Merge branch 'customer_login'

.gitignore

@@ -23,6 +23,7 @@ app/assets/stylesheets/scaffolds.css.scss
 
 # uploads
 public/system
+data
 
 # Capistrano deploy details
 config/deploy

Gemfile.lock

@@ -27,7 +27,9 @@ GEM
       tzinfo (~> 0.3.37)
     arel (4.0.2)
     atomic (1.1.15)
-    bcrypt-ruby (3.1.2)
+    bcrypt (3.1.7)
+    bcrypt-ruby (3.1.5)
+      bcrypt (>= 3.1.3)
     builder (3.1.4)
     cancan (1.6.10)
     capistrano (3.1.0)
@@ -56,25 +58,25 @@ GEM
       execjs
     coffee-script-source (1.7.0)
     columnize (0.3.6)
-    compass (0.12.2)
+    compass (0.12.3)
       chunky_png (~> 1.2)
       fssm (>= 0.2.7)
-      sass (~> 3.1)
-    compass-rails (1.1.3)
+      sass (= 3.2.14)
+    compass-rails (1.1.6)
       compass (>= 0.12.2)
     coveralls (0.7.0)
       multi_json (~> 1.3)
       rest-client
       simplecov (>= 0.7)
       term-ansicolor
       thor
-    debugger (1.6.5)
+    debugger (1.6.6)
       columnize (>= 0.3.1)
       debugger-linecache (~> 1.2.0)
-      debugger-ruby_core_source (~> 1.3.1)
+      debugger-ruby_core_source (~> 1.3.2)
     debugger-linecache (1.2.0)
-    debugger-ruby_core_source (1.3.1)
-    devise (3.2.2)
+    debugger-ruby_core_source (1.3.2)
+    devise (3.2.3)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -102,12 +104,12 @@ GEM
       treetop (~> 1.4.8)
     mime-types (1.25.1)
     minitest (4.7.5)
-    multi_json (1.8.4)
+    multi_json (1.9.0)
     net-scp (1.1.2)
       net-ssh (>= 2.6.5)
     net-ssh (2.8.0)
     orm_adapter (0.5.0)
-    paperclip (4.1.0)
+    paperclip (4.1.1)
       activemodel (>= 3.0.0)
       activesupport (>= 3.0.0)
       cocaine (~> 0.5.3)
@@ -131,14 +133,15 @@ GEM
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rake (10.1.1)
-    redcarpet (3.0.0)
+    redcarpet (3.1.1)
     ref (1.0.5)
     rest-client (1.6.7)
       mime-types (>= 1.16)
     sass (3.2.14)
-    sass-rails (4.0.1)
+    sass-rails (4.0.2)
       railties (>= 4.0.0, < 5.0)
-      sass (>= 3.1.10)
+      sass (~> 3.2.0)
+      sprockets (~> 2.8, <= 2.11.0)
       sprockets-rails (~> 2.0.0)
     simplecov (0.8.2)
       docile (~> 1.1.0)
@@ -154,7 +157,7 @@ GEM
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (~> 2.8)
-    sqlite3 (1.3.8)
+    sqlite3 (1.3.9)
     sshkit (1.3.0)
       net-scp (>= 1.1.2)
       net-ssh
@@ -172,7 +175,7 @@ GEM
     treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.38)
+    tzinfo (0.3.39)
     uglifier (2.4.0)
       execjs (>= 0.3.0)
       json (>= 1.8.0)

app/controllers/application_controller.rb

@@ -18,4 +18,23 @@ class ApplicationController < ActionController::Base
   protect_from_forgery
 
   before_filter :authenticate_user!
+
+  check_authorization unless: :devise_controller?
+
+  rescue_from CanCan::AccessDenied do |exception|
+    if Rails.env == :production
+      redirect_to root_url, alert: exception.message
+    else
+      # for tests and development, we want unauthorized status codes
+      render text: exception, status: :unauthorized
+    end
+  end
+
+  # Always automatically call strong parameters filter based on controller name
+  # this fixes cancan problems for create etc.
+  before_filter do
+    resource = controller_path.singularize.gsub('/', '_').to_sym
+    method = "#{resource}_params"
+    params[resource] &&= send(method) if respond_to?(method, true)
+  end
 end

app/controllers/attachments_controller.rb

@@ -0,0 +1,38 @@
+# Brimir is a helpdesk system to handle email support requests.
+# Copyright (C) 2012-2014 Ivaldi http://ivaldi.nl
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+class AttachmentsController < ApplicationController
+
+  load_and_authorize_resource :attachment
+
+  def show
+    begin
+      if params[:format] == 'thumb'
+        send_file @attachment.file.path(:thumb),
+            type: 'image/jpeg',
+            disposition: :inline
+      else
+        send_file @attachment.file.path,
+            filename: @attachment.file_file_name,
+            type: @attachment.file_content_type,
+            disposition: :attachment
+      end
+    rescue ActionController::MissingFile
+      render text: 'File not found.', status: :not_found
+    end
+  end
+
+end

app/controllers/replies_controller.rb

@@ -16,8 +16,23 @@
 
 class RepliesController < ApplicationController
 
+  load_and_authorize_resource :reply
+
   def create
-    @reply = Reply.new(reply_params)
+    @reply = Reply.new
+
+    if !params[:attachment].nil?
+
+      params[:attachment].each do |file|
+
+        @reply.attachments.new(file: file)
+
+      end
+
+      params[:reply].delete(:attachments_attributes)
+    end
+
+    @reply.assign_attributes(reply_params)
 
     @reply.user = current_user    
 
@@ -34,16 +49,17 @@ def create
     end
   end
 
-  def new
-    @reply = Reply.new(reply_params)
-
-    @reply.to = @reply.ticket.user.email
-  end
-
   private
     def reply_params
-      params.require(:reply).permit(:content, :ticket_id, :message_id, :user_id,
-          :attachments_attributes, :to, :cc, :bcc)
+      params.require(:reply).permit(
+          :content,
+          :ticket_id,
+          :message_id,
+          :user_id,
+          :to,
+          :cc,
+          :bcc
+      )
     end
 
 end

app/controllers/tickets_controller.rb

@@ -17,8 +17,9 @@
 class TicketsController < ApplicationController
   before_filter :authenticate_user!, except: [ :create ] 
 
+  load_and_authorize_resource :ticket, except: [ :index ]
+
   def show
-    @ticket = Ticket.find(params[:id])
     @agents = User.agents
     @statuses = Status.all
     @priorities = Priority.all    
@@ -39,13 +40,19 @@ def index
       .search(params[:q])
       .filter_by_assignee_id(params[:assignee_id])
       .page(params[:page])
-      .order(:created_at)
+      .ordered
+      .viewable_by(current_user)
 
+    if @tickets.count > 0
+      @tickets.each do |ticket|
+        authorize! :index, ticket
+      end
+    else
+      authorize! :index, Ticket
+    end
   end
 
   def update
-    @ticket = Ticket.find(params[:id])
-
     respond_to do |format|
       if @ticket.update_attributes(ticket_params)
 

app/controllers/users_controller.rb

@@ -15,6 +15,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 class UsersController < ApplicationController
+
+  load_and_authorize_resource :user
 
   def edit
     @user = User.find(params[:id])

app/models/ability.rb

@@ -1,3 +1,19 @@
+# Brimir is a helpdesk system to handle email support requests.
+# Copyright (C) 2012 Ivaldi http://ivaldi.nl
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 class Ability
   include CanCan::Ability
 
@@ -7,33 +23,14 @@ def initialize(user)
       can :manage, :all
     else
 
-    end
+      # customers can view their own tickets, its replies and attachments
+      can :read, Ticket, user_id: user.id
+      can :read, Reply, ticket: { user_id: user.id }
+      can :read, Attachment, attachable_type: 'Ticket', attachable: { user_id: user.id }
+      can :read, Attachment, attachable_type: 'Reply', attachable: { ticket: { user_id: user.id } }
 
-    # Define abilities for the passed in user here. For example:
-    #
-    #   user ||= User.new # guest user (not logged in)
-    #   if user.admin?
-    #     can :manage, :all
-    #   else
-    #     can :read, :all
-    #   end
-    #
-    # The first argument to `can` is the action you are giving the user 
-    # permission to do.
-    # If you pass :manage it will apply to every action. Other common actions
-    # here are :read, :create, :update and :destroy.
-    #
-    # The second argument is the resource the user can perform the action on. 
-    # If you pass :all it will apply to every resource. Otherwise pass a Ruby
-    # class of the resource.
-    #
-    # The third argument is an optional hash of conditions to further filter the
-    # objects.
-    # For example, here the user can only update published articles.
-    #
-    #   can :update, Article, :published => true
-    #
-    # See the wiki for details:
-    # https://github.com/ryanb/cancan/wiki/Defining-Abilities
+      # customers can edit their own account
+      can [ :edit, :update ], User, id: user.id
+    end
   end
 end

app/models/attachment.rb

@@ -18,7 +18,17 @@ class Attachment < ActiveRecord::Base
   # polymorphic relation with tickets & replies
   belongs_to :attachable, polymorphic: true
 
-  has_attached_file :file, styles: { thumb: [ '50x50#', :jpg ] }
+  has_attached_file :file,
+      path: ':rails_root/data/:class/:attachment/:id_partition/:style/:id.:extension',
+      url: '/attachments/:id/:style',
+      styles: {
+          thumb: {
+              geometry: '50x50#',
+              format: :jpg,
+              # this will convert transparent parts to white instead of black
+              convert_options: '-flatten'
+          }
+      }
   do_not_validate_attachment_file_type :file
   before_post_process :image?
 

app/models/ticket.rb

@@ -46,4 +46,14 @@ class Ticket < ActiveRecord::Base
           term, term)
     end
   }
+
+  scope :ordered, -> {
+    order(:created_at)
+  }
+
+  scope :viewable_by, ->(user) {
+    if !user.agent?
+      where(user_id: user.id)
+    end
+  }
 end

app/models/user.rb

@@ -22,7 +22,4 @@ class User < ActiveRecord::Base
 
   scope :agents, -> { where(agent: true) }
 
-  def active_for_authentication?
-    super && agent
-  end
 end

app/views/replies/_form.html.erb

@@ -1,4 +1,4 @@
-<%= form_for @reply, html: { class: 'new_reply' } do |r| %>
+<%= form_for @reply, html: { multipart: true, class: 'new_reply' } do |r| %>
 
   <%= r.hidden_field :ticket_id %>
   <h5 class="mt">Reply</h5>
@@ -40,10 +40,8 @@
         <% markdown = Redcarpet::Markdown.new Redcarpet::Render::HTML %>
         <%= markdown.render(current_user.signature.to_s).html_safe %>
 
-        <%= r.fields_for :attachments, Attachment.new, child_index: nil do |a| %>
-          <%= a.label :file, 'Attach file(s)' %>
-          <%= a.file_field :file, multiple: true, label: false %>
-        <% end %>
+        <%= label_tag 'attachment[]', 'Attach file(s)' %>
+        <%= file_field_tag 'attachment[]', multiple: true, label: false %>
       </div>
     </div>
     <div class="content full" id="preview">