Restrict access to closed tickets based on staff's access control.

Background: osTicket allows access to assigned open tickets (both personal and team assignments) regardless of the assigned department or group. This is necessary to allow staff to work on tickets in an otherwise restricted department. When a staff member closes a ticket, they're credited (ticket.staff_id is set to staff's id) for the purpose of showing who closed the ticket. osTicket mistakenly allowed continued access to closed tickets even when the staff doesn't have access to the ticket based on departmental access.
osTicket · Mar 14, 2014 · e607018 · e607018
1 parent 80340e5
commit e607018
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 7 deletions.
diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
@@ -90,13 +90,14 @@ function search() {
  $result=array();
  $select = 'SELECT count( DISTINCT ticket.ticket_id) as tickets ';
  $from = ' FROM '.TICKET_TABLE.' ticket ';
- $where = ' WHERE 1 ';
 
  //Access control.
- $where.=' AND ( ticket.staff_id='.db_input($thisstaff->getId());
+ $where = ' WHERE ( (ticket.staff_id='.db_input($thisstaff->getId())
+ .' AND ticket.status="open" )';
 
  if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
- $where.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
+ $where.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
+ .' ) AND ticket.status="open")';
 
  if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
  $where.=' OR ticket.dept_id IN ('.implode(',', db_input($depts)).')';

diff --git a/include/class.ticket.php b/include/class.ticket.php
@@ -1812,11 +1812,12 @@ function getStaffStats($staff) {
  if(!$staff || (!is_object($staff) && !($staff=Staff::lookup($staff))) || !$staff->isStaff())
  return null;
 
- $where = array('ticket.staff_id='.db_input($staff->getId()));
+ $where = array('(ticket.staff_id='.db_input($staff->getId()) .' AND ticket.status="open")');
  $where2 = '';
 
  if(($teams=$staff->getTeams()))
- $where[] = 'ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
+ $where[] = ' ( ticket.team_id IN('.implode(',', db_input(array_filter($teams)))
+ .') AND ticket.status="open")';
 
  if(!$staff->showAssignedOnly() && ($depts=$staff->getDepts())) //Staff with limited access just see Assigned tickets.
  $where[] = 'ticket.dept_id IN('.implode(',', db_input($depts)).') ';

diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php
@@ -61,13 +61,15 @@
 
 $depts=$thisstaff->getDepts(); 
 $qwhere =' WHERE ( '
- .' ticket.staff_id='.db_input($thisstaff->getId());
+ .' ( ticket.staff_id='.db_input($thisstaff->getId())
+ .' AND ticket.status="open")';
 
 if(!$thisstaff->showAssignedOnly())
  $qwhere.=' OR ticket.dept_id IN ('.($depts?implode(',', db_input($depts)):0).')';
 
 if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
- $qwhere.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).') ';
+ $qwhere.=' OR (ticket.team_id IN ('.implode(',', db_input(array_filter($teams)))
+ .') AND ticket.status="open")';
 
 $qwhere .= ' )';