Remove special functionality of "ticket assignment", other minor fixes (#587)

* fix ticketEventId submit * staff allow manage ticket feature * edit-comment log * fix staff1/2 change own perfile pic * Makes frontend allow ticket editing for any staff member * Allows all staff members in charge of the department of a ticket to manage it (change its department, priority, comment on it, etc.) * fix comments github pt1 * tests ruby * fix * Fix ruby tests * add commenteed tests
2025-04-08 18:35:06 +02:00 · 2019-10-01 16:40:30 -03:00 · 2019-10-01 16:40:30 -03:00 · 63ef66198a
commit 63ef66198a
parent 2e4817b144
42 changed files with 612 additions and 196 deletions
--- a/client/src/app-components/activity-row.js
+++ b/client/src/app-components/activity-row.js
@ -19,6 +19,7 @@ class ActivityRow extends React.Component {
            'RE_OPEN',
            'DEPARTMENT_CHANGED',
            'PRIORITY_CHANGED',
+            'EDIT_COMMENT',

            'EDIT_SETTINGS',
            'SIGNUP',
@ -56,7 +57,8 @@ class ActivityRow extends React.Component {
            'CREATE_TICKET',
            'RE_OPEN',
            'DEPARTMENT_CHANGED',
-            'PRIORITY_CHANGED'
+            'PRIORITY_CHANGED',
+            'COMMENT_EDITED',
        ];

        return (
@ -100,6 +102,7 @@ class ActivityRow extends React.Component {
            'RE_OPEN': 'unlock-alt',
            'DEPARTMENT_CHANGED': 'exchange',
            'PRIORITY_CHANGED': 'exclamation',
+            'EDIT_COMMENT': 'edit',

            'EDIT_SETTINGS': 'wrench',
            'SIGNUP': 'user-plus',
--- a/client/src/app-components/ticket-event.scss
+++ b/client/src/app-components/ticket-event.scss
@ -97,20 +97,24 @@
            padding: 20px 10px;
            text-align: left;
            position:relative;
-            
+
+            &:hover {
+                .ticket-event__comment-content__edit {
+                    color: grey;
+                    cursor:pointer;
+                }
+            }
+
            img {
                max-width:100%;
            }
+
            &__edit {
                position:absolute;
                top: 3px;
                right: 9px;
                align-self: right;
                color:white;
-                :hover {
-                    color: grey;
-                    cursor:pointer;
-                }
            }
        }
    }
--- a/client/src/app-components/ticket-viewer.js
+++ b/client/src/app-components/ticket-viewer.js
@ -444,6 +444,7 @@ class TicketViewer extends React.Component {
            }
        }).then(this.onTicketModification.bind(this));
    }
+
    addTag(tag) {
        API.call({
            path: '/ticket/add-tag',
@ -463,6 +464,7 @@ class TicketViewer extends React.Component {
            }
        }).then(this.onTicketModification.bind(this))
    }
+
    onCustomResponsesChanged({index}) {
        let replaceContentWithCustomResponse = () => {
            this.setState({
@ -492,7 +494,7 @@ class TicketViewer extends React.Component {
        const data = {};

        if(ticketeventid){
-            data.ticketeventId = ticketeventid
+            data.ticketEventId = ticketeventid
        }else{
            data.ticketNumber = this.props.ticket.ticketNumber
        }
@ -523,6 +525,7 @@ class TicketViewer extends React.Component {
            commentError: true
        });
    }
+
    onSubmit(formState) {
        this.setState({
            loading: true
--- a/client/src/app/admin/panel/articles/admin-panel-view-article.scss
+++ b/client/src/app/admin/panel/articles/admin-panel-view-article.scss
@ -23,7 +23,7 @@
        text-align: left;
        margin-bottom: 20px;
    }
-    
+
    &__button {
        margin-right: 20px;
    }
--- a/client/src/app/admin/panel/dashboard/admin-panel-activity.js
+++ b/client/src/app/admin/panel/dashboard/admin-panel-activity.js
@ -43,7 +43,7 @@ class AdminPanelActivity extends React.Component {
            </div>
        );
    }
-    
+
    getMenuProps() {
        return {
            className: 'admin-panel-activity__menu',
@ -148,4 +148,4 @@ class AdminPanelActivity extends React.Component {
    }
 }

-export default AdminPanelActivity;
+export default AdminPanelActivity;
--- a/client/src/app/admin/panel/tickets/admin-panel-view-ticket.js
+++ b/client/src/app/admin/panel/tickets/admin-panel-view-ticket.js
@ -75,10 +75,7 @@ class AdminPanelViewTicket extends React.Component {
            onChange: this.retrieveTicket.bind(this),
            assignmentAllowed: this.props.assignmentAllowed,
            customResponses: this.props.customResponses,
-            editable: (
-                (this.state.ticket.owner && this.state.ticket.owner.id == SessionStore.getSessionData().userId) ||
-                (this.state.ticket.author && this.state.ticket.author.staff && this.state.ticket.author.id == SessionStore.getSessionData().userId)
-            )
+            editable: true
        };
    }

--- a/client/src/data/languages/en.js
+++ b/client/src/data/languages/en.js
@ -228,6 +228,7 @@ export default {
    'ACTIVITY_RE_OPEN': 'reopened ticket',
    'ACTIVITY_DEPARTMENT_CHANGED': 'changed department of ticket',
    'ACTIVITY_PRIORITY_CHANGED': 'changed priority of ticket',
+    'ACTIVITY_EDIT_COMMENT': 'edited a comment of ticket',

    'ACTIVITY_EDIT_SETTINGS': 'edited settings',
    'ACTIVITY_SIGNUP': 'signed up',
--- a/server/controllers/staff/assign-ticket.php
+++ b/server/controllers/staff/assign-ticket.php
@ -49,6 +49,7 @@ class AssignStaffController extends Controller {
        $ticketNumber = Controller::request('ticketNumber');
        $staffId = Controller::request('staffId');
        $this->ticket = Ticket::getByTicketNumber($ticketNumber);
+        $user = Controller::getLoggedUser();

        if($staffId) {
            $this->staffToAssign = Staff::getDataStore($staffId, 'id');
@ -68,8 +69,8 @@ class AssignStaffController extends Controller {
            throw new RequestException(ERRORS::TICKET_ALREADY_ASSIGNED);
        }

-        if(!$this->ticketHasStaffDepartment())  {
-            throw new RequestException(ERRORS::INVALID_DEPARTMENT);
+        if(!$user->canManageTicket($this->ticket)) {
+            throw new RequestException(ERRORS::NO_PERMISSION);
        } else {
            $this->staffToAssign->sharedTicketList->add($this->ticket);
            $this->ticket->owner = $this->staffToAssign;
@ -90,15 +91,4 @@ class AssignStaffController extends Controller {

    }

-    public function ticketHasStaffDepartment() {
-        $departmentMatch = false;
-
-        foreach ($this->staffToAssign->sharedDepartmentList as $department) {
-            if($this->ticket->department->id === $department->id) {
-                $departmentMatch = true;
-            }
-        }
-
-        return $departmentMatch;
-    }
 }
--- a/server/controllers/staff/edit.php
+++ b/server/controllers/staff/edit.php
@ -59,7 +59,7 @@ class EditStaffController extends Controller {

        if(!$staffId) {
            $this->staffInstance = Controller::getLoggedUser();
-        } else if(Controller::isStaffLogged(3)) {
+        } else if(Controller::isStaffLogged(3) || ((Controller::isStaffLogged() && Controller::getLoggedUser()->id == $staffId)) ) {
            $this->staffInstance = Staff::getDataStore($staffId, 'id');

            if($this->staffInstance->isNull()) {
--- a/server/controllers/staff/last-events.php
+++ b/server/controllers/staff/last-events.php
@ -14,10 +14,10 @@ use Respect\Validation\Validator as DataValidator;
 * @apiPermission staff1
 *
 * @apiParam {Number} page The page number.
- * 
+ *
 * @apiUse NO_PERMISSION
 * @apiUse INVALID_PAGE
- * 
+ *
 * @apiSuccess {[TicketEvent](#api-Data_Structures-ObjectTicketevent)[]} data Array of last events
 *
 */
@ -56,4 +56,4 @@ class LastEventsStaffController extends Controller {
            Response::respondSuccess([]);
        }
    }
-}
+}
--- a/server/controllers/staff/un-assign-ticket.php
+++ b/server/controllers/staff/un-assign-ticket.php
@ -51,6 +51,10 @@ class UnAssignStaffController extends Controller {
        $ticket = Ticket::getByTicketNumber($ticketNumber);
        $owner = $ticket->owner;

+        if(!$user->canManageTicket($ticket)) {
+            throw new RequestException(ERRORS::NO_PERMISSION);
+        }
+
        if($owner && ($ticket->isOwner($user) || $user->level > 2)) {
            if(!$ticket->isAuthor($owner)) {
                $owner->sharedTicketList->remove($ticket);
--- a/server/controllers/ticket/add-tag.php
+++ b/server/controllers/ticket/add-tag.php
@ -50,6 +50,9 @@ class AddTagController extends Controller {
        $tagId = Controller::request('tagId');
        $tag = Tag::getDataStore($tagId);
        $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
+        $user = Controller::getLoggedUser();
+
+        if(!$user->canManageTicket($ticket)) throw new RequestException(ERRORS::NO_PERMISSION);

        if ($ticket->sharedTagList->includesId($tagId)) throw new RequestException(ERRORS::TAG_EXISTS);

--- a/server/controllers/ticket/change-department.php
+++ b/server/controllers/ticket/change-department.php
@ -56,7 +56,7 @@ class ChangeDepartmentController extends Controller {
            throw new Exception(ERRORS::NO_PERMISSION);
        }

-        if($ticket->owner && $ticket->owner->id !== $user->id && $user->level == 1){
+        if(!$user->canManageTicket($ticket)){
            throw new RequestException(ERRORS::NO_PERMISSION);
        }

--- a/server/controllers/ticket/change-priority.php
+++ b/server/controllers/ticket/change-priority.php
@ -50,23 +50,20 @@ class ChangePriorityController extends Controller {
        $ticket = Ticket::getByTicketNumber($ticketNumber);
        $user = Controller::getLoggedUser();

-        if($ticket->owner && $user->id === $ticket->owner->id) {
-            $ticket->priority = $priority;
-            $ticket->unread = !$ticket->isAuthor($user);
-            $event = Ticketevent::getEvent(Ticketevent::PRIORITY_CHANGED);
-            $event->setProperties(array(
-                'authorStaff' => Controller::getLoggedUser(),
-                'content' => $ticket->priority,
-                'date' => Date::getCurrentDate()
-            ));
-            $ticket->addEvent($event);
-            $ticket->store();
+        if(!$user->canManageTicket($ticket)) throw new RequestException(ERRORS::NO_PERMISSION);

-            Log::createLog('PRIORITY_CHANGED', $ticket->ticketNumber);
-            Response::respondSuccess();
-        } else {
-            throw new RequestException(ERRORS::NO_PERMISSION);
-        }
+        $ticket->priority = $priority;
+        $ticket->unread = !$ticket->isAuthor($user);
+        $event = Ticketevent::getEvent(Ticketevent::PRIORITY_CHANGED);
+        $event->setProperties(array(
+            'authorStaff' => Controller::getLoggedUser(),
+            'content' => $ticket->priority,
+            'date' => Date::getCurrentDate()
+        ));
+        $ticket->addEvent($event);
+        $ticket->store();

+        Log::createLog('PRIORITY_CHANGED', $ticket->ticketNumber);
+        Response::respondSuccess();
    }
 }
--- a/server/controllers/ticket/close.php
+++ b/server/controllers/ticket/close.php
@ -61,12 +61,14 @@ class CloseController extends Controller {

    public function handler() {
        $this->ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
+        $user = Controller::getLoggedUser();

-        if(
-          (Controller::isUserSystemEnabled() || Controller::isStaffLogged()) &&
-          !$this->ticket->isOwner(Controller::getLoggedUser()) &&
-          !$this->ticket->isAuthor(Controller::getLoggedUser())
-        ) {
+        if(!Controller::isStaffLogged() && Controller::isUserSystemEnabled() &&
+           !$user->canManageTicket($this->ticket)){
+            throw new RequestException(ERRORS::NO_PERMISSION);
+        }
+
+        if(Controller::isStaffLogged() && (!$user->canManageTicket($this->ticket))){
            throw new RequestException(ERRORS::NO_PERMISSION);
        }

--- a/server/controllers/ticket/comment.php
+++ b/server/controllers/ticket/comment.php
@ -81,8 +81,13 @@ class CommentController extends Controller {
        $ticketAuthor = $this->ticket->authorToArray();
        $isAuthor = $this->ticket->isAuthor(Controller::getLoggedUser()) || Session::getInstance()->isTicketSession();
        $isOwner = $this->ticket->isOwner(Controller::getLoggedUser());
+        $user = Controller::getLoggedUser();

-        if((Controller::isUserSystemEnabled() || Controller::isStaffLogged()) && !$isOwner && !$isAuthor) {
+        if(!Controller::isStaffLogged() && Controller::isUserSystemEnabled() && !$isAuthor){
+            throw new RequestException(ERRORS::NO_PERMISSION);
+        }
+
+        if(!$user->canManageTicket($this->ticket)) {
            throw new RequestException(ERRORS::NO_PERMISSION);
        }

--- a/server/controllers/ticket/edit-comment.php
+++ b/server/controllers/ticket/edit-comment.php
@ -44,25 +44,41 @@ class EditCommentController extends Controller {
    public function handler() {
        $user = Controller::getLoggedUser();
        $newcontent = Controller::request('content');
+        $ticketNumberLog = null;

        $ticketevent = Ticketevent::getTicketEvent(Controller::request('ticketEventId'));
        $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));

-        if(!Controller::isStaffLogged() && ($user->id !== $ticketevent->authorUserId && $user->id !== $ticket->authorId )){
+        if(!Controller::isStaffLogged() &&  ($user->id !== $ticketevent->authorUserId && $user->id !== $ticket->authorId ) ){
            throw new RequestException(ERRORS::NO_PERMISSION);
        }

+        if(Controller::isStaffLogged()){
+            if(!$ticketevent->isNull()){
+                $ticket = $ticketevent->ticket;
+            }
+
+            if(!$user->canManageTicket($ticket)) {
+                throw new RequestException(ERRORS::NO_PERMISSION);
+            }
+        }
+
        if(!$ticketevent->isNull()){
+            $ticketNumber = Ticket::getTicket($ticketevent->ticketId)->ticketNumber;
+
            $ticketevent->content = $newcontent;
            $ticketevent->editedContent = true;
            $ticketevent->store();
        }else{
+            $ticketNumber = $ticket->ticketNumber;
+
            $ticket->content = $newcontent;
            $ticket->editedContent = true;
            $ticket->store();
        }

-        
+        Log::createLog('EDIT_COMMENT', $ticketNumber);
+
        Response::respondSuccess();
    }
 }
--- a/server/controllers/ticket/get.php
+++ b/server/controllers/ticket/get.php
@ -77,7 +77,7 @@ class TicketGetController extends Controller {
    private function shouldDenyPermission() {
        $user = Controller::getLoggedUser();

-        return (!Controller::isStaffLogged() && (Controller::isUserSystemEnabled() && $this->ticket->author->id !== $user->id)) ||
-               (Controller::isStaffLogged() && (!$user->sharedTicketList->includesId($this->ticket->id) && !$user->sharedDepartmentList->includesId($this->ticket->department->id)));
+        return (!Controller::isStaffLogged() && (Controller::isUserSystemEnabled() && !$user->canManageTicket($this->ticket))) ||
+               (Controller::isStaffLogged() && !$user->canManageTicket($this->ticket));
    }
 }
--- a/server/controllers/ticket/re-open.php
+++ b/server/controllers/ticket/re-open.php
@ -42,11 +42,9 @@ class ReOpenController extends Controller {

    public function handler() {
        $this->ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
+        $user = Controller::getLoggedUser();

-        if($this->shouldDenyPermission()) {
-            throw new RequestException(ERRORS::NO_PERMISSION);
-            return;
-        }
+        if (!$user->canManageTicket($this->ticket)) throw new RequestException(ERRORS::NO_PERMISSION);

        $this->markAsUnread();
        $this->addReopenEvent();
@ -59,19 +57,6 @@ class ReOpenController extends Controller {
        Response::respondSuccess();
    }

-
-    private function shouldDenyPermission() {
-        $user = Controller::getLoggedUser();
-
-        return !(
-            $this->ticket->isAuthor($user) ||
-            (
-                Controller::isStaffLogged() &&
-                $user->sharedDepartmentList->includesId($this->ticket->department->id)
-            )
-        );
-    }
-
    private function markAsUnread() {
        if(Controller::isStaffLogged()) {
            $this->ticket->unread = true;
--- a/server/controllers/ticket/remove-tag.php
+++ b/server/controllers/ticket/remove-tag.php
@ -49,6 +49,9 @@ class RemoveTagController extends Controller {
        $tagId = Controller::request('tagId');
        $tag = Tag::getDataStore($tagId);
        $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
+        $user = Controller::getLoggedUser();
+
+        if (!$user->canManageTicket($ticket)) throw new RequestException(ERRORS::NO_PERMISSION);

        if (!$ticket->sharedTagList->includesId($tagId)) throw new RequestException(ERRORS::INVALID_TAG);

--- a/server/controllers/ticket/seen.php
+++ b/server/controllers/ticket/seen.php
@ -44,7 +44,7 @@ class SeenController extends Controller {
        $user = Controller::getLoggedUser();
        $ticket = Ticket::getByTicketNumber($ticketnumber);

-        if(!$ticket->isOwner($user) && !$ticket->isAuthor($user)) {
+        if(!$user->canManageTicket($this->ticket) && !$ticket->isAuthor($user)) {
            throw new RequestException(ERRORS::NO_PERMISSION);
        }

--- a/server/models/Log.php
+++ b/server/models/Log.php
@ -28,9 +28,9 @@ class Log extends DataStore {

    public static function createLog($type,$to, $author = null) {
        if($author === null) {
-            $author = Controller::getLoggedUser();    
-        } 
-        
+            $author = Controller::getLoggedUser();
+        }
+
        $log = new Log();

        $log->setProperties(array(
@ -50,7 +50,7 @@ class Log extends DataStore {

    public function toArray() {
        $author = ($this->authorUser instanceof User) ? $this->authorUser : $this->authorStaff;
-        
+
        return [
            'type' => $this->type,
            'to' => $this->to,
@ -59,7 +59,7 @@ class Log extends DataStore {
                'id' => $author->id,
                'staff' => $author instanceof Staff
            ],
-            'date' => $this->date 
+            'date' => $this->date
        ];
    }
-}
+}
--- a/server/models/Staff.php
+++ b/server/models/Staff.php
@ -41,7 +41,7 @@ class Staff extends DataStore {
        return [
            'level' => 1,
            'ownStatList' => new DataStoreList(),
-            'sendEmailOnNewTicket' => 0 
+            'sendEmailOnNewTicket' => 0
        ];
    }

@ -49,6 +49,10 @@ class Staff extends DataStore {
        return parent::getDataStore($value, $property);
    }

+    public function canManageTicket(Ticket $ticket){
+        return $this->sharedDepartmentList->includesId($ticket->departmentId) || $this->id === $ticket->author_staff_id;
+    }
+
    public function toArray() {
        return [
            'id' => $this->id,
--- a/server/models/User.php
+++ b/server/models/User.php
@ -43,6 +43,10 @@ class User extends DataStore {
        return parent::getDataStore($value, $property);
    }

+    public function canManageTicket(Ticket $ticket){
+        return $ticket->isAuthor($this);
+    }
+
    public function toArray() {
        return [
            'email' => $this->email,
--- a/tests/scripts.rb
+++ b/tests/scripts.rb
@ -67,16 +67,15 @@ class Scripts
      request('/user/logout')
    end

-    def self.createTicket(title = 'Winter is coming',content = 'The north remembers')
+    def self.createTicket(title = 'Winter is coming',content = 'The north remembers', department = 1)
        result = request('/ticket/create', {
            title: title,
            content: content,
-            departmentId: 1,
+            departmentId: department,
            language: 'en',
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
-
        result['data']
    end

--- a/tests/staff/add.rb
+++ b/tests/staff/add.rb
@ -24,7 +24,7 @@ describe'/staff/add' do
        (row['level']).should.equal('2')

        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal('3')
+        (row['owners']).should.equal('4')

        lastLog = $database.getLastRow('log')
        (lastLog['type']).should.equal('ADD_STAFF')
@ -46,6 +46,6 @@ describe'/staff/add' do
        (result['message']).should.equal('ALREADY_A_STAFF')

        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal('3')
+        (row['owners']).should.equal('4')
    end
-end
+end
--- a/tests/staff/delete.rb
+++ b/tests/staff/delete.rb
@ -16,7 +16,7 @@ describe'/staff/delete' do
        (row).should.equal(nil)

        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal('3')
+        (row['owners']).should.equal('4')

    end

@ -31,6 +31,6 @@ describe'/staff/delete' do
        (result['message']).should.equal('INVALID_STAFF')

        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal('3')
+        (row['owners']).should.equal('4')
    end
 end
--- a/tests/staff/edit.rb
+++ b/tests/staff/edit.rb
@ -25,20 +25,20 @@ describe'/staff/edit' do
        (rows['department_id']).should.equal('1')

        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal('3')
+        (row['owners']).should.equal('4')

        row = $database.getRow('department', 2, 'id')
-        (row['owners']).should.equal('2')
+        (row['owners']).should.equal('3')
    end

-    it 'should edit staff member ' do
+    it 'should edit own data staff' do
        request('/staff/add', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'Arya Stark',
            password: 'starkpassword',
            email: 'arya@opensupports.com',
-            level: 2,
+            level: 1,
            profilePic: '',
            departments: '[1]'
        })
@ -51,7 +51,8 @@ describe'/staff/edit' do
            staffId: row['id'],
            email: 'ayra2@opensupports.com',
            departments: '[1, 2, 3]',
-            sendEmailOnNewTicket: 1
+            sendEmailOnNewTicket: 1,
+            level: 2
        })

        (result['status']).should.equal('success')
@ -63,10 +64,10 @@ describe'/staff/edit' do
        (row['send_email_on_new_ticket']).should.equal('0')

        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal('4')
+        (row['owners']).should.equal('5')

        row = $database.getRow('department', 2, 'id')
-        (row['owners']).should.equal('3')
+        (row['owners']).should.equal('4')

        row = $database.getRow('department', 3, 'id')
        (row['owners']).should.equal('2')
@ -82,4 +83,23 @@ describe'/staff/edit' do
        row = $database.getRow('staff', 'Arya Stark', 'name')
        (row['send_email_on_new_ticket']).should.equal('1')
    end
+
+    it 'should fail if is not staff logged' do
+
+        request('/user/logout')
+
+        result = request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            staffId: 1,
+            email:  'stafffalse@opensupports.com',
+            departments: '[1, 2]',
+            sendEmailOnNewTicket: 1
+        })
+
+        (result['status']).should.equal('fail')
+        (result['message']).should.equal('NO_PERMISSION')
+
+
+    end
 end
--- a/tests/staff/get-all-tickets.rb
+++ b/tests/staff/get-all-tickets.rb
@ -46,7 +46,7 @@ describe 'Retrieve all tickets' do
            })

            (response['status']).should.equal('success')
-            (response['data']['pages']).should.equal(4)
+            (response['data']['pages']).should.equal(5)
            (response['data']['tickets'].size).should.equal(10)
            (response['data']['tickets'][0]['title']).should.equal('Quisque egestas ipsum')
            (response['data']['tickets'][1]['title']).should.equal('placerat id velit')
@ -68,7 +68,7 @@ describe 'Retrieve all tickets' do
            })

            (response['status']).should.equal('success')
-            (response['data']['pages']).should.equal(4)
+            (response['data']['pages']).should.equal(5)
            (response['data']['tickets'].size).should.equal(10)
            (response['data']['tickets'][0]['title']).should.equal('quis vulputate lectus feugiat eu')
            (response['data']['tickets'][1]['title']).should.equal('Fusce venenatis iaculis commodo')
@ -96,4 +96,4 @@ describe 'Retrieve all tickets' do
        (response['data']['tickets'].size).should.equal(10)
        (response['data']['tickets'][0]['title']).should.equal('ipsum Aenean maximus quis leo et eleifend')
    end
-end
+end
--- a/tests/staff/get-all.rb
+++ b/tests/staff/get-all.rb
@ -14,14 +14,14 @@ describe'/staff/get-all' do
        (result['data'][0]['email']).should.equal('staff@opensupports.com')
        (result['data'][0]['profilePic']).should.equal('')
        (result['data'][0]['level']).should.equal('3')
-        (result['data'][0]['departments'][0]['id']).should.equal('1')
-        (result['data'][0]['departments'][0]['name']).should.equal('Help and Support')
-        (result['data'][0]['departments'][1]['id']).should.equal('2')
-        (result['data'][0]['departments'][1]['name']).should.equal('useless private deapartment')
+        (result['data'][0]['departments'][0]['id']).should.equal('2')
+        (result['data'][0]['departments'][0]['name']).should.equal('useless private deapartment')
+        (result['data'][0]['departments'][1]['id']).should.equal('1')
+        (result['data'][0]['departments'][1]['name']).should.equal('Help and Support')
        (result['data'][0]['departments'][2]['id']).should.equal('3')
        (result['data'][0]['departments'][2]['name']).should.equal('Suggestions')
-        (result['data'][0]['assignedTickets']).should.equal(6)
-        (result['data'][0]['closedTickets']).should.equal(0)
+        (result['data'][0]['assignedTickets']).should.equal(10)
+        (result['data'][0]['closedTickets']).should.equal(1)

        (result['data'][2]['name']).should.equal('Arya Stark')
        (result['data'][2]['email']).should.equal('ayra2@opensupports.com')
--- a/tests/staff/get-new-tickets.rb
+++ b/tests/staff/get-new-tickets.rb
@ -10,6 +10,6 @@ describe '/staff/get-new-tickets' do
        })

        (result['status']).should.equal('success')
-        (result['data']['tickets'].size).should.equal(8)
+        (result['data']['tickets'].size).should.equal(10)
    end
 end
--- a/tests/staff/get-tickets.rb
+++ b/tests/staff/get-tickets.rb
@ -25,6 +25,6 @@ describe '/staff/get-tickets' do
        })

        (result['status']).should.equal('success')
-        (result['data']['tickets'].size).should.equal(5)
+        (result['data']['tickets'].size).should.equal(9)
    end
 end
--- a/tests/system/add-department.rb
+++ b/tests/system/add-department.rb
@ -29,7 +29,7 @@ describe'system/add-department' do

            (result['status']).should.equal('success')

-            row = $database.getRow('department', 5, 'id')
+            row = $database.getRow('department', 6, 'id')

            (row['name']).should.equal('new department')
            (row['private']).should.equal("0")
--- a/tests/system/disable-user-system.rb
+++ b/tests/system/disable-user-system.rb
@ -19,7 +19,7 @@ describe'system/disable-user-system' do

            numberOftickets= $database.query("SELECT * FROM ticket WHERE author_id IS NULL AND author_email IS NOT NULL AND author_name IS NOT NULL")

-            (numberOftickets.num_rows).should.equal(41)
+            (numberOftickets.num_rows).should.equal(51)

            request('/user/logout')

@ -127,7 +127,7 @@ describe'system/disable-user-system' do

            numberOftickets= $database.query("SELECT * FROM ticket WHERE author_email IS NULL AND author_name IS NULL AND author_id IS NOT NULL"  )

-            (numberOftickets.num_rows).should.equal(42)
+            (numberOftickets.num_rows).should.equal(52)

        end

--- a/tests/ticket/add-tag.rb
+++ b/tests/ticket/add-tag.rb
@ -30,7 +30,7 @@ describe '/ticket/add-tag' do
        (result['message']).should.equal('INVALID_TICKET')
    end

-    it 'should add a tag' do
+    it 'should add a tag if staff member serves to the deparment of the ticket' do
        result = request('/ticket/add-tag', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
@ -43,6 +43,58 @@ describe '/ticket/add-tag' do
        (result['status']).should.equal('success')
    end

+    it 'should add tag if staff member does not serve to the department of the ticket but is the author' do
+        Scripts.createTicket('titleofthetickettoaddtags','thisisthecontentofthetickettoaddtags',3)
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2]',
+            staffId: 1
+        })
+
+        ticket = $database.getRow('ticket', 'thisisthecontentofthetickettoaddtags' , 'content')
+
+        result = request('/ticket/add-tag', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            tagId: 3,
+            ticketNumber: ticket['ticket_number']
+        })
+
+        (result['status']).should.equal('success')
+    end
+
+    it 'should fail if staff member does not serve to the department of the ticket and he is not the author' do
+        request('/user/logout')
+        Scripts.createUser('pepito@pepito.com', 'pepito12345','pepito')
+        Scripts.login('pepito@pepito.com', 'pepito12345')
+        Scripts.createTicket('title70','contentoftheticket70',3)
+
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+        ticket = $database.getRow('ticket','title70', 'title')
+
+        result = request('/ticket/add-tag', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            tagId: 2,
+            ticketNumber: ticket['ticket_number']
+        })
+
+        (result['status']).should.equal('fail')
+        (result['message']).should.equal('NO_PERMISSION')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2, 3]',
+            staffId: 1
+        })
+    end
+
+
+
    it 'should fail if the tag is already attached' do
        result = request('/ticket/add-tag', {
            csrf_userid: $csrf_userid,
--- a/tests/ticket/change-department.rb
+++ b/tests/ticket/change-department.rb
@ -2,6 +2,12 @@ describe '/ticket/change-department' do
    request('/user/logout')
    Scripts.login($staff[:email], $staff[:password], true)

+    Scripts.createTicket('Stafftitle','This ticket was made by an staff',1)
+    request('/user/logout')
+
+    request('/user/logout')
+    Scripts.login($staff[:email], $staff[:password], true)
+
    request('/system/add-department', {
        csrf_userid: $csrf_userid,
        csrf_token: $csrf_token,
@ -12,6 +18,11 @@ describe '/ticket/change-department' do
        csrf_token: $csrf_token,
        name: 'Tech support'
    })
+    request('/system/add-department', {
+        csrf_userid: $csrf_userid,
+        csrf_token: $csrf_token,
+        name: 'Instalation problems'
+    })
    request('/staff/edit', {
        csrf_userid: $csrf_userid,
        csrf_token: $csrf_token,
@ -19,17 +30,15 @@ describe '/ticket/change-department' do
        staffId: 1
    })

-    it 'should change department if everything is okey' do
+    it 'should change department if staff has same department as ticket' do
+
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
        ticket = $database.getRow('ticket', 1 , 'id')
-        request('/staff/assign-ticket', {
-            ticketNumber: ticket['ticket_number'],
-            csrf_userid: $csrf_userid,
-            csrf_token: $csrf_token
-        })

        result = request('/ticket/change-department', {
            ticketNumber: ticket['ticket_number'],
-            departmentId: 3,
+            departmentId: 4,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
@ -38,44 +47,60 @@ describe '/ticket/change-department' do

        ticket = $database.getRow('ticket', 1 , 'id')
        (ticket['unread']).should.equal('1')
-        (ticket['department_id']).should.equal('3')
-        (ticket['owner_id']).should.equal('1')
+        (ticket['department_id']).should.equal('4')

        lastLog = $database.getLastRow('log')
        (lastLog['type']).should.equal('DEPARTMENT_CHANGED')
    end

    it 'should unassing ticket if staff does not server new department' do
-      ticket = $database.getRow('ticket', 1 , 'id')
-      request('/staff/edit', {
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token,
-          departments: '[1, 2]',
-          staffId: 1
-      })

-      result = request('/ticket/change-department', {
-          ticketNumber: ticket['ticket_number'],
-          departmentId: 3,
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token
-      })
+          ticket = $database.getRow('ticket', 1 , 'id')
+          Scripts.assignTicket(ticket['ticket_number'])
+          request('/staff/edit', {
+              csrf_userid: $csrf_userid,
+              csrf_token: $csrf_token,
+              departments: '[2, 4]',
+              staffId: 1
+          })

-      (result['status']).should.equal('success')
+          result = request('/ticket/change-department', {
+              ticketNumber: ticket['ticket_number'],
+              departmentId: 3,
+              csrf_userid: $csrf_userid,
+              csrf_token: $csrf_token
+          })

-      ticket = $database.getRow('ticket', 1 , 'id')
-      (ticket['unread']).should.equal('1')
-      (ticket['department_id']).should.equal('3')
-      (ticket['owner_id']).should.equal(nil)
+          (result['status']).should.equal('success')

-      lastLog = $database.getLastRow('log')
-      (lastLog['type']).should.equal('DEPARTMENT_CHANGED')
+          ticket = $database.getRow('ticket', 1 , 'id')
+          (ticket['unread']).should.equal('1')
+          (ticket['department_id']).should.equal('3')
+          (ticket['owner_id']).should.equal(nil)

-      request('/staff/edit', {
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token,
-          departments: '[1, 2, 3]',
-          staffId: 1
-      })
+          lastLog = $database.getLastRow('log')
+          (lastLog['type']).should.equal('DEPARTMENT_CHANGED')
+
+    end
+    it 'should change department if staff does not have ticket department and is author' do
+
+        ticket = $database.getRow('ticket', 'Stafftitle', 'title')
+
+        result = request('/ticket/change-department', {
+            ticketNumber: ticket['ticket_number'],
+            departmentId: 1,
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('success')
+        (ticket['department_id']).should.equal('1')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2, 3]',
+            staffId: 1
+        })
    end
 end
--- a/tests/ticket/close.rb
+++ b/tests/ticket/close.rb
@ -1,61 +1,44 @@
 describe '/ticket/close' do
-    request('/user/logout')
-    Scripts.login($staff[:email], $staff[:password], true)

-    it 'should not close ticket if not assigned' do
-      ticket = $database.getRow('ticket', 1 , 'id')
-      request('/staff/un-assign-ticket', {
-          ticketNumber: ticket['ticket_number'],
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token
-      })
+    it 'should close ticket if staff member has the same department as ticket' do
+        request('/user/logout')
+        Scripts.createUser('closer@os4.com','closer','Closer')
+        Scripts.login('closer@os4.com','closer')
+        Scripts.createTicket('tickettoclose','thecontentoftickettoclose',1)
+        Scripts.createTicket('tickettoclose2','thecontentoftickettoclose2',3)
+        Scripts.createTicket('tickettoclose3','thecontentoftickettoclose3',3)

-      result = request('/ticket/close', {
-          ticketNumber: ticket['ticket_number'],
-          csrf_userid: $csrf_userid,
-          csrf_token: $csrf_token
-      })
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)

-      (result['status']).should.equal('fail')
-    end
-
-    it 'should close ticket if you have it assigned' do
-        ticket = $database.getRow('ticket', 1 , 'id')
-
-        request('/staff/assign-ticket', {
-            ticketNumber: ticket['ticket_number'],
-            csrf_userid: $csrf_userid,
-            csrf_token: $csrf_token
-        })
+        ticket = $database.getRow('ticket', 'tickettoclose', 'title')

        result = request('/ticket/close', {
            ticketNumber: ticket['ticket_number'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
+
        })

        (result['status']).should.equal('success')

-        ticket = $database.getRow('ticket', 1 , 'id')
+        ticket = $database.getRow('ticket', 'tickettoclose', 'title')
        (ticket['closed']).should.equal('1')
-        (ticket['unread']).should.equal('1')

        lastLog = $database.getLastRow('log')
        (lastLog['type']).should.equal('CLOSE')
-        request('/staff/un-assign-ticket', {
-            ticketNumber: ticket['ticket_number'],
-            csrf_userid: $csrf_userid,
-            csrf_token: $csrf_token
-        })
    end
+    it 'should close ticket if staff member does not serve to the department of the ticket but he is the author' do

-    it 'should close ticket if you are the author' do
-      request('/user/logout')
-      Scripts.createUser('closer@os4.com','closer','Closer')
-      Scripts.login('closer@os4.com','closer')
-      Scripts.createTicket('tickettoclose')
+      request('/staff/edit', {
+        csrf_userid: $csrf_userid,
+        csrf_token: $csrf_token,
+        departments: '[1, 2]',
+        staffId: 1
+      })
+      Scripts.createTicket('thisisanewticket','thisisthecontentofthenewticket',3)

-      ticket = $database.getRow('ticket', 'tickettoclose', 'title')
+      ticket = $database.getRow('ticket', 'thisisanewticket', 'title')

      result = request('/ticket/close', {
          ticketNumber: ticket['ticket_number'],
@ -71,5 +54,52 @@ describe '/ticket/close' do

      lastLog = $database.getLastRow('log')
      (lastLog['type']).should.equal('CLOSE')
+
+    end
+    it 'should not close ticket if staff does not serve to the department of the ticket and  he is not the author'do
+
+        ticket = $database.getRow('ticket', 'tickettoclose2', 'title')
+
+        result = request('/ticket/close', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+
+        })
+
+        (result['status']).should.equal('fail')
+        (result['message']).should.equal('NO_PERMISSION')
+
+        ticket = $database.getRow('ticket', 'tickettoclose2', 'title')
+        (ticket['closed']).should.equal('0')
+
+        request('/staff/edit', {
+          csrf_userid: $csrf_userid,
+          csrf_token: $csrf_token,
+          departments: '[1, 2, 3]',
+          staffId: 1
+        })
+    end
+    it 'should close ticket if User is the author' do
+        request('/user/logout')
+        Scripts.login('closer@os4.com','closer')
+
+        ticket = $database.getRow('ticket', 'tickettoclose3', 'title')
+
+        result = request('/ticket/close', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('success')
+
+        ticket = $database.getRow('ticket', 'tickettoclose3', 'title')
+        (ticket['closed']).should.equal('1')
+
+        lastLog = $database.getLastRow('log')
+        (lastLog['type']).should.equal('CLOSE')
+
+        request('/user/logout')
    end
 end
--- a/tests/ticket/comment.rb
+++ b/tests/ticket/comment.rb
@ -78,7 +78,7 @@ describe '/ticket/comment/' do
        (lastLog['type']).should.equal('COMMENT')
    end

-    it 'should add comment to ticket created by staff' do
+    it 'should add comment if staff member serves to the same department as the ticket' do
        request('/user/logout')
        Scripts.login($staff[:email], $staff[:password], true)
        result = request('/ticket/comment', {
@ -102,6 +102,69 @@ describe '/ticket/comment/' do

        request('/user/logout')
    end
+    it 'should comment the ticket if staff member does not serve the deparment of the ticket and he is author' do
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+        Scripts.createTicket('ticketttobecommented', 'tickettobecommentedbytheauthor', 2)
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1]',
+            staffId: 1
+        })
+        ticket = $database.getRow('ticket', 'ticketttobecommented' , 'title')
+
+        result = request('/ticket/comment', {
+            content: 'some comment content jeje',
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('success')
+
+        ticket = $database.getRow('ticket', 'ticketttobecommented' , 'title')
+        comment = $database.getRow('ticketevent', ticket['id'], 'ticket_id')
+        (comment['content']).should.equal('some comment content jeje')
+        (comment['type']).should.equal('COMMENT')
+        (comment['author_staff_id']).should.equal($csrf_userid)
+
+        lastLog = $database.getLastRow('log')
+        (lastLog['type']).should.equal('COMMENT')
+
+    end
+    it 'should not comment the ticket if staff member does not serve to the department of the ticket and he is not the author' do
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[]',
+            staffId: 1
+        })
+
+        request('/user/logout')
+        Scripts.login('commenter@os4.com', 'commenter')
+        Scripts.createTicket('title138','commentofthetitkect138', 1)
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+        ticket = $database.getRow('ticket', 'title138' , 'title')
+
+        result = request('/ticket/comment', {
+            content: 'some comment content jeje',
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('fail')
+        (result['message']).should.equal('NO_PERMISSION')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2]',
+            staffId: 1
+        })
+    end

    it 'should fail if user is not the author nor owner' do
        Scripts.createUser('no_commenter@comment.com', 'no_commenter', 'No Commenter')
@ -139,8 +202,7 @@ describe '/ticket/comment/' do
            csrf_token: $csrf_token
        })

-        (result['status']).should.equal('fail')
-        (result['message']).should.equal('NO_PERMISSION')
+        (result['status']).should.equal('success')
    end

    it 'should keep private on 0 if an user creates a private comment' do
@ -179,7 +241,7 @@ describe '/ticket/comment/' do
            csrf_token: $csrf_token,
            private: 1
        })
-        puts result['message']
+
        (result['status']).should.equal('success')
        comment = $database.getRow('ticketevent', 'this is a private comment', 'content')
        (comment['private']).should.equal("1")
--- a/tests/ticket/edit-comment.rb
+++ b/tests/ticket/edit-comment.rb
@ -15,7 +15,7 @@ describe '/ticket/edit-comment' do
        })

        ticket = $database.getRow('ticket', 'ticket made by an user', 'title')
-
+    
        (result['status']).should.equal('success')
        (ticket['content']).should.equal('content edited by the user')
    end
@ -69,7 +69,6 @@ describe '/ticket/edit-comment' do
        request('/user/logout')
    end

-
    it 'should not change the content of a comment if the user is not the author' do
        request('/user/logout')
        Scripts.login($staff[:email], $staff[:password], true)
--- a/tests/ticket/get.rb
+++ b/tests/ticket/get.rb
@ -81,4 +81,71 @@ describe '/ticket/get/' do
        (result['data']['events'][0]['type']).should.equal('COMMENT')
        (result['data']['events'][0]['content']).should.equal('some valid comment made')
    end
-end
+    it 'should successfully return the ticket information if staff member serves to the department of the ticket' do
+        request('/user/logout')
+        Scripts.login('cersei@os4.com', 'cersei')
+        Scripts.createTicket('titleofticket87','contentoftheticket87',1)
+        Scripts.createTicket('2titleofticket87','2contentoftheticket87',1)
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+
+        ticket = $database.getRow('ticket','titleofticket87', 'title')
+
+        result = request('/ticket/get', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('success')
+        (result['data']['ticketNumber']).should.equal(ticket['ticket_number'])
+        (result['data']['title']).should.equal('titleofticket87')
+        (result['data']['content']).should.equal('contentoftheticket87')
+
+    end
+    it 'should successfully return the ticket information if staff member does not serve to the deparment of the ticket but is author' do
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+
+        Scripts.createTicket('titleoftheticket107','contentoftheticket107',1)
+        ticket = $database.getRow('ticket','titleoftheticket107', 'title')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[]'
+        })
+
+        result = request('/ticket/get', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('success')
+        (result['data']['ticketNumber']).should.equal(ticket['ticket_number'])
+        (result['data']['title']).should.equal('titleoftheticket107')
+        (result['data']['content']).should.equal('contentoftheticket107')
+    end
+
+    it 'should fail if staff member does not serve to the department of the ticket and is not the author' do
+        ticket = $database.getRow('ticket','2titleofticket87', 'title')
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+        
+        result = request('/ticket/get', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+        (result['status']).should.equal('fail')
+        (result['message']).should.equal('NO_PERMISSION')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2, 3]',
+            staffId: 1
+        })
+    end
+end
--- a/tests/ticket/re-open.rb
+++ b/tests/ticket/re-open.rb
@ -2,7 +2,7 @@ describe '/ticket/re-open' do
    request('/user/logout')
    Scripts.login($staff[:email], $staff[:password], true)

-    it 'should re open  a ticket if everything is okey' do
+    it 'should re open  a ticket if staff member has the deparment of the ticket' do
        ticket = $database.getRow('ticket', 1 , 'id')

        result = request('/ticket/re-open', {
@ -21,12 +21,50 @@ describe '/ticket/re-open' do
        (lastLog['type']).should.equal('RE_OPEN')

        request('/user/logout')
+    end
+    it 'Should re-open if staff member does not serve to the department of the ticket and its the author'do
+        Scripts.login($staff[:email], $staff[:password], true)
+        Scripts.createTicket('tickettitle','contentoftheticketthatisgoingtosucces',3)
+
+        ticket = $database.getRow('ticket', 'contentoftheticketthatisgoingtosucces' , 'content')
+
+        Scripts.closeTicket(ticket['ticketNumber'])
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2]',
+            staffId: 1
+        })
+
+        result = request('/ticket/re-open', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+        (result['status']).should.equal('success')
+
+        ticket = $database.getRow('ticket', 'contentoftheticketthatisgoingtosucces' , 'content')
+        (ticket['closed']).should.equal('0')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2, 3]',
+            staffId: 1
+        })
+    end
+
+    it 'Should re-open ticket if the user is author' do
        Scripts.createUser('reopener@os4.com','reopener','Reopener')
        Scripts.login('reopener@os4.com','reopener')
        Scripts.createTicket('tickettoreopen')
+        Scripts.createTicket('tickettuser','this ticket was made by an user',3)
+
+        ticket = $database.getRow('ticket', 'this ticket was made by an user', 'content')
+        Scripts.closeTicket(ticket['ticketNumber'])

        ticket = $database.getRow('ticket', 'tickettoreopen', 'title')
-
        Scripts.closeTicket(ticket['ticketNumber'])

        result = request('/ticket/re-open', {
@ -42,5 +80,36 @@ describe '/ticket/re-open' do

        lastLog = $database.getLastRow('log')
        (lastLog['type']).should.equal('RE_OPEN')
+
+        request('/user/logout')
+    end
+
+    it 'Should fail re-open the ticket if the staff does not serve to the department and he is not the author' do
+
+        Scripts.login($staff[:email], $staff[:password], true)
+        ticket = $database.getRow('ticket', 'this ticket was made by an user' , 'content')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2]',
+            staffId: 1
+        })
+
+        result = request('/ticket/re-open', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('fail')
+        (result['message']).should.equal('NO_PERMISSION')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2, 3]',
+            staffId: 1
+        })
    end
 end
--- a/tests/ticket/remove-tag.rb
+++ b/tests/ticket/remove-tag.rb
@ -29,7 +29,7 @@ describe '/ticket/remove-tag' do
        (result['message']).should.equal('INVALID_TAG')
    end

-    it 'should remove an attached tag' do
+    it 'should remove an attached tag if staff member serves to the department of the ticket' do
        result = request('/ticket/remove-tag', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
@ -40,7 +40,79 @@ describe '/ticket/remove-tag' do
        (result['status']).should.equal('success')

    end
+    it 'should remove an attached tag if staff member does not serve to department ticket but is author' do
+        Scripts.createTicket('title44','contentoftheticket44',3)
+        ticket = $database.getRow('ticket','title44', 'title')

+        request('/ticket/add-tag', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            tagId: 1,
+            ticketNumber: ticket['ticket_number']
+        })
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2]',
+            staffId: 1
+        })
+
+        result = request('/ticket/remove-tag', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            tagId: 1,
+            ticketNumber: ticket['ticket_number']
+        })
+
+        (result['status']).should.equal('success')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2, 3]',
+            staffId: 1
+        })
+    end
+    it 'should fail if staff does not serve to department of the ticket and is not the author' do
+        request('/user/logout')
+        Scripts.login('pepito@pepito.com', 'pepito12345')
+        Scripts.createTicket('title73','contentoftheticket73',3)
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+
+        ticket = $database.getRow('ticket','title73', 'title')
+
+        request('/ticket/add-tag', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            tagId: 1,
+            ticketNumber: ticket['ticket_number']
+        })
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2]',
+            staffId: 1
+        })
+
+        result = request('/ticket/remove-tag', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            tagId: 1,
+            ticketNumber: ticket['ticket_number']
+        })
+
+        (result['status']).should.equal('fail')
+
+        request('/staff/edit', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            departments: '[1, 2, 3]',
+            staffId: 1
+        })
+    end

    it 'should fail if the tag is not attached' do
        result = request('/ticket/remove-tag', {