Fixes #2687 - Article deletion for agents limited to 10 minutes after article creation.
This commit is contained in:
parent
a9dbe2d555
commit
f35cd7fbe9
3 changed files with 72 additions and 8 deletions
@ -18,7 +18,15 @@ class Delete
|
||||||
|
|
||||||
callback = ->
|
callback = ->
|
||||||
article = App.TicketArticle.find(article.id)
|
article = App.TicketArticle.find(article.id)
|
||||||
article.destroy()
|
article.destroy(
|
||||||
|
fail: (article, details) ->
|
||||||
|
ui.log 'errors', details
|
||||||
|
ui.notify(
|
||||||
|
type: 'error'
|
||||||
|
msg: App.i18n.translateContent(details.error_human || details.error || 'Unable to delete article!')
|
||||||
|
timeout: 6000
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
new App.ControllerConfirm(
|
new App.ControllerConfirm(
|
||||||
message: 'Sure?'
|
message: 'Sure?'
|
||||||
|
|
|
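Review bot: The new `fail:` handler only logs and notifies; if `article.destroy` removes the record from the client-side store before the DELETE request completes (Spine-style optimistic deletion — I cannot see App.Model here), the article vanishes from the ticket view even though the server refused the deletion and the 10-minute rule kept it, so the handler should also reload the article from the server so the view matches the backend. The confirm dialog at `message: 'Sure?'` gives agents no hint that the server will reject deletion more than 10 minutes after creation; either the message or the error text should tell them why it can fail, since `details.error_human` is only as informative as the server chooses to be. Consider adding a comment above `fail:` such as `# server may refuse deletion (e.g. agent window expired); show the server's reason and resync the article`. The `Delete` class starts outside this hunk.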
@ -134,24 +134,31 @@ class TicketArticlesController < ApplicationController
|
||||||
render json: article.attributes_with_association_names, status: :ok
|
render json: article.attributes_with_association_names, status: :ok
|
||||||
end
|
end
|
||||||
|
|
||||||
# DELETE /articles/1
|
# DELETE /api/v1/ticket_articles/:id
|
||||||
def destroy
|
def destroy
|
||||||
article = Ticket::Article.find(params[:id])
|
article = Ticket::Article.find(params[:id])
|
||||||
access!(article, 'delete')
|
access!(article, 'delete')
|
||||||
|
|
||||||
if current_user.permissions?('admin')
|
if current_user.permissions?('admin')
|
||||||
article.destroy!
|
article.destroy!
|
||||||
head :ok
|
render json: {}, status: :ok
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
if current_user.permissions?('ticket.agent') && article.created_by_id == current_user.id && article.type.name == 'note'
|
article_deletable =
|
||||||
|
current_user.permissions?('ticket.agent') &&
|
||||||
|
article.created_by_id == current_user.id &&
|
||||||
|
!article.type.communication?
|
||||||
|
|
||||||
|
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' if !article_deletable
|
||||||
|
|
||||||
|
if article_deletable && article.created_at >= 10.minutes.ago
|
||||||
article.destroy!
|
article.destroy!
|
||||||
head :ok
|
render json: {}, status: :ok
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!'
|
raise Exceptions::NotAuthorized, 'Articles can only be deleted within 10 minutes after creation.'
|
||||||
end
|
end
|
||||||
|
|
||||||
# POST /ticket_attachment_upload_clone_by_article
|
# POST /ticket_attachment_upload_clone_by_article
|
||||||
|
|
|
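Review bot: After the `raise Exceptions::NotAuthorized, ... if !article_deletable` guard, `article_deletable` is always true, so the `article_deletable &&` in the following `if` is dead and the trailing `raise` at the end of `destroy` hides the one remaining condition; a single guard reads better: `raise Exceptions::NotAuthorized, 'Articles can only be deleted within 10 minutes after creation.' if article.created_at < 10.minutes.ago` followed by `article.destroy!` and `render json: {}, status: :ok`. The window is anchored on `article.created_at`; if the create endpoint accepts a client-supplied `created_at` (not visible here), an agent could post an article with a future timestamp and extend the window, so it is worth confirming that column is server-assigned. The `10.minutes` literal and the "10 minutes" in the message are duplicated and will drift apart; a named constant used in both places keeps them in step. `communication?` on the article type is not shown in this hunk, so I am assuming it covers the email/phone/web types that the previous `== 'note'` check excluded.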
@ -1,9 +1,9 @@
|
||||||
require 'rails_helper'
|
require 'rails_helper'
|
||||||
|
|
||||||
RSpec.describe 'Ticket Article', type: :request do
|
RSpec.describe 'Ticket Article API endpoints', type: :request do
|
||||||
|
|
||||||
let(:admin_user) do
|
let(:admin_user) do
|
||||||
create(:admin_user)
|
create(:admin_user, groups: Group.all)
|
||||||
end
|
end
|
||||||
let!(:group) { create(:group) }
|
let!(:group) { create(:group) }
|
||||||
|
|
||||||
|
@ -479,4 +479,53 @@ AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
|
||||||
expect(json_response['attachments'].count).to eq(0)
|
expect(json_response['attachments'].count).to eq(0)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'DELETE /api/v1/ticket_articles/:id' do
|
||||||
|
|
||||||
|
let!(:article) { create(:ticket_article, sender_name: 'Agent', type_name: 'note', updated_by_id: agent_user.id, created_by_id: agent_user.id ) }
|
||||||
|
|
||||||
|
context 'by Admin user' do
|
||||||
|
before do
|
||||||
|
authenticated_as(admin_user)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'always succeeds' do
|
||||||
|
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'by Agent user' do
|
||||||
|
before do
|
||||||
|
# this is needed, role needs full rights for the new group
|
||||||
|
# so that agent can delete the article
|
||||||
|
group_ids_access_map = Group.all.pluck(:id).each_with_object({}) { |group_id, result| result[group_id] = 'full'.freeze }
|
||||||
|
role = Role.find_by(name: 'Agent')
|
||||||
|
role.group_ids_access_map = group_ids_access_map
|
||||||
|
role.save!
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'within 10 minutes of creation' do
|
||||||
|
before do
|
||||||
|
|
||||||
|
authenticated_as(agent_user)
|
||||||
|
travel 8.minutes
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'succeeds' do
|
||||||
|
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context '10+ minutes after creation' do
|
||||||
|
before do
|
||||||
|
authenticated_as(agent_user)
|
||||||
|
travel 10.minutes
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'fails' do
|
||||||
|
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }.to(false)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
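Review bot: The `it 'fails'` example in the `'10+ minutes after creation'` context asserts `.to change { Ticket::Article.exists?(id: article.id) }.to(false)`, i.e. that the article is deleted, which is the opposite of what the example name says; it should be `expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.not_to change { Ticket::Article.exists?(id: article.id) }` plus an assertion on the response, e.g. `expect(response).not_to have_http_status(:ok)`. It probably passes today only because `travel 10.minutes` lands exactly on the boundary and the controller compares with `>=`, so `created_at` still qualifies; `travel 11.minutes` keeps the example clear of the edge. The inline comment "this is needed, role needs full rights for the new group" could say which `let!(:group)` it refers to, since that `let!` is defined in the first hunk of this file and `agent_user` is defined outside this hunk.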