Introduced REST expand=true/false/1/0, full=true/false/1/0 and all=true/false/1/0 options. Improved controller tests. @hanneshal

.gitlab-ci.yml

@@ -310,7 +310,8 @@ test:integration:es_mysql:
     - ruby -I test/ test/controllers/search_controller_test.rb
     - ruby -I test/ test/integration/report_test.rb
     - ruby -I test/ test/controllers/form_controller_test.rb
-    - ruby -I test/ test/controllers/user_organization_controller_test.rb
+    - ruby -I test/ test/controllers/user_controller_test.rb
+    - ruby -I test/ test/controllers/organization_controller_test.rb
     - rake db:drop
 
 test:integration:es_postgresql:
@@ -328,7 +329,8 @@ test:integration:es_postgresql:
     - ruby -I test/ test/controllers/search_controller_test.rb
     - ruby -I test/ test/integration/report_test.rb
     - ruby -I test/ test/controllers/form_controller_test.rb
-    - ruby -I test/ test/controllers/user_organization_controller_test.rb
+    - ruby -I test/ test/controllers/user_controller_test.rb
+    - ruby -I test/ test/controllers/organization_controller_test.rb
     - rake db:drop
 
 test:integration:zendesk_mysql:

app/assets/javascripts/app/controllers/users.coffee

@@ -145,7 +145,7 @@ class Index extends App.ControllerSubContent
         query: @query
         limit: 140
         role_ids: role_ids
-        full:  1
+        full:  true
       processData: true,
       success: (data, status, xhr) =>
         App.Collection.loadAssets(data.assets)
@@ -167,7 +167,7 @@ class Index extends App.ControllerSubContent
       data:
         limit: 50
         role_ids: role_ids
-        full: 1
+        full: true
       processData: true
       success: (data, status, xhr) =>
         App.Collection.loadAssets(data.assets)

app/controllers/application_controller.rb

@@ -10,6 +10,7 @@ class ApplicationController < ActionController::Base
   include ApplicationController::ChecksMaintainance
   include ApplicationController::RendersModels
   include ApplicationController::HasUser
+  include ApplicationController::HasResponseExtentions
   include ApplicationController::PreventsCsrf
   include ApplicationController::LogsHttpAccess
   include ApplicationController::ChecksAccess

app/controllers/application_controller/has_response_extentions.rb

@@ -0,0 +1,31 @@
+module ApplicationController::HasResponseExtentions
+  extend ActiveSupport::Concern
+
+  private
+
+  def response_expand?
+    return true if params[:expand] == true
+    return true if params[:expand] == 'true'
+    return true if params[:expand] == 1
+    return true if params[:expand] == '1'
+
+    false
+  end
+
+  def response_full?
+    return true if params[:full] == true
+    return true if params[:full] == 'true'
+    return true if params[:full] == 1
+    return true if params[:full] == '1'
+    false
+  end
+
+  def response_all?
+    return true if params[:all] == true
+    return true if params[:all] == 'true'
+    return true if params[:all] == 1
+    return true if params[:all] == '1'
+    false
+  end
+
+end

app/controllers/application_controller/renders_models.rb

@@ -18,11 +18,16 @@ module ApplicationController::RendersModels
     # set relations
     generic_object.associations_from_param(params)
 
-    if params[:expand]
+    if response_expand?
       render json: generic_object.attributes_with_association_names, status: :created
       return
     end
 
+    if response_full?
+      render json: generic_object.class.full(generic_object.id), status: :created
+      return
+    end
+
     model_create_render_item(generic_object)
   end
 
@@ -47,11 +52,16 @@ module ApplicationController::RendersModels
       generic_object.associations_from_param(params)
     end
 
-    if params[:expand]
+    if response_expand?
       render json: generic_object.attributes_with_association_names, status: :ok
       return
     end
 
+    if response_full?
+      render json: generic_object.class.full(generic_object.id), status: :ok
+      return
+    end
+
     model_update_render_item(generic_object)
   end
 
@@ -71,20 +81,18 @@ module ApplicationController::RendersModels
 
   def model_show_render(object, params)
 
-    if params[:expand]
+    if response_expand?
       generic_object = object.find(params[:id])
       render json: generic_object.attributes_with_association_names, status: :ok
       return
     end
 
-    if params[:full]
-      generic_object_full = object.full(params[:id])
-      render json: generic_object_full, status: :ok
+    if response_full?
+      render json: object.full(params[:id]), status: :ok
       return
     end
 
-    generic_object = object.find(params[:id])
-    model_show_render_item(generic_object)
+    model_show_render_item(object.find(params[:id]))
   end
 
   def model_show_render_item(generic_object)
@@ -109,7 +117,7 @@ module ApplicationController::RendersModels
                         object.all.order(id: 'ASC').offset(offset).limit(limit)
                       end
 
-    if params[:expand]
+    if response_expand?
       list = []
       generic_objects.each do |generic_object|
         list.push generic_object.attributes_with_association_names
@@ -118,7 +126,7 @@ module ApplicationController::RendersModels
       return
     end
 
-    if params[:full]
+    if response_full?
       assets = {}
       item_ids = []
       generic_objects.each do |item|

app/controllers/applications_controller.rb

@@ -5,7 +5,7 @@ class ApplicationsController < ApplicationController
 
   def index
     all = Doorkeeper::Application.all
-    if params[:full]
+    if response_full?
       assets = {}
       item_ids = []
       all.each do |item|

app/controllers/online_notifications_controller.rb

@@ -47,7 +47,7 @@ curl http://localhost/api/v1/online_notifications.json -v -u #{login}:#{password
 =end
 
   def index
-    if params[:full]
+    if response_full?
       render json: OnlineNotification.list_full(current_user, 200)
       return
     end
@@ -149,7 +149,7 @@ curl http://localhost/api/v1/online_notifications/mark_all_as_read -v -u #{login
     notifications = OnlineNotification.list(current_user, 200)
     notifications.each do |notification|
       if !notification['seen']
-        OnlineNotification.seen( id: notification['id'] )
+        OnlineNotification.seen(id: notification['id'])
       end
     end
     render json: {}, status: :ok

app/controllers/organizations_controller.rb

@@ -69,7 +69,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
       organizations = Organization.all.order(id: 'ASC').offset(offset).limit(per_page)
     end
 
-    if params[:expand]
+    if response_expand?
       list = []
       organizations.each do |organization|
         list.push organization.attributes_with_association_names
@@ -78,7 +78,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
       return
     end
 
-    if params[:full]
+    if response_full?
       assets = {}
       item_ids = []
       organizations.each do |item|
@@ -91,6 +91,7 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
       }, status: :ok
       return
     end
+
     list = []
     organizations.each do |organization|
       list.push organization.attributes_with_association_ids
@@ -126,15 +127,15 @@ curl http://localhost/api/v1/organizations/#{id} -v -u #{login}:#{password}
       raise Exceptions::NotAuthorized if params[:id].to_i != current_user.organization_id
     end
 
-    if params[:expand]
+    if response_expand?
       organization = Organization.find(params[:id]).attributes_with_association_names
       render json: organization, status: :ok
       return
     end
 
-    if params[:full]
+    if response_full?
       full = Organization.full(params[:id])
-      render json: full
+      render json: full, status: :ok
       return
     end
 
@@ -259,7 +260,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
       organization_all = organization_all[offset, params[:per_page].to_i] || []
     end
 
-    if params[:expand]
+    if response_expand?
       list = []
       organization_all.each do |organization|
         list.push organization.attributes_with_association_names
@@ -281,7 +282,7 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
       return
     end
 
-    if params[:full]
+    if response_full?
       organization_ids = []
       assets = {}
       organization_all.each do |organization|

app/controllers/slas_controller.rb

@@ -48,7 +48,7 @@ curl http://localhost/api/v1/slas.json -v -u #{login}:#{password}
 
   def index
 
-    if params[:full]
+    if response_full?
 
       # calendars
       assets = {}

app/controllers/ticket_articles_controller.rb

@@ -17,13 +17,13 @@ class TicketArticlesController < ApplicationController
     article = Ticket::Article.find(params[:id])
     access!(article, 'read')
 
-    if params[:expand]
+    if response_expand?
       result = article.attributes_with_association_names
       render json: result, status: :ok
       return
     end
 
-    if params[:full]
+    if response_full?
       full = Ticket::Article.full(params[:id])
       render json: full
       return
@@ -39,7 +39,7 @@ class TicketArticlesController < ApplicationController
 
     articles = []
 
-    if params[:expand]
+    if response_expand?
       ticket.articles.each do |article|
 
         # ignore internal article if customer is requesting
@@ -52,7 +52,7 @@ class TicketArticlesController < ApplicationController
       return
     end
 
-    if params[:full]
+    if response_full?
       assets = {}
       record_ids = []
       ticket.articles.each do |article|
@@ -66,7 +66,7 @@ class TicketArticlesController < ApplicationController
       render json: {
         record_ids: record_ids,
         assets: assets,
-      }
+      }, status: :ok
       return
     end
 
@@ -76,7 +76,7 @@ class TicketArticlesController < ApplicationController
       next if article.internal == true && current_user.permissions?('ticket.customer')
       articles.push article.attributes_with_association_names
     end
-    render json: articles
+    render json: articles, status: :ok
   end
 
   # POST /articles
@@ -85,13 +85,13 @@ class TicketArticlesController < ApplicationController
     access!(ticket, 'create')
     article = article_create(ticket, params)
 
-    if params[:expand]
+    if response_expand?
       result = article.attributes_with_association_names
       render json: result, status: :created
       return
     end
 
-    if params[:full]
+    if response_full?
       full = Ticket::Article.full(params[:id])
       render json: full, status: :created
       return
@@ -114,13 +114,13 @@ class TicketArticlesController < ApplicationController
 
     article.update!(clean_params)
 
-    if params[:expand]
+    if response_expand?
       result = article.attributes_with_association_names
       render json: result, status: :ok
       return
     end
 
-    if params[:full]
+    if response_full?
       full = Ticket::Article.full(params[:id])
       render json: full, status: :ok
       return

app/controllers/tickets_controller.rb

@@ -24,7 +24,7 @@ class TicketsController < ApplicationController
     access_condition = Ticket.access_condition(current_user, 'read')
     tickets = Ticket.where(access_condition).order(id: 'ASC').offset(offset).limit(per_page)
 
-    if params[:expand]
+    if response_expand?
       list = []
       tickets.each do |ticket|
         list.push ticket.attributes_with_association_names
@@ -33,7 +33,7 @@ class TicketsController < ApplicationController
       return
     end
 
-    if params[:full]
+    if response_full?
       assets = {}
       item_ids = []
       tickets.each do |item|
@@ -55,19 +55,19 @@ class TicketsController < ApplicationController
     ticket = Ticket.find(params[:id])
     access!(ticket, 'read')
 
-    if params[:expand]
+    if response_expand?
       result = ticket.attributes_with_association_names
       render json: result, status: :ok
       return
     end
 
-    if params[:full]
+    if response_full?
       full = Ticket.full(params[:id])
       render json: full
       return
     end
 
-    if params[:all]
+    if response_all?
       render json: ticket_all(ticket)
       return
     end
@@ -163,18 +163,24 @@ class TicketsController < ApplicationController
       end
     end
 
-    if params[:expand]
+    if response_expand?
       result = ticket.reload.attributes_with_association_names
       render json: result, status: :created
       return
     end
 
-    if params[:all]
-      render json: ticket_all(ticket.reload)
+    if response_full?
+      full = Ticket.full(ticket.id)
+      render json: full, status: :created
       return
     end
 
-    render json: ticket.reload, status: :created
+    if response_all?
+      render json: ticket_all(ticket.reload), status: :created
+      return
+    end
+
+    render json: ticket.reload.attributes_with_association_ids, status: :created
   end
 
   # PUT /api/v1/tickets/1
@@ -199,18 +205,24 @@ class TicketsController < ApplicationController
       end
     end
 
-    if params[:expand]
+    if response_expand?
       result = ticket.reload.attributes_with_association_names
       render json: result, status: :ok
       return
     end
 
-    if params[:all]
-      render json: ticket_all(ticket.reload)
+    if response_full?
+      full = Ticket.full(params[:id])
+      render json: full, status: :ok
       return
     end
 
-    render json: ticket.reload, status: :ok
+    if response_all?
+      render json: ticket_all(ticket.reload), status: :ok
+      return
+    end
+
+    render json: ticket.reload.attributes_with_association_ids, status: :ok
   end
 
   # DELETE /api/v1/tickets/1
@@ -410,7 +422,7 @@ class TicketsController < ApplicationController
       tickets = tickets[offset, params[:per_page].to_i] || []
     end
 
-    if params[:expand]
+    if response_expand?
       list = []
       tickets.each do |ticket|
         list.push ticket.attributes_with_association_names

app/controllers/users_controller.rb

@@ -32,7 +32,7 @@ class UsersController < ApplicationController
               User.all.order(id: 'ASC').offset(offset).limit(per_page)
             end
 
-    if params[:expand]
+    if response_expand?
       list = []
       users.each do |user|
         list.push user.attributes_with_association_names
@@ -41,7 +41,7 @@ class UsersController < ApplicationController
       return
     end
 
-    if params[:full]
+    if response_full?
       assets = {}
       item_ids = []
       users.each do |item|
@@ -78,18 +78,24 @@ class UsersController < ApplicationController
     user = User.find(params[:id])
     access!(user, 'read')
 
-    if params[:expand]
+    if response_expand?
       result = user.attributes_with_association_names
-    elsif params[:full]
-      result = {
-        id:     params[:id],
-        assets: user.assets({}),
-      }
-    else
-      result = user.attributes_with_association_ids
       result.delete('password')
+      render json: result
+      return
     end
 
+    if response_full?
+      result = {
+        id:     user.id,
+        assets: user.assets({}),
+      }
+      render json: result
+      return
+    end
+
+    result = user.attributes_with_association_ids
+    result.delete('password')
     render json: result
   end
 
@@ -198,7 +204,7 @@ class UsersController < ApplicationController
     end
 
     # send inviteation if needed / only if session exists
-    if params[:invite] && current_user
+    if params[:invite].present? && current_user
       token = Token.create(action: 'PasswordReset', user_id: user.id)
       NotificationFactory::Mailer.notification(
         template: 'user_invite',
@@ -212,7 +218,7 @@ class UsersController < ApplicationController
     end
 
     # send email verify
-    if params[:signup] && !current_user
+    if params[:signup].present? && !current_user
       result = User.signup_new_token(user)
       NotificationFactory::Mailer.notification(
         template: 'signup',
@@ -221,15 +227,25 @@ class UsersController < ApplicationController
       )
     end
 
-    if params[:expand]
-      user = User.find(user.id).attributes_with_association_names
+    if response_expand?
+      user = user.reload.attributes_with_association_names
+      user.delete('password')
       render json: user, status: :created
       return
     end
 
-    user_new = User.find(user.id).attributes_with_association_ids
-    user_new.delete('password')
-    render json: user_new, status: :created
+    if response_full?
+      result = {
+        id:     user.id,
+        assets: user.assets({}),
+      }
+      render json: result, status: :created
+      return
+    end
+
+    user = user.reload.attributes_with_association_ids
+    user.delete('password')
+    render json: user, status: :created
   end
 
   # @path       [PUT] /users/{id}
@@ -269,18 +285,27 @@ class UsersController < ApplicationController
       if current_user.permissions?(['admin.user', 'ticket.agent']) && (params[:organization_ids] || params[:organizations])
         user.associations_from_param(organization_ids: params[:organization_ids], organizations: params[:organizations])
       end
-
-      if params[:expand]
-        user = User.find(user.id).attributes_with_association_names
-        render json: user, status: :ok
-        return
-      end
     end
 
-    # get new data
-    user_new = User.find(user.id).attributes_with_association_ids
-    user_new.delete('password')
-    render json: user_new, status: :ok
+    if response_expand?
+      user = user.reload.attributes_with_association_names
+      user.delete('password')
+      render json: user, status: :ok
+      return
+    end
+
+    if response_full?
+      result = {
+        id:     user.id,
+        assets: user.assets({}),
+      }
+      render json: result, status: :ok
+      return
+    end
+
+    user = user.reload.attributes_with_association_ids
+    user.delete('password')
+    render json: user, status: :ok
   end
 
   # @path    [DELETE] /users/{id}
@@ -311,13 +336,14 @@ class UsersController < ApplicationController
   # @response_message 401        Invalid session.
   def me
 
-    if params[:expand]
+    if response_expand?
       user = current_user.attributes_with_association_names
+      user.delete('password')
       render json: user, status: :ok
       return
     end
 
-    if params[:full]
+    if response_full?
       full = User.full(current_user.id)
       render json: full
       return
@@ -387,7 +413,7 @@ class UsersController < ApplicationController
       user_all = user_all[offset, params[:per_page].to_i] || []
     end
 
-    if params[:expand]
+    if response_expand?
       list = []
       user_all.each do |user|
         list.push user.attributes_with_association_names
@@ -413,7 +439,7 @@ class UsersController < ApplicationController
       return
     end
 
-    if params[:full]
+    if response_full?
       user_ids = []
       assets   = {}
       user_all.each do |user|
@@ -467,7 +493,7 @@ class UsersController < ApplicationController
                end
 
     # build result list
-    if !params[:full]
+    if !response_full?
       users = []
       user_all.each do |user|
         realname = user.firstname.to_s + ' ' + user.lastname.to_s

app/models/application_model/can_assets.rb

@@ -109,7 +109,7 @@ return object and assets
       object = find(id)
       assets = object.assets({})
       {
-        id: id,
+        id: object.id,
         assets: assets,
       }
     end

app/models/ticket/search.rb

@@ -94,7 +94,7 @@ returns
     limit        = params[:limit] || 12
     current_user = params[:current_user]
     full         = false
-    if params[:full] || !params.key?(:full)
+    if params[:full] == true || params[:full] == 'true' || !params.key?(:full)
       full = true
     end
 

db/seeds/community_user_resources.rb

@@ -16,29 +16,31 @@ user_community = User.create_or_update(
 
 UserInfo.current_user_id = user_community.id
 
-ticket = Ticket.create!(
-  group_id: Group.find_by(name: 'Users').id,
-  customer_id: User.find_by(login: 'nicole.braun@zammad.org').id,
-  title: 'Welcome to Zammad!',
-)
-Ticket::Article.create!(
-  ticket_id: ticket.id,
-  type_id: Ticket::Article::Type.find_by(name: 'phone').id,
-  sender_id: Ticket::Article::Sender.find_by(name: 'Customer').id,
-  from: 'Zammad Feedback <feedback@zammad.org>',
-  body: 'Welcome!
+if Ticket.count.zero?
+  ticket = Ticket.create!(
+    group_id: Group.find_by(name: 'Users').id,
+    customer_id: User.find_by(login: 'nicole.braun@zammad.org').id,
+    title: 'Welcome to Zammad!',
+  )
+  Ticket::Article.create!(
+    ticket_id: ticket.id,
+    type_id: Ticket::Article::Type.find_by(name: 'phone').id,
+    sender_id: Ticket::Article::Sender.find_by(name: 'Customer').id,
+    from: 'Zammad Feedback <feedback@zammad.org>',
+    body: 'Welcome!
 
-Thank you for choosing Zammad.
+  Thank you for choosing Zammad.
 
-You will find updates and patches at https://zammad.org/. Online
-documentation is available at https://zammad.org/documentation. Get
-involved (discussions, contributing, ...) at https://zammad.org/participate.
+  You will find updates and patches at https://zammad.org/. Online
+  documentation is available at https://zammad.org/documentation. Get
+  involved (discussions, contributing, ...) at https://zammad.org/participate.
 
-Regards,
+  Regards,
 
-Your Zammad Team
-',
-  internal: false,
-)
+  Your Zammad Team
+  ',
+    internal: false,
+  )
+end
 
 UserInfo.current_user_id = 1

test/controllers/organization_controller_test.rb

@@ -0,0 +1,513 @@
+
+require 'test_helper'
+require 'rake'
+
+class OrganizationControllerTest < ActionDispatch::IntegrationTest
+  setup do
+
+    # set accept header
+    @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json' }
+
+    # create agent
+    roles  = Role.where(name: %w[Admin Agent])
+    groups = Group.all
+
+    UserInfo.current_user_id = 1
+
+    @backup_admin = User.create_or_update(
+      login: 'backup-admin',
+      firstname: 'Backup',
+      lastname: 'Agent',
+      email: 'backup-admin@example.com',
+      password: 'adminpw',
+      active: true,
+      roles: roles,
+      groups: groups,
+    )
+
+    @admin = User.create_or_update(
+      login: 'rest-admin',
+      firstname: 'Rest',
+      lastname: 'Agent',
+      email: 'rest-admin@example.com',
+      password: 'adminpw',
+      active: true,
+      roles: roles,
+      groups: groups,
+    )
+
+    # create agent
+    roles = Role.where(name: 'Agent')
+    @agent = User.create_or_update(
+      login: 'rest-agent@example.com',
+      firstname: 'Rest',
+      lastname: 'Agent',
+      email: 'rest-agent@example.com',
+      password: 'agentpw',
+      active: true,
+      roles: roles,
+      groups: groups,
+    )
+
+    # create customer without org
+    roles = Role.where(name: 'Customer')
+    @customer_without_org = User.create_or_update(
+      login: 'rest-customer1@example.com',
+      firstname: 'Rest',
+      lastname: 'Customer1',
+      email: 'rest-customer1@example.com',
+      password: 'customer1pw',
+      active: true,
+      roles: roles,
+    )
+
+    # create orgs
+    @organization = Organization.create_or_update(
+      name: 'Rest Org',
+    )
+    @organization2 = Organization.create_or_update(
+      name: 'Rest Org #2',
+    )
+    @organization3 = Organization.create_or_update(
+      name: 'Rest Org #3',
+    )
+
+    # create customer with org
+    @customer_with_org = User.create_or_update(
+      login: 'rest-customer2@example.com',
+      firstname: 'Rest',
+      lastname: 'Customer2',
+      email: 'rest-customer2@example.com',
+      password: 'customer2pw',
+      active: true,
+      roles: roles,
+      organization_id: @organization.id,
+    )
+
+    # configure es
+    if ENV['ES_URL'].present?
+      #fail "ERROR: Need ES_URL - hint ES_URL='http://127.0.0.1:9200'"
+      Setting.set('es_url', ENV['ES_URL'])
+
+      # Setting.set('es_url', 'http://127.0.0.1:9200')
+      # Setting.set('es_index', 'estest.local_zammad')
+      # Setting.set('es_user', 'elasticsearch')
+      # Setting.set('es_password', 'zammad')
+
+      if ENV['ES_INDEX_RAND'].present?
+        ENV['ES_INDEX'] = "es_index_#{rand(999_999_999)}"
+      end
+      if ENV['ES_INDEX'].blank?
+        raise "ERROR: Need ES_INDEX - hint ES_INDEX='estest.local_zammad'"
+      end
+      Setting.set('es_index', ENV['ES_INDEX'])
+
+      travel 1.minute
+
+      # drop/create indexes
+      Rake::Task.clear
+      Zammad::Application.load_tasks
+      #Rake::Task["searchindex:drop"].execute
+      #Rake::Task["searchindex:create"].execute
+      Rake::Task['searchindex:rebuild'].execute
+
+      # execute background jobs
+      Scheduler.worker(true)
+
+      sleep 6
+    end
+
+    UserInfo.current_user_id = nil
+  end
+
+  test 'organization index with agent' do
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-agent@example.com', 'agentpw')
+
+    # index
+    get '/api/v1/organizations', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Array)
+    assert_equal(result[0]['member_ids'].class, Array)
+    assert(result.length >= 3)
+
+    get '/api/v1/organizations?limit=40&page=1&per_page=2', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    organizations = Organization.order(:id).limit(2)
+    assert_equal(organizations[0].id, result[0]['id'])
+    assert_equal(organizations[0].member_ids, result[0]['member_ids'])
+    assert_equal(organizations[1].id, result[1]['id'])
+    assert_equal(organizations[1].member_ids, result[1]['member_ids'])
+    assert_equal(2, result.count)
+
+    get '/api/v1/organizations?limit=40&page=2&per_page=2', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    organizations = Organization.order(:id).limit(4)
+    assert_equal(organizations[2].id, result[0]['id'])
+    assert_equal(organizations[2].member_ids, result[0]['member_ids'])
+    assert_equal(organizations[3].id, result[1]['id'])
+    assert_equal(organizations[3].member_ids, result[1]['member_ids'])
+
+    assert_equal(2, result.count)
+
+    # show/:id
+    get "/api/v1/organizations/#{@organization.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_equal(result['member_ids'].class, Array)
+    assert_not(result['members'])
+    assert_equal(result['name'], 'Rest Org')
+
+    get "/api/v1/organizations/#{@organization2.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_equal(result['member_ids'].class, Array)
+    assert_not(result['members'])
+    assert_equal(result['name'], 'Rest Org #2')
+
+    # search as agent
+    Scheduler.worker(true)
+    get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal('Zammad Foundation', result[0]['name'])
+    assert(result[0]['member_ids'])
+    assert_not(result[0]['members'])
+
+    get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}&expand=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal('Zammad Foundation', result[0]['name'])
+    assert(result[0]['member_ids'])
+    assert(result[0]['members'])
+
+    get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}&label=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal('Zammad Foundation', result[0]['label'])
+    assert_equal('Zammad Foundation', result[0]['value'])
+    assert_not(result[0]['member_ids'])
+    assert_not(result[0]['members'])
+  end
+
+  test 'organization index with customer1' do
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer1@example.com', 'customer1pw')
+
+    # index
+    get '/api/v1/organizations', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Array)
+    assert_equal(result.length, 0)
+
+    # show/:id
+    get "/api/v1/organizations/#{@organization.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_nil(result['name'])
+
+    get "/api/v1/organizations/#{@organization2.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_nil(result['name'])
+
+    # search
+    Scheduler.worker(true)
+    get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+  end
+
+  test 'organization index with customer2' do
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer2@example.com', 'customer2pw')
+
+    # index
+    get '/api/v1/organizations', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Array)
+    assert_equal(result.length, 1)
+
+    # show/:id
+    get "/api/v1/organizations/#{@organization.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_equal(result['name'], 'Rest Org')
+
+    get "/api/v1/organizations/#{@organization2.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_nil(result['name'])
+
+    # search
+    Scheduler.worker(true)
+    get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+  end
+
+  test '04.01 organization show and response format' do
+    organization = Organization.create_or_update(
+      name: 'Rest Org NEW',
+      members: [@customer_without_org],
+      updated_by_id: @admin.id,
+      created_by_id: @admin.id,
+    )
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+    get "/api/v1/organizations/#{organization.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(organization.id, result['id'])
+    assert_equal(organization.name, result['name'])
+    assert_not(result['members'])
+    assert_equal([@customer_without_org.id], result['member_ids'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    get "/api/v1/organizations/#{organization.id}?expand=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(organization.id, result['id'])
+    assert_equal(organization.name, result['name'])
+    assert(result['members'])
+    assert_equal([@customer_without_org.id], result['member_ids'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    get "/api/v1/organizations/#{organization.id}?expand=false", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(organization.id, result['id'])
+    assert_equal(organization.name, result['name'])
+    assert_not(result['members'])
+    assert_equal([@customer_without_org.id], result['member_ids'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    get "/api/v1/organizations/#{organization.id}?full=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+
+    assert_equal(Hash, result.class)
+    assert_equal(organization.id, result['id'])
+    assert(result['assets'])
+    assert(result['assets']['Organization'])
+    assert(result['assets']['Organization'][organization.id.to_s])
+    assert_equal(organization.id, result['assets']['Organization'][organization.id.to_s]['id'])
+    assert_equal(organization.name, result['assets']['Organization'][organization.id.to_s]['name'])
+    assert_equal(organization.member_ids, result['assets']['Organization'][organization.id.to_s]['member_ids'])
+    assert_not(result['assets']['Organization'][organization.id.to_s]['members'])
+
+    get "/api/v1/organizations/#{organization.id}?full=false", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(organization.id, result['id'])
+    assert_equal(organization.name, result['name'])
+    assert_not(result['members'])
+    assert_equal([@customer_without_org.id], result['member_ids'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+  end
+
+  test '04.02 organization index and response format' do
+    organization = Organization.create_or_update(
+      name: 'Rest Org NEW',
+      members: [@customer_without_org],
+      updated_by_id: @admin.id,
+      created_by_id: @admin.id,
+    )
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+    get '/api/v1/organizations', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(organization.id, result.last['id'])
+    assert_equal(organization.name, result.last['name'])
+    assert_not(result.last['members'])
+    assert_equal(organization.member_ids, result.last['member_ids'])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+
+    get '/api/v1/organizations?expand=true', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(organization.id, result.last['id'])
+    assert_equal(organization.name, result.last['name'])
+    assert_equal(organization.member_ids, result.last['member_ids'])
+    assert_equal(organization.members.pluck(:login), [@customer_without_org.login])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+
+    get '/api/v1/organizations?expand=false', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(organization.id, result.last['id'])
+    assert_equal(organization.name, result.last['name'])
+    assert_not(result.last['members'])
+    assert_equal(organization.member_ids, result.last['member_ids'])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+
+    get '/api/v1/organizations?full=true', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+
+    assert_equal(Hash, result.class)
+    assert_equal(Array, result['record_ids'].class)
+    assert_equal(1, result['record_ids'][0])
+    assert_equal(organization.id, result['record_ids'].last)
+    assert(result['assets'])
+    assert(result['assets']['Organization'])
+    assert(result['assets']['Organization'][organization.id.to_s])
+    assert_equal(organization.id, result['assets']['Organization'][organization.id.to_s]['id'])
+    assert_equal(organization.name, result['assets']['Organization'][organization.id.to_s]['name'])
+    assert_equal(organization.member_ids, result['assets']['Organization'][organization.id.to_s]['member_ids'])
+    assert_not(result['assets']['Organization'][organization.id.to_s]['members'])
+
+    get '/api/v1/organizations?full=false', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(organization.id, result.last['id'])
+    assert_equal(organization.name, result.last['name'])
+    assert_not(result.last['members'])
+    assert_equal(organization.member_ids, result.last['member_ids'])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+  end
+
+  test '04.03 ticket create and response format' do
+    params = {
+      name: 'Rest Org NEW',
+      members: [@customer_without_org.login],
+    }
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+
+    post '/api/v1/organizations', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    organization = Organization.find(result['id'])
+    assert_equal(organization.name, result['name'])
+    assert_equal(organization.member_ids, result['member_ids'])
+    assert_not(result['members'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    params[:name] = 'Rest Org NEW #2'
+    post '/api/v1/organizations?expand=true', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    organization = Organization.find(result['id'])
+    assert_equal(organization.name, result['name'])
+    assert_equal(organization.member_ids, result['member_ids'])
+    assert_equal(organization.members.pluck(:login), result['members'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    params[:name] = 'Rest Org NEW #3'
+    post '/api/v1/organizations?full=true', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    organization = Organization.find(result['id'])
+    assert(result['assets'])
+    assert(result['assets']['Organization'])
+    assert(result['assets']['Organization'][organization.id.to_s])
+    assert_equal(organization.id, result['assets']['Organization'][organization.id.to_s]['id'])
+    assert_equal(organization.name, result['assets']['Organization'][organization.id.to_s]['name'])
+    assert_equal(organization.member_ids, result['assets']['Organization'][organization.id.to_s]['member_ids'])
+    assert_not(result['assets']['Organization'][organization.id.to_s]['members'])
+
+  end
+
+  test '04.04 ticket update and response formats' do
+    organization = Organization.create_or_update(
+      name: 'Rest Org NEW',
+      members: [@customer_without_org],
+      updated_by_id: @admin.id,
+      created_by_id: @admin.id,
+    )
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+
+    params = {
+      name: 'a update name #1',
+    }
+    put "/api/v1/organizations/#{organization.id}", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    organization = Organization.find(result['id'])
+    assert_equal(params[:name], result['name'])
+    assert_equal(organization.member_ids, result['member_ids'])
+    assert_not(result['members'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    params = {
+      name: 'a update name #2',
+    }
+    put "/api/v1/organizations/#{organization.id}?expand=true", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    organization = Organization.find(result['id'])
+    assert_equal(params[:name], result['name'])
+    assert_equal(organization.member_ids, result['member_ids'])
+    assert_equal(organization.members.pluck(:login), [@customer_without_org.login])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    params = {
+      name: 'a update name #3',
+    }
+    put "/api/v1/organizations/#{organization.id}?full=true", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    organization = Organization.find(result['id'])
+    assert(result['assets'])
+    assert(result['assets']['Organization'])
+    assert(result['assets']['Organization'][organization.id.to_s])
+    assert_equal(organization.id, result['assets']['Organization'][organization.id.to_s]['id'])
+    assert_equal(params[:name], result['assets']['Organization'][organization.id.to_s]['name'])
+    assert_equal(organization.member_ids, result['assets']['Organization'][organization.id.to_s]['member_ids'])
+    assert_not(result['assets']['Organization'][organization.id.to_s]['members'])
+
+  end
+
+end

test/controllers/tickets_controller_test.rb

@@ -47,7 +47,7 @@ class TicketsControllerTest < ActionDispatch::IntegrationTest
       active: true,
       roles: roles,
     )
-
+    UserInfo.current_user_id = nil
   end
 
   test '01.01 ticket create with agent - missing group' do
@@ -1107,4 +1107,353 @@ AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
     assert_equal('Not authorized (admin permission required)!', result['error'])
   end
 
+  test '04.01 ticket show and response format' do
+    title = "ticket testagent#{rand(999_999_999)}"
+    ticket = Ticket.create!(
+      title: title,
+      group: Group.lookup(name: 'Users'),
+      customer_id: @customer_without_org.id,
+      state: Ticket::State.lookup(name: 'new'),
+      priority: Ticket::Priority.lookup(name: '2 normal'),
+      updated_by_id: @agent.id,
+      created_by_id: @agent.id,
+    )
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    get "/api/v1/tickets/#{ticket.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(ticket.id, result['id'])
+    assert_equal(ticket.title, result['title'])
+    assert_not(result['group'])
+    assert_not(result['priority'])
+    assert_not(result['owner'])
+    assert_equal(ticket.customer_id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+
+    get "/api/v1/tickets/#{ticket.id}?expand=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(ticket.id, result['id'])
+    assert_equal(ticket.title, result['title'])
+    assert_equal(ticket.customer_id, result['customer_id'])
+    assert_equal(ticket.group.name, result['group'])
+    assert_equal(ticket.priority.name, result['priority'])
+    assert_equal(ticket.owner.login, result['owner'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+
+    get "/api/v1/tickets/#{ticket.id}?expand=false", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(ticket.id, result['id'])
+    assert_equal(ticket.title, result['title'])
+    assert_not(result['group'])
+    assert_not(result['priority'])
+    assert_not(result['owner'])
+    assert_equal(ticket.customer_id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+
+    get "/api/v1/tickets/#{ticket.id}?full=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+
+    assert_equal(Hash, result.class)
+    assert_equal(ticket.id, result['id'])
+    assert(result['assets'])
+    assert(result['assets']['Ticket'])
+    assert(result['assets']['Ticket'][ticket.id.to_s])
+    assert_equal(ticket.id, result['assets']['Ticket'][ticket.id.to_s]['id'])
+    assert_equal(ticket.title, result['assets']['Ticket'][ticket.id.to_s]['title'])
+    assert_equal(ticket.customer_id, result['assets']['Ticket'][ticket.id.to_s]['customer_id'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@agent.id.to_s])
+    assert_equal(@agent.id, result['assets']['User'][@agent.id.to_s]['id'])
+    assert_equal(@agent.firstname, result['assets']['User'][@agent.id.to_s]['firstname'])
+    assert_equal(@agent.lastname, result['assets']['User'][@agent.id.to_s]['lastname'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@customer_without_org.id.to_s])
+    assert_equal(@customer_without_org.id, result['assets']['User'][@customer_without_org.id.to_s]['id'])
+    assert_equal(@customer_without_org.firstname, result['assets']['User'][@customer_without_org.id.to_s]['firstname'])
+    assert_equal(@customer_without_org.lastname, result['assets']['User'][@customer_without_org.id.to_s]['lastname'])
+
+    get "/api/v1/tickets/#{ticket.id}?full=false", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(ticket.id, result['id'])
+    assert_equal(ticket.title, result['title'])
+    assert_not(result['group'])
+    assert_not(result['priority'])
+    assert_not(result['owner'])
+    assert_equal(ticket.customer_id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+  end
+
+  test '04.02 ticket index and response format' do
+    title = "ticket testagent#{rand(999_999_999)}"
+    ticket = Ticket.create!(
+      title: title,
+      group: Group.lookup(name: 'Users'),
+      customer_id: @customer_without_org.id,
+      state: Ticket::State.lookup(name: 'new'),
+      priority: Ticket::Priority.lookup(name: '2 normal'),
+      updated_by_id: @agent.id,
+      created_by_id: @agent.id,
+    )
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    get '/api/v1/tickets', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(1, result[0]['id'])
+    assert_equal(ticket.id, result[1]['id'])
+    assert_equal(ticket.title, result[1]['title'])
+    assert_not(result[1]['group'])
+    assert_not(result[1]['priority'])
+    assert_not(result[1]['owner'])
+    assert_equal(ticket.customer_id, result[1]['customer_id'])
+    assert_equal(@agent.id, result[1]['updated_by_id'])
+    assert_equal(@agent.id, result[1]['created_by_id'])
+
+    get '/api/v1/tickets?expand=true', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(1, result[0]['id'])
+    assert_equal(ticket.id, result[1]['id'])
+    assert_equal(ticket.title, result[1]['title'])
+    assert_equal(ticket.customer_id, result[1]['customer_id'])
+    assert_equal(ticket.group.name, result[1]['group'])
+    assert_equal(ticket.priority.name, result[1]['priority'])
+    assert_equal(ticket.owner.login, result[1]['owner'])
+    assert_equal(@agent.id, result[1]['updated_by_id'])
+    assert_equal(@agent.id, result[1]['created_by_id'])
+
+    get '/api/v1/tickets?expand=false', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(1, result[0]['id'])
+    assert_equal(ticket.id, result[1]['id'])
+    assert_equal(ticket.title, result[1]['title'])
+    assert_not(result[1]['group'])
+    assert_not(result[1]['priority'])
+    assert_not(result[1]['owner'])
+    assert_equal(ticket.customer_id, result[1]['customer_id'])
+    assert_equal(@agent.id, result[1]['updated_by_id'])
+    assert_equal(@agent.id, result[1]['created_by_id'])
+
+    get '/api/v1/tickets?full=true', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+
+    assert_equal(Hash, result.class)
+    assert_equal(Array, result['record_ids'].class)
+    assert_equal(1, result['record_ids'][0])
+    assert_equal(ticket.id, result['record_ids'][1])
+    assert(result['assets'])
+    assert(result['assets']['Ticket'])
+    assert(result['assets']['Ticket'][ticket.id.to_s])
+    assert_equal(ticket.id, result['assets']['Ticket'][ticket.id.to_s]['id'])
+    assert_equal(ticket.title, result['assets']['Ticket'][ticket.id.to_s]['title'])
+    assert_equal(ticket.customer_id, result['assets']['Ticket'][ticket.id.to_s]['customer_id'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@agent.id.to_s])
+    assert_equal(@agent.id, result['assets']['User'][@agent.id.to_s]['id'])
+    assert_equal(@agent.firstname, result['assets']['User'][@agent.id.to_s]['firstname'])
+    assert_equal(@agent.lastname, result['assets']['User'][@agent.id.to_s]['lastname'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@customer_without_org.id.to_s])
+    assert_equal(@customer_without_org.id, result['assets']['User'][@customer_without_org.id.to_s]['id'])
+    assert_equal(@customer_without_org.firstname, result['assets']['User'][@customer_without_org.id.to_s]['firstname'])
+    assert_equal(@customer_without_org.lastname, result['assets']['User'][@customer_without_org.id.to_s]['lastname'])
+
+    get '/api/v1/tickets?full=false', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(1, result[0]['id'])
+    assert_equal(ticket.id, result[1]['id'])
+    assert_equal(ticket.title, result[1]['title'])
+    assert_not(result[1]['group'])
+    assert_not(result[1]['priority'])
+    assert_not(result[1]['owner'])
+    assert_equal(ticket.customer_id, result[1]['customer_id'])
+    assert_equal(@agent.id, result[1]['updated_by_id'])
+    assert_equal(@agent.id, result[1]['created_by_id'])
+  end
+
+  test '04.03 ticket create and response format' do
+    title = "ticket testagent#{rand(999_999_999)}"
+    params = {
+      title: title,
+      group: 'Users',
+      customer_id: @customer_without_org.id,
+      state: 'new',
+      priority: '2 normal',
+      article: {
+        body: 'some test 123',
+      },
+    }
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+
+    post '/api/v1/tickets', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    ticket = Ticket.find(result['id'])
+    assert_equal(ticket.state_id, result['state_id'])
+    assert_not(result['state'])
+    assert_equal(ticket.priority_id, result['priority_id'])
+    assert_not(result['priority'])
+    assert_equal(ticket.group_id, result['group_id'])
+    assert_not(result['group'])
+    assert_equal(title, result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+
+    post '/api/v1/tickets?expand=true', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    ticket = Ticket.find(result['id'])
+    assert_equal(ticket.state_id, result['state_id'])
+    assert_equal(ticket.state.name, result['state'])
+    assert_equal(ticket.priority_id, result['priority_id'])
+    assert_equal(ticket.priority.name, result['priority'])
+    assert_equal(ticket.group_id, result['group_id'])
+    assert_equal(ticket.group.name, result['group'])
+    assert_equal(title, result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+
+    post '/api/v1/tickets?full=true', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    ticket = Ticket.find(result['id'])
+    assert(result['assets'])
+    assert(result['assets']['Ticket'])
+    assert(result['assets']['Ticket'][ticket.id.to_s])
+    assert_equal(ticket.id, result['assets']['Ticket'][ticket.id.to_s]['id'])
+    assert_equal(title, result['assets']['Ticket'][ticket.id.to_s]['title'])
+    assert_equal(ticket.customer_id, result['assets']['Ticket'][ticket.id.to_s]['customer_id'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@agent.id.to_s])
+    assert_equal(@agent.id, result['assets']['User'][@agent.id.to_s]['id'])
+    assert_equal(@agent.firstname, result['assets']['User'][@agent.id.to_s]['firstname'])
+    assert_equal(@agent.lastname, result['assets']['User'][@agent.id.to_s]['lastname'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@customer_without_org.id.to_s])
+    assert_equal(@customer_without_org.id, result['assets']['User'][@customer_without_org.id.to_s]['id'])
+    assert_equal(@customer_without_org.firstname, result['assets']['User'][@customer_without_org.id.to_s]['firstname'])
+    assert_equal(@customer_without_org.lastname, result['assets']['User'][@customer_without_org.id.to_s]['lastname'])
+
+  end
+
+  test '04.04 ticket update and response formats' do
+    title = "ticket testagent#{rand(999_999_999)}"
+    ticket = Ticket.create!(
+      title: title,
+      group: Group.lookup(name: 'Users'),
+      customer_id: @customer_without_org.id,
+      state: Ticket::State.lookup(name: 'new'),
+      priority: Ticket::Priority.lookup(name: '2 normal'),
+      updated_by_id: @agent.id,
+      created_by_id: @agent.id,
+    )
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+
+    params = {
+      title: 'a update ticket #1',
+    }
+    put "/api/v1/tickets/#{ticket.id}", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    ticket = Ticket.find(result['id'])
+    assert_equal(ticket.state_id, result['state_id'])
+    assert_not(result['state'])
+    assert_equal(ticket.priority_id, result['priority_id'])
+    assert_not(result['priority'])
+    assert_equal(ticket.group_id, result['group_id'])
+    assert_not(result['group'])
+    assert_equal('a update ticket #1', result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+
+    params = {
+      title: 'a update ticket #2',
+    }
+    put "/api/v1/tickets/#{ticket.id}?expand=true", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    ticket = Ticket.find(result['id'])
+    assert_equal(ticket.state_id, result['state_id'])
+    assert_equal(ticket.state.name, result['state'])
+    assert_equal(ticket.priority_id, result['priority_id'])
+    assert_equal(ticket.priority.name, result['priority'])
+    assert_equal(ticket.group_id, result['group_id'])
+    assert_equal(ticket.group.name, result['group'])
+    assert_equal('a update ticket #2', result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+
+    params = {
+      title: 'a update ticket #3',
+    }
+    put "/api/v1/tickets/#{ticket.id}?full=true", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    ticket = Ticket.find(result['id'])
+    assert(result['assets'])
+    assert(result['assets']['Ticket'])
+    assert(result['assets']['Ticket'][ticket.id.to_s])
+    assert_equal(ticket.id, result['assets']['Ticket'][ticket.id.to_s]['id'])
+    assert_equal('a update ticket #3', result['assets']['Ticket'][ticket.id.to_s]['title'])
+    assert_equal(ticket.customer_id, result['assets']['Ticket'][ticket.id.to_s]['customer_id'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@agent.id.to_s])
+    assert_equal(@agent.id, result['assets']['User'][@agent.id.to_s]['id'])
+    assert_equal(@agent.firstname, result['assets']['User'][@agent.id.to_s]['firstname'])
+    assert_equal(@agent.lastname, result['assets']['User'][@agent.id.to_s]['lastname'])
+
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][@customer_without_org.id.to_s])
+    assert_equal(@customer_without_org.id, result['assets']['User'][@customer_without_org.id.to_s]['id'])
+    assert_equal(@customer_without_org.firstname, result['assets']['User'][@customer_without_org.id.to_s]['firstname'])
+    assert_equal(@customer_without_org.lastname, result['assets']['User'][@customer_without_org.id.to_s]['lastname'])
+
+  end
+
 end

test/controllers/user_controller_test.rb

@@ -0,0 +1,960 @@
+
+require 'test_helper'
+require 'rake'
+
+class UserControllerTest < ActionDispatch::IntegrationTest
+  setup do
+
+    # set accept header
+    @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json' }
+
+    # create agent
+    roles  = Role.where(name: %w[Admin Agent])
+    groups = Group.all
+
+    UserInfo.current_user_id = 1
+
+    @backup_admin = User.create_or_update(
+      login: 'backup-admin',
+      firstname: 'Backup',
+      lastname: 'Agent',
+      email: 'backup-admin@example.com',
+      password: 'adminpw',
+      active: true,
+      roles: roles,
+      groups: groups,
+    )
+
+    @admin = User.create_or_update(
+      login: 'rest-admin',
+      firstname: 'Rest',
+      lastname: 'Agent',
+      email: 'rest-admin@example.com',
+      password: 'adminpw',
+      active: true,
+      roles: roles,
+      groups: groups,
+    )
+
+    # create agent
+    roles = Role.where(name: 'Agent')
+    @agent = User.create_or_update(
+      login: 'rest-agent@example.com',
+      firstname: 'Rest',
+      lastname: 'Agent',
+      email: 'rest-agent@example.com',
+      password: 'agentpw',
+      active: true,
+      roles: roles,
+      groups: groups,
+    )
+
+    # create customer without org
+    roles = Role.where(name: 'Customer')
+    @customer_without_org = User.create_or_update(
+      login: 'rest-customer1@example.com',
+      firstname: 'Rest',
+      lastname: 'Customer1',
+      email: 'rest-customer1@example.com',
+      password: 'customer1pw',
+      active: true,
+      roles: roles,
+    )
+
+    # create orgs
+    @organization = Organization.create_or_update(
+      name: 'Rest Org',
+    )
+    @organization2 = Organization.create_or_update(
+      name: 'Rest Org #2',
+    )
+    @organization3 = Organization.create_or_update(
+      name: 'Rest Org #3',
+    )
+
+    # create customer with org
+    @customer_with_org = User.create_or_update(
+      login: 'rest-customer2@example.com',
+      firstname: 'Rest',
+      lastname: 'Customer2',
+      email: 'rest-customer2@example.com',
+      password: 'customer2pw',
+      active: true,
+      roles: roles,
+      organization_id: @organization.id,
+    )
+
+    # configure es
+    if ENV['ES_URL'].present?
+      #fail "ERROR: Need ES_URL - hint ES_URL='http://127.0.0.1:9200'"
+      Setting.set('es_url', ENV['ES_URL'])
+
+      # Setting.set('es_url', 'http://127.0.0.1:9200')
+      # Setting.set('es_index', 'estest.local_zammad')
+      # Setting.set('es_user', 'elasticsearch')
+      # Setting.set('es_password', 'zammad')
+
+      if ENV['ES_INDEX_RAND'].present?
+        ENV['ES_INDEX'] = "es_index_#{rand(999_999_999)}"
+      end
+      if ENV['ES_INDEX'].blank?
+        raise "ERROR: Need ES_INDEX - hint ES_INDEX='estest.local_zammad'"
+      end
+      Setting.set('es_index', ENV['ES_INDEX'])
+
+      travel 1.minute
+
+      # drop/create indexes
+      Rake::Task.clear
+      Zammad::Application.load_tasks
+      #Rake::Task["searchindex:drop"].execute
+      #Rake::Task["searchindex:create"].execute
+      Rake::Task['searchindex:rebuild'].execute
+
+      # execute background jobs
+      Scheduler.worker(true)
+
+      sleep 6
+    end
+    UserInfo.current_user_id = nil
+
+  end
+
+  test 'user create tests - no user' do
+
+    post '/api/v1/signshow', params: {}, headers: @headers
+
+    # create user with disabled feature
+    Setting.set('user_create_account', false)
+    token = @response.headers['CSRF-TOKEN']
+
+    # token based on form
+    params = { email: 'some_new_customer@example.com', authenticity_token: token }
+    post '/api/v1/users', params: params.to_json, headers: @headers
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result['error'])
+    assert_equal('Feature not enabled!', result['error'])
+
+    # token based on headers
+    headers = @headers.merge('X-CSRF-Token' => token)
+    params = { email: 'some_new_customer@example.com' }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result['error'])
+    assert_equal('Feature not enabled!', result['error'])
+
+    Setting.set('user_create_account', true)
+
+    # no signup param with enabled feature
+    params = { email: 'some_new_customer@example.com' }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result['error'])
+    assert_equal('Only signup with not authenticate user possible!', result['error'])
+
+    # already existing user with enabled feature
+    params = { email: 'rest-customer1@example.com', signup: true }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result['error'])
+    assert_equal('Email address is already used for other user.', result['error'])
+
+    # email missing with enabled feature
+    params = { firstname: 'some firstname', signup: true }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result['error'])
+    assert_equal('Attribute \'email\' required!', result['error'])
+
+    # email missing with enabled feature
+    params = { firstname: 'some firstname', signup: true }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result['error'])
+    assert_equal('Attribute \'email\' required!', result['error'])
+
+    # create user with enabled feature (take customer role)
+    params = { firstname: 'Me First', lastname: 'Me Last', email: 'new_here@example.com', signup: true }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert(result)
+
+    assert_equal('Me First', result['firstname'])
+    assert_equal('Me Last', result['lastname'])
+    assert_equal('new_here@example.com', result['login'])
+    assert_equal('new_here@example.com', result['email'])
+    user = User.find(result['id'])
+    assert_not(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert(user.role?('Customer'))
+
+    # create user with admin role (not allowed for signup, take customer role)
+    role = Role.lookup(name: 'Admin')
+    params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin@example.com', role_ids: [ role.id ], signup: true }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert(result)
+    user = User.find(result['id'])
+    assert_not(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert(user.role?('Customer'))
+
+    # create user with agent role (not allowed for signup, take customer role)
+    role = Role.lookup(name: 'Agent')
+    params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', role_ids: [ role.id ], signup: true }
+    post '/api/v1/users', params: params.to_json, headers: headers
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert(result)
+    user = User.find(result['id'])
+    assert_not(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert(user.role?('Customer'))
+
+    # no user (because of no session)
+    get '/api/v1/users', params: {}, headers: headers
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal('authentication failed', result['error'])
+
+    # me
+    get '/api/v1/users/me', params: {}, headers: headers
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal('authentication failed', result['error'])
+  end
+
+  test 'auth tests - not existing user' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('not_existing@example.com', 'adminpw')
+
+    # me
+    get '/api/v1/users/me', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal('authentication failed', result['error'])
+
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal('authentication failed', result['error'])
+  end
+
+  test 'auth tests - username auth, wrong pw' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin', 'not_existing')
+
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal('authentication failed', result['error'])
+  end
+
+  test 'auth tests - email auth, wrong pw' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'not_existing')
+
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal('authentication failed', result['error'])
+  end
+
+  test 'auth tests - username auth' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin', 'adminpw')
+
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+  end
+
+  test 'auth tests - email auth' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+  end
+
+  test 'user index and create with admin' do
+
+    # email auth
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+
+    # me
+    get '/api/v1/users/me', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result['email'], 'rest-admin@example.com')
+
+    # index
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+
+    # index
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result.class, Array)
+    assert(result.length >= 3)
+
+    # show/:id
+    get "/api/v1/users/#{@agent.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result.class, Hash)
+    assert_equal(result['email'], 'rest-agent@example.com')
+
+    get "/api/v1/users/#{@customer_without_org.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result.class, Hash)
+    assert_equal(result['email'], 'rest-customer1@example.com')
+
+    # create user with admin role
+    role = Role.lookup(name: 'Admin')
+    params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin_by_admin@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert(result)
+    user = User.find(result['id'])
+    assert(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert_not(user.role?('Customer'))
+    assert_equal('new_admin_by_admin@example.com', result['login'])
+    assert_equal('new_admin_by_admin@example.com', result['email'])
+
+    # create user with agent role
+    role = Role.lookup(name: 'Agent')
+    params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent_by_admin1@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert(result)
+    user = User.find(result['id'])
+    assert_not(user.role?('Admin'))
+    assert(user.role?('Agent'))
+    assert_not(user.role?('Customer'))
+    assert_equal('new_agent_by_admin1@example.com', result['login'])
+    assert_equal('new_agent_by_admin1@example.com', result['email'])
+
+    role = Role.lookup(name: 'Agent')
+    params = { firstname: 'Agent First', email: 'new_agent_by_admin2@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert(result)
+    user = User.find(result['id'])
+    assert_not(user.role?('Admin'))
+    assert(user.role?('Agent'))
+    assert_not(user.role?('Customer'))
+    assert_equal('new_agent_by_admin2@example.com', result['login'])
+    assert_equal('new_agent_by_admin2@example.com', result['email'])
+    assert_equal('Agent', result['firstname'])
+    assert_equal('First', result['lastname'])
+
+    role = Role.lookup(name: 'Agent')
+    params = { firstname: 'Agent First', email: 'new_agent_by_admin2@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal('Email address is already used for other user.', result['error'])
+
+    # missing required attributes
+    params = { note: 'some note' }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal('Minimum one identifier (login, firstname, lastname, phone or email) for user is required.', result['error'])
+
+    # invalid email
+    params = { firstname: 'newfirstname123', email: 'some_what', note: 'some note' }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal('Invalid email', result['error'])
+
+    # with valid attributes
+    params = { firstname: 'newfirstname123', note: 'some note' }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert(result)
+    user = User.find(result['id'])
+    assert_not(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert(user.role?('Customer'))
+    assert(result['login'].start_with?('auto-'))
+    assert_equal('', result['email'])
+    assert_equal('newfirstname123', result['firstname'])
+    assert_equal('', result['lastname'])
+  end
+
+  test 'user index and create with agent' do
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-agent@example.com', 'agentpw')
+
+    # me
+    get '/api/v1/users/me', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result['email'], 'rest-agent@example.com')
+
+    # index
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+
+    # index
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result.class, Array)
+    assert(result.length >= 3)
+
+    get '/api/v1/users?limit=40&page=1&per_page=2', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    users = User.order(:id).limit(2)
+    assert_equal(users[0].id, result[0]['id'])
+    assert_equal(users[1].id, result[1]['id'])
+    assert_equal(2, result.count)
+
+    get '/api/v1/users?limit=40&page=2&per_page=2', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    users = User.order(:id).limit(4)
+    assert_equal(users[2].id, result[0]['id'])
+    assert_equal(users[3].id, result[1]['id'])
+    assert_equal(2, result.count)
+
+    # create user with admin role
+    firstname = "First test#{rand(999_999_999)}"
+    role = Role.lookup(name: 'Admin')
+    params = { firstname: "Admin#{firstname}", lastname: 'Admin Last', email: 'new_admin_by_agent@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result_user1 = JSON.parse(@response.body)
+    assert(result_user1)
+    user = User.find(result_user1['id'])
+    assert_not(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert(user.role?('Customer'))
+    assert_equal('new_admin_by_agent@example.com', result_user1['login'])
+    assert_equal('new_admin_by_agent@example.com', result_user1['email'])
+
+    # create user with agent role
+    role = Role.lookup(name: 'Agent')
+    params = { firstname: "Agent#{firstname}", lastname: 'Agent Last', email: 'new_agent_by_agent@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result_user1 = JSON.parse(@response.body)
+    assert(result_user1)
+    user = User.find(result_user1['id'])
+    assert_not(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert(user.role?('Customer'))
+    assert_equal('new_agent_by_agent@example.com', result_user1['login'])
+    assert_equal('new_agent_by_agent@example.com', result_user1['email'])
+
+    # create user with customer role
+    role = Role.lookup(name: 'Customer')
+    params = { firstname: "Customer#{firstname}", lastname: 'Customer Last', email: 'new_customer_by_agent@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result_user1 = JSON.parse(@response.body)
+    assert(result_user1)
+    user = User.find(result_user1['id'])
+    assert_not(user.role?('Admin'))
+    assert_not(user.role?('Agent'))
+    assert(user.role?('Customer'))
+    assert_equal('new_customer_by_agent@example.com', result_user1['login'])
+    assert_equal('new_customer_by_agent@example.com', result_user1['email'])
+
+    # search as agent
+    Scheduler.worker(true)
+    sleep 2 # let es time to come ready
+    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+
+    assert_equal(result_user1['id'], result[0]['id'])
+    assert_equal("Customer#{firstname}", result[0]['firstname'])
+    assert_equal('Customer Last', result[0]['lastname'])
+    assert(result[0]['role_ids'])
+    assert_not(result[0]['roles'])
+
+    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&expand=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(result_user1['id'], result[0]['id'])
+    assert_equal("Customer#{firstname}", result[0]['firstname'])
+    assert_equal('Customer Last', result[0]['lastname'])
+    assert(result[0]['role_ids'])
+    assert(result[0]['roles'])
+
+    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&label=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(result_user1['id'], result[0]['id'])
+    assert_equal("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>", result[0]['label'])
+    assert_equal("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>", result[0]['value'])
+    assert_not(result[0]['role_ids'])
+    assert_not(result[0]['roles'])
+
+    role = Role.find_by(name: 'Agent')
+    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&role_ids=#{role.id}&label=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(0, result.count)
+
+    role = Role.find_by(name: 'Customer')
+    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&role_ids=#{role.id}&label=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(result_user1['id'], result[0]['id'])
+    assert_equal("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>", result[0]['label'])
+    assert_equal("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>", result[0]['value'])
+    assert_not(result[0]['role_ids'])
+    assert_not(result[0]['roles'])
+
+    permission = Permission.find_by(name: 'ticket.agent')
+    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&permissions=#{permission.name}&label=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(0, result.count)
+
+    permission = Permission.find_by(name: 'ticket.customer')
+    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&permissions=#{permission.name}&label=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(result_user1['id'], result[0]['id'])
+    assert_equal("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>", result[0]['label'])
+    assert_equal("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>", result[0]['value'])
+    assert_not(result[0]['role_ids'])
+    assert_not(result[0]['roles'])
+  end
+
+  test 'user index and create with customer1' do
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer1@example.com', 'customer1pw')
+
+    # me
+    get '/api/v1/users/me', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result['email'], 'rest-customer1@example.com')
+
+    # index
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Array)
+    assert_equal(result.length, 1)
+
+    # show/:id
+    get "/api/v1/users/#{@customer_without_org.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_equal(result['email'], 'rest-customer1@example.com')
+
+    get "/api/v1/users/#{@customer_with_org.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert(result['error'])
+
+    # create user with admin role
+    role = Role.lookup(name: 'Admin')
+    params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin_by_customer1@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+
+    # create user with agent role
+    role = Role.lookup(name: 'Agent')
+    params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent_by_customer1@example.com', role_ids: [ role.id ] }
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+
+    # search
+    Scheduler.worker(true)
+    get "/api/v1/users/search?query=#{CGI.escape('First')}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+  end
+
+  test 'user index with customer2' do
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer2@example.com', 'customer2pw')
+
+    # me
+    get '/api/v1/users/me', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert(result)
+    assert_equal(result['email'], 'rest-customer2@example.com')
+
+    # index
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Array)
+    assert_equal(result.length, 1)
+
+    # show/:id
+    get "/api/v1/users/#{@customer_with_org.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert_equal(result['email'], 'rest-customer2@example.com')
+
+    get "/api/v1/users/#{@customer_without_org.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+    result = JSON.parse(@response.body)
+    assert_equal(result.class, Hash)
+    assert(result['error'])
+
+    # search
+    Scheduler.worker(true)
+    get "/api/v1/users/search?query=#{CGI.escape('First')}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(401)
+  end
+
+  test '04.01 users show and response format' do
+    roles = Role.where(name: 'Customer')
+    organization = Organization.first
+    user = User.create!(
+      login: 'rest-customer3@example.com',
+      firstname: 'Rest',
+      lastname: 'Customer3',
+      email: 'rest-customer3@example.com',
+      password: 'customer3pw',
+      active: true,
+      organization: organization,
+      roles: roles,
+      updated_by_id: @admin.id,
+      created_by_id: @admin.id,
+    )
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+    get "/api/v1/users/#{user.id}", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(user.id, result['id'])
+    assert_equal(user.firstname, result['firstname'])
+    assert_not(result['organization'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_not(result['password'])
+    assert_equal(user.role_ids, result['role_ids'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    get "/api/v1/users/#{user.id}?expand=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(user.id, result['id'])
+    assert_equal(user.firstname, result['firstname'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_equal(user.organization.name, result['organization'])
+    assert_equal(user.role_ids, result['role_ids'])
+    assert_not(result['password'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    get "/api/v1/users/#{user.id}?expand=false", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(user.id, result['id'])
+    assert_equal(user.firstname, result['firstname'])
+    assert_not(result['organization'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_not(result['password'])
+    assert_equal(user.role_ids, result['role_ids'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    get "/api/v1/users/#{user.id}?full=true", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+
+    assert_equal(Hash, result.class)
+    assert_equal(user.id, result['id'])
+    assert(result['assets'])
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][user.id.to_s])
+    assert_equal(user.id, result['assets']['User'][user.id.to_s]['id'])
+    assert_equal(user.firstname, result['assets']['User'][user.id.to_s]['firstname'])
+    assert_equal(user.organization_id, result['assets']['User'][user.id.to_s]['organization_id'])
+    assert_equal(user.role_ids, result['assets']['User'][user.id.to_s]['role_ids'])
+
+    get "/api/v1/users/#{user.id}?full=false", params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(user.id, result['id'])
+    assert_equal(user.firstname, result['firstname'])
+    assert_not(result['organization'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_not(result['password'])
+    assert_equal(user.role_ids, result['role_ids'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+  end
+
+  test '04.02 user index and response format' do
+    roles = Role.where(name: 'Customer')
+    organization = Organization.first
+    user = User.create!(
+      login: 'rest-customer3@example.com',
+      firstname: 'Rest',
+      lastname: 'Customer3',
+      email: 'rest-customer3@example.com',
+      password: 'customer3pw',
+      active: true,
+      organization: organization,
+      roles: roles,
+      updated_by_id: @admin.id,
+      created_by_id: @admin.id,
+    )
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+    get '/api/v1/users', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(user.id, result.last['id'])
+    assert_equal(user.lastname, result.last['lastname'])
+    assert_not(result.last['organization'])
+    assert_equal(user.role_ids, result.last['role_ids'])
+    assert_equal(user.organization_id, result.last['organization_id'])
+    assert_not(result.last['password'])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+
+    get '/api/v1/users?expand=true', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(user.id, result.last['id'])
+    assert_equal(user.lastname, result.last['lastname'])
+    assert_equal(user.organization_id, result.last['organization_id'])
+    assert_equal(user.organization.name, result.last['organization'])
+    assert_not(result.last['password'])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+
+    get '/api/v1/users?expand=false', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(user.id, result.last['id'])
+    assert_equal(user.lastname, result.last['lastname'])
+    assert_not(result.last['organization'])
+    assert_equal(user.role_ids, result.last['role_ids'])
+    assert_equal(user.organization_id, result.last['organization_id'])
+    assert_not(result.last['password'])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+
+    get '/api/v1/users?full=true', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+
+    assert_equal(Hash, result.class)
+    assert_equal(Array, result['record_ids'].class)
+    assert_equal(1, result['record_ids'][0])
+    assert_equal(user.id, result['record_ids'].last)
+    assert(result['assets'])
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][user.id.to_s])
+    assert_equal(user.id, result['assets']['User'][user.id.to_s]['id'])
+    assert_equal(user.lastname, result['assets']['User'][user.id.to_s]['lastname'])
+    assert_equal(user.organization_id, result['assets']['User'][user.id.to_s]['organization_id'])
+    assert_not(result['assets']['User'][user.id.to_s]['password'])
+
+    get '/api/v1/users?full=false', params: {}, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Array, result.class)
+    assert_equal(Hash, result[0].class)
+    assert_equal(user.id, result.last['id'])
+    assert_equal(user.lastname, result.last['lastname'])
+    assert_not(result.last['organization'])
+    assert_equal(user.role_ids, result.last['role_ids'])
+    assert_equal(user.organization_id, result.last['organization_id'])
+    assert_not(result.last['password'])
+    assert_equal(@admin.id, result.last['updated_by_id'])
+    assert_equal(@admin.id, result.last['created_by_id'])
+  end
+
+  test '04.03 ticket create and response format' do
+    organization = Organization.first
+    params = {
+      firstname: 'newfirstname123',
+      note: 'some note',
+      organization: organization.name,
+    }
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+
+    post '/api/v1/users', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    user = User.find(result['id'])
+    assert_equal(user.firstname, result['firstname'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_not(result['organization'])
+    assert_not(result['password'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    post '/api/v1/users?expand=true', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    user = User.find(result['id'])
+    assert_equal(user.firstname, result['firstname'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_equal(user.organization.name, result['organization'])
+    assert_not(result['password'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    post '/api/v1/users?full=true', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    user = User.find(result['id'])
+    assert(result['assets'])
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][user.id.to_s])
+    assert_equal(user.id, result['assets']['User'][user.id.to_s]['id'])
+    assert_equal(user.firstname, result['assets']['User'][user.id.to_s]['firstname'])
+    assert_equal(user.lastname, result['assets']['User'][user.id.to_s]['lastname'])
+    assert_not(result['assets']['User'][user.id.to_s]['password'])
+
+    assert(result['assets']['User'][@admin.id.to_s])
+    assert_equal(@admin.id, result['assets']['User'][@admin.id.to_s]['id'])
+    assert_equal(@admin.firstname, result['assets']['User'][@admin.id.to_s]['firstname'])
+    assert_equal(@admin.lastname, result['assets']['User'][@admin.id.to_s]['lastname'])
+    assert_not(result['assets']['User'][@admin.id.to_s]['password'])
+
+  end
+
+  test '04.04 ticket update and response formats' do
+    roles = Role.where(name: 'Customer')
+    organization = Organization.first
+    user = User.create!(
+      login: 'rest-customer3@example.com',
+      firstname: 'Rest',
+      lastname: 'Customer3',
+      email: 'rest-customer3@example.com',
+      password: 'customer3pw',
+      active: true,
+      organization: organization,
+      roles: roles,
+      updated_by_id: @admin.id,
+      created_by_id: @admin.id,
+    )
+
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw')
+
+    params = {
+      firstname: 'a update firstname #1',
+    }
+    put "/api/v1/users/#{user.id}", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    user = User.find(result['id'])
+    assert_equal(user.lastname, result['lastname'])
+    assert_equal(params[:firstname], result['firstname'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_not(result['organization'])
+    assert_not(result['password'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    params = {
+      firstname: 'a update firstname #2',
+    }
+    put "/api/v1/users/#{user.id}?expand=true", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    user = User.find(result['id'])
+    assert_equal(user.lastname, result['lastname'])
+    assert_equal(params[:firstname], result['firstname'])
+    assert_equal(user.organization_id, result['organization_id'])
+    assert_equal(user.organization.name, result['organization'])
+    assert_not(result['password'])
+    assert_equal(@admin.id, result['updated_by_id'])
+    assert_equal(@admin.id, result['created_by_id'])
+
+    params = {
+      firstname: 'a update firstname #3',
+    }
+    put "/api/v1/users/#{user.id}?full=true", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
+    assert_response(200)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+
+    user = User.find(result['id'])
+    assert(result['assets'])
+    assert(result['assets']['User'])
+    assert(result['assets']['User'][user.id.to_s])
+    assert_equal(user.id, result['assets']['User'][user.id.to_s]['id'])
+    assert_equal(params[:firstname], result['assets']['User'][user.id.to_s]['firstname'])
+    assert_equal(user.lastname, result['assets']['User'][user.id.to_s]['lastname'])
+    assert_not(result['assets']['User'][user.id.to_s]['password'])
+
+    assert(result['assets']['User'][@admin.id.to_s])
+    assert_equal(@admin.id, result['assets']['User'][@admin.id.to_s]['id'])
+    assert_equal(@admin.firstname, result['assets']['User'][@admin.id.to_s]['firstname'])
+    assert_equal(@admin.lastname, result['assets']['User'][@admin.id.to_s]['lastname'])
+    assert_not(result['assets']['User'][@admin.id.to_s]['password'])
+
+  end
+
+end

test/integration/report_test.rb

@@ -136,8 +136,8 @@ class ReportTest < ActiveSupport::TestCase
       state: Ticket::State.lookup(name: 'closed'),
       priority: Ticket::Priority.lookup(name: '2 normal'),
       close_at: '2015-10-28 11:30:00 UTC',
-      created_at: '2015-10-28 10:30:00 UTC',
-      updated_at: '2015-10-28 10:30:00 UTC',
+      created_at: '2015-10-28 10:30:01 UTC',
+      updated_at: '2015-10-28 10:30:01 UTC',
       updated_by_id: 1,
       created_by_id: 1,
     )
@@ -151,8 +151,8 @@ class ReportTest < ActiveSupport::TestCase
       internal: false,
       sender: Ticket::Article::Sender.where(name: 'Customer').first,
       type: Ticket::Article::Type.where(name: 'email').first,
-      created_at: '2015-10-28 10:30:00 UTC',
-      updated_at: '2015-10-28 10:30:00 UTC',
+      created_at: '2015-10-28 10:30:01 UTC',
+      updated_at: '2015-10-28 10:30:01 UTC',
       updated_by_id: 1,
       created_by_id: 1,
     )
@@ -735,12 +735,11 @@ class ReportTest < ActiveSupport::TestCase
       params:      { field: 'created_at' },
     )
     assert(result)
-
     assert_equal(@ticket7.id, result[:ticket_ids][0].to_i)
     assert_equal(@ticket6.id, result[:ticket_ids][1].to_i)
     assert_equal(@ticket5.id, result[:ticket_ids][2].to_i)
-    assert_equal(@ticket3.id, result[:ticket_ids][3].to_i)
-    assert_equal(@ticket4.id, result[:ticket_ids][4].to_i)
+    assert_equal(@ticket4.id, result[:ticket_ids][3].to_i)
+    assert_equal(@ticket3.id, result[:ticket_ids][4].to_i)
     assert_equal(@ticket2.id, result[:ticket_ids][5].to_i)
     assert_equal(@ticket1.id, result[:ticket_ids][6].to_i)
     assert_nil(result[:ticket_ids][7])