Fixes #1339 deny ticket creation over web

Mantas 2018-05-17 18:20:17 +03:00
parent 8f708b75ea
commit 7fd539359d
3 changed files with 94 additions and 29 deletions


@ -21,6 +21,12 @@ class Index extends App.ControllerContent
@bindId = App.TicketCreateCollection.one(load) @bindId = App.TicketCreateCollection.one(load)
render: (template = {}) -> render: (template = {}) ->
if !@Config.get('customer_ticket_create')
@renderScreenError(
detail: 'Your role cannot create new ticket. Please contact your administrator.'
objectName: 'Ticket'
)
return
# set defaults # set defaults
defaults = template['options'] || {} defaults = template['options'] || {}
@ -190,4 +196,4 @@ class Index extends App.ControllerContent
) )
App.Config.set('customer_ticket_new', Index, 'Routes') App.Config.set('customer_ticket_new', Index, 'Routes')
App.Config.set('CustomerTicketNew', { prio: 8003, parent: '#new', name: 'New Ticket', translate: true, target: '#customer_ticket_new', permission: ['ticket.customer'], divider: true }, 'NavBarRight') App.Config.set('CustomerTicketNew', { prio: 8003, parent: '#new', name: 'New Ticket', translate: true, target: '#customer_ticket_new', permission: ['ticket.customer'], setting: ['customer_ticket_create'], divider: true }, 'NavBarRight')
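Review bot: The `customer_ticket_create` guard added at the top of `render` and the `setting: ['customer_ticket_create']` entry on the navbar item both run in the browser, so they hide the form rather than deny creation. None of the three files shown on this page looks server-side, so unless the ticket-create endpoint already rejects customers when the setting is off (not visible here), a customer session could still submit a ticket to the API directly. The same setting should be enforced on the server and covered by a controller-level test. The error text also blames the role although the block comes from a setting; something like `detail: 'Creating new tickets via web is disabled. Please contact your administrator.'` would be more accurate. `render` continues outside the hunk.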


@ -305,6 +305,31 @@ class App.Navigation extends App.ControllerWidgetPermanent
@searchContainer.toggleClass('filled', !!@query) @searchContainer.toggleClass('filled', !!@query)
@globalSearch.search(query: @query) @globalSearch.search(query: @query)
filterNavbar: (values, user, parent = null) ->
return _.filter values, (item) =>
if typeof item.callback is 'function'
data = item.callback() || {}
for key, value of data
item[key] = value
if !parent? && !item.parent || item.parent is parent
return @filterNavbarPermissionOk(item, user) &&
@filterNavbarSettingOk(item)
else
return false
filterNavbarPermissionOk: (item, user) ->
return true unless item.permission
return _.any item.permission, (permissionName) ->
return user && user.permission(permissionName)
filterNavbarSettingOk: (item) ->
return true unless item.setting
return _.any item.setting, (settingName) =>
return @Config.get(settingName)
getItems: (data) -> getItems: (data) ->
navbar = _.values(data.navbar) navbar = _.values(data.navbar)
@ -315,38 +340,12 @@ class App.Navigation extends App.ControllerWidgetPermanent
if App.Session.get('id') if App.Session.get('id')
user = App.User.find(App.Session.get('id')) user = App.User.find(App.Session.get('id'))
for item in navbar level1 = @filterNavbar(navbar, user)
if typeof item.callback is 'function'
data = item.callback() || {}
for key, value of data
item[key] = value
if !item.parent
match = true
if item.permission
match = false
for permissionName in item.permission
if !match && user && user.permission(permissionName)
match = true
if match
level1.push item
for item in navbar for item in navbar
if item.parent && !dropdown[ item.parent ] if item.parent && !dropdown[ item.parent ]
dropdown[ item.parent ] = [] dropdown[ item.parent ] = @filterNavbar(navbar, user, item.parent)
# find all childs and order
for itemSub in navbar
if itemSub.parent is item.parent
match = true
if itemSub.permission
match = false
for permissionName in itemSub.permission
if !match && user && user.permission(permissionName)
match = true
if match
dropdown[ item.parent ].push itemSub
# find parent
for itemLevel1 in level1 for itemLevel1 in level1
if itemLevel1.target is item.parent if itemLevel1.target is item.parent
sub = @getOrder(dropdown[ item.parent ]) sub = @getOrder(dropdown[ item.parent ])
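Review bot: `filterNavbarSettingOk` uses `_.any`, so an item that lists several settings stays visible as soon as one of them is truthy, which fails open for a gate. If every listed setting is meant to be required, `return _.all item.setting, (settingName) => @Config.get(settingName)` is the safer default; if OR semantics are intended to mirror `filterNavbarPermissionOk`, a comment saying so would help. In `filterNavbar`, the condition `!parent? && !item.parent || item.parent is parent` relies on operator precedence and would read better as `(!parent? && !item.parent) || item.parent is parent`. These filters only decide what the navbar shows; they are not an access check.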


@ -213,4 +213,64 @@ class CustomerTicketCreateTest < TestCase
) )
end end
def test_customer_disable_ticket_creation
@browser = browser_instance
# disable ticket creation
login(
username: 'master@example.com',
password: 'test',
url: browser_url,
)
click(css: 'a[href="#manage"]')
click(css: 'a[href="#channels/web"]')
@browser.find_element(css: 'select[name=customer_ticket_create]').find_element(css: 'option[value=false]').click
click(css: '#customer_ticket_create .btn')
sleep(1)
logout()
# check if new ticket button is not visible
login(
username: 'nicole.braun@zammad.org',
password: 'test',
url: browser_url,
)
assert(exists_not(css: 'a[href="#customer_ticket_new"]'))
logout()
# enable ticket creation
login(
username: 'master@example.com',
password: 'test',
url: browser_url,
)
click(css: 'a[href="#manage"]')
click(css: 'a[href="#channels/web"]')
@browser.find_element(css: 'select[name=customer_ticket_create]').find_element(css: 'option[value=true]').click
click(css: '#customer_ticket_create .btn')
sleep(1)
logout()
# check if new ticket button is visible
login(
username: 'nicole.braun@zammad.org',
password: 'test',
url: browser_url,
)
assert(exists(css: 'a[href="#customer_ticket_new"]'))
end
end end
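Review bot: The test asserts only that the `a[href="#customer_ticket_new"]` link disappears; it never opens the `#customer_ticket_new` route directly while the setting is off, so the new `renderScreenError` guard in `render` is not exercised. Add a step after the `exists_not` assertion that navigates to that route as the customer and asserts the error screen is shown. The setting is re-enabled only on the happy path: if the hidden-link assertion fails, `customer_ticket_create` stays `false` for later tests, so the restore belongs in an `ensure` block or teardown. The fixed `sleep(1)` after saving is also a likely source of flakiness.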