fix : prevented non-admin users from changing ticket status to closed #793

Open

tmdeveloper007 wants to merge 2 commits into KanishJebaMathewM:main from tmdeveloper007:#788


Conversation

tmdeveloper007 (Contributor) commented Jun 23, 2026

Closes #788.

Summary of What Has Been Done:
Removed the incorrect clause from the status-change guard in PATCH /tickets/:id. The original condition used short-circuit logic that allowed non-admin users to close their own tickets. Now the guard blocks any status change by non-admin users (whether to 'closed' or any other status).

Changes Made:

  • backend/api/src/routes/supportRoutes.js: Removed from the role guard; updated error message to reflect that only admins can change ticket status at all.

Impact it Made:
All 239 unit tests pass. Support ticket status changes are now restricted to admins only.

Summary by CodeRabbit

  • Bug Fixes
    • Ticket status changes are now restricted to administrators only. Ticket owners can no longer modify ticket status.
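The guard change described above, as an added example that is not the Truxify project's code: a hypothetical reconstruction of the PATCH /tickets/:id status-change guard before and after the fix, with a small authorization matrix that shows the one cell that flips. The shape of the removed clause, the field names (user.role, user.id, ticket.ownerId) and the status set are assumptions; the two error strings are the ones quoted in the review comments on this page.

```javascript
// Added example, not code from the Truxify repository: a hypothetical
// reconstruction of the status-change guard before and after the fix.
// Field names (user.role, user.id, ticket.ownerId), the status set and the
// exact form of the removed clause are assumptions.

const STATUSES = new Set(['open', 'in_progress', 'resolved', 'closed']);

const DENY_OLD = 'Access Denied: Only admins can change tickets to this status.';
const DENY_NEW = 'Access Denied: Only admins can change ticket status.';

// Before: an owner exception is OR-ed into the admin check. Because `||`
// short-circuits, an owner asking for 'closed' satisfies the guard without
// ever being admin, so any user can close a ticket they filed.
function guardBefore(user, ticket, newStatus) {
  const isAdmin = user.role === 'admin';
  const ownerClosing = ticket.ownerId === user.id && newStatus === 'closed';
  if (isAdmin || ownerClosing) {
    return { allowed: true, status: 200 };
  }
  return { allowed: false, status: 403, error: DENY_OLD };
}

// After: the role check stands alone. Ownership plays no part in status
// changes, so there is no branch a non-admin can satisfy.
function guardAfter(user, ticket, newStatus) {
  if (!STATUSES.has(newStatus)) {
    return { allowed: false, status: 400, error: 'Invalid status.' };
  }
  if (user.role !== 'admin') {
    return { allowed: false, status: 403, error: DENY_NEW };
  }
  return { allowed: true, status: 200 };
}

// Minimal handler in the shape of the route: run the guard first and only
// produce an updated ticket when it allows the change (no mutation).
function patchTicketStatus(guard, user, ticket, body) {
  const verdict = guard(user, ticket, body.status);
  if (!verdict.allowed) {
    return { status: verdict.status, body: { error: verdict.error } };
  }
  return { status: 200, body: { ...ticket, status: body.status } };
}

// Constructed fixtures (not real data): an admin, the ticket's owner, and an
// unrelated authenticated user.
const TICKET = { id: 42, ownerId: 7, status: 'open' };
const ADMIN = { id: 1, role: 'admin' };
const OWNER = { id: 7, role: 'user' };
const OTHER = { id: 9, role: 'user' };

// Runs every (principal, requested status) pair through a guard and returns
// the HTTP status each pair gets, so the two guards can be compared.
function authorizationMatrix(guard) {
  const principals = { admin: ADMIN, owner: OWNER, other: OTHER };
  const result = {};
  for (const [name, user] of Object.entries(principals)) {
    result[name] = {};
    for (const s of STATUSES) {
      result[name][s] = patchTicketStatus(guard, user, TICKET, { status: s }).status;
    }
  }
  return result;
}

// The only cell that differs between the two is owner/closed: 200 before, 403 after.
console.log('before', authorizationMatrix(guardBefore));
console.log('after ', authorizationMatrix(guardAfter));
```

The matrix is the check worth keeping in the test suite: it pins every principal against every status, so a future "owner may close" clause cannot creep back in unnoticed, and it covers the two integration tests the review asks to flip (owner to closed now 403, owner to in_progress/resolved still 403 with the new message).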

github-actions (Contributor) commented

🎉 Thank you for your contribution! Your pull request has been received and will be reviewed shortly.

If you enjoy the project, please consider giving the repository a ⭐. You can also follow my GitHub profile to stay updated on future open-source projects.

Thanks for being part of the community! 🚀

coderabbitai Bot commented Jun 23, 2026

Review Change Stack

Warning

Review limit reached

@tmdeveloper007, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 37 minutes and 35 seconds. Learn how PR review limits work.

To continue reviewing without waiting, enable usage-based billing in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 26f5bd22-9309-46bf-95cc-400effc0519a

📥 Commits

Reviewing files that changed from the base of the PR and between 820fc4d and 4a97faa.

📒 Files selected for processing (1)
  • backend/api/src/routes/supportRoutes.js
📝 Walkthrough

Walkthrough

Two test cases in the PATCH /api/support/tickets/:id integration suite are updated. The owner-status-to-closed test is flipped from expecting success to expecting HTTP 403, and both affected tests are updated to assert the revised "Only admins can change ticket status." error message.

Changes

Non-admin ticket status authorization test updates

  • Owner and non-admin status change denial assertions (backend/api/test/integration/supportRoutes.test.js): The owner-to-closed test is changed from a success assertion to an HTTP 403 denial with the new error message. The in_progress/resolved non-admin denial test updates its error message string to match the revised text.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • #788 (fix: prevent non-admin users from changing ticket status to 'closed' in supportRoutes.js): This PR's test changes directly validate the guard fix described in the issue, asserting owners are denied HTTP 403 for all status transitions including closed.

Possibly related PRs

  • KanishJebaMathewM/Truxify#728: Tightens the same PATCH /tickets/:id status-transition authorization logic in supportRoutes.js that these tests now validate.

Suggested labels

level:beginner, type:testing

Poem

🐇 Hop hop, the ticket gate is sealed tight,
No owner shall close what needs admin might!
A 403 bounces the sneaky request,
The guard now stands firm, put to the test.
Only admins may flip the status today —
This bunny says: unauthorized? No way! 🚫

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main security fix: preventing non-admin users from changing ticket status to closed.
  • Linked Issues check: ✅ Passed. Changes align with issue #788: integration tests updated to verify non-admin users cannot change ticket status [#788].
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to the security fix; only integration test updates to reflect stricter ticket status permissions.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/api/src/routes/supportRoutes.js`:
- Around line 252-256: Update the two stale integration tests in
backend/api/test/integration/supportRoutes.test.js to match the new guard logic.
First, in the test at line 313-328 titled "allows owner to change status to
closed", change the expected response status code from 200 to 403 since
non-admins can no longer change ticket status. Second, in the test at line
330-345 titled "denies owner from changing status to in_progress or resolved",
update the expected error message on line 344 from 'Access Denied: Only admins
can change tickets to this status.' to 'Access Denied: Only admins can change
ticket status.' to match the new error message returned by the guard condition
in the supportRoutes.js file.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0d622edd-b3e5-4734-8872-ce6d629bb30f

📥 Commits

Reviewing files that changed from the base of the PR and between 5ac71a8 and fb8b23d.

📒 Files selected for processing (1)
  • backend/api/src/routes/supportRoutes.js

Comment thread backend/api/src/routes/supportRoutes.js
…s-change guard

Test 'allows owner to change status to closed' updated to expect 403.
Test 'denies owner from changing status to in_progress or resolved' updated to match new error message.

Development

Successfully merging this pull request may close these issues.

fix : prevent non-admin users from changing ticket status to 'closed' in supportRoutes.js

1 participant