Enhancement: Reflect current_user in ticket_customer lookup.

2020-02-13 12:53:09 +01:00 · 2020-02-13 12:53:09 +01:00 · b0c4c0cb3f
commit b0c4c0cb3f
parent 1cbb139476
4 changed files with 70 additions and 5 deletions
--- a/.rubocop_todo.rspec.yml
+++ b/.rubocop_todo.rspec.yml
@ -14,7 +14,9 @@
 # Configuration parameters: CountComments, ExcludedMethods.
 # ExcludedMethods: refine
 Metrics/BlockLength:
-  Max: 1987
+  Max: 1653
+  Exclude:
+    - 'spec/requests/ticket_spec.rb'

 # Offense count: 16
 RSpec/AnyInstance:
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@ -284,8 +284,9 @@ class TicketsController < ApplicationController

    # return result
    result = Ticket::ScreenOptions.list_by_customer(
-      customer_id: params[:customer_id],
-      limit:       15,
+      current_user: current_user,
+      customer_id:  params[:customer_id],
+      limit:        15,
    )
    render json: result
  end
--- a/app/models/ticket/screen_options.rb
+++ b/app/models/ticket/screen_options.rb
@ -180,11 +180,16 @@ returns
    state_id_list_open   = Ticket::State.by_category(:open).pluck(:id)
    state_id_list_closed = Ticket::State.by_category(:closed).pluck(:id)

+    # open tickets by customer
+    access_condition = Ticket.access_condition(data[:current_user], 'read')
+
    # get tickets
    tickets_open = Ticket.where(
      customer_id: data[:customer_id],
      state_id:    state_id_list_open
-    ).limit(data[:limit] || 15).order(created_at: :desc)
+    )
+    .where(access_condition)
+    .limit(data[:limit] || 15).order(created_at: :desc)
    assets = {}
    ticket_ids_open = []
    tickets_open.each do |ticket|
@ -195,7 +200,9 @@ returns
    tickets_closed = Ticket.where(
      customer_id: data[:customer_id],
      state_id:    state_id_list_closed
-    ).limit(data[:limit] || 15).order(created_at: :desc)
+    )
+    .where(access_condition)
+    .limit(data[:limit] || 15).order(created_at: :desc)
    ticket_ids_closed = []
    tickets_closed.each do |ticket|
      ticket_ids_closed.push ticket.id
--- a/spec/requests/ticket_spec.rb
+++ b/spec/requests/ticket_spec.rb
@ -2154,4 +2154,59 @@ RSpec.describe 'Ticket', type: :request do
      end
    end
  end
+
+  describe 'GET /api/v1/ticket_customer' do
+
+    subject(:ticket) { create(:ticket, customer: customer_authorized) }
+
+    let(:organization_authorized) { create(:organization) }
+    let(:customer_authorized) { create(:customer_user, organization: organization_authorized) }
+
+    let(:organization_unauthorized) { create(:organization) }
+    let(:customer_unauthorized) { create(:customer_user, organization: organization_unauthorized) }
+
+    let(:agent) { create(:agent_user, groups: [ticket.group]) }
+
+    describe 'listing information' do
+
+      before do
+        ticket
+      end
+
+      shared_examples 'has access' do
+        it 'succeeds' do
+          get '/api/v1/ticket_customer',
+              params: { customer_id: customer_authorized.id },
+              as:     :json
+
+          expect(json_response['ticket_ids_open']).to include(ticket.id)
+          expect(json_response['ticket_ids_closed']).to be_blank
+        end
+      end
+
+      shared_examples 'has no access' do
+        it 'fails' do
+          get '/api/v1/ticket_customer',
+              params: { customer_id: customer_authorized.id },
+              as:     :json
+
+          expect(json_response['ticket_ids_open']).to be_blank
+          expect(json_response['ticket_ids_closed']).to be_blank
+          expect(json_response['assets']).to be_blank
+        end
+      end
+
+      context 'as agent', authenticated_as: -> { agent } do
+        include_examples 'has access'
+      end
+
+      context 'as authorized customer', authenticated_as: -> { customer_authorized } do
+        include_examples 'has access'
+      end
+
+      context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do
+        include_examples 'has no access'
+      end
+    end
+  end
 end