Skip to content
Snippets Groups Projects
Commit 3a48e4f6 authored by Jared Hancock's avatar Jared Hancock
Browse files

Only ticket owners can update ticket details

parent bda2e422
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
include/client/view.inc.php
+ 3
1
View file @ 3a48e4f6
......@@ -26,7 +26,9 @@ if ($thisclient && $thisclient->isGuest()
<h1>
Ticket #<?php echo $ticket->getNumber(); ?> &nbsp;
<a href="tickets.php?id=<?php echo $ticket->getId(); ?>" title="Reload"><span class="Icon refresh">&nbsp;</span></a>
<?php if ($cfg->allowClientUpdates()) { ?>
<?php if ($cfg->allowClientUpdates()
// Only ticket owners can edit the ticket details (and other forms)
&& $thisclient->getId() == $ticket->getUserId()) { ?>
<a class="action-button" href="tickets.php?a=edit&id=<?php
echo $ticket->getId(); ?>"><i class="icon-edit"></i> Edit</a>
<?php } ?>
......
tickets.php
+ 2
1
View file @ 3a48e4f6
......@@ -40,7 +40,8 @@ if($_POST && is_object($ticket) && $ticket->getId()):
$errors=array();
switch(strtolower($_POST['a'])){
case 'edit':
if(!$ticket->checkUserAccess($thisclient)) //double check perm again!
if(!$ticket->checkUserAccess($thisclient) //double check perm again!
|| $thisclient->getId() != $ticket->getUserId())
$errors['err']='Access Denied. Possibly invalid ticket ID';
elseif (!$cfg || !$cfg->allowClientUpdates())
$errors['err']='Access Denied. Client updates are currently disabled';
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment