# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/ require 'rails_helper' RSpec.describe Gql::Mutations::Ticket::Create, :aggregate_failures, type: :graphql do let(:query) do <<~QUERY mutation ticketCreate($input: TicketCreateInput!) { ticketCreate(input: $input) { ticket { id title group { name } priority { name } customer { fullname } owner { fullname } objectAttributeValues { attribute { name } value } tags } errors { message field } } } QUERY end let(:agent) { create(:agent, groups: [ Group.find_by(name: 'Users')]) } let(:customer) { create(:customer) } let(:user) { agent } let(:group) { agent.groups.first } let(:priority) { Ticket::Priority.last } let(:article_payload) { nil } let(:input_base_payload) do { title: 'Ticket Create Mutation Test', groupId: gql.id(group), priorityId: gql.id(priority), customer: { id: gql.id(customer) }, ownerId: gql.id(agent), tags: %w[foo bar], article: article_payload # pending_time: 10.minutes.from_now, # type: ... } end let(:input_payload) { input_base_payload } let(:variables) { { input: input_payload } } let(:expected_base_response) do { 'id' => gql.id(Ticket.last), 'title' => 'Ticket Create Mutation Test', 'owner' => { 'fullname' => agent.fullname }, 'group' => { 'name' => agent.groups.first.name }, 'customer' => { 'fullname' => customer.fullname }, 'priority' => { 'name' => Ticket::Priority.last.name }, 'tags' => %w[foo bar], 'objectAttributeValues' => [], } end let(:expected_response) do expected_base_response end def it_creates_ticket(articles: 0, stores: 0) expect { gql.execute(query, variables: variables) } .to change(Ticket, :count).by(1) .and change(Ticket::Article, :count).by(articles) .and change(Store, :count).by(stores) end def it_fails_to_create_ticket expect { gql.execute(query, variables: variables) } .not_to change(Ticket, :count) end context 'when creating a new ticket' do context 'with an agent', authenticated_as: :agent do it 'creates Ticket record' do it_creates_ticket expect(gql.result.data[:ticket]).to eq(expected_response) end context 'without title' do let(:input_payload) { input_base_payload.tap { |h| h[:title] = ' ' } } it 'fails validation' do it_fails_to_create_ticket expect(gql.result.error_message).to include('Variable $input of type TicketCreateInput! was provided invalid value for title') end end context 'with custom object_attribute', db_strategy: :reset do let(:object_attribute) do screens = { create: { 'admin.organization': { shown: true, required: false } } } create(:object_manager_attribute_text, object_name: 'Ticket', screens: screens).tap do |_oa| ObjectManager::Attribute.migration_execute end end let(:input_payload) do input_base_payload.merge( { objectAttributeValues: [ { name: object_attribute.name, value: 'object_attribute_value' } ] } ) end let(:expected_response) do expected_base_response.merge( { 'objectAttributeValues' => [{ 'attribute' => { 'name'=>object_attribute.name }, 'value' => 'object_attribute_value' }] } ) end it 'creates the ticket' do it_creates_ticket expect(gql.result.data[:ticket]).to eq(expected_response) end end context 'with links' do let!(:other_ticket) { create(:ticket, group: agent.groups.first) } let(:links) do [ { linkObjectId: gql.id(other_ticket), linkType: 'child' }, { linkObjectId: gql.id(other_ticket), linkType: 'normal' }, ] end let(:input_payload) { input_base_payload.merge(links:) } it 'creates the ticket and adds links' do it_creates_ticket expect(Link.list(link_object: 'Ticket', link_object_value: Ticket.last.id)).to contain_exactly( { 'link_object' => 'Ticket', 'link_object_value' => other_ticket.id, 'link_type' => 'parent' }, { 'link_object' => 'Ticket', 'link_object_value' => other_ticket.id, 'link_type' => 'normal' }, ) end end context 'when customer is provided as an email address' do let(:email_address) { Faker::Internet.email } let(:input_payload) { input_base_payload.merge(customer: { email: email_address }) } context 'with valid email address' do it 'creates the ticket and a new customer' do it_creates_ticket expect(User.find_by(email: email_address)).to be_present expect(gql.result.data[:ticket][:customer][:fullname]).to eq(User.find_by(email: email_address).fullname) end end context 'with invalid email address' do let(:email_address) { 'invalid-email' } it 'fails to create the ticket' do it_fails_to_create_ticket expect(gql.result.error_message).to include('The email address is invalid.') end end context 'with valid email address of an existing customer' do let(:email_address) { customer.email } it 'creates the ticket' do it_creates_ticket expect(gql.result.data[:ticket][:customer][:fullname]).to eq(customer.fullname) end end end context 'when creating the ticket in a group with only :create permission' do let(:group) { create(:group) } let(:owner) { create(:agent, groups: [group]) } let(:input_payload) { input_base_payload.merge(ownerId: gql.id(owner)) } before do user.groups << group user.group_names_access_map = { user.groups.first.name => ['full'], group.name => ['create'] } end it 'creates the ticket in the correct group, but returns an error trying to access the new ticket' do expect { gql.execute(query, variables: variables) }.to change(Ticket, :count).by(1) expect(Ticket.last.group.id).to eq(group.id) expect(gql.result.payload['data']['ticketCreate']).to eq({ 'ticket' => nil, 'errors' => nil }) # Mutation did run, but data retrieval was not authorized. expect(gql.result.payload['errors'].first['message']).to eq('Access forbidden by Gql::Types::TicketType') expect(gql.result.payload['errors'].first['extensions']['type']).to eq('Exceptions::Forbidden') end end context 'when creating the ticket in a group without email address' do let(:group) { create(:group, email_address: nil) } let(:agent) { create(:agent, groups: [group]) } let(:article_payload) { { body: 'dummy', type: 'email' } } let(:input_payload) { input_base_payload.merge(groupId: gql.id(group)) } it 'fails to create the ticket' do it_fails_to_create_ticket expect(gql.result.payload['data']['ticketCreate']).to eq( { 'ticket' => nil, 'errors' => [ { 'message' => 'This group has no email address configured for outgoing communication.', 'field' => 'group_id' } ] } ) end end context 'with no permission to the group' do let(:group) { create(:group) } it 'raises an error', :aggregate_failures do it_fails_to_create_ticket expect(gql.result.error_type).to eq(Exceptions::Forbidden) expect(gql.result.error_message).to eq('Access forbidden by Gql::Types::GroupType') end end context 'with article' do before do Group.find(agent.groups.first.id).update(email_address: create(:email_address)) end context 'with inline attachments' do let(:body) do <<~BODY This is a test article with inline attachments. BODY end let(:article_payload) do { body: body, contentType: 'text/html', } end it 'creates a new ticket + a new article with inline attachments' do it_creates_ticket(articles: 1, stores: 1) expect(Store.last.filename).to eq('image1.png') end end context 'with attachments' do let(:article_payload) do form_id = SecureRandom.uuid file_name = 'file1.txt' file_type = 'text/plain' file_content = Base64.strict_encode64('file1') UploadCache.new(form_id).tap do |cache| cache.add( data: file_content, filename: file_name, preferences: { 'Content-Type' => file_type }, created_by_id: agent.id ) end { body: 'dummy', contentType: 'text/html', attachments: { formId: form_id, files: [ { name: file_name, type: file_type, content: file_content, }, ], }, } end it 'creates a new ticket + a new article with attachments' do it_creates_ticket(articles: 1, stores: 1) expect(Store.last.filename).to eq('file1.txt') end end context 'with inline attachments + attachments' do let(:body) do <<~BODY This is a test article with inline attachments. BODY end let(:article_payload) do form_id = SecureRandom.uuid file_name = 'file1.txt' file_type = 'text/plain' file_content = Base64.strict_encode64('file1') UploadCache.new(form_id).tap do |cache| cache.add( data: file_content, filename: file_name, preferences: { 'Content-Type' => file_type }, created_by_id: agent.id ) end { body: body, contentType: 'text/html', attachments: { formId: form_id, files: [ { name: file_name, type: file_type, content: file_content, }, ], }, } end it 'creates a new ticket + a new article with inline attachments + attachments' do it_creates_ticket(articles: 1, stores: 2) expect(Store.last.filename).to eq('image1.png') end end context 'with a specific sender' do let(:article_payload) do { body: 'dummy', sender: 'Agent', } end it 'creates a new ticket + a new article with a specific sender' do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.sender.name).to eq('Agent') end it 'sets correct "to" and "from" values', :aggregate_failures do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last) .to have_attributes( from: agent.fullname, to: "#{customer.fullname} <#{customer.email}>" ) end end context 'with no type' do let(:article_payload) do { body: 'dummy', } end it 'creates a new ticket + a new article, but falls back to type "note"' do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.type.name).to eq('note') end end context 'with a specific type' do let(:article_payload) do { body: 'dummy', type: Ticket::Article::Type.first.name, to: 'dummy@example.org', } end it 'creates a new ticket + a new article with a specific type' do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.type.name).to eq(Ticket::Article::Type.first.name) end context 'with all integrations disabled' do let(:article_payload) do { body: 'dummy', to: ['to@example.com'], type: 'email', security: { method: 'SMIME', options: %w[encryption sign] } } end before do Setting.set('smime_integration', false) Setting.set('pgp_integration', false) end it 'doesn\'t set security if security integrations are not enabled', :aggregate_failures do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.preferences[:security]).to be_nil end end context 'with smime enabled' do let(:article_payload) do { body: 'dummy', to: ['to@example.com'], type: 'email', security: { method: 'SMIME', options: %w[encryption sign] } } end before do Setting.set('smime_integration', true) Setting.set('pgp_integration', false) end it 'creates a new ticket with correct security preferences', :aggregate_failures do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.preferences[:security]).to eq( 'type' => 'S/MIME', 'encryption' => { 'success' => true }, 'sign' => { 'success' => true }, ) end end context 'with pgp enabled' do let(:article_payload) do { body: 'dummy', to: ['to@example.com'], type: 'email', security: { method: 'PGP', options: %w[encryption sign] } } end before do Setting.set('smime_integration', false) Setting.set('pgp_integration', true) end it 'creates a new ticket with correct security preferences', :aggregate_failures do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.preferences[:security]).to eq( 'type' => 'PGP', 'encryption' => { 'success' => true }, 'sign' => { 'success' => true }, ) end end end end context 'with to: and cc: being string values' do let(:article_payload) do { body: 'dummy', to: 'to@example.com', cc: 'cc@example.com', } end it 'creates a new ticket + a new article and sets correct "to" and "cc" values', :aggregate_failures do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last).to have_attributes(to: 'to@example.com', cc: 'cc@example.com') end end context 'with to: and cc: containing array values' do let(:article_payload) do { body: 'dummy', to: ['to@example.com', 'to2@example.com'], cc: ['cc@example.com', 'cc2@example.com'], } end it 'creates a new ticket + a new article and sets correct "to" and "cc" values', :aggregate_failures do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last).to have_attributes(to: 'to@example.com, to2@example.com', cc: 'cc@example.com, cc2@example.com') end end context 'with a shared draft' do let(:shared_draft) { create(:ticket_shared_draft_start, group:) } let(:input_payload) do input_base_payload .merge(sharedDraftId: Gql::ZammadSchema.id_from_object(shared_draft)) end it 'passed to ticket create service' do expect_any_instance_of(Service::Ticket::Create) .to receive(:execute) .with(ticket_data: include(shared_draft:)) .and_call_original gql.execute(query, variables: variables) end end end context 'with a customer', authenticated_as: :customer do let(:input_payload) { input_base_payload.tap { |h| h.delete(:customer) } } let(:expected_response) do expected_base_response.merge( { 'owner' => { 'fullname' => nil }, 'priority' => { 'name' => Ticket::Priority.where(default_create: true).first.name }, 'tags' => nil } ) end it 'creates the ticket with filtered values' do it_creates_ticket expect(gql.result.data[:ticket]).to eq(expected_response) end context 'when sending a different customerId' do let(:input_payload) { input_base_payload.tap { |h| h[:customer][:id] = gql.id(create(:customer)) } } it 'fails creating a ticket with permission exception' do it_fails_to_create_ticket expect(gql.result.error_type).to eq(Exceptions::Forbidden) expect(gql.result.error_message).to eq('Access forbidden by Gql::Types::UserType') end end context 'with links' do let!(:other_ticket) { create(:ticket, customer: customer) } let(:links) do [ { linkObjectId: gql.id(other_ticket), linkType: 'child' }, { linkObjectId: gql.id(other_ticket), linkType: 'normal' }, ] end let(:input_payload) { input_base_payload.merge(links:) } it 'creates the ticket without links' do it_creates_ticket expect(Link.list(link_object: 'Ticket', link_object_value: Ticket.last.id)).to eq([]) end end context 'with article' do context 'with a forbidden sender' do let(:article_payload) do { body: 'dummy', sender: 'Agent', } end it 'creates a new ticket + a new article, but falls back to "Customer" as sender' do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.sender.name).to eq('Customer') end end context 'with type "phone"' do let(:article_payload) do { body: 'dummy', type: 'phone', } end it 'creates a new ticket + a new article, but falls back to "note" as type' do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.type.name).to eq('note') end it 'sets correct "to" and "from" values', :aggregate_failures do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last) .to have_attributes( to: Ticket.last.group.name, from: customer.fullname ) end end context 'with an article flagged as internal' do let(:article_payload) do { body: 'dummy', internal: true, } end it 'creates a new ticket + a new article, but flags it as not internal' do it_creates_ticket(articles: 1) expect(Ticket.last.articles.last.internal).to be(false) end end end end context 'with an agent that has a specific role limited to create/update permission', authenticated_as: :user do let(:user) { create(:user, roles: [api_role]) } let(:api_role) do role = create(:role, name: 'API', permission_names: ['ticket.agent']) role.group_names_access_map = { Group.first.name => %w[create], } role end let(:input_payload) do { title: 'Test title for issue #4647', groupId: gql.id(Group.first), customer: { id: gql.id(customer) }, article: article_payload, } end let(:article_payload) do { type: 'web', internal: false, sender: 'Customer', subject: 'Test subject', body: SecureRandom.uuid, } end before { Trigger.destroy_all } # triggers may cause additional articles to be created it 'contains correct "origin_by" + "from" information' do gql.execute(query, variables: variables) expect(Ticket.last.articles.last).to have_attributes( origin_by_id: customer.id, from: "#{customer.fullname} <#{customer.email}>", ) end end end end