From ee5983cb0317aaabbf3a2d340caf6706ecacd99a Mon Sep 17 00:00:00 2001
From: Thorsten Eckel
Date: Thu, 8 Mar 2018 13:30:30 +0100
Subject: [PATCH] Fixed issue #1857 - Direct access to organization tickets possible even though shared is deactivated.
---
app/models/ticket/checks_access.rb | 12 ++---
spec/models/ticket_spec.rb | 75 ++++++++++++++++++++++++++++++
2 files changed, 80 insertions(+), 7 deletions(-)
diff --git a/app/models/ticket/checks_access.rb b/app/models/ticket/checks_access.rb
index fe5366239..8aa9c61cd 100644
--- a/app/models/ticket/checks_access.rb
+++ b/app/models/ticket/checks_access.rb
@@ -21,13 +21,11 @@ class Ticket
 # access ok if its own ticket
 return true if customer_id == user.id
 
- # access ok if its organization ticket
- if user.organization_id && organization_id
- return true if organization_id == user.organization_id
- end
-
- # no access
- return false
+ # check organization ticket access
+ return false if organization_id.blank?
+ return false if user.organization_id.blank?
+ return false if organization_id != user.organization_id
+ return organization.shared?
 end
 
 # check agent
diff --git a/spec/models/ticket_spec.rb b/spec/models/ticket_spec.rb
index dbbb6e28d..8fd6d3a2a 100644
--- a/spec/models/ticket_spec.rb
+++ b/spec/models/ticket_spec.rb
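Review bot: The last added line, `return organization.shared?`, turns a dangling reference into an exception rather than a denial: the three guards only test `organization_id`, so if the `organization` association does not resolve (an id pointing at a deleted row — I can't confirm from here whether that can happen) the access check raises NoMethodError instead of returning false. A fail-closed form is `organization.present? && organization.shared?`, which also drops the redundant `return` on the method's final expression. The `def` of this method and the agent branch that follows are outside the hunk, so I can't see whether any caller rescues here. The comment `# check organization ticket access` would be more useful if it stated the policy, e.g. `# colleagues may see each other's tickets only while the organization is marked shared`.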
@@ -255,4 +255,79 @@ RSpec.describe Ticket do end end + + describe '#access?' do + + context 'agent' do + + it 'allows owner access' do + + owner = create(:agent_user) + ticket = create(:ticket, owner: owner) + + expect( ticket.access?(owner, 'full') ).to be(true) + end + + it 'allows group access' do + + agent = create(:agent_user) + group = create(:group) + ticket = create(:ticket, group: group) + + agent.group_names_access_map = { + group.name => 'full', + } + + expect( ticket.access?(agent, 'full') ).to be(true) + end + + it 'prevents unauthorized access' do + agent = create(:agent_user) + ticket = create(:ticket) + + expect( ticket.access?(agent, 'read') ).to be(false) + end + end + + context 'customer' do + + it 'allows assigned access' do + + customer = create(:customer_user) + ticket = create(:ticket, customer: customer) + + expect( ticket.access?(customer, 'full') ).to be(true) + end + + context 'organization' do + + it 'allows access for shared' do + + organization = create(:organization) + assigned = create(:customer_user, organization: organization) + collegue = create(:customer_user, organization: organization) + ticket = create(:ticket, customer: assigned) + + expect( ticket.access?(collegue, 'full') ).to be(true) + end + + it 'prevents unshared access' do + + organization = create(:organization, shared: false) + assigned = create(:customer_user, organization: organization) + collegue = create(:customer_user, organization: organization) + ticket = create(:ticket, customer: assigned) + + expect( ticket.access?(collegue, 'full') ).to be(false) + end + end + + it 'prevents unauthorized access' do + customer = create(:customer_user) + ticket = create(:ticket) + + expect( ticket.access?(customer, 'read') ).to be(false) + end + end + end end
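Review bot: The new 'organization' examples never exercise the guard `organization_id != user.organization_id`: there is no case where a customer from a different organization is denied a ticket of a shared organization, and none where the requesting customer has no organization at all, so a regression in either guard would pass this spec. Both examples also appear to rely on the organization factory defaulting `shared` to true and on the ticket factory deriving `organization_id` from `customer:`; I can't see the factories from here, but passing `organization:` to `create(:ticket, ...)` explicitly would make the intent independent of those defaults. Minor: the local name `collegue` is a misspelling of `colleague`. A cross-organization example along the following lines would close the first gap.
```ruby
      it 'prevents access from another organization' do
        organization = create(:organization)
        other        = create(:organization)
        assigned     = create(:customer_user, organization: organization)
        stranger     = create(:customer_user, organization: other)
        ticket       = create(:ticket, customer: assigned)

        expect( ticket.access?(stranger, 'full') ).to be(false)
      end
      # … unchanged: remaining 'organization' and 'customer' examples …
```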