From 573e2340dfb735629d835d1ab98bf00ade2a55ab Mon Sep 17 00:00:00 2001 From: wrongecho Date: Sun, 25 Aug 2024 15:32:40 +0100 Subject: [PATCH] Fix a bug that allows technicians to view tickets they shouldn't have access to --- ticket.php | 18 +++++++++++++++--- tickets.php | 16 +++++++++++----- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/ticket.php b/ticket.php index 7ed140ec..b4b1502e 100644 --- a/ticket.php +++ b/ticket.php @@ -8,6 +8,12 @@ $purifier_config = HTMLPurifier_Config::createDefault(); $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); $purifier = new HTMLPurifier($purifier_config); +// Ticket client access snippet +$ticket_permission_snippet = ''; +if (!empty($client_access_string)) { + $ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)"; +} + if (isset($_GET['ticket_id'])) { $ticket_id = intval($_GET['ticket_id']); @@ -25,7 +31,9 @@ if (isset($_GET['ticket_id'])) { LEFT JOIN invoices ON ticket_invoice_id = invoice_id LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id LEFT JOIN categories ON ticket_category = category_id - WHERE ticket_id = $ticket_id LIMIT 1" + WHERE ticket_id = $ticket_id + $ticket_permission_snippet + LIMIT 1" ); if (mysqli_num_rows($sql) == 0) { @@ -532,10 +540,14 @@ if (isset($_GET['ticket_id'])) { + +
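Review bot: The new guard `if (!empty($client_access_string))` fails open: when `$client_access_string` is an empty string the snippet stays `''` and the ticket query in the next hunk is not restricted at all, so a technician whose client list resolves to nothing would see every ticket. If an empty string is deliberately the "unrestricted" sentinel (probably for admins, but it is built outside this hunk), say so at the definition, e.g. `// Empty access string = unrestricted (admin); otherwise a comma-separated list of client IDs built server-side from the session`. Otherwise make the no-clients case explicit, e.g. an `else` branch setting `$ticket_permission_snippet = "AND 1 = 0";` so a user with zero clients matches zero tickets. Because the snippet is interpolated straight into SQL, whatever builds `$client_access_string` must guarantee it is a list of integers it produced itself and never request-derived.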
+ +
- + - +
diff --git a/tickets.php b/tickets.php index 4cca4833..f6a76f1b 100644 --- a/tickets.php +++ b/tickets.php @@ -7,7 +7,6 @@ $order = "DESC"; require_once "inc_all.php"; - // Ticket status from GET if (isset($_GET['status']) && is_array($_GET['status']) && !empty($_GET['status'])) { // Sanitize each element of the status array @@ -50,6 +49,12 @@ if (isset($_GET['assigned']) & !empty($_GET['assigned'])) { //Rebuild URL $url_query_strings_sort = http_build_query(array_merge($_GET, array('sort' => $sort, 'order' => $order, 'status' => $status, 'assigned' => $ticket_assigned_filter_id))); +// Ticket client access snippet +$ticket_permission_snippet = ''; +if (!empty($client_access_string)) { + $ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)"; +} + // Main ticket query: $sql = mysqli_query( $mysqli, 
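Review bot: The `$ticket_permission_snippet` block added here is a byte-for-byte copy of the one added to ticket.php, so any future change to the access rule (for example closing the case where an empty `$client_access_string` produces no `AND ticket_client_id IN (...)` restriction) has to be made in two places and will drift. Since this file already does `require_once "inc_all.php"` (visible in the first hunk), building the snippet once there, next to wherever `$client_access_string` itself is assembled, would keep the rule in a single location. A one-line comment at that definition, `// Empty = unrestricted; otherwise comma-separated client IDs from the session, never from the request`, would document the sentinel that both files now depend on.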
@@ -64,28 +69,29 @@ $sql = mysqli_query( WHERE $ticket_status_snippet " . $ticket_assigned_query . " AND DATE(ticket_created_at) BETWEEN '$dtf' AND '$dtt' AND (CONCAT(ticket_prefix,ticket_number) LIKE '%$q%' OR client_name LIKE '%$q%' OR ticket_subject LIKE '%$q%' OR ticket_status_name LIKE '%$q%' OR ticket_priority LIKE '%$q%' OR user_name LIKE '%$q%' OR contact_name LIKE '%$q%' OR asset_name LIKE '%$q%' OR vendor_name LIKE '%$q%' OR ticket_vendor_ticket_number LIKE '%q%') + $ticket_permission_snippet ORDER BY $sort $order LIMIT $record_from, $record_to" ); $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); //Get Total tickets open -$sql_total_tickets_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_open FROM tickets WHERE ticket_resolved_at IS NULL"); +$sql_total_tickets_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_open FROM tickets WHERE ticket_resolved_at IS NULL $ticket_permission_snippet"); $row = mysqli_fetch_array($sql_total_tickets_open); $total_tickets_open = intval($row['total_tickets_open']); //Get Total tickets closed -$sql_total_tickets_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_closed FROM tickets WHERE ticket_resolved_at IS NOT NULL"); +$sql_total_tickets_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_closed FROM tickets WHERE ticket_resolved_at IS NOT NULL $ticket_permission_snippet"); $row = mysqli_fetch_array($sql_total_tickets_closed); $total_tickets_closed = intval($row['total_tickets_closed']); //Get Unassigned tickets -$sql_total_tickets_unassigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_unassigned FROM tickets WHERE ticket_assigned_to = '0' AND ticket_resolved_at IS NULL"); +$sql_total_tickets_unassigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_unassigned FROM tickets WHERE ticket_assigned_to = '0' AND ticket_resolved_at IS NULL $ticket_permission_snippet"); $row = 
mysqli_fetch_array($sql_total_tickets_unassigned); $total_tickets_unassigned = intval($row['total_tickets_unassigned']); //Get Total tickets assigned to me -$sql_total_tickets_assigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_assigned FROM tickets WHERE ticket_assigned_to = $session_user_id AND ticket_resolved_at IS NULL"); +$sql_total_tickets_assigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_assigned FROM tickets WHERE ticket_assigned_to = $session_user_id AND ticket_resolved_at IS NULL $ticket_permission_snippet"); $row = mysqli_fetch_array($sql_total_tickets_assigned); $user_active_assigned_tickets = intval($row['total_tickets_assigned']);