
Fixed issue #588 - API Call crashes webinterface - or search?

Martin Edenhofer 8 years ago
parent
commit
11a6930c44

+ 9 - 3
app/controllers/tickets_controller.rb

@@ -76,7 +76,6 @@ class TicketsController < ApplicationController
   # POST /api/v1/tickets
   def create
     clean_params = Ticket.param_association_lookup(params)
-    clean_params = Ticket.param_cleanup(clean_params, true)
 
     # overwrite params
     if !current_user.permissions?('ticket.agent')
@@ -108,6 +107,7 @@ class TicketsController < ApplicationController
       clean_params[:customer_id] = customer.id
     end
 
+    clean_params = Ticket.param_cleanup(clean_params, true)
     ticket = Ticket.new(clean_params)
 
     # check if article is given
@@ -283,6 +283,8 @@ class TicketsController < ApplicationController
       ticket_lists = Ticket
                      .where(
                        customer_id: ticket.customer_id,
+                     ).where.not(
+                       state_id: Ticket::State.by_category('merged')
                      )
                      .where(access_condition)
                      .where('id != ?', [ ticket.id ])
@@ -303,7 +305,8 @@ class TicketsController < ApplicationController
       next if recent_view['object'] != 'Ticket'
       ticket_ids_recent_viewed.push recent_view['o_id']
       recent_view_ticket = Ticket.find(recent_view['o_id'])
-      assets             = recent_view_ticket.assets(assets)
+      next if recent_view_ticket.state.state_type.name == 'merged'
+      assets = recent_view_ticket.assets(assets)
     }
 
     # return result
@@ -491,6 +494,9 @@ class TicketsController < ApplicationController
     user_ticket_volume_by_year = []
     if params[:user_id]
       user = User.lookup(id: params[:user_id])
+      if !user
+        raise "No such user with id #{params[:user_id]}"
+      end
       condition = {
         'ticket.state_id' => {
           operator: 'is',
@@ -661,7 +667,7 @@ class TicketsController < ApplicationController
 
     # get related users
     article_ids = []
-    ticket.articles.order('created_at ASC, id ASC').each { |article|
+    ticket.articles.each { |article|
 
       # ignore internal article if customer is requesting
       next if article.internal == true && current_user.permissions?('ticket.customer')
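Review bot: In the recent-views loop the new guard `next if recent_view_ticket.state.state_type.name == 'merged'` comes after `ticket_ids_recent_viewed.push recent_view['o_id']`, so a merged ticket's id is still returned in the list while its assets are skipped; moving the guard above the push line keeps the id list and the asset map consistent, matching the `where.not(state_id: Ticket::State.by_category('merged'))` filter added to the customer ticket query. The new `raise "No such user with id #{params[:user_id]}"` in the stats hunk raises a bare RuntimeError with the caller-supplied id interpolated into the message; if it is meant to surface as a 422 like the `ArgumentError` raised by `Ticket.param_cleanup`, `raise ArgumentError, "No such user with id #{params[:user_id]}"` makes that explicit, and it is worth confirming the controller's rescue path does not turn it into a 500. Dropping `.order('created_at ASC, id ASC')` on `ticket.articles` leaves article order to the association's default scope, which is only deterministic if that association declares one — presumably it does, but confirm. The enclosing methods of all these hunks start and end outside the lines shown.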

+ 11 - 0
app/models/application_model.rb

@@ -93,6 +93,17 @@ returns
     clean_params = {}
     new.attributes.each { |attribute, _value|
       next if !data.key?(attribute.to_sym)
+
+      # check reference records, referenced by _id attributes
+      reflect_on_all_associations.map { |assoc|
+        class_name = assoc.options[:class_name]
+        next if !class_name
+        name = "#{assoc.name}_id".to_sym
+        next if !data.key?(name)
+        next if data[name].blank?
+        next if assoc.klass.lookup(id: data[name])
+        raise ArgumentError, "Invalid value for param '#{name}': #{data[name].inspect}"
+      }
       clean_params[attribute.to_sym] = data[attribute.to_sym]
     }
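Review bot: The association check `reflect_on_all_associations.map { |assoc| ... }` sits inside the `new.attributes.each` loop, so every `*_id` reference is looked up once per copied attribute — one `assoc.klass.lookup(id: ...)` query per attribute-association pair instead of one per association — and `map` is used purely for side effects where `each` is meant. Hoisting the reference check above the attribute loop runs each lookup once and keeps the same `ArgumentError`. Only associations that declare `class_name:` are validated (`next if !class_name`), so an id for an association without that option is presumably still accepted unchecked; if that is intended, say so with `# only associations with an explicit class_name: are validated here`. The enclosing method begins above the hunk.
```ruby
    clean_params = {}

    # validate records referenced by *_id params once, not once per attribute
    reflect_on_all_associations.each { |assoc|
      class_name = assoc.options[:class_name]
      next if !class_name
      name = "#{assoc.name}_id".to_sym
      next if !data.key?(name)
      next if data[name].blank?
      next if assoc.klass.lookup(id: data[name])
      raise ArgumentError, "Invalid value for param '#{name}': #{data[name].inspect}"
    }

    new.attributes.each { |attribute, _value|
      next if !data.key?(attribute.to_sym)
      clean_params[attribute.to_sym] = data[attribute.to_sym]
    }
```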
 

+ 94 - 2
test/controllers/tickets_controller_test.rb

@@ -127,12 +127,104 @@ class TicketsControllerTest < ActionDispatch::IntegrationTest
     assert_equal(@agent.id, result['created_by_id'])
   end
 
-  test '01.04 ticket create with agent - minimal article with guess customer' do
+  test '01.04 ticket create with agent - wrong owner_id - 0' do
     credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
     params = {
       title: 'a new ticket #4',
       group: 'Users',
       priority: '2 normal',
+      owner_id: 0,
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal('Invalid value for param \'owner_id\': 0', result['error'])
+  end
+
+  test '01.05 ticket create with agent - wrong owner_id - ""' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #5',
+      group: 'Users',
+      priority: '2 normal',
+      owner_id: '',
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    #assert_response(422)
+    #result = JSON.parse(@response.body)
+    #assert_equal(Hash, result.class)
+    #assert_equal('Invalid value for param \'owner_id\': ""', result['error'])
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
+    assert_equal('a new ticket #5', result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+  end
+
+  test '01.06 ticket create with agent - wrong owner_id - 99999' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #6',
+      group: 'Users',
+      priority: '2 normal',
+      owner_id: 99_999,
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    assert_response(422)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal('Invalid value for param \'owner_id\': 99999', result['error'])
+  end
+
+  test '01.07 ticket create with agent - wrong owner_id - nil' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #7',
+      group: 'Users',
+      priority: '2 normal',
+      owner_id: nil,
+      state: 'new',
+      customer_id: @customer_without_org.id,
+      article: {
+        body: 'some test 123',
+      },
+    }
+    post '/api/v1/tickets', params.to_json, @headers.merge('Authorization' => credentials)
+    assert_response(201)
+    result = JSON.parse(@response.body)
+    assert_equal(Hash, result.class)
+    assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
+    assert_equal('a new ticket #7', result['title'])
+    assert_equal(@customer_without_org.id, result['customer_id'])
+    assert_equal(@agent.id, result['updated_by_id'])
+    assert_equal(@agent.id, result['created_by_id'])
+  end
+
+  test '01.08 ticket create with agent - minimal article with guess customer' do
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('tickets-agent@example.com', 'agentpw')
+    params = {
+      title: 'a new ticket #8',
+      group: 'Users',
+      priority: '2 normal',
       state: 'new',
       customer_id: 'guess:some_new_customer@example.com',
       article: {
@@ -144,7 +236,7 @@ class TicketsControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
     assert_equal(Ticket::State.lookup(name: 'new').id, result['state_id'])
-    assert_equal('a new ticket #4', result['title'])
+    assert_equal('a new ticket #8', result['title'])
     assert_equal(User.lookup(email: 'some_new_customer@example.com').id, result['customer_id'])
     assert_equal(@agent.id, result['updated_by_id'])
     assert_equal(@agent.id, result['created_by_id'])
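Review bot: Test 01.05 keeps four commented-out assertions (`#assert_response(422)` through `#assert_equal('Invalid value for param \'owner_id\': ""', result['error'])`) directly above the 201 assertions that replace them, which reads as an unresolved expectation rather than a decision. An empty `owner_id` is presumably accepted because the reference check in `param_cleanup` skips blank values, so replace the dead lines with one comment stating that, e.g. `# '' is blank and is skipped by the *_id reference check, so the create succeeds`, or remove them. Test 01.07 (`owner_id: nil`) asserts the same outcome and could carry the same comment. The 01.08 test body continues past the end of the first hunk.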