[Tickets #1272] NEW: Permission check on editing the ticket
bugs at bugs.horde.org
Fri Jan 28 11:02:43 PST 2005
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=1272
-----------------------------------------------------------------------
Ticket | 1272
Created By | allen.zhao at camilion.com
Summary | Permission check on editing the ticket
Queue | Whups
State | New
Priority | 1. Low
Type | Enhancement
Owners |
-----------------------------------------------------------------------
allen.zhao at camilion.com (2005-01-28 11:02) wrote:
Only allow the user who has PERMS_EDIT on the queue to edit and
update the ticket. (Comment not included)
In /lib/Whups.php, function &getTicketTabs(&$vars, $qid=null):
Old:
function &getTicketTabs(&$vars)
{
    $tabs = &new Horde_UI_Tabs('action', $vars);
    $tabs->addTab(_("History"), Horde::applicationUrl('ticket/'), '');
    if (Auth::getAuth()) {
        $tabs->addTab(_("Update"),
                      Horde::applicationUrl('ticket/update.php'));
    }
    $tabs->addTab(_("Comment"),
                  Horde::applicationUrl('ticket/comment.php'));
    if (Auth::getAuth()) {
        $tabs->addTab(_("People"),
                      Horde::applicationUrl('ticket/people.php'));
        $tabs->addTab(_("Set Queue"),
                      Horde::applicationUrl('ticket/queue.php'));
    }
    if (Auth::isAdmin('whups:admin')) {
        $tabs->addTab(_("Set Type"),
                      Horde::applicationUrl('ticket/type.php'));
        $tabs->addTab(_("Delete"),
                      Horde::applicationUrl('ticket/delete.php'));
    }
    return $tabs;
}
New:
function &getTicketTabs(&$vars, $qid=null)
{
    global $perms;
    $tabs = &new Horde_UI_Tabs('action', $vars);
    $tabs->addTab(_("History"), Horde::applicationUrl('ticket/'), '');
    if ($perms->hasPermission('whups:queues:' . $qid, Auth::getAuth(),
                              PERMS_EDIT)) {
        $tabs->addTab(_("Update"),
                      Horde::applicationUrl('ticket/update.php'));
    }
    $tabs->addTab(_("Comment"),
                  Horde::applicationUrl('ticket/comment.php'));
    if ($perms->hasPermission('whups:queues:' . $qid, Auth::getAuth(),
                              PERMS_EDIT)) {
        $tabs->addTab(_("People"),
                      Horde::applicationUrl('ticket/people.php'));
        $tabs->addTab(_("Set Queue"),
                      Horde::applicationUrl('ticket/queue.php'));
    }
    if (Auth::isAdmin('whups:admin')) {
        $tabs->addTab(_("Set Type"),
                      Horde::applicationUrl('ticket/type.php'));
        $tabs->addTab(_("Delete"),
                      Horde::applicationUrl('ticket/delete.php'));
    }
    return $tabs;
}
And add the correct permission check in
    ticket/update.php
    ticket/people.php
    ticket/queue.php
like:
if (!$perms->hasPermission('whups:queues:' . $qid, Auth::getAuth(),
                           PERMS_EDIT)) {
    // deny
}
Note: if the user sets the queue of a ticket to one he/she has no permission on,
he/she will lose control of the ticket.
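
An added example, not part of the original ticket or Horde's code: a shared server-side guard for the three pages named above, since hiding a tab does not stop a direct request to update.php, people.php or queue.php. StubPerms, the stub Auth class, the PERMS_EDIT value, the grants table and both helper names are stand-ins so the block runs on its own; checking the target queue as well is an assumed policy that addresses the note about losing control of a ticket.

```php
<?php
// Stand-ins for the permission API used in the ticket. Only the call
// $perms->hasPermission($name, $user, $perm), Auth::getAuth() and the
// PERMS_EDIT constant come from the ticket; the rest is hypothetical.
define('PERMS_EDIT', 8); // stand-in value for this example

class StubPerms {
    private $grants;
    function __construct(array $grants) { $this->grants = $grants; }
    function hasPermission($name, $user, $perm) {
        if ($user === false) {
            return false; // not logged in
        }
        $mask = $this->grants[$name][$user] ?? 0;
        return ($mask & $perm) === $perm;
    }
}

class Auth {
    static $user = false;
    static function getAuth() { return self::$user; }
}

// Constructed sample data: alice may edit queue 1 only.
$perms = new StubPerms(['whups:queues:1' => ['alice' => PERMS_EDIT]]);

// Guard for ticket/update.php and ticket/people.php.
function canEditQueue($perms, $qid) {
    // With the default $qid=null the permission name would collapse to
    // 'whups:queues:', so a missing queue id is denied outright.
    if ($qid === null || $qid === '') {
        return false;
    }
    return $perms->hasPermission('whups:queues:' . $qid, Auth::getAuth(), PERMS_EDIT);
}

// Guard for ticket/queue.php (assumed policy): require PERMS_EDIT on the
// current queue and on the target queue, so a move cannot strand the ticket.
function canMoveTicket($perms, $currentQid, $targetQid) {
    return canEditQueue($perms, $currentQid) && canEditQueue($perms, $targetQid);
}

Auth::$user = 'alice';
var_dump(canEditQueue($perms, 1));     // edit right on queue 1
var_dump(canMoveTicket($perms, 1, 2)); // no edit right on target queue 2
var_dump(canEditQueue($perms, null));  // missing queue id
Auth::$user = false;
var_dump(canEditQueue($perms, 1));     // anonymous request to update.php
```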