diff --git a/client/src/app-components/ticket-viewer.js b/client/src/app-components/ticket-viewer.js
index 8554ffeb..c7eec937 100644
--- a/client/src/app-components/ticket-viewer.js
+++ b/client/src/app-components/ticket-viewer.js
@@ -393,7 +393,7 @@ class TicketViewer extends React.Component {
}
onDepartmentDropdownChanged(event) {
- AreYouSure.openModal(null, this.changeDepartment.bind(this, event.index));
+ AreYouSure.openModal(null, this.changeDepartment.bind(this, this.getDepartmentsForTransfer()[event.index].id));
}
onAssignmentChange(event) {
@@ -492,14 +492,20 @@ class TicketViewer extends React.Component {
});
}
- changeDepartment(index) {
+ changeDepartment(departmentId) {
+ const {
+ userId,
+ userDepartments,
+ ticket
+ } = this.props;
+
return API.call({
path: '/ticket/change-department',
data: {
- ticketNumber: this.props.ticket.ticketNumber,
- departmentId: this.getDepartmentsForTransfer()[index].id
+ ticketNumber: ticket.ticketNumber,
+ departmentId
}
- }).then(this.onTicketModification.bind(this));
+ }).then((_.some(userDepartments, {id: departmentId}) || (userId === (ticket.author.id*1))) ? this.onTicketModification.bind(this) : history.goBack());
}
addTag(tag) {
diff --git a/server/controllers/staff/un-assign-ticket.php b/server/controllers/staff/un-assign-ticket.php
index 67aad332..d69b3306 100755
--- a/server/controllers/staff/un-assign-ticket.php
+++ b/server/controllers/staff/un-assign-ticket.php
@@ -55,7 +55,7 @@ class UnAssignStaffController extends Controller {
throw new RequestException(ERRORS::NO_PERMISSION);
}
- if($owner && ($ticket->isOwner($user) || $user->level > 2)) {
+ if($owner) {
if(!$ticket->isAuthor($owner)) {
$owner->sharedTicketList->remove($ticket);
$owner->store();
diff --git a/server/controllers/ticket/change-department.php b/server/controllers/ticket/change-department.php
index 58f363f3..39d0dd79 100755
--- a/server/controllers/ticket/change-department.php
+++ b/server/controllers/ticket/change-department.php
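Review bot: On the final `.then(...)` line `history.goBack()` is executed immediately while the ternary is being evaluated, i.e. before the request resolves and regardless of its outcome, because the ternary chooses between a bound function and the return value of `history.goBack()` (undefined) — a staff member outside the target department is navigated away at click time and the response is never handled. Move the decision into the callback: `.then(() => (_.some(userDepartments, {id: departmentId}) || userId === Number(ticket.author.id)) ? this.onTicketModification() : history.goBack())`; `Number(...)` is the same coercion as `*1` and makes the intent visible. There is still no rejection handler on the chain, so unless API.call reports failures globally (not visible in this hunk) a refused transfer is silent. This client-side check only decides what the page shows afterwards; the server-side NO_PERMISSION check in change-department.php remains the real authorization, which is the right place for it.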
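Review bot: Removing `($ticket->isOwner($user) || $user->level > 2)` from the `if($owner)` guard means any staff member who passes the preceding NO_PERMISSION check (its condition sits above the hunk, and the enclosing handler starts outside it) can now strip another staff member's assignment, which the renamed level-1 test explicitly asserts as success. If the relaxation exists only so ChangeDepartmentController can reuse this controller, keeping the guard on the public endpoint and moving the owner-removal into a helper that the department-change path calls directly would avoid widening `/staff/un-assign-ticket` for every caller. If it is intended, record the new contract at the guard: `// Any staff allowed to act on this ticket may clear its owner; being the owner or level 3 is no longer required (relied on by ChangeDepartmentController).`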
@@ -60,6 +60,14 @@ class ChangeDepartmentController extends Controller {
throw new RequestException(ERRORS::NO_PERMISSION);
}
+ if($ticket->owner && !$ticket->owner->sharedDepartmentList->includesId($department->id)) {
+ $unAssignTicketController = new UnAssignStaffController($user);
+ $unAssignTicketController->validate();
+ $unAssignTicketController->handler();
+ }
+
+ $ticket = Ticket::getByTicketNumber($ticketNumber);
+
$event = Ticketevent::getEvent(Ticketevent::DEPARTMENT_CHANGED);
$event->setProperties(array(
'authorStaff' => $user,
@@ -71,12 +79,6 @@ class ChangeDepartmentController extends Controller {
$ticket->unread = !$ticket->isAuthor($user);
$ticket->store();
- if($ticket->owner && !$ticket->owner->sharedDepartmentList->includesId($department->id)) {
- $unAssignTicketController = new UnAssignStaffController($ticket->owner);
- $unAssignTicketController->validate();
- $unAssignTicketController->handler();
- }
-
Log::createLog('DEPARTMENT_CHANGED', $ticket->ticketNumber);
Response::respondSuccess();
diff --git a/tests/staff/un-assign-ticket.rb b/tests/staff/un-assign-ticket.rb
index 4b0676bf..4f8d3cbe 100644
--- a/tests/staff/un-assign-ticket.rb
+++ b/tests/staff/un-assign-ticket.rb
@@ -10,6 +10,7 @@ describe '/staff/un-assign-ticket' do
it 'should unassign ticket if it is the current owner' do
ticket = $database.getRow('ticket', 1 , 'id')
+
result = request('/staff/un-assign-ticket', {
ticketNumber: ticket['ticket_number'],
csrf_userid: $csrf_userid,
@@ -28,8 +29,9 @@ describe '/staff/un-assign-ticket' do
(staff_ticket).should.equal(nil)
end
- it 'should fail if ticket is not yours and you are a staff level 1' do
+ it 'should unassign ticket if you are a staff level 1' do
$database.query('update staff set level="1" where id="1";')
+ ticket = $database.getRow('ticket', 1 , 'id')
Scripts.logout()
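Review bot: The new block runs `UnAssignStaffController` as the caller (`$user`) where the removed code ran it as `$ticket->owner`, so the nested `validate()`/`handler()` now authorize the removal against the caller's permissions rather than the owner's; together with the relaxed guard in un-assign-ticket.php this is what lets a non-owner evict the current owner, and it deserves a comment such as `// Executed as the caller: the owner is dropped when they lack access to the new department.` The removal is also persisted before the department itself changes, and the ticket is re-read via `$ticketNumber` (presumably the validated request value — confirm it is in scope here) so the event below sees the updated owner; neither ordering is transactional, but now a failure in the later `$ticket->store()` leaves a ticket that was un-assigned yet never moved. If `UnAssignStaffController::handler()` writes its own response (not visible here, and the call was already made this way before the move), the `Response::respondSuccess()` at the end of this method would emit a second body — worth confirming while the call is being relocated.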
@@ -40,6 +42,7 @@ describe '/staff/un-assign-ticket' do
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
})
+ (result['status']).should.equal('success')
ticket = $database.getRow('ticket', 1 , 'id')
@@ -53,15 +56,59 @@ describe '/staff/un-assign-ticket' do
csrf_token: $csrf_token
})
- (result['status']).should.equal('fail')
- (result['message']).should.equal('NO_PERMISSION')
+ (result['status']).should.equal('success')
+
+ $database.query('update staff set level="3" where id="1";')
+ end
+
+ it 'should unassign ticket if you are a staff level 2' do
+ $database.query('update staff set level="2" where id="1";')
+
+ ticket = $database.getRow('ticket', 1 , 'id')
+
+ Scripts.logout()
+ Scripts.login('ayra2@opensupports.com', 'starkpassword', true)
+
+ result = request('/staff/assign-ticket', {
+ ticketNumber: ticket['ticket_number'],
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ ticket = $database.getRow('ticket', 1 , 'id')
+
+ Scripts.logout()
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ result = request('/staff/un-assign-ticket', {
+ ticketNumber: ticket['ticket_number'],
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+ $database.query('update staff set level="3" where id="1";')
end
it 'should unassign ticket if you are a staff level 3' do
ticket = $database.getRow('ticket', 1 , 'id')
+ Scripts.logout()
Scripts.login($staff[:email], $staff[:password], true)
+
+ result = request('/staff/assign-ticket', {
+ ticketNumber: ticket['ticket_number'],
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ ticket = $database.getRow('ticket', 1 , 'id')
+ result = request('/staff/un-assign-ticket', {
ticketNumber: ticket['ticket_number'],
csrf_userid: $csrf_userid,
diff --git a/tests/ticket/change-department.rb b/tests/ticket/change-department.rb
index 1b55942b..3a5249e7 100644
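Review bot: After this hunk no request to `/staff/un-assign-ticket` in the file is expected to fail — the `fail`/`NO_PERMISSION` expectations are replaced by `success`, and the new level-2 case only checks the status, never that the owner was actually cleared. Add `ticket = $database.getRow('ticket', 1 , 'id')` and `(ticket['owner_id']).should.equal(nil)` after each successful un-assign, and keep one negative case (a staff member without access to the ticket's department, or a ticket with no owner) so the controller's remaining NO_PERMISSION branch is still covered. The cases also share ticket 1 and only restore `level="3"` on the success path, so a failing assertion leaves staff 1 at level 1 or 2 for every later test in the run.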
--- a/tests/ticket/change-department.rb
+++ b/tests/ticket/change-department.rb
@@ -103,4 +103,153 @@ describe '/ticket/change-department' do
staffId: 1
})
end
+ it 'should not unassing ticket if owner has the new ticket department and staff does not have it' do
+ request('/user/logout')
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ result = request('/staff/edit', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ departments: '[1, 2]',
+ staffId: 1
+ })
+ (result['status']).should.equal('success')
+
+ result = request('/staff/invite', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'Jon Snow',
+ email: 'jon_snow@opensupports.com',
+ level: 2,
+ profilePic: '',
+ departments: '[1, 3]'
+ })
+
+ (result['status']).should.equal('success')
+
+ Scripts.createTicket('title of the ticket to change department', 'this is the content of the ticket to change department', 1)
+
+ staffId = $database.getRow('staff','jon_snow@opensupports.com','email')['id']
+ ticket = $database.getRow('ticket', 'title of the ticket to change department', 'title')
+
+ (ticket['owner_id']).should.equal(nil)
+
+ result = request('/staff/assign-ticket', {
+ ticketNumber: ticket['ticket_number'],
+ staffId: staffId,
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ ticket = $database.getRow('ticket', 'title of the ticket to change department', 'title')
+
+ (ticket['owner_id']).should.equal(staffId)
+
+ result = request('/ticket/change-department', {
+ ticketNumber: ticket['ticket_number'],
+ departmentId: 3,
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ ticket = $database.getRow('ticket', 'title of the ticket to change department', 'title')
+
+ (ticket['owner_id']).should.equal(staffId)
+
+ result = request('/staff/un-assign-ticket', {
+ ticketNumber: ticket['ticket_number'],
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ ticket =
$database.getRow('ticket', 'title of the ticket to change department', 'title')
+
+ (ticket['owner_id']).should.equal(nil)
+
+ result = request('/ticket/delete', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ ticketNumber: ticket['ticket_number']
+ })
+
+ (result['status']).should.equal('success')
+
+ staff = $database.getRow('staff', 'jon_snow@opensupports.com', 'email')
+ Scripts.deleteStaff(staff['id'])
+ end
+ it 'should unassing ticket if owner has not the new ticket department' do
+ request('/user/logout')
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ result = request('/staff/edit', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ departments: '[1, 2, 3]',
+ staffId: 1
+ })
+ (result['status']).should.equal('success')
+
+ result = request('/staff/invite', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'Oberyn',
+ email: 'Oberyn_martel@opensupports.com',
+ level: 2,
+ profilePic: '',
+ departments: '[1, 2]'
+ })
+
+ (result['status']).should.equal('success')
+
+ Scripts.createTicket('title of the ticket to change department', 'this is the content of the ticket to change department', 1)
+
+ staffId = $database.getRow('staff','Oberyn_martel@opensupports.com','email')['id']
+ ticket = $database.getRow('ticket', 'title of the ticket to change department', 'title')
+
+ (ticket['owner_id']).should.equal(nil)
+
+ result = request('/staff/assign-ticket', {
+ ticketNumber: ticket['ticket_number'],
+ staffId: staffId,
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ ticket = $database.getRow('ticket', 'title of the ticket to change department', 'title')
+
+ (ticket['owner_id']).should.equal(staffId)
+
+ result = request('/ticket/change-department', {
+ ticketNumber: ticket['ticket_number'],
+ departmentId: 3,
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ ticket =
$database.getRow('ticket', 'title of the ticket to change department', 'title')
+
+ (ticket['owner_id']).should.equal(nil)
+
+ result = request('/ticket/delete', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ ticketNumber: ticket['ticket_number']
+ })
+
+ (result['status']).should.equal('success')
+
+ staff = $database.getRow('staff', 'Oberyn_martel@opensupports.com', 'email')
+
+ Scripts.deleteStaff(staff['id'])
+ end
end
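Review bot: Neither new case asserts the operation under test: after `/ticket/change-department` returns success nothing verifies that the ticket moved to department 3, so add `(ticket['department_id']).should.equal(3)` (presumably the column, by analogy with `owner_id`) beside the owner assertion in both cases. The `it` descriptions spell `unassing` for `unassign`, and the second reads better as `should unassign ticket if owner does not have the new department`. Both cases change staff 1's departments (`'[1, 2]'`, then `'[1, 2, 3]'`) and never restore them, so later tests depend on this order; resetting the departments in the cleanup next to `Scripts.deleteStaff` keeps them independent. The first case finally has the logged-in `$staff` (staff 1, if that is the same account, then holding only departments `[1, 2]`) un-assign a ticket sitting in department 3 and expects success — that is a direct consequence of the relaxed guard in un-assign-ticket.php, so the expectation deserves to be named in the test title rather than appear as incidental cleanup.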