From 61eea522d82b699a0dada6d163f9593a3bc3e45f Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Thu, 27 Feb 2014 15:26:08 +0000
Subject: [PATCH] Restrict access to closed tickets based on staff's access
 control.

Background: osTicket allows access to assigned open tickets (both personal
and team assignments) regardless of the assigned department or group. This
is necessary to allow staff to work on tickets in an otherwise restricted
department.

When a staff member closes a ticket, they're credited (ticket.staff_id is
set to staff's id) for the purpose of showing who closed the ticket.
osTicket mistakenly allowed continued access to closed tickets even when the
staff doesn't have access to the ticket based on departmental access.
---
 include/ajax.tickets.php      | 6 ++++--
 include/class.ticket.php      | 5 +++--
 include/staff/tickets.inc.php | 6 ++++--
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
index 22af61cb3..367958792 100644
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -106,10 +106,12 @@ class TicketsAjaxAPI extends AjaxController {
         $select = 'SELECT ticket.ticket_id';
         $from = ' FROM '.TICKET_TABLE.' ticket ';
         //Access control.
-        $where = ' WHERE ( ticket.staff_id='.db_input($thisstaff->getId());
+        $where = ' WHERE ( (ticket.staff_id='.db_input($thisstaff->getId())
+                    .' AND ticket.status="open" )';
 
         if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
-            $where.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
+            $where.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
+                   .' ) AND ticket.status="open")';
 
         if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
             $where.=' OR ticket.dept_id IN ('.implode(',', db_input($depts)).')';
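Review bot: The new status predicate on the added `$where` lines is written as `ticket.status="open"`, which MySQL reads as a string literal only while the `ANSI_QUOTES` sql_mode is off; with it on, `"open"` becomes an identifier and the access query fails outright. Since the rest of this clause already routes values through `db_input()`, the status value could go the same way, e.g. `.' AND ticket.status='.db_input('open').' )'`, assuming `db_input` quotes string values; otherwise a single-quoted SQL literal (`ticket.status=\'open\'`) avoids the dependency on sql_mode. The same double-quoted literal appears in the class.ticket.php and staff/tickets.inc.php hunks of this commit, so any change should be applied to all three. The enclosing method continues past the end of this hunk.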
diff --git a/include/class.ticket.php b/include/class.ticket.php
index 3ea61d6f3..482bafbb7 100644
--- a/include/class.ticket.php
+++ b/include/class.ticket.php
@@ -1837,11 +1837,12 @@ class Ticket {
         if(!$staff || (!is_object($staff) && !($staff=Staff::lookup($staff))) || !$staff->isStaff())
             return null;
 
-        $where = array('ticket.staff_id='.db_input($staff->getId()));
+        $where = array('(ticket.staff_id='.db_input($staff->getId()) .' AND ticket.status="open")');
         $where2 = '';
 
         if(($teams=$staff->getTeams()))
-            $where[] = 'ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
+            $where[] = ' ( ticket.team_id IN('.implode(',', db_input(array_filter($teams)))
+                        .') AND ticket.status="open")';
 
         if(!$staff->showAssignedOnly() && ($depts=$staff->getDepts())) //Staff with limited access just see Assigned tickets.
             $where[] = 'ticket.dept_id IN('.implode(',', db_input($depts)).') ';
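Review bot: The authorization rule this hunk encodes — assignment (personal or team) grants access only while a ticket is open, while closed tickets are reachable through department access alone — is explained only in the commit message, so a maintainer reading the `$where` construction has no in-code reason for the extra status condition. A short comment above the first `$where` line, such as `// Assigned tickets are visible to the assignee/team only while open; closed tickets fall under department access`, would preserve that intent. It is also worth confirming against the schema that `status` holds no values other than open/closed, since the equality check excludes anything else as well. The function's signature and the remainder of its body lie outside this hunk.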
diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php
index a48f15256..ba6576c16 100644
--- a/include/staff/tickets.inc.php
+++ b/include/staff/tickets.inc.php
@@ -61,13 +61,15 @@ $qwhere ='';
 
 $depts=$thisstaff->getDepts();
 $qwhere =' WHERE ( '
-        .'  ticket.staff_id='.db_input($thisstaff->getId());
+        .'  ( ticket.staff_id='.db_input($thisstaff->getId())
+        .' AND ticket.status="open")';
 
 if(!$thisstaff->showAssignedOnly())
     $qwhere.=' OR ticket.dept_id IN ('.($depts?implode(',', db_input($depts)):0).')';
 
 if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
-    $qwhere.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).') ';
+    $qwhere.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
+            .') AND ticket.status="open")';
 
 $qwhere .= ' )';
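Review bot: This is the third hand-built copy of the same staff access predicate in the commit, and the copies already differ in detail — this file's department branch falls back to `0` when `$depts` is empty while the ajax.tickets.php hunk emits an `IN ()` with whatever `db_input($depts)` returns, and the team clause spacing differs from class.ticket.php. Duplicated authorization SQL is where future fixes tend to land in one place but not the others, so it would be safer to build the clause once (for example in a Staff or Ticket helper that returns the WHERE fragment) and have the list page, the ajax search and `Ticket` all call it. That refactor is beyond this commit's scope, but a `// keep in sync with include/ajax.tickets.php and include/class.ticket.php` comment above `$qwhere` would at least flag the coupling until then.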
 
-- 
GitLab