Merge pull request #859 from opensupports/forbid-get-supervised-tickets-path-to-staffs

Forbids calls to /get-supervised-tickets from staff accounts
This commit is contained in:
Maximiliano Redigonda 2020-07-31 12:03:14 -03:00 committed by GitHub
commit 76b7e2c6e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 6 deletions


@ -52,6 +52,8 @@ class GetSupervisedTicketController extends Controller {
private $supervisedUserList; private $supervisedUserList;
public function handler() { public function handler() {
if(Controller::isStaffLogged()) throw new RequestException(ERRORS::NO_PERMISSION);
$this->page = Controller::request('page') ? Controller::request('page') : 1; $this->page = Controller::request('page') ? Controller::request('page') : 1;
$this->showOwnTickets = (bool)Controller::request('showOwnTickets'); $this->showOwnTickets = (bool)Controller::request('showOwnTickets');
$this->supervisedUserList = Controller::request('supervisedUsers')? json_decode(Controller::request('supervisedUsers')) : []; $this->supervisedUserList = Controller::request('supervisedUsers')? json_decode(Controller::request('supervisedUsers')) : [];
@ -66,7 +68,7 @@ class GetSupervisedTicketController extends Controller {
switch ($key) { switch ($key) {
case 'authors': case 'authors':
return json_encode($this->authors); return json_encode($this->authors);
case 'page' : case 'page' :
return $this->page*1; return $this->page*1;
case 'supervisor': case 'supervisor':
return 1; return 1;
@ -77,12 +79,12 @@ class GetSupervisedTicketController extends Controller {
if(empty($this->authors)) { if(empty($this->authors)) {
Response::respondSuccess([]); Response::respondSuccess([]);
}else{ } else {
$searchController->handler(); $searchController->handler();
} }
} }
public function canUserHandleSupervisedUsers() { public function canUserHandleSupervisedUsers() {
$user = Controller::getLoggedUser(); $user = Controller::getLoggedUser();
if(!$user->supervisedrelation && $this->supervisedUserList) return false; if(!$user->supervisedrelation && $this->supervisedUserList) return false;
@ -103,12 +105,12 @@ class GetSupervisedTicketController extends Controller {
if(!empty($this->supervisedUserList)){ if(!empty($this->supervisedUserList)){
foreach(array_unique($this->supervisedUserList) as $supervised){ foreach(array_unique($this->supervisedUserList) as $supervised){
array_push($authors,['id'=> $supervised,'isStaff'=> 0]); array_push($authors, ['id' => $supervised, 'isStaff' => 0]);
} }
}; };
if(!in_array( $user->id, $this->supervisedUserList) && $this->showOwnTickets){ if(!in_array( $user->id, $this->supervisedUserList) && $this->showOwnTickets){
array_push($authors,['id'=> $user->id*1,'isStaff'=> 0]); array_push($authors, ['id' => $user->id*1, 'isStaff' => 0]);
} }
return $authors; return $authors;
} }
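Review bot: The `supervisedUsers` value decoded on the last line of the first hunk is still trusted to be a JSON array after the new staff check: `json_decode` returns `null` for malformed input (the `[]` fallback only covers a missing parameter) and happily yields scalars or objects, which later reach `array_unique` and the non-strict `in_array($user->id, ...)` visible further down. I would normalise it at this boundary, e.g. `$decoded = json_decode(Controller::request('supervisedUsers'), true);` followed by `$this->supervisedUserList = is_array($decoded) ? array_map('intval', $decoded) : [];`, so only integer ids are carried into the author list. The new `isStaffLogged()` guard itself is sensibly placed before any request parsing; handler() continues past the end of that hunk, so whether the list is later checked against the user's supervised relation beyond what canUserHandleSupervisedUsers shows is not fully visible here.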