tyler.durden
/
opensupports
mirror of https://github.com/opensupports/opensupports.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #859 from opensupports/forbid-get-supervised-tickets-path-to-staffs 

Forbids call to /get-supervised-tickets from staff
This commit is contained in:
Maximiliano Redigonda 2020-07-31 12:03:14 -03:00 committed by GitHub
parent 38c90e2c07 785e2d8ac5
commit 76b7e2c6e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
server/controllers/user/get-supervised-tickets.php
View File

@ -52,6 +52,8 @@ class GetSupervisedTicketController extends Controller {
private $supervisedUserList;
public function handler() {
if(Controller::isStaffLogged()) throw new RequestException(ERRORS::NO_PERMISSION);
$this->page = Controller::request('page') ? Controller::request('page') : 1;
$this->showOwnTickets = (bool)Controller::request('showOwnTickets');
$this->supervisedUserList = Controller::request('supervisedUsers')? json_decode(Controller::request('supervisedUsers')) : [];
@ -66,7 +68,7 @@ class GetSupervisedTicketController extends Controller {
switch ($key) {
case 'authors':
return json_encode($this->authors);
case 'page' :
case 'page' :
return $this->page*1;
case 'supervisor':
return 1;
@ -77,12 +79,12 @@ class GetSupervisedTicketController extends Controller {
if(empty($this->authors)) {
Response::respondSuccess([]);
}else{
} else {
$searchController->handler();
}
}
}
public function canUserHandleSupervisedUsers() {
public function canUserHandleSupervisedUsers() {
$user = Controller::getLoggedUser();
if(!$user->supervisedrelation && $this->supervisedUserList) return false;
@ -103,12 +105,12 @@ class GetSupervisedTicketController extends Controller {
if(!empty($this->supervisedUserList)){
foreach(array_unique($this->supervisedUserList) as $supervised){
array_push($authors,['id'=> $supervised,'isStaff'=> 0]);
array_push($authors, ['id' => $supervised, 'isStaff' => 0]);
}
};
if(!in_array( $user->id, $this->supervisedUserList) && $this->showOwnTickets){
array_push($authors,['id'=> $user->id*1,'isStaff'=> 0]);
array_push($authors, ['id' => $user->id*1, 'isStaff' => 0]);
}
return $authors;
}