Fixed issue #1857 - Direct access to organization tickets possible even though shared is deactivated.

2018-03-08 13:30:30 +01:00 · 2018-03-08 13:30:30 +01:00 · ee5983cb03
commit ee5983cb03
parent 68881113e4
2 changed files with 80 additions and 7 deletions
--- a/app/models/ticket/checks_access.rb
+++ b/app/models/ticket/checks_access.rb
@ -21,13 +21,11 @@ class Ticket
        # access ok if its own ticket
        return true if customer_id == user.id

-        # access ok if its organization ticket
-        if user.organization_id && organization_id
-          return true if organization_id == user.organization_id
-        end
-
-        # no access
-        return false
+        # check organization ticket access
+        return false if organization_id.blank?
+        return false if user.organization_id.blank?
+        return false if organization_id != user.organization_id
+        return organization.shared?
      end

      # check agent
--- a/spec/models/ticket_spec.rb
+++ b/spec/models/ticket_spec.rb
@ -255,4 +255,79 @@ RSpec.describe Ticket do

    end
  end
+
+  describe '#access?' do
+
+    context 'agent' do
+
+      it 'allows owner access' do
+
+        owner  = create(:agent_user)
+        ticket = create(:ticket, owner: owner)
+
+        expect( ticket.access?(owner, 'full') ).to be(true)
+      end
+
+      it 'allows group access' do
+
+        agent  = create(:agent_user)
+        group  = create(:group)
+        ticket = create(:ticket, group: group)
+
+        agent.group_names_access_map = {
+          group.name => 'full',
+        }
+
+        expect( ticket.access?(agent, 'full') ).to be(true)
+      end
+
+      it 'prevents unauthorized access' do
+        agent  = create(:agent_user)
+        ticket = create(:ticket)
+
+        expect( ticket.access?(agent, 'read') ).to be(false)
+      end
+    end
+
+    context 'customer' do
+
+      it 'allows assigned access' do
+
+        customer = create(:customer_user)
+        ticket   = create(:ticket, customer: customer)
+
+        expect( ticket.access?(customer, 'full') ).to be(true)
+      end
+
+      context 'organization' do
+
+        it 'allows access for shared' do
+
+          organization = create(:organization)
+          assigned     = create(:customer_user, organization: organization)
+          collegue     = create(:customer_user, organization: organization)
+          ticket       = create(:ticket, customer: assigned)
+
+          expect( ticket.access?(collegue, 'full') ).to be(true)
+        end
+
+        it 'prevents unshared access' do
+
+          organization = create(:organization, shared: false)
+          assigned     = create(:customer_user, organization: organization)
+          collegue     = create(:customer_user, organization: organization)
+          ticket       = create(:ticket, customer: assigned)
+
+          expect( ticket.access?(collegue, 'full') ).to be(false)
+        end
+      end
+
+      it 'prevents unauthorized access' do
+        customer = create(:customer_user)
+        ticket   = create(:ticket)
+
+        expect( ticket.access?(customer, 'read') ).to be(false)
+      end
+    end
+  end
 end