Maintenance: Improved article view for agent customer.

zammad · Nov 6, 2020 · bf573b4 · bf573b4
1 parent d9de9ca
commit bf573b4
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 2 deletions.
diff --git a/app/policies/ticket/article_policy.rb b/app/policies/ticket/article_policy.rb
@@ -55,9 +55,9 @@ def deletable_timeframe
   end
 
   def access?(query)
-    return false if record.internal == true && !user.permissions?('ticket.agent')
-
     ticket = Ticket.lookup(id: record.ticket_id)
+    return false if record.internal == true && !TicketPolicy.new(user, ticket).agent_read_access?
+
     Pundit.authorize(user, ticket, query)
   end
 end
diff --git a/app/policies/ticket_policy.rb b/app/policies/ticket_policy.rb
@@ -34,6 +34,10 @@ def follow_up?
     raise Exceptions::UnprocessableEntity, 'Cannot follow-up on a closed ticket. Please create a new ticket.'
   end
 
+  def agent_read_access?
+    agent_access?('read')
+  end
+
   private
 
   def access?(access)

diff --git a/spec/factories/role.rb b/spec/factories/role.rb
@@ -8,6 +8,10 @@
       permissions { Permission.where(name: 'ticket.agent') }
     end
 
+    trait :customer do
+      permissions { Permission.where(name: 'ticket.customer') }
+    end
+
     trait :admin do
       permissions { Permission.where(name: 'admin') }
     end

diff --git a/spec/policies/ticket/article_policy_spec.rb b/spec/policies/ticket/article_policy_spec.rb
@@ -29,6 +29,15 @@
       it { is_expected.to permit_actions(%i[show]) }
     end
 
+    context 'when agent and customer but no agent group access' do
+      let(:user) do
+        customer_role = create(:role, :customer)
+        create(:agent_and_customer, roles: [customer_role])
+      end
+
+      it { is_expected.not_to permit_actions(%i[show]) }
+    end
+
     context 'when customer' do
       let(:user) { ticket_customer }