From bc898f7bea16f3bc43a4589d3ce2f4e70caaf1c6 Mon Sep 17 00:00:00 2001
From: Rolf Schmidt <rolf.schmidt@zammad.com>
Date: Thu, 17 Jun 2021 07:47:53 +0000
Subject: [PATCH] Fixes #3615 - Mentions/Subscribe with read permissions.

---
 app/controllers/mentions_controller.rb |  2 +-
 spec/requests/mention_spec.rb          | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/app/controllers/mentions_controller.rb b/app/controllers/mentions_controller.rb
index e3b67525d..e20e4f324 100644
--- a/app/controllers/mentions_controller.rb
+++ b/app/controllers/mentions_controller.rb
@@ -63,7 +63,7 @@ class MentionsController < ApplicationController
     ensure_mentionable_type!
 
     object = params[:mentionable_type].constantize.find(params[:mentionable_id])
-    authorize!(object, :update?)
+    authorize!(object, :agent_read_access?)
     object
   end
 
diff --git a/spec/requests/mention_spec.rb b/spec/requests/mention_spec.rb
index d330446b6..cd8a075cc 100644
--- a/spec/requests/mention_spec.rb
+++ b/spec/requests/mention_spec.rb
@@ -56,6 +56,18 @@ RSpec.describe 'Mention', type: :request, authenticated_as: -> { user } do
     it 'updates mention count' do
       expect { post '/api/v1/mentions', params: params, as: :json }.to change(Mention, :count).from(0).to(1)
     end
+
+    describe 'when agent with read permissions' do
+      before do
+        user.group_names_access_map = {
+          ticket1.group.name => 'read',
+        }
+      end
+
+      it 'updates mention count of read only agent' do
+        expect { post '/api/v1/mentions', params: params, as: :json }.to change(Mention, :count).from(0).to(1)
+      end
+    end
   end
 
   describe 'DELETE /api/v1/mentions/:id' do
@@ -70,5 +82,17 @@ RSpec.describe 'Mention', type: :request, authenticated_as: -> { user } do
     it 'clears mention count' do
       expect { delete "/api/v1/mentions/#{mention.id}", params: {}, as: :json }.to change(Mention, :count).from(1).to(0)
     end
+
+    describe 'when agent with read permissions' do
+      before do
+        user.group_names_access_map = {
+          ticket1.group.name => 'read',
+        }
+      end
+
+      it 'clears mention count for read only agent' do
+        expect { delete "/api/v1/mentions/#{mention.id}", params: {}, as: :json }.to change(Mention, :count).from(1).to(0)
+      end
+    end
   end
 end