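# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Request specs for the "From" / "X-On-Behalf-Of" impersonation mechanism of
# the REST API: an authenticated caller asks the API to act as another user.
#
# What these examples pin down:
# * the target user may be named by id, login (also in upper case) or e-mail;
# * the effective user (created_by_id, /users/me) is the target, not the caller;
# * a caller without the on-behalf-of permission is rejected with 403;
# * an unknown target is rejected with 403 and without a CORS header;
# * an impersonated request is still bound by the target's own access
#   (a group the target cannot use fails the lookup);
# * an impersonated request must not register a UserDevice for the target.
RSpec.describe 'Api Auth From', type: :request do
  let(:admin) do
    create(:admin, groups: Group.all)
  end

  let(:agent) do
    create(:agent)
  end

  let(:customer) do
    create(:customer, firstname: 'From')
  end

  # Payload for POST /api/v1/tickets shared by every ticket-creation example.
  # +group+ is the only field an example varies; +customer+ is resolved at
  # call time, so a context that overrides +let(:customer)+ is honoured.
  def ticket_params(group: 'Users')
    {
      title:       'a new ticket #3',
      group:       group,
      priority:    '2 normal',
      state:       'new',
      customer_id: customer.id,
      article:     {
        body: 'some test 123',
      },
    }
  end

  # Returns the last ActivityStream entry among +record_ids+ that belongs to
  # the Ticket with +ticket_id+, or nil if none matches.
  def ticket_activity_entry(record_ids, ticket_id)
    record_ids
      .map { |record_id| ActivityStream.find(record_id) }
      .select { |entry| entry.object.name == 'Ticket' && entry.o_id == ticket_id }
      .last
  end

  describe 'request handling' do
    it 'does From auth - ticket create admin for customer by id' do
      authenticated_as(admin, from: customer.id)
      post '/api/v1/tickets', params: ticket_params, as: :json

      expect(response).to have_http_status(:created)
      expect(json_response).to be_a(Hash)
      # The ticket is attributed to the impersonated customer, not the admin.
      expect(customer.id).to eq(json_response['created_by_id'])
    end

    it 'does From auth - ticket create admin for customer by login (upcase)' do
      authenticated_as(admin, from: customer.login.upcase)
      post '/api/v1/tickets', params: ticket_params, as: :json

      expect(response).to have_http_status(:created)
      expect(json_response).to be_a(Hash)
      expect(customer.id).to eq(json_response['created_by_id'])
    end

    it 'does From auth - ticket create admin for customer by login' do
      ActivityStream.cleanup(1.year)

      authenticated_as(admin, from: customer.login)
      post '/api/v1/tickets', params: ticket_params, as: :json

      expect(response).to have_http_status(:created)
      json_response_ticket = json_response
      expect(json_response_ticket).to be_a(Hash)
      expect(customer.id).to eq(json_response_ticket['created_by_id'])
      ticket_id = json_response_ticket['id'].to_i

      # The activity stream must attribute the creation to the customer as
      # well, in both the full (Hash with record_ids) and the plain (Array)
      # representation.
      authenticated_as(admin)
      get '/api/v1/activity_stream?full=true', params: {}, as: :json

      expect(response).to have_http_status(:ok)
      json_response_activity = json_response
      expect(json_response_activity).to be_a(Hash)

      ticket_created = ticket_activity_entry(json_response_activity['record_ids'], ticket_id)
      expect(ticket_created).to be_truthy
      expect(customer.id).to eq(ticket_created.created_by_id)

      get '/api/v1/activity_stream', params: {}, as: :json

      expect(response).to have_http_status(:ok)
      json_response_activity = json_response
      expect(json_response_activity).to be_a(Array)

      record_ids = json_response_activity.map { |record| record['id'] }
      ticket_created = ticket_activity_entry(record_ids, ticket_id)
      expect(ticket_created).to be_truthy
      expect(customer.id).to eq(ticket_created.created_by_id)
    end

    it 'does From auth - ticket create admin for customer by email' do
      authenticated_as(admin, from: customer.email)
      post '/api/v1/tickets', params: ticket_params, as: :json

      expect(response).to have_http_status(:created)
      expect(json_response).to be_a(Hash)
      expect(customer.id).to eq(json_response['created_by_id'])
    end

    it 'does From auth - ticket create admin for unknown' do
      authenticated_as(admin, from: 99_449_494_949)
      post '/api/v1/tickets', params: ticket_params, as: :json

      # An unresolvable target is a hard failure: no ticket, no CORS header on
      # the error response, and an error naming the rejected identifier.
      expect(response).to have_http_status(:forbidden)
      expect(response.header).not_to be_key('Access-Control-Allow-Origin')
      expect(json_response).to be_a(Hash)
      expect(json_response['error']).to eq("No such user '99449494949'")
    end

    it 'does From auth - ticket create customer for admin' do
      # A customer must not be able to escalate by acting as an admin.
      authenticated_as(customer, from: admin.email)
      post '/api/v1/tickets', params: ticket_params, as: :json

      expect(response).to have_http_status(:forbidden)
      expect(response.header).not_to be_key('Access-Control-Allow-Origin')
      expect(json_response).to be_a(Hash)
      expect(json_response['error']).to eq("Current user has no permission to use 'From'/'X-On-Behalf-Of'!")
    end

    it 'does From auth - ticket create admin for customer by email but no permitted action' do
      authenticated_as(admin, from: customer.email)
      post '/api/v1/tickets', params: ticket_params(group: 'secret1234'), as: :json

      # Acting on behalf of the customer does not widen access: the group
      # lookup is performed as the customer and fails.
      expect(response).to have_http_status(:unprocessable_entity)
      expect(response.header).not_to be_key('Access-Control-Allow-Origin')
      expect(json_response).to be_a(Hash)
      expect(json_response['error']).to eq('No lookup value found for \'group\': "secret1234"')
    end

    context 'when Token Admin has no ticket.* permission' do
      let(:admin) { create(:user, firstname: 'Requester', roles: [admin_user_role]) }
      let(:token) { create(:token, user: admin, permissions: %w[admin.user]) }
      let(:admin_user_role) do
        create(:role).tap { |role| role.permission_grant('admin.user') }
      end

      it 'creates Ticket because of behalf of user permission' do
        # The token only carries admin.user; the ticket is created with the
        # customer's own permissions, so no ticket.* permission is required.
        authenticated_as(admin, from: customer.email, token: token)
        post '/api/v1/tickets', params: ticket_params, as: :json

        expect(response).to have_http_status(:created)
        expect(json_response).to be_a(Hash)
        expect(customer.id).to eq(json_response['created_by_id'])
      end
    end

    context 'when customer account has device user permission' do
      let(:customer_user_devices_role) do
        create(:role).tap { |role| role.permission_grant('user_preferences.device') }
      end

      let(:customer) do
        create(:customer, firstname: 'Behalf of', role_ids: Role.signup_role_ids.push(customer_user_devices_role.id))
      end

      it 'creates Ticket because of behalf of customer user, which should not trigger a new user device', performs_jobs: true do
        authenticated_as(admin, from: customer.email)
        post '/api/v1/tickets', params: ticket_params, as: :json

        expect(response).to have_http_status(:created)
        expect(customer.id).to eq(json_response['created_by_id'])
        # Device tracking belongs to the real caller's session; an impersonated
        # request must not create a device entry for the target user.
        expect { perform_enqueued_jobs }.not_to change(UserDevice, :count)
      end
    end
  end

  describe 'user lookup' do
    it 'does From auth - user lookup by ID' do
      authenticated_as(admin, from: customer.id)
      get '/api/v1/users/me', as: :json

      expect(json_response.fetch('id')).to be customer.id
    end

    it 'does From auth - user lookup by login' do
      authenticated_as(admin, from: customer.login)
      get '/api/v1/users/me', as: :json

      expect(json_response.fetch('id')).to be customer.id
    end

    it 'does From auth - user lookup by email' do
      authenticated_as(admin, from: customer.email)
      get '/api/v1/users/me', as: :json

      expect(json_response.fetch('id')).to be customer.id
    end

    # https://github.com/zammad/zammad/issues/2851
    # A value that starts with digits must still be treated as an e-mail
    # address rather than being mistaken for a numeric user id.
    it 'does From auth - user lookup by email even if email starts with a digit' do
      customer.update! email: "#{agent.id}#{customer.email}"

      authenticated_as(admin, from: customer.email)
      get '/api/v1/users/me', as: :json

      expect(json_response.fetch('id')).to be customer.id
    end
  end
end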