ticket_articles_controller.rb 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291
  1. # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
  2. class TicketArticlesController < ApplicationController
  3. include CreatesTicketArticles
  4. include ClonesTicketArticleAttachments
  5. prepend_before_action -> { authorize! }, only: %i[index import_example import_start]
  6. prepend_before_action :authentication_check
  7. # GET /articles
  8. def index
  9. model_index_render(Ticket::Article, params)
  10. end
  11. # GET /articles/1
  12. def show
  13. article = Ticket::Article.find(params[:id])
  14. authorize!(article)
  15. if response_expand?
  16. result = article.attributes_with_association_names
  17. render json: result, status: :ok
  18. return
  19. end
  20. if response_full?
  21. full = Ticket::Article.full(params[:id])
  22. render json: full
  23. return
  24. end
  25. render json: article.attributes_with_association_names
  26. end
  27. # GET /ticket_articles/by_ticket/1
  28. def index_by_ticket
  29. ticket = Ticket.find(params[:id])
  30. authorize!(ticket, :show?)
  31. articles = []
  32. if response_expand?
  33. ticket.articles.each do |article|
  34. next if !authorized?(article, :show?)
  35. result = article.attributes_with_association_names
  36. articles.push result
  37. end
  38. render json: articles, status: :ok
  39. return
  40. end
  41. if response_full?
  42. assets = {}
  43. record_ids = []
  44. ticket.articles.each do |article|
  45. next if !authorized?(article, :show?)
  46. record_ids.push article.id
  47. assets = article.assets({})
  48. end
  49. render json: {
  50. record_ids: record_ids,
  51. assets: assets,
  52. }, status: :ok
  53. return
  54. end
  55. ticket.articles.each do |article|
  56. next if !authorized?(article, :show?)
  57. articles.push article.attributes_with_association_names
  58. end
  59. render json: articles, status: :ok
  60. end
  61. # POST /articles
  62. def create
  63. ticket = Ticket.find(params[:ticket_id])
  64. authorize!(ticket)
  65. article = article_create(ticket, params)
  66. if response_expand?
  67. result = article.attributes_with_association_names
  68. render json: result, status: :created
  69. return
  70. end
  71. if response_full?
  72. full = Ticket::Article.full(params[:id])
  73. render json: full, status: :created
  74. return
  75. end
  76. render json: article.attributes_with_association_names, status: :created
  77. end
  78. # PUT /articles/1
  79. def update
  80. article = Ticket::Article.find(params[:id])
  81. authorize!(article)
  82. # only update internal and highlight info
  83. clean_params = {}
  84. if !params[:internal].nil?
  85. clean_params[:internal] = params[:internal]
  86. end
  87. if params.dig(:preferences, :highlight).present?
  88. clean_params = article.param_preferences_merge(clean_params.merge(
  89. preferences: {
  90. highlight: params[:preferences][:highlight].to_s
  91. }
  92. ))
  93. end
  94. article.update!(clean_params)
  95. if response_expand?
  96. result = article.attributes_with_association_names
  97. render json: result, status: :ok
  98. return
  99. end
  100. if response_full?
  101. full = Ticket::Article.full(params[:id])
  102. render json: full, status: :ok
  103. return
  104. end
  105. render json: article.attributes_with_association_names, status: :ok
  106. end
  107. # DELETE /api/v1/ticket_articles/:id
  108. def destroy
  109. article = Ticket::Article.find(params[:id])
  110. authorize!(article)
  111. article.destroy!
  112. render json: {}, status: :ok
  113. end
  114. # POST /ticket_attachment_upload_clone_by_article
  115. def ticket_attachment_upload_clone_by_article
  116. article = Ticket::Article.find(params[:article_id])
  117. authorize!(article.ticket, :show?)
  118. render json: {
  119. attachments: article_attachments_clone(article),
  120. }
  121. end
  122. # GET /ticket_attachment/:ticket_id/:article_id/:id
  123. def attachment
  124. ticket = Ticket.lookup(id: params[:ticket_id])
  125. authorize!(ticket, :show?)
  126. article = Ticket::Article.find(params[:article_id])
  127. if ticket.id != article.ticket_id
  128. # check if requested ticket got merged
  129. if ticket.state.state_type.name != 'merged'
  130. raise Exceptions::NotAuthorized, 'No access, article_id/ticket_id is not matching.'
  131. end
  132. ticket = article.ticket
  133. authorize!(ticket, :show?)
  134. end
  135. list = article.attachments || []
  136. access = false
  137. list.each do |item|
  138. if item.id.to_i == params[:id].to_i
  139. access = true
  140. end
  141. end
  142. raise Exceptions::NotAuthorized, 'Requested file id is not linked with article_id.' if !access
  143. # find file
  144. file = Store.find(params[:id])
  145. disposition = sanitized_disposition
  146. content = nil
  147. if params[:view].present? && file.preferences[:resizable] == true
  148. if file.preferences[:content_inline] == true && params[:view] == 'inline'
  149. content = file.content_inline
  150. elsif file.preferences[:content_preview] == true && params[:view] == 'preview'
  151. content = file.content_preview
  152. end
  153. end
  154. if content.blank?
  155. content = file.content
  156. end
  157. send_data(
  158. content,
  159. filename: file.filename,
  160. type: file.preferences['Content-Type'] || file.preferences['Mime-Type'] || 'application/octet-stream',
  161. disposition: disposition
  162. )
  163. end
  164. # GET /ticket_article_plain/1
  165. def article_plain
  166. article = Ticket::Article.find(params[:id])
  167. authorize!(article, :show?)
  168. file = article.as_raw
  169. # find file
  170. return if !file
  171. send_data(
  172. file.content,
  173. filename: file.filename,
  174. type: 'message/rfc822',
  175. disposition: 'inline'
  176. )
  177. end
  178. # @path [GET] /ticket_articles/import_example
  179. #
  180. # @summary Download of example CSV file.
  181. # @notes The requester have 'admin' permissions to be able to download it.
  182. # @example curl -u 'me@example.com:test' http://localhost:3000/api/v1/ticket_articles/import_example
  183. #
  184. # @response_message 200 File download.
  185. # @response_message 401 Invalid session.
  186. def import_example
  187. csv_string = Ticket::Article.csv_example(
  188. col_sep: ',',
  189. )
  190. send_data(
  191. csv_string,
  192. filename: 'example.csv',
  193. type: 'text/csv',
  194. disposition: 'attachment'
  195. )
  196. end
  197. # @path [POST] /ticket_articles/import
  198. #
  199. # @summary Starts import.
  200. # @notes The requester have 'admin' permissions to be create a new import.
  201. # @example curl -u 'me@example.com:test' -F 'file=@/path/to/file/ticket_articles.csv' 'https://your.zammad/api/v1/ticket_articles/import?try=true'
  202. # @example curl -u 'me@example.com:test' -F 'file=@/path/to/file/ticket_articles.csv' 'https://your.zammad/api/v1/ticket_articles/import'
  203. #
  204. # @response_message 201 Import started.
  205. # @response_message 401 Invalid session.
  206. def import_start
  207. if Setting.get('import_mode') != true
  208. raise 'Only can import tickets if system is in import mode.'
  209. end
  210. string = params[:data]
  211. if string.blank? && params[:file].present?
  212. string = params[:file].read.force_encoding('utf-8')
  213. end
  214. raise Exceptions::UnprocessableEntity, 'No source data submitted!' if string.blank?
  215. result = Ticket::Article.csv_import(
  216. string: string,
  217. parse_params: {
  218. col_sep: ';',
  219. },
  220. try: params[:try],
  221. )
  222. render json: result, status: :ok
  223. end
  224. def retry_security_process
  225. article = Ticket::Article.find(params[:id])
  226. authorize!(article, :update?)
  227. result = SecureMailing.retry(article)
  228. render json: result
  229. end
  230. private
  231. def sanitized_disposition
  232. disposition = params.fetch(:disposition, 'inline')
  233. valid_disposition = %w[inline attachment]
  234. return disposition if valid_disposition.include?(disposition)
  235. raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
  236. end
  237. end