From 4e70c0639706c26bdcfafb4d8c6ffbef625ea642 Mon Sep 17 00:00:00 2001
From: sunnavy <sunnavy@bestpractical.com>
Date: Wed, 10 Jan 2024 05:30:00 -0500
Subject: [PATCH] Fix ticket/attachment links on SelfService transaction
 display page

Previously these links were privileged ones that unprivileged users couldn't
access.
---
 .../html/SelfService/Transaction/Display.html | 10 ++++++-
 t/web/self_service.t                          | 27 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/share/html/SelfService/Transaction/Display.html b/share/html/SelfService/Transaction/Display.html
index ee47ebf7434..ccfa255f5f7 100644
--- a/share/html/SelfService/Transaction/Display.html
+++ b/share/html/SelfService/Transaction/Display.html
@@ -45,4 +45,12 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-<& /Transaction/Display.html, %ARGS &>
+<& /Transaction/Display.html,
+    DisplayPath     => RT->Config->Get('WebPath') . '/SelfService/Display.html',
+    AttachmentPath  => RT->Config->Get('WebPath') . '/SelfService/Attachment',
+    UpdatePath      => RT->Config->Get('WebPath') . '/SelfService/Update.html',
+    ForwardPath     => undef,
+    EmailRecordPath => undef,
+    EncryptionPath  => undef,
+    %ARGS,
+&>
diff --git a/t/web/self_service.t b/t/web/self_service.t
index 8e41d327b32..859e8213a3d 100644
--- a/t/web/self_service.t
+++ b/t/web/self_service.t
@@ -51,6 +51,33 @@ $m->follow_link_ok(
 $m->content_contains( "<h1>$title</h1>", "contains <h1>$title</h1>" );
 $m->content_lacks( "There are unread messages on this ticket." );
 
+$m->follow_link_ok( { url_regex => qr{^/SelfService/Transaction/Display.html}, n => 2 }, 'Followed transaction link' );
+
+$m->text_contains('sample correspondence');
+
+ok( !$m->find_link( url_regex => qr{^/Ticket/} ),     'No privileged ticket links found' );
+ok( !$m->find_link( url_regex => qr{^Update.html} ),  'No self service update links found' );
+
+
+$m->follow_link_ok( { url_regex => qr{^/SelfService/Attachment/}, }, 'Followed self service attachment link' );
+$m->text_contains('sample correspondence');
+$m->back;
+
+RT::Test->add_rights( { Principal => $Cc, Right => ['ReplyToTicket'] } );
+$m->reload;
+$m->follow_link_ok( { url_regex => qr{^/SelfService/Update.html}, }, 'Followed self service ticket link' );
+$m->submit_form_ok(
+    {
+        form_name   => 'TicketUpdate',
+        with_fields => { UpdateContent => 'Test correspondence from self service' },
+        button => 'SubmitTicket',
+    },
+    'Submitted self service update form'
+);
+$m->text_contains('Correspondence added');
+$m->text_contains('Test correspondence from self service');
+
+
 diag 'Test $SelfServiceUserPrefs config';
 {
   # Verify the $SelfServiceUserPrefs config option renders the correct display at