From d589b77ae043d175e7802e5545d85e38f26b7e8d Mon Sep 17 00:00:00 2001 From: "Andreas Burchert (scarya)" Date: Wed, 8 Feb 2012 17:54:25 +0100 Subject: [PATCH] Fixed that every support ticket could be accessed by every customer and admin, fixes #1037 Signed-off-by: Andreas Burchert (scarya) --- admin_tickets.php | 15 ++++++++++++++- customer_tickets.php | 11 +++++++++++ lng/english.lng.php | 1 + lng/german.lng.php | 1 + 4 files changed, 27 insertions(+), 1 deletion(-) diff --git a/admin_tickets.php b/admin_tickets.php index 88a83cb4..11bfa0b7 100644 --- a/admin_tickets.php +++ b/admin_tickets.php @@ -32,6 +32,19 @@ if(isset($_POST['id'])) elseif(isset($_GET['id'])) { $id = intval($_GET['id']); + + if (!$userinfo['customers_see_all']) { + /* + * Check if the current user is allowed to see the current ticket. + */ + $sql = "SELECT `id` FROM `panel_tickets` WHERE `id` = '".$id."' AND `adminid` = '".$userinfo['admindid']."'"; + + $result = $db->query_first($sql); + if ($result == null) { + // no rights to see the requested ticket + standard_error(array('ticketnotaccessible')); + } + } } if($page == 'tickets' @@ -681,7 +694,7 @@ elseif($page == 'archive' break; case 3: $ticket['display'] = 'low'; break; - default: $ticket['display'] = 'unknown'; + default: $ticket['display'] = 'unknown'; } $ticket['priority'] = ticket::getPriorityText($lng, $ticket['priority']); diff --git a/customer_tickets.php b/customer_tickets.php index 45e293eb..f7ad0e8a 100644 --- a/customer_tickets.php +++ b/customer_tickets.php 
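Review bot: The added guard in admin_tickets.php compares the `adminid` column against `$userinfo['admindid']`, which looks like a typo for `adminid` (the key the query's own column name suggests); as written the lookup would match no row for any admin without `customers_see_all`, so every ticket is rejected instead of being authorised, and the bug is masked because the failure mode is a denial rather than a leak. The check is also placed only inside the `elseif(isset($_GET['id']))` branch, while the `if(isset($_POST['id']))` branch above the hunk (and, in the customer_tickets.php hunk, the `elseif(isset($_GET['id']))` branch that follows the added block) obtains `$id` without it in this patch; moving the ownership query after the whole if/elseif, guarded by `if (isset($id) && !$userinfo['customers_see_all'])`, would cover both request sources with one block. Both guards depend on `standard_error()` terminating the request, which is not visible here. The `$result == null` test would be clearer as a strict comparison against whatever `query_first()` returns for no row, since a loose `== null` also accepts `false`, `0` and `''`.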
@@ -28,6 +28,17 @@ require ("./lib/init.php");
 if(isset($_POST['id']))
 {
 $id = intval($_POST['id']);
+
+ /*
+ * Check if the current user is allowed to see the current ticket.
+ */
+ $sql = "SELECT `id` FROM `panel_tickets` WHERE `id` = '".$id."' AND `customerid` = '".$userinfo['customerid']."'";
+
+ $result = $db->query_first($sql);
+ if ($result == null) {
+ // no rights to see the requested ticket
+ standard_error(array('ticketnotaccessible'));
+ }
 }
 elseif(isset($_GET['id']))
 {
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 77985e29..08bff569 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -235,6 +235,7 @@ $lng['error']['destinationalreadyexistasmail'] = 'The forwarder to %s already ex
 $lng['error']['destinationalreadyexist'] = 'You have already defined a forwarder to %s .';
 $lng['error']['destinationiswrong'] = 'The forwarder %s contains invalid character(s) or is incomplete.';
 $lng['error']['domainname'] = $lng['domains']['domainname'];
+$lng['error']['ticketnotaccessible'] = 'You cannot access this ticket.';
 
 /**
  * Questions
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 35a02147..a922351b 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -235,6 +235,7 @@ $lng['error']['destinationalreadyexistasmail'] = 'Die Weiterleitung zu %s exisit
 $lng['error']['destinationalreadyexist'] = 'Es gibt bereits eine Weiterleitung nach %s .';
 $lng['error']['destinationiswrong'] = 'Die Weiterleitungsadresse-Adresse %s enthält ungültige Zeichen oder ist nicht vollständig.';
 $lng['error']['domainname'] = $lng['domains']['domainname'];
+$lng['error']['ticketnotaccessible'] = 'Sie können sich das Ticket nicht ansehen.';
 
 /**
  * Questions