Fixes #4907 - Agent can quote KB article in ticket even if he has no …

…permission to the part of the KB (cherry picked from commit e776584)
zammad · Nov 7, 2023 · 450551c · 450551c
1 parent 93fcc59
commit 450551c
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 23 deletions.
diff --git a/lib/search_knowledge_base_backend.rb b/lib/search_knowledge_base_backend.rb
@@ -19,7 +19,15 @@ def initialize(params)
     prepare_scope_ids
   end
 
+  def use_internal_assets?
+    flavor == :agent && KnowledgeBase.granular_permissions?
+  end
+
   def search(query, user: nil, pagination: nil)
+    if use_internal_assets? # cache for later use
+      @granular_permissions_handler = KnowledgeBase::InternalAssets.new(user)
+    end
+
     raw_results = raw_results(query, user, pagination: pagination)
 
     filtered = filter_results raw_results, user
@@ -94,23 +102,29 @@ def translation_ids_for_type(type, user)
 
   def translation_ids_for_answers(user)
     scope = KnowledgeBase::Answer
-            .joins(:category)
-            .where(knowledge_base_categories: { knowledge_base_id: knowledge_bases })
-
-    scope = if user&.permissions?('knowledge_base.editor')
-              scope
-            elsif user&.permissions?('knowledge_base.reader') && flavor == :agent
-              scope.internal
-            else
-              scope.published
-            end
+      .joins(:category)
+      .where(knowledge_base_categories: { knowledge_base_id: knowledge_bases })
+      .then do |relation|
+        if use_internal_assets? # cache for later use
+          relation.where(id: @granular_permissions_handler.all_answer_ids)
+        elsif user&.permissions?('knowledge_base.editor')
+          relation
+        elsif user&.permissions?('knowledge_base.reader') && flavor == :agent
+          relation.internal
+        else
+          relation.published
+        end
+      end
+
     flatten_translation_ids(scope)
   end
 
   def translation_ids_for_categories(user)
-    scope = KnowledgeBase::Category.where knowledge_base_id: knowledge_bases
+    scope = KnowledgeBase::Category.where(knowledge_base_id: knowledge_bases)
 
-    if user&.permissions?('knowledge_base.editor')
+    if use_internal_assets?
+      flatten_translation_ids scope.where(id: @granular_permissions_handler.all_category_ids)
+    elsif user&.permissions?('knowledge_base.editor')
       flatten_translation_ids scope
     elsif user&.permissions?('knowledge_base.reader') && flavor == :agent
       flatten_answer_translation_ids(scope, :internal)

diff --git a/spec/lib/search_knowledge_base_backend_spec.rb b/spec/lib/search_knowledge_base_backend_spec.rb
@@ -156,17 +156,19 @@ def expected_visibility_instance(ui_identifier)
       described_class.new options
     end
 
-    shared_examples 'verify given search backend' do |permissions:, ui:, elasticsearch:|
+    shared_examples 'verify given search backend' do |permissions:, ui:|
       is_visible = permissions == :all || permissions == ui
       prefix     = is_visible ? 'lists' : 'does not list'
 
-      it "#{prefix} in #{ui} interface when ES=#{elasticsearch}", searchindex: elasticsearch do
-        instance = expected_visibility_instance ui
-        object
+      [true, false].each do |elasticsearch|
+        it "#{prefix} in #{ui} interface when ES=#{elasticsearch}", searchindex: elasticsearch do
+          instance = expected_visibility_instance ui
+          object
 
-        handle_elasticsearch(elasticsearch)
+          handle_elasticsearch(elasticsearch)
 
-        expect(instance.search(object.translations.first.title, user: user)).to is_visible ? be_present : be_blank
+          expect(instance.search(object.translations.first.title, user: user)).to is_visible ? be_present : be_blank
+        end
       end
     end
 
@@ -183,11 +185,8 @@ def expected_visibility_instance(ui_identifier)
       context "with #{user_id}" do
         let(:user) { create(user_id) }
 
-        include_examples 'verify given search backend', permissions: permissions, ui: :agent, elasticsearch: true
-        include_examples 'verify given search backend', permissions: permissions, ui: :agent, elasticsearch: false
-
-        include_examples 'verify given search backend', permissions: permissions, ui: :public, elasticsearch: true
-        include_examples 'verify given search backend', permissions: permissions, ui: :public, elasticsearch: false
+        include_examples 'verify given search backend', permissions: permissions, ui: :agent
+        include_examples 'verify given search backend', permissions: permissions, ui: :public
       end
     end
 
@@ -201,5 +200,57 @@ def expected_visibility_instance(ui_identifier)
     include_examples 'verify given permissions', scope: :category, trait: :containing_internal,  admin: :all, agent: :agent
     include_examples 'verify given permissions', scope: :category, trait: :containing_draft,     admin: :all, agent: :none
     include_examples 'verify given permissions', scope: :category, trait: :containing_archived,  admin: :all, agent: :none
+
+    context 'with granular permissions' do
+      before do
+        KnowledgeBase::PermissionsUpdate
+          .new(category)
+          .update! Role.find_by(name: 'Agent') => 'none'
+      end
+
+      context 'with reader with limited access to answer' do
+        let(:object) { internal_answer }
+        let(:user)   { create(:agent)  }
+
+        include_examples 'verify given search backend', permissions: :none, ui: :agent
+      end
+
+      context 'with editor with full access to answer' do
+        let(:object) { internal_answer }
+        let(:user)   { create(:admin)  }
+
+        include_examples 'verify given search backend', permissions: :all, ui: :agent
+        include_examples 'verify given search backend', permissions: :all, ui: :public
+      end
+
+      context 'with reader with limited access to category' do
+        let(:object) { internal_answer.category }
+        let(:user)   { create(:agent)  }
+
+        include_examples 'verify given search backend', permissions: :none, ui: :agent
+      end
+
+      context 'with editor with full access to category' do
+        let(:object) { internal_answer.category }
+        let(:user)   { create(:admin)  }
+
+        include_examples 'verify given search backend', permissions: :all, ui: :agent
+        include_examples 'verify given search backend', permissions: :all, ui: :public
+      end
+
+      context 'with unauthorized user and public answer' do
+        let(:object) { published_answer }
+        let(:user)   { nil }
+
+        include_examples 'verify given search backend', permissions: :all, ui: :public
+      end
+
+      context 'with unauthorized user and internal answer' do
+        let(:object) { internal_answer }
+        let(:user)   { nil }
+
+        include_examples 'verify given search backend', permissions: :none, ui: :public
+      end
+    end
   end
 end