Use the same URL for viewing tickets when authenticated or not---the couchdb ID will be the random string for the secret URL.

Tickets created when user was unauthenticated will be viewable by anybody who knows the URL.

1 files changed, 4 insertions, 3 deletions

diff --git a/help/app/controllers/tickets_controller.rb b/help/app/controllers/tickets_controller.rb
index 4130ee6..a9e0bd4 100644
--- a/help/app/controllers/tickets_controller.rb
+++ b/help/app/controllers/tickets_controller.rb
@@ -41,7 +41,7 @@ class TicketsController < ApplicationController
   def update
     
     @ticket = Ticket.find(params[:id])
-    if !ticket_access_denied?
+    if !ticket_access_denied? #can update w/out logging in if the ticket was created unauthenticated
 
       #below is excessively complicated. issue is that we don't need a new comment if we have changed anything else (currently, is_open is the only other thing to change.) However, if we don't change anything else, then we want to try to add a new comment (and possibly fail.) Likely this should all be redone.
       @ticket.is_open = params[:ticket][:is_open]
@@ -93,9 +93,10 @@ class TicketsController < ApplicationController
 
   private
   
+  
   def ticket_access_denied?
-    # TODO---we will allow unauthenticated users to view tickets with a code
-    if !admin? and current_user.id != @ticket.created_by
+    # allow access if user is admin, the ticket was created without unauthentication (thus anybody with URL can access ticket where created_by is nil), or if there is a non-admin user and they created the ticket
+    if !admin? and @ticket.created_by and (!current_user or current_user.id != @ticket.created_by)
       @ticket = nil
       access_denied
     end