Enhancement: Reflect current_user in ticket_customer lookup.

.rubocop_todo.rspec.yml

@@ -14,7 +14,9 @@
 # Configuration parameters: CountComments, ExcludedMethods.
 # ExcludedMethods: refine
 Metrics/BlockLength:
-  Max: 1987
+  Max: 1653
+  Exclude:
+    - 'spec/requests/ticket_spec.rb'
 
 # Offense count: 16
 RSpec/AnyInstance:

app/controllers/tickets_controller.rb

@@ -284,8 +284,9 @@ class TicketsController < ApplicationController
 
     # return result
     result = Ticket::ScreenOptions.list_by_customer(
-      customer_id: params[:customer_id],
+      current_user: current_user,
-      limit:       15,
+      customer_id:  params[:customer_id],
+      limit:        15,
     )
     render json: result
   end

app/models/ticket/screen_options.rb

@@ -180,11 +180,16 @@ returns
     state_id_list_open   = Ticket::State.by_category(:open).pluck(:id)
     state_id_list_closed = Ticket::State.by_category(:closed).pluck(:id)
 
+    # open tickets by customer
+    access_condition = Ticket.access_condition(data[:current_user], 'read')
+
     # get tickets
     tickets_open = Ticket.where(
       customer_id: data[:customer_id],
       state_id:    state_id_list_open
-    ).limit(data[:limit] || 15).order(created_at: :desc)
+    )
+    .where(access_condition)
+    .limit(data[:limit] || 15).order(created_at: :desc)
     assets = {}
     ticket_ids_open = []
     tickets_open.each do |ticket|
@@ -195,7 +200,9 @@ returns
     tickets_closed = Ticket.where(
       customer_id: data[:customer_id],
       state_id:    state_id_list_closed
-    ).limit(data[:limit] || 15).order(created_at: :desc)
+    )
+    .where(access_condition)
+    .limit(data[:limit] || 15).order(created_at: :desc)
     ticket_ids_closed = []
     tickets_closed.each do |ticket|
       ticket_ids_closed.push ticket.id

spec/requests/ticket_spec.rb

@@ -2154,4 +2154,59 @@ RSpec.describe 'Ticket', type: :request do
       end
     end
   end
+
+  describe 'GET /api/v1/ticket_customer' do
+
+    subject(:ticket) { create(:ticket, customer: customer_authorized) }
+
+    let(:organization_authorized) { create(:organization) }
+    let(:customer_authorized) { create(:customer_user, organization: organization_authorized) }
+
+    let(:organization_unauthorized) { create(:organization) }
+    let(:customer_unauthorized) { create(:customer_user, organization: organization_unauthorized) }
+
+    let(:agent) { create(:agent_user, groups: [ticket.group]) }
+
+    describe 'listing information' do
+
+      before do
+        ticket
+      end
+
+      shared_examples 'has access' do
+        it 'succeeds' do
+          get '/api/v1/ticket_customer',
+              params: { customer_id: customer_authorized.id },
+              as:     :json
+
+          expect(json_response['ticket_ids_open']).to include(ticket.id)
+          expect(json_response['ticket_ids_closed']).to be_blank
+        end
+      end
+
+      shared_examples 'has no access' do
+        it 'fails' do
+          get '/api/v1/ticket_customer',
+              params: { customer_id: customer_authorized.id },
+              as:     :json
+
+          expect(json_response['ticket_ids_open']).to be_blank
+          expect(json_response['ticket_ids_closed']).to be_blank
+          expect(json_response['assets']).to be_blank
+        end
+      end
+
+      context 'as agent', authenticated_as: -> { agent } do
+        include_examples 'has access'
+      end
+
+      context 'as authorized customer', authenticated_as: -> { customer_authorized } do
+        include_examples 'has access'
+      end
+
+      context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do
+        include_examples 'has no access'
+      end
+    end
+  end
 end