#208 Update some security stuff for managers. Still have a lot to do

Mike Koch 9 years ago
parent f4fc8ecf43
commit 96fe276ea0

@ -859,7 +859,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
/* Do we need or have any canned responses? */
$can_options = hesk_printCanned();
echo hesk_getAdminButtons();
echo hesk_getAdminButtons(0,1,$isManager);
?>
<div class="blankSpace"></div>
<!-- BEGIN TICKET HEAD -->
@ -1273,7 +1273,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
<?php
if ($hesk_settings['new_top'])
{
$i = hesk_printTicketReplies() ? 0 : 1;
$i = hesk_printTicketReplies($isManager) ? 0 : 1;
}
else
{
@ -1353,7 +1353,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
<div class="col-md-9 col-xs-12 pushMarginLeft">
<div class="ticketMessageTop withBorder">
<!-- Action Buttons -->
<?php echo hesk_getAdminButtonsInTicket(0, $i); ?>
<?php echo hesk_getAdminButtonsInTicket(0, $i, $isManager); ?>
<!-- Date -->
<p><br/><?php echo $hesklang['date']; ?>: <?php echo hesk_date($ticket['dt'], true); ?>
@ -1452,7 +1452,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
<?php
if ( ! $hesk_settings['new_top'])
{
hesk_printTicketReplies();
hesk_printTicketReplies($isManager);
}
?>
@ -1635,7 +1635,7 @@ function hesk_getFontAwesomeIconForFileExtension($fileExtension)
}
function hesk_getAdminButtons($reply=0,$white=1)
function hesk_getAdminButtons($reply=0,$white=1,$isManager)
{
global $hesk_settings, $hesklang, $ticket, $reply, $trackingID, $can_edit, $can_archive, $can_delete;
@ -1686,7 +1686,8 @@ function hesk_getAdminButtons($reply=0,$white=1)
if ($can_edit)
{
$tmp = $reply ? '&amp;reply='.$reply['id'] : '';
$options .= '<a class="btn btn-default" href="edit_post.php?track='.$trackingID.$tmp.'"><i class="fa fa-pencil"></i> '.$hesklang['edtt'].'</a> ';
$mgr = $isManager ? '&amp;isManager=true' : '';
$options .= '<a class="btn btn-default" href="edit_post.php?track='.$trackingID.$tmp.$mgr.'"><i class="fa fa-pencil"></i> '.$hesklang['edtt'].'</a> ';
}
@ -1716,7 +1717,7 @@ function hesk_getAdminButtons($reply=0,$white=1)
} // END hesk_getAdminButtons()
function hesk_getAdminButtonsInTicket($reply=0,$white=1)
function hesk_getAdminButtonsInTicket($reply=0,$white=1,$isManager=false)
{
global $hesk_settings, $hesklang, $ticket, $reply, $trackingID, $can_edit, $can_archive, $can_delete;
@ -1730,7 +1731,8 @@ function hesk_getAdminButtonsInTicket($reply=0,$white=1)
if ($can_edit)
{
$tmp = $reply ? '&amp;reply='.$reply['id'] : '';
$options .= '<a class="btn btn-default" href="edit_post.php?track='.$trackingID.$tmp.'"><i class="fa fa-pencil"></i> '.$hesklang['edtt'].'</a> ';
$mgr = $isManager ? '&amp;isManager=true' : '';
$options .= '<a class="btn btn-default" href="edit_post.php?track='.$trackingID.$tmp.$mgr.'"><i class="fa fa-pencil"></i> '.$hesklang['edtt'].'</a> ';
}
@ -1841,7 +1843,7 @@ function print_form()
} // End print_form()
function hesk_printTicketReplies() {
function hesk_printTicketReplies($isManager) {
global $hesklang, $hesk_settings, $result, $reply;
$i = $hesk_settings['new_top'] ? 0 : 1;
@ -1863,7 +1865,7 @@ function hesk_printTicketReplies() {
</div>
<div class="col-md-9 col-xs-12 pushMarginLeft">
<div class="ticketMessageTop withBorder">
<?php echo hesk_getAdminButtonsInTicket(); ?>
<?php echo hesk_getAdminButtonsInTicket(0,1,$isManager); ?>
<div class="blankSpace"></div>
<p><?php echo $hesklang['date']; ?>: <?php echo $reply['dt']; ?></p>
</div>
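Review bot: `function hesk_getAdminButtons($reply=0,$white=1,$isManager)` declares a required parameter after two optional ones, so any existing call site that still passes fewer than three arguments will now fail on a missing argument (and PHP 8 deprecates this ordering), while the sibling `hesk_getAdminButtonsInTicket($reply=0,$white=1,$isManager=false)` in the same commit gets a default. Make the signatures consistent: `function hesk_getAdminButtons($reply=0,$white=1,$isManager=false)` and `function hesk_printTicketReplies($isManager=false)`. Note also that `$mgr = $isManager ? '&amp;isManager=true' : ''` puts the manager flag into a query string the browser controls, so edit_post.php must re-derive manager status server-side rather than trust that parameter. Where `$isManager` is first assigned lies outside these hunks, so its origin cannot be checked here.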

@ -46,8 +46,10 @@ hesk_dbConnect();
hesk_isLoggedIn();
/* Check permissions for this feature */
hesk_checkPermission('can_view_tickets');
hesk_checkPermission('can_edit_tickets');
if (!isset($_REQUEST['isManager']) || !$_REQUEST['isManager']) {
hesk_checkPermission('can_view_tickets');
hesk_checkPermission('can_edit_tickets');
}
/* Ticket ID */
$trackingID = hesk_cleanID() or die($hesklang['int_error'].': '.$hesklang['no_trackID']);
@ -70,7 +72,9 @@ if ( defined('HESK_DEMO') )
}
/* Is this user allowed to view tickets inside this category? */
hesk_okCategory($ticket['category']);
if (!isset($_REQUEST['isManager']) || !$_REQUEST['isManager']) {
hesk_okCategory($ticket['category']);
}
if ( hesk_isREQUEST('reply') )
{
@ -466,6 +470,9 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
</div>
<div class="form-group" style="text-align: center">
<input type="submit" value="<?php echo $hesklang['save_changes']; ?>" class="btn btn-default" />
<?php if (isset($_REQUEST['isManager']) && $_REQUEST['isManager']): ?>
<input type="hidden" name="isManager" value="1">
<?php endif; ?>
<a class="btn btn-default" href="javascript:history.go(-1)"><?php echo $hesklang['back']; ?></a>
</div>
</form>
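Review bot: The new `if (!isset($_REQUEST['isManager']) || !$_REQUEST['isManager'])` guards around `hesk_checkPermission('can_view_tickets')`, `hesk_checkPermission('can_edit_tickets')` and `hesk_okCategory($ticket['category'])` are keyed on request input, so any logged-in user can skip all three checks by appending `?isManager=1` (or posting the hidden `isManager` field added below), which is an authorization bypass allowing edits to tickets in categories the user may not view. Manager status must be established server-side from the authenticated user's record and the loaded `$ticket`, not from `$_REQUEST`; assign `$isManager` that way after the ticket is fetched and gate on that variable, and drop the hidden `isManager` input since it no longer needs to round-trip. Even for a genuine manager, skipping `can_edit_tickets` entirely looks broader than intended — presumably the goal is to bypass only the category restriction, which is worth confirming. The script continues outside these hunks, so where `$ticket` is loaded relative to the guard is not visible here.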
