maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

deny access to tickets not owned by current user, thx to chbi

Browse Source 
Signed-off-by: Michael Kaufmann <michael.kaufmann@aixit.com>
This commit is contained in:
Michael Kaufmann
2018-06-19 21:46:11 +02:00
parent 06ef81cc5b
commit aa881560cc
2 changed files with 273 additions and 246 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
customer_tickets.php
View File

@@ -238,7 +238,11 @@ if ($page == 'overview') {
}
} elseif ($action == 'answer' && $id != 0) {
if (isset($_POST['send']) && $_POST['send'] == 'send') {
try {
$replyticket = ticket::getInstanceOf($userinfo, -1);
} catch(Exception $e) {
standard_error($e->getMessage());
}
$replyticket->Set('subject', validate($_POST['subject'], 'subject'), true, false);
$replyticket->Set('priority', validate($_POST['priority'], 'priority'), true, false);
$replyticket->Set('message', validate(str_replace("\r\n", "\n", $_POST['message']), 'message', '/^[^\0]*$/'), true, false);
@@ -272,7 +276,11 @@ if ($page == 'overview') {
}
} else {
$ticket_replies = '';
try {
$mainticket = ticket::getInstanceOf($userinfo, (int)$id);
} catch(Exception $e) {
standard_error($e->getMessage());
}
$dt = date("d.m.Y H:i\h", $mainticket->Get('dt'));
$status = ticket::getStatusText($lng, $mainticket->Get('status'));
@@ -351,7 +359,11 @@ if ($page == 'overview') {
} elseif ($action == 'close' && $id != 0) {
if (isset($_POST['send']) && $_POST['send'] == 'send') {
$now = time();
try {
$mainticket = ticket::getInstanceOf($userinfo, (int)$id);
} catch(Exception $e) {
standard_error($e->getMessage());
}
$mainticket->Set('lastchange', $now, true, true);
$mainticket->Set('lastreplier', '0', true, true);
$mainticket->Set('status', '3', true, true);
@@ -359,7 +371,11 @@ if ($page == 'overview') {
$log->logAction(USR_ACTION, LOG_NOTICE, "closed support-ticket '" . $mainticket->Get('subject') . "'");
redirectTo($filename, array('page' => $page, 's' => $s));
} else {
try {
$mainticket = ticket::getInstanceOf($userinfo, (int)$id);
} catch(Exception $e) {
standard_error($e->getMessage());
}
ask_yesno('ticket_reallyclose', $filename, array('id' => $id, 'page' => $page, 'action' => $action), $mainticket->Get('subject'));
}
} elseif ($action == 'reopen' && $id != 0) {
@@ -377,7 +393,11 @@ if ($page == 'overview') {
}
$now = time();
try {
$mainticket = ticket::getInstanceOf($userinfo, (int)$id);
} catch(Exception $e) {
standard_error($e->getMessage());
}
$mainticket->Set('lastchange', $now, true, true);
$mainticket->Set('lastreplier', '0', true, true);
$mainticket->Set('status', '0', true, true);

317
lib/classes/ticket/class.ticket.php
View File

@@ -19,40 +19,47 @@
*
* Support Tickets - Tickets-Class
*/
class ticket {
class ticket
{
/**
* Userinfo
*
* @var array
*/
private $userinfo = array();
/**
* Ticket ID
* @var tid
*
* @var int
*/
private $tid = - 1;
/**
* Ticket Data Array
* @var t_data
*
* @var array
*/
private $t_data = array();
/**
* Ticket-Object-Array
* @var tickets
*
* @var ticket
*/
static private $tickets = array();
private static $tickets = array();
/**
* Class constructor.
*
* @param array userinfo
* @param int ticket id
* @param
* array userinfo
* @param
* int ticket id
*/
private function __construct($userinfo, $tid = - 1) {
private function __construct($userinfo, $tid = - 1)
{
$this->userinfo = $userinfo;
$this->tid = $tid;
@@ -66,21 +73,24 @@ class ticket {
/**
* Singleton ftw ;-)
*
* @param array userinfo
* @param int ticket id
* @param
* array userinfo
* @param
* int ticket id
*/
static public function getInstanceOf($_usernfo, $_tid) {
if (!isset(self::$tickets[$_tid])) {
self::$tickets[$_tid] = new ticket($_usernfo, $_tid);
static public function getInstanceOf($_usernfo, $_tid)
{
if (! isset(self::$tickets[$_tid . '-' . $_usernfo['userid']])) {
self::$tickets[$_tid . '-' . $_usernfo['userid']] = new ticket($_usernfo, $_tid);
}
return self::$tickets[$_tid];
return self::$tickets[$_tid . '-' . $_usernfo['userid']];
}
/**
* Initialize data-array
*/
private function initData() {
private function initData()
{
$this->Set('customer', 0, true, true);
$this->Set('admin', 1, true, true);
$this->Set('subject', '', true, true);
@@ -100,15 +110,32 @@ class ticket {
/**
* Read ticket data from database.
*/
private function readData() {
private function readData()
{
if (isset($this->tid) && $this->tid != - 1) {
if (isset($this->tid)
&& $this->tid != - 1
) {
if ($this->userinfo['customerid'] > 0) {
$_ticket_stmt = Database::prepare('
SELECT * FROM `' . TABLE_PANEL_TICKETS . '` WHERE `id` = :tid'
SELECT * FROM `' . TABLE_PANEL_TICKETS . '` WHERE `id` = :tid AND `customerid` = :cid');
$tdata = array(
'tid' => $this->tid,
'cid' => $this->userinfo['customerid']
);
$_ticket = Database::pexecute_first($_ticket_stmt, array('tid' => $this->tid));
} else {
$_ticket_stmt = Database::prepare('
SELECT * FROM `' . TABLE_PANEL_TICKETS . '` WHERE `id` = :tid' . ($this->userinfo['customers_see_all'] ? '' : ' AND `adminid` = :adminid'));
$tdata = array(
'tid' => $this->tid
);
if ($this->userinfo['customers_see_all'] != '1') {
$tdata['adminid'] = $this->userinfo['adminid'];
}
}
$_ticket = Database::pexecute_first($_ticket_stmt, $tdata);
if ($_ticket == false) {
throw new Exception("Invalid ticket id");
}
$this->Set('customer', $_ticket['customerid'], true, false);
$this->Set('admin', $_ticket['adminid'], true, false);
@@ -130,8 +157,8 @@ class ticket {
/**
* Insert data to database
*/
public function Insert() {
public function Insert()
{
$ins_stmt = Database::prepare("
INSERT INTO `" . TABLE_PANEL_TICKETS . "` SET
`customerid` = :customerid,
@@ -146,8 +173,7 @@ class ticket {
`status` = :status,
`lastreplier` = :lastreplier,
`by` = :by,
`answerto` = :answerto"
);
`answerto` = :answerto");
$ins_data = array(
'customerid' => $this->Get('customer'),
'adminid' => $this->Get('admin'),
@@ -171,7 +197,8 @@ class ticket {
/**
* Update data in database
*/
public function Update() {
public function Update()
{
// Update "main" ticket
$upd_stmt = Database::prepare('
@@ -180,8 +207,7 @@ class ticket {
`lastchange` = :lastchange,
`status` = :status,
`lastreplier` = :lastreplier
WHERE `id` = :tid'
);
WHERE `id` = :tid');
$upd_data = array(
'priority' => $this->Get('priority'),
'lastchange' => $this->Get('lastchange'),
@@ -196,38 +222,44 @@ class ticket {
/**
* Moves a ticket to the archive
*/
public function Archive() {
public function Archive()
{
// Update "main" ticket
$upd_stmt = Database::prepare('
UPDATE `' . TABLE_PANEL_TICKETS . '` SET `archived` = "1" WHERE `id` = :tid'
);
Database::pexecute($upd_stmt, array('tid' => $this->tid));
UPDATE `' . TABLE_PANEL_TICKETS . '` SET `archived` = "1" WHERE `id` = :tid');
Database::pexecute($upd_stmt, array(
'tid' => $this->tid
));
// Update "answers" to ticket
$upd_stmt = Database::prepare('
UPDATE `' . TABLE_PANEL_TICKETS . '` SET `archived` = "1" WHERE `answerto` = :tid'
);
Database::pexecute($upd_stmt, array('tid' => $this->tid));
UPDATE `' . TABLE_PANEL_TICKETS . '` SET `archived` = "1" WHERE `answerto` = :tid');
Database::pexecute($upd_stmt, array(
'tid' => $this->tid
));
return true;
}
/**
* Remove ticket from database
*/
public function Delete() {
public function Delete()
{
// Delete "main" ticket
$del_stmt = Database::prepare('
DELETE FROM `' . TABLE_PANEL_TICKETS . '` WHERE `id` = :tid'
);
Database::pexecute($del_stmt, array('tid' => $this->tid));
DELETE FROM `' . TABLE_PANEL_TICKETS . '` WHERE `id` = :tid');
Database::pexecute($del_stmt, array(
'tid' => $this->tid
));
// Delete "answers" to ticket"
$del_stmt = Database::prepare('
DELETE FROM `' . TABLE_PANEL_TICKETS . '` WHERE `answerto` = :tid'
);
Database::pexecute($del_stmt, array('tid' => $this->tid));
DELETE FROM `' . TABLE_PANEL_TICKETS . '` WHERE `answerto` = :tid');
Database::pexecute($del_stmt, array(
'tid' => $this->tid
));
return true;
}
@@ -243,9 +275,10 @@ class ticket {
// Get e-mail message for customer
$usr_stmt = Database::prepare('
SELECT `name`, `firstname`, `company`, `email`
FROM `' . TABLE_PANEL_CUSTOMERS . '` WHERE `customerid` = :customerid'
);
$usr = Database::pexecute_first($usr_stmt, array('customerid' => $customerid));
FROM `' . TABLE_PANEL_CUSTOMERS . '` WHERE `customerid` = :customerid');
$usr = Database::pexecute_first($usr_stmt, array(
'customerid' => $customerid
));
$replace_arr = array(
'FIRSTNAME' => $usr['firstname'],
@@ -268,8 +301,7 @@ class ticket {
SELECT `value` FROM `" . TABLE_PANEL_TEMPLATES . "`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`= 'mails' AND `varname`= :tplsubject"
);
AND `templategroup`= 'mails' AND `varname`= :tplsubject");
$result = Database::pexecute_first($result_stmt, $tpl_seldata);
$mail_subject = html_entity_decode(replace_variables((($result['value'] != '') ? $result['value'] : $default_subject), $replace_arr));
@@ -280,8 +312,7 @@ class ticket {
SELECT `value` FROM `" . TABLE_PANEL_TEMPLATES . "`
WHERE `adminid`= :adminid
AND `language`= :lang
AND `templategroup`= 'mails' AND `varname`= :tplmailbody"
);
AND `templategroup`= 'mails' AND `varname`= :tplmailbody");
$result = Database::pexecute_first($result_stmt, $tpl_seldata);
$mail_body = html_entity_decode(replace_variables((($result['value'] != '') ? $result['value'] : $default_body), $replace_arr));
@@ -303,19 +334,21 @@ class ticket {
}
if ($_mailerror) {
$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'ticket_class'));
$rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'ticket_class'
));
$rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
standard_error('errorsendingmail', $usr['email']);
}
$mail->ClearAddresses();
} else {
$admin_stmt = Database::prepare("
SELECT `name`, `email` FROM `" . TABLE_PANEL_ADMINS . "`
WHERE `adminid` = :adminid"
);
$admin = Database::pexecute_first($admin_stmt, array('adminid' => $this->userinfo['adminid']));
WHERE `adminid` = :adminid");
$admin = Database::pexecute_first($admin_stmt, array(
'adminid' => $this->userinfo['adminid']
));
$_mailerror = false;
try {
$mail->SetFrom(Settings::Get('ticket.noreply_email'), Settings::Get('ticket.noreply_name'));
@@ -333,7 +366,9 @@ class ticket {
}
if ($_mailerror) {
$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'ticket_class'));
$rstlog = FroxlorLogger::getInstanceOf(array(
'loginname' => 'ticket_class'
));
$rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
standard_error('errorsendingmail', $admin['email']);
}
@@ -345,11 +380,9 @@ class ticket {
/**
* Add a support-categories
*/
static public function addCategory($_category = null, $_admin = 1, $_order = 1) {
if ($_category != null
&& $_category != ''
) {
static public function addCategory($_category = null, $_admin = 1, $_order = 1)
{
if ($_category != null && $_category != '') {
if ($_order < 1) {
$_order = 1;
}
@@ -358,8 +391,7 @@ class ticket {
INSERT INTO `" . TABLE_PANEL_TICKET_CATS . "` SET
`name` = :name,
`adminid` = :adminid,
`logicalorder` = :lo"
);
`logicalorder` = :lo");
$ins_data = array(
'name' => $_category,
'adminid' => $_admin,
@@ -374,12 +406,9 @@ class ticket {
/**
* Edit a support-categories
*/
static public function editCategory($_category = null, $_id = 0, $_order = 1) {
if ($_category != null
&& $_category != ''
&& $_id != 0
) {
static public function editCategory($_category = null, $_id = 0, $_order = 1)
{
if ($_category != null && $_category != '' && $_id != 0) {
if ($_order < 1) {
$_order = 1;
}
@@ -390,7 +419,11 @@ class ticket {
`logicalorder` = :lo
WHERE `id` = :id
");
Database::pexecute($upd_stmt, array('name' => $_category, 'lo' => $_order, 'id' => $_id));
Database::pexecute($upd_stmt, array(
'name' => $_category,
'lo' => $_order,
'id' => $_id
));
return true;
}
return false;
@@ -399,21 +432,23 @@ class ticket {
/**
* Delete a support-categories
*/
static public function deleteCategory($_id = 0) {
static public function deleteCategory($_id = 0)
{
if ($_id != 0) {
$result_stmt = Database::prepare("
SELECT COUNT(`id`) as `numtickets` FROM `" . TABLE_PANEL_TICKETS . "`
WHERE `category` = :cat"
);
$result = Database::pexecute_first($result_stmt, array('cat' => $_id));
WHERE `category` = :cat");
$result = Database::pexecute_first($result_stmt, array(
'cat' => $_id
));
if ($result['numtickets'] == "0") {
$del_stmt = Database::prepare("
DELETE FROM `" . TABLE_PANEL_TICKET_CATS . "` WHERE `id` = :id"
);
Database::pexecute($del_stmt, array('id' => $_id));
DELETE FROM `" . TABLE_PANEL_TICKET_CATS . "` WHERE `id` = :id");
Database::pexecute($del_stmt, array(
'id' => $_id
));
return true;
} else {
return false;
@@ -426,13 +461,14 @@ class ticket {
/**
* Return a support-category-name
*/
static public function getCategoryName($_id = 0) {
static public function getCategoryName($_id = 0)
{
if ($_id != 0) {
$stmt = Database::prepare("
SELECT `name` FROM `" . TABLE_PANEL_TICKET_CATS . "` WHERE `id` = :id"
);
$category = Database::pexecute_first($stmt, array('id' => $_id));
SELECT `name` FROM `" . TABLE_PANEL_TICKET_CATS . "` WHERE `id` = :id");
$category = Database::pexecute_first($stmt, array(
'id' => $_id
));
return $category['name'];
}
return null;
@@ -441,12 +477,13 @@ class ticket {
/**
* get the highest order number
*
* @param object $_uid admin-id (optional)
* @param object $_uid
* admin-id (optional)
*
* @return int highest order number
*/
static public function getHighestOrderNumber($_uid = 0) {
static public function getHighestOrderNumber($_uid = 0)
{
$where = '';
$sel_data = array();
if ($_uid > 0) {
@@ -462,8 +499,8 @@ class ticket {
/**
* returns the last x archived tickets
*/
static public function getLastArchived($_num = 10, $_admin = 1) {
static public function getLastArchived($_num = 10, $_admin = 1)
{
if ($_num > 0) {
$archived = array();
@@ -477,9 +514,10 @@ class ticket {
FROM `" . TABLE_PANEL_TICKETS . "` `main`
WHERE `main`.`answerto` = '0' AND `main`.`archived` = '1'
AND `main`.`adminid` = :adminid
ORDER BY `main`.`lastchange` DESC LIMIT 0, ".(int)$_num
);
Database::pexecute($result_stmt, array('adminid' => $_admin));
ORDER BY `main`.`lastchange` DESC LIMIT 0, " . (int) $_num);
Database::pexecute($result_stmt, array(
'adminid' => $_admin
));
while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
@@ -523,86 +561,56 @@ class ticket {
WHERE `sub`.`answerto` = `main`.`id`
) as `ticket_answers`
FROM `" . TABLE_PANEL_TICKETS . "` `main`
WHERE `main`.`archived` = '1' AND `main`.`adminid` = :admin"
;
WHERE `main`.`archived` = '1' AND `main`.`adminid` = :admin";
$search_params['admin'] = $admin;
if ($subject != NULL
&& $subject != ''
) {
if ($subject != NULL && $subject != '') {
$query .= " AND `main`.`subject` LIKE :subject";
$search_params['subject'] = "%" . $subject . "%";
}
if ($priority != null
&& isset($priority[0])
&& $priority[0] != ''
) {
if ($priority != null && isset($priority[0]) && $priority[0] != '') {
if (isset($priority[1])
&& $priority[1] != ''
) {
if (isset($priority[1]) && $priority[1] != '') {
if (isset($priority[2])
&& $priority[2] != ''
) {
if (isset($priority[2]) && $priority[2] != '') {
$query .= " AND (`main`.`priority` = '1' OR `main`.`priority` = '2' OR `main`.`priority` = '3')";
} else {
$query .= " AND (`main`.`priority` = '1' OR `main`.`priority` = '1')";
}
} elseif (isset($priority[2])
&& $priority[2] != ''
) {
} elseif (isset($priority[2]) && $priority[2] != '') {
$query .= " AND (`main`.`priority` = '1' OR `main`.`priority` = '3')";
} else {
$query .= " AND `main`.`priority` = '1'";
}
} elseif($priority != null
&& isset($priority[1])
&& $priority[1] != ''
) {
if (isset($priority[2])
&& $priority[2] != ''
) {
} elseif ($priority != null && isset($priority[1]) && $priority[1] != '') {
if (isset($priority[2]) && $priority[2] != '') {
$query .= " AND (`main`.`priority` = '2' OR `main`.`priority` = '3')";
} else {
$query .= " AND `main`.`priority` = '2'";
}
} elseif ($priority != null) {
if (isset($priority[3])
&& $priority[3] != ''
) {
if (isset($priority[3]) && $priority[3] != '') {
$query .= " AND `main`.`priority` = '3'";
}
}
if ($fromdate != null
&& $fromdate > 0
) {
if ($fromdate != null && $fromdate > 0) {
$query .= " AND `main`.`lastchange` > :fromdate";
$search_params['fromdate'] = strtotime($fromdate);
}
if ($todate != null
&& $todate > 0
) {
if ($todate != null && $todate > 0) {
$query .= " AND `main`.`lastchange` < :todate";
$search_params['todate'] = strtotime($todate);
}
if ($message != null
&& $message != ''
) {
if ($message != null && $message != '') {
$query .= " AND `main`.`message` LIKE :message";
$search_params['message'] = "%" . $message . "%";
}
@@ -638,7 +646,10 @@ class ticket {
}
}
return array('0' => $query, '1' => $search_params);
return array(
'0' => $query,
'1' => $search_params
);
}
/**
@@ -646,8 +657,7 @@ class ticket {
*/
static public function getStatusText($_lng, $_status = 0)
{
switch($_status)
{
switch ($_status) {
case 0:
return $_lng['ticket']['open'];
break;
@@ -668,8 +678,7 @@ class ticket {
*/
static public function getPriorityText($_lng, $_priority = 0)
{
switch($_priority)
{
switch ($_priority) {
case 1:
return $_lng['ticket']['high'];
break;
@@ -706,17 +715,19 @@ class ticket {
/**
* function customerHasTickets
*
* @param int customer-id
* @param
* int customer-id
*
* @return array/bool array of ticket-ids if customer has any, else false
*/
static public function customerHasTickets($_cid = 0) {
static public function customerHasTickets($_cid = 0)
{
if ($_cid != 0) {
$result_stmt = Database::prepare("
SELECT `id` FROM `" . TABLE_PANEL_TICKETS . "` WHERE `customerid` = :cid"
);
Database::pexecute($result_stmt, array('cid' => $_cid));
SELECT `id` FROM `" . TABLE_PANEL_TICKETS . "` WHERE `customerid` = :cid");
Database::pexecute($result_stmt, array(
'cid' => $_cid
));
$tickets = array();
while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
@@ -732,8 +743,8 @@ class ticket {
/**
* Get a data-var
*/
public function Get($_var = '', $_vartrusted = false) {
public function Get($_var = '', $_vartrusted = false)
{
if ($_var != '') {
if (! $_vartrusted) {
$_var = htmlspecialchars($_var);
@@ -758,11 +769,9 @@ class ticket {
/**
* Set a data-var
*/
public function Set($_var = '', $_value = '', $_vartrusted = false, $_valuetrusted = false) {
if ($_var != ''
&& $_value != ''
) {
public function Set($_var = '', $_value = '', $_vartrusted = false, $_valuetrusted = false)
{
if ($_var != '' && $_value != '') {
if (! $_vartrusted) {
$_var = strip_tags($_var);
}
@@ -771,9 +780,7 @@ class ticket {
$_value = strip_tags($_value, '<br />');
}
if (strtolower($_var) == 'message'
|| strtolower($_var) == 'subject'
) {
if (strtolower($_var) == 'message' || strtolower($_var) == 'subject') {
$_value = $this->convertLatin1ToHtml($_value);
}