article_policy.rb 1.4 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
  2. class Ticket::ArticlePolicy < ApplicationPolicy
  3. def show?
  4. access?(__method__)
  5. end
  6. def create?
  7. access?(__method__)
  8. end
  9. def update?
  10. ticket_policy.agent_update_access?
  11. end
  12. def destroy?
  13. return false if !access?('show?')
  14. # agents can destroy articles of type 'note'
  15. # which were created by themselves within the last x minutes
  16. if !user.permissions?('ticket.agent')
  17. return not_authorized('agent permission required')
  18. end
  19. if record.created_by_id != user.id
  20. return not_authorized('you can only delete your own notes')
  21. end
  22. if record.type.communication? && !record.internal?
  23. return not_authorized('communication articles cannot be deleted')
  24. end
  25. if deletable_timeframe? && record.created_at <= deletable_timeframe.ago
  26. return not_authorized('note is too old to be deleted')
  27. end
  28. true
  29. end
  30. private
  31. def deletable_timeframe_setting
  32. Setting.get('ui_ticket_zoom_article_delete_timeframe')
  33. end
  34. def deletable_timeframe?
  35. deletable_timeframe_setting&.positive?
  36. end
  37. def deletable_timeframe
  38. deletable_timeframe_setting.seconds
  39. end
  40. def access?(query)
  41. return false if record.internal && !ticket_policy.agent_read_access?
  42. ticket_policy.send(query)
  43. end
  44. def ticket_policy
  45. @ticket_policy ||= TicketPolicy.new(user, Ticket.lookup(id: record.ticket_id))
  46. end
  47. end