maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

Fixed that every support ticket could be accessed by every customer and admin, fixes #1037

Browse Source 
Signed-off-by: Andreas Burchert (scarya) <scarya@froxlor.org>
This commit is contained in:
Andreas Burchert (scarya)
2012-02-08 17:54:25 +01:00
parent ac74e7e6a7
commit d589b77ae0
4 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
admin_tickets.php
View File

@@ -32,6 +32,19 @@ if(isset($_POST['id']))
elseif(isset($_GET['id'])) elseif(isset($_GET['id']))
{ {
$id = intval($_GET['id']); $id = intval($_GET['id']);
if (!$userinfo['customers_see_all']) {
/*
* Check if the current user is allowed to see the current ticket.
*/
$sql = "SELECT `id` FROM `panel_tickets` WHERE `id` = '".$id."' AND `adminid` = '".$userinfo['admindid']."'";
$result = $db->query_first($sql);
if ($result == null) {
// no rights to see the requested ticket
standard_error(array('ticketnotaccessible'));
}
}
} }
if($page == 'tickets' if($page == 'tickets'
@@ -681,7 +694,7 @@ elseif($page == 'archive'
break; break;
case 3: $ticket['display'] = 'low'; case 3: $ticket['display'] = 'low';
break; break;
default: $ticket['display'] = 'unknown'; default: $ticket['display'] = 'unknown';
} }
$ticket['priority'] = ticket::getPriorityText($lng, $ticket['priority']); $ticket['priority'] = ticket::getPriorityText($lng, $ticket['priority']);

11
customer_tickets.php
View File

@@ -28,6 +28,17 @@ require ("./lib/init.php");
if(isset($_POST['id'])) if(isset($_POST['id']))
{ {
$id = intval($_POST['id']); $id = intval($_POST['id']);
/*
* Check if the current user is allowed to see the current ticket.
*/
$sql = "SELECT `id` FROM `panel_tickets` WHERE `id` = '".$id."' AND `customerid` = '".$userinfo['customerid']."'";
$result = $db->query_first($sql);
if ($result == null) {
// no rights to see the requested ticket
standard_error(array('ticketnotaccessible'));
}
} }
elseif(isset($_GET['id'])) elseif(isset($_GET['id']))
{ {

1
lng/english.lng.php
View File

@@ -235,6 +235,7 @@ $lng['error']['destinationalreadyexistasmail'] = 'The forwarder to %s already ex
$lng['error']['destinationalreadyexist'] = 'You have already defined a forwarder to %s .'; $lng['error']['destinationalreadyexist'] = 'You have already defined a forwarder to %s .';
$lng['error']['destinationiswrong'] = 'The forwarder %s contains invalid character(s) or is incomplete.'; $lng['error']['destinationiswrong'] = 'The forwarder %s contains invalid character(s) or is incomplete.';
$lng['error']['domainname'] = $lng['domains']['domainname']; $lng['error']['domainname'] = $lng['domains']['domainname'];
$lng['error']['ticketnotaccessible'] = 'You cannot access this ticket.';
/** /**
* Questions * Questions

1
lng/german.lng.php
View File

@@ -235,6 +235,7 @@ $lng['error']['destinationalreadyexistasmail'] = 'Die Weiterleitung zu %s exisit
$lng['error']['destinationalreadyexist'] = 'Es gibt bereits eine Weiterleitung nach %s .'; $lng['error']['destinationalreadyexist'] = 'Es gibt bereits eine Weiterleitung nach %s .';
$lng['error']['destinationiswrong'] = 'Die Weiterleitungsadresse-Adresse %s enth&auml;lt ung&uuml;ltige Zeichen oder ist nicht vollst&auml;ndig.'; $lng['error']['destinationiswrong'] = 'Die Weiterleitungsadresse-Adresse %s enth&auml;lt ung&uuml;ltige Zeichen oder ist nicht vollst&auml;ndig.';
$lng['error']['domainname'] = $lng['domains']['domainname']; $lng['error']['domainname'] = $lng['domains']['domainname'];
$lng['error']['ticketnotaccessible'] = 'Sie k&ouml;nnen sich das Ticket nicht ansehen.';
/** /**
* Questions * Questions