Fixed issue #1857 - Direct access to organization tickets possible even though shared is deactivated.

This commit is contained in:
Thorsten Eckel 2018-03-08 13:30:30 +01:00
parent 68881113e4
commit ee5983cb03
2 changed files with 80 additions and 7 deletions

View file

@ -21,13 +21,11 @@ class Ticket
# access ok if its own ticket # access ok if its own ticket
return true if customer_id == user.id return true if customer_id == user.id
# access ok if its organization ticket # check organization ticket access
if user.organization_id && organization_id return false if organization_id.blank?
return true if organization_id == user.organization_id return false if user.organization_id.blank?
end return false if organization_id != user.organization_id
return organization.shared?
# no access
return false
end end
# check agent # check agent

View file

@ -255,4 +255,79 @@ RSpec.describe Ticket do
end end
end end
describe '#access?' do
context 'agent' do
it 'allows owner access' do
owner = create(:agent_user)
ticket = create(:ticket, owner: owner)
expect( ticket.access?(owner, 'full') ).to be(true)
end
it 'allows group access' do
agent = create(:agent_user)
group = create(:group)
ticket = create(:ticket, group: group)
agent.group_names_access_map = {
group.name => 'full',
}
expect( ticket.access?(agent, 'full') ).to be(true)
end
it 'prevents unauthorized access' do
agent = create(:agent_user)
ticket = create(:ticket)
expect( ticket.access?(agent, 'read') ).to be(false)
end
end
context 'customer' do
it 'allows assigned access' do
customer = create(:customer_user)
ticket = create(:ticket, customer: customer)
expect( ticket.access?(customer, 'full') ).to be(true)
end
context 'organization' do
it 'allows access for shared' do
organization = create(:organization)
assigned = create(:customer_user, organization: organization)
collegue = create(:customer_user, organization: organization)
ticket = create(:ticket, customer: assigned)
expect( ticket.access?(collegue, 'full') ).to be(true)
end
it 'prevents unshared access' do
organization = create(:organization, shared: false)
assigned = create(:customer_user, organization: organization)
collegue = create(:customer_user, organization: organization)
ticket = create(:ticket, customer: assigned)
expect( ticket.access?(collegue, 'full') ).to be(false)
end
end
it 'prevents unauthorized access' do
customer = create(:customer_user)
ticket = create(:ticket)
expect( ticket.access?(customer, 'read') ).to be(false)
end
end
end
end end