mirror of https://github.com/itflow-org/itflow
Fix a bug that allows technicians to view tickets they shouldn't have access to
This commit is contained in:
parent
2202f31a61
commit
573e2340df
18
ticket.php
18
ticket.php
|
|
@ -8,6 +8,12 @@ $purifier_config = HTMLPurifier_Config::createDefault();
|
|||
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
|
||||
$purifier = new HTMLPurifier($purifier_config);
|
||||
|
||||
// Ticket client access snippet
|
||||
$ticket_permission_snippet = '';
|
||||
if (!empty($client_access_string)) {
|
||||
$ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)";
|
||||
}
|
||||
|
||||
if (isset($_GET['ticket_id'])) {
|
||||
$ticket_id = intval($_GET['ticket_id']);
|
||||
|
||||
|
|
@ -25,7 +31,9 @@ if (isset($_GET['ticket_id'])) {
|
|||
LEFT JOIN invoices ON ticket_invoice_id = invoice_id
|
||||
LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id
|
||||
LEFT JOIN categories ON ticket_category = category_id
|
||||
WHERE ticket_id = $ticket_id LIMIT 1"
|
||||
WHERE ticket_id = $ticket_id
|
||||
$ticket_permission_snippet
|
||||
LIMIT 1"
|
||||
);
|
||||
|
||||
if (mysqli_num_rows($sql) == 0) {
|
||||
|
|
@ -532,10 +540,14 @@ if (isset($_GET['ticket_id'])) {
|
|||
<i class="fas fa-fw fa-layer-group mr-2 text-secondary"></i><?php echo $ticket_category_display; ?>
|
||||
</div>
|
||||
<?php } ?>
|
||||
|
||||
<div class="mt-2">
|
||||
<span class="text-info" id="ticket_collision_viewing"></span>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
</div>
|
||||
<span class="text-info ml-5" id="ticket_collision_viewing"></span>
|
||||
<br>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
|
|
|
|||
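Review bot: The new restriction is fail-open: `$ticket_permission_snippet` only becomes `AND ticket_client_id IN (...)` when `$client_access_string` is non-empty, so a technician whose access list resolves to an empty string (rather than to an explicit "no clients" value) gets the unrestricted `WHERE ticket_id = $ticket_id LIMIT 1` of the second hunk and can still open any ticket. If an empty string is intended to mean "unrestricted access", that contract lives where `$client_access_string` is built (outside this diff) and should be stated here, e.g. `// Empty $client_access_string = unrestricted; code that builds it must never emit '' for an empty client list`. `$client_access_string` is also interpolated into the SQL unescaped; it is presumably a comma-separated list of integer IDs, which is only safe if the producer guarantees that shape rather than this consumer assuming it. The `mysqli_num_rows($sql) == 0` branch now handles both "does not exist" and "not permitted" identically, which is reasonable (no existence leak) but worth a one-line comment so nobody later "fixes" it into a distinct 403 message.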
16
tickets.php
16
tickets.php
|
|
@ -7,7 +7,6 @@ $order = "DESC";
|
|||
|
||||
require_once "inc_all.php";
|
||||
|
||||
|
||||
// Ticket status from GET
|
||||
if (isset($_GET['status']) && is_array($_GET['status']) && !empty($_GET['status'])) {
|
||||
// Sanitize each element of the status array
|
||||
|
|
@ -50,6 +49,12 @@ if (isset($_GET['assigned']) & !empty($_GET['assigned'])) {
|
|||
//Rebuild URL
|
||||
$url_query_strings_sort = http_build_query(array_merge($_GET, array('sort' => $sort, 'order' => $order, 'status' => $status, 'assigned' => $ticket_assigned_filter_id)));
|
||||
|
||||
// Ticket client access snippet
|
||||
$ticket_permission_snippet = '';
|
||||
if (!empty($client_access_string)) {
|
||||
$ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)";
|
||||
}
|
||||
|
||||
// Main ticket query:
|
||||
$sql = mysqli_query(
|
||||
$mysqli,
|
||||
|
|
@ -64,28 +69,29 @@ $sql = mysqli_query(
|
|||
WHERE $ticket_status_snippet " . $ticket_assigned_query . "
|
||||
AND DATE(ticket_created_at) BETWEEN '$dtf' AND '$dtt'
|
||||
AND (CONCAT(ticket_prefix,ticket_number) LIKE '%$q%' OR client_name LIKE '%$q%' OR ticket_subject LIKE '%$q%' OR ticket_status_name LIKE '%$q%' OR ticket_priority LIKE '%$q%' OR user_name LIKE '%$q%' OR contact_name LIKE '%$q%' OR asset_name LIKE '%$q%' OR vendor_name LIKE '%$q%' OR ticket_vendor_ticket_number LIKE '%q%')
|
||||
$ticket_permission_snippet
|
||||
ORDER BY $sort $order LIMIT $record_from, $record_to"
|
||||
);
|
||||
|
||||
$num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
|
||||
//Get Total tickets open
|
||||
$sql_total_tickets_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_open FROM tickets WHERE ticket_resolved_at IS NULL");
|
||||
$sql_total_tickets_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_open FROM tickets WHERE ticket_resolved_at IS NULL $ticket_permission_snippet");
|
||||
$row = mysqli_fetch_array($sql_total_tickets_open);
|
||||
$total_tickets_open = intval($row['total_tickets_open']);
|
||||
|
||||
//Get Total tickets closed
|
||||
$sql_total_tickets_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_closed FROM tickets WHERE ticket_resolved_at IS NOT NULL");
|
||||
$sql_total_tickets_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_closed FROM tickets WHERE ticket_resolved_at IS NOT NULL $ticket_permission_snippet");
|
||||
$row = mysqli_fetch_array($sql_total_tickets_closed);
|
||||
$total_tickets_closed = intval($row['total_tickets_closed']);
|
||||
|
||||
//Get Unassigned tickets
|
||||
$sql_total_tickets_unassigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_unassigned FROM tickets WHERE ticket_assigned_to = '0' AND ticket_resolved_at IS NULL");
|
||||
$sql_total_tickets_unassigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_unassigned FROM tickets WHERE ticket_assigned_to = '0' AND ticket_resolved_at IS NULL $ticket_permission_snippet");
|
||||
$row = mysqli_fetch_array($sql_total_tickets_unassigned);
|
||||
$total_tickets_unassigned = intval($row['total_tickets_unassigned']);
|
||||
|
||||
//Get Total tickets assigned to me
|
||||
$sql_total_tickets_assigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_assigned FROM tickets WHERE ticket_assigned_to = $session_user_id AND ticket_resolved_at IS NULL");
|
||||
$sql_total_tickets_assigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_assigned FROM tickets WHERE ticket_assigned_to = $session_user_id AND ticket_resolved_at IS NULL $ticket_permission_snippet");
|
||||
$row = mysqli_fetch_array($sql_total_tickets_assigned);
|
||||
$user_active_assigned_tickets = intval($row['total_tickets_assigned']);
|
||||
|
||||
|
|
|
|||
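Review bot: The permission snippet in the second hunk has the same fail-open shape as the one in ticket.php (an empty `$client_access_string` yields no filter at all), and it is duplicated verbatim across both files, which the five separate `$ticket_permission_snippet` insertions in the third hunk show is easy to get wrong once per query; building it once next to `$client_access_string` in the shared include and only consuming it here would keep the two in step. The third hunk also carries a pre-existing bug on the search line: the last predicate is `ticket_vendor_ticket_number LIKE '%q%'` (missing `$`), so it matches the literal letter q instead of the search term and should read `ticket_vendor_ticket_number LIKE '%$q%'`. The hunk header context for `$_GET['assigned']` uses bitwise `&` between `isset(...)` and `!empty(...)`; it works only because both operands are bool and should be `&&`. The enclosing `$sql = mysqli_query(` statement in the third hunk starts before the hunk.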