fix: Restrict access to closed tickets
When checking ticket access - only consider assignment IF the ticket is
open. This is required since staff_id field is overloaded to show who closed
the ticket.
protich authored and Jared Hancock committed Mar 14, 2014
1 parent 3ad94d5 commit 80340e5
Showing 1 changed file with 18 additions and 3 deletions.
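--- a/include/class.ticket.php
+++ b/include/class.ticket.php
@@ -139,9 +139,24 @@ function checkStaffAccess($staff) {
 if(!is_object($staff) && !($staff=Staff::lookup($staff)))
 return false;
 
-return ((!$staff->showAssignedOnly() && $staff->canAccessDept($this->getDeptId()))
-|| ($this->getTeamId() && $staff->isTeamMember($this->getTeamId()))
-|| $staff->getId()==$this->getStaffId());
+// Staff has access to the department.
+if (!$staff->showAssignedOnly()
+&& $staff->canAccessDept($this->getDeptId()))
+return true;
+
+// Only consider assignment if the ticket is open
+if (!$this->isOpen())
+return false;
+
+// Check ticket access based on direct or team assignment
+if ($staff->getId() == $this->getStaffId()
+|| ($this->getTeamId()
+&& $staff->isTeamMember($this->getTeamId())
+))
+return true;
+
+// No access bro!
+return false;
 }
 
 function checkClientAccess($client) {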
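Review bot: The `if (!$this->isOpen()) return false;` guard is commented only with "Only consider assignment if the ticket is open", so the security reason for it lives solely in the commit message. I would extend the comment to `// staff_id is reused to record who closed the ticket, so assignment grants access only while the ticket is open`, so that a later cleanup does not fold the guard back into a single boolean expression. The guard also gates the team-membership check, while the commit message justifies it only for staff_id, so it is worth confirming that team members losing access to closed tickets is intended. The comparison `$staff->getId() == $this->getStaffId()` is loose; if either side can be null or a non-numeric string (not visible here), comparing with `===` after an int cast would be safer. checkStaffAccess begins above the hunk, so anything before the lookup is not covered by this note.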
