1# BEGIN BPS TAGGED BLOCK {{{
2#
3# COPYRIGHT:
4#
5# This software is Copyright (c) 1996-2021 Best Practical Solutions, LLC
6#                                          <sales@bestpractical.com>
7#
8# (Except where explicitly superseded by other copyright notices)
9#
10#
11# LICENSE:
12#
13# This work is made available to you under the terms of Version 2 of
14# the GNU General Public License. A copy of that license should have
15# been provided with this software, but in any event can be snarfed
16# from www.gnu.org.
17#
18# This work is distributed in the hope that it will be useful, but
19# WITHOUT ANY WARRANTY; without even the implied warranty of
20# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
21# General Public License for more details.
22#
23# You should have received a copy of the GNU General Public License
24# along with this program; if not, write to the Free Software
25# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
26# 02110-1301 or visit their web page on the internet at
27# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
28#
29#
30# CONTRIBUTION SUBMISSION POLICY:
31#
32# (The following paragraph is not intended to limit the rights granted
33# to you to modify and distribute this software under the terms of
34# the GNU General Public License and is only of importance to you if
35# you choose to contribute your changes and enhancements to the
36# community by submitting them to Best Practical Solutions, LLC.)
37#
38# By intentionally submitting any modifications, corrections or
39# derivatives to this work, or any other work intended for use with
40# Request Tracker, to Best Practical Solutions, LLC, you confirm that
41# you are the copyright holder for those contributions and you grant
42# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
43# royalty-free, perpetual, license to use, copy, create derivative
44# works based on those contributions, and sublicense and distribute
45# those contributions and any derivatives thereof.
46#
47# END BPS TAGGED BLOCK }}}
48
49package RT::REST2::Resource::Attachments;
50use strict;
51use warnings;
52
53use Moose;
54use namespace::autoclean;
55
56extends 'RT::REST2::Resource::Collection';
57with 'RT::REST2::Resource::Collection::QueryByJSON';
58
# Routing table for the attachment collection endpoints.
#
# Returns three Path::Dispatcher::Rule::Regex objects. Each rule's block
# produces the hash that selects what this resource serves:
#
#   /attachments                  -> { collection_class => 'RT::Attachments' }
#   /transaction/<id>/attachments -> { collection => attachments of that transaction }
#   /ticket/<id>/attachments      -> { collection => attachments of that ticket }
#
# RT objects built here are constructed with the "rt.current_user" entry
# of the request environment.
#
# NOTE(review): the patterns use ^...$ and a bare \d. In Perl, $ also
# matches before a trailing newline and \d is not limited to ASCII digits
# unless /a is given; \A...\z with /a would be stricter. Whether that
# matters depends on how the dispatcher feeds the path -- confirm.
sub dispatch_rules {
    # Whole-collection endpoint: only names the collection class.
    my $all_attachments = Path::Dispatcher::Rule::Regex->new(
        regex => qr{^/attachments/?$},
        block => sub {
            return +{ collection_class => 'RT::Attachments' };
        },
    );

    # Attachments of a single transaction, id taken from capture 1.
    my $by_transaction = Path::Dispatcher::Rule::Regex->new(
        regex => qr{^/transaction/(\d+)/attachments/?$},
        block => sub {
            my ($path_match, $request) = @_;

            my $transaction
                = RT::Transaction->new($request->env->{"rt.current_user"});
            $transaction->Load($path_match->pos(1));

            # NOTE(review): unlike the ticket route, no explicit rights check
            # is made here and the result of Load is not inspected. What an
            # unauthorised or non-existent transaction id yields (including
            # any total count) therefore rests entirely on
            # RT::Transaction->Attachments, which is not visible in this
            # file -- confirm it enforces visibility.
            return +{ collection => $transaction->Attachments };
        },
    );

    # Attachments of a single ticket; the rights check lives in the helper.
    my $by_ticket = Path::Dispatcher::Rule::Regex->new(
        regex => qr{^/ticket/(\d+)/attachments/?$},
        block => sub {
            my ($path_match, $request) = @_;
            return _get_ticket_attachments($path_match, $request);
        },
    );

    return ($all_attachments, $by_transaction, $by_ticket);
}
81
# Build the attachment collection for the /ticket/<id>/attachments route.
# Kept as a separate subroutine because it is too long to read comfortably
# inline in dispatch_rules.
#
# Arguments: the dispatcher match (ticket id in capture 1) and the request.
# Returns:   { collection => $attachments }, an RT::Attachments object
#            created for the request's "rt.current_user".
#
# The collection is limited to the ticket only when the ticket loads AND
# the current user holds ShowTicket on it. A missing ticket and a ticket
# the user may not see both get the same un-limited collection back, so
# this sub does not distinguish "no such ticket" from "not permitted".
#
# NOTE(review): the "empty list" result relies on an un-limited
# RT::Attachments yielding no rows. Confirm that, and confirm nothing
# applied later to the returned collection (e.g. by the QueryByJSON role
# composed into this class) adds limits that would make it non-empty.
sub _get_ticket_attachments {
    my ($match, $req) = @_;

    my $current_user = $req->env->{"rt.current_user"};

    my $ticket      = RT::Ticket->new($current_user);
    my $ticket_id   = $ticket->Load($match->pos(1));
    my $attachments = RT::Attachments->new($current_user);

    # Explicit ShowTicket check: without it the total number of attachments
    # would leak even though the attachments themselves are not shown.
    if ($ticket_id && $ticket->CurrentUserHasRight('ShowTicket')) {
        $attachments->LimitByTicket($ticket_id);
    }

    return { collection => $attachments };
}
105
106__PACKAGE__->meta->make_immutable;
107
1081;
109
110