staff allow manage ticket feature

client/src/app-components/activity-row.js

@@ -19,6 +19,7 @@ class ActivityRow extends React.Component {
             'RE_OPEN',
             'DEPARTMENT_CHANGED',
             'PRIORITY_CHANGED',
+            'EDIT_COMMENT',
 
             'EDIT_SETTINGS',
             'SIGNUP',

client/src/app-components/ticket-event.scss

@@ -97,20 +97,24 @@
             padding: 20px 10px;
             text-align: left;
             position:relative;
-            
+
+            &:hover {
+                .ticket-event__comment-content__edit {
+                    color: grey;
+                    cursor:pointer;
+                }
+            }
+
             img {
                 max-width:100%;
             }
+
             &__edit {
                 position:absolute;
                 top: 3px;
                 right: 9px;
                 align-self: right;
                 color:white;
-                :hover {
-                    color: grey;
-                    cursor:pointer;
-                }
             }
         }
     }

server/controllers/staff/assign-ticket.php

@@ -49,6 +49,7 @@ class AssignStaffController extends Controller {
         $ticketNumber = Controller::request('ticketNumber');
         $staffId = Controller::request('staffId');
         $this->ticket = Ticket::getByTicketNumber($ticketNumber);
+        $user = Controller::getLoggedUser();
 
         if($staffId) {
             $this->staffToAssign = Staff::getDataStore($staffId, 'id');
@@ -68,8 +69,8 @@ class AssignStaffController extends Controller {
             throw new RequestException(ERRORS::TICKET_ALREADY_ASSIGNED);
         }
 
-        if(!$this->ticketHasStaffDepartment())  {
+        if(!$user->canManageTicket($this->ticket)) {
-            throw new RequestException(ERRORS::INVALID_DEPARTMENT);
+            throw new RequestException(ERRORS::NO_PERMISSION);
         } else {
             $this->staffToAssign->sharedTicketList->add($this->ticket);
             $this->ticket->owner = $this->staffToAssign;
@@ -90,15 +91,4 @@ class AssignStaffController extends Controller {
 
     }
 
-    public function ticketHasStaffDepartment() {
-        $departmentMatch = false;
-
-        foreach ($this->staffToAssign->sharedDepartmentList as $department) {
-            if($this->ticket->department->id === $department->id) {
-                $departmentMatch = true;
-            }
-        }
-
-        return $departmentMatch;
-    }
 }

server/controllers/staff/un-assign-ticket.php

@@ -51,6 +51,10 @@ class UnAssignStaffController extends Controller {
         $ticket = Ticket::getByTicketNumber($ticketNumber);
         $owner = $ticket->owner;
 
+        if(!$user->canManageTicket($ticket)) {
+            throw new RequestException(ERRORS::NO_PERMISSION);
+        }
+
         if($owner && ($ticket->isOwner($user) || $user->level > 2)) {
             if(!$ticket->isAuthor($owner)) {
                 $owner->sharedTicketList->remove($ticket);

server/controllers/ticket/add-tag.php

@@ -50,6 +50,9 @@ class AddTagController extends Controller {
         $tagId = Controller::request('tagId');
         $tag = Tag::getDataStore($tagId);
         $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
+        $user = Controller::getLoggedUser();
+
+        if(!$user->canManageTicket($ticket)) throw new RequestException(ERRORS::NO_PERMISSION);
 
         if ($ticket->sharedTagList->includesId($tagId)) throw new RequestException(ERRORS::TAG_EXISTS);
 

server/controllers/ticket/change-department.php

@@ -56,6 +56,8 @@ class ChangeDepartmentController extends Controller {
             throw new Exception(ERRORS::NO_PERMISSION);
         }
 
+        if (!$user->canManageTicket($ticket)) throw new RequestException(ERRORS::NO_PERMISSION);
+
         if($ticket->owner && $ticket->owner->id !== $user->id && $user->level == 1){
             throw new RequestException(ERRORS::NO_PERMISSION);
         }

server/controllers/ticket/change-priority.php

@@ -50,6 +50,9 @@ class ChangePriorityController extends Controller {
         $ticket = Ticket::getByTicketNumber($ticketNumber);
         $user = Controller::getLoggedUser();
 
+        if (!$user->canManageTicket($ticket)) throw new RequestException(ERRORS::NO_PERMISSION);
+
+
         if($ticket->owner && $user->id === $ticket->owner->id) {
             $ticket->priority = $priority;
             $ticket->unread = !$ticket->isAuthor($user);

server/controllers/ticket/close.php

@@ -70,6 +70,12 @@ class CloseController extends Controller {
             throw new RequestException(ERRORS::NO_PERMISSION);
         }
 
+        if(Controller::isStaffLogged()){
+            $user = Controller::getLoggedUser();
+
+            if (!$user->canManageTicket($this->ticket)) throw new RequestException(ERRORS::NO_PERMISSION);
+        }
+
         $this->markAsUnread();
         $this->addCloseEvent();
         $this->ticket->closed = true;

server/controllers/ticket/comment.php

@@ -81,11 +81,18 @@ class CommentController extends Controller {
         $ticketAuthor = $this->ticket->authorToArray();
         $isAuthor = $this->ticket->isAuthor(Controller::getLoggedUser()) || Session::getInstance()->isTicketSession();
         $isOwner = $this->ticket->isOwner(Controller::getLoggedUser());
+        $user = Controller::getLoggedUser();
 
         if((Controller::isUserSystemEnabled() || Controller::isStaffLogged()) && !$isOwner && !$isAuthor) {
             throw new RequestException(ERRORS::NO_PERMISSION);
         }
 
+        if(Controller::isStaffLogged()){
+            if(!$user->canManageTicket($this->ticket)) {
+                throw new RequestException(ERRORS::NO_PERMISSION);
+            }
+        }
+
         $this->storeComment();
 
         if($isAuthor && $this->ticket->owner) {

server/controllers/ticket/edit-comment.php

@@ -44,6 +44,7 @@ class EditCommentController extends Controller {
     public function handler() {
         $user = Controller::getLoggedUser();
         $newcontent = Controller::request('content');
+        $ticketNumberLog = null;
 
         $ticketevent = Ticketevent::getTicketEvent(Controller::request('ticketEventId'));
         $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
@@ -52,17 +53,32 @@ class EditCommentController extends Controller {
             throw new RequestException(ERRORS::NO_PERMISSION);
         }
 
+        if(Controller::isStaffLogged()){
+            if(!$ticketevent->isNull()){
+                $ticket = $ticketevent->ticket;
+            }
+
+            if(!$user->canManageTicket($ticket)) {
+                throw new RequestException(ERRORS::NO_PERMISSION);
+            }
+        }
+
         if(!$ticketevent->isNull()){
+            $ticketNumber = Ticket::getTicket($ticketevent->ticketId)->ticketNumber;
+
             $ticketevent->content = $newcontent;
             $ticketevent->editedContent = true;
             $ticketevent->store();
         }else{
+            $ticketNumber = $ticket->ticketNumber;
+
             $ticket->content = $newcontent;
             $ticket->editedContent = true;
             $ticket->store();
         }
 
-        
+        Log::createLog('EDIT_COMMENT', $ticketNumber);
+
         Response::respondSuccess();
     }
 }

server/controllers/ticket/re-open.php

@@ -43,9 +43,10 @@ class ReOpenController extends Controller {
     public function handler() {
         $this->ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
 
-        if($this->shouldDenyPermission()) {
+        if(Controller::isStaffLogged()){
-            throw new RequestException(ERRORS::NO_PERMISSION);
+            $user = Controller::getLoggedUser();
-            return;
+
+            if (!$user->canManageTicket($this->ticket)) throw new RequestException(ERRORS::NO_PERMISSION);
         }
 
         $this->markAsUnread();
@@ -59,19 +60,6 @@ class ReOpenController extends Controller {
         Response::respondSuccess();
     }
 
-
-    private function shouldDenyPermission() {
-        $user = Controller::getLoggedUser();
-
-        return !(
-            $this->ticket->isAuthor($user) ||
-            (
-                Controller::isStaffLogged() &&
-                $user->sharedDepartmentList->includesId($this->ticket->department->id)
-            )
-        );
-    }
-
     private function markAsUnread() {
         if(Controller::isStaffLogged()) {
             $this->ticket->unread = true;

server/controllers/ticket/remove-tag.php

@@ -49,6 +49,9 @@ class RemoveTagController extends Controller {
         $tagId = Controller::request('tagId');
         $tag = Tag::getDataStore($tagId);
         $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
+        $user = Controller::getLoggedUser();
+
+        if (!$user->canManageTicket($ticket)) throw new RequestException(ERRORS::NO_PERMISSION);
 
         if (!$ticket->sharedTagList->includesId($tagId)) throw new RequestException(ERRORS::INVALID_TAG);
 

server/models/Log.php

@@ -28,9 +28,9 @@ class Log extends DataStore {
 
     public static function createLog($type,$to, $author = null) {
         if($author === null) {
-            $author = Controller::getLoggedUser();    
+            $author = Controller::getLoggedUser();
-        } 
+        }
-        
+
         $log = new Log();
 
         $log->setProperties(array(
@@ -50,7 +50,9 @@ class Log extends DataStore {
 
     public function toArray() {
         $author = ($this->authorUser instanceof User) ? $this->authorUser : $this->authorStaff;
-        
+        if(!$author){
+            throw new Exception($this->id);
+        }
         return [
             'type' => $this->type,
             'to' => $this->to,
@@ -59,7 +61,7 @@ class Log extends DataStore {
                 'id' => $author->id,
                 'staff' => $author instanceof Staff
             ],
-            'date' => $this->date 
+            'date' => $this->date
         ];
     }
-}
+}

server/models/Staff.php

@@ -41,7 +41,7 @@ class Staff extends DataStore {
         return [
             'level' => 1,
             'ownStatList' => new DataStoreList(),
-            'sendEmailOnNewTicket' => 0 
+            'sendEmailOnNewTicket' => 0
         ];
     }
 
@@ -49,6 +49,10 @@ class Staff extends DataStore {
         return parent::getDataStore($value, $property);
     }
 
+    public function canManageTicket(Ticket $ticket){
+        return $this->sharedDepartmentList->includesId($ticket->departmentId);
+    }
+
     public function toArray() {
         return [
             'id' => $this->id,

tests/ticket/change-department.rb

@@ -45,37 +45,4 @@ describe '/ticket/change-department' do
         (lastLog['type']).should.equal('DEPARTMENT_CHANGED')
     end
 
-    it 'should unassing ticket if staff does not server new department' do
-      ticket = $database.getRow('ticket', 1 , 'id')
-      request('/staff/edit', {
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token,
-          departments: '[1, 2]',
-          staffId: 1
-      })
-
-      result = request('/ticket/change-department', {
-          ticketNumber: ticket['ticket_number'],
-          departmentId: 3,
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token
-      })
-
-      (result['status']).should.equal('success')
-
-      ticket = $database.getRow('ticket', 1 , 'id')
-      (ticket['unread']).should.equal('1')
-      (ticket['department_id']).should.equal('3')
-      (ticket['owner_id']).should.equal(nil)
-
-      lastLog = $database.getLastRow('log')
-      (lastLog['type']).should.equal('DEPARTMENT_CHANGED')
-
-      request('/staff/edit', {
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token,
-          departments: '[1, 2, 3]',
-          staffId: 1
-      })
-    end
 end