From 4f4ff7a4f052b27f17fc237ae8c90b9de7d97a4f Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Tue, 4 Mar 2014 16:31:21 +0000
Subject: [PATCH] fix: Restrict access to closed tickets

When checking ticket access, only consider assignment if the ticket is
open. This is required because the staff_id field is overloaded to show who
closed the ticket.
---
 include/class.ticket.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/class.ticket.php b/include/class.ticket.php
index d31ceffe2..f1fb1f3bb 100644
--- a/include/class.ticket.php
+++ b/include/class.ticket.php
@@ -151,9 +151,24 @@ class Ticket {
         if(!is_object($staff) && !($staff=Staff::lookup($staff)))
             return false;
 
-        return ((!$staff->showAssignedOnly() && $staff->canAccessDept($this->getDeptId()))
-                 || ($this->getTeamId() && $staff->isTeamMember($this->getTeamId()))
-                 || $staff->getId()==$this->getStaffId());
+        // Staff has access to the department.
+        if (!$staff->showAssignedOnly()
+                && $staff->canAccessDept($this->getDeptId()))
+            return true;
+
+        // Only consider assignment if the ticket is open
+        if (!$this->isOpen())
+            return false;
+
+        // Check ticket access based on direct or team assignment
+        if ($staff->getId() == $this->getStaffId()
+                || ($this->getTeamId()
+                    && $staff->isTeamMember($this->getTeamId())
+        ))
+            return true;
+
+        // No access bro!
+        return false;
     }
 
     function checkUserAccess($user) {
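Review bot: The reason for the `isOpen()` gate exists only in the commit message, so the comment above `if (!$this->isOpen())` should carry it: `// staff_id is reused to record who closed the ticket, so it no longer proves assignment once the ticket is closed`. The early return also removes team-based access on closed tickets, although the message describes only `staff_id` as overloaded; if that is intended the comment should say so, otherwise the team check could sit above the gate. The identity test `$staff->getId() == $this->getStaffId()` is a loose comparison on an authorization path; assuming both return numeric ids, `(int) $staff->getId() === (int) $this->getStaffId()` avoids type juggling. The method's signature is above the hunk, so what callers pass as `$staff` is not visible here.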
-- 
GitLab