zammad/test/controllers/taskbars_controller_test.rb

require 'test_helper'

class TaskbarsControllerTest < ActionDispatch::IntegrationTest
  setup do

    # set accept header
    @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json' }
    UserInfo.current_user_id = 1

    # create agent
    roles = Role.where(name: 'Agent')
    groups = Group.all

    @agent = User.create!(
      login: 'taskbar-agent@example.com',
      firstname: 'Taskbar',
      lastname: 'Agent',
      email: 'taskbar-agent@example.com',
      password: 'agentpw',
      active: true,
      roles: roles,
      groups: groups,
    )

    # create customer without org
    roles = Role.where(name: 'Customer')
    @customer_without_org = User.create!(
      login: 'taskbar-customer1@example.com',
      firstname: 'Taskbar',
      lastname: 'Customer1',
      email: 'taskbar-customer1@example.com',
      password: 'customer1pw',
      active: true,
      roles: roles,
    )

  end

  test 'task ownership' do
    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('taskbar-agent@example.com', 'agentpw')
    params = {
      user_id: @customer_without_org.id,
      client_id: '123',
      key: 'Ticket-5',
      callback: 'TicketZoom',
      state: {
        ticket: {
          owner_id: @agent.id,
        },
        article: {},
      },
      params: {
        ticket_id: 5,
        shown: true,
      },
      prio: 3,
      notify: false,
      active: false,
    }

    post '/api/v1/taskbar', params: params.to_json, headers: @headers.merge('Authorization' => credentials)
    assert_response(201)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('123', result['client_id'])
    assert_equal(@agent.id, result['user_id'])
    assert_equal(5, result['params']['ticket_id'])
    assert_equal(true, result['params']['shown'])

    taskbar_id = result['id']
    params[:user_id] = @customer_without_org.id
    params[:params] = {
      ticket_id: 5,
      shown: false,
    }
    put "/api/v1/taskbar/#{taskbar_id}", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('123', result['client_id'])
    assert_equal(@agent.id, result['user_id'])
    assert_equal(5, result['params']['ticket_id'])
    assert_equal(false, result['params']['shown'])

    # try to access with other user
    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('taskbar-customer1@example.com', 'customer1pw')
    params = {
      active: true,
    }
    put "/api/v1/taskbar/#{taskbar_id}", params: params.to_json, headers: @headers.merge('Authorization' => credentials)
    assert_response(422)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('Not allowed to access this task.', result['error'])

    delete "/api/v1/taskbar/#{taskbar_id}", params: {}, headers: @headers.merge('Authorization' => credentials)
    assert_response(422)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('Not allowed to access this task.', result['error'])

    # delete with correct user
    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('taskbar-agent@example.com', 'agentpw')
    delete "/api/v1/taskbar/#{taskbar_id}", params: {}, headers: @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert(result.blank?)
  end

end