diff --git a/server/controllers/staff/assign-ticket.php b/server/controllers/staff/assign-ticket.php
index 77cfd415..93af3332 100755
--- a/server/controllers/staff/assign-ticket.php
+++ b/server/controllers/staff/assign-ticket.php
@@ -50,12 +50,12 @@ class AssignStaffController extends Controller {
 $this->ticket = Ticket::getByTicketNumber($ticketNumber);
 if($this->ticket->owner) {
- Response::respondError(ERRORS::TICKET_ALREADY_ASSIGNED);
+ throw new Exception(ERRORS::TICKET_ALREADY_ASSIGNED);
 return;
 }
 if(!$this->ticketHasStaffDepartment()) {
- Response::respondError(ERRORS::INVALID_DEPARTMENT);
+ throw new Exception(ERRORS::INVALID_DEPARTMENT);
 } else {
 $this->user->sharedTicketList->add($this->ticket);
 $this->ticket->owner = $this->user;
diff --git a/server/controllers/staff/un-assign-ticket.php b/server/controllers/staff/un-assign-ticket.php
index 48fe6dc6..0443059b 100755
--- a/server/controllers/staff/un-assign-ticket.php
+++ b/server/controllers/staff/un-assign-ticket.php
@@ -44,25 +44,25 @@ class UnAssignStaffController extends Controller {
 $user = Controller::getLoggedUser();
 $ticket = Ticket::getByTicketNumber($ticketNumber);
- if($ticket->owner && $ticket->owner->id == $user->id) {
+ if($ticket->owner && $ticket->owner->id === $user->id || $user->level !== 1) {
 $user->sharedTicketList->remove($ticket);
 $user->store();
-
+
 $ticket->owner = null;
 $ticket->unread = true;
-
+
 $event = Ticketevent::getEvent(Ticketevent::UN_ASSIGN);
 $event->setProperties(array(
 'authorStaff' => $user,
 'date' => Date::getCurrentDate()
 ));
-
+
 $ticket->addEvent($event);
 $ticket->store();
 Response::respondSuccess();
 } else {
- Response::respondError(ERRORS::NO_PERMISSION);
+ throw new Exception(ERRORS::NO_PERMISSION);
 return;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/server/controllers/system/edit-settings.php b/server/controllers/system/edit-settings.php
index dfdf7352..bb56fdf4 100755
--- a/server/controllers/system/edit-settings.php
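Review bot: The `return;` kept after the new `throw new Exception(ERRORS::TICKET_ALREADY_ASSIGNED);` is unreachable and should be dropped so the guard reads as a single statement; the same dead `return;` survives in the un-assign and change-department hunks of this commit. Throwing a bare `Exception` for an expected validation failure also makes it indistinguishable, to whatever catch block turns it into the response, from an unexpected runtime error such as a database fault, so a dedicated exception class (or at least a comment naming the handler that maps these) would help — the catch is not visible here. The enclosing handler starts and ends outside the hunk.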
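Review bot: The new guard `$ticket->owner && $ticket->owner->id === $user->id || $user->level !== 1` parses as `(owner is you) || level !== 1`, so a level-2/3 staff enters the branch even when `$ticket->owner` is null, and in every case the ticket is removed from the caller's `$user->sharedTicketList` rather than the owner's, so a supervisor un-assigning someone else's ticket leaves the real owner's shared list stale. Change the condition to `if($ticket->owner && ($ticket->owner->id === $user->id || $user->level !== 1)) {` and the two list lines to `$ticket->owner->sharedTicketList->remove($ticket); $ticket->owner->store();` (before `$ticket->owner = null`). The strict `!== 1` is only correct if `level` is loaded as an int; if the data store hands back a string the check is always true, so confirm the type or cast with `(int)$user->level`. The `return;` after the new throw is unreachable, and the only test of the NO_PERMISSION path (`should fail if ticket is not yours`) is deleted in this commit rather than rewritten for a level-1 staff.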
+++ b/server/controllers/system/edit-settings.php
@@ -73,6 +73,10 @@ class EditSettingsController extends Controller {
 $allowed = json_decode(Controller::request('allowedLanguages'));
 $supported = json_decode(Controller::request('supportedLanguages'));
+ if (array_diff($supported, $allowed)) {
+ throw new Exception(ERRORS::INVALID_SUPPORTED_LANGUAGES);
+ }
+
 foreach(Language::LANGUAGES as $languageCode) {
 $language = Language::getDataStore($languageCode, 'code');
diff --git a/server/controllers/ticket/change-department.php b/server/controllers/ticket/change-department.php
index 8685b3be..3453f732 100755
--- a/server/controllers/ticket/change-department.php
+++ b/server/controllers/ticket/change-department.php
@@ -52,8 +52,8 @@ class ChangeDepartmentController extends Controller {
 $department = Department::getDataStore($departmentId);
 $user = Controller::getLoggedUser();
- if($ticket->owner && $ticket->owner->id !== $user->id){
- Response::respondError(ERRORS::NO_PERMISSION);
+ if($ticket->owner && $ticket->owner->id !== $user->id || $user->level === 1){
+ throw new Exception(ERRORS::NO_PERMISSION);
 return;
 }
diff --git a/server/data/ERRORS.php b/server/data/ERRORS.php
index 032fd3e4..1ce5c219 100755
--- a/server/data/ERRORS.php
+++ b/server/data/ERRORS.php
@@ -194,6 +194,7 @@ class ERRORS {
 const INVALID_CAPTCHA = 'INVALID_CAPTCHA';
 const INVALID_TICKET_EVENT = 'INVALID_TICKET_EVENT';
 const INVALID_LANGUAGE = 'INVALID_LANGUAGE';
+ const INVALID_SUPPORTED_LANGUAGES = 'INVALID_SUPPORTED_LANGUAGES';
 const TICKET_ALREADY_ASSIGNED = 'TICKET_ALREADY_ASSIGNED';
 const INVALID_PRIORITY = 'INVALID_PRIORITY';
 const INVALID_PAGE = 'INVALID_PAGE';
diff --git a/tests/staff/un-assign-ticket.rb b/tests/staff/un-assign-ticket.rb
index d0f5fc71..b8b379af 100644
--- a/tests/staff/un-assign-ticket.rb
+++ b/tests/staff/un-assign-ticket.rb
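Review bot: `array_diff($supported, $allowed)` is applied straight to the `json_decode` results, which are `null` when either parameter is absent or not valid JSON and a scalar when the client sends one; on PHP 8 that surfaces as a `TypeError` instead of the intended INVALID_SUPPORTED_LANGUAGES failure, and on PHP 7 `array_diff` returns `null` with a warning so the new subset check is skipped entirely for a malformed body. Guard the shapes first: `if(!is_array($allowed) || !is_array($supported) || array_diff($supported, $allowed)) {`. Unknown codes (anything not in `Language::LANGUAGES`) are not rejected by this check either; whether the loop that follows ignores or stores them I can't tell, since it is cut off here. The enclosing handler starts and ends outside the hunk.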
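Review bot: The new condition `$ticket->owner && $ticket->owner->id !== $user->id || $user->level === 1` parses as `(owned by someone else) || level === 1`, so every level-1 staff is refused — including on a ticket they own — while a level-2/3 staff is allowed through on anyone's ticket. If the intent mirrors the un-assign change in this commit (the owner, or a supervisor, may act), it should read `if(($ticket->owner && $ticket->owner->id !== $user->id) && $user->level === 1){`; if level-1 staff really are meant to be locked out entirely, a comment saying so and a test pinning it would stop the next reader from "fixing" it. The strict `=== 1` also depends on `level` being loaded as an int; as a string from the data store it never matches, which silently removes the restriction altogether. The `return;` after the throw is unreachable, and the handler starts and ends outside the hunk.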
@@ -28,15 +28,4 @@ describe '/staff/un-assign-ticket' do
 (staff_ticket).should.equal(nil)
 end
- it 'should fail if ticket is not yours' do
- ticket = $database.getRow('ticket', 1 , 'id')
- result = request('/staff/un-assign-ticket', {
- ticketNumber: ticket['ticket_number'],
- csrf_userid: $csrf_userid,
- csrf_token: $csrf_token
- })
-
- (result['status']).should.equal('fail')
- (result['message']).should.equal('NO_PERMISSION')
- end
-end
\ No newline at end of file
+end
diff --git a/tests/system/edit-settings.rb b/tests/system/edit-settings.rb
index f39395b7..73684b26 100644
--- a/tests/system/edit-settings.rb
+++ b/tests/system/edit-settings.rb
@@ -37,6 +37,20 @@ describe'system/edit-settings' do
 request('/user/logout')
 end
+ it 'should fail if supported languages are invalid' do
+ request('/user/logout')
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ result= request('/system/edit-settings', {
+ "csrf_userid" => $csrf_userid,
+ "csrf_token" => $csrf_token,
+ "supportedLanguages" => '["en", "pt", "jp", "ru", "de"]',
+ "allowedLanguages" => '["en", "pt", "jp", "ru"]'
+ })
+
+ (result['status']).should.equal('fail')
+ (result['message']).should.equal('INVALID_SUPPORTED_LANGUAGES')
+ end
 it 'should change allowed and supported languages' do
 request('/user/logout')
 Scripts.login($staff[:email], $staff[:password], true)
@@ -45,7 +59,7 @@ describe'system/edit-settings' do
 "csrf_userid" => $csrf_userid,
 "csrf_token" => $csrf_token,
 "supportedLanguages" => '["en", "pt", "jp", "ru"]',
- "allowedLanguages" => '["en","pt", "jp", "ru", "de"]'
+ "allowedLanguages" => '["en", "pt", "jp", "ru", "de"]'
 })
 (result['status']).should.equal('success')
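Review bot: The new test only exercises the well-formed case (a JSON array with one code that is not allowed); add a sibling case that sends `"supportedLanguages" => 'not json'` (or omits the key) and expects `'fail'`, because the controller passes `json_decode`'s result straight to `array_diff` and that path is what a hostile or buggy client will hit. It is also worth asserting, after the failing request, that the stored supported languages are unchanged, since the point of the check is that a rejected request has no effect. Minor: `result= request(` wants a space before `=`, and a blank line before the following `it 'should change ...'` matches the rest of the file.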