Working on user ticket security checker

api/BusinessLogic/Security/UserPrivilege.php

@@ -12,4 +12,5 @@ namespace BusinessLogic\Security;
 class UserPrivilege {
     const CAN_VIEW_TICKETS = 'can_view_tickets';
     const CAN_REPLY_TO_TICKETS = 'can_reply_tickets';
+    const CAN_EDIT_TICKETS = 'can_edit_tickets';
 }

api/BusinessLogic/Security/UserToTicketChecker.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace BusinessLogic\Security;
+
+
+use BusinessLogic\Tickets\Ticket;
+
+class UserToTicketChecker {
+
+    /**
+     * @param $user UserContext
+     * @param $ticket Ticket
+     * @param $isEditing bool true if editing a ticket, false if creating
+     * @param $heskSettings array
+     * @return bool
+     */
+    function isTicketWritableToUser($user, $ticket, $isEditing, $heskSettings) {
+        $hasAccess = $user->admin === true ||
+            (in_array($ticket->categoryId, $user->categories) &&
+                in_array(UserPrivilege::CAN_VIEW_TICKETS, $user->permissions));
+
+        return $isEditing
+            ? $hasAccess && in_array(UserPrivilege::CAN_EDIT_TICKETS, $user->permissions)
+            : $hasAccess;
+    }
+}

api/Tests/BusinessLogic/Security/UserToTicketCheckerTest.php

@@ -0,0 +1,88 @@
+<?php
+
+
+namespace BusinessLogic\Security;
+
+
+use BusinessLogic\Tickets\Ticket;
+use PHPUnit\Framework\TestCase;
+
+class UserToTicketCheckerTest extends TestCase {
+
+    /* @var $userToTicketChecker UserToTicketChecker */
+    private $userToTicketChecker;
+
+    /* @var $heskSettings array */
+    private $heskSettings;
+
+    protected function setUp() {
+        $this->userToTicketChecker = new UserToTicketChecker();
+    }
+
+    function testItReturnsTrueWhenTheUserIsAnAdmin() {
+        //-- Arrange
+        $user = new UserContext();
+        $user->admin = true;
+
+        $ticket = new Ticket();
+
+        //-- Act
+        $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, false, $this->heskSettings);
+
+        //-- Assert
+        self::assertThat($result, self::isTrue());
+    }
+
+    function testItReturnsTrueWhenTheUserHasAccessToTheCategory() {
+        //-- Arrange
+        $user = new UserContext();
+        $user->admin = false;
+        $user->categories = array(1);
+        $user->permissions = array(UserPrivilege::CAN_VIEW_TICKETS);
+
+        $ticket = new Ticket();
+        $ticket->categoryId = 1;
+
+        //-- Act
+        $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, false, $this->heskSettings);
+
+        //-- Assert
+        self::assertThat($result, self::isTrue());
+    }
+
+    function testItReturnsFalseWhenTheUserCannotViewTickets() {
+        //-- Arrange
+        $user = new UserContext();
+        $user->admin = false;
+        $user->categories = array(1);
+        $user->permissions = array();
+
+        $ticket = new Ticket();
+        $ticket->categoryId = 1;
+
+        //-- Act
+        $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, false, $this->heskSettings);
+
+        //-- Assert
+        self::assertThat($result, self::isFalse());
+    }
+
+    function testItReturnsFalseWhenTheUserCannotViewAndEditTicketsWhenEditFlagIsTrue() {
+        //-- Arrange
+        $user = new UserContext();
+        $user->admin = false;
+        $user->categories = array(1);
+        $user->permissions = array(UserPrivilege::CAN_VIEW_TICKETS, 'something else');
+
+        $ticket = new Ticket();
+        $ticket->categoryId = 1;
+
+        //-- Act
+        $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, true, $this->heskSettings);
+
+        //-- Assert
+        self::assertThat($result, self::isFalse());
+    }
+
+    //-- TODO Category Manager
+}