ticket_articles_controller.rb 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333
  1. # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
  2. class TicketArticlesController < ApplicationController
  3. include CreatesTicketArticles
  4. include ClonesTicketArticleAttachments
  5. prepend_before_action :authentication_check
  6. # GET /articles
  7. def index
  8. permission_check('admin')
  9. model_index_render(Ticket::Article, params)
  10. end
  11. # GET /articles/1
  12. def show
  13. article = Ticket::Article.find(params[:id])
  14. access!(article, 'read')
  15. if response_expand?
  16. result = article.attributes_with_association_names
  17. render json: result, status: :ok
  18. return
  19. end
  20. if response_full?
  21. full = Ticket::Article.full(params[:id])
  22. render json: full
  23. return
  24. end
  25. render json: article.attributes_with_association_names
  26. end
  27. # GET /ticket_articles/by_ticket/1
  28. def index_by_ticket
  29. ticket = Ticket.find(params[:id])
  30. access!(ticket, 'read')
  31. articles = []
  32. if response_expand?
  33. ticket.articles.each do |article|
  34. # ignore internal article if customer is requesting
  35. next if article.internal == true && current_user.permissions?('ticket.customer')
  36. result = article.attributes_with_association_names
  37. articles.push result
  38. end
  39. render json: articles, status: :ok
  40. return
  41. end
  42. if response_full?
  43. assets = {}
  44. record_ids = []
  45. ticket.articles.each do |article|
  46. # ignore internal article if customer is requesting
  47. next if article.internal == true && current_user.permissions?('ticket.customer')
  48. record_ids.push article.id
  49. assets = article.assets({})
  50. end
  51. render json: {
  52. record_ids: record_ids,
  53. assets: assets,
  54. }, status: :ok
  55. return
  56. end
  57. ticket.articles.each do |article|
  58. # ignore internal article if customer is requesting
  59. next if article.internal == true && current_user.permissions?('ticket.customer')
  60. articles.push article.attributes_with_association_names
  61. end
  62. render json: articles, status: :ok
  63. end
  64. # POST /articles
  65. def create
  66. ticket = Ticket.find(params[:ticket_id])
  67. access!(ticket, 'create')
  68. article = article_create(ticket, params)
  69. if response_expand?
  70. result = article.attributes_with_association_names
  71. render json: result, status: :created
  72. return
  73. end
  74. if response_full?
  75. full = Ticket::Article.full(params[:id])
  76. render json: full, status: :created
  77. return
  78. end
  79. render json: article.attributes_with_association_names, status: :created
  80. end
  81. # PUT /articles/1
  82. def update
  83. article = Ticket::Article.find(params[:id])
  84. access!(article, 'change')
  85. if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin')
  86. raise Exceptions::NotAuthorized, 'Not authorized (ticket.agent or admin permission required)!'
  87. end
  88. clean_params = Ticket::Article.association_name_to_id_convert(params)
  89. clean_params = Ticket::Article.param_cleanup(clean_params, true)
  90. article.update!(clean_params)
  91. if response_expand?
  92. result = article.attributes_with_association_names
  93. render json: result, status: :ok
  94. return
  95. end
  96. if response_full?
  97. full = Ticket::Article.full(params[:id])
  98. render json: full, status: :ok
  99. return
  100. end
  101. render json: article.attributes_with_association_names, status: :ok
  102. end
  103. # DELETE /articles/1
  104. def destroy
  105. article = Ticket::Article.find(params[:id])
  106. access!(article, 'delete')
  107. if current_user.permissions?('admin')
  108. article.destroy!
  109. head :ok
  110. return
  111. end
  112. if current_user.permissions?('ticket.agent') && article.created_by_id == current_user.id && article.type.name == 'note'
  113. article.destroy!
  114. head :ok
  115. return
  116. end
  117. raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!'
  118. end
  119. # DELETE /ticket_attachment_upload
  120. def ticket_attachment_upload_delete
  121. if params[:id].present?
  122. Store.remove_item(params[:id])
  123. render json: {
  124. success: true,
  125. }
  126. return
  127. end
  128. if params[:form_id].present?
  129. Store.remove(
  130. object: 'UploadCache',
  131. o_id: params[:form_id],
  132. )
  133. render json: {
  134. success: true,
  135. }
  136. return
  137. end
  138. render json: { message: 'No such id or form_id!' }, status: :unprocessable_entity
  139. end
  140. # POST /ticket_attachment_upload
  141. def ticket_attachment_upload_add
  142. # store file
  143. file = params[:File]
  144. content_type = file.content_type
  145. if !content_type || content_type == 'application/octet-stream'
  146. content_type = if MIME::Types.type_for(file.original_filename).first
  147. MIME::Types.type_for(file.original_filename).first.content_type
  148. else
  149. 'application/octet-stream'
  150. end
  151. end
  152. headers_store = {
  153. 'Content-Type' => content_type
  154. }
  155. store = Store.add(
  156. object: 'UploadCache',
  157. o_id: params[:form_id],
  158. data: file.read,
  159. filename: file.original_filename,
  160. preferences: headers_store
  161. )
  162. # return result
  163. render json: {
  164. success: true,
  165. data: {
  166. id: store.id,
  167. filename: file.original_filename,
  168. size: store.size,
  169. }
  170. }
  171. end
  172. # POST /ticket_attachment_upload_clone_by_article
  173. def ticket_attachment_upload_clone_by_article
  174. article = Ticket::Article.find(params[:article_id])
  175. access!(article.ticket, 'read')
  176. render json: {
  177. attachments: article_attachments_clone(article),
  178. }
  179. end
  180. # GET /ticket_attachment/:ticket_id/:article_id/:id
  181. def attachment
  182. ticket = Ticket.lookup(id: params[:ticket_id])
  183. access!(ticket, 'read')
  184. article = Ticket::Article.find(params[:article_id])
  185. if ticket.id != article.ticket_id
  186. # check if requested ticket got merged
  187. if ticket.state.state_type.name != 'merged'
  188. raise Exceptions::NotAuthorized, 'No access, article_id/ticket_id is not matching.'
  189. end
  190. ticket = article.ticket
  191. access!(ticket, 'read')
  192. end
  193. list = article.attachments || []
  194. access = false
  195. list.each do |item|
  196. if item.id.to_i == params[:id].to_i
  197. access = true
  198. end
  199. end
  200. raise Exceptions::NotAuthorized, 'Requested file id is not linked with article_id.' if !access
  201. # find file
  202. file = Store.find(params[:id])
  203. disposition = sanitized_disposition
  204. send_data(
  205. file.content,
  206. filename: file.filename,
  207. type: file.preferences['Content-Type'] || file.preferences['Mime-Type'] || 'application/octet-stream',
  208. disposition: disposition
  209. )
  210. end
  211. # GET /ticket_article_plain/1
  212. def article_plain
  213. article = Ticket::Article.find(params[:id])
  214. access!(article, 'read')
  215. file = article.as_raw
  216. # find file
  217. return if !file
  218. send_data(
  219. file.content,
  220. filename: file.filename,
  221. type: 'message/rfc822',
  222. disposition: 'inline'
  223. )
  224. end
  225. # @path [GET] /ticket_articles/import_example
  226. #
  227. # @summary Download of example CSV file.
  228. # @notes The requester have 'admin' permissions to be able to download it.
  229. # @example curl -u 'me@example.com:test' http://localhost:3000/api/v1/ticket_articles/import_example
  230. #
  231. # @response_message 200 File download.
  232. # @response_message 401 Invalid session.
  233. def import_example
  234. permission_check('admin')
  235. csv_string = Ticket::Article.csv_example(
  236. col_sep: ',',
  237. )
  238. send_data(
  239. csv_string,
  240. filename: 'example.csv',
  241. type: 'text/csv',
  242. disposition: 'attachment'
  243. )
  244. end
  245. # @path [POST] /ticket_articles/import
  246. #
  247. # @summary Starts import.
  248. # @notes The requester have 'admin' permissions to be create a new import.
  249. # @example curl -u 'me@example.com:test' -F 'file=@/path/to/file/ticket_articles.csv' 'https://your.zammad/api/v1/ticket_articles/import?try=true'
  250. # @example curl -u 'me@example.com:test' -F 'file=@/path/to/file/ticket_articles.csv' 'https://your.zammad/api/v1/ticket_articles/import'
  251. #
  252. # @response_message 201 Import started.
  253. # @response_message 401 Invalid session.
  254. def import_start
  255. permission_check('admin')
  256. if Setting.get('import_mode') != true
  257. raise 'Only can import tickets if system is in import mode.'
  258. end
  259. result = Ticket::Article.csv_import(
  260. string: params[:file].read.force_encoding('utf-8'),
  261. parse_params: {
  262. col_sep: ';',
  263. },
  264. try: params[:try],
  265. )
  266. render json: result, status: :ok
  267. end
  268. private
  269. def sanitized_disposition
  270. disposition = params.fetch(:disposition, 'inline')
  271. valid_disposition = %w[inline attachment]
  272. return disposition if valid_disposition.include?(disposition)
  273. raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
  274. end
  275. end