Merge pull request #623 from protich/issue/ticket-access

Restrict access to closed tickets based on staff's access control. Reviewed-By: Jared Hancock <jared@osticket.com>

Merge pull request #623 from protich/issue/ticket-access
Restrict access to closed tickets based on staff's access control. Reviewed-By: Jared Hancock <jared@osticket.com>
2711f3c8 · Jared Hancock · 79205975 · 61eea522 · 2711f3c8 · 2711f3c8
Commit 2711f3c8 authored 11 years ago by Jared Hancock
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -106,10 +106,12 @@ class TicketsAjaxAPI extends AjaxController {
        $select = 'SELECT ticket.ticket_id';
        $from = ' FROM '.TICKET_TABLE.' ticket ';
        //Access control.
-        $where = ' WHERE ( ticket.staff_id='.db_input($thisstaff->getId());
+        $where = ' WHERE ( (ticket.staff_id='.db_input($thisstaff->getId())
+                    .' AND ticket.status="open" )';

        if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
-            $where.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
+            $where.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
+                   .' ) AND ticket.status="open")';

        if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
            $where.=' OR ticket.dept_id IN ('.implode(',', db_input($depts)).')';

--- a/include/class.ticket.php
+++ b/include/class.ticket.php
@@ -1837,11 +1837,12 @@ class Ticket {
        if(!$staff || (!is_object($staff) && !($staff=Staff::lookup($staff))) || !$staff->isStaff())
            return null;

-        $where = array('ticket.staff_id='.db_input($staff->getId()));
+        $where = array('(ticket.staff_id='.db_input($staff->getId()) .' AND ticket.status="open")');
        $where2 = '';

        if(($teams=$staff->getTeams()))
-            $where[] = 'ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
+            $where[] = ' ( ticket.team_id IN('.implode(',', db_input(array_filter($teams)))
+                        .') AND ticket.status="open")';

        if(!$staff->showAssignedOnly() && ($depts=$staff->getDepts())) //Staff with limited access just see Assigned tickets.
            $where[] = 'ticket.dept_id IN('.implode(',', db_input($depts)).') ';

--- a/include/staff/tickets.inc.php
+++ b/include/staff/tickets.inc.php
@@ -61,13 +61,15 @@ $qwhere ='';

 $depts=$thisstaff->getDepts();
 $qwhere =' WHERE ( '
-        .'  ticket.staff_id='.db_input($thisstaff->getId());
+        .'  ( ticket.staff_id='.db_input($thisstaff->getId())
+        .' AND ticket.status="open")';

 if(!$thisstaff->showAssignedOnly())
    $qwhere.=' OR ticket.dept_id IN ('.($depts?implode(',', db_input($depts)):0).')';

 if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
-    $qwhere.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).') ';
+    $qwhere.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
+            .') AND ticket.status="open")';

 $qwhere .= ' )';