From 1e087588d29e4927f5e8d82cf76e71a7bf8915ca Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Thu, 5 Mar 2015 16:34:42 -0600
Subject: [PATCH] perms: Mask user and org manage links on ticket view

---
 include/ajax.tickets.php | 2 +-
 include/ajax.users.php | 6 +++---
 include/staff/templates/tickets.tmpl.php | 4 ++--
 include/staff/templates/user.tmpl.php | 6 ++++++
 include/staff/ticket-view.inc.php | 6 ++++--
 include/staff/tickets.inc.php | 5 +++--
 6 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
index e13128529..e1b5aac41 100644
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -178,7 +178,6 @@ class TicketsAjaxAPI extends AjaxController {
     }
 
     function previewTicket ($tid) {
-        global $thisstaff;
 
         if(!$thisstaff
                 || !($ticket=Ticket::lookup($tid))
@@ -445,6 +444,7 @@ class TicketsAjaxAPI extends AjaxController {
     }
 
     function _userlookup($user, $form, $info) {
+        global $thisstaff;
 
         ob_start();
         include(STAFFINC_DIR . 'templates/user-lookup.tmpl.php');
diff --git a/include/ajax.users.php b/include/ajax.users.php
index d4cb6a948..f3b6c247a 100644
--- a/include/ajax.users.php
+++ b/include/ajax.users.php
@@ -254,13 +254,13 @@ class UsersAjaxAPI extends AjaxController {
 
         $info = array();
 
-        if (!$thisstaff->getRole()->hasPerm(User::PERM_CREATE))
-            Http::response(403, 'Permission Denied');
-
         if (!AuthenticationBackend::getSearchDirectories())
             $info['lookup'] = 'local';
 
         if ($_POST) {
+            if (!$thisstaff->getRole()->hasPerm(User::PERM_CREATE))
+                Http::response(403, 'Permission Denied');
+
             $info['title'] = __('Add New User');
             $form = UserForm::getUserForm()->getForm($_POST);
             if (($user = User::fromForm($form)))
diff --git a/include/staff/templates/tickets.tmpl.php b/include/staff/templates/tickets.tmpl.php
index 87cc1f9af..7fc45a41a 100644
--- a/include/staff/templates/tickets.tmpl.php
+++ b/include/staff/templates/tickets.tmpl.php
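Review bot: Dropping `global $thisstaff;` from previewTicket leaves `$thisstaff` an undefined local on the very next lines, so `!$thisstaff` is always true and every preview is rejected (with an undefined-variable notice), unless the method obtains it some other way not visible here. The surrounding hunks suggest the intent was to add the global to _userlookup, not to take it away from previewTicket; keep `global $thisstaff;` in both methods. previewTicket's body continues past the end of the hunk.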
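Review bot: The `global $thisstaff;` added to _userlookup is not read by anything in the method itself; it is presumably there so the included user-lookup.tmpl.php can run its permission checks, and a reader will otherwise take it for dead code. A one-line comment on the added line makes the dependency explicit: `global $thisstaff; // read by templates/user-lookup.tmpl.php for permission checks`. _userlookup continues past the end of the hunk.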
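Review bot: With the `User::PERM_CREATE` check moved under `if ($_POST)`, staff without that permission now receive the add-user form on the non-POST path and only meet the 403 when they submit; the state-changing path is still enforced server-side, so this is a usability gap rather than a bypass, but the commit message does not say the form render is meant to be open. If that is deliberate, hand the result to the template so it can hide or disable the submit control (for example `$info['can_create'] = $thisstaff->getRole()->hasPerm(User::PERM_CREATE);` — key name is a suggestion); otherwise restore the check ahead of the branch. `$thisstaff->getRole()` is also called without a visible null check; the method's opening, where `$thisstaff` is presumably brought into scope, lies above the hunk.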
@@ -31,7 +31,7 @@ $tickets->annotate(array( 'thread_count' => SqlAggregate::COUNT('thread__entries'), )); -$tickets->values('staff_id', 'staff__firstname', 'staff__lastname', 'team__name', 'team_id', 'lock_id', 'lock__staff_id', 'isoverdue', 'status_id', 'status__name', 'status__state', 'number', 'cdata__subject', 'ticket_id', 'source', 'dept_id', 'dept__name', 'user_id', 'user__default_email__address', 'user__name'); +$tickets->values('staff_id', 'staff__firstname', 'staff__lastname', 'team__name', 'team_id', 'lock__lock_id', 'lock__staff_id', 'isoverdue', 'status_id', 'status__name', 'status__state', 'number', 'cdata__subject', 'ticket_id', 'source', 'dept_id', 'dept__name', 'user_id', 'user__default_email__address', 'user__name'); TicketForm::ensureDynamicDataView(); @@ -92,7 +92,7 @@ if ($results) { ?> $subject_field = TicketForm::objects()->one()->getField('subject'); foreach($tickets as $T) { $flag=null; - if ($T['lock_id'] && $T['lock__staff_id'] != $thisstaff->getId()) + if ($T['lock__lock_id'] && $T['lock__staff_id'] != $thisstaff->getId()) $flag='locked'; elseif ($T['isoverdue']) $flag='overdue'; diff --git a/include/staff/templates/user.tmpl.php b/include/staff/templates/user.tmpl.php index 4737aaea2..555385020 100644 --- a/include/staff/templates/user.tmpl.php +++ b/include/staff/templates/user.tmpl.php 
@@ -50,9 +50,13 @@ if ($info['error']) { <div id="user_tabs_container"> <div class="tab_content" id="info-tab"> <div class="floating-options"> +<?php if ($thisstaff->getRole()->hasPerm(User::PERM_EDIT)) { ?> <a href="<?php echo $info['useredit'] ?: '#'; ?>" id="edituser" class="action" title="<?php echo __('Edit'); ?>"><i class="icon-edit"></i></a> +<?php } + if ($thisstaff->getRole()->hasPerm(User::PERM_DIRECTORY)) { ?> <a href="users.php?id=<?php echo $user->getId(); ?>" title="<?php echo __('Manage User'); ?>" class="action"><i class="icon-share"></i></a> +<?php } ?> </div> <table class="custom-info" width="100%"> <?php foreach ($user->getDynamicData() as $entry) { @@ -72,10 +76,12 @@ if ($info['error']) { <?php if ($org) { ?> <div class="hidden tab_content" id="org-tab"> +<?php if ($thisstaff->getRole()->hasPerm(User::PERM_DIRECTORY)) { ?> <div class="floating-options"> <a href="orgs.php?id=<?php echo $org->getId(); ?>" title="<?php echo __('Manage Organization'); ?>" class="action"><i class="icon-share"></i></a> </div> +<?php } ?> <table class="custom-info" width="100%"> <?php foreach ($org->getDynamicData() as $entry) { ?> diff --git a/include/staff/ticket-view.inc.php b/include/staff/ticket-view.inc.php index d16b43523..580559cb4 100644 --- a/include/staff/ticket-view.inc.php +++ b/include/staff/ticket-view.inc.php 
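Review bot: user.tmpl.php now dereferences `$thisstaff` in three places, so every file that includes it must have `$thisstaff` in scope or the template fatals on `null->getRole()`; the commit adds `global $thisstaff;` to _userlookup for the sibling user-lookup template, which suggests the include sites of this one (outside the diff) need the same audit. In the first hunk the `<?php }` that closes the PERM_EDIT block and the `if (... PERM_DIRECTORY) { ?>` that opens the next share one PHP block with the second condition on a continuation line, which is easy to misread as one nested condition; the template form `<?php if ($thisstaff->getRole()->hasPerm(User::PERM_EDIT)): ?>` … `<?php endif; ?>` per link keeps each guard self-contained. Hiding the links is presentation only; `users.php` and `orgs.php` must still enforce PERM_DIRECTORY themselves, which this diff does not show.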
@@ -223,14 +223,16 @@ if($ticket->isOverdue()) $user->getId(), sprintf(_N('%d Closed Ticket', '%d Closed Tickets', $closed), $closed)); ?> <li><a href="tickets.php?a=search&uid=<?php echo $ticket->getOwnerId(); ?>"><i class="icon-double-angle-right icon-fixed-width"></i> <?php echo __('All Tickets'); ?></a></li> +<?php if ($thisstaff->getRole()->hasPerm(User::PERM_DIRECTORY)) { ?> <li><a href="users.php?id=<?php echo $user->getId(); ?>"><i class="icon-user icon-fixed-width"></i> <?php echo __('Manage User'); ?></a></li> -<?php if ($user->getOrgId()) { ?> +<?php if ($user->getOrgId()) { ?> <li><a href="orgs.php?id=<?php echo $user->getOrgId(); ?>"><i class="icon-building icon-fixed-width"></i> <?php echo __('Manage Organization'); ?></a></li> -<?php } ?> +<?php } + } ?> </ul> </div> <?php diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php index 99c52d00e..f80ae6594 100644 --- a/include/staff/tickets.inc.php +++ b/include/staff/tickets.inc.php @@ -2,7 +2,7 @@ $search = SavedSearch::create(); $tickets = TicketModel::objects(); $clear_button = false; -$date_header = $date_col = false; +$view_all_tickets = $date_header = $date_col = false; // Figure out REFRESH url — which might not be accurate after posting a // response @@ -69,6 +69,7 @@ case 'search': $form = $search->getFormFromSession('advsearch'); $form->loadState($_SESSION['advsearch']); $tickets = $search->mangleQuerySet($tickets, $form); + $view_all_tickets = $thisstaff->getRole()->hasPerm(SearchBackend::PERM_EVERYTHING); $results_type=__('Advanced Search') . '<a class="action-button" href="?clear_filter"><i class="icon-ban-circle"></i> <em>' . __('clear') . '</em></a>'; break; 
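Review bot: The closing `<?php }` followed by `} ?>` on the next line ends the inner `if ($user->getOrgId())` and the outer PERM_DIRECTORY guard with nothing saying which brace is which, and the opening `<ul>` of this list is above the hunk, so a reader cannot pair them without scrolling. Either switch both guards to `<?php if (...): ?>` / `<?php endif; ?>`, or label the braces: `<?php } // org` and `} // PERM_DIRECTORY ?>`. The `-`/`+` pair on `<?php if ($user->getOrgId()) { ?>` appears to be an indentation-only change (the whitespace is collapsed here, so that is inferred). Removing the links is presentation only; `users.php` and `orgs.php` still need their own PERM_DIRECTORY enforcement, which is outside this diff.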
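Review bot: `$view_all_tickets` is initialised to false in the first tickets.inc.php hunk and assigned only inside `case 'search':` in the second, yet the later hunk in this file replaces the direct permission test with `if (!$view_all_tickets) {` for every queue, so staff with `SearchBackend::PERM_EVERYTHING` now get the per-staff visibility constraints on all non-search views unless another `case` sets the flag outside the shown hunks. That is a visibility tightening unrelated to the commit title, and the commit message does not mention it. If it is intended, document it at the declaration, e.g. `// Only an advanced search may bypass the per-staff visibility constraints`; if not, move the assignment above the `switch` so the permission applies to every view as before. The `switch` itself starts and ends outside these hunks.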
@@ -93,7 +94,7 @@ if ($status) // Impose visibility constraints // ------------------------------------------------------------ -if (!$thisstaff->getRole()->hasPerm(SearchBackend::PERM_EVERYTHING)) { +if (!$view_all_tickets) { // -- Open and assigned to me $visibility = array( new Q(array('status__state'=>'open', 'staff_id' => $thisstaff->getId())) -- GitLab