# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/ require 'rails_helper' RSpec.describe 'Ticket Article API endpoints', type: :request do let(:admin) do create(:admin, groups: Group.all) end let!(:group) { create(:group) } let(:agent) do create(:agent, groups: Group.all) end let(:customer) do create(:customer) end describe 'request handling' do it 'does ticket create with agent and articles' do params = { title: 'a new ticket #1', group: 'Users', customer_id: customer.id, article: { body: 'some body', } } authenticated_as(agent) post '/api/v1/tickets', params: params, as: :json expect(response).to have_http_status(:created) params = { ticket_id: json_response['id'], content_type: 'text/plain', # or text/html body: 'some body', type: 'note', } post '/api/v1/ticket_articles', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).to eq('some body') expect(json_response['content_type']).to eq('text/plain') expect(json_response['updated_by_id']).to eq(agent.id) expect(json_response['created_by_id']).to eq(agent.id) ticket = Ticket.find(json_response['ticket_id']) expect(ticket.articles.count).to eq(2) expect(ticket.articles[0].attachments.count).to eq(0) expect(ticket.articles[1].attachments.count).to eq(0) params = { ticket_id: json_response['ticket_id'], content_type: 'text/html', # or text/html body: 'some body Red dot', type: 'note', } post '/api/v1/ticket_articles', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).not_to match(%r{some body Red dot 'some_file.txt', 'data' => 'dGVzdCAxMjM=', 'mime-type' => 'text/plain' }, ], } post '/api/v1/ticket_articles', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).to eq('some body') expect(json_response['content_type']).to eq('text/html') expect(json_response['updated_by_id']).to eq(agent.id) expect(json_response['created_by_id']).to eq(agent.id) ticket.articles.reload expect(ticket.articles.count).to eq(4) expect(ticket.articles[0].attachments.count).to eq(0) expect(ticket.articles[1].attachments.count).to eq(0) expect(ticket.articles[2].attachments.count).to eq(1) expect(ticket.articles[3].attachments.count).to eq(1) get "/api/v1/ticket_articles/#{json_response['id']}?expand=true", params: {}, as: :json expect(response).to have_http_status(:ok) expect(json_response).to be_a(Hash) expect(json_response['attachments'].count).to eq(1) expect(json_response['attachments'][0]['id']).to be_truthy expect(json_response['attachments'][0]['filename']).to eq('some_file.txt') expect(json_response['attachments'][0]['size']).to eq('8') expect(json_response['attachments'][0]['preferences']['Mime-Type']).to eq('text/plain') params = { ticket_id: json_response['ticket_id'], content_type: 'text/plain', body: 'some body', type: 'note', internal: false, preferences: { some_key1: 123, highlight: '123', }, } post '/api/v1/ticket_articles', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).to eq('some body') expect(json_response['internal']).to be(false) expect(json_response['content_type']).to eq('text/plain') expect(json_response['updated_by_id']).to eq(agent.id) expect(json_response['created_by_id']).to eq(agent.id) expect(json_response['preferences']['some_key1']).to eq(123) expect(json_response['preferences']['highlight']).to eq('123') expect(ticket.articles.count).to eq(5) params = { body: 'some body 2', internal: true, preferences: { some_key2: 'abc', highlight: '234', }, } put "/api/v1/ticket_articles/#{json_response['id']}", params: params, as: :json expect(response).to have_http_status(:ok) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).not_to eq('some body 2') expect(json_response['internal']).to be(true) expect(json_response['content_type']).to eq('text/plain') expect(json_response['updated_by_id']).to eq(agent.id) expect(json_response['created_by_id']).to eq(agent.id) expect(json_response['preferences']['some_key1']).to eq(123) expect(json_response['preferences']['some_key2']).not_to eq('abc') expect(json_response['preferences']['highlight']).to eq('234') end it 'does ticket create with customer and articles' do params = { title: 'a new ticket #2', group: 'Users', article: { body: 'some body', } } authenticated_as(customer) post '/api/v1/tickets', params: params, as: :json expect(response).to have_http_status(:created) params = { ticket_id: json_response['id'], content_type: 'text/plain', # or text/html body: 'some body', type: 'note', } post '/api/v1/ticket_articles', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).to eq('some body') expect(json_response['content_type']).to eq('text/plain') expect(json_response['updated_by_id']).to eq(customer.id) expect(json_response['created_by_id']).to eq(customer.id) ticket = Ticket.find(json_response['ticket_id']) expect(ticket.articles.count).to eq(2) expect(ticket.articles[1].sender.name).to eq('Customer') expect(ticket.articles[0].attachments.count).to eq(0) expect(ticket.articles[1].attachments.count).to eq(0) params = { ticket_id: json_response['ticket_id'], content_type: 'text/plain', # or text/html body: 'some body', sender: 'Agent', type: 'note', } post '/api/v1/ticket_articles', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).to eq('some body') expect(json_response['content_type']).to eq('text/plain') expect(json_response['updated_by_id']).to eq(customer.id) expect(json_response['created_by_id']).to eq(customer.id) ticket.articles.reload ticket = Ticket.find(json_response['ticket_id']) expect(ticket.articles.count).to eq(3) expect(ticket.articles[2].sender.name).to eq('Customer') expect(ticket.articles[2].internal).to be(false) expect(ticket.articles[0].attachments.count).to eq(0) expect(ticket.articles[1].attachments.count).to eq(0) expect(ticket.articles[2].attachments.count).to eq(0) params = { ticket_id: json_response['ticket_id'], content_type: 'text/plain', # or text/html body: 'some body 2', sender: 'Agent', type: 'note', internal: true, } post '/api/v1/ticket_articles', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['subject']).to be_nil expect(json_response['body']).to eq('some body 2') expect(json_response['content_type']).to eq('text/plain') expect(json_response['updated_by_id']).to eq(customer.id) expect(json_response['created_by_id']).to eq(customer.id) ticket.articles.reload ticket = Ticket.find(json_response['ticket_id']) expect(ticket.articles.count).to eq(4) expect(ticket.articles[3].sender.name).to eq('Customer') expect(ticket.articles[3].internal).to be(false) expect(ticket.articles[0].attachments.count).to eq(0) expect(ticket.articles[1].attachments.count).to eq(0) expect(ticket.articles[2].attachments.count).to eq(0) expect(ticket.articles[3].attachments.count).to eq(0) # add internal article article = create( :ticket_article, ticket_id: ticket.id, internal: true, sender: Ticket::Article::Sender.find_by(name: 'Agent'), type: Ticket::Article::Type.find_by(name: 'note'), ) ticket.articles.reload expect(ticket.articles.count).to eq(5) expect(ticket.articles[4].sender.name).to eq('Agent') expect(ticket.articles[4].updated_by_id).to eq(1) expect(ticket.articles[4].created_by_id).to eq(1) expect(ticket.articles[0].attachments.count).to eq(0) expect(ticket.articles[1].attachments.count).to eq(0) expect(ticket.articles[2].attachments.count).to eq(0) expect(ticket.articles[3].attachments.count).to eq(0) expect(ticket.articles[4].attachments.count).to eq(0) get "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json expect(response).to have_http_status(:forbidden) expect(json_response).to be_a(Hash) expect(json_response['error']).to eq('Not authorized') put "/api/v1/ticket_articles/#{article.id}", params: { internal: false }, as: :json expect(response).to have_http_status(:forbidden) expect(json_response).to be_a(Hash) expect(json_response['error']).to eq('Not authorized') end it 'does create phone ticket for customer and expected origin_by_id' do params = { title: 'a new ticket #1', group: 'Users', customer_id: customer.id, article: { body: 'some body', sender: 'Customer', type: 'phone', } } authenticated_as(agent) post '/api/v1/tickets', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(json_response['title']).to eq('a new ticket #1') expect(Ticket::Article.where(ticket_id: json_response['id']).count).to eq(2) # original + auto responder article = Ticket::Article.where(ticket_id: json_response['id']).first expect(article.origin_by_id).to eq(customer.id) expect(article.from).to be_in( [ "#{customer.firstname} #{customer.lastname} <#{customer.email}>", "\"#{customer.firstname} #{customer.lastname}\" <#{customer.email}>" ] ) end it 'does create phone ticket by customer and manipulate origin_by_id' do params = { title: 'a new ticket #1', group: 'Users', customer_id: customer.id, article: { body: 'some body', sender: 'Customer', type: 'phone', origin_by_id: 1, } } authenticated_as(customer) post '/api/v1/tickets', params: params, as: :json expect(response).to have_http_status(:created) expect(json_response).to be_a(Hash) expect(Ticket::Article.where(ticket_id: json_response['id']).count).to eq(1) # ony original article = Ticket::Article.where(ticket_id: json_response['id']).first expect(article.origin_by_id).to eq(customer.id) end it 'does ticket split with html - check attachments' do ticket = create(:ticket, group: group) article = create( :ticket_article, ticket_id: ticket.id, type: Ticket::Article::Type.lookup(name: 'note'), sender: Ticket::Article::Sender.lookup(name: 'Customer'), body: 'test test ', content_type: 'text/html', ) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file1_normally_should_be_an_image', filename: 'some_file1.jpg', preferences: { 'Content-Type' => 'image/jpeg', 'Mime-Type' => 'image/jpeg', 'Content-ID' => '15.274327094.140938@zammad.example.com', 'Content-Disposition' => 'inline', }) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file2_normally_should_be_an_image', filename: 'some_file2.jpg', preferences: { 'Content-Type' => 'image/jpeg', 'Mime-Type' => 'image/jpeg', 'Content-ID' => '15.274327094.140938.2@zammad.example.com', 'Content-Disposition' => 'inline', }) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file3_normally_should_be_an_image', filename: 'some_file3.jpg', preferences: { 'Content-Type' => 'image/jpeg', 'Mime-Type' => 'image/jpeg', 'Content-ID' => '15.274327094.140938.3@zammad.example.com', }) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file4_normally_should_be_an_image', filename: 'some_file4.jpg', preferences: { 'Content-Type' => 'image/jpeg', 'Mime-Type' => 'image/jpeg', 'Content-ID' => '15.274327094.140938.4@zammad.example.com', }) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file1_normally_should_be_an_pdf', filename: 'Rechnung_RE-2018-200.pdf', preferences: { 'Content-Type' => 'application/octet-stream; name="Rechnung_RE-2018-200.pdf"', 'Mime-Type' => 'application/octet-stream', 'Content-ID' => '8AB0BEC88984EE4EBEF643C79C8E0346@zammad.example.com', 'Content-Description' => 'Rechnung_RE-2018-200.pdf', 'Content-Disposition' => 'attachment', }) params = { form_id: 'b47ea422-1b96-49db-8399-aeffaa0e3fc9', } authenticated_as(agent) post "/api/v1/ticket_attachment_upload_clone_by_article/#{article.id}", params: params, as: :json expect(response).to have_http_status(:ok) expect(json_response).to be_a(Hash) expect(json_response['attachments']).to be_truthy expect(json_response['attachments'].count).to eq(3) post "/api/v1/ticket_attachment_upload_clone_by_article/#{article.id}", params: params, as: :json expect(response).to have_http_status(:ok) expect(json_response).to be_a(Hash) expect(json_response['attachments']).to be_truthy expect(json_response['attachments'].count).to eq(0) end it 'does ticket split with plain - check attachments' do ticket = create( :ticket, group: group, updated_by_id: agent.id, created_by_id: agent.id, ) article = create( :ticket_article, ticket_id: ticket.id, type: Ticket::Article::Type.lookup(name: 'note'), sender: Ticket::Article::Sender.lookup(name: 'Customer'), body: 'test ', content_type: 'text/plain', updated_by_id: 1, created_by_id: 1, ) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file1_normally_should_be_an_image', filename: 'some_file1.jpg', preferences: { 'Content-Type' => 'image/jpeg', 'Mime-Type' => 'image/jpeg', 'Content-ID' => '15.274327094.140938@zammad.example.com', 'Content-Disposition' => 'inline', }) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file1_normally_should_be_an_image', filename: 'some_file2.jpg', preferences: { 'Content-Type' => 'image/jpeg', 'Mime-Type' => 'image/jpeg', 'Content-ID' => '15.274327094.140938.2@zammad.example.com', 'Content-Disposition' => 'inline', }) create(:store, object: 'Ticket::Article', o_id: article.id, data: 'content_file1_normally_should_be_an_pdf', filename: 'Rechnung_RE-2018-200.pdf', preferences: { 'Content-Type' => 'application/octet-stream; name="Rechnung_RE-2018-200.pdf"', 'Mime-Type' => 'application/octet-stream', 'Content-ID' => '8AB0BEC88984EE4EBEF643C79C8E0346@zammad.example.com', 'Content-Description' => 'Rechnung_RE-2018-200.pdf', 'Content-Disposition' => 'attachment', }) params = { form_id: 'b47ea422-1b96-49db-8399-aeffaa0e3fc9', } authenticated_as(agent) post "/api/v1/ticket_attachment_upload_clone_by_article/#{article.id}", params: params, as: :json expect(response).to have_http_status(:ok) expect(json_response).to be_a(Hash) expect(json_response['attachments']).to be_truthy expect(json_response['attachments'].count).to eq(3) post "/api/v1/ticket_attachment_upload_clone_by_article/#{article.id}", params: params, as: :json expect(response).to have_http_status(:ok) expect(json_response).to be_a(Hash) expect(json_response['attachments']).to be_truthy expect(json_response['attachments'].count).to eq(0) end it 'does ticket create with mentions' do params = { title: 'a new ticket #1', group: 'Users', customer_id: customer.id, article: { body: "some body agent", } } authenticated_as(agent) post '/api/v1/tickets', params: params, as: :json expect(response).to have_http_status(:created) expect(Mention.where(mentionable: Ticket.last).count).to eq(1) end it 'does not ticket create with invalid mentions' do params = { title: 'a new ticket #1', group: 'Users', customer_id: customer.id, article: { body: "some body customer", } } authenticated_as(agent) post '/api/v1/tickets', params: params, as: :json expect(response).to have_http_status(:unprocessable_entity) expect(Mention.count).to eq(0) end it 'does not ticket create with mentions when customer' do params = { title: 'a new ticket #1', group: 'Users', customer_id: customer.id, article: { body: "some body agent", } } authenticated_as(customer) post '/api/v1/tickets', params: params, as: :json expect(response).to have_http_status(:forbidden) expect(Mention.count).to eq(0) end end describe 'DELETE /api/v1/ticket_articles/:id', authenticated_as: -> { user } do let(:other_agent) { create(:agent, groups: [Group.first]) } let(:ticket) do create(:ticket, group: Group.first) end let(:article_communication) do create(:ticket_article, sender_name: 'Agent', type_name: 'email', ticket: ticket, updated_by_id: agent.id, created_by_id: agent.id) end let(:article_note_self) do create(:ticket_article, sender_name: 'Agent', internal: true, type_name: 'note', ticket: ticket, updated_by_id: user.id, created_by_id: user.id) end let(:article_note_other) do create(:ticket_article, sender_name: 'Agent', internal: true, type_name: 'note', ticket: ticket, updated_by_id: other_agent.id, created_by_id: other_agent.id) end let(:article_note_customer) do create(:ticket_article, sender_name: 'Customer', internal: false, type_name: 'note', ticket: ticket, updated_by_id: customer.id, created_by_id: customer.id) end let(:article_note_communication_self) do create(:ticket_article_type, name: 'note_communication', communication: true) create(:ticket_article, sender_name: 'Agent', internal: true, type_name: 'note_communication', ticket: ticket, updated_by_id: user.id, created_by_id: user.id) end let(:article_note_communication_other) do create(:ticket_article_type, name: 'note_communication', communication: true) create(:ticket_article, sender_name: 'Agent', internal: true, type_name: 'note_communication', ticket: ticket, updated_by_id: other_agent.id, created_by_id: other_agent.id) end def delete_article_via_rest(article) delete "/api/v1/ticket_articles/#{article.id}", params: {}, as: :json end shared_examples 'succeeds' do it 'succeeds' do expect { delete_article_via_rest(article) }.to change { Ticket::Article.exists?(id: article.id) } end end shared_examples 'fails' do it 'fails' do expect { delete_article_via_rest(article) }.not_to change { Ticket::Article.exists?(id: article.id) } end end shared_examples 'deleting' do |item:, now:, later:, much_later:| context "deleting #{item}" do let(:article) { send(item) } include_examples now ? 'succeeds' : 'fails' context '8 minutes later' do before { article && travel(8.minutes) } include_examples later ? 'succeeds' : 'fails' end context '11 minutes later' do before { article && travel(11.minutes) } include_examples much_later ? 'succeeds' : 'fails' end end end context 'as admin' do let(:user) { admin } include_examples 'deleting', item: 'article_communication', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_self', now: true, later: true, much_later: false include_examples 'deleting', item: 'article_note_other', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_customer', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_communication_self', now: true, later: true, much_later: false include_examples 'deleting', item: 'article_note_communication_other', now: false, later: false, much_later: false end context 'as agent' do let(:user) { agent } include_examples 'deleting', item: 'article_communication', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_self', now: true, later: true, much_later: false include_examples 'deleting', item: 'article_note_other', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_customer', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_communication_self', now: true, later: true, much_later: false include_examples 'deleting', item: 'article_note_communication_other', now: false, later: false, much_later: false end context 'as customer' do let(:user) { customer } include_examples 'deleting', item: 'article_communication', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_other', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_customer', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_communication_self', now: false, later: false, much_later: false include_examples 'deleting', item: 'article_note_communication_other', now: false, later: false, much_later: false end context 'with custom timeframe' do before { Setting.set 'ui_ticket_zoom_article_delete_timeframe', 6000 } let(:article) { article_note_self } context 'as admin' do let(:user) { admin } context 'deleting before timeframe' do before { article && travel(5000.seconds) } include_examples 'succeeds' end context 'deleting after timeframe' do before { article && travel(8000.seconds) } include_examples 'fails' end end context 'as agent' do let(:user) { agent } context 'deleting before timeframe' do before { article && travel(5000.seconds) } include_examples 'succeeds' end context 'deleting after timeframe' do before { article && travel(8000.seconds) } include_examples 'fails' end end end context 'with timeframe as 0' do before { Setting.set 'ui_ticket_zoom_article_delete_timeframe', 0 } let(:article) { article_note_self } context 'as agent' do let(:user) { agent } context 'deleting long after' do before { article && travel(99.days) } include_examples 'succeeds' end end end end end