Enhancement: Added authorization checks for the ticket controller actions ticket_customer, ticket_history, ticket_related, ticket_recent, ticket_merge and ticket_split.

Rolf Schmidt 2020-05-05 10:50:03 +02:00 committed by Thorsten Eckel
parent 4014839242
commit 6e56aee254
3 changed files with 43 additions and 2 deletions


@ -6,7 +6,7 @@ class TicketsController < ApplicationController
include ChecksUserAttributesByCurrentUserPermission include ChecksUserAttributesByCurrentUserPermission
include TicketStats include TicketStats
prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start] prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split]
prepend_before_action :authentication_check prepend_before_action :authentication_check
# GET /api/v1/tickets # GET /api/v1/tickets
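Review bot: The `only:` list on the `prepend_before_action -> { authorize! }` line now duplicates the action list kept in `Controllers::TicketsControllerPolicy`, and an action added to the policy but forgotten here silently runs with no policy check at all. Consider making policy enforcement the default, e.g. `prepend_before_action -> { authorize! }, except: %i[...]` naming only the actions that authorize per record inside their body, or at minimum add a comment above the line: `# Keep in sync with Controllers::TicketsControllerPolicy -- actions missing from this list are not policy-checked.` Assuming Rails' usual prepend semantics, the later `prepend_before_action :authentication_check` still runs first, so the lambda only ever sees an authenticated user; that is worth stating in the same comment. The TicketsController body continues outside this hunk, so which remaining actions rely on in-action authorization cannot be confirmed from here.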


@ -1,5 +1,6 @@
class Controllers::TicketsControllerPolicy < Controllers::ApplicationControllerPolicy class Controllers::TicketsControllerPolicy < Controllers::ApplicationControllerPolicy
permit! %i[import_example import_start], to: 'admin' permit! %i[import_example import_start], to: 'admin'
permit! :selector, to: 'admin.*' permit! :selector, to: 'admin.*'
permit! %i[ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split], to: 'ticket.agent'
permit! :create, to: ['ticket.agent', 'ticket.customer'] permit! :create, to: ['ticket.agent', 'ticket.customer']
end end
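Review bot: `permit! %i[ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split], to: 'ticket.agent'` checks only that the caller holds the agent permission; it says nothing about whether that agent may access the specific tickets named in the request (the two IDs in `ticket_merge`, the `ticket_id` in `ticket_split`, the ID in `ticket_history`/`ticket_related`). Unless each action body already performs a per-ticket access check, which is not visible on this page, an agent of one group could still read or merge tickets belonging to another group. A comment on the new line would make that boundary explicit: `# Permission-level gate only: per-ticket (group) access must still be enforced inside each action.` Separately, of the six actions listed, the spec hunks on this page add a customer-denied request for five; `ticket_customer` has no visible negative test.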


@ -1793,6 +1793,10 @@ RSpec.describe 'Ticket', type: :request do
created_by_id: 1, created_by_id: 1,
) )
authenticated_as(customer_user)
get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json
expect(response).to have_http_status(:unauthorized)
authenticated_as(agent_user) authenticated_as(agent_user)
get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json
expect(response).to have_http_status(:ok) expect(response).to have_http_status(:ok)
@ -1918,6 +1922,10 @@ RSpec.describe 'Ticket', type: :request do
customer_id: customer_user.id, customer_id: customer_user.id,
) )
authenticated_as(customer_user)
get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json
expect(response).to have_http_status(:unauthorized)
authenticated_as(agent_user) authenticated_as(agent_user)
get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json
expect(response).to have_http_status(:ok) expect(response).to have_http_status(:ok)
@ -2068,7 +2076,39 @@ RSpec.describe 'Ticket', type: :request do
expect(json_response['assets'].class).to eq(Hash) expect(json_response['assets'].class).to eq(Hash)
expect(json_response['assets']['User'][customer_user.id.to_s]).not_to be_nil expect(json_response['assets']['User'][customer_user.id.to_s]).not_to be_nil
expect(json_response['assets']['Ticket'][ticket1.id.to_s]).not_to be_nil expect(json_response['assets']['Ticket'][ticket1.id.to_s]).not_to be_nil
authenticated_as(customer_user)
get "/api/v1/ticket_history/#{ticket1.id}", params: {}, as: :json
expect(response).to have_http_status(:unauthorized)
end end
it 'does ticket related' do
ticket1 = create(
:ticket,
title: 'some title',
group: ticket_group,
customer_id: customer_user.id,
)
authenticated_as(agent_user)
get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json
expect(response).to have_http_status(:ok)
authenticated_as(customer_user)
get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json
expect(response).to have_http_status(:unauthorized)
end
it 'does ticket recent' do
authenticated_as(agent_user)
get '/api/v1/ticket_recent', params: {}, as: :json
expect(response).to have_http_status(:ok)
authenticated_as(customer_user)
get '/api/v1/ticket_recent', params: {}, as: :json
expect(response).to have_http_status(:unauthorized)
end
end end
describe 'stats' do describe 'stats' do
@ -2213,7 +2253,7 @@ RSpec.describe 'Ticket', type: :request do
end end
context 'as authorized customer', authenticated_as: -> { customer_authorized } do context 'as authorized customer', authenticated_as: -> { customer_authorized } do
include_examples 'has access' include_examples 'has no access'
end end
context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do