From e6d341e134b22955e4e0fa007271a1d55a2bf1e1 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Tue, 4 Mar 2014 16:31:21 +0000
Subject: [PATCH] fix: Restrict access to closed tickets

When checking ticket access - only consider assignment IF the ticket is
open. This is required since staff_id field is overloaded to show who closed
the ticket.
---
 include/class.ticket.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/class.ticket.php b/include/class.ticket.php
index 578cbeeeb..d046a85f7 100644
--- a/include/class.ticket.php
+++ b/include/class.ticket.php
@@ -147,9 +147,24 @@ class Ticket {
         if(!is_object($staff) && !($staff=Staff::lookup($staff)))
             return false;
 
-        return ((!$staff->showAssignedOnly() && $staff->canAccessDept($this->getDeptId()))
-                 || ($this->getTeamId() && $staff->isTeamMember($this->getTeamId()))
-                 || $staff->getId()==$this->getStaffId());
+        // Staff has access to the department.
+        if (!$staff->showAssignedOnly()
+                && $staff->canAccessDept($this->getDeptId()))
+            return true;
+
+        // Only consider assignment if the ticket is open
+        if (!$this->isOpen())
+            return false;
+
+        // Check ticket access based on direct or team assignment
+        if ($staff->getId() == $this->getStaffId()
+                || ($this->getTeamId()
+                    && $staff->isTeamMember($this->getTeamId())
+        ))
+            return true;
+
+        // No access bro!
+        return false;
     }
 
     function checkClientAccess($client) {
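Review bot: The closed-ticket guard `if (!$this->isOpen()) return false;` keeps the overloaded `staff_id` from counting as an assignment only while the ticket stays closed; once a ticket is reopened, the direct-assignment test `$staff->getId() == $this->getStaffId()` would match whoever closed it unless the reopen path clears or reassigns `staff_id`, which this hunk does not show. It is worth confirming that path, and recording the reason at the guard with a comment such as `// staff_id records the closer on closed tickets, so it is not an assignment here`. The same comparison is loose (`==`); if both getters return the same type, `===` would rule out a match through type juggling when the ticket is unassigned. The method's signature is outside the hunk, so the type of `$staff` passed by callers cannot be checked from here.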
-- 
GitLab