New apikeys permissions (#869)

* back-end y ruby test * ruby test * frontend part * delete unused component * resolve relevant github maxi comments * delete .catch of getAllkeys * fix github ivan comments * add ruby test and minor changes * search ruby test * fix name checkticketpermission
2025-07-31 01:35:15 +02:00 · 2020-10-14 15:08:14 -03:00 · 2020-10-14 15:08:14 -03:00 · b8944a3f04
commit b8944a3f04
parent a64c9f2255
28 changed files with 464 additions and 115 deletions
--- a/client/src/app/admin/panel/settings/admin-panel-advanced-settings.js
+++ b/client/src/app/admin/panel/settings/admin-panel-advanced-settings.js
@ -4,7 +4,6 @@ import {connect} from 'react-redux';
 import ConfigActions from 'actions/config-actions';
 import API from 'lib-app/api-call';
 import i18n from 'lib-app/i18n';
 import ToggleButton from 'app-components/toggle-button';
 import AreYouSure from 'app-components/are-you-sure';
 import ModalContainer from 'app-components/modal-container';
@ -26,10 +25,9 @@ class AdminPanelAdvancedSettings extends React.Component {
        messageTitle: null,
        messageType: '',
        messageContent: '',
        keyName: '',
        keyCode: '',
        selectedAPIKey: -1,
-        APIKeys: []
+        APIKeys: [],
        error: ''
    };
    componentDidMount() {
@ -95,7 +93,7 @@ class AdminPanelAdvancedSettings extends React.Component {
                            <Listing {...this.getListingProps()} />
                        </div>
                        <div className="col-md-8 admin-panel-advanced-settings__api-keys__container">
-                            {(this.state.selectedAPIKey === -1) ? this.renderNoKey() : this.renderKey()}
+                            {this.state.error ? <Message type="error">{i18n(this.state.error)}</Message> : (this.state.selectedAPIKey === -1) ? this.renderNoKey() : this.renderKey()}
                        </div>
                    </div>
                </div>
@ -121,13 +119,21 @@ class AdminPanelAdvancedSettings extends React.Component {
    renderKey() {
        let currentAPIKey = this.state.APIKeys[this.state.selectedAPIKey];
        return (
            <div className="admin-panel-advanced-settings__api-keys__container-info">
                <div className="admin-panel-advanced-settings__api-keys-subtitle">{i18n('NAME_OF_KEY')}</div>
                <div className="admin-panel-advanced-settings__api-keys-data">{currentAPIKey.name}</div>
                <div className="admin-panel-advanced-settings__api-keys-subtitle">{i18n('KEY')}</div>
                <div className="admin-panel-advanced-settings__api-keys-data">{currentAPIKey.token}</div>
                <div className="admin-panel-advanced-settings__api-keys-subtitle">{i18n('PERMISSIONS')}</div>
                <div className="admin-panel-advanced-settings__api-keys__permissions">
                    <FormField className="admin-panel-advanced-settings__api-keys__permissions__item" value={currentAPIKey.canCreateTickets*1} label={i18n('TICKET_CREATION_PERMISSION')} field='checkbox'/>
                    <FormField value={currentAPIKey.shouldReturnTicketNumber*1} label={i18n('TICKET_NUMBER_RETURN_PERMISSION')} field='checkbox'/>
                </div>
                <div className="admin-panel-advanced-settings__api-keys__permissions" >
                    <FormField className="admin-panel-advanced-settings__api-keys__permissions__item" value={currentAPIKey.canCheckTickets*1} label={i18n('TICKET_CHECK_PERMISSION')} field='checkbox'/>
                    <FormField value={currentAPIKey.canCreateUser*1} label={i18n('USER_CREATION_PERMISSION')} field='checkbox'/>
                </div>
                <Button className="admin-panel-advanced-settings__api-keys-button" size="medium" onClick={this.onDeleteKeyClick.bind(this)}>
                    {i18n('DELETE')}
                </Button>
@ -146,7 +152,7 @@ class AdminPanelAdvancedSettings extends React.Component {
                };
            }),
            selectedIndex: this.state.selectedAPIKey,
-            onChange: index => this.setState({selectedAPIKey: index}),
+            onChange: index => this.setState({selectedAPIKey: index, error:''}),
            onAddClick: this.openAPIKeyModal.bind(this)
        };
    }
@ -156,16 +162,33 @@ class AdminPanelAdvancedSettings extends React.Component {
            <Form className="admin-panel-advanced-settings__api-keys-modal" onSubmit={this.addAPIKey.bind(this)}>
                <Header title={i18n('ADD_API_KEY')} description={i18n('ADD_API_KEY_DESCRIPTION')}/>
                <FormField name="name" label={i18n('NAME_OF_KEY')} validation="DEFAULT" required fieldProps={{size: 'large'}}/>
-                <SubmitButton type="secondary">{i18n('SUBMIT')}</SubmitButton>
+                <div className="admin-panel-advanced-settings__api-keys__permissions">
                    <FormField className = "admin-panel-advanced-settings__api-keys__permissions__item" name="createTicketPermission" label={i18n('TICKET_CREATION_PERMISSION')}   field='checkbox'/>
                    <FormField name="ticketNumberPermission" label={i18n('TICKET_NUMBER_RETURN_PERMISSION')}  field='checkbox'/>
                </div>
                <div className="admin-panel-advanced-settings__api-keys__permissions" >
                    <FormField className = "admin-panel-advanced-settings__api-keys__permissions__item" name="checkTicketPermission" label={i18n('TICKET_CHECK_PERMISSION')}  field='checkbox'/>
                    <FormField name="userPermission" label={i18n('USER_CREATION_PERMISSION')}   field='checkbox'/>
                </div>
                <SubmitButton className="admin-panel-advanced-settings__api-keys-modal__submit-button" type="secondary">{i18n('SUBMIT')}</SubmitButton>
            </Form>
        );
    }
-    addAPIKey({name}) {
+    addAPIKey({name,userPermission,createTicketPermission,checkTicketPermission,ticketNumberPermission}) {
        ModalContainer.closeModal();
        this.setState({
            error: ''
        })
        API.call({
            path: '/system/add-api-key',
-            data: {name, type: 'REGISTRATION'}
+            data: {
                name,
                canCreateUsers: userPermission*1,
                canCreateTickets: createTicketPermission*1,
                canCheckTickets: checkTicketPermission*1,
                shouldReturnTicketNumber: ticketNumberPermission*1
            }
        }).then(this.getAllKeys.bind(this));
    }
@ -173,7 +196,7 @@ class AdminPanelAdvancedSettings extends React.Component {
        API.call({
            path: '/system/get-api-keys',
            data: {}
-        }).then(this.onRetrieveSuccess.bind(this));
+        }).then(this.onRetrieveSuccess.bind(this))
    }
    onDeleteKeyClick() {
@ -189,8 +212,9 @@ class AdminPanelAdvancedSettings extends React.Component {
    onRetrieveSuccess(result) {
        this.setState({
-            APIKeys: result.data.filter(key => key['type'] === 'REGISTRATION'),
+            APIKeys: result.data,
-            selectedAPIKey: -1
+            selectedAPIKey: -1,
            error: null
        });
    }
--- a/client/src/app/admin/panel/settings/admin-panel-advanced-settings.scss
+++ b/client/src/app/admin/panel/settings/admin-panel-advanced-settings.scss
@ -45,8 +45,21 @@
            padding: 5px 0;
        }
        &__permissions {
            display: flex;
            justify-content: flex-start;
            margin-bottom: 20px;
            &__item {
                margin-right: 25px;
            }
        }
        &-modal {
            min-width: 500px;
            &__submit-button {
                margin-top: 20px;
            }
        }
        &-none {
--- a/client/src/data/languages/en.js
+++ b/client/src/data/languages/en.js
@ -228,7 +228,11 @@ export default {
    'DESCRIPTION_ADD_CUSTOM_TAG': 'here you can add a new custom tag',
    'DESCRIPTION_EDIT_CUSTOM_TAG': 'here you can edit a custom tag',
    'CUSTOM_FIELDS': 'Custom fields',
-
+    'PERMISSIONS': 'Permissions',
    'TICKET_CREATION_PERMISSION': 'Allow ticket creation',
    'TICKET_CHECK_PERMISSION': 'Allow ticket check',
    'TICKET_NUMBER_RETURN_PERMISSION' : 'Allow ticket number return',
    'USER_CREATION_PERMISSION': 'Allow user creation',
    'CHART_CREATE_TICKET': 'Tickets created',
    'CHART_CLOSE': 'Tickets closed',
    'CHART_SIGNUP': 'Signups',
@ -395,6 +399,7 @@ export default {
    'INVALID_DEFAULT_DEPARTMENT': 'Default department choosen is invalid',
    'INVALID_SUPERVISED_USERS': 'Invalid supervised users',
    'SUPERVISOR_CAN_NOT_SUPERVISE_HIMSELF': 'Supervisor can not supervise himself',
    'NAME_ALREADY_USED': 'Name already used',
    //MESSAGES
    'SIGNUP_SUCCESS': 'You have registered successfully in our support system.',
--- a/server/controllers/system/add-api-key.php
+++ b/server/controllers/system/add-api-key.php
@ -14,12 +14,13 @@ use Respect\Validation\Validator as DataValidator;
 * @apiPermission staff3
 *
 * @apiParam {String} name Name of the new APIKey.
- * @apiParam {String} type Type of APIKey: "REGISTRATION" or "TICKET_CREATE"
+ * @apiParam {Boolean} canCreateUsers canCreateUsers determinates if the apikey has the permission to create users 
- *
+ * @apiParam {Boolean} canCreateTickets canCreateTickets determinates if the apikey has the permission to create tickets
 * @apiParam {Boolean} canCheckTickets canCheckTickets determinates if the apikey has the permission to check tickets
 * @apiParam {Boolean} shouldReturnTicketNumber shouldReturnTicketNumber determinates if the apikey has the permission of returning ticket number after ticket creation
 * @apiUse NO_PERMISSION
 * @apiUse INVALID_NAME
 * @apiUse NAME_ALREADY_USED
 * @apiUse INVALID_API_KEY_TYPE
 *
 * @apiSuccess {String} data Token of the APIKey.
 *
@ -36,10 +37,6 @@ class AddAPIKeyController extends Controller {
                'name' => [
                    'validation' => DataValidator::notBlank()->length(2, 55)->alnum(),
                    'error' => ERRORS::INVALID_NAME
                ],
                'type' => [
                    'validation' => DataValidator::in(APIKey::TYPES),
                    'error' => ERRORS::INVALID_API_KEY_TYPE
                ]
            ]
        ];
@ -49,8 +46,10 @@ class AddAPIKeyController extends Controller {
        $apiInstance = new APIKey();
        $name = Controller::request('name');
-        $type = Controller::request('type');
+        $canCreateUsers = (bool)Controller::request('canCreateUsers');
-
+        $canCreateTickets = (bool)Controller::request('canCreateTickets');
        $canCheckTickets = (bool)Controller::request('canCheckTickets');
        $shouldReturnTicketNumber = (bool)Controller::request('shouldReturnTicketNumber');
        $keyInstance = APIKey::getDataStore($name, 'name');
        if($keyInstance->isNull()){
@ -59,7 +58,10 @@ class AddAPIKeyController extends Controller {
            $apiInstance->setProperties([
                'name' => $name,
                'token' => $token,
-                'type' => $type,
+                'canCreateUsers' => $canCreateUsers,
                'canCreateTickets' => $canCreateTickets,
                'canCheckTickets' => $canCheckTickets,
                'shouldReturnTicketNumber' => $shouldReturnTicketNumber
            ]);
            $apiInstance->store();
--- a/server/controllers/system/get-api-keys.php
+++ b/server/controllers/system/get-api-keys.php
@ -32,7 +32,6 @@ class GetAPIKeysController extends Controller {
    public function handler() {
        $apiList = APIKey::getAll();
        Response::respondSuccess($apiList->toArray());
    }
 }
--- a/server/controllers/ticket/check.php
+++ b/server/controllers/ticket/check.php
@ -46,7 +46,7 @@ class CheckTicketController extends Controller {
                    'error' => ERRORS::INVALID_EMAIL
                ],
                'captcha' => [
-                    'validation' => DataValidator::captcha(),
+                    'validation' => DataValidator::captcha(APIKey::TICKET_CHECK_PERMISSION),
                    'error' => ERRORS::INVALID_CAPTCHA
                ]
            ]
--- a/server/controllers/ticket/comment.php
+++ b/server/controllers/ticket/comment.php
@ -17,7 +17,8 @@ DataValidator::with('CustomValidations', true);
 * @apiParam {String} content Content of the comment.
 * @apiParam {Number} ticketNumber The number of the ticket to comment.
 * @apiParam {Boolean} private Indicates if the comment is not shown to users.
- * @apiParam {Number} images The number of images in the content
+ * @apiParam {Number} images The number of images in the content.
 * @apiParam {String} apiKey apiKey to comment a ticket.
 * @apiParam image_i The image file of index `i` (mutiple params accepted)
 * @apiParam file The file you with to upload.
 *
@ -67,6 +68,7 @@ class CommentController extends Controller {
        $isAuthor = $this->ticket->isAuthor($this->user);
        $isOwner = $this->ticket->isOwner($this->user);
        $private = Controller::request('private');
        $apiKey = APIKey::getDataStore(Controller::request('apiKey'), 'token');
        if(!$this->user->canManageTicket($this->ticket)) {
            throw new RequestException(ERRORS::NO_PERMISSION);
--- a/server/controllers/ticket/create.php
+++ b/server/controllers/ticket/create.php
@ -19,7 +19,8 @@ DataValidator::with('CustomValidations', true);
 * @apiParam {Number} departmentId The id of the department of the current ticket.
 * @apiParam {String} language The language of the ticket.
 * @apiParam {String} email The email of the user who created the ticket.
- * @apiParam {Number} images The number of images in the content
+ * @apiParam {Number} images The number of images in the content.
 * @apiParam {String} apiKey apiKey to create tickets and show ticket-number created.
 * @apiParam image_i The image file of index `i` (mutiple params accepted)
 * @apiParam file The file you with to upload.
 *
@ -48,7 +49,7 @@ class CreateController extends Controller {
    private $ticketNumber;
    private $email;
    private $name;
-
+    private $apiKey;
    public function validations() {
        $validations = [
            'permission' => 'user',
@ -74,7 +75,7 @@ class CreateController extends Controller {
        if (!Controller::isLoginMandatory() && !Controller::isStaffLogged() && !Controller::isUserLogged()) {
            $validations['permission'] = 'any';
            $validations['requestData']['captcha'] = [
-                'validation' => DataValidator::captcha(APIKey::TICKET_CREATE),
+                'validation' => DataValidator::captcha(APIKey::TICKET_CREATE_PERMISSION),
                'error' => ERRORS::INVALID_CAPTCHA
            ];
            $validations['requestData']['email'] = [
@ -92,12 +93,10 @@ class CreateController extends Controller {
    public function handler() {
        ///
        $session = Session::getInstance();
        if($session->isTicketSession())  {
            $session->clearSessionData();
        }
        ///
        $this->title = Controller::request('title');
        $this->content = Controller::request('content', true);
@ -105,8 +104,9 @@ class CreateController extends Controller {
        $this->language = Controller::request('language');
        $this->email = Controller::request('email');
        $this->name = Controller::request('name');
        $this->apiKey = APIKey::getDataStore(Controller::request('apiKey'), 'token');
-        if(!Controller::isStaffLogged() && Department::getDataStore($this->departmentId)->private){
+        if(!Controller::isStaffLogged() && Department::getDataStore($this->departmentId)->private) {
            throw new Exception(ERRORS::INVALID_DEPARTMENT);
        }
@ -132,11 +132,14 @@ class CreateController extends Controller {
        }
        Log::createLog('CREATE_TICKET', $this->ticketNumber);
-
+        
-        Response::respondSuccess([
+        if(!$this->apiKey->isNull() && $this->apiKey->shouldReturnTicketNumber){
-            'ticketNumber' => $this->ticketNumber
+            Response::respondSuccess([
-        ]);
+                'ticketNumber' => $this->ticketNumber
-           
+            ]);
        }else{
            Response::respondSuccess();
        }
    }
    private function isEmailInvalid(){
--- a/server/controllers/user/signup.php
+++ b/server/controllers/user/signup.php
@ -18,7 +18,7 @@ DataValidator::with('CustomValidations', true);
 * @apiParam {String} name The name of the new user.
 * @apiParam {String} email The email of the new user.
 * @apiParam {String} password The password of the new user.
- * @apiParam {String} apiKey APIKey to sign up an user if the registration system is disabled.
+ * @apiParam {String} apiKey apiKey to sign up an user if the registration system is disabled.
 * @apiParam {String} customfield_ Custom field values for this user.
 * @apiParam {Boolean} indirectSignUp Indicates if the new User has been created by ticket/create
 *
@ -72,7 +72,7 @@ class SignUpController extends Controller {
        if(!$this->csvImported) {
            $validations['requestData']['captcha'] = [
-                'validation' => DataValidator::captcha(APIKey::REGISTRATION),
+                'validation' => DataValidator::captcha(APIKey::USER_CREATE_PERMISSION),
                'error' => ERRORS::INVALID_CAPTCHA
            ];
        }
@ -99,10 +99,6 @@ class SignUpController extends Controller {
        if (!Setting::getSetting('registration')->value && $apiKey->isNull() && !Controller::isStaffLogged(2) && !$this->csvImported) {
            throw new RequestException(ERRORS::NO_PERMISSION);
        }
        if(!$apiKey->isNull() && $apiKey->type !== APIKey::REGISTRATION) {
            throw new RequestException(ERRORS::INVALID_API_KEY_TYPE);
        }
        $userId = $this->createNewUserAndRetrieveId();
--- a/server/data/ERRORS.php
+++ b/server/data/ERRORS.php
@ -308,8 +308,8 @@
 * @apiError {String} INVALID_COLOR The color should be in hexadecimal, preceded by a '#'
 */
 /**
- * @apiDefine INVALID_API_KEY_TYPE
+ * @apiDefine INVALID_API_KEY_PERMISSION
- * @apiError {String} INVALID_API_KEY_TYPE Api key type is not one of the availables
+ * @apiError {String} INVALID_API_KEY_PERMISSION Api key type is not one of the availables
 */
 /**
 * @apiDefine MANDATORY_LOGIN_IS_DESACTIVATED
@ -404,7 +404,7 @@ class ERRORS {
    const INVALID_CUSTOM_FIELD_OPTION = 'INVALID_CUSTOM_FIELD_OPTION';
    const UNAVAILABLE_STATS = 'UNAVAILABLE_STATS';
    const INVALID_COLOR = 'INVALID_COLOR';
-    const INVALID_API_KEY_TYPE = 'INVALID_API_KEY_TYPE';
+    const INVALID_API_KEY_PERMISSION = 'INVALID_API_KEY_PERMISSION';
    const MANDATORY_LOGIN_IS_DESACTIVATED = 'MANDATORY_LOGIN_IS_DESACTIVATED';
    const REGISTRATION_IS_DESACTIVATED = 'REGISTRATION_IS_DESACTIVATED';
    const INVALID_SUPERVISED_USERS = 'INVALID_SUPERVISED_USERS';
--- a/server/libs/validations/captcha.php
+++ b/server/libs/validations/captcha.php
@ -6,25 +6,36 @@ use Respect\Validation\Rules\AbstractRule;
 class Captcha extends AbstractRule {
    private $dataStoreName;
    private $apiKeyPermissionType;
-    public function __construct($apiKeyType = '') {
+    public function __construct($apiKeyPermissionType = '') {
-        if (in_array($apiKeyType, \APIKey::TYPES)) {
+        $this->apiKeyPermissionType = $apiKeyPermissionType;
-            $this->apiKeyType = $apiKeyType;
+        if (in_array($apiKeyPermissionType, \APIKey::TYPES)) {
-        } else if($apiKeyType) {
+            $this->apiKeyType = $apiKeyPermissionType;
        } else if($apiKeyPermissionType) {
            throw new \Exception(\ERRORS::INVALID_API_KEY_TYPE);
        }
    }
-
+    
    public function validate($reCaptchaResponse) {
        $reCaptchaPrivateKey = \Setting::getSetting('recaptcha-private')->getValue();
        $apiKey = \APIKey::getDataStore(\Controller::request('apiKey'), 'token');
        if (!$reCaptchaPrivateKey) return true;
-        if (!$apiKey->isNull() && $apiKey->type === $apiKeyType) return true;
+
        if (!$apiKey->isNull()){
            switch ($this->apiKeyPermissionType) {
                case 'TICKET_CREATE_PERMISSION':
                    return $apiKey->canCreateTickets;
                case 'USER_CREATE_PERMISSION': 
                    return $apiKey->canCreateUsers;
                case 'TICKET_CHECK_PERMISSION':
                    return $apiKey->canCheckTickets;
            }
        }
        $reCaptcha = new \ReCaptcha\ReCaptcha($reCaptchaPrivateKey);
        $reCaptchaValidation = $reCaptcha->verify($reCaptchaResponse, $_SERVER['REMOTE_ADDR']);
        return $reCaptchaValidation->isSuccess();
    }
 }
--- a/server/models/APIKey.php
+++ b/server/models/APIKey.php
@ -9,29 +9,32 @@
 class APIKey extends DataStore {
    const TABLE  = 'apikey';
-    const REGISTRATION = 'REGISTRATION';
+    const TICKET_CREATE_PERMISSION = 'TICKET_CREATE_PERMISSION';
-    const TICKET_CREATE = 'TICKET_CREATE';
+    const USER_CREATE_PERMISSION = 'USER_CREATE_PERMISSION';
-    const TYPES = [APIKey::REGISTRATION, APIKey::TICKET_CREATE];
+    const TICKET_CHECK_PERMISSION = 'TICKET_CHECK_PERMISSION';
    const TICKET_NUMBER_RETURN_PERMISSION = 'TICKET_NUMBER_RETURN_PERMISSION';
    const TYPES = [APIKey::TICKET_CREATE_PERMISSION,APIKey::USER_CREATE_PERMISSION,APIKey::TICKET_CHECK_PERMISSION,APIKey::TICKET_NUMBER_RETURN_PERMISSION];
    public static function getProps() {
        return [
            'name',
            'token',
-            'type'
+            'canCreateUsers',
            'canCreateTickets',
            'canCheckTickets',
            'shouldReturnTicketNumber'
        ];
    }
-
+    
    public function getDefaultProps() {
        return [
            'type' => APIKey::REGISTRATION
        ];
    }
    public function toArray() {
        return [
            'name' => $this->name,
            'token' => $this->token,
-            'type' => $this->type
+            'canCreateUser' => $this->canCreateUsers,
            'canCreateTickets' => $this->canCreateTickets,
            'canCheckTickets' => $this->canCheckTickets,
            'shouldReturnTicketNumber' => $this->shouldReturnTicketNumber
        ];
    }
 }
--- a/tests/init.rb
+++ b/tests/init.rb
@ -79,4 +79,5 @@ require './system/mandatory-login.rb'
 require './system/default-department.rb'
 require './user/edit-supervised-list.rb'
 require './user/get-supervised-tickets.rb'
 require './system/apikey-permissions.rb'
 # require './system/get-stats.rb'
--- a/tests/scripts.rb
+++ b/tests/scripts.rb
@ -84,7 +84,6 @@ class Scripts
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        result['data']
    end
    def self.closeTicket(ticketNumber)
@ -97,12 +96,15 @@ class Scripts
        result['data']
    end
-    def self.createAPIKey(name, type)
+    def self.createAPIKey(name, canCreateUsers=0, canCreateTickets=0, canCheckTickets=0,  shouldReturnTicketNumber=0)
        request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: name,
-            type: type
+            canCreateUsers: canCreateUsers,
            canCreateTickets: canCreateTickets,
            canCheckTickets: canCheckTickets,
            shouldReturnTicketNumber: shouldReturnTicketNumber
        })
    end
--- a/tests/system/add-api-key.rb
+++ b/tests/system/add-api-key.rb
@ -7,12 +7,12 @@ describe'system/add-api-key' do
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'new API',
-            type: 'REGISTRATION'
+            canCreateUser: 1
        })
        (result['status']).should.equal('success')
-        row = $database.getRow('apikey', 1, 'id')
+        row = $database.getRow('apikey', 2, 'id')
        (row['name']).should.equal('new API')
        (result['data']).should.equal(row['token'])
@ -23,22 +23,96 @@ describe'system/add-api-key' do
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'new API',
-            type: 'REGISTRATION'
+            canCreateUser: 1
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('NAME_ALREADY_USED')
    end
-    it 'should not add API key if invalid type is used' do
+    it 'should fail if API key size is wrong' do
        result= request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
-            name: 'new API2',
+            name: 'A',
            type: 'REGISTRATON'
        })
        (result['status']).should.equal('fail')
-        (result['message']).should.equal('INVALID_API_KEY_TYPE')
+        (result['message']).should.equal('INVALID_NAME')
        result= request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'APIKEYNAMEAPIKEYNAMEAPIKEYNAMEAPIKEYNAMEAPIKEYNAMEAPIKEYNAMEAPIKEYNAME',
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_NAME')
    end
    it 'should succes with the required permissions API key' do
        result= request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'APIkey ticketnumber return',
            shouldReturnTicketNumber: 'true'
        })
        (result['status']).should.equal('success')
        row = $database.getRow('apikey', 3, 'id')
        (row['can_create_users']).should.equal(0)
        (row['can_create_tickets']).should.equal(0)
        (row['should_return_ticket_number']).should.equal(1)
        (row['can_check_tickets']).should.equal(0)
        result= request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'APIkey check tickets',
            canCheckTickets: 'true'
        })
        (result['status']).should.equal('success')
        row = $database.getRow('apikey', 4, 'id')
        (row['can_create_users']).should.equal(0)
        (row['can_create_tickets']).should.equal(0)
        (row['should_return_ticket_number']).should.equal(0)
        (row['can_check_tickets']).should.equal(1)
        result= request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'APIkey user create',
            canCreateUsers: 'true'
        })
        (result['status']).should.equal('success')
        row = $database.getRow('apikey', 5, 'id')
        (row['can_create_users']).should.equal(1)
        (row['can_create_tickets']).should.equal(0)
        (row['should_return_ticket_number']).should.equal(0)
        (row['can_check_tickets']).should.equal(0)
        result= request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'APIkey  create tickets',
            canCreateTickets: 'true'
        })
        (result['status']).should.equal('success')
        row = $database.getRow('apikey', 6, 'id')
        (row['can_create_users']).should.equal(0)
        (row['can_create_tickets']).should.equal(1)
        (row['should_return_ticket_number']).should.equal(0)
        (row['can_check_tickets']).should.equal(0)
    end
 end
--- a/tests/system/apikey-permissions.rb
+++ b/tests/system/apikey-permissions.rb
@ -0,0 +1,197 @@
 describe '/system/apikey-permissions' do
    request('/user/logout')
    Scripts.login($staff[:email], $staff[:password], true)
    apikeycanCreateUsersToken = Scripts.createAPIKey('create users',canCreateUsers=1, canCreateTickets=0, canCheckTickets=0,  shouldReturnTicketNumber=0)['data']
    apikeycanCreateTickets = Scripts.createAPIKey('create tickets',canCreateUsers=0, canCreateTickets=1, canCheckTickets=0,  shouldReturnTicketNumber=0)['data']
    apikeycanCheckTickets = Scripts.createAPIKey('comment tickets',canCreateUsers=0, canCreateTickets=0, canCheckTickets=1,  shouldReturnTicketNumber=0)['data']
    apikeycanReturnTickets = Scripts.createAPIKey('create and return tickets',canCreateUsers=0, canCreateTickets=1, canCheckTickets=0,  shouldReturnTicketNumber=1)['data']
    result = request('/system/disable-mandatory-login', {
            "csrf_userid" => $csrf_userid,
            "csrf_token" => $csrf_token,
            "password" => "staff"
    })
    result = request('/system/edit-settings', {
        "csrf_userid" => $csrf_userid,
        "csrf_token" => $csrf_token,
        "recaptcha-private" => "THISISVALID"
    })
    request('/user/logout')
    it 'should fail ticket create if the apikey does not have create ticket permission' do
        result = request('/ticket/create', {
            language: 'en',
            email: 'valid@os4.com',
            name: 'validname',
            title: 'try of title Ticket',
            content: 'try of content Ticket',
            departmentId: 1,
            captcha: 'invalid captcha',
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
        result = request('/ticket/create', {
            language: 'en',
            email: 'valid@os4.com',
            name: 'validname',
            title: 'try of title Ticket',
            content: 'try of content Ticket',
            departmentId: 1,
            captcha: 'THISISVALID',
            apiKey: apikeycanCheckTickets,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
    end
    it 'should create ticket if the apikey has the correct permission' do
        result = request('/ticket/create', {
            language: 'en',
            email: 'valid@os4.com',
            title: 'ticket created with apikeycanCreateTickets',
            name: 'validname',
            content: 'content of Ticket apikeycanCreateTickets',
            departmentId: 1,
            captcha: 'INVALID',
            apiKey: apikeycanCreateTickets,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        (result['status']).should.equal('success')
        (result['data']).should.equal(nil)
        result = request('/ticket/create', {
            language: 'en',
            email: 'valid@os4.com',
            title: 'ticket created with apikeycanReturnTickets',
            name: 'validname',
            content: 'content of Ticket apikeycanReturnTickets',
            departmentId: 1,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            captcha: 'INVALID',
            apiKey: apikeycanReturnTickets   
        })
        ticket = $database.getRow('ticket','ticket created with apikeycanReturnTickets','title')
        (result['status']).should.equal('success')
        (result['data']['ticketNumber']).should.equal(ticket['ticket_number'])
    end
    it 'should fail comment ticket if the apikey permission is wrong' do      
        ticket = $database.getRow('ticket','ticket created with apikeycanReturnTickets','title')
        author = $database.getRow('user',ticket['author_id'],'id')
        result = request('/ticket/check', {
            email: author['email'],
            content: 'some comment content',
            ticketNumber: ticket['ticket_number'],
            captcha: 'INVALID',
            apiKey: apikeycanReturnTickets
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
        result = request('/ticket/check', {
            email: author['email'],
            content: 'some comment content',
            ticketNumber: ticket['ticket_number'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            captcha: 'INVALID',
            apiKey: apikeycanCreateUsersToken
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
        result = request('/ticket/check', {
            email: author['email'],
            content: 'some comment content',
            ticketNumber: ticket['ticket_number'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            captcha: 'INVALID',
            apiKey: apikeycanCreateTickets
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
    end
    it 'should success comment ticket if the apikey permission is correct' do
        ticket = $database.getRow('ticket','ticket created with apikeycanReturnTickets','title')
        author = $database.getRow('user',ticket['author_id'],'id')
        result = request('/ticket/check', {
            email: author['email'],
            content: 'some comment content',
            ticketNumber: ticket['ticket_number'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            captcha: 'INVALID',
            apiKey: apikeycanCheckTickets
        })
        (result['status']).should.equal('success')
    end
    it 'should fail signing up user if the apikey permission is wrong' do
        request('/user/logout')            
        result = request('/user/signup', {
            name: 'Petyr Baelish',
            email: 'littlefinger@got.com',
            password: 'Catelyn<3',
            captcha: 'INVALID',
            apiKey: apikeycanCreateTickets
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
        result = request('/user/signup', {
            name: 'Petyr Baelish',
            email: 'littlefinger@got.com',
            password: 'Catelyn<3',
            captcha: 'INVALID',
            apiKey: apikeycanCheckTickets
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
        result = request('/user/signup', {
            name: 'Petyr Baelish',
            email: 'littlefinger@got.com',
            password: 'Catelyn<3',
            captcha: 'INVALID',
            apiKey: apikeycanReturnTickets
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_CAPTCHA')
    end
    it 'should success signing up user if the apikey permission is correct' do
        result = request('/user/signup', {
            name: 'Petyr Baelish',
            email: 'littlefinger@got.com',
            password: 'Catelyn<3',
            captcha: 'INVALID',
            apiKey: apikeycanCreateUsersToken
        })
        (result['status']).should.equal('success')
    end
 end
--- a/tests/system/delete-api-key.rb
+++ b/tests/system/delete-api-key.rb
@ -22,7 +22,7 @@ describe'system/delete-api-key' do
            (result['status']).should.equal('success')
-            row = $database.getRow('apikey', 1, 'id')
+            row = $database.getRow('apikey', 2, 'id')
            (row).should.equal(nil)
        end
--- a/tests/system/delete-department.rb
+++ b/tests/system/delete-department.rb
@ -2,14 +2,16 @@ describe 'system/delete-department' do
        request('/user/logout')
        Scripts.createUser('tranferguy@opensupports.com', 'transfer', 'Transfer Guy')
        Scripts.login('tranferguy@opensupports.com', 'transfer')
-
+        $apikey = $database.getRow('apikey',1,'id')
        ticket1 = request('/ticket/create',{
            title: 'Transferible ticket 1',
            content: 'The north remembers',
            departmentId: 4,
            language: 'en',
            csrf_userid: $csrf_userid,
-            csrf_token: $csrf_token
+            csrf_token: $csrf_token,
            apiKey: $apikey['token']
        })
        ticket2 =request('/ticket/create',{
            title: 'Transferible ticket 2',
@ -17,7 +19,8 @@ describe 'system/delete-department' do
            departmentId: 4,
            language: 'en',
            csrf_userid: $csrf_userid,
-            csrf_token: $csrf_token
+            csrf_token: $csrf_token,
            apiKey: $apikey['token']
        })
        ticket3 = request('/ticket/create',{
            title: 'Transferible ticket 3',
@ -25,7 +28,8 @@ describe 'system/delete-department' do
            departmentId: 4,
            language: 'en',
            csrf_userid: $csrf_userid,
-            csrf_token: $csrf_token
+            csrf_token: $csrf_token,
            apiKey: $apikey['token']
        })
        ticket1 = ticket1['data']['ticketNumber']
        ticket2 = ticket2['data']['ticketNumber']
--- a/tests/system/disable-registration.rb
+++ b/tests/system/disable-registration.rb
@ -1,7 +1,7 @@
 describe'/system/disable-registration' do
    request('/user/logout')
    Scripts.login($staff[:email], $staff[:password], true)
-    api_key = Scripts.createAPIKey('registrationKey', 'REGISTRATION')['data']
+    api_key = Scripts.createAPIKey('registrationKey', canCreateUsers = 1)['data']
    it 'should not disable registration if password is not correct' do
        result= request('/system/disable-registration', {
--- a/tests/system/get-api-keys.rb
+++ b/tests/system/get-api-keys.rb
@ -3,11 +3,6 @@ describe'system/get-api-keys' do
    Scripts.login($staff[:email], $staff[:password], true)
    it 'should get all API keys' do
        Scripts.createAPIKey('namekey1', 'REGISTRATION')
        Scripts.createAPIKey('namekey2', 'REGISTRATION')
        Scripts.createAPIKey('namekey3', 'REGISTRATION')
        Scripts.createAPIKey('namekey4', 'REGISTRATION')
        Scripts.createAPIKey('namekey5', 'REGISTRATION')
        result = request('/system/get-api-keys', {
            csrf_userid: $csrf_userid,
@ -15,11 +10,11 @@ describe'system/get-api-keys' do
        })
        (result['status']).should.equal('success')
-        (result['data'][0]['name']).should.equal('namekey1')
+        (result['data'][0]['name']).should.equal('APIkeyToTicketget')
-        (result['data'][1]['name']).should.equal('namekey2')
+        (result['data'][1]['name']).should.equal('APIkey ticketnumber return')
-        (result['data'][2]['name']).should.equal('namekey3')
+        (result['data'][2]['name']).should.equal('APIkey check tickets')
-        (result['data'][3]['name']).should.equal('namekey4')
+        (result['data'][3]['name']).should.equal('APIkey user create')
-        (result['data'][4]['name']).should.equal('namekey5')
+        (result['data'][4]['name']).should.equal('APIkey  create tickets')
-
+        
    end
 end
--- a/tests/system/mandatory-login.rb
+++ b/tests/system/mandatory-login.rb
@ -111,7 +111,6 @@ describe'system/mandatory-login' do
            $userRow = $database.getRow('user','nonuser@os4.com','email')
            (result['status']).should.equal('success')
            (result['data']['ticketNumber']).should.equal($ticketRow['ticket_number'].to_i)
            ($userRow['email']).should.equal('nonuser@os4.com')
            ($userRow['not_registered']).should.equal(1)
            ($userRow['tickets']).should.equal(1)
@ -131,7 +130,6 @@ describe'system/mandatory-login' do
            $userRow = $database.getRow('user','nonuser@os4.com','email')
            (result['status']).should.equal('success')
            (result['data']['ticketNumber']).should.equal($ticketRow['ticket_number'].to_i)
            ($userRow['email']).should.equal('nonuser@os4.com')
            ($userRow['tickets']).should.equal(2)
--- a/tests/ticket/add-tag.rb
+++ b/tests/ticket/add-tag.rb
@ -3,9 +3,9 @@ describe '/ticket/add-tag' do
    Scripts.login($staff[:email], $staff[:password], true)
    Scripts.createTag('test tag', 'orange')
-    result = Scripts.createTicket('test ticket')
+    Scripts.createTicket('test ticket')
-
+    ticket = $database.getRow('ticket', 'test ticket', 'title')
-    @ticketNumber = result['ticketNumber']
+    @ticketNumber = ticket['ticket_number']
    it 'should fail if the tagId is invalid' do
        result = request('/ticket/add-tag', {
--- a/tests/ticket/comment.rb
+++ b/tests/ticket/comment.rb
@ -2,9 +2,9 @@ describe '/ticket/comment/' do
    Scripts.createUser('commenter@os4.com', 'commenter', 'Commenter')
    Scripts.login('commenter@os4.com', 'commenter')
-    result = Scripts.createTicket
+    Scripts.createTicket('Winter came and it was a disappointment','The fandom remembers')
-
+    ticket = $database.getRow('ticket', 'Winter came and it was a disappointment' , 'title')
-    @ticketNumber = result['ticketNumber']
+    @ticketNumber = ticket['ticket_number']
    it 'should fail if invalid token is passed' do
        result = request('/ticket/comment', {
--- a/tests/ticket/create.rb
+++ b/tests/ticket/create.rb
@ -181,18 +181,19 @@ describe '/ticket/create' do
        Scripts.login($staff[:email], $staff[:password], true)
        result = request('/ticket/create', {
            title: 'created by staff',
-            content: 'The staff created it',
+            content: 'The staff created it believing this path returns the ticketnumber',
            departmentId: 1,
            language: 'en',
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        (result['status']).should.equal('success')
-        ticket = $database.getRow('ticket', result['data']['ticketNumber'], 'ticket_number')
+        
        ticket = $database.getRow('ticket', 'The staff created it believing this path returns the ticketnumber', 'content')
        (ticket['author_id']).should.equal(nil)
        (ticket['author_staff_id']).should.equal(1)
-        $ticketNumberByStaff = result['data']['ticketNumber']
+        $ticketNumberByStaff = ticket['ticket_number']
        request('/user/logout')
    end
 end
--- a/tests/ticket/events.rb
+++ b/tests/ticket/events.rb
@ -12,7 +12,9 @@ describe 'Ticket Events' do
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
-        ticketNumber = response['data']['ticketNumber']
+        ticket = $database.getRow('ticket', 'Ticket with many events','title')
        ticketNumber = ticket['ticket_number']
        request('/user/logout')
        Scripts.login($staff[:email], $staff[:password], true)
--- a/tests/ticket/get.rb
+++ b/tests/ticket/get.rb
@ -1,5 +1,19 @@
 describe '/ticket/get/' do
    request('/user/logout')
    Scripts.login($staff[:email], $staff[:password], true)    
    result= request('/system/add-api-key', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'APIkeyToTicketget',
            shouldReturnTicketNumber: 'true',
            canCreateTickets: 1
    })
    (result['status']).should.equal('success')
    $token = result['data'];
    request('/user/logout')
    Scripts.createUser('cersei@os4.com', 'cersei','Cersei Lannister')
    Scripts.createUser('not_ticket_getter@os4.com', 'not_ticket_getter','No Author')
@ -13,10 +27,11 @@ describe '/ticket/get/' do
            departmentId: 1,
            language: 'en',
            csrf_userid: $csrf_userid,
-            csrf_token: $csrf_token
+            csrf_token: $csrf_token,
            apiKey: $token
        })
        @ticketNumber = result['data']['ticketNumber']
-
+        
        request('/ticket/comment', {
            ticketNumber: @ticketNumber,
            content: 'some valid comment made',
--- a/tests/ticket/search.rb
+++ b/tests/ticket/search.rb
@ -2,14 +2,14 @@ describe '/ticket/search' do
    request('/user/logout')
    Scripts.login($staff[:email], $staff[:password], true)
-    result = Scripts.createTicket('test ticket1')
+    Scripts.createTicket('test ticket1')
-    @ticketNumber1 = result['ticketNumber']
+    @ticketNumber1 = $database.getRow('ticket', 'test ticket1', 'title')['ticket_number']
-    result = Scripts.createTicket('test ticket2')
+    Scripts.createTicket('test ticket2')
-    @ticketNumber2 = result['ticketNumber']
+    @ticketNumber2 = $database.getRow('ticket', 'test ticket2', 'title')['ticket_number']
-    result = Scripts.createTicket('test ticket3')
+    Scripts.createTicket('test ticket3')
-    @ticketNumber3 = result['ticketNumber']
+    @ticketNumber3 = $database.getRow('ticket', 'test ticket3', 'title')['ticket_number']
    $pages = 1..10
--- a/tests/user/get.rb
+++ b/tests/user/get.rb
@ -5,14 +5,16 @@ describe '/user/get' do
    Scripts.login('user_get@os4.com', 'user_get')
    result = request('/ticket/create', {
        title: 'Should we pay?',
-        content: 'A Lannister always pays his debts.',
+        content: 'A Lannister always pays his debtssss.',
        departmentId: 1,
        language: 'en',
        csrf_userid: $csrf_userid,
        csrf_token: $csrf_token
    })
-    @ticketNumber = result['data']['ticketNumber']
+    ticket = $database.getRow('ticket', 'A Lannister always pays his debtssss.' , 'content')
    @ticketNumber = ticket['ticket_number']
    it 'should fail if not logged' do
        request('/user/logout')