Merge pull request #4 from ivandiazwm/guillermo-master

Fix delete

build.sh

@@ -4,8 +4,10 @@ gulp prod --api
 rm build/index.html
 echo "2/3 Creating api folder..."
 cd ../server
-rm -rf files
-mkdir files
+mkdir files2
+mv files/.htaccess files2
+rm -rf files/
+mv files2 files
 cd ..
 mkdir api
 cp server/index.php api
@@ -17,8 +19,7 @@ cp -R server/data api
 cp -R server/libs api
 cp -R server/models api
 cp -R server/vendor api
-mkdir api/files
-touch api/files/.keep
+cp -R server/files api
 echo -n > api/config.php
 chmod -R 755 .
 echo "3/3 Generating zip..."

client/src/app/main/main-recover-password/main-recover-password-page.js

@@ -75,7 +75,7 @@ class MainRecoverPasswordPage extends React.Component {
     }
 
     onPasswordRecovered(response) {
-        setTimeout(() => {history.push(response.data.staff ? '/admin' : '/')}, 2000);
+        setTimeout(() => {history.push((response.data.staff*1) ? '/admin' : '/')}, 2000);
         this.setState({
             recoverStatus: 'valid',
             loading: false

server/controllers/system/edit-mail-template.php

@@ -24,7 +24,7 @@ use Respect\Validation\Validator as DataValidator;
  * @apiUse INVALID_SUBJECT
  * @apiUse INVALID_BODY
  *
- * @apiSuccess {Object} data Empty object 
+ * @apiSuccess {Object} data Empty object
  *
  */
 
@@ -60,18 +60,16 @@ class EditMailTemplateController extends Controller {
         $language = Controller::request('language');
         $templateType = Controller::request('templateType');
         $subject = Controller::request('subject', true);
-        $body = Controller::request('body', true);
+        $body = Controller::request('body');
 
         $mailTemplate = MailTemplate::findOne(' language = ? AND type = ?', [$language, $templateType]);
         if($mailTemplate->isNull()) {
-            Response::respondError(ERRORS::INVALID_TEMPLATE);
-            return;
+            throw new Exception(ERRORS::INVALID_TEMPLATE);
         }
         $mailTemplate->subject = $subject;
         $mailTemplate->body = $body;
         $mailTemplate->store();
 
         Response::respondSuccess();
-
     }
-}
+}

server/controllers/ticket/delete.php

@@ -42,14 +42,20 @@ class DeleteController extends Controller {
     public function handler() {
         $user = Controller::getLoggedUser();
         $ticket = Ticket::getByTicketNumber(Controller::request('ticketNumber'));
+        $ticketAuthor = $ticket->authorToArray();
 
-        if(Controller::isStaffLogged() && ($user->level < 3  || $ticket->owner)) {
+        if($ticket->owner) {
             throw new Exception(ERRORS::NO_PERMISSION);
         }
-        if(!Controller::isStaffLogged() && (($user->email !== $ticket->author->email) || $ticket->owner) ) {
+
+        if(Controller::isStaffLogged() && $user->level < 3) {
             throw new Exception(ERRORS::NO_PERMISSION);
         }
-        
+
+        if(!Controller::isStaffLogged() && ($user->email !== $ticketAuthor['email'] || $ticketAuthor['staff'])) {
+            throw new Exception(ERRORS::NO_PERMISSION);
+        }
+
         $ticket->delete();
 
         Response::respondSuccess();

tests/scripts.rb

@@ -35,10 +35,11 @@ class Scripts
             raise response['message']
         end
     end
-    def self.deleteStaff(staffid)
-
+    def self.deleteStaff(staffId)
         response = request('/staff/delete', {
-            :staffId => staffid
+            staffId: staffId,
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
         })
 
         if response['status'] === 'fail'

tests/staff/assign-ticket.rb

@@ -31,10 +31,12 @@ describe '/staff/assign-ticket' do
         (staff_ticket['ticket_id']).should.equal('1')
     end
     it 'should assign ticket if a staff choose another to assing a ticket ' do
+        staffId = $database.getRow('staff','ayra2@opensupports.com','email')['id']
+
         ticket = $database.getRow('ticket', 3 , 'id')
         result = request('/staff/assign-ticket', {
             ticketNumber: ticket['ticket_number'],
-            staffId:4,
+            staffId: staffId,
             csrf_userid: $csrf_userid,
             csrf_token: $csrf_token
         })
@@ -42,10 +44,9 @@ describe '/staff/assign-ticket' do
 
         ticket = $database.getRow('ticket', 3 , 'id')
 
-        (ticket['owner_id']).should.equal('4')
+        (ticket['owner_id']).should.equal(staffId)
 
         (ticket['unread']).should.equal('1')
-
     end
 
     it 'should fail if ticket is already owned' do

tests/staff/delete.rb

@@ -1,28 +1,30 @@
 describe'/staff/delete' do
     request('/user/logout')
     Scripts.login($staff[:email], $staff[:password], true)
+    @staffId = $database.getRow('staff','littlelannister@opensupports.com','email')['id']
 
     it 'should delete staff member' do
         result= request('/staff/delete', {
             csrf_userid: $csrf_userid,
             csrf_token: $csrf_token,
-            staffId: 3
+            staffId: @staffId
         })
 
         (result['status']).should.equal('success')
 
-        row = $database.getRow('staff', 3, 'id')
+        row = $database.getRow('staff', @staffId, 'id')
         (row).should.equal(nil)
 
         row = $database.getRow('department', 1, 'id')
         (row['owners']).should.equal('3')
 
     end
+
     it 'should fail delete if staff member is does not exist' do
-        result= request('/staff/delete', {
+        result = request('/staff/delete', {
             csrf_userid: $csrf_userid,
             csrf_token: $csrf_token,
-            staffId: 3
+            staffId: @staffId
         })
 
         (result['status']).should.equal('fail')
@@ -31,4 +33,4 @@ describe'/staff/delete' do
         row = $database.getRow('department', 1, 'id')
         (row['owners']).should.equal('3')
     end
-end
+end

tests/staff/edit.rb

@@ -3,23 +3,24 @@ describe'/staff/edit' do
     Scripts.login($staff[:email], $staff[:password], true)
 
     it 'should edit another staff member' do
+        staffId = $database.getRow('staff','tyrion@opensupports.com','email')['id']
         result= request('/staff/edit', {
             csrf_userid: $csrf_userid,
             csrf_token: $csrf_token,
             email: 'LittleLannister@opensupports.com',
             level: 1,
             departments: '[1, 2]',
-            staffId: 3
+            staffId: staffId
         })
 
         (result['status']).should.equal('success')
 
-        row = $database.getRow('staff', 3, 'id')
+        row = $database.getRow('staff', staffId, 'id')
 
         (row['email']).should.equal('littlelannister@opensupports.com')
         (row['level']).should.equal('1')
 
-        rows = $database.getRow('department_staff', 3, 'staff_id')
+        rows = $database.getRow('department_staff', staffId, 'staff_id')
 
         (rows['department_id']).should.equal('1')
 
@@ -28,7 +29,6 @@ describe'/staff/edit' do
 
         row = $database.getRow('department', 2, 'id')
         (row['owners']).should.equal('2')
-
     end
 
     it 'should edit staff member ' do
@@ -43,7 +43,7 @@ describe'/staff/edit' do
             departments: '[1]'
         })
 
-        row = $database.getRow('staff', 'Arya Stark', 'name')
+        row = $database.getRow('staff', 'arya@opensupports.com', 'email')
 
         result = request('/staff/edit', {
             csrf_userid: $csrf_userid,

tests/staff/get-new-tickets.rb

@@ -3,14 +3,12 @@ describe '/staff/get-new-tickets' do
     Scripts.login($staff[:email], $staff[:password], true)
 
     it 'should get news tickets' do
-
         result = request('/staff/get-new-tickets', {
             csrf_userid: $csrf_userid,
             csrf_token: $csrf_token
         })
 
         (result['status']).should.equal('success')
-        (result['data'].size).should.equal(11)
-
+        (result['data'].size).should.equal(9)
     end
 end

tests/staff/get.rb

@@ -16,10 +16,11 @@ describe '/staff/get/' do
         (result['data']['sendEmailOnNewTicket']).should.equal('1')
     end
     it 'should return staff member data with staff Id' do
+        staff = $database.getRow('staff','tyrion@opensupports.com','email')
         result = request('/staff/get', {
             csrf_userid: $csrf_userid,
             csrf_token: $csrf_token,
-            staffId: 3
+            staffId: staff['id']
         })
 
         (result['status']).should.equal('success')
@@ -29,4 +30,4 @@ describe '/staff/get/' do
         (result['data']['level']).should.equal('2')
         (result['data']['sendEmailOnNewTicket']).should.equal('0')
     end
-end
+end

tests/system/disable-user-system.rb

@@ -19,7 +19,7 @@ describe'system/disable-user-system' do
 
             numberOftickets= $database.query("SELECT * FROM ticket WHERE author_id IS NULL AND author_email IS NOT NULL AND author_name IS NOT NULL")
 
-            (numberOftickets.num_rows).should.equal(41)
+            (numberOftickets.num_rows).should.equal(40)
 
             request('/user/logout')
 
@@ -127,7 +127,7 @@ describe'system/disable-user-system' do
 
             numberOftickets= $database.query("SELECT * FROM ticket WHERE author_email IS NULL AND author_name IS NULL AND author_id IS NOT NULL"  )
 
-            (numberOftickets.num_rows).should.equal(42)
+            (numberOftickets.num_rows).should.equal(41)
 
         end
 

tests/ticket/delete.rb

@@ -1,52 +1,46 @@
 describe '/ticket/delete' do
-    request('/user/logout')
-    Scripts.login($staff[:email], $staff[:password], true)
-    Scripts.createTicket('tickettodelete')
-    Scripts.createTicket('tickettodelete4')
 
-    # it 'should delete ticket if it is not assigned and  is logged a staff lvl 3 ' do
-    #
-    #
-    #     ticket = $database.getRow('ticket', 'tickettodelete', 'title')
-    #
-    #     request('/staff/add', {
-    #         csrf_userid: $csrf_userid,
-    #         csrf_token: $csrf_token,
-    #         name: 'Ned Stark',
-    #         password: 'headless',
-    #         email: 'ned@opensupports.com',
-    #         level: 3,
-    #         profilePic: '',
-    #         departments: '[1]'
-    #     })
-    #
-    #     request('/user/logout')
-    #
-    #     Scripts.login('ned@opensupports.com', 'headless', true)
-    #
-    #     result = request('/ticket/delete', {
-    #         ticketNumber: ticket['ticket_number'],
-    #         csrf_userid: $csrf_userid,
-    #         csrf_token: $csrf_token
-    #     })
-    #
-    #     (result['status']).should.equal('success')
-    # end
+    it 'should delete ticket if it is not assigned and is logged a staff lvl 3 ' do
+        request('/user/logout')
+        Scripts.login($staff[:email], $staff[:password], true)
+        Scripts.createTicket('ticket_to_delete')
+        ticket = $database.getRow('ticket', 'ticket_to_delete', 'title')
+
+        request('/staff/add', {
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token,
+            name: 'Ned Stark',
+            password: 'headless',
+            email: 'ned@opensupports.com',
+            level: 3,
+            profilePic: '',
+            departments: '[1]'
+        })
+
+        request('/user/logout')
+        Scripts.login('ned@opensupports.com', 'headless', true)
+
+        result = request('/ticket/delete', {
+            ticketNumber: ticket['ticket_number'],
+            csrf_userid: $csrf_userid,
+            csrf_token: $csrf_token
+        })
+
+        (result['status']).should.equal('success')
+    end
 
     it 'should delete ticket if it is yours and it is not assigned' do
       request('/user/logout')
       Scripts.createUser('deleter@opensupports.com', 'deleterpassword', 'Delter')
       Scripts.login('deleter@opensupports.com', 'deleterpassword')
 
-      Scripts.createTicket('tickettodelete2')
-      ticket = $database.getRow('ticket', 'tickettodelete2', 'title');
-
+      Scripts.createTicket('ticket_to_delete_2')
+      ticket = $database.getRow('ticket', 'ticket_to_delete_2', 'title');
       result = request('/ticket/delete', {
           ticketNumber: ticket['ticket_number'],
           csrf_userid: $csrf_userid,
           csrf_token: $csrf_token
       })
-      puts result
       (result['status']).should.equal('success')
     end
 
@@ -54,8 +48,8 @@ describe '/ticket/delete' do
       request('/user/logout')
       Scripts.login('deleter@opensupports.com', 'deleterpassword')
 
-      Scripts.createTicket('tickettodelete3')
-      ticket = $database.getRow('ticket', 'tickettodelete3', 'title');
+      Scripts.createTicket('ticket_to_delete_3')
+      ticket = $database.getRow('ticket', 'ticket_to_delete_3', 'title');
 
       request('/user/logout')
       Scripts.login($staff[:email], $staff[:password], true)
@@ -76,14 +70,15 @@ describe '/ticket/delete' do
       })
 
       (result['status']).should.equal('fail')
+      (result['message']).should.equal('NO_PERMISSION')
     end
 
     it 'should not delete ticket if the staff logged is not lvl 3' do
          request('/user/logout')
-
          Scripts.login($staff[:email], $staff[:password], true)
+         Scripts.createTicket('ticket_to_delete_4')
 
-         ticket = $database.getRow('ticket', 'tickettodelete4', 'title');
+         ticket = $database.getRow('ticket', 'ticket_to_delete_4', 'title');
 
          request('/staff/add', {
              csrf_userid: $csrf_userid,
@@ -106,15 +101,14 @@ describe '/ticket/delete' do
          })
 
          (result['status']).should.equal('fail')
+         (result['message']).should.equal('NO_PERMISSION')
 
+         request('/user/logout')
+         Scripts.login($staff[:email], $staff[:password], true)
+         staff = $database.getRow('staff', 'ned@opensupports.com', 'email')
+         Scripts.deleteStaff(staff['id'])
+
+         staff = $database.getRow('staff', 'uselessstaff@opensupports.com', 'email')
+         Scripts.deleteStaff(staff['id'])
     end
-
-    request('/user/logout')
-    Scripts.login($staff[:email], $staff[:password], true)
-    staff = $database.getRow('staff', 'headless', 'password')
-    Scripts.deleteStaff(staff['id'])
-
-    staff = $database.getRow('staff', 'theyaregonnafireme', 'password')
-    Scripts.deleteStaff(staff['id'])
-
 end