diff --git a/.rubocop_todo.rspec.yml b/.rubocop_todo.rspec.yml index 5ebe0d2d0..638f35dd9 100644 --- a/.rubocop_todo.rspec.yml +++ b/.rubocop_todo.rspec.yml @@ -14,7 +14,9 @@ # Configuration parameters: CountComments, ExcludedMethods. # ExcludedMethods: refine Metrics/BlockLength: - Max: 1987 + Max: 1653 + Exclude: + - 'spec/requests/ticket_spec.rb' # Offense count: 16 RSpec/AnyInstance: diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb index b39092f7d..134c42613 100644 --- a/app/controllers/tickets_controller.rb +++ b/app/controllers/tickets_controller.rb @@ -284,8 +284,9 @@ class TicketsController < ApplicationController # return result result = Ticket::ScreenOptions.list_by_customer( - customer_id: params[:customer_id], - limit: 15, + current_user: current_user, + customer_id: params[:customer_id], + limit: 15, ) render json: result end diff --git a/app/models/ticket/screen_options.rb b/app/models/ticket/screen_options.rb index 3e52f2a3a..5d901811a 100644 --- a/app/models/ticket/screen_options.rb +++ b/app/models/ticket/screen_options.rb @@ -180,11 +180,16 @@ returns state_id_list_open = Ticket::State.by_category(:open).pluck(:id) state_id_list_closed = Ticket::State.by_category(:closed).pluck(:id) + # open tickets by customer + access_condition = Ticket.access_condition(data[:current_user], 'read') + # get tickets tickets_open = Ticket.where( customer_id: data[:customer_id], state_id: state_id_list_open - ).limit(data[:limit] || 15).order(created_at: :desc) + ) + .where(access_condition) + .limit(data[:limit] || 15).order(created_at: :desc) assets = {} ticket_ids_open = [] tickets_open.each do |ticket| @@ -195,7 +200,9 @@ returns tickets_closed = Ticket.where( customer_id: data[:customer_id], state_id: state_id_list_closed - ).limit(data[:limit] || 15).order(created_at: :desc) + ) + .where(access_condition) + .limit(data[:limit] || 15).order(created_at: :desc) ticket_ids_closed = [] tickets_closed.each do |ticket| ticket_ids_closed.push ticket.id diff --git a/spec/requests/ticket_spec.rb b/spec/requests/ticket_spec.rb index 146e38435..8b4628cb7 100644 --- a/spec/requests/ticket_spec.rb +++ b/spec/requests/ticket_spec.rb @@ -2154,4 +2154,59 @@ RSpec.describe 'Ticket', type: :request do end end end + + describe 'GET /api/v1/ticket_customer' do + + subject(:ticket) { create(:ticket, customer: customer_authorized) } + + let(:organization_authorized) { create(:organization) } + let(:customer_authorized) { create(:customer_user, organization: organization_authorized) } + + let(:organization_unauthorized) { create(:organization) } + let(:customer_unauthorized) { create(:customer_user, organization: organization_unauthorized) } + + let(:agent) { create(:agent_user, groups: [ticket.group]) } + + describe 'listing information' do + + before do + ticket + end + + shared_examples 'has access' do + it 'succeeds' do + get '/api/v1/ticket_customer', + params: { customer_id: customer_authorized.id }, + as: :json + + expect(json_response['ticket_ids_open']).to include(ticket.id) + expect(json_response['ticket_ids_closed']).to be_blank + end + end + + shared_examples 'has no access' do + it 'fails' do + get '/api/v1/ticket_customer', + params: { customer_id: customer_authorized.id }, + as: :json + + expect(json_response['ticket_ids_open']).to be_blank + expect(json_response['ticket_ids_closed']).to be_blank + expect(json_response['assets']).to be_blank + end + end + + context 'as agent', authenticated_as: -> { agent } do + include_examples 'has access' + end + + context 'as authorized customer', authenticated_as: -> { customer_authorized } do + include_examples 'has access' + end + + context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do + include_examples 'has no access' + end + end + end end