From 5ac63f347221397fd88c819c40b17b987ed591e3 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Mon, 2 Apr 2012 00:43:19 -0400
Subject: [PATCH] Add access restriction to search results

---
 include/ajax.tickets.php      | 29 ++++++++++++++++++++++++++---
 include/staff/tickets.inc.php |  2 +-
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
index f9151951c..0506d2447 100644
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -21,6 +21,7 @@ include_once(INCLUDE_DIR.'class.ticket.php');
 class TicketsAjaxAPI extends AjaxController {
    
     function search() {
+        global $thisstaff;
 
         if(!is_numeric($_REQUEST['q']))
             return self::searchByEmail();
@@ -31,7 +32,17 @@ class TicketsAjaxAPI extends AjaxController {
 
         $sql='SELECT DISTINCT ticketID, email'
             .' FROM '.TICKET_TABLE
-            .' WHERE ticketID LIKE \''.db_input($_REQUEST['q'], false).'%\''
+            .' WHERE ticketID LIKE \''.db_input($_REQUEST['q'], false).'%\'';
+              
+        $sql.=' AND ( staff_id='.db_input($thisstaff->getId());
+            
+        if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
+            $sql.=' OR team_id IN('.implode(',', array_filter($teams)).')';
+            
+        if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
+            $sql.=' OR dept_id IN ('.implode(',', $depts).')';
+
+        $sql.=' )  '
             .' ORDER BY created  LIMIT '.$limit;
 
         if(($res=db_query($sql)) && db_num_rows($res)) {
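Review bot: The team and department ids are concatenated into the IN() lists at `team_id IN('.implode(',', array_filter($teams)).')'` and `dept_id IN ('.implode(',', $depts).')'` without going through `db_input()`, unlike the staff id on the line above; even though these values come from the staff's own record, casting them keeps the query well-formed if `getTeams()`/`getDepts()` ever return non-numeric or empty entries, e.g. `implode(',', array_map('intval', array_filter($teams)))` and the same for `$depts`. The identical clause is built again in searchByEmail in the next hunk, so a single private helper on the controller returning the access clause would keep the two copies from drifting apart. The method also dereferences `$thisstaff` with no null check; if an unauthenticated request can reach this controller that is a fatal error rather than a clean denial — presumably the login check happens before dispatch, but that should be confirmed. search()'s body starts before and continues after this hunk.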
@@ -43,16 +54,28 @@ class TicketsAjaxAPI extends AjaxController {
     }
 
     function searchByEmail() {
+        global $thisstaff;
+
 
         $limit = isset($_REQUEST['limit']) ? (int) $_REQUEST['limit']:25;
         $tickets=array();
 
         $sql='SELECT email, count(ticket_id) as tickets '
             .' FROM '.TICKET_TABLE
-            .' WHERE email LIKE \'%'.db_input(strtolower($_REQUEST['q']), false).'%\' '
+            .' WHERE email LIKE \'%'.db_input(strtolower($_REQUEST['q']), false).'%\' ';
+                
+        $sql.=' AND ( staff_id='.db_input($thisstaff->getId());
+
+        if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
+            $sql.=' OR team_id IN('.implode(',', array_filter($teams)).')';
+
+        if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
+            $sql.=' OR dept_id IN ('.implode(',', $depts).')';
+        
+        $sql.=' ) '
             .' GROUP BY email '
             .' ORDER BY created  LIMIT '.$limit;
-
+            
         if(($res=db_query($sql)) && db_num_rows($res)) {
             while(list($email, $count)=db_fetch_row($res))
                 $tickets[] = array('email'=>$email, 'value'=>$email, 'info'=>"$email ($count)");
diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php
index ef7cb4d48..67d270c3f 100644
--- a/include/staff/tickets.inc.php
+++ b/include/staff/tickets.inc.php
@@ -89,7 +89,7 @@ if($staffId && ($staffId==$thisstaff->getId())) { //Staff's assigned tickets.
 }
 
 //******* Showing assigned tickets? (don't confuse it with show assigned To column). F'it it's confusing - just trust me! ***/
-if(!($cfg->showAssignedTickets() || $thisstaff->showAssignedTickets()) && strcasecmp($status,'closed'))
+if(!($cfg->showAssignedTickets() || $thisstaff->showAssignedTickets()) && strcasecmp($status,'closed') && !$search)
     $sql.=' AND (ticket.staff_id=0 OR ticket.staff_id='.db_input($thisstaff->getId()).') ';
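Review bot: Adding `&& !$search` removes the own-or-unassigned restriction whenever a search is running, so the search branch further down (outside this hunk) must apply an equivalent staff/team/department access clause; otherwise a staff member who is normally limited to their own and unassigned tickets can read any ticket in the list view simply by searching for it. If that branch does not already restrict access, the safer shape is to leave this condition as it was and let the search clauses only narrow the result set. `$search` is also used here without any assignment visible in the hunk, so its earlier definition should be confirmed to always set it (a boolean rather than a raw request value), or this line produces an undefined-variable notice and evaluates as `!null`.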
 
 //Search?? Somebody...get me some coffee 
-- 
GitLab