diff --git a/server/controllers/ticket/edit-comment.php b/server/controllers/ticket/edit-comment.php
index faf7a3b9..e30bca64 100644
--- a/server/controllers/ticket/edit-comment.php
+++ b/server/controllers/ticket/edit-comment.php
@@ -20,7 +20,9 @@ DataValidator::with('CustomValidations', true);
  *
  * @apiUse NO_PERMISSION
  * @apiUse INVALID_CONTENT
- * @apiUse INVALID_TOKEN
+ * @apiUse INVALID_TICKET
+ * @apiUse INVALID_TICKET_EVENT
+ * @apiUse TICKET_CONTENT_CANNOT_BE_EDITED
  *
  * @apiSuccess {Object} data Empty object
  *
@@ -62,6 +64,14 @@ class EditCommentController extends Controller {
 throw new RequestException(ERRORS::NO_PERMISSION);
 }
 
+ if (!$ticketevent->isNull()) {
+ if($user->id !== $ticketevent->authorUserId) {
+ throw new RequestException(ERRORS::NO_PERMISSION);
+ }
+ } else if ($user->id !== $ticket->authorId) {
+ throw new RequestException(ERRORS::NO_PERMISSION);
+ }
+
 if(Controller::isStaffLogged() && !$user->canManageTicket($ticket)) {
 throw new RequestException(ERRORS::NO_PERMISSION);
 }
@@ -70,10 +80,8 @@ class EditCommentController extends Controller {
 if($ticketevent->type !== "COMMENT" || $ticket->closed || $ticket->getLatestEventOfType("COMMENT")['id'] !== $ticketevent->id) {
 throw new RequestException(ERRORS::INVALID_TICKET_EVENT);
 }
- } else {
- if(sizeof($ticket->getEventsOfType("COMMENT"))) {
- throw new RequestException(ERRORS::INVALID_TICKET_EVENT);
- }
+ } else if(sizeof($ticket->getEventsOfType("COMMENT"))) {
+ throw new RequestException(ERRORS::TICKET_CONTENT_CANNOT_BE_EDITED);
 }
 
 if(!$ticketevent->isNull()){
diff --git a/server/data/ERRORS.php b/server/data/ERRORS.php
index 8ca25033..90c61321 100755
--- a/server/data/ERRORS.php
+++ b/server/data/ERRORS.php
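Review bot: The author check added in the second hunk compares `$user->id` with `$ticketevent->authorUserId` and `$ticket->authorId` by numeric id alone, yet the `Controller::isStaffLogged()` test two lines below implies `$user` can also be a staff account; if staff and user ids are allocated from separate tables, a staff id that happens to equal the author's user id would pass this check for a ticket or comment that staff member did not write, and a staff member's own comment (whose author is presumably not stored in `authorUserId`) would be rejected — both inferred, since the model fields are outside this hunk. Either branch on `Controller::isStaffLogged()` inside the new check and compare the staff-author field for that case, or state the intended policy explicitly, e.g. `// Only the original author may edit; staff accounts are rejected by the authorUserId/authorId comparison.` The removed admin test in tests/ticket/edit-comment.rb suggests the restriction is intentional, so the comment may be all that is needed. The handler body starts and continues outside this hunk, so the remaining permission flow was not reviewed.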
@@ -323,6 +323,10 @@ * @apiDefine INVALID_SUPERVISED_USERS * @apiError {String} INVALID_SUPERVISED_USERS supervised users are invalid */ +/** + * @apiDefine TICKET_CONTENT_CANNOT_BE_EDITED + * @apiError {String} TICKET_CONTENT_CANNOT_BE_EDITED Ticket content cannot be edited because it has comments + */ class ERRORS { const INVALID_CREDENTIALS = 'INVALID_CREDENTIALS'; @@ -410,4 +414,5 @@ class ERRORS { const REGISTRATION_IS_DESACTIVATED = 'REGISTRATION_IS_DESACTIVATED'; const INVALID_SUPERVISED_USERS = 'INVALID_SUPERVISED_USERS'; const INVALID_USER_SEARCH_OPTION = 'INVALID_USER_SEARCH_OPTION'; + const TICKET_CONTENT_CANNOT_BE_EDITED = 'TICKET_CONTENT_CANNOT_BE_EDITED'; } diff --git a/tests/article/article.rb b/tests/article/article.rb index 42c13e3f..5eb06bc1 100644 --- a/tests/article/article.rb +++ b/tests/article/article.rb @@ -28,7 +28,7 @@ describe 'Article path' do it 'should create article' do result = request('/article/add', { - name: 'Some article', + title: 'Some article', content: 'This is an article about server management.', topicId: @topic_id, position: 1, @@ -108,7 +108,7 @@ describe 'Article path' do it 'should retrieve all articles' do request('/article/add', { - name: 'Some article', + title: 'Some article', content: 'This is an article about server management.', topicId: @topic_id, position: 1, diff --git a/tests/system/mandatory-login.rb b/tests/system/mandatory-login.rb index 00205d63..1fd25ce0 100644 --- a/tests/system/mandatory-login.rb +++ b/tests/system/mandatory-login.rb @@ -205,6 +205,15 @@ describe'system/mandatory-login' do }) (result['status']).should.equal('success') + result = request('/ticket/edit-comment', { + csrf_token: $sessionToken, + csrf_userid: $sessionId, + ticketNumber: $sessionTicketNumber, + ticketEventId: 0, + content: 'this is the first edited-comment without login' + }) + (result['status']).should.equal('success') + result = request('/ticket/comment', { csrf_token: $sessionToken, csrf_userid: $sessionId, 
@@ -221,15 +230,6 @@ describe'system/mandatory-login' do }) (result['status']).should.equal('success') - result = request('/ticket/edit-comment', { - csrf_token: $sessionToken, - csrf_userid: $sessionId, - ticketNumber: $sessionTicketNumber, - ticketEventId: 0, - content: 'this is the first edited-comment without login' - }) - (result['status']).should.equal('success') - result = request('/ticket/close', { csrf_token: $sessionToken, csrf_userid: $sessionId, diff --git a/tests/ticket/edit-comment.rb b/tests/ticket/edit-comment.rb index 4e807f69..4249ec47 100644 --- a/tests/ticket/edit-comment.rb +++ b/tests/ticket/edit-comment.rb @@ -1,12 +1,20 @@ describe '/ticket/edit-comment' do + Scripts.logout() + Scripts.login($staff[:email], $staff[:password], true) + Scripts.createTicket('ticket made by a staff','content of the ticket made by a staff') Scripts.logout() Scripts.login() - Scripts.createTicket('ticket made by an user','content of the ticket made by an user') - ticket = $database.getRow('ticket', 'ticket made by an user', 'title') - Scripts.commentTicket(ticket['ticket_number'],'com ment of a user') + Scripts.createTicket('ticket made by a user','content of the ticket made by a user') - it 'should change content of the ticket if the author user tries it' do + def getTicketEventsCommentsQuery(ticketId) + return "SELECT * FROM `ticketevent` WHERE `type` = 'COMMENT' AND `ticket_id` = #{ticketId} ORDER BY `ticketevent`.`id` ASC;" + end + + ticket = $database.getRow('ticket', 'ticket made by a user', 'title') + ticket2 = $database.getRow('ticket', 'ticket made by a staff', 'title') + + it 'should success if author is right and ticket has no comment' do result = request('/ticket/edit-comment', { csrf_userid: $csrf_userid, csrf_token: $csrf_token, 
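Review bot: `getTicketEventsCommentsQuery` splices `ticketId` directly into the SQL string; every caller in this file passes an id read back from the database, so this is not a risk here, but the helper has no guard if it is later reused with a request-derived value. Coercing the argument in the interpolation, `#{Integer(ticketId)}`, makes a non-numeric value raise instead of being embedded, or use a bound parameter if `$database.query` supports one (not visible in this diff). Defining the helper with `def` inside the `describe` block appears to make it a method on the example group; a lambda assigned to a local would keep it scoped to this spec file.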
@@ -14,16 +22,25 @@ describe '/ticket/edit-comment' do ticketNumber: ticket['ticket_number'] }) - ticket = $database.getRow('ticket', 'ticket made by an user', 'title') + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(0) + ticket = $database.getRow('ticket', 'ticket made by a user', 'title') (result['status']).should.equal('success') (ticket['content']).should.equal('content edited by the user') end - it 'should change the content of a comment if the user is the author' do + it 'should success if author is right and its the last comment' do + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(0) + Scripts.commentTicket(ticket['ticket_number'],'com ment of a user') ticketevent = $database.getRow('ticketevent', 'com ment of a user', 'content') + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(1) + tickets_comments.to_a.last['content'].should.equal('com ment of a user') + result = request('/ticket/edit-comment', { csrf_userid: $csrf_userid, csrf_token: $csrf_token, 
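Review bot: The example description `should success if author is right and its the last comment` (and, in the neighbouring hunks, `should success if author is right and ticket has no comment` and `... has other commets below`) is printed in the test output, so `should succeed if the author is right and it is the last comment` and `... has other comments below` would read better. The examples in this file are order-dependent (this one relies on the previous example leaving the ticket with zero comments); the `tickets_comments.size.should.equal(0)` precondition at the top makes that explicit, which is good, and a one-line comment above the first `it` saying the examples must run in file order would help the next maintainer.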
@@ -31,54 +48,119 @@ describe '/ticket/edit-comment' do ticketEventId: ticketevent['id'] }) - ticketevent = $database.getRow('ticketevent', 'comment edited by the user', 'content') + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(1) - (result['status']).should.equal('success') - (ticketevent['content']).should.equal('comment edited by the user') - end + (result['status']).should.equal('success') - it 'should change the content of a comment and the content of the ticket if the admin is logged' do - Scripts.logout() - Scripts.login($staff[:email], $staff[:password], true) - ticketevent = $database.getRow('ticketevent', 'comment edited by the user', 'content') + tickets_comments.to_a.last['content'].should.equal('comment edited by the user') + + Scripts.commentTicket(ticket['ticket_number'],'com ment of a user 2') + ticketevent = $database.getRow('ticketevent', 'com ment of a user 2', 'content') + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(2) + tickets_comments.to_a.last['content'].should.equal('com ment of a user 2') result = request('/ticket/edit-comment', { csrf_userid: $csrf_userid, csrf_token: $csrf_token, - content: 'comment edited by a staff', + content: 'comment edited by the user 2', ticketEventId: ticketevent['id'] }) - ticketevent = $database.getRow('ticketevent', 'comment edited by a staff', 'content') + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(2) + tickets_comments.to_a.last['content'].should.equal('comment edited by the user 2') (result['status']).should.equal('success') - (ticketevent['content']).should.equal('comment edited by a staff') + + Scripts.commentTicket(ticket['ticket_number'],'com ment of a user 3') + ticketevent = $database.getRow('ticketevent', 'com ment of a user 3', 'content') + + tickets_comments = 
$database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(3) + tickets_comments.to_a.last['content'].should.equal('com ment of a user 3') result = request('/ticket/edit-comment', { csrf_userid: $csrf_userid, csrf_token: $csrf_token, - content: 'content edited by a staff', + content: 'comment edited by the user 3', + ticketEventId: ticketevent['id'] + }) + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(3) + tickets_comments.to_a.last['content'].should.equal('comment edited by the user 3') + + ticketevent = tickets_comments.to_a.last + + (result['status']).should.equal('success') + end + + it 'should fail if author is right but ticket has other commets below' do + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(3) + + result = request('/ticket/edit-comment', { + csrf_userid: $csrf_userid, + csrf_token: $csrf_token, + content: 'content edited by the user', ticketNumber: ticket['ticket_number'] }) - ticket = $database.getRow('ticket', ticket['ticket_number'], 'ticket_number') + (result['status']).should.equal('fail') + (result['message']).should.equal('TICKET_CONTENT_CANNOT_BE_EDITED') - (result['status']).should.equal('success') - (ticket['content']).should.equal('content edited by a staff') + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(3) + ticket_comment3 = tickets_comments.to_a.last - Scripts.logout() + Scripts.commentTicket(ticket['ticket_number'],'com ment of a user 4') + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id'])) + tickets_comments.size.should.equal(4) + + result = request('/ticket/edit-comment', { + csrf_userid: $csrf_userid, + csrf_token: $csrf_token, + content: 'this is not the last comment of the ticket', + ticketEventId: ticket_comment3['id'] + }) + + 
(result['status']).should.equal('fail') + (result['message']).should.equal('INVALID_TICKET_EVENT') end - it 'should not change the content of a comment if the user is not the author' do + it 'should fail if ticket has no comments but author is wrong' do + result = request('/ticket/edit-comment', { + csrf_userid: $csrf_userid, + csrf_token: $csrf_token, + content: 'this is not my ticket', + ticketNumber: ticket2['ticket_number'] + }) + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + tickets_comments.size.should.equal(0) + ticket2 = $database.getRow('ticket', 'ticket made by a staff', 'title') + + (result['status']).should.equal('fail') + (ticket2['content']).should.equal('content of the ticket made by a staff') + (result['message']).should.equal('NO_PERMISSION') + end + + it 'should fail if ticket has comment and author is wrong' do Scripts.logout() Scripts.login($staff[:email], $staff[:password], true) - ticket = $database.getRow('ticket', 'ticket made by an user', 'title') + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + tickets_comments.size.should.equal(0) - Scripts.assignTicket(ticket['ticket_number']) - Scripts.commentTicket(ticket['ticket_number'],'this is a new comment of a staff member') + Scripts.commentTicket(ticket2['ticket_number'],'com ment of a staff') - ticketevent = $database.getRow('ticketevent', 'this is a new comment of a staff member', 'content') + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + tickets_comments.size.should.equal(1) + tickets_comments.to_a.last['content'].should.equal('com ment of a staff') Scripts.logout() Scripts.login() 
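Review bot: In `should fail if author is right but ticket has other commets below`, both failing requests assert only `status` and `message`; unlike the `author is wrong` examples, which re-read `ticket2` and check `content`, nothing confirms the ticket text or comment 3 were left untouched. After the `TICKET_CONTENT_CANNOT_BE_EDITED` request, add `ticket = $database.getRow('ticket', 'ticket made by a user', 'title')` and `(ticket['content']).should.equal('content edited by the user')` (the value set by the first example, assuming nothing else changed it), and after the `INVALID_TICKET_EVENT` request re-query and check `tickets_comments.to_a[2]['content'].should.equal('comment edited by the user 3')`. Without these the tests would still pass if the controller rejected the request after writing.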
@@ -86,11 +168,72 @@ describe '/ticket/edit-comment' do result = request('/ticket/edit-comment', { csrf_userid: $csrf_userid, csrf_token: $csrf_token, - content: 'comment edited by an user', - ticketEventId: ticketevent['id'] + content: 'this is not my ticket', + ticketNumber: ticket2['ticket_number'] }) + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + tickets_comments.size.should.equal(1) + ticket2 = $database.getRow('ticket', 'ticket made by a staff', 'title') + (result['status']).should.equal('fail') + (ticket2['content']).should.equal('content of the ticket made by a staff') (result['message']).should.equal('NO_PERMISSION') end + + it 'should fail if author is wrong but comment is the last' do + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + tickets_comments.size.should.equal(1) + + ticket_comment = tickets_comments.to_a.last + + ticket_comment['content'].should.equal('com ment of a staff') + + result = request('/ticket/edit-comment', { + csrf_userid: $csrf_userid, + csrf_token: $csrf_token, + content: 'this comment it is not mine', + ticketEventId: ticket_comment['id'] + }) + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + tickets_comments.size.should.equal(1) + + ticket_comment = tickets_comments.to_a.last + + (result['status']).should.equal('fail') + (result['message']).should.equal('NO_PERMISSION') + ticket_comment['content'].should.equal('com ment of a staff') + end + + it 'should fail if the author and comment are wrong' do + Scripts.logout() + Scripts.login($staff[:email], $staff[:password], true) + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + tickets_comments.size.should.equal(1) + first_comment = tickets_comments.to_a.last + + Scripts.commentTicket(ticket2['ticket_number'],'com ment of a staff 2') + + tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id'])) + 
tickets_comments.size.should.equal(2) + last_comment = tickets_comments.to_a.last + last_comment['content'].should.equal('com ment of a staff 2') + + Scripts.logout() + Scripts.login() + + result = request('/ticket/edit-comment', { + csrf_userid: $csrf_userid, + csrf_token: $csrf_token, + content: 'this comment it is not mine and is not the last', + ticketEventId: first_comment['id'] + }) + + (result['status']).should.equal('fail') + (result['message']).should.equal('NO_PERMISSION') + last_comment['content'].should.equal('com ment of a staff 2') + end end
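Review bot: In `should fail if the author and comment are wrong`, the closing `last_comment['content'].should.equal('com ment of a staff 2')` checks a hash fetched before the request, so it cannot detect a modification, and the request targets `first_comment['id']`, not the last comment. Re-query after the request and assert on the targeted row: `tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket2['id']))` followed by `tickets_comments.to_a.first['content'].should.equal('com ment of a staff')`. The `should fail if author is wrong but comment is the last` example earlier in this hunk does the re-fetch correctly and can serve as the template.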