diff --git a/api/ApplicationContext.php b/api/ApplicationContext.php
index 9e6cacda..95b312b8 100644
--- a/api/ApplicationContext.php
+++ b/api/ApplicationContext.php
@@ -87,7 +87,8 @@ class ApplicationContext {
 // Tickets
 $this->get[UserToTicketChecker::class] = new UserToTicketChecker($this->get[UserGateway::class]);
 $this->get[TicketGateway::class] = new TicketGateway();
- $this->get[TicketRetriever::class] = new TicketRetriever($this->get[TicketGateway::class]);
+ $this->get[TicketRetriever::class] = new TicketRetriever($this->get[TicketGateway::class],
+ $this->get[UserToTicketChecker::class]);
 $this->get[TicketValidators::class] = new TicketValidators($this->get[TicketGateway::class]);
 $this->get[TrackingIdGenerator::class] = new TrackingIdGenerator($this->get[TicketGateway::class]);
 $this->get[Autoassigner::class] = new Autoassigner($this->get[CategoryGateway::class], $this->get[UserGateway::class]);
diff --git a/api/BusinessLogic/Tickets/Ticket.php b/api/BusinessLogic/Tickets/Ticket.php
index 73ebf8b4..029dcff4 100644
--- a/api/BusinessLogic/Tickets/Ticket.php
+++ b/api/BusinessLogic/Tickets/Ticket.php
@@ -131,8 +131,8 @@ class Ticket {
 $reply->staffId = $replyRow['staffid'] > 0 ? $replyRow['staffid'] : null;
 $reply->rating = $replyRow['rating'];
- $reply->isRead = $replyRow['read'];
- $reply->usesHtml = $replyRow['html'];
+ $reply->isRead = $replyRow['read'] === '1';
+ $reply->usesHtml = $replyRow['html'] === '1';
 $replies[$reply->id] = $reply;
 }
diff --git a/api/BusinessLogic/Tickets/TicketRetriever.php b/api/BusinessLogic/Tickets/TicketRetriever.php
index 438af152..b63bb8e0 100644
--- a/api/BusinessLogic/Tickets/TicketRetriever.php
+++ b/api/BusinessLogic/Tickets/TicketRetriever.php
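Review bot: The new `=== '1'` comparisons for `isRead` and `usesHtml` assume the gateway returns the `read`/`html` columns as strings; if the driver hands back native ints (which depends on the driver and its options, not visible here), `1 === '1'` is false and both flags silently read as unset. A cast makes the intent explicit and driver-independent: `$reply->isRead = (int) $replyRow['read'] === 1;` and `$reply->usesHtml = (int) $replyRow['html'] === 1;`. The enclosing method starts and ends outside the hunk.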
@@ -3,8 +3,10 @@ namespace BusinessLogic\Tickets;
+use BusinessLogic\Exceptions\AccessViolationException;
 use BusinessLogic\Exceptions\ApiFriendlyException;
 use BusinessLogic\Exceptions\ValidationException;
+use BusinessLogic\Security\UserToTicketChecker;
 use BusinessLogic\ValidationModel;
 use DataAccess\Tickets\TicketGateway;
@@ -14,12 +16,27 @@ class TicketRetriever {
 */
 private $ticketGateway;
- function __construct($ticketGateway) {
+ /* @var $userToTicketChecker UserToTicketChecker */
+ private $userToTicketChecker;
+
+ function __construct($ticketGateway, $userToTicketChecker) {
 $this->ticketGateway = $ticketGateway;
+ $this->userToTicketChecker = $userToTicketChecker;
 }
+ //TODO Properly test
 function getTicketById($id, $heskSettings, $userContext) {
- return $this->ticketGateway->getTicketById($id, $heskSettings);
+ $ticket = $this->ticketGateway->getTicketById($id, $heskSettings);
+
+ if ($ticket !== null) {
+ throw new ApiFriendlyException("Ticket {$id} not found!", "Ticket Not Found", 404);
+ }
+
+ if (!$this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings)) {
+ throw new AccessViolationException("User does not have access to ticket {$id}!");
+ }
+
+ return $ticket;
 }
 function getTicketByTrackingIdAndEmail($trackingId, $emailAddress, $heskSettings) {
diff --git a/api/Controllers/Tickets/StaffTicketController.php b/api/Controllers/Tickets/StaffTicketController.php
index 7e582eb7..001cd556 100644
--- a/api/Controllers/Tickets/StaffTicketController.php
+++ b/api/Controllers/Tickets/StaffTicketController.php
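Review bot: The not-found guard in `getTicketById` is inverted: `if ($ticket !== null)` throws the 404 for every ticket the gateway does find, and lets a missing ticket (`null`) fall through into `isTicketAccessibleToUser`; it should read `if ($ticket === null) {`. The order of the two checks is also worth a thought: a 404 before the access check and an `AccessViolationException` after it let a caller without access learn whether a given id exists, so if that distinction should stay hidden, respond the same way in both cases. `/* @var ... */` is a plain comment rather than PHPDoc; `/** @var UserToTicketChecker $userToTicketChecker */` is the form analysers and IDEs recognise.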
@@ -7,9 +7,19 @@ use BusinessLogic\Helpers;
 use BusinessLogic\Tickets\EditTicketModel;
 use BusinessLogic\Tickets\TicketDeleter;
 use BusinessLogic\Tickets\TicketEditor;
+use BusinessLogic\Tickets\TicketRetriever;
 use Controllers\JsonRetriever;
 class StaffTicketController {
+ function get($id) {
+ global $applicationContext, $userContext, $hesk_settings;
+
+ /* @var $ticketRetriever TicketRetriever */
+ $ticketRetriever = $applicationContext->get[TicketRetriever::class];
+
+ output($ticketRetriever->getTicketById($id, $hesk_settings, $userContext));
+ }
+
 function delete($id) {
 global $applicationContext, $userContext, $hesk_settings;
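Review bot: `get()` forwards the route parameter `$id` to `getTicketById()` untouched; unless the gateway parameterises and casts it itself (not visible here), coerce it at the controller boundary with `$id = (int) $id;` before the lookup, consistent with whatever `delete($id)` does below. The `/* @var $ticketRetriever TicketRetriever */` line is a plain comment rather than PHPDoc; `/** @var TicketRetriever $ticketRetriever */` is the form tools recognise. `delete()` continues outside the hunk.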