ticket_policy.rb 2.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
  2. class TicketPolicy < ApplicationPolicy
  3. def show?
  4. access?('read')
  5. end
  6. def create?
  7. return false if !ensure_group?
  8. access?('create')
  9. end
  10. def update?
  11. access?('change')
  12. end
  13. def destroy?
  14. return true if user.permissions?('admin')
  15. # This might look like a bug is actually just defining
  16. # what exception is being raised and shown to the user.
  17. return false if !access?('delete')
  18. not_authorized('admin permission required')
  19. end
  20. def full?
  21. access?('full')
  22. end
  23. def ensure_group?
  24. return true if record.group_id
  25. not_authorized Exceptions::UnprocessableEntity.new __("The required value 'group_id' is missing.")
  26. end
  27. def follow_up?
  28. # This method is used to check if a follow-up is possible (mostly based on the configuration).
  29. # Agents are always allowed to reopen tickets, configuration does not matter.
  30. return update? if Ticket::StateType.lookup(id: record.state.state_type_id).name != 'closed' # check if the ticket state is already closed
  31. return true if agent_update_access?
  32. # Check follow_up_possible configuration, based on the group.
  33. return true if follow_up_possible? && update?
  34. not_authorized Exceptions::UnprocessableEntity.new __('Cannot follow-up on a closed ticket. Please create a new ticket.')
  35. end
  36. def agent_read_access?
  37. agent_access?('read')
  38. end
  39. def agent_update_access?
  40. agent_access?('change')
  41. end
  42. def agent_create_access?
  43. agent_access?('create')
  44. end
  45. def create_mentions?
  46. return true if agent_read_access?
  47. not_authorized __('You have insufficient permissions to mention other users.')
  48. end
  49. private
  50. def follow_up_possible?
  51. case record.group.follow_up_possible
  52. when 'yes'
  53. true
  54. when 'new_ticket_after_certain_time'
  55. record.reopen_after_certain_time?
  56. when 'new_ticket'
  57. false
  58. end
  59. end
  60. def access?(access)
  61. return true if agent_access?(access)
  62. customer_access?
  63. end
  64. def agent_access?(access)
  65. return false if !user.permissions?('ticket.agent')
  66. return true if owner?
  67. user.group_access?(record.group.id, access)
  68. end
  69. def owner?
  70. record.owner_id == user.id
  71. end
  72. def customer_access?
  73. return false if !user.permissions?('ticket.customer')
  74. return customer_field_scope if customer?
  75. shared_organization?
  76. end
  77. def customer?
  78. record.customer_id == user.id
  79. end
  80. def shared_organization?
  81. return false if record.organization_id.blank?
  82. return false if user.organization_id.blank?
  83. return false if !user.organization_id?(record.organization_id)
  84. return false if !record.organization.shared?
  85. customer_field_scope
  86. end
  87. def customer_field_scope
  88. @customer_field_scope ||= ApplicationPolicy::FieldScope.new(deny: %i[time_unit time_units_per_type])
  89. end
  90. end