From 3a48e4f67b1abf790e0cbea47111d0cb75a074b5 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Fri, 23 May 2014 14:14:06 -0500
Subject: [PATCH] Only ticket owners can update ticket details

---
 include/client/view.inc.php | 4 +++-
 tickets.php                 | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/client/view.inc.php b/include/client/view.inc.php
index f326e2f29..02e72f4b0 100644
--- a/include/client/view.inc.php
+++ b/include/client/view.inc.php
@@ -26,7 +26,9 @@ if ($thisclient && $thisclient->isGuest()
             <h1>
                 Ticket #<?php echo $ticket->getNumber(); ?> &nbsp;
                 <a href="tickets.php?id=<?php echo $ticket->getId(); ?>" title="Reload"><span class="Icon refresh">&nbsp;</span></a>
-<?php if ($cfg->allowClientUpdates()) { ?>
+<?php if ($cfg->allowClientUpdates()
+        // Only ticket owners can edit the ticket details (and other forms)
+        && $thisclient->getId() == $ticket->getUserId()) { ?>
                 <a class="action-button" href="tickets.php?a=edit&id=<?php
                      echo $ticket->getId(); ?>"><i class="icon-edit"></i> Edit</a>
 <?php } ?>
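Review bot: The owner test added on the new `&&` line compares ids with loose `==`, so an int from one getter and a numeric string from the other are matched by PHP's type juggling rather than by identity; a strict comparison on normalised values is safer, `&& (int) $thisclient->getId() === (int) $ticket->getUserId()`. The same loose `!=` is used in the tickets.php hunk, where it matters more because that is the enforcing check. This template condition only hides the Edit link, so it relies on every server-side edit path applying the ownership rule; if the edit form is also rendered on a GET `a=edit` request, that path would need the same check, which this patch does not show. Since the owner rule is now written out in two files, moving it into one method on the ticket (e.g. a new `isOwner($user)`) would keep the two copies from drifting. The enclosing `if ($thisclient && ...)` block begins outside the hunk.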
diff --git a/tickets.php b/tickets.php
index 9561da31d..0d675aa88 100644
--- a/tickets.php
+++ b/tickets.php
@@ -40,7 +40,8 @@ if($_POST && is_object($ticket) && $ticket->getId()):
     $errors=array();
     switch(strtolower($_POST['a'])){
     case 'edit':
-        if(!$ticket->checkUserAccess($thisclient)) //double check perm again!
+        if(!$ticket->checkUserAccess($thisclient) //double check perm again!
+                || $thisclient->getId() != $ticket->getUserId())
             $errors['err']='Access Denied. Possibly invalid ticket ID';
         elseif (!$cfg || !$cfg->allowClientUpdates())
             $errors['err']='Access Denied. Client updates are currently disabled';
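Review bot: A client who passes `checkUserAccess()` but is not the owner now receives 'Access Denied. Possibly invalid ticket ID', a message that describes a different failure and will send a legitimate collaborator looking for a wrong id. A dedicated branch is clearer: `elseif ($thisclient->getId() != $ticket->getUserId()) $errors['err']='Access Denied. Only the ticket owner can edit ticket details';` placed after the access check and before the `allowClientUpdates()` test. The loose `!=` on the new line is the same issue raised on the view.inc.php hunk; a strict comparison on int-cast ids is preferable here since this is the enforcing check. The `switch` this `case 'edit':` belongs to starts before the hunk and continues past it.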
-- 
GitLab