
Maintenance: Improve user groups handling in the customer interface.

Co-authored-by: Florian Liebe <fl@zammad.com>
Rolf Schmidt 1 year ago
parent
commit
00d2cc1aa1

+ 5 - 0
app/models/application_model/can_assets.rb

@@ -22,6 +22,7 @@ returns
 =end
 
   def assets(data = {})
+    return data if !authorized_asset?
 
     app_model = self.class.to_app_model
 
@@ -47,6 +48,10 @@ returns
     data
   end
 
+  def authorized_asset?
+    true
+  end
+
 =begin
 
 get assets and record_ids of selector
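Review bot: The new `authorized_asset?` hook in the second hunk returns `true` unconditionally and carries no documentation, so a reader cannot tell that it is the default every model inherits and that a model must override it to have its assets withheld per user; a one-line comment above the `def` such as `# Default: the record's assets are visible to every user; models that need per-user restriction (e.g. Group::Assets) override this.` would make the contract explicit, matching the `=begin`/`=end` doc blocks the file already uses for its other methods. In the first hunk the guard `return data if !authorized_asset?` is the Ruby idiom `return data unless authorized_asset?`. Note that the guard sits before `app_model` is resolved, so an unauthorized record adds nothing and `data` is returned untouched, which is presumably intended but worth stating in the same comment.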

+ 10 - 0
app/models/group/assets.rb

@@ -10,5 +10,15 @@ class Group
       attributes = super
       attributes.slice('id', 'name', 'name_last', 'follow_up_possible', 'reopen_time_in_days', 'active')
     end
+
+    def authorized_asset?
+      return true if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      allowed_group_ids = Auth::RequestCache.fetch_value("Group/Assets/authorized_asset/groups/#{UserInfo.current_user_id}") do
+        Array.wrap(Setting.get('customer_ticket_create_group_ids')).map(&:to_i) | TicketPolicy::ReadScope.new(User.find(UserInfo.current_user_id)).resolve.distinct(:group_id).pluck(:group_id)
+      end
+
+      allowed_group_ids.include?(id)
+    end
   end
 end
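Review bot: `authorized_asset?` fails open: when `UserInfo.assets` is blank the method returns `true` before any group lookup, so whichever callers reach `Group#assets` without a request-scoped user (presumably background jobs or console use) receive every group; if that system-context behaviour is intended it deserves a comment on the first line, e.g. `# No request user (system context) or an agent: no group restriction applies.` On the long line inside the `fetch_value` block, `distinct(:group_id)` is not a column selection — ActiveRecord's `distinct` takes a boolean, so the symbol only switches DISTINCT on — and `.distinct.pluck(:group_id)` says what is meant; splitting that line into `create_group_ids = Array.wrap(Setting.get('customer_ticket_create_group_ids')).map(&:to_i)`, `ticket_group_ids = TicketPolicy::ReadScope.new(User.find(UserInfo.current_user_id)).resolve.distinct.pluck(:group_id)` and `create_group_ids | ticket_group_ids` also brings it under the line-length limit. The enclosing module/class starts outside the hunk.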

+ 27 - 0
spec/system/basic/assets_spec.rb

@@ -12,6 +12,12 @@ RSpec.describe 'Assets', db_strategy: :reset, type: :system do
   end
   let(:admin)        { create(:admin, groups: [Group.find_by(name: 'Users')], note: 'hello', last_login: Time.zone.now, login_failed: 1) }
   let(:ticket)       { create(:ticket, owner: agent, group: Group.find_by(name: 'Users'), customer: customer, created_by: admin) }
+  let(:agent_groups) { create_list(:group, 3) }
+
+  before do
+    agent_groups
+    Setting.set('customer_ticket_create_group_ids', [Group.first.id])
+  end
 
   context 'groups' do
     before do
@@ -114,6 +120,10 @@ RSpec.describe 'Assets', db_strategy: :reset, type: :system do
       page.execute_script("return App.User.find(#{customer.id}).note")
     end
 
+    def customer_available_group_count
+      page.execute_script('return App.Group.all().length')
+    end
+
     def owner_firstname
       page.execute_script("return App.User.find(#{agent.id}).firstname")
     end
@@ -155,6 +165,23 @@ RSpec.describe 'Assets', db_strategy: :reset, type: :system do
       it 'can access not owner owner accounts' do
         expect(owner_accounts).to be_nil
       end
+
+      context 'when groups are restricted' do
+        it 'can not access agent groups' do
+          expect(customer_available_group_count).to eq(1)
+        end
+
+        context 'when there are old tickets for the customer', authenticated_as: :authenticate do
+          def authenticate
+            create(:ticket, group: agent_groups.first, customer: customer)
+            customer
+          end
+
+          it 'can access one of the agent groups' do
+            expect(customer_available_group_count).to eq(2)
+          end
+        end
+      end
     end
 
     describe 'when agent', authenticated_as: :agent do
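Review bot: In the first hunk, `Setting.set('customer_ticket_create_group_ids', [Group.first.id])` relies on the seeded group having the lowest id, and the expectations `eq(1)` and `eq(2)` in the last hunk only hold if that group is not one of the three `agent_groups` created just before it; the neighbouring lets already look the group up by name, so `Setting.set('customer_ticket_create_group_ids', [Group.find_by(name: 'Users').id])` states the fixture explicitly. The bare `agent_groups` call in the `before` block exists only to force the lazy `let`; `let!(:agent_groups) { create_list(:group, 3) }` expresses that directly and drops the extra line. The `RSpec.describe` block begins outside the hunks.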