Improved validation messages of controllers.

app/controllers/application_controller.rb

@@ -278,7 +278,7 @@ class ApplicationController < ActionController::Base
           permission: auth_param[:permission],
           inactive_user: true,
         )
-        raise Exceptions::NotAuthorized, 'No permission (token)!' if !user
+        raise Exceptions::NotAuthorized, 'Not authorized (token)!' if !user
       end
       @_token_auth = token # remember for permission_check
       return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
@@ -319,7 +319,7 @@ class ApplicationController < ActionController::Base
 
     # check scopes / permission check
     if auth_param[:permission] && !user.permissions?(auth_param[:permission])
-      raise Exceptions::NotAuthorized, 'No permission (user)!'
+      raise Exceptions::NotAuthorized, 'Not authorized (user)!'
     end
 
     current_user_set(user)
@@ -364,11 +364,11 @@ class ApplicationController < ActionController::Base
         permission: key,
       )
       return false if user
-      raise Exceptions::NotAuthorized, 'No permission (token)!'
+      raise Exceptions::NotAuthorized, 'Not authorized (token)!'
     end
 
     return false if current_user && current_user.permissions?(key)
-    raise Exceptions::NotAuthorized, 'No permission (user)!'
+    raise Exceptions::NotAuthorized, 'Not authorized (user)!'
   end
 
   def valid_session_with_user
@@ -543,6 +543,14 @@ class ApplicationController < ActionController::Base
     if error =~ /(already exists|duplicate key|duplicate entry)/i
       data[:error_human] = 'Object already exists!'
     end
+    if error =~ /null value in column "(.+?)" violates not-null constraint/i
+      data[:error_human] = "Attribute '#{$1}' required!"
+    end
+
+    if Rails.env.production? && !data[:error_human].empty?
+      data[:error] = data[:error_human]
+      data.delete('error_human')
+    end
     data
   end
 
@@ -598,7 +606,11 @@ class ApplicationController < ActionController::Base
   end
 
   def unauthorized(e)
-    error = model_match_error(e.message)
+    message = e.message
+    if message == 'Exceptions::NotAuthorized'
+      message = 'Not authorized'
+    end
+    error = model_match_error(message)
     if error && error[:error]
       response.headers['X-Failure'] = error[:error_human] || error[:error]
     end

app/controllers/tickets_controller.rb

@@ -74,6 +74,14 @@ class TicketsController < ApplicationController
     clean_params = Ticket.param_association_lookup(params)
     clean_params = Ticket.param_cleanup(clean_params, true)
 
+    # overwrite params
+    if !current_user.permissions?('ticket.agent')
+      [:owner, :owner_id, :customer, :customer_id, :organization, :organization_id, :preferences].each { |key|
+        clean_params.delete(key)
+      }
+      clean_params[:customer_id] = current_user.id
+    end
+
     # try to create customer if needed
     if clean_params[:customer_id] && clean_params[:customer_id] =~ /^guess:(.+?)$/
       email = $1
@@ -105,10 +113,7 @@ class TicketsController < ApplicationController
     end
 
     # create ticket
-    if !ticket.save
-      render json: ticket.errors, status: :unprocessable_entity
-      return
-    end
+    ticket.save!
 
     # create tags if given
     if params[:tags] && !params[:tags].empty?
@@ -128,12 +133,6 @@ class TicketsController < ApplicationController
       article_create(ticket, params[:article])
     end
 
-    if params[:expand]
-      result = ticket.attributes_with_relation_names
-      render json: result, status: :created
-      return
-    end
-
     # create links (e. g. in case of ticket split)
     # links: {
     #   Ticket: {
@@ -161,6 +160,12 @@ class TicketsController < ApplicationController
       }
     end
 
+    if params[:expand]
+      result = ticket.attributes_with_relation_names
+      render json: result, status: :created
+      return
+    end
+
     render json: ticket, status: :created
   end
 
@@ -174,22 +179,26 @@ class TicketsController < ApplicationController
     clean_params = Ticket.param_association_lookup(params)
     clean_params = Ticket.param_cleanup(clean_params, true)
 
-    if ticket.update_attributes(clean_params)
+    # overwrite params
+    if !current_user.permissions?('ticket.agent')
+      [:owner, :owner_id, :customer, :customer_id, :organization, :organization_id, :preferences].each { |key|
+        clean_params.delete(key)
+      }
+    end
 
-      if params[:article]
-        article_create(ticket, params[:article])
-      end
+    ticket.update_attributes!(clean_params)
 
-      if params[:expand]
-        result = ticket.attributes_with_relation_names
-        render json: result, status: :ok
-        return
-      end
+    if params[:article]
+      article_create(ticket, params[:article])
+    end
 
-      render json: ticket, status: :ok
-    else
-      render json: ticket.errors, status: :unprocessable_entity
+    if params[:expand]
+      result = ticket.attributes_with_relation_names
+      render json: result, status: :ok
+      return
     end
+
+    render json: ticket, status: :ok
   end
 
   # DELETE /api/v1/tickets/1
@@ -199,7 +208,9 @@ class TicketsController < ApplicationController
     ticket = Ticket.find(params[:id])
     ticket_permission(ticket)
 
-    ticket.destroy
+    raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!' if !current_user.permissions?('admin')
+
+    ticket.destroy!
 
     head :ok
   end
@@ -612,8 +623,36 @@ class TicketsController < ApplicationController
     form_id = params[:form_id]
     params.delete(:form_id)
 
+    # check min. params
+    raise 'Need at least article: { body: "some text" }' if !params[:body]
+
+    # fill default values
+    if params[:type_id].empty?
+      params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
+    end
+    if params[:sender_id].empty?
+      sender = 'Customer'
+      if current_user.permissions?('ticket.agent')
+        sender = 'Agent'
+      end
+      params[:sender_id] = Ticket::Article::Sender.lookup(name: sender).id
+    end
+
     clean_params = Ticket::Article.param_association_lookup(params)
     clean_params = Ticket::Article.param_cleanup(clean_params, true)
+
+    # overwrite params
+    if !current_user.permissions?('ticket.agent')
+      clean_params[:sender_id] = Ticket::Article::Sender.lookup(name: 'Customer').id
+      clean_params.delete(:sender)
+      type = Ticket::Article::Type.lookup(id: clean_params[:type_id])
+      if type !~ /^(note|web)$/
+        clean_params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
+      end
+      clean_params.delete(:type)
+      clean_params[:internal] = false
+    end
+
     article = Ticket::Article.new(clean_params)
     article.ticket_id = ticket.id
 
@@ -646,10 +685,7 @@ class TicketsController < ApplicationController
         o_id: form_id,
       )
     end
-    if !article.save
-      render json: article.errors, status: :unprocessable_entity
-      return
-    end
+    article.save!
 
     # remove attachments from upload cache
     return if !form_id

app/models/observer/ticket/article/communicate_email.rb

@@ -13,11 +13,13 @@ class Observer::Ticket::Article::CommunicateEmail < ActiveRecord::Observer
     return if ApplicationHandleInfo.current.split('.')[1] == 'postmaster'
 
     # if sender is customer, do not communicate
+    return if !record.sender_id
     sender = Ticket::Article::Sender.lookup(id: record.sender_id)
     return 1 if sender.nil?
     return 1 if sender['name'] == 'Customer'
 
     # only apply on emails
+    return if !record.type_id
     type = Ticket::Article::Type.lookup(id: record.type_id)
     return if type['name'] != 'email'
 

app/models/observer/ticket/article/communicate_facebook.rb

@@ -15,11 +15,13 @@ class Observer::Ticket::Article::CommunicateFacebook < ActiveRecord::Observer
     return if ApplicationHandleInfo.current.split('.')[1] == 'postmaster'
 
     # if sender is customer, do not communicate
+    return if !record.sender_id
     sender = Ticket::Article::Sender.lookup(id: record.sender_id)
     return 1 if sender.nil?
     return 1 if sender['name'] == 'Customer'
 
     # only apply for facebook
+    return if !record.type_id
     type = Ticket::Article::Type.lookup(id: record.type_id)
     return if type['name'] !~ /\Afacebook/
 

app/models/observer/ticket/article/communicate_twitter.rb

@@ -13,11 +13,13 @@ class Observer::Ticket::Article::CommunicateTwitter < ActiveRecord::Observer
     return if ApplicationHandleInfo.current.split('.')[1] == 'postmaster'
 
     # if sender is customer, do not communicate
+    return if !record.sender_id
     sender = Ticket::Article::Sender.lookup(id: record.sender_id)
     return if sender.nil?
     return if sender['name'] == 'Customer'
 
     # only apply on tweets
+    return if !record.type_id
     type = Ticket::Article::Type.lookup(id: record.type_id)
     return if type['name'] !~ /\Atwitter/i
 

app/models/observer/ticket/article/fillup_from_email.rb

@@ -13,11 +13,13 @@ class Observer::Ticket::Article::FillupFromEmail < ActiveRecord::Observer
     return if ApplicationHandleInfo.current.split('.')[1] == 'postmaster'
 
     # if sender is customer, do not change anything
+    return if !record.sender_id
     sender = Ticket::Article::Sender.lookup(id: record.sender_id)
     return if sender.nil?
     return if sender['name'] == 'Customer'
 
     # set email attributes
+    return if !record.type_id
     type = Ticket::Article::Type.lookup(id: record.type_id)
     return if type['name'] != 'email'
 

app/models/observer/ticket/article/fillup_from_general.rb

@@ -13,6 +13,7 @@ class Observer::Ticket::Article::FillupFromGeneral < ActiveRecord::Observer
     return if ApplicationHandleInfo.current.split('.')[1] == 'postmaster'
 
     # if sender is customer, do not change anything
+    return if !record.sender_id
     sender = Ticket::Article::Sender.lookup(id: record.sender_id)
     return if sender.nil?
     return if sender['name'] == 'Customer'
@@ -20,6 +21,7 @@ class Observer::Ticket::Article::FillupFromGeneral < ActiveRecord::Observer
     # set from if not given
     return if record.from
 
+    return if !record.created_by_id
     user        = User.find(record.created_by_id)
     record.from = "#{user.firstname} #{user.lastname}"
   end

app/models/observer/ticket/close_time.rb

@@ -22,6 +22,7 @@ class Observer::Ticket::CloseTime < ActiveRecord::Observer
     return true if record.close_time
 
     # check if ticket is closed now
+    return if !record.state_id
     state = Ticket::State.lookup(id: record.state_id)
     state_type = Ticket::StateType.lookup(id: state.state_type_id)
     return true if state_type.name != 'closed'

test/controllers/api_auth_controller_test.rb

@@ -140,7 +140,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     assert_response(401)
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
-    assert_equal('No permission (token)!', result['error'])
+    assert_equal('Not authorized (token)!', result['error'])
 
     admin_token.preferences[:permission] = []
     admin_token.save!
@@ -149,7 +149,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     assert_response(401)
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
-    assert_equal('No permission (token)!', result['error'])
+    assert_equal('Not authorized (token)!', result['error'])
 
     @admin.active = false
     @admin.save!
@@ -182,7 +182,7 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
     assert_response(401)
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
-    assert_equal('No permission (token)!', result['error'])
+    assert_equal('Not authorized (token)!', result['error'])
 
     admin_token.preferences[:permission] = ['admin.session_not_existing', 'admin.role']
     admin_token.save!

test/controllers/packages_controller_test.rb

@@ -111,7 +111,7 @@ class PackagesControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
     assert_not(result['packages'])
-    assert_equal('No permission (user)!', result['error'])
+    assert_equal('Not authorized (user)!', result['error'])
   end
 
   test '06 packages index with customer' do
@@ -125,7 +125,7 @@ class PackagesControllerTest < ActionDispatch::IntegrationTest
     result = JSON.parse(@response.body)
     assert_equal(Hash, result.class)
     assert_not(result['packages'])
-    assert_equal('No permission (user)!', result['error'])
+    assert_equal('Not authorized (user)!', result['error'])
   end
 
 end