Summary | Permission check on editing the ticket |
Queue | Whups |
Type | Enhancement |
State | Rejected |
Priority | 1. Low |
Owners | |
Requester | allen.zhao (at) camilion (dot) com |
Created | 01/28/2005 (7440 days ago) |
Due | |
Updated | 01/28/2005 (7440 days ago) |
Assigned | |
Resolved | 01/28/2005 (7440 days ago) |
Milestone | |
Patch | No |
State ⇒ Rejected
of all changes in a *separate* text file attached to the ticket.
ticket/comment.php:98://$tabs = &Whups::getTicketTabs($vars, );
ticket/comment.php:99:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
ticket/delete.php:85://$tabs = &Whups::getTicketTabs($vars, );
ticket/delete.php:86:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
ticket/index.php:29://$tabs = &Whups::getTicketTabs($vars, );
ticket/index.php:30:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
ticket/people.php:132://$tabs = &Whups::getTicketTabs($vars, );
ticket/people.php:133:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
ticket/queue.php:185://$tabs = &Whups::getTicketTabs($vars, );
ticket/queue.php:186:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
ticket/type.php:133://$tabs = &Whups::getTicketTabs($vars, );
ticket/type.php:134:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
ticket/update.php:143://$tabs = &Whups::getTicketTabs($vars, );
ticket/update.php:144:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
ticket/upload.php:72://$tabs = &Whups::getTicketTabs($vars, );
ticket/upload.php:73:$tabs = &Whups::getTicketTabs($vars,
$ticket->get('queue'));
State ⇒ New
Priority ⇒ 1. Low
Type ⇒ Enhancement
Summary ⇒ Permission check on editing the ticket
Queue ⇒ Whups
and update the ticket. (Comment not included)
in /lib/Whups.php function &getTicketTabs(&$vars, $qid=null):
Old:
/**
 * Builds the tab bar ('action' tabs) for the ticket pages.
 *
 * "History" and "Comment" are always added. "Update", "People" and
 * "Set Queue" are added whenever Auth::getAuth() is truthy (presumably: a
 * user is logged in). "Set Type" and "Delete" are added only when
 * Auth::isAdmin('whups:admin') is true.
 *
 * NOTE(review): no per-queue permission is consulted here, so the edit tabs
 * are offered for every ticket to anyone who passes the Auth::getAuth()
 * test. This function only decides which links are rendered; whether the
 * target pages enforce anything themselves cannot be seen from this listing.
 *
 * @param mixed &$vars  Passed unchanged to the Horde_UI_Tabs constructor.
 *
 * @return Horde_UI_Tabs  The populated tab set, returned by reference.
 */
function &getTicketTabs(&$vars)
{
$tabs = &new Horde_UI_Tabs('action', $vars);
// Read-only view: added unconditionally.
$tabs->addTab(_("History"), Horde::applicationUrl('ticket/'), '');
// Gated only on Auth::getAuth(), not on the ticket's queue.
if (Auth::getAuth()) {
$tabs->addTab(_("Update"),
Horde::applicationUrl('ticket/update.php'));
}
// Commenting is offered without any check.
$tabs->addTab(_("Comment"),
Horde::applicationUrl('ticket/comment.php'));
// Same Auth::getAuth() test as for "Update".
if (Auth::getAuth()) {
$tabs->addTab(_("People"),
Horde::applicationUrl('ticket/people.php'));
$tabs->addTab(_("Set Queue"),
Horde::applicationUrl('ticket/queue.php'));
}
// Type changes and deletion are offered to 'whups:admin' only.
if (Auth::isAdmin('whups:admin')) {
$tabs->addTab(_("Set Type"),
Horde::applicationUrl('ticket/type.php'));
$tabs->addTab(_("Delete"),
Horde::applicationUrl('ticket/delete.php'));
}
return $tabs;
}
New:
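/**
 * Builds the tab bar ('action' tabs) for the ticket pages, offering the
 * edit tabs only to users who hold PERMS_EDIT on the ticket's queue.
 *
 * "History" and "Comment" are always added. "Update", "People" and
 * "Set Queue" are added only when a user is authenticated, a queue id was
 * passed, and $perms->hasPermission() grants PERMS_EDIT on
 * 'whups:queues:<qid>'. "Set Type" and "Delete" are added only when
 * Auth::isAdmin('whups:admin') is true.
 *
 * The tabs decide which links are rendered, nothing more. Each target page
 * (ticket/update.php, ticket/people.php, ticket/queue.php) still has to
 * repeat the permission check before it acts on a request.
 *
 * @param mixed &$vars  Passed unchanged to the Horde_UI_Tabs constructor.
 * @param mixed $qid    Id of the queue the ticket belongs to. When omitted
 *                      (null) the edit tabs are not offered.
 *
 * @return Horde_UI_Tabs  The populated tab set, returned by reference.
 */
function &getTicketTabs(&$vars, $qid = null)
{
    global $perms;

    // Decide once, so that "Update" and "People"/"Set Queue" can never
    // disagree about the same user and queue.
    //
    // Fail closed in two cases:
    //  - no authenticated user: the version this replaces showed these tabs
    //    only when Auth::getAuth() was truthy, and keeping that test means
    //    the queue check can only narrow who sees them;
    //  - no queue id: 'whups:queues:' . null would name a permission that
    //    belongs to no queue, so its result says nothing about this ticket.
    $user = Auth::getAuth();
    $canEdit = $user && $qid !== null &&
        $perms->hasPermission('whups:queues:' . $qid, $user, PERMS_EDIT);

    $tabs = &new Horde_UI_Tabs('action', $vars);
    $tabs->addTab(_("History"), Horde::applicationUrl('ticket/'), '');
    if ($canEdit) {
        $tabs->addTab(_("Update"),
                      Horde::applicationUrl('ticket/update.php'));
    }
    $tabs->addTab(_("Comment"),
                  Horde::applicationUrl('ticket/comment.php'));
    if ($canEdit) {
        $tabs->addTab(_("People"),
                      Horde::applicationUrl('ticket/people.php'));
        $tabs->addTab(_("Set Queue"),
                      Horde::applicationUrl('ticket/queue.php'));
    }
    // Type changes and deletion stay restricted to 'whups:admin'.
    if (Auth::isAdmin('whups:admin')) {
        $tabs->addTab(_("Set Type"),
                      Horde::applicationUrl('ticket/type.php'));
        $tabs->addTab(_("Delete"),
                      Horde::applicationUrl('ticket/delete.php'));
    }
    return $tabs;
}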
And add the correct permission check in
ticket/update.php
ticket/people.php
ticket/queue.php
like:
// Server-side gate for the edit pages. Leaving a tab out of the tab bar does
// not stop a direct request to the page's URL, so each page repeats the check
// itself. $qid stands for the ticket's queue id; the call sites listed on this
// page obtain it with $ticket->get('queue').
$mayEdit = $perms->hasPermission('whups:queues:' . $qid, Auth::getAuth(), PERMS_EDIT);
if (!$mayEdit) {
    // deny (placeholder: refuse the request here, before any ticket data is changed)
}
Note: if the user sets the queue of a ticket to one for which he/she has no
permission, he/she will lose control of the ticket.