Fixes #3615 - Mentions/Subscribe with read permissions.

2021-06-17 07:47:53 +00:00 · 2021-06-17 07:47:53 +00:00 · bc898f7bea
commit bc898f7bea
parent c7ea22abf2
2 changed files with 25 additions and 1 deletions
--- a/app/controllers/mentions_controller.rb
+++ b/app/controllers/mentions_controller.rb
@ -63,7 +63,7 @@ class MentionsController < ApplicationController
    ensure_mentionable_type!

    object = params[:mentionable_type].constantize.find(params[:mentionable_id])
-    authorize!(object, :update?)
+    authorize!(object, :agent_read_access?)
    object
  end

--- a/spec/requests/mention_spec.rb
+++ b/spec/requests/mention_spec.rb
@ -56,6 +56,18 @@ RSpec.describe 'Mention', type: :request, authenticated_as: -> { user } do
    it 'updates mention count' do
      expect { post '/api/v1/mentions', params: params, as: :json }.to change(Mention, :count).from(0).to(1)
    end
+
+    describe 'when agent with read permissions' do
+      before do
+        user.group_names_access_map = {
+          ticket1.group.name => 'read',
+        }
+      end
+
+      it 'updates mention count of read only agent' do
+        expect { post '/api/v1/mentions', params: params, as: :json }.to change(Mention, :count).from(0).to(1)
+      end
+    end
  end

  describe 'DELETE /api/v1/mentions/:id' do
@ -70,5 +82,17 @@ RSpec.describe 'Mention', type: :request, authenticated_as: -> { user } do
    it 'clears mention count' do
      expect { delete "/api/v1/mentions/#{mention.id}", params: {}, as: :json }.to change(Mention, :count).from(1).to(0)
    end
+
+    describe 'when agent with read permissions' do
+      before do
+        user.group_names_access_map = {
+          ticket1.group.name => 'read',
+        }
+      end
+
+      it 'clears mention count for read only agent' do
+        expect { delete "/api/v1/mentions/#{mention.id}", params: {}, as: :json }.to change(Mention, :count).from(1).to(0)
+      end
+    end
  end
 end