
Commit 6e56aee

rolfschmidtthorsteneckel
authored andcommitted
Enhancement: Added authorization checks for ticket controller actions: ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split.
1 parent 4014839 commit 6e56aee


3 files changed

+43
-2
lines changed

3 files changed

+43
-2
lines changed

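--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -6,7 +6,7 @@ class TicketsController < ApplicationController
 include ChecksUserAttributesByCurrentUserPermission
 include TicketStats
 
-prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start]
+prepend_before_action -> { authorize! }, only: %i[create selector import_example import_start ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split]
 prepend_before_action :authentication_check
 
 # GET /api/v1/tickets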
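Review bot: The `only:` list on the extended `prepend_before_action` now has to be kept in lockstep with the `permit!` lists in `Controllers::TicketsControllerPolicy`; an action added to the policy but not to this list skips `authorize!` entirely and is protected only by whatever its body happens to check. If the base `Controllers::ApplicationControllerPolicy` denies by default, the more robust shape is `prepend_before_action -> { authorize! }` with no `only:` and an explicit grant per action in the policy; failing that, a comment above the line would help: `# Keep in sync with Controllers::TicketsControllerPolicy — actions missing here are not policy-checked.` Also worth noting in a comment: because both callbacks are `prepend_before_action`, the later-declared `authentication_check` presumably runs first, so `authorize!` sees an already-authenticated user; swapping the two lines would silently reverse that. The class body continues outside the hunk.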
+1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
class Controllers::TicketsControllerPolicy < Controllers::ApplicationControllerPolicy
22
permit! %i[import_example import_start], to: 'admin'
33
permit! :selector, to: 'admin.*'
4+
permit! %i[ticket_customer ticket_history ticket_related ticket_recent ticket_merge ticket_split], to: 'ticket.agent'
45
permit! :create, to: ['ticket.agent', 'ticket.customer']
56
end
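Review bot: The new `permit! ... to: 'ticket.agent'` is a role gate only: it admits any agent to `ticket_history`, `ticket_related`, `ticket_merge` and `ticket_split` regardless of whether that agent may access the ticket(s) named in the request, so per-ticket (group) access must still be enforced inside each action — from this section alone that cannot be confirmed. A comment on the new line would stop the next maintainer from reading it as sufficient: `# Role gate only; each action must still check access to the individual ticket(s) it loads.` The file path of this section is not shown on the page, though the class is fully visible.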

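--- a/spec/requests/ticket_spec.rb
+++ b/spec/requests/ticket_spec.rb
@@ -1793,6 +1793,10 @@
 created_by_id: 1,
 )
 
+authenticated_as(customer_user)
+get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json
+expect(response).to have_http_status(:unauthorized)
+
 authenticated_as(agent_user)
 get "/api/v1/ticket_split?ticket_id=#{ticket.id}&article_id=#{article.id}&form_id=new_form_id123", params: {}, as: :json
 expect(response).to have_http_status(:ok)
@@ -1918,6 +1922,10 @@
 customer_id: customer_user.id,
 )
 
+authenticated_as(customer_user)
+get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json
+expect(response).to have_http_status(:unauthorized)
+
 authenticated_as(agent_user)
 get "/api/v1/ticket_merge/#{ticket2.id}/#{ticket1.id}", params: {}, as: :json
 expect(response).to have_http_status(:ok)
@@ -2068,7 +2076,39 @@
 expect(json_response['assets'].class).to eq(Hash)
 expect(json_response['assets']['User'][customer_user.id.to_s]).not_to be_nil
 expect(json_response['assets']['Ticket'][ticket1.id.to_s]).not_to be_nil
+
+authenticated_as(customer_user)
+get "/api/v1/ticket_history/#{ticket1.id}", params: {}, as: :json
+expect(response).to have_http_status(:unauthorized)
+end
+
+it 'does ticket related' do
+ticket1 = create(
+:ticket,
+title: 'some title',
+group: ticket_group,
+customer_id: customer_user.id,
+)
+
+authenticated_as(agent_user)
+get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json
+expect(response).to have_http_status(:ok)
+
+authenticated_as(customer_user)
+get "/api/v1/ticket_related/#{ticket1.id}", params: {}, as: :json
+expect(response).to have_http_status(:unauthorized)
+end
+
+it 'does ticket recent' do
+authenticated_as(agent_user)
+get '/api/v1/ticket_recent', params: {}, as: :json
+expect(response).to have_http_status(:ok)
+
+authenticated_as(customer_user)
+get '/api/v1/ticket_recent', params: {}, as: :json
+expect(response).to have_http_status(:unauthorized)
 end
+
 end
 
 describe 'stats' do
@@ -2213,7 +2253,7 @@
 end
 
 context 'as authorized customer', authenticated_as: -> { customer_authorized } do
-include_examples 'has access'
+include_examples 'has no access'
 end
 
 context 'as unauthorized customer', authenticated_as: -> { customer_unauthorized } do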
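Review bot: The new assertions cover only the role gate (agent allowed, customer rejected) and leave `ticket_customer` untested even though the controller and policy both add it; a spec for that action, plus one for an agent who is not a member of the ticket's group (expecting rejection), would pin the object-level check that `permit! ... to: 'ticket.agent'` by itself does not provide. Note also that every denial is asserted as `:unauthorized` (401) for a user who is authenticated but not permitted, where 403 Forbidden is the conventional status; if 401 is this application's convention for policy denials that is fine, but a comment on the first such expectation would save the next reader the question, e.g. `# policy denials are rendered as 401 here, not 403`. The enclosing `describe` blocks start outside the hunks.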
