @@ class TicketsController < ApplicationController include ChecksUserAttributesByCurrentUserPermission include TicketStats - prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start] + prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split] prepend_before_action :authentication_check # GET /api/v1/tickets diff --git a/app/policies/controllers/tickets_controller_policy.rb b/app/policies/controllers/tickets_controller_policy.rb index 2aadda786..b7d5ca676 100644 --- a/app/policies/controllers/tickets_controller_policy.rb +++ b/app/policies/controllers/tickets_controller_policy.rb @@ -1,5 +1,6 @@ class Controllers::TicketsControllerPolicy < Controllers::ApplicationControllerPolicy permit! %i[import_example import_start], to: 'admin' permit! :selector, to: 'admin.*' + permit! %i[ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split], to: 'ticket.agent' permit! :create, to: ['ticket.agent', 'ticket.customer'] end diff --git a/spec/requests/ticket_spec.rb b/spec/requests/ticket_spec.rb index e2cc32b51..7e7169675 100644 --- a/spec/requests/ticket_spec.rb +++ b/spec/requests/ticket_spec.rb @@ -1793,6 +1793,10 @@ RSpec.describe 'Ticket', type: :request do created_by_id: 1, ) + authenticated_as(customer_user) + get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json + expect(response).to have_http_status(:unauthorized) + authenticated_as(agent_user) get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json expect(response).to have_http_status(:ok) @@ -1918,6 +1922,10 @@ RSpec.describe 'Ticket', type: :request do customer_id: customer_user.id, ) + authenticated_as(customer_user) + get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json + expect(response).to have_http_status(:unauthorized) + authenticated_as(agent_user) get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json expect(response).to have_http_status(:ok) @@ -2068,7 +2076,39 @@ RSpec.describe 'Ticket', type: :request do expect(json_response['assets'].class).to eq(Hash) expect(json_response['assets']['User'][customer_user.id.to_s]).not_to be_nil expect(json_response['assets']['Ticket'][ticket1.id.to_s]).not_to be_nil + + authenticated_as(customer_user) + get "/api/v1/ticket_history/#{ticket1.id}", params: {}, as: :json + expect(response).to have_http_status(:unauthorized) end + + it 'does ticket related' do + ticket1 = create( + :ticket, + title: 'some title', + group: ticket_group, + customer_id: customer_user.id, + ) + + authenticated_as(agent_user) + get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json + expect(response).to have_http_status(:ok) + + authenticated_as(customer_user) + get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json + expect(response).to have_http_status(:unauthorized) + end + + it 'does ticket recent' do + authenticated_as(agent_user) + get '/api/v1/ticket_recent', params: {}, as: :json + expect(response).to have_http_status(:ok) + + authenticated_as(customer_user) + get '/api/v1/ticket_recent', params: {}, as: :json + expect(response).to have_http_status(:unauthorized) + end + end describe 'stats' do @@ -2213,7 +2253,7 @@ RSpec.describe 'Ticket', type: :request do end context 'as authorized customer', authenticated_as: -> { customer_authorized } do - include_examples 'has access' + include_examples 'has no access' end context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do