Enhancement: Added authorization checks for ticket controller actions: ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split.

app/controllers/tickets_controller.rb

@@ -6,7 +6,7 @@ class TicketsController < ApplicationController
   include ChecksUserAttributesByCurrentUserPermission
   include TicketStats
 
-  prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start]
+  prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split]
   prepend_before_action :authentication_check
 
   # GET /api/v1/tickets

app/policies/controllers/tickets_controller_policy.rb

@@ -1,5 +1,6 @@
 class Controllers::TicketsControllerPolicy < Controllers::ApplicationControllerPolicy
   permit! %i[import_example import_start], to: 'admin'
   permit! :selector, to: 'admin.*'
+  permit! %i[ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split], to: 'ticket.agent'
   permit! :create, to: ['ticket.agent', 'ticket.customer']
 end

spec/requests/ticket_spec.rb

@@ -1793,6 +1793,10 @@ RSpec.describe 'Ticket', type: :request do
         created_by_id: 1,
       )
 
+      authenticated_as(customer_user)
+      get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json
+      expect(response).to have_http_status(:unauthorized)
+
       authenticated_as(agent_user)
       get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json
       expect(response).to have_http_status(:ok)
@@ -1918,6 +1922,10 @@ RSpec.describe 'Ticket', type: :request do
         customer_id: customer_user.id,
       )
 
+      authenticated_as(customer_user)
+      get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json
+      expect(response).to have_http_status(:unauthorized)
+
       authenticated_as(agent_user)
       get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json
       expect(response).to have_http_status(:ok)
@@ -2068,7 +2076,39 @@ RSpec.describe 'Ticket', type: :request do
       expect(json_response['assets'].class).to eq(Hash)
       expect(json_response['assets']['User'][customer_user.id.to_s]).not_to be_nil
       expect(json_response['assets']['Ticket'][ticket1.id.to_s]).not_to be_nil
+
+      authenticated_as(customer_user)
+      get "/api/v1/ticket_history/#{ticket1.id}", params: {}, as: :json
+      expect(response).to have_http_status(:unauthorized)
     end
+
+    it 'does ticket related' do
+      ticket1 = create(
+        :ticket,
+        title:       'some title',
+        group:       ticket_group,
+        customer_id: customer_user.id,
+      )
+
+      authenticated_as(agent_user)
+      get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json
+      expect(response).to have_http_status(:ok)
+
+      authenticated_as(customer_user)
+      get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'does ticket recent' do
+      authenticated_as(agent_user)
+      get '/api/v1/ticket_recent', params: {}, as: :json
+      expect(response).to have_http_status(:ok)
+
+      authenticated_as(customer_user)
+      get '/api/v1/ticket_recent', params: {}, as: :json
+      expect(response).to have_http_status(:unauthorized)
+    end
+
   end
 
   describe 'stats' do
@@ -2213,7 +2253,7 @@ RSpec.describe 'Ticket', type: :request do
       end
 
       context 'as authorized customer', authenticated_as: -> { customer_authorized } do
-        include_examples 'has access'
+        include_examples 'has no access'
       end
 
       context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do