
Maintenance: Ticket Article permissions handling enhancements

Mantas 2 years ago
parent
commit
1ef140d3c7

+ 7 - 7
app/policies/ticket/article_policy.rb

@@ -11,10 +11,7 @@ class Ticket::ArticlePolicy < ApplicationPolicy
   end
 
   def update?
-    return false if !access?(__method__)
-    return true if user.permissions?(['ticket.agent', 'admin'])
-
-    not_authorized('ticket.agent or admin permission required')
+    ticket_policy.agent_update_access?
   end
 
   def destroy?
@@ -57,9 +54,12 @@ class Ticket::ArticlePolicy < ApplicationPolicy
   end
 
   def access?(query)
-    ticket = Ticket.lookup(id: record.ticket_id)
-    return false if record.internal == true && !TicketPolicy.new(user, ticket).agent_read_access?
+    return false if record.internal && !ticket_policy.agent_read_access?
+
+    ticket_policy.send(query)
+  end
 
-    Pundit.authorize(user, ticket, query)
+  def ticket_policy
+    @ticket_policy ||= TicketPolicy.new(user, Ticket.lookup(id: record.ticket_id))
   end
 end
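Review bot: In `access?`, `ticket_policy.send(query)` can invoke any method on `TicketPolicy`, private ones included, so the dispatch is wider than the policy predicates it is meant for; `ticket_policy.public_send(query)` keeps it to the public interface. The removed line in `update?` passed `__method__`, and the remaining callers of `access?` (for example `destroy?`, whose body is cut off) sit outside these hunks, so what reaches `query` cannot be confirmed from here. The replaced `Pundit.authorize(user, ticket, query)` raised on denial, whereas the new call returns the predicate's result, so those callers must treat a falsy return as a denial. `update?` also no longer goes through `access?`, so the `record.internal` guard covers updates only if `agent_update_access?` implies agent read access. If that holds, a comment above the call such as `# agent_update_access? implies agent read access, so the internal-article guard in access? is covered` would make the assumption explicit.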

+ 7 - 0
spec/policies/ticket/article_policy_spec.rb

@@ -65,4 +65,11 @@ describe Ticket::ArticlePolicy do
     it { is_expected.to permit_actions(%i[show]) }
   end
 
+  context 'when customer is agent and customer' do
+    let(:user)            { ticket_customer }
+    let(:ticket_customer) { create(:agent_and_customer) }
+
+    it { is_expected.to permit_actions(%i[show]) }
+    it { is_expected.to forbid_actions(%i[update destroy]) }
+  end
 end
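Review bot: Internal articles are not covered for the mixed-role user added here: the new context checks `show`, `update` and `destroy` only against the article defined outside this hunk, which may well be a public one. Users holding both agent and customer roles are where the `record.internal` branch of `access?` matters most. A sibling context that builds the article with `internal: true` would pin that path, asserting `it { is_expected.to forbid_actions(%i[show update destroy]) }` if that is the intended result for a customer without agent access to the ticket. The context name would also read more clearly as `'when ticket customer has agent and customer roles'`.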

+ 1 - 1
spec/requests/ticket_spec.rb

@@ -1358,7 +1358,7 @@ RSpec.describe 'Ticket', type: :request do
       put "/api/v1/ticket_articles/#{json_response['id']}", params: params, as: :json
       expect(response).to have_http_status(:forbidden)
       expect(json_response).to be_a(Hash)
-      expect(json_response['error']).to eq('Not authorized (ticket.agent or admin permission required)!')
+      expect(json_response['error']).to eq('Not authorized')
 
       delete "/api/v1/tickets/#{ticket.id}", params: {}, as: :json
       expect(response).to have_http_status(:forbidden)