From 41c858aa9bae5a207d5989132b24bc40821b235e Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Wed, 12 Oct 2016 21:29:44 -0400
Subject: [PATCH] Update move category
---
 admin/move_category.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/admin/move_category.php b/admin/move_category.php
index cedd2216..d78b8ab3 100755
--- a/admin/move_category.php
+++ b/admin/move_category.php
@@ -44,7 +44,9 @@ hesk_isLoggedIn();
 $modsForHesk_settings = mfh_getSettings();
 /* Check permissions for this feature */
-hesk_checkPermission('can_change_cat');
+if (hesk_checkPermission('can_change_cat', 0)) {
+ hesk_checkPermission('can_change_own_cat');
+}
 /* A security check */
 hesk_token_check('POST');
@@ -73,6 +75,11 @@ if (!$row['autoassign']) {
 /* Is user allowed to view tickets in new category? */
 $category_ok = hesk_okCategory($category, 0);
+// Is user allowed to move tickets to this category?
+if (!$category_ok && !hesk_checkPermission('can_submit_any_cat', 0)) {
+ hesk_process_messages($hesklang['noauth_move'],'admin_main.php');
+}
+
 /* Get details about the original ticket */
 $res = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "tickets` WHERE `trackid`='" . hesk_dbEscape($trackingID) . "' LIMIT 1");
 if (hesk_dbNumRows($res) != 1) {
@@ -113,7 +120,7 @@ if ($need_to_reassign || !$ticket['owner']) {
 }
 }
-hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "tickets` SET `category`='" . intval($category) . "', `owner`='" . intval($ticket['owner']) . "' , `history`=CONCAT(`history`,'" . hesk_dbEscape($history) . "') WHERE `trackid`='" . hesk_dbEscape($trackingID) . "' LIMIT 1");
+hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "tickets` SET `category`='" . intval($category) . "', `owner`='" . intval($ticket['owner']) . "' , `history`=CONCAT(`history`,'" . hesk_dbEscape($history) . "') WHERE `trackid`='" . hesk_dbEscape($trackingID) . "'");
 $ticket['category'] = $category;
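Review bot: The condition in the first hunk, `if (hesk_checkPermission('can_change_cat', 0))`, looks inverted: the fallback check for `can_change_own_cat` runs only when the user already holds `can_change_cat`, so a user holding neither permission skips both checks and reaches the move logic. This assumes the two-argument form returns true when the permission is held, which is how the second hunk uses `!hesk_checkPermission('can_submit_any_cat', 0)`. The guard should read `if (!hesk_checkPermission('can_change_cat', 0)) { hesk_checkPermission('can_change_own_cat'); }`. If `can_change_own_cat` is meant to cover only tickets assigned to the caller, nothing visible in this patch compares the ticket's owner with the current user, so that restriction would still have to be enforced after the ticket is loaded further down.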
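Review bot: The deny branch added after `$category_ok = hesk_okCategory($category, 0);` stops the move only if `hesk_process_messages()` ends the request. Its definition is outside this patch, and if it returns, execution continues to the ticket lookup and on to the `UPDATE` in the last hunk. Either follow the call with an explicit `exit();` or record the dependency in the comment, e.g. `// hesk_process_messages() redirects and exits; nothing below runs for a denied move`. The comment should also say why `can_submit_any_cat` is the permission that authorises moving a ticket into a category the user cannot view, since the name describes submitting rather than moving.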
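Review bot: Dropping `LIMIT 1` from the `UPDATE` lets it rewrite `category`, `owner` and `history` on every row whose `trackid` matches, while the `SELECT` in the second hunk still reads with `LIMIT 1` and checks for exactly one row. Unless `trackid` is unique in the tickets table (not visible here), the write can now touch rows that were never loaded into `$ticket`. Keep the limit, or key the `UPDATE` on the primary key of the row that was fetched. A short comment should record why the limit was removed, since the commit message does not say.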