diff --git a/api/BusinessLogic/Attachments/AttachmentHandler.php b/api/BusinessLogic/Attachments/AttachmentHandler.php
index 22399f35..3a874ae9 100644
--- a/api/BusinessLogic/Attachments/AttachmentHandler.php
+++ b/api/BusinessLogic/Attachments/AttachmentHandler.php
@@ -3,6 +3,7 @@ namespace BusinessLogic\Attachments;
+use BusinessLogic\Exceptions\AccessViolationException;
 use BusinessLogic\Exceptions\ApiFriendlyException;
 use BusinessLogic\Exceptions\ValidationException;
 use BusinessLogic\Security\UserContext;
@@ -55,12 +56,16 @@ class AttachmentHandler {
 $ticket = $this->ticketGateway->getTicketById($createAttachmentModel->ticketId, $heskSettings);
+ if ($ticket === null) {
+ throw new ApiFriendlyException("Ticket {$createAttachmentModel->ticketId} not found", "Ticket Not Found", 404);
+ }
+
 $extraPermissions = $createAttachmentModel->isEditing ? array(UserPrivilege::CAN_EDIT_TICKETS) : array();
 if (!$this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings, $extraPermissions)) {
- throw new \Exception("User does not have access to ticket {$ticket->id} being created / edited!");
+ throw new AccessViolationException("User does not have access to ticket {$ticket->id} being created / edited!");
 }
 $cleanedFileName = $this->cleanFileName($createAttachmentModel->displayName);
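Review bot: The new null check in the second hunk answers 404 before the authorization check runs, so a caller without access to a ticket can tell from the 404-versus-403 difference whether that ticket id exists; deleteAttachmentFromTicket, AttachmentRetriever::getAttachmentContentsForTicket and TicketDeleter::deleteTicket in later hunks order the checks the same way. If tickets outside a user's categories are not meant to be discoverable, throw the same "Ticket Not Found" response from the access-violation branch as well; otherwise a short comment above the null check noting that ticket existence is not treated as sensitive would settle the question for the next reader. Separately, this hunk's message `"Ticket {$createAttachmentModel->ticketId} not found"` lacks the trailing `!` the other three hunks use; `"Ticket {$createAttachmentModel->ticketId} not found!"` keeps them uniform. The enclosing method starts before the hunk.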
@@ -99,8 +104,12 @@ class AttachmentHandler {
 function deleteAttachmentFromTicket($ticketId, $attachmentId, $userContext, $heskSettings) {
 $ticket = $this->ticketGateway->getTicketById($ticketId, $heskSettings);
+ if ($ticket === null) {
+ throw new ApiFriendlyException("Ticket {$ticketId} not found!", "Ticket Not Found", 404);
+ }
+
 if (!$this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings, array(UserPrivilege::CAN_EDIT_TICKETS))) {
- throw new \Exception("User does not have access to ticket {$ticketId} being created / edited!");
+ throw new AccessViolationException("User does not have access to ticket {$ticketId} being created / edited!");
 }
 $indexToRemove = -1;
diff --git a/api/BusinessLogic/Attachments/AttachmentRetriever.php b/api/BusinessLogic/Attachments/AttachmentRetriever.php
index cfdec67b..59fdcc54 100644
--- a/api/BusinessLogic/Attachments/AttachmentRetriever.php
+++ b/api/BusinessLogic/Attachments/AttachmentRetriever.php
@@ -3,6 +3,8 @@ namespace BusinessLogic\Attachments;
+use BusinessLogic\Exceptions\AccessViolationException;
+use BusinessLogic\Exceptions\ApiFriendlyException;
 use BusinessLogic\Security\UserToTicketChecker;
 use DataAccess\Attachments\AttachmentGateway;
 use DataAccess\Files\FileReader;
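Review bot: The access-violation message kept on the new line, `"User does not have access to ticket {$ticketId} being created / edited!"`, describes the create/edit path although this method removes an attachment, which will mislead whoever reads the log or the API error. `throw new AccessViolationException("User does not have access to ticket {$ticketId} to delete attachments!");` says what was actually refused. deleteAttachmentFromTicket continues past the end of the hunk.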
@@ -31,8 +33,12 @@ class AttachmentRetriever {
 function getAttachmentContentsForTicket($ticketId, $attachmentId, $userContext, $heskSettings) {
 $ticket = $this->ticketGateway->getTicketById($ticketId, $heskSettings);
- if (!$this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings)) {
- throw new \Exception("User does not have access to attachment {$attachmentId}!");
+ if ($ticket === null) {
+ throw new ApiFriendlyException("Ticket {$ticketId} not found!", "Ticket Not Found", 404);
+ }
+
+ if ($this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings)) {
+ throw new AccessViolationException("User does not have access to attachment {$attachmentId}!");
 }
 $attachment = $this->attachmentGateway->getAttachmentById($attachmentId, $heskSettings);
diff --git a/api/BusinessLogic/Exceptions/AccessViolationException.php b/api/BusinessLogic/Exceptions/AccessViolationException.php
new file mode 100644
index 00000000..1c252646
--- /dev/null
+++ b/api/BusinessLogic/Exceptions/AccessViolationException.php
@@ -0,0 +1,10 @@ +localizedNames = $localizedLanguages; $status->sort = intval($row['sort']);
diff --git a/api/BusinessLogic/Statuses/StatusLanguage.php b/api/BusinessLogic/Statuses/StatusLanguage.php
deleted file mode 100644
index 58acc40b..00000000
--- a/api/BusinessLogic/Statuses/StatusLanguage.php
+++ /dev/null
@@ -1,14 +0,0 @@ -language = $language;
- $this->text = $text;
- }
-}
\ No newline at end of file
diff --git a/api/BusinessLogic/Tickets/TicketDeleter.php b/api/BusinessLogic/Tickets/TicketDeleter.php
index cc9f3f8a..fde51ee7 100644
--- a/api/BusinessLogic/Tickets/TicketDeleter.php
+++ b/api/BusinessLogic/Tickets/TicketDeleter.php
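Review bot: The rewritten access check in getAttachmentContentsForTicket lost its negation: the removed line threw when `!isTicketAccessibleToUser(...)`, while the added line throws when the check succeeds, so a user who is allowed to see the ticket gets an AccessViolationException and a user who is not allowed falls through to getAttachmentById and receives the file contents. Restore the guard as `if (!$this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings)) {`. A unit test asserting that a user denied by the checker cannot read attachment contents would have caught this inversion and is worth adding alongside the fix; the method continues past the end of the hunk.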
@@ -4,6 +4,8 @@ namespace BusinessLogic\Tickets;
 use BusinessLogic\Attachments\AttachmentHandler;
+use BusinessLogic\Exceptions\AccessViolationException;
+use BusinessLogic\Exceptions\ApiFriendlyException;
 use BusinessLogic\Security\UserPrivilege;
 use BusinessLogic\Security\UserToTicketChecker;
 use DataAccess\Tickets\TicketGateway;
@@ -27,9 +29,13 @@ class TicketDeleter {
 function deleteTicket($ticketId, $userContext, $heskSettings) {
 $ticket = $this->ticketGateway->getTicketById($ticketId, $heskSettings);
+ if ($ticket === null) {
+ throw new ApiFriendlyException("Ticket {$ticketId} not found!", "Ticket Not Found", 404);
+ }
+
 if (!$this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings, array(UserPrivilege::CAN_DELETE_TICKETS))) {
- throw new \Exception("User does not have access to ticket {$ticketId}");
+ throw new AccessViolationException("User does not have access to ticket {$ticketId}");
 }
 foreach ($ticket->attachments as $attachment) {
diff --git a/api/BusinessLogic/Tickets/TicketEditor.php b/api/BusinessLogic/Tickets/TicketEditor.php
index 6ad52ccd..a5fe9774 100644
--- a/api/BusinessLogic/Tickets/TicketEditor.php
+++ b/api/BusinessLogic/Tickets/TicketEditor.php
@@ -3,6 +3,7 @@ namespace BusinessLogic\Tickets;
+use BusinessLogic\Exceptions\AccessViolationException;
 use BusinessLogic\Exceptions\ApiFriendlyException;
 use BusinessLogic\Exceptions\ValidationException;
 use BusinessLogic\Security\UserContext;
@@ -43,7 +44,7 @@ class TicketEditor {
 }
 if (!$this->userToTicketChecker->isTicketAccessibleToUser($userContext, $ticket, $heskSettings, array(UserPrivilege::CAN_EDIT_TICKETS))) {
- throw new \Exception("User does not have access to ticket {$editTicketModel->id}");
+ throw new AccessViolationException("User does not have access to ticket {$editTicketModel->id}");
 }
 $this->validate($editTicketModel, $ticket->categoryId, $heskSettings);
@@ -88,7 +89,7 @@ class TicketEditor {
 $customFieldNumber = intval(str_replace('custom', '', $key)); //TODO test this
- if (!array_key_exists($customFieldNumber, $editTicketModel->customFields)) {
+ if ($editTicketModel->customFields === null || !array_key_exists($customFieldNumber, $editTicketModel->customFields)) {
 continue;
 }
diff --git a/api/Controllers/Attachments/StaffTicketAttachmentsController.php b/api/Controllers/Attachments/StaffTicketAttachmentsController.php
index 3ca6ca74..1d32f812 100644
--- a/api/Controllers/Attachments/StaffTicketAttachmentsController.php
+++ b/api/Controllers/Attachments/StaffTicketAttachmentsController.php
@@ -22,7 +22,7 @@ class StaffTicketAttachmentsController {
 $contents = $attachmentRetriever->getAttachmentContentsForTicket($ticketId, $attachmentId, $userContext, $hesk_settings);
- output(array('contents' => base64_encode($contents)));
+ output(array('contents' => $contents));
 }
 private function verifyAttachmentsAreEnabled($heskSettings) {
@@ -51,6 +51,7 @@ class StaffTicketAttachmentsController {
 $model = new CreateAttachmentForTicketModel();
 $model->attachmentContents = Helpers::safeArrayGet($json, 'data');
 $model->displayName = Helpers::safeArrayGet($json, 'displayName');
+ $model->isEditing = Helpers::safeArrayGet($json, 'isEditing');
 $model->ticketId = $ticketId;
 return $model;
diff --git a/api/Controllers/Categories/CategoryController.php b/api/Controllers/Categories/CategoryController.php
index bf640a3e..e376afef 100644
--- a/api/Controllers/Categories/CategoryController.php
+++ b/api/Controllers/Categories/CategoryController.php
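Review bot: The new guard makes a null `customFields` skip every key in this loop, and the `//TODO test this` marker directly above it is left in place, so a reader cannot tell whether "no custom fields submitted means leave them untouched" is intended or still unverified. If it is intended, replace the TODO with `// A null customFields means none were submitted; existing values are left untouched.` and add the test the TODO asks for; if null and an empty array are meant to behave the same, hoisting the null check out of the loop is clearer than re-evaluating it per key. The loop starts before the hunk.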
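Review bot: Dropping base64_encode here means whatever getAttachmentContentsForTicket returns goes straight into output(); if that is still raw file bytes, as the removed call suggests, JSON-encoding a non-UTF-8 binary attachment fails, and this diff does not show whether the retriever now base64-encodes on its side. Whichever layer is responsible for the encoding should say so at the call site, e.g. `// contents are already base64-encoded by AttachmentRetriever — TODO confirm`, so the controller and retriever do not drift apart again. The enclosing method starts before the hunk.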
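Review bot: `isEditing` is now taken from the request body, and in AttachmentHandler it decides whether CAN_EDIT_TICKETS is added to the required privileges, so the strength of the authorization check is chosen by the caller rather than by the server. If the edit privilege is meant to apply whenever a file is attached to an existing ticket, derive that condition server-side (from the route or the ticket state) instead of from the JSON field. At minimum coerce the value, e.g. `$model->isEditing = Helpers::safeArrayGet($json, 'isEditing') === true;`, since safeArrayGet hands back whatever the JSON contained and a string such as `"false"` is truthy in the ternary that consumes it. The enclosing method starts before the hunk.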
@@ -3,10 +3,16 @@ namespace Controllers\Categories;
 use BusinessLogic\Categories\CategoryRetriever;
+use BusinessLogic\Exceptions\ApiFriendlyException;
 class CategoryController {
 function get($id) {
 $categories = self::getAllCategories();
+
+ if (!isset($categories[$id])) {
+ throw new ApiFriendlyException("Category {$id} not found!", "Category Not Found", 404);
+ }
+
 output($categories[$id]);
 }
diff --git a/api/Controllers/Tickets/StaffTicketController.php b/api/Controllers/Tickets/StaffTicketController.php
index 901fc617..7e582eb7 100644
--- a/api/Controllers/Tickets/StaffTicketController.php
+++ b/api/Controllers/Tickets/StaffTicketController.php
@@ -17,6 +17,8 @@ class StaffTicketController {
 $ticketDeleter = $applicationContext->get[TicketDeleter::class];
 $ticketDeleter->deleteTicket($id, $userContext, $hesk_settings);
+
+ http_response_code(204);
 }
 function put($id) {
diff --git a/api/DataAccess/Logging/LoggingGateway.php b/api/DataAccess/Logging/LoggingGateway.php
index 0df48939..43fdde13 100644
--- a/api/DataAccess/Logging/LoggingGateway.php
+++ b/api/DataAccess/Logging/LoggingGateway.php
@@ -36,7 +36,11 @@ class LoggingGateway extends CommonDao {
 hesk_dbQuery("INSERT INTO `" . hesk_dbEscape($heskSettings['db_pfix']) . "logging` (`username`, `message`, `severity`, `location`, `timestamp`, `stack_trace`) VALUES ('" . hesk_dbEscape($userContext->username) . "',
- '" . hesk_dbEscape($message) . "', " . intval($severity) . ", '" . hesk_dbEscape($location) . "', NOW(), '" . hesk_dbEscape($stackTrace) . "')");
+ '" . hesk_dbEscape(addslashes($message)) . "',
+ " . intval($severity) . ",
+ '" . hesk_dbEscape(addslashes($location)) . "',
+ NOW(),
+ '" . hesk_dbEscape(addslashes($stackTrace)) . "')");
 $insertedId = hesk_dbInsertID();
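Review bot: In the LoggingGateway hunk, wrapping the values in addslashes() before hesk_dbEscape() escapes them twice, so a message, location or stack trace containing a quote or backslash is stored with the extra backslashes kept and reads back corrupted from the logging table; if hesk_dbEscape is the usual driver escaping wrapper it already handles those characters on its own. Drop the inner call on all three added lines, e.g. `'" . hesk_dbEscape($message) . "',`, and likewise for `$location` and `$stackTrace`; the durable fix is a prepared statement with the five values bound as parameters instead of string assembly. The hesk_dbQuery statement begins before the hunk.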