From c5d67cd4f943612724d192073b11f78a2d107086 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 20 May 2026 14:01:55 +0100
Subject: [PATCH] Kanban - Enforce per-client perms (ajax)
---
 agent/ajax.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/agent/ajax.php b/agent/ajax.php
index b9f2ef0c..c5450e17 100644
--- a/agent/ajax.php
+++ b/agent/ajax.php
@@ -454,6 +454,12 @@ if (isset($_POST['update_kanban_ticket'])) {
 foreach ($positions as $position) {
 $ticket_id = intval($position['ticket_id']);
+
+ // Client perms check
+ $client_query = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT ticket_client_id FROM tickets WHERE ticket_id = $ticket_id"));
+ $client_id = intval($client_query['ticket_client_id']);
+ enforceClientAccess();
+
 $kanban = intval($position['ticket_order']); // ticket kanban position
 $status = intval($position['ticket_status']); // ticket statuses
 $oldStatus = intval($position['ticket_oldStatus']); // ticket old status if moved
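Review bot: The added lookup inside the `foreach` does not handle a `ticket_id` that matches no row: `mysqli_fetch_assoc()` then returns null, `$client_query['ticket_client_id']` evaluates to null, and `$client_id` becomes 0 before `enforceClientAccess()` runs. Whether a client id of 0 passes the check depends on `enforceClientAccess()`, which is not visible here and appears to read `$client_id` from the enclosing scope rather than take it as an argument, so the safe form is to fail closed when the row is missing, e.g. `if (!$client_query) { http_response_code(404); exit; }` directly after the fetch. Because the check runs once per iteration, tickets earlier in `$positions` may already have been written when a later one is denied; validating every ticket before the first update would avoid a partial change, though the loop body continues outside the hunk so this needs confirming against the full file.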