From c9097ea61fb19823c8a13fffcaa3c4eb7f030332 Mon Sep 17 00:00:00 2001
From: Jared Hancock <gravydish@gmail.com>
Date: Mon, 3 Sep 2012 22:55:03 -0500
Subject: [PATCH] Implement basic security on the staff tab of the table
---
include/ajax.reports.php | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/include/ajax.reports.php b/include/ajax.reports.php
index 87ae4a22a..2333b9c92 100644
--- a/include/ajax.reports.php
+++ b/include/ajax.reports.php
@@ -35,6 +35,8 @@ class OverviewReportAjaxAPI extends AjaxController {
}
function getData() {
+ global $thisstaff;
+
$start = $this->get('start', 'last month');
$stop = $this->get('stop', 'now');
if (substr($stop, 0, 1) == '+')
@@ -48,7 +50,8 @@ class OverviewReportAjaxAPI extends AjaxController {
"pk" => "dept_id",
"sort" => 'ORDER BY dept_name',
"fields" => 'T1.dept_name',
- "headers" => array('Department')
+ "headers" => array('Department'),
+ "filter" => "1"
),
"topic" => array(
"table" => TOPIC_TABLE,
@@ -57,16 +60,21 @@ class OverviewReportAjaxAPI extends AjaxController {
"fields" => "CONCAT_WS(' / ',"
."(SELECT P.topic FROM ".TOPIC_TABLE." P WHERE P.topic_id = T1.topic_pid),"
."T1.topic)",
- "headers" => array('Help Topic')
+ "headers" => array('Help Topic'),
+ "filter" => "1"
),
- # XXX: This will be relative to permissions based on the
- # logged-in-staff
"staff" => array(
"table" => STAFF_TABLE,
"pk" => 'staff_id',
"sort" => 'ORDER BY T1.lastname, T1.firstname',
"fields" => "CONCAT_WS(' ', T1.firstname, T1.lastname)",
- "headers" => array('Staff Member')
+ "headers" => array('Staff Member'),
+ "filter" =>
+ ($thisstaff->isAdmin())
+ ? "1"
+ : (($thisstaff->isManager())
+ ? "T1.dept_id=".db_input($thisstaff->getDeptId())
+ : "T1.staff_id=".db_input($thisstaff->getId()))
)
);
$group = $this->get('group', 'dept');
@@ -82,14 +90,14 @@ class OverviewReportAjaxAPI extends AjaxController {
COUNT(*)-COUNT(NULLIF(A1.state, "reopened")) AS Reopened
FROM '.$info['table'].' T1 LEFT JOIN '.TICKET_TABLE.' T2 USING ('.$info['pk'].')
LEFT JOIN '.TICKET_EVENT_TABLE.' A1 USING (ticket_id)
- WHERE A1.timestamp BETWEEN '.$start.' AND '.$stop.'
+ WHERE '.$info['filter'].' AND A1.timestamp BETWEEN '.$start.' AND '.$stop.'
GROUP BY '.$info['fields'].'
ORDER BY '.$info['fields']),
array(1, 'SELECT '.$info['fields'].',
FORMAT(AVG(DATEDIFF(T2.closed, T2.created)),1) AS ServiceTime
FROM '.$info['table'].' T1 LEFT JOIN '.TICKET_TABLE.' T2 USING ('.$info['pk'].')
- WHERE T2.closed BETWEEN '.$start.' AND '.$stop.'
+ WHERE '.$info['filter'].' AND T2.closed BETWEEN '.$start.' AND '.$stop.'
GROUP BY '.$info['fields'].'
ORDER BY '.$info['fields']),
@@ -99,7 +107,7 @@ class OverviewReportAjaxAPI extends AjaxController {
LEFT JOIN '.TICKET_THREAD_TABLE.' B2 ON (B2.ticket_id = T2.ticket_id
AND B2.thread_type="R")
LEFT JOIN '.TICKET_THREAD_TABLE.' B1 ON (B2.pid = B1.id)
- WHERE B1.created BETWEEN '.$start.' AND '.$stop.'
+ WHERE '.$info['filter'].' AND B1.created BETWEEN '.$start.' AND '.$stop.'
GROUP BY '.$info['fields'].'
ORDER BY '.$info['fields'])
);
--
GitLab