123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379 |
- # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
- require 'rails_helper'
- describe TicketPolicy do
- subject(:policy) { described_class.new(user, record) }
- let(:record) { create(:ticket) }
- context 'when given ticket’s owner' do
- let(:user) { record.owner }
- it { is_expected.to forbid_actions(%i[show full]) }
- context 'when owner has ticket.agent permission' do
- let(:user) do
- create(:agent, groups: [record.group]).tap do |user|
- record.update!(owner: user)
- end
- end
- it { is_expected.to permit_actions(%i[show full]) }
- end
- end
- context 'when given user that is agent and customer' do
- let(:user) { create(:agent_and_customer, groups: [record.group]) }
- it { is_expected.to permit_actions(%i[show full]) }
- end
- context 'when given a user that is neither owner nor customer' do
- let(:user) { create(:agent) }
- it { is_expected.to forbid_actions(%i[show full]) }
- context 'but the user is an agent with full access to ticket’s group' do
- before { user.group_names_access_map = { record.group.name => 'full' } }
- it { is_expected.to permit_actions(%i[show full]) }
- end
- context 'but the user is a customer from the same organization as ticket’s customer' do
- let(:record) { create(:ticket, customer: customer) }
- let(:customer) { create(:customer, organization: create(:organization)) }
- let(:user) { create(:customer, organization: customer.organization) }
- context 'and organization.shared is true (default)' do
- it { is_expected.to permit_actions(%i[show full]) }
- end
- context 'but organization.shared is false' do
- before { customer.organization.update(shared: false) }
- it { is_expected.to forbid_actions(%i[show full]) }
- end
- end
- context 'when user is admin with group access' do
- let(:user) { create(:user, roles: Role.where(name: %w[Admin])) }
- it { is_expected.to forbid_actions(%i[show full]) }
- end
- end
- context 'when user is agent' do
- context 'when owner has ticket.agent permission' do
- let(:user) do
- create(:agent, groups: [record.group]).tap do |user|
- record.update!(owner: user)
- end
- end
- it { is_expected.to permit_actions(%i[show full]) }
- end
- context 'when groups.follow_up_possible is set' do
- let(:record) { create(:ticket, customer: customer, group: group, state: Ticket::State.find_by(name: 'closed')) }
- let(:customer) { create(:customer, organization: create(:organization)) }
- let(:user) { create(:agent) }
- context 'to yes' do
- let(:group) { create(:group, follow_up_possible: 'yes') }
- context 'when user is customer' do
- let(:user) { record.customer }
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when user has no access' do
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- context 'when user has change access' do
- before do
- user.user_groups.create! group: group, access: 'change'
- end
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when user has read access' do
- before do
- user.user_groups.create! group: group, access: 'read'
- end
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- end
- context 'to new_ticket' do
- let(:group) { create(:group, follow_up_possible: 'new_ticket') }
- context 'when user is customer' do
- let(:user) { record.customer }
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- context 'when user has no access' do
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- context 'when user has change access' do
- before do
- user.user_groups.create! group: group, access: 'change'
- end
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when user has read access' do
- before do
- user.user_groups.create! group: group, access: 'read'
- end
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- end
- context 'to new_ticket_after_certain_time' do
- let(:group) { create(:group, follow_up_possible: 'new_ticket_after_certain_time', reopen_time_in_days: 2) }
- context 'when reopen_time_in_days is within configured time frame' do
- context 'when user is customer' do
- let(:user) { record.customer }
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when user has no access' do
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- context 'when user has change access' do
- before do
- user.user_groups.create! group: group, access: 'change'
- end
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when user has read access' do
- before do
- user.user_groups.create! group: group, access: 'read'
- end
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- end
- context 'when reopen_time_in_days is outside configured time frame' do
- before do
- policy
- travel 3.days
- end
- context 'when user is customer' do
- let(:user) { record.customer }
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- context 'when user has no access' do
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- context 'when user has change access' do
- before do
- user.user_groups.create! group: group, access: 'change'
- end
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when user has read access' do
- before do
- user.user_groups.create! group: group, access: 'read'
- end
- it { is_expected.to forbid_actions(%i[follow_up]) }
- end
- end
- end
- end
- end
- context 'when user is customer' do
- context 'when groups.follow_up_possible is yes' do
- let(:record) { create(:ticket, customer: user, group: group, state: Ticket::State.find_by(name: 'closed')) }
- let(:group) { create(:group, follow_up_possible: 'yes') }
- let(:user) { create(:customer, organization: create(:organization)) }
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when groups.follow_up_possible is new_ticket' do
- let(:record) { create(:ticket, customer: user, group: group, state: Ticket::State.find_by(name: 'closed')) }
- let(:group) { create(:group, follow_up_possible: 'new_ticket') }
- let(:user) { create(:customer, organization: create(:organization)) }
- it { is_expected.to forbid_action(:follow_up) }
- it { expect { policy.follow_up? }.to change(policy, :custom_exception).to(Exceptions::UnprocessableEntity) }
- end
- context 'when groups.follow_up_possible is new_ticket_after_certain_time' do
- let(:record) { create(:ticket, customer: user, group: group, state: Ticket::State.find_by(name: 'closed')) }
- let(:group) { create(:group, follow_up_possible: 'new_ticket_after_certain_time', reopen_time_in_days: 2) }
- let(:user) { create(:customer, organization: create(:organization)) }
- context 'when reopen_time_in_days is within reopen time frame' do
- it { is_expected.to permit_actions(%i[follow_up]) }
- end
- context 'when reopen_time_in_days is without reopen time frame' do
- before do
- policy
- travel 3.days
- end
- it { is_expected.to forbid_action(:follow_up) }
- it { expect { policy.follow_up? }.to change(policy, :custom_exception).to(Exceptions::UnprocessableEntity) }
- end
- end
- end
- describe 'agent access' do
- context 'when user is customer' do
- let(:user) { create(:customer) }
- let(:record) { create(:ticket, customer: user) }
- it { is_expected.to forbid_actions(%i[agent_read_access agent_update_access agent_create_access]) }
- end
- context 'when user is agent with read access' do
- let(:user) { create(:agent) }
- before do
- user.user_groups.create! group: record.group, access: 'read'
- end
- it { is_expected.to permit_actions(%i[agent_read_access]) }
- it { is_expected.to forbid_actions(%i[agent_update_access agent_create_access]) }
- end
- context 'when user is agent with update access' do
- let(:user) { create(:agent) }
- before do
- user.user_groups.create! group: record.group, access: 'change'
- end
- it { is_expected.to permit_actions(%i[agent_update_access]) }
- it { is_expected.to forbid_actions(%i[agent_read_access agent_create_access]) }
- end
- context 'when user is agent with full access' do
- let(:user) { create(:agent, groups: [record.group]) }
- it { is_expected.to permit_actions(%i[agent_read_access agent_update_access agent_update_access]) }
- end
- context 'when user is agent-customer with customer access to ticket' do
- let(:user) { create(:agent_and_customer) }
- let(:record) { create(:ticket, customer: user) }
- it { is_expected.to forbid_actions(%i[agent_read_access agent_update_access agent_create_access]) }
- end
- context 'when user is agent-customer with agent read access to ticket' do
- let(:user) { create(:agent_and_customer) }
- before do
- user.user_groups.create! group: record.group, access: 'read'
- end
- it { is_expected.to permit_actions(%i[agent_read_access]) }
- it { is_expected.to forbid_actions(%i[agent_update_access agent_create_access]) }
- end
- context 'when user is agent-customer with agent change access to ticket' do
- let(:user) { create(:agent_and_customer) }
- before do
- user.user_groups.create! group: record.group, access: 'change'
- end
- it { is_expected.to forbid_actions(%i[agent_read_access agent_create_access]) }
- it { is_expected.to permit_actions(%i[agent_update_access]) }
- end
- context 'when user is agent-customer with full agent access to ticket' do
- let(:user) { create(:agent_and_customer, groups: [record.group]) }
- it { is_expected.to permit_actions(%i[agent_read_access agent_update_access agent_create_access]) }
- end
- end
- describe '#create_mentions?' do
- let(:user) { create(:agent) }
- it 'delegates to #agent_read_access?' do
- allow(policy).to receive(:agent_read_access?)
- policy.create_mentions?
- expect(policy).to have_received(:agent_read_access?)
- end
- end
- describe 'fields restriction' do
- context 'when user is agent' do
- let(:user) { create(:agent, groups: [record.group]) }
- it 'does not forbid time unit and checklist fields' do
- expect(policy.show?).to permit_fields(%i[time_unit time_units_per_type checklist referencing_checklist_tickets])
- end
- end
- context 'when user is customer' do
- let(:user) { create(:customer) }
- before { record.update!(customer: user) }
- it 'forbids time unit and checklist fields' do
- expect(policy.show?)
- .to be_truthy
- .and(forbid_fields(%i[time_unit time_units_per_type checklist referencing_checklist_tickets]))
- end
- it 'permits other fields' do
- expect(policy.show?).to permit_fields(%i[id subject])
- end
- end
- context 'when user is customer via shared organization' do
- let(:organization) { create(:organization) }
- let(:user) { create(:customer, organization:) }
- let(:customer) { create(:customer, organization:) }
- let(:record) { create(:ticket, customer:) }
- it 'forbids time unit and checklist fields' do
- expect(policy.show?)
- .to be_truthy
- .and(forbid_fields(%i[time_unit time_units_per_type checklist referencing_checklist_tickets]))
- end
- it 'permits other fields' do
- expect(policy.show?).to permit_fields(%i[id subject])
- end
- end
- end
- end
|