Commit 2711f3c8 authored by Jared Hancock

Merge pull request #623 from protich/issue/ticket-access


Restrict access to closed tickets based on staff's access control.

Reviewed-By: Jared Hancock <jared@osticket.com>
parents 79205975 61eea522
......@@ -106,10 +106,12 @@ class TicketsAjaxAPI extends AjaxController {
$select = 'SELECT ticket.ticket_id';
$from = ' FROM '.TICKET_TABLE.' ticket ';
//Access control.
$where = ' WHERE ( ticket.staff_id='.db_input($thisstaff->getId());
$where = ' WHERE ( (ticket.staff_id='.db_input($thisstaff->getId())
.' AND ticket.status="open" )';
if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
$where.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
$where.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
.' ) AND ticket.status="open")';
if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
$where.=' OR ticket.dept_id IN ('.implode(',', db_input($depts)).')';
......
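Review bot: The same authorization rule — own and team assignments are visible only while `ticket.status="open"`, department tickets regardless of status — is now hand-written into three separate SQL fragments (this hunk, the `Ticket` class hunk and the `$qwhere` hunk below), each with its own quoting and spacing, and none of them says why the department clause is the one left unrestricted. A later edit to one copy (a new status value, a renamed column) will silently diverge from the others, which for an access filter means one listing showing tickets another hides. I would state the rule once above the `$where` build here, e.g. `// Access: own/team assignments only while open; department membership grants all statuses.`, and hoist the repeated status literal into a single named constant that all three sites use. The `$where` string is closed outside this hunk, so the final parenthesis balance cannot be confirmed from here.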
......@@ -1837,11 +1837,12 @@ class Ticket {
if(!$staff || (!is_object($staff) && !($staff=Staff::lookup($staff))) || !$staff->isStaff())
return null;
$where = array('ticket.staff_id='.db_input($staff->getId()));
$where = array('(ticket.staff_id='.db_input($staff->getId()) .' AND ticket.status="open")');
$where2 = '';
if(($teams=$staff->getTeams()))
$where[] = 'ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
$where[] = ' ( ticket.team_id IN('.implode(',', db_input(array_filter($teams)))
.') AND ticket.status="open")';
if(!$staff->showAssignedOnly() && ($depts=$staff->getDepts())) //Staff with limited access just see Assigned tickets.
$where[] = 'ticket.dept_id IN('.implode(',', db_input($depts)).') ';
......
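Review bot: The rewritten team clause on the `$where[] = ' ( ticket.team_id IN(` line still runs whenever `getTeams()` returns a non-empty array, but the value list comes from `array_filter($teams)`, so an array holding only empty ids yields `ticket.team_id IN()` — a SQL syntax error that fails the whole query instead of merely omitting team tickets. The other two hunks on this page guard the same construction with `count(array_filter($teams))`; this one should match: `if(($teams=$staff->getTeams()) && count(array_filter($teams)))`. The guard was already missing before the commit, but the line is being rewritten anyway, so this is the cheap moment to align it. The enclosing method begins before this hunk and the `$where` array is consumed after it.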
......@@ -61,13 +61,15 @@ $qwhere ='';
$depts=$thisstaff->getDepts();
$qwhere =' WHERE ( '
.' ticket.staff_id='.db_input($thisstaff->getId());
.' ( ticket.staff_id='.db_input($thisstaff->getId())
.' AND ticket.status="open")';
if(!$thisstaff->showAssignedOnly())
$qwhere.=' OR ticket.dept_id IN ('.($depts?implode(',', db_input($depts)):0).')';
if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
$qwhere.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).') ';
$qwhere.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
.') AND ticket.status="open")';
$qwhere .= ' )';
......
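Review bot: The new `( ticket.staff_id=... AND ticket.status="open")` fragment is appended to a `' WHERE ( '` opened on the previous line and closed by `$qwhere .= ' )'` ten lines later, with the `OR` alternatives concatenated in between; for an access filter that mixes `AND` and `OR`, the grouping is hard to verify by eye and easy to break when the next alternative is added. The `Ticket` class hunk on this page already collects its alternatives into a `$where` array, and the same shape here — one entry per branch, then a single `implode(' OR ', ...)` wrapped in parentheses — makes each clause's grouping explicit. This is a point of style; the SQL produced by the lines as written appears equivalent, and `$qwhere` starts as the empty string per the hunk header context.

```php
$depts=$thisstaff->getDepts();
$alts = array('(ticket.staff_id='.db_input($thisstaff->getId()).' AND ticket.status="open")');
if(!$thisstaff->showAssignedOnly())
    $alts[] = 'ticket.dept_id IN ('.($depts?implode(',', db_input($depts)):0).')';
if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
    $alts[] = '(ticket.team_id IN ('.implode(',', db_input(array_filter($teams))).') AND ticket.status="open")';
$qwhere = ' WHERE ('.implode(' OR ', $alts).')';
```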