ticket_articles_controller.rb 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346
  1. # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
  2. class TicketArticlesController < ApplicationController
  3. include CreatesTicketArticles
  4. include ClonesTicketArticleAttachments
  5. prepend_before_action :authentication_check
  6. # GET /articles
  7. def index
  8. permission_check('admin')
  9. model_index_render(Ticket::Article, params)
  10. end
  11. # GET /articles/1
  12. def show
  13. article = Ticket::Article.find(params[:id])
  14. access!(article, 'read')
  15. if response_expand?
  16. result = article.attributes_with_association_names
  17. render json: result, status: :ok
  18. return
  19. end
  20. if response_full?
  21. full = Ticket::Article.full(params[:id])
  22. render json: full
  23. return
  24. end
  25. render json: article.attributes_with_association_names
  26. end
  27. # GET /ticket_articles/by_ticket/1
  28. def index_by_ticket
  29. ticket = Ticket.find(params[:id])
  30. access!(ticket, 'read')
  31. articles = []
  32. if response_expand?
  33. ticket.articles.each do |article|
  34. # ignore internal article if customer is requesting
  35. next if article.internal == true && current_user.permissions?('ticket.customer')
  36. result = article.attributes_with_association_names
  37. articles.push result
  38. end
  39. render json: articles, status: :ok
  40. return
  41. end
  42. if response_full?
  43. assets = {}
  44. record_ids = []
  45. ticket.articles.each do |article|
  46. # ignore internal article if customer is requesting
  47. next if article.internal == true && current_user.permissions?('ticket.customer')
  48. record_ids.push article.id
  49. assets = article.assets({})
  50. end
  51. render json: {
  52. record_ids: record_ids,
  53. assets: assets,
  54. }, status: :ok
  55. return
  56. end
  57. ticket.articles.each do |article|
  58. # ignore internal article if customer is requesting
  59. next if article.internal == true && current_user.permissions?('ticket.customer')
  60. articles.push article.attributes_with_association_names
  61. end
  62. render json: articles, status: :ok
  63. end
  64. # POST /articles
  65. def create
  66. ticket = Ticket.find(params[:ticket_id])
  67. access!(ticket, 'create')
  68. article = article_create(ticket, params)
  69. if response_expand?
  70. result = article.attributes_with_association_names
  71. render json: result, status: :created
  72. return
  73. end
  74. if response_full?
  75. full = Ticket::Article.full(params[:id])
  76. render json: full, status: :created
  77. return
  78. end
  79. render json: article.attributes_with_association_names, status: :created
  80. end
  81. # PUT /articles/1
  82. def update
  83. article = Ticket::Article.find(params[:id])
  84. access!(article, 'change')
  85. if !current_user.permissions?('ticket.agent') && !current_user.permissions?('admin')
  86. raise Exceptions::NotAuthorized, 'Not authorized (ticket.agent or admin permission required)!'
  87. end
  88. clean_params = Ticket::Article.association_name_to_id_convert(params)
  89. clean_params = Ticket::Article.param_cleanup(clean_params, true)
  90. # only apply preferences changes (keep not updated keys/values)
  91. clean_params = article.param_preferences_merge(clean_params)
  92. article.update!(clean_params)
  93. if response_expand?
  94. result = article.attributes_with_association_names
  95. render json: result, status: :ok
  96. return
  97. end
  98. if response_full?
  99. full = Ticket::Article.full(params[:id])
  100. render json: full, status: :ok
  101. return
  102. end
  103. render json: article.attributes_with_association_names, status: :ok
  104. end
  105. # DELETE /articles/1
  106. def destroy
  107. article = Ticket::Article.find(params[:id])
  108. access!(article, 'delete')
  109. if current_user.permissions?('admin')
  110. article.destroy!
  111. head :ok
  112. return
  113. end
  114. if current_user.permissions?('ticket.agent') && article.created_by_id == current_user.id && article.type.name == 'note'
  115. article.destroy!
  116. head :ok
  117. return
  118. end
  119. raise Exceptions::NotAuthorized, 'Not authorized (admin permission required)!'
  120. end
  121. # DELETE /ticket_attachment_upload
  122. def ticket_attachment_upload_delete
  123. if params[:id].present?
  124. Store.remove_item(params[:id])
  125. render json: {
  126. success: true,
  127. }
  128. return
  129. end
  130. if params[:form_id].present?
  131. Store.remove(
  132. object: 'UploadCache',
  133. o_id: params[:form_id],
  134. )
  135. render json: {
  136. success: true,
  137. }
  138. return
  139. end
  140. render json: { message: 'No such id or form_id!' }, status: :unprocessable_entity
  141. end
  142. # POST /ticket_attachment_upload
  143. def ticket_attachment_upload_add
  144. # store file
  145. file = params[:File]
  146. content_type = file.content_type
  147. if !content_type || content_type == 'application/octet-stream'
  148. content_type = if MIME::Types.type_for(file.original_filename).first
  149. MIME::Types.type_for(file.original_filename).first.content_type
  150. else
  151. 'application/octet-stream'
  152. end
  153. end
  154. headers_store = {
  155. 'Content-Type' => content_type
  156. }
  157. store = Store.add(
  158. object: 'UploadCache',
  159. o_id: params[:form_id],
  160. data: file.read,
  161. filename: file.original_filename,
  162. preferences: headers_store
  163. )
  164. # return result
  165. render json: {
  166. success: true,
  167. data: {
  168. id: store.id,
  169. filename: file.original_filename,
  170. size: store.size,
  171. }
  172. }
  173. end
  174. # POST /ticket_attachment_upload_clone_by_article
  175. def ticket_attachment_upload_clone_by_article
  176. article = Ticket::Article.find(params[:article_id])
  177. access!(article.ticket, 'read')
  178. render json: {
  179. attachments: article_attachments_clone(article),
  180. }
  181. end
  182. # GET /ticket_attachment/:ticket_id/:article_id/:id
  183. def attachment
  184. ticket = Ticket.lookup(id: params[:ticket_id])
  185. access!(ticket, 'read')
  186. article = Ticket::Article.find(params[:article_id])
  187. if ticket.id != article.ticket_id
  188. # check if requested ticket got merged
  189. if ticket.state.state_type.name != 'merged'
  190. raise Exceptions::NotAuthorized, 'No access, article_id/ticket_id is not matching.'
  191. end
  192. ticket = article.ticket
  193. access!(ticket, 'read')
  194. end
  195. list = article.attachments || []
  196. access = false
  197. list.each do |item|
  198. if item.id.to_i == params[:id].to_i
  199. access = true
  200. end
  201. end
  202. raise Exceptions::NotAuthorized, 'Requested file id is not linked with article_id.' if !access
  203. # find file
  204. file = Store.find(params[:id])
  205. disposition = sanitized_disposition
  206. send_data(
  207. file.content,
  208. filename: file.filename,
  209. type: file.preferences['Content-Type'] || file.preferences['Mime-Type'] || 'application/octet-stream',
  210. disposition: disposition
  211. )
  212. end
  213. # GET /ticket_article_plain/1
  214. def article_plain
  215. article = Ticket::Article.find(params[:id])
  216. access!(article, 'read')
  217. file = article.as_raw
  218. # find file
  219. return if !file
  220. send_data(
  221. file.content,
  222. filename: file.filename,
  223. type: 'message/rfc822',
  224. disposition: 'inline'
  225. )
  226. end
  227. # @path [GET] /ticket_articles/import_example
  228. #
  229. # @summary Download of example CSV file.
  230. # @notes The requester have 'admin' permissions to be able to download it.
  231. # @example curl -u 'me@example.com:test' http://localhost:3000/api/v1/ticket_articles/import_example
  232. #
  233. # @response_message 200 File download.
  234. # @response_message 401 Invalid session.
  235. def import_example
  236. permission_check('admin')
  237. csv_string = Ticket::Article.csv_example(
  238. col_sep: ',',
  239. )
  240. send_data(
  241. csv_string,
  242. filename: 'example.csv',
  243. type: 'text/csv',
  244. disposition: 'attachment'
  245. )
  246. end
  247. # @path [POST] /ticket_articles/import
  248. #
  249. # @summary Starts import.
  250. # @notes The requester have 'admin' permissions to be create a new import.
  251. # @example curl -u 'me@example.com:test' -F 'file=@/path/to/file/ticket_articles.csv' 'https://your.zammad/api/v1/ticket_articles/import?try=true'
  252. # @example curl -u 'me@example.com:test' -F 'file=@/path/to/file/ticket_articles.csv' 'https://your.zammad/api/v1/ticket_articles/import'
  253. #
  254. # @response_message 201 Import started.
  255. # @response_message 401 Invalid session.
  256. def import_start
  257. permission_check('admin')
  258. if Setting.get('import_mode') != true
  259. raise 'Only can import tickets if system is in import mode.'
  260. end
  261. string = params[:data]
  262. if string.blank? && params[:file].present?
  263. string = params[:file].read.force_encoding('utf-8')
  264. end
  265. raise Exceptions::UnprocessableEntity, 'No source data submitted!' if string.blank?
  266. result = Ticket::Article.csv_import(
  267. string: string,
  268. parse_params: {
  269. col_sep: ';',
  270. },
  271. try: params[:try],
  272. )
  273. render json: result, status: :ok
  274. end
  275. private
  276. def sanitized_disposition
  277. disposition = params.fetch(:disposition, 'inline')
  278. valid_disposition = %w[inline attachment]
  279. return disposition if valid_disposition.include?(disposition)
  280. raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
  281. end
  282. end