Fixes #2687 - Article deletion for agents limited to 10 minutes after article creation.

This commit is contained in:
Denny Korsukéwitz 2019-11-11 16:47:51 +01:00 committed by Thorsten Eckel
parent a9dbe2d555
commit f35cd7fbe9
3 changed files with 72 additions and 8 deletions


@ -18,7 +18,15 @@ class Delete
callback = -> callback = ->
article = App.TicketArticle.find(article.id) article = App.TicketArticle.find(article.id)
article.destroy() article.destroy(
fail: (article, details) ->
ui.log 'errors', details
ui.notify(
type: 'error'
msg: App.i18n.translateContent(details.error_human || details.error || 'Unable to delete article!')
timeout: 6000
)
)
new App.ControllerConfirm( new App.ControllerConfirm(
message: 'Sure?' message: 'Sure?'


@ -134,24 +134,31 @@ class TicketArticlesController < ApplicationController
render json: article.attributes_with_association_names, status: :ok render json: article.attributes_with_association_names, status: :ok
end end
# DELETE /articles/1 # DELETE /api/v1/ticket_articles/:id
def destroy def destroy
article = Ticket::Article.find(params[:id]) article = Ticket::Article.find(params[:id])
access!(article, 'delete') access!(article, 'delete')
if current_user.permissions?('admin') if current_user.permissions?('admin')
article.destroy! article.destroy!
head :ok render json: {}, status: :ok
return return
end end
if current_user.permissions?('ticket.agent') && article.created_by_id == current_user.id && article.type.name == 'note' article_deletable =
current_user.permissions?('ticket.agent') &&
article.created_by_id == current_user.id &&
!article.type.communication?
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' if !article_deletable
if article_deletable && article.created_at >= 10.minutes.ago
article.destroy! article.destroy!
head :ok render json: {}, status: :ok
return return
end end
raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' raise Exceptions::NotAuthorized, 'Articles can only be deleted within 10 minutes after creation.'
end end
# POST /ticket_attachment_upload_clone_by_article # POST /ticket_attachment_upload_clone_by_article
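Review bot: The agent branch now permits deleting any article whose type is not `communication?`, whereas the old condition on the same line only allowed `article.type.name == 'note'`; that widens which articles an agent may remove, the commit title does not mention it, and the spec only exercises a 'note' fixture. If the widening is intended, say so above the assignment, e.g. `# agents may delete their own non-communication articles (notes etc.) for a short grace period; anything sent to a customer stays immutable`, otherwise keep the exact type check. Separately, `article_deletable &&` in the later `if` is redundant because the preceding `raise` already leaves the method when it is false, so `if article.created_at >= 10.minutes.ago` suffices, and the `10.minutes` literal is worth lifting into a constant or Setting so the window and the error message text cannot drift apart. `raise ... if !article_deletable` also reads more idiomatically as `unless article_deletable`.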


@ -1,9 +1,9 @@
require 'rails_helper' require 'rails_helper'
RSpec.describe 'Ticket Article', type: :request do RSpec.describe 'Ticket Article API endpoints', type: :request do
let(:admin_user) do let(:admin_user) do
create(:admin_user) create(:admin_user, groups: Group.all)
end end
let!(:group) { create(:group) } let!(:group) { create(:group) }
@ -479,4 +479,53 @@ AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
expect(json_response['attachments'].count).to eq(0) expect(json_response['attachments'].count).to eq(0)
end end
end end
describe 'DELETE /api/v1/ticket_articles/:id' do
let!(:article) { create(:ticket_article, sender_name: 'Agent', type_name: 'note', updated_by_id: agent_user.id, created_by_id: agent_user.id ) }
context 'by Admin user' do
before do
authenticated_as(admin_user)
end
it 'always succeeds' do
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }
end
end
context 'by Agent user' do
before do
# this is needed, role needs full rights for the new group
# so that agent can delete the article
group_ids_access_map = Group.all.pluck(:id).each_with_object({}) { |group_id, result| result[group_id] = 'full'.freeze }
role = Role.find_by(name: 'Agent')
role.group_ids_access_map = group_ids_access_map
role.save!
end
context 'within 10 minutes of creation' do
before do
authenticated_as(agent_user)
travel 8.minutes
end
it 'succeeds' do
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }
end
end
context '10+ minutes after creation' do
before do
authenticated_as(agent_user)
travel 10.minutes
end
it 'fails' do
expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.to change { Ticket::Article.exists?(id: article.id) }.to(false)
end
end
end
end
end end
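Review bot: The '10+ minutes after creation' example asserts the wrong outcome: `change { Ticket::Article.exists?(id: article.id) }.to(false)` passes only if the article was deleted, so an example named 'fails' is verifying that the rejected request succeeded. It also lands exactly on the controller's inclusive `created_at >= 10.minutes.ago` boundary, and since `travel` (as far as I recall) truncates the travelled time to whole seconds, the fixture is most likely still inside the window, so the delete really goes through and the example passes for the wrong reason. Change it to `travel 11.minutes` and `expect { delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json }.not_to change { Ticket::Article.exists?(id: article.id) }`, and consider also asserting the HTTP status that `Exceptions::NotAuthorized` renders as, so the refusal path is pinned rather than only the side effect. The two 'succeeds' examples would likewise be tighter with `.to(false)` instead of a bare `.to change`.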