Commit 5ac63f34 authored by Peter Rotich's avatar Peter Rotich

Add access restriction to search results

parent 0abfe60c
...@@ -21,6 +21,7 @@ include_once(INCLUDE_DIR.'class.ticket.php'); ...@@ -21,6 +21,7 @@ include_once(INCLUDE_DIR.'class.ticket.php');
class TicketsAjaxAPI extends AjaxController { class TicketsAjaxAPI extends AjaxController {
function search() { function search() {
global $thisstaff;
if(!is_numeric($_REQUEST['q'])) if(!is_numeric($_REQUEST['q']))
return self::searchByEmail(); return self::searchByEmail();
...@@ -31,7 +32,17 @@ class TicketsAjaxAPI extends AjaxController { ...@@ -31,7 +32,17 @@ class TicketsAjaxAPI extends AjaxController {
$sql='SELECT DISTINCT ticketID, email' $sql='SELECT DISTINCT ticketID, email'
.' FROM '.TICKET_TABLE .' FROM '.TICKET_TABLE
.' WHERE ticketID LIKE \''.db_input($_REQUEST['q'], false).'%\'' .' WHERE ticketID LIKE \''.db_input($_REQUEST['q'], false).'%\'';
$sql.=' AND ( staff_id='.db_input($thisstaff->getId());
if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
$sql.=' OR team_id IN('.implode(',', array_filter($teams)).')';
if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
$sql.=' OR dept_id IN ('.implode(',', $depts).')';
$sql.=' ) '
.' ORDER BY created LIMIT '.$limit; .' ORDER BY created LIMIT '.$limit;
if(($res=db_query($sql)) && db_num_rows($res)) { if(($res=db_query($sql)) && db_num_rows($res)) {
...@@ -43,16 +54,28 @@ class TicketsAjaxAPI extends AjaxController { ...@@ -43,16 +54,28 @@ class TicketsAjaxAPI extends AjaxController {
} }
function searchByEmail() { function searchByEmail() {
global $thisstaff;
$limit = isset($_REQUEST['limit']) ? (int) $_REQUEST['limit']:25; $limit = isset($_REQUEST['limit']) ? (int) $_REQUEST['limit']:25;
$tickets=array(); $tickets=array();
$sql='SELECT email, count(ticket_id) as tickets ' $sql='SELECT email, count(ticket_id) as tickets '
.' FROM '.TICKET_TABLE .' FROM '.TICKET_TABLE
.' WHERE email LIKE \'%'.db_input(strtolower($_REQUEST['q']), false).'%\' ' .' WHERE email LIKE \'%'.db_input(strtolower($_REQUEST['q']), false).'%\' ';
$sql.=' AND ( staff_id='.db_input($thisstaff->getId());
if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
$sql.=' OR team_id IN('.implode(',', array_filter($teams)).')';
if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
$sql.=' OR dept_id IN ('.implode(',', $depts).')';
$sql.=' ) '
.' GROUP BY email ' .' GROUP BY email '
.' ORDER BY created LIMIT '.$limit; .' ORDER BY created LIMIT '.$limit;
if(($res=db_query($sql)) && db_num_rows($res)) { if(($res=db_query($sql)) && db_num_rows($res)) {
while(list($email, $count)=db_fetch_row($res)) while(list($email, $count)=db_fetch_row($res))
$tickets[] = array('email'=>$email, 'value'=>$email, 'info'=>"$email ($count)"); $tickets[] = array('email'=>$email, 'value'=>$email, 'info'=>"$email ($count)");
......
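Review bot: The new access clause interpolates `$thisstaff->getTeams()` and `$thisstaff->getDepts()` into the SQL via `implode` without passing them through `db_input()`, while the staff id on the same line is escaped; the ids come from the staff record rather than the request, so this is presumably safe today, but the dept branch also lacks the `array_filter` that the team branch has, so an empty or null entry in `$depts` would produce a malformed `IN (, 3)`. The identical block appears in `search()` (second hunk) and again in `searchByEmail()` (third hunk), so it should live in one helper that sanitizes each id and is called from both places, e.g. `$sql .= self::getAccessClause($thisstaff);`. The first hunk also dereferences `$thisstaff` right after `global $thisstaff;` with no null check; if the AJAX dispatcher does not already guarantee a logged-in staff member, the request should be rejected before the query is built rather than failing on a null object. `$limit` in `search()` is assigned outside the visible hunk.
```php
    /* Restrict a ticket query to tickets the staff member may see:
       own tickets, team tickets, and (unless assigned-only) department tickets. */
    static function getAccessClause($staff) {
        $clause = ' AND ( staff_id='.db_input($staff->getId());
        if(($teams=$staff->getTeams()) && ($teams=array_filter($teams)))
            $clause .= ' OR team_id IN ('.implode(',', array_map('intval', $teams)).')';
        if(!$staff->showAssignedOnly() && ($depts=$staff->getDepts()) && ($depts=array_filter($depts)))
            $clause .= ' OR dept_id IN ('.implode(',', array_map('intval', $depts)).')';
        return $clause.' ) ';
    }
```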
...@@ -89,7 +89,7 @@ if($staffId && ($staffId==$thisstaff->getId())) { //Staff's assigned tickets. ...@@ -89,7 +89,7 @@ if($staffId && ($staffId==$thisstaff->getId())) { //Staff's assigned tickets.
} }
//******* Showing assigned tickets? (don't confuse it with show assigned To column). F'it it's confusing - just trust me! ***/ //******* Showing assigned tickets? (don't confuse it with show assigned To column). F'it it's confusing - just trust me! ***/
if(!($cfg->showAssignedTickets() || $thisstaff->showAssignedTickets()) && strcasecmp($status,'closed')) if(!($cfg->showAssignedTickets() || $thisstaff->showAssignedTickets()) && strcasecmp($status,'closed') && !$search)
$sql.=' AND (ticket.staff_id=0 OR ticket.staff_id='.db_input($thisstaff->getId()).') '; $sql.=' AND (ticket.staff_id=0 OR ticket.staff_id='.db_input($thisstaff->getId()).') ';
//Search?? Somebody...get me some coffee //Search?? Somebody...get me some coffee
......
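Review bot: The added `&& !$search` disables the assigned-only restriction on the following line whenever a search is performed, which widens what a staff member limited to assigned tickets can see unless the search path applies an equivalent staff/team/dept restriction of its own. `$search` is assigned outside this hunk, so I cannot tell from here whether it derives from request input or whether the search SQL carries such a clause; if it does, a why-comment such as `// search results already carry their own staff/team/dept restriction` would make the intent clear, and if it does not, the filter should remain in force for searches. The enclosing block starts and ends outside the hunk.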