Implement basic security on the staff tab of the table

include/ajax.reports.php

@@ -35,6 +35,8 @@ class OverviewReportAjaxAPI extends AjaxController {
     }
 
     function getData() {
+        global $thisstaff;
+
         $start = $this->get('start', 'last month');
         $stop = $this->get('stop', 'now');
         if (substr($stop, 0, 1) == '+')
@@ -48,7 +50,8 @@ class OverviewReportAjaxAPI extends AjaxController {
                 "pk" => "dept_id",
                 "sort" => 'ORDER BY dept_name',
                 "fields" => 'T1.dept_name',
-                "headers" => array('Department')
+                "headers" => array('Department'),
+                "filter" => "1"
             ),
             "topic" => array(
                 "table" => TOPIC_TABLE,
@@ -57,16 +60,21 @@ class OverviewReportAjaxAPI extends AjaxController {
                 "fields" => "CONCAT_WS(' / ',"
                     ."(SELECT P.topic FROM ".TOPIC_TABLE." P WHERE P.topic_id = T1.topic_pid),"
                     ."T1.topic)",
-                "headers" => array('Help Topic')
+                "headers" => array('Help Topic'),
+                "filter" => "1"
             ),
-            # XXX: This will be relative to permissions based on the
-            # logged-in-staff
             "staff" => array(
                 "table" => STAFF_TABLE,
                 "pk" => 'staff_id',
                 "sort" => 'ORDER BY T1.lastname, T1.firstname',
                 "fields" => "CONCAT_WS(' ', T1.firstname, T1.lastname)",
-                "headers" => array('Staff Member')
+                "headers" => array('Staff Member'),
+                "filter" =>
+                    ($thisstaff->isAdmin())
+                        ? "1"
+                        : (($thisstaff->isManager())
+                            ? "T1.dept_id=".db_input($thisstaff->getDeptId())
+                            : "T1.staff_id=".db_input($thisstaff->getId()))
             )
         );
         $group = $this->get('group', 'dept');
@@ -82,14 +90,14 @@ class OverviewReportAjaxAPI extends AjaxController {
                 COUNT(*)-COUNT(NULLIF(A1.state, "reopened")) AS Reopened
             FROM '.$info['table'].' T1 LEFT JOIN '.TICKET_TABLE.' T2 USING ('.$info['pk'].')
                 LEFT JOIN '.TICKET_EVENT_TABLE.' A1 USING (ticket_id)
-            WHERE A1.timestamp BETWEEN '.$start.' AND '.$stop.'
+            WHERE '.$info['filter'].' AND A1.timestamp BETWEEN '.$start.' AND '.$stop.'
             GROUP BY '.$info['fields'].'
             ORDER BY '.$info['fields']),
 
             array(1, 'SELECT '.$info['fields'].',
                 FORMAT(AVG(DATEDIFF(T2.closed, T2.created)),1) AS ServiceTime
             FROM '.$info['table'].' T1 LEFT JOIN '.TICKET_TABLE.' T2 USING ('.$info['pk'].')
-            WHERE T2.closed BETWEEN '.$start.' AND '.$stop.'
+            WHERE '.$info['filter'].' AND T2.closed BETWEEN '.$start.' AND '.$stop.'
             GROUP BY '.$info['fields'].'
             ORDER BY '.$info['fields']),
 
@@ -99,7 +107,7 @@ class OverviewReportAjaxAPI extends AjaxController {
                 LEFT JOIN '.TICKET_THREAD_TABLE.' B2 ON (B2.ticket_id = T2.ticket_id
                     AND B2.thread_type="R")
                 LEFT JOIN '.TICKET_THREAD_TABLE.' B1 ON (B2.pid = B1.id)
-            WHERE B1.created BETWEEN '.$start.' AND '.$stop.'
+            WHERE '.$info['filter'].' AND B1.created BETWEEN '.$start.' AND '.$stop.'
             GROUP BY '.$info['fields'].'
             ORDER BY '.$info['fields'])
         );