Fixes #2687 - Article deletion for agents limited to 10 minutes after article creation.
This commit is contained in:
parent
a9dbe2d555
commit
f35cd7fbe9
3 changed files with 72 additions and 8 deletions
@ -18,7 +18,15 @@ class Delete
|
|||
|
||||
callback = ->
|
||||
article = App.TicketArticle.find(article.id)
|
||||
article.destroy()
|
||||
article.destroy(
|
||||
fail: (article, details) ->
|
||||
ui.log 'errors', details
|
||||
ui.notify(
|
||||
type: 'error'
|
||||
msg: App.i18n.translateContent(details.error_human || details.error || 'Unable to delete article!')
|
||||
timeout: 6000
|
||||
)
|
||||
)
|
||||
|
||||
new App.ControllerConfirm(
|
||||
message: 'Sure?'
|
||||
|
|
|
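Review bot: The new `fail:` handler places server-supplied text (`details.error_human || details.error`) directly into the `ui.notify` message through `App.i18n.translateContent`; if that helper does not HTML-escape its argument, any markup in a server error string would be rendered inside the notification, so the escaping behaviour should be confirmed or the text escaped before it is passed in. A short comment above the handler such as `# show the server's reason (e.g. deletion window exceeded) instead of failing silently` would record why the fallback chain and the generic `'Unable to delete article!'` default are there. The method that assigns `callback` begins before this hunk, so I cannot see how the callback is wired to the confirm dialog.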
@ -134,24 +134,31 @@ class TicketArticlesController < ApplicationController
|
|||
render json: article.attributes_with_association_names, status: :ok
|
||||
end
|
||||
|
||||
# DELETE /articles/1
|
||||
# DELETE /api/v1/ticket_articles/:id
|
||||
def destroy
|
||||
article = Ticket::Article.find(params[:id])
|
||||
access!(article, 'delete')
|
||||
|
||||
if current_user.permissions?('admin')
|
||||
article.destroy!
|
||||
head :ok
|
||||
render json: {}, status: :ok
|
||||
return
|
||||
end
|
||||
|
||||
if current_user.permissions?('ticket.agent') && article.created_by_id == current_user.id && article.type.name == 'note'
|
||||
article_deletable =
|
||||
current_user.permissions?('ticket.agent') &&
|
||||
article.created_by_id == current_user.id &&
|
||||
!article.type.communication?
|
||||
|
||||
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' if !article_deletable
|
||||
|
||||
if article_deletable && article.created_at >= 10.minutes.ago
|
||||
article.destroy!
|
||||
head :ok
|
||||
render json: {}, status: :ok
|
||||
return
|
||||
end
|
||||
|
||||
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!'
|
||||
raise Exceptions::NotAuthorized, 'Articles can only be deleted within 10 minutes after creation.'
|
||||
end
|
||||
|
||||
# POST /ticket_attachment_upload_clone_by_article
|
||||
|
|
|
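Review bot: In `if article_deletable && article.created_at >= 10.minutes.ago` the `article_deletable &&` is dead, because the `raise` on the line above has already left the method when it is false; the condition should read `if article.created_at >= 10.minutes.ago`, and the guard itself reads better as `raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' unless article_deletable` than with `if !article_deletable`. The ten-minute window is spelled twice, once in the comparison and once in the message `'Articles can only be deleted within 10 minutes after creation.'`, so hoisting it into a class-level constant and interpolating it into the message keeps the two from drifting. The `>=` makes the boundary inclusive at exactly ten minutes, which the spec added in this commit probes with `travel 10.minutes`; a comment on the condition stating that the limit is inclusive would make the boundary deliberate rather than incidental. Keeping this check in the controller is the right place, since the confirm dialog in the CoffeeScript hunk is only a client-side convenience.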
@ -1,9 +1,9 @@
|
|||
require 'rails_helper'
|
||||
|
||||
RSpec.describe 'Ticket Article', type: :request do
|
||||
RSpec.describe 'Ticket Article API endpoints', type: :request do
|
||||
|
||||
let(:admin_user) do
|
||||
create(:admin_user)
|
||||
create(:admin_user, groups: Group.all)
|
||||
end
|
||||
let!(:group) { create(:group) }
|
||||
|
||||
|
@ -479,4 +479,53 @@ AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
|
|||
expect(json_response['attachments'].count).to eq(0)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'DELETE /api/v1/ticket_articles/:id' do
|
||||
|
||||
let!(:article) { create(:ticket_article, sender_name: 'Agent', type_name: 'note', updated_by_id: agent_user.id, created_by_id: agent_user.id ) }
|
||||
|
||||
context 'by Admin user' do
|
||||
before do
|
||||
authenticated_as(admin_user)
|
||||
end
|
||||
|
||||
it 'always succeeds' do
|
||||
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }
|
||||
end
|
||||
end
|
||||
|
||||
context 'by Agent user' do
|
||||
before do
|
||||
# this is needed, role needs full rights for the new group
|
||||
# so that agent can delete the article
|
||||
group_ids_access_map = Group.all.pluck(:id).each_with_object({}) { |group_id, result| result[group_id] = 'full'.freeze }
|
||||
role = Role.find_by(name: 'Agent')
|
||||
role.group_ids_access_map = group_ids_access_map
|
||||
role.save!
|
||||
end
|
||||
|
||||
context 'within 10 minutes of creation' do
|
||||
before do
|
||||
|
||||
authenticated_as(agent_user)
|
||||
travel 8.minutes
|
||||
end
|
||||
|
||||
it 'succeeds' do
|
||||
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }
|
||||
end
|
||||
end
|
||||
|
||||
context '10+ minutes after creation' do
|
||||
before do
|
||||
authenticated_as(agent_user)
|
||||
travel 10.minutes
|
||||
end
|
||||
|
||||
it 'fails' do
|
||||
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }.to(false)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
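Review bot: The example named `'fails'` in the `'10+ minutes after creation'` context asserts `.to change { Ticket::Article.exists?(id: article.id) }.to(false)`, which passes only when the article is deleted, the inverse of what the name and the new controller branch describe; it should be `expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.not_to change { Ticket::Article.exists?(id: article.id) }`. The `travel 10.minutes` in that context also sits exactly on the `>=` boundary of the controller check, so whether the request is rejected can depend on sub-second differences between `created_at` and the travelled clock; using `travel 11.minutes` keeps the example off the boundary. The `'succeeds'` and `'always succeeds'` examples assert only that `exists?` changes without giving a direction, so appending `.to(false)` there would make the expected outcome explicit. `agent_user` is not defined within this hunk, so presumably it is a `let` earlier in the file.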