diff --git a/server/controllers/ticket/edit-comment.php b/server/controllers/ticket/edit-comment.php
index 830ce731..3c11b18b 100644
--- a/server/controllers/ticket/edit-comment.php
+++ b/server/controllers/ticket/edit-comment.php
@@ -60,14 +60,19 @@ class EditCommentController extends Controller {
 $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
 }
- $ticketEventArray = $ticketEvent->toArray();
-
- if(!Controller::isStaffLogged() && $user->id !== $ticketEventArray["author"]["id"] && $user->id !== $ticket->authorId) {
- throw new RequestException(ERRORS::NO_PERMISSION);
- }
-
 if (!$ticketEvent->isNull()) {
- if($user->id !== $ticketEventArray["author"]["id"]) {
+ $ticketEventArray = $ticketEvent->toArray();
+ $userArray = $user->toArray();
+
+ if($user->id !== $ticketEventArray["author"]["id"] && $user->id !== $ticket->authorId) {
+ throw new RequestException(ERRORS::NO_PERMISSION);
+ }
+
+ if((!!$userArray["isStaff"] === !!$ticketEventArray["author"]["staff"]) && ($user->id !== $ticketEventArray["author"]["id"])) {
+ throw new RequestException(ERRORS::NO_PERMISSION);
+ }
+
+ if (!!$userArray["isStaff"] !== !!$ticketEventArray["author"]["staff"]) {
 throw new RequestException(ERRORS::NO_PERMISSION);
 }
 } else if ($user->id !== $ticket->authorId) {
diff --git a/server/controllers/user/get-supervised-tickets.php b/server/controllers/user/get-supervised-tickets.php
index 17ff6690..c5ddedd3 100644
--- a/server/controllers/user/get-supervised-tickets.php
+++ b/server/controllers/user/get-supervised-tickets.php
@@ -1,6 +1,6 @@
 [
 'validation' => DataValidator::oneOf(DataValidator::intVal()->between(5, 50),DataValidator::nullType()),
- 'error' => ERRORS::PAGESIZE_ERROR
+ 'error' => ERRORS::INVALID_PAGE_SIZE
 ]
 ]
 ];
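Review bot: The three guards added inside `if (!$ticketEvent->isNull())` are one rule written three times — the second throws when caller and author are the same kind (staff/user) but different ids, the third throws when the kinds differ, so together they admit only `same id && same isStaff`, and the first guard (`... && $user->id !== $ticket->authorId`) can never fire on its own. Collapsing them into a single `if` states that rule directly — only the comment's own author may edit it, with the id compared inside the author's id space — and drops the `!!` double negation, which is JavaScript's idiom rather than PHP's (`(bool)`). Fetching the flag through `$user->toArray()` also serialises the whole user — for a Staff that includes the department and ticket lists built in `Staff::toArray()` in this same commit — just to read one bit; `$user instanceof Staff` gives the same answer without depending on the `isStaff` key being present. Keeping the kind comparison is the right part of the change: user ids and staff ids are separate sequences, so a bare id match is not authorship. The handler's body continues outside the hunk.
```php
        if (!$ticketEvent->isNull()) {
            $author = $ticketEvent->toArray()["author"];

            // Only the comment's own author may edit it. User ids and staff ids are
            // independent sequences, so an id is only meaningful together with the
            // principal kind; both must match.
            if ($user->id !== $author["id"] || ($user instanceof Staff) !== (bool) $author["staff"]) {
                throw new RequestException(ERRORS::NO_PERMISSION);
            }
        } else if ($user->id !== $ticket->authorId) {
            // … unchanged: non-comment edit path …
```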
@@ -55,6 +55,7 @@ class GetSupervisedTicketController extends Controller {
 private $page;
 private $showOwnTickets;
 private $supervisedUserList;
+ private $pageSize;
 public function handler() {
 if(Controller::isStaffLogged()) throw new RequestException(ERRORS::NO_PERMISSION);
@@ -79,7 +80,7 @@ class GetSupervisedTicketController extends Controller {
 case 'supervisor':
 return 1;
 case 'pageSize':
- return $this->pageSize;
+ return $this->pageSize*1;
 }
 return null;
diff --git a/server/models/Staff.php b/server/models/Staff.php
index a7870204..c22d3d7a 100755
--- a/server/models/Staff.php
+++ b/server/models/Staff.php
@@ -73,7 +73,8 @@ class Staff extends DataStore {
 'departments' => $this->sharedDepartmentList->toArray(),
 'tickets' => $this->sharedTicketList->toArray(),
 'lastLogin' => $this->lastLogin,
- 'sendEmailOnNewTicket' => $this->sendEmailOnNewTicket
+ 'sendEmailOnNewTicket' => $this->sendEmailOnNewTicket,
+ 'isStaff' => 1
 ];
 }
 }
diff --git a/server/models/User.php b/server/models/User.php
index 613927b1..3d1efc12 100755
--- a/server/models/User.php
+++ b/server/models/User.php
@@ -80,7 +80,8 @@ class User extends DataStore {
 'disabled' => $this->disabled,
 'customfields' => $this->xownCustomfieldvalueList->toArray(),
 'notRegistered' => $this->notRegistered,
- 'supervisedrelation' => $this->supervisedrelation
+ 'supervisedrelation' => $this->supervisedrelation,
+ 'isStaff' => 0
 ];
 }
 }
diff --git a/tests/ticket/edit-comment.rb b/tests/ticket/edit-comment.rb
index 4249ec47..1637fbee 100644
--- a/tests/ticket/edit-comment.rb
+++ b/tests/ticket/edit-comment.rb
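Review bot: `return $this->pageSize*1;` turns the request value into a number by implicit arithmetic coercion; `return (int) $this->pageSize;` makes the intent explicit and is what a reader looks for. Because the validation hunk at the top of this file accepts `DataValidator::nullType()` for pageSize, an omitted value reaches this line as null and `null*1` evaluates to 0 — confirm that whatever consumes this value treats 0 as "use the default page size" rather than as an empty page; if it does not, apply the default here, e.g. `return (int) ($this->pageSize ?? <DEFAULT_PAGE_SIZE>);` with the project's real default in place of the placeholder. The `switch` this `case` belongs to starts and ends outside the hunk.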
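Review bot: `'isStaff' => 1` here, and `'isStaff' => 0` in the User.php hunk below, store a boolean as an integer literal, while the ticket-event author array that edit-comment.php compares against in this same commit spells the same fact `staff`; consumers now need two key names and two value types for one flag. `'isStaff' => true,` and `'isStaff' => false,` keep the serialised value a real boolean, make the controller's `!!` coercion unnecessary, and the trailing comma means the next addition does not have to touch this line again. Since these arrays are presumably what the API hands to clients, the new key also becomes part of the public response shape. Both `toArray()` methods begin outside their hunks.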
@@ -96,11 +96,39 @@ describe '/ticket/edit-comment' do
 ticketevent = tickets_comments.to_a.last
 (result['status']).should.equal('success')
+
+ Scripts.logout()
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ Scripts.commentTicket(ticket['ticket_number'],'com ment of a staff xd')
+ ticketevent = $database.getRow('ticketevent', 'com ment of a staff xd', 'content')
+
+ tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id']))
+ tickets_comments.size.should.equal(4)
+ tickets_comments.to_a.last['content'].should.equal('com ment of a staff xd')
+
+ result = request('/ticket/edit-comment', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ content: 'comment edited by the staff xd',
+ ticketEventId: ticketevent['id']
+ })
+
+ tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id']))
+ tickets_comments.size.should.equal(4)
+ tickets_comments.to_a.last['content'].should.equal('comment edited by the staff xd')
+
+ ticketevent = tickets_comments.to_a.last
+
+ (result['status']).should.equal('success')
+
+ Scripts.logout()
+ Scripts.login()
 end
 it 'should fail if author is right but ticket has other commets below' do
 tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id']))
- tickets_comments.size.should.equal(3)
+ tickets_comments.size.should.equal(4)
 result = request('/ticket/edit-comment', {
 csrf_userid: $csrf_userid,
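Review bot: The new block covers only the positive path — the staff session comments and then edits its own comment — so the rule this commit adds to edit-comment.php (caller id and staff/user kind must both match the comment's author) has no failing case in the suite. Two negative requests would pin it down: from the staff session against the user's earlier comment, and from the user session (after `Scripts.login()`) against the staff comment created here, each expecting `(result['status']).should.equal('fail')` with the `NO_PERMISSION` error; the id-collision case — a user and a staff member sharing the same numeric id — is exactly what the kind comparison exists for and deserves a fixture of its own. `ticketevent = tickets_comments.to_a.last` after the edit appears unused before `Scripts.logout()` and reads like a leftover from the copied block above. The `it` block starts outside the hunk.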
@@ -113,13 +141,18 @@ describe '/ticket/edit-comment' do
 (result['message']).should.equal('TICKET_CONTENT_CANNOT_BE_EDITED')
 tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id']))
- tickets_comments.size.should.equal(3)
- ticket_comment3 = tickets_comments.to_a.last
+ tickets_comments.size.should.equal(4)
 Scripts.commentTicket(ticket['ticket_number'],'com ment of a user 4')
 tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id']))
- tickets_comments.size.should.equal(4)
+ tickets_comments.size.should.equal(5)
+ ticket_comment3 = tickets_comments.to_a.last
+
+ Scripts.commentTicket(ticket['ticket_number'],'com ment of a user 5')
+
+ tickets_comments = $database.query(getTicketEventsCommentsQuery(ticket['id']))
+ tickets_comments.size.should.equal(6)
 result = request('/ticket/edit-comment', {
 csrf_userid: $csrf_userid,
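Review bot: `ticket_comment3 = tickets_comments.to_a.last` now executes after the fifth event ('com ment of a user 4') is inserted, so the name no longer describes what it holds, and the assertion that presumably uses it later (outside the hunk) is harder to read for it. Naming it for its role in the test rather than its position, e.g. `comment_with_others_below = tickets_comments.to_a.last`, survives the next time the fixture grows. The remaining edits are count bookkeeping that follow from the staff comment added in the previous test. The `it` block starts and ends outside the hunk.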