From c7177593aaf2b1b8fd8dbd53b9cfb6562e1411d7 Mon Sep 17 00:00:00 2001
From: jessib
Date: Mon, 5 Nov 2012 13:18:43 -0800
Subject: Use the same URL for viewing tickets when authenticated or not---the couchdb ID will be the random string for the secret URL. Tickets created when user was unauthenticated will be viewable by anybody who knows the URL.
---
 help/app/controllers/tickets_controller.rb | 7 ++++---
 help/app/models/ticket.rb | 8 +++++---
 help/app/views/tickets/show.html.haml | 7 ++-----
 users/app/controllers/controller_extension/authentication.rb | 2 +-
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/help/app/controllers/tickets_controller.rb b/help/app/controllers/tickets_controller.rb
index 4130ee6..a9e0bd4 100644
--- a/help/app/controllers/tickets_controller.rb
+++ b/help/app/controllers/tickets_controller.rb
@@ -41,7 +41,7 @@ class TicketsController < ApplicationController
 def update
 @ticket = Ticket.find(params[:id])
- if !ticket_access_denied?
+ if !ticket_access_denied? #can update w/out logging in if the ticket was created unauthenticated
 #below is excessively complicated. issue is that we don't need a new comment if we have changed anything else (currently, is_open is the only other thing to change.) However, if we don't change anything else, then we want to try to add a new comment (and possibly fail.) Likely this should all be redone.
 @ticket.is_open = params[:ticket][:is_open]
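Review bot: `if !ticket_access_denied?` reads more naturally as `unless ticket_access_denied?`, and the new trailing comment records a security-relevant decision (callers with no session may update a ticket whose `created_by` is nil) that would be easier to find as a comment line above the `if`, or in the predicate's own documentation, than at the end of a long line. The body of `update` continues outside the hunk, so whether an unauthenticated update is harmless depends on what that remaining code assigns from `params[:ticket]`; the hunk shows only `is_open` being taken from it, and it is worth confirming that nothing else is mass-assigned there.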
@@ -93,9 +93,10 @@ class TicketsController < ApplicationController
 private
+
 def ticket_access_denied?
- # TODO---we will allow unauthenticated users to view tickets with a code
- if !admin? and current_user.id != @ticket.created_by
+ # allow access if user is admin, the ticket was created without unauthentication (thus anybody with URL can access ticket where created_by is nil), or if there is a non-admin user and they created the ticket
+ if !admin? and @ticket.created_by and (!current_user or current_user.id != @ticket.created_by)
 @ticket = nil
 access_denied
 end
diff --git a/help/app/models/ticket.rb b/help/app/models/ticket.rb
index 6301e9e..eaad574 100644
--- a/help/app/models/ticket.rb
+++ b/help/app/models/ticket.rb
@@ -23,14 +23,14 @@ class Ticket < CouchRest::Model::Base
 #property :user_verified, TrueClass, :default => false #will be true exactly when user is set #admins
- property :code, String, :protected => true # only should be set if created_by is nil
+ #property :code, String, :protected => true # only should be set if created_by is nil #instead we will just use couchdb ID
 property :is_open, TrueClass, :default => true
 property :comments, [TicketComment]
 timestamps!
 #before_validation :set_created_by, :set_code, :set_email, :on => :create
- before_validation :set_code, :set_email, :on => :create
+ before_validation :set_email, :on => :create
 #named_scope :open, :conditions => {:is_open => true} #??
@@ -59,10 +59,12 @@ class Ticket < CouchRest::Model::Base
 !!created_by
 end
- def set_code
+=begin
+ def set_code #let's not use this---can use same show url
 # ruby 1.9 provides url-safe option---this is not necessarily url-safe
 self.code = SecureRandom.hex(8) if !is_creator_validated?
 end
+=end
 def set_email
diff --git a/help/app/views/tickets/show.html.haml b/help/app/views/tickets/show.html.haml
index 3fb1d34..92b8d03 100644
--- a/help/app/views/tickets/show.html.haml
+++ b/help/app/views/tickets/show.html.haml
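Review bot: The new condition in `ticket_access_denied?` is written with `and`/`or`, which bind lower than `=` and `!` and are the form RuboCop flags; it evaluates as intended here only because nothing else is in the expression, and it should read `if !admin? && @ticket.created_by && (!current_user || current_user.id != @ticket.created_by)`. The comment above it says "created without unauthentication", which reads as the opposite of what is meant; "created without authentication" fixes it. With the `SecureRandom` code dropped elsewhere in this commit, the unguessability of the "secret URL" for tickets with `created_by` nil now rests entirely on how CouchDB generates document ids, which is a server-side setting (its configured UUID algorithm) rather than anything this app controls; if the URL is meant to act as a capability, that assumption deserves a comment on this line and a check of that setting on the deployed server. The `?` name also understates that the method redirects and clears `@ticket` as side effects.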
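Review bot: Wrapping `set_code` in `=begin`/`=end` keeps dead code in the model, and the same applies to the commented-out `property :code` line in the first hunk of ticket.rb; git history preserves the old implementation, so both should simply be deleted. A `=begin` block that still contains a `def` and a `SecureRandom.hex(8)` call is easy to mistake for live code, and the commit message already records why it was retired. The method ending in `!!created_by` just above the hunk is unchanged and still treats a nil `created_by` as the unauthenticated case, which is consistent with the controller change.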
@@ -5,9 +5,6 @@
 - if flash[:alert]
 =flash[:alert]
 %h2= @ticket.title
-- if @ticket.code
- code:
- = @ticket.code
 - if @ticket.email
 email:
 = @ticket.email
@@ -24,6 +21,6 @@
 = #render :partial => 'new_comment'
 = f.label :is_open
 = f.select :is_open, [true, false]
- = f.button :submit # have button to close
- = # want to ahve button to close
+ = f.button :submit
+ = # TODO want to have button to close
 = link_to t(:cancel), tickets_path, :class => :btn
\ No newline at end of file
diff --git a/users/app/controllers/controller_extension/authentication.rb b/users/app/controllers/controller_extension/authentication.rb
index ebd80b0..598d8a9 100644
--- a/users/app/controllers/controller_extension/authentication.rb
+++ b/users/app/controllers/controller_extension/authentication.rb
@@ -21,7 +21,7 @@ module ControllerExtension::Authentication
 def access_denied
 redirect_to login_url, :alert => "Not authorized" if !logged_in?
- redirect_to root_url, :alert => "Not authorized"
+ redirect_to root_url, :alert => "Not authorized" if logged_in?
 end
 def admin?
-- 
cgit v1.2.3
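Review bot: `= # TODO want to have button to close` (like the context line `= #render :partial => 'new_comment'` above it) uses HAML's `=` script syntax to hold nothing but a Ruby comment, so the template engine still parses and evaluates an empty expression for a line that is only a note. HAML's silent comment is the idiom for this: `-# TODO want to have button to close`, which is dropped at compile time and cannot leak into the rendered page. The first hunk of this file is a pure removal of the `code` display and needs nothing further.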
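Review bot: `access_denied` now guards its two redirects with complementary modifiers, `if !logged_in?` on the first line and `if logged_in?` on the new one, which does stop the second redirect from firing after the first but leaves the mutual exclusion implicit and calls `logged_in?` twice. A single `if logged_in? … else … end` makes the exclusivity explicit and is the form reviewers expect for a two-way branch. Both branches carry the same "Not authorized" alert, so an anonymous visitor sent to the login page sees a message that suggests a permission problem rather than a missing session; a distinct message for the login redirect is a wording choice rather than a defect. The enclosing module continues outside the hunk.
```ruby
  def access_denied
    if logged_in?
      redirect_to root_url, :alert => "Not authorized"
    else
      redirect_to login_url, :alert => "Not authorized"
    end
  end
```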