From b0c4c0cb3fa913cc8b11b442775092507bf364d0 Mon Sep 17 00:00:00 2001
From: Thorsten Eckel <te@zammad.com>
Date: Thu, 13 Feb 2020 12:53:09 +0100
Subject: [PATCH] Enhancement: Reflect current_user in ticket_customer lookup.

---
 .rubocop_todo.rspec.yml               |  4 +-
 app/controllers/tickets_controller.rb |  5 ++-
 app/models/ticket/screen_options.rb   | 11 +++++-
 spec/requests/ticket_spec.rb          | 55 +++++++++++++++++++++++++++
 4 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/.rubocop_todo.rspec.yml b/.rubocop_todo.rspec.yml
index 5ebe0d2d0..638f35dd9 100644
--- a/.rubocop_todo.rspec.yml
+++ b/.rubocop_todo.rspec.yml
@@ -14,7 +14,9 @@
 # Configuration parameters: CountComments, ExcludedMethods.
 # ExcludedMethods: refine
 Metrics/BlockLength:
-  Max: 1987
+  Max: 1653
+  Exclude:
+    - 'spec/requests/ticket_spec.rb'
 
 # Offense count: 16
 RSpec/AnyInstance:
diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb
index b39092f7d..134c42613 100644
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -284,8 +284,9 @@ class TicketsController < ApplicationController
 
     # return result
     result = Ticket::ScreenOptions.list_by_customer(
-      customer_id: params[:customer_id],
-      limit:       15,
+      current_user: current_user,
+      customer_id:  params[:customer_id],
+      limit:        15,
     )
     render json: result
   end
diff --git a/app/models/ticket/screen_options.rb b/app/models/ticket/screen_options.rb
index 3e52f2a3a..5d901811a 100644
--- a/app/models/ticket/screen_options.rb
+++ b/app/models/ticket/screen_options.rb
@@ -180,11 +180,16 @@ returns
     state_id_list_open   = Ticket::State.by_category(:open).pluck(:id)
     state_id_list_closed = Ticket::State.by_category(:closed).pluck(:id)
 
+    # open tickets by customer
+    access_condition = Ticket.access_condition(data[:current_user], 'read')
+
     # get tickets
     tickets_open = Ticket.where(
       customer_id: data[:customer_id],
       state_id:    state_id_list_open
-    ).limit(data[:limit] || 15).order(created_at: :desc)
+    )
+    .where(access_condition)
+    .limit(data[:limit] || 15).order(created_at: :desc)
     assets = {}
     ticket_ids_open = []
     tickets_open.each do |ticket|
@@ -195,7 +200,9 @@ returns
     tickets_closed = Ticket.where(
       customer_id: data[:customer_id],
       state_id:    state_id_list_closed
-    ).limit(data[:limit] || 15).order(created_at: :desc)
+    )
+    .where(access_condition)
+    .limit(data[:limit] || 15).order(created_at: :desc)
     ticket_ids_closed = []
     tickets_closed.each do |ticket|
       ticket_ids_closed.push ticket.id
diff --git a/spec/requests/ticket_spec.rb b/spec/requests/ticket_spec.rb
index 146e38435..8b4628cb7 100644
--- a/spec/requests/ticket_spec.rb
+++ b/spec/requests/ticket_spec.rb
@@ -2154,4 +2154,59 @@ RSpec.describe 'Ticket', type: :request do
       end
     end
   end
+
+  describe 'GET /api/v1/ticket_customer' do
+
+    subject(:ticket) { create(:ticket, customer: customer_authorized) }
+
+    let(:organization_authorized) { create(:organization) }
+    let(:customer_authorized) { create(:customer_user, organization: organization_authorized) }
+
+    let(:organization_unauthorized) { create(:organization) }
+    let(:customer_unauthorized) { create(:customer_user, organization: organization_unauthorized) }
+
+    let(:agent) { create(:agent_user, groups: [ticket.group]) }
+
+    describe 'listing information' do
+
+      before do
+        ticket
+      end
+
+      shared_examples 'has access' do
+        it 'succeeds' do
+          get '/api/v1/ticket_customer',
+              params: { customer_id: customer_authorized.id },
+              as:     :json
+
+          expect(json_response['ticket_ids_open']).to include(ticket.id)
+          expect(json_response['ticket_ids_closed']).to be_blank
+        end
+      end
+
+      shared_examples 'has no access' do
+        it 'fails' do
+          get '/api/v1/ticket_customer',
+              params: { customer_id: customer_authorized.id },
+              as:     :json
+
+          expect(json_response['ticket_ids_open']).to be_blank
+          expect(json_response['ticket_ids_closed']).to be_blank
+          expect(json_response['assets']).to be_blank
+        end
+      end
+
+      context 'as agent', authenticated_as: -> { agent } do
+        include_examples 'has access'
+      end
+
+      context 'as authorized customer', authenticated_as: -> { customer_authorized } do
+        include_examples 'has access'
+      end
+
+      context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do
+        include_examples 'has no access'
+      end
+    end
+  end
 end