From 7fd539359db7ffe76b01c08eaf107777901c233f Mon Sep 17 00:00:00 2001 From: Mantas Date: Thu, 17 May 2018 18:20:17 +0300 Subject: [PATCH] Fixes #1339 deny ticket creation over web
---
.../controllers/customer_ticket_create.coffee | 8 ++- .../app/controllers/navigation.coffee | 55 +++++++++-------- test/browser/customer_ticket_create_test.rb | 60 +++++++++++++++++++ 3 files changed, 94 insertions(+), 29 deletions(-)
diff --git a/app/assets/javascripts/app/controllers/customer_ticket_create.coffee b/app/assets/javascripts/app/controllers/customer_ticket_create.coffee
index 559c9da9a..d3ab6240d 100644
--- a/app/assets/javascripts/app/controllers/customer_ticket_create.coffee
+++ b/app/assets/javascripts/app/controllers/customer_ticket_create.coffee
@@ -21,6 +21,12 @@ class Index extends App.ControllerContent @bindId = App.TicketCreateCollection.one(load) render: (template = {}) -> + if !@Config.get('customer_ticket_create') + @renderScreenError( + detail: 'Your role cannot create new ticket. Please contact your administrator.' + objectName: 'Ticket' + ) + return # set defaults defaults = template['options'] || {}
@@ -190,4 +196,4 @@ class Index extends App.ControllerContent ) App.Config.set('customer_ticket_new', Index, 'Routes')
-App.Config.set('CustomerTicketNew', { prio: 8003, parent: '#new', name: 'New Ticket', translate: true, target: '#customer_ticket_new', permission: ['ticket.customer'], divider: true }, 'NavBarRight')
+App.Config.set('CustomerTicketNew', { prio: 8003, parent: '#new', name: 'New Ticket', translate: true, target: '#customer_ticket_new', permission: ['ticket.customer'], setting: ['customer_ticket_create'], divider: true }, 'NavBarRight')
diff --git a/app/assets/javascripts/app/controllers/navigation.coffee b/app/assets/javascripts/app/controllers/navigation.coffee
index 171551886..55ad1234c 100644
--- a/app/assets/javascripts/app/controllers/navigation.coffee
+++ b/app/assets/javascripts/app/controllers/navigation.coffee
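Review bot: The `customer_ticket_create` guard at the top of `render` is enforced only in the browser, and the `setting: ['customer_ticket_create']` key added to the `NavBarRight` entry in the next hunk only hides the menu link; nothing in this commit makes the ticket create request itself fail when the setting is off, so unless the server-side create path already checks this setting, the deny is cosmetic and needs to be enforced there as well, with this client check kept for the user-facing message. The guard does fail closed, since `!@Config.get(...)` also denies while the setting is unset or not yet loaded, which is worth stating: `# fail closed: an unset or unloaded setting also denies`. The detail text would read better as `detail: 'Your role is not allowed to create new tickets. Please contact your administrator.'`. The rest of `render` continues outside the hunk.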
@@ -305,6 +305,31 @@ class App.Navigation extends App.ControllerWidgetPermanent @searchContainer.toggleClass('filled', !!@query) @globalSearch.search(query: @query) + filterNavbar: (values, user, parent = null) -> + return _.filter values, (item) => + if typeof item.callback is 'function' + data = item.callback() || {} + for key, value of data + item[key] = value + + if !parent? && !item.parent || item.parent is parent + return @filterNavbarPermissionOk(item, user) && + @filterNavbarSettingOk(item) + else + return false + + filterNavbarPermissionOk: (item, user) -> + return true unless item.permission + + return _.any item.permission, (permissionName) -> + return user && user.permission(permissionName) + + filterNavbarSettingOk: (item) -> + return true unless item.setting + + return _.any item.setting, (settingName) => + return @Config.get(settingName) + getItems: (data) -> navbar = _.values(data.navbar) 
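Review bot: `filterNavbar` re-runs every item's `callback()` and merges its result into the shared item object on each call, and `getItems` in the next hunk calls it once for the top level and once more per distinct parent, so callbacks that used to run once per render now run once per top-level pass plus once per dropdown; the four-line `if typeof item.callback is 'function'` merge block should be dropped from `filterNavbar` and run as a single loop over `navbar` in `getItems` before the `level1 = @filterNavbar(navbar, user)` call, leaving `filterNavbar` a pure predicate. `filterNavbarSettingOk` combines with `_.any`, so an item listing several settings is shown when any one of them is on; if the intent is that every listed setting must be enabled, `_.every` is the right combinator (with a single setting the two are equivalent). It also relies on the truthiness of whatever `@Config.get` returns, which is correct for a boolean value but would not deny a setting stored as the string `'false'` — presumably not how settings are stored here, but worth confirming.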
@@ -315,38 +340,12 @@ class App.Navigation extends App.ControllerWidgetPermanent if App.Session.get('id') user = App.User.find(App.Session.get('id')) - for item in navbar - if typeof item.callback is 'function' - data = item.callback() || {} - for key, value of data - item[key] = value - if !item.parent - match = true - if item.permission - match = false - for permissionName in item.permission - if !match && user && user.permission(permissionName) - match = true - if match - level1.push item + level1 = @filterNavbar(navbar, user) for item in navbar if item.parent && !dropdown[ item.parent ] - dropdown[ item.parent ] = [] + dropdown[ item.parent ] = @filterNavbar(navbar, user, item.parent) - # find all childs and order - for itemSub in navbar - if itemSub.parent is item.parent - match = true - if itemSub.permission - match = false - for permissionName in itemSub.permission - if !match && user && user.permission(permissionName) - match = true - if match - dropdown[ item.parent ].push itemSub - - # find parent for itemLevel1 in level1 if itemLevel1.target is item.parent sub = @getOrder(dropdown[ item.parent ])
diff --git a/test/browser/customer_ticket_create_test.rb b/test/browser/customer_ticket_create_test.rb
index 980cf5048..784cb0341 100644
--- a/test/browser/customer_ticket_create_test.rb
+++ b/test/browser/customer_ticket_create_test.rb
@@ -213,4 +213,64 @@ class CustomerTicketCreateTest < TestCase ) end + def test_customer_disable_ticket_creation + @browser = browser_instance + + # disable ticket creation + login( + username: 'master@example.com', + password: 'test', + url: browser_url, + ) + + click(css: 'a[href="#manage"]') + click(css: 'a[href="#channels/web"]') + + @browser.find_element(css: 'select[name=customer_ticket_create]').find_element(css: 'option[value=false]').click + click(css: '#customer_ticket_create .btn') + + sleep(1) + + logout() + + # check if new ticket button is not visible + + login( + username: 'nicole.braun@zammad.org', + password: 'test', + url: browser_url, + ) + + assert(exists_not(css: 'a[href="#customer_ticket_new"]')) + + logout() + + # enable ticket creation + + login( + username: 'master@example.com', + password: 'test', + url: browser_url, + ) + + click(css: 'a[href="#manage"]') + click(css: 'a[href="#channels/web"]') + + @browser.find_element(css: 'select[name=customer_ticket_create]').find_element(css: 'option[value=true]').click + click(css: '#customer_ticket_create .btn') + + sleep(1) + + logout() + + # check if new ticket button is visible + + login( + username: 'nicole.braun@zammad.org', + password: 'test', + url: browser_url, + ) + + assert(exists(css: 'a[href="#customer_ticket_new"]')) + end end
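Review bot: `test_customer_disable_ticket_creation` re-enables `customer_ticket_create` only on the success path; if the `exists_not` assertion fails, the setting stays disabled and every later browser test that creates tickets as a customer fails with it, so the re-enable steps belong in an `ensure` block (or a teardown) rather than inline after the assertion. The test also only checks that the `a[href="#customer_ticket_new"]` link is hidden, so the new `render` guard is not exercised; opening the `#customer_ticket_new` route directly while the setting is off and asserting the error screen would cover it, and if the suite has API-level tests, one asserting that a customer's create request is rejected would cover the server side, which this commit does not touch. The two `sleep(1)` waits after saving the setting are a timing guess; waiting for a visible confirmation of the save would be less flaky.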