From 96fe276ea09878d280eedb3170e0ef771612119c Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sat, 6 Jun 2015 22:13:44 -0400
Subject: [PATCH] #208 Update some security stuff for managers. Still have a lot to do
---
 admin/admin_ticket.php | 22 ++++++++++++----------
 admin/edit_post.php | 13 ++++++++++---
 2 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/admin/admin_ticket.php b/admin/admin_ticket.php
index c9b89f35..9720c1d9 100644
--- a/admin/admin_ticket.php
+++ b/admin/admin_ticket.php
@@ -859,7 +859,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
 /* Do we need or have any canned responses? */
 $can_options = hesk_printCanned();
- echo hesk_getAdminButtons();
+ echo hesk_getAdminButtons(0,1,$isManager);
 ?>
@@ -1273,7 +1273,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
- +


:
@@ -1452,7 +1452,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
@@ -1635,7 +1635,7 @@ function hesk_getFontAwesomeIconForFileExtension($fileExtension)
 }
-function hesk_getAdminButtons($reply=0,$white=1)
+function hesk_getAdminButtons($reply=0,$white=1,$isManager)
 {
 global $hesk_settings, $hesklang, $ticket, $reply, $trackingID, $can_edit, $can_archive, $can_delete;
@@ -1686,7 +1686,8 @@ function hesk_getAdminButtons($reply=0,$white=1)
 if ($can_edit)
 {
 $tmp = $reply ? '&reply='.$reply['id'] : '';
- $options .= ' '.$hesklang['edtt'].' ';
+ $mgr = $isManager ? '&isManager=true' : '';
+ $options .= ' '.$hesklang['edtt'].' ';
 }
@@ -1716,7 +1717,7 @@ function hesk_getAdminButtons($reply=0,$white=1)
 } // END hesk_getAdminButtons()
-function hesk_getAdminButtonsInTicket($reply=0,$white=1)
+function hesk_getAdminButtonsInTicket($reply=0,$white=1,$isManager=false)
 {
 global $hesk_settings, $hesklang, $ticket, $reply, $trackingID, $can_edit, $can_archive, $can_delete;
@@ -1730,7 +1731,8 @@ function hesk_getAdminButtonsInTicket($reply=0,$white=1)
 if ($can_edit)
 {
 $tmp = $reply ? '&reply='.$reply['id'] : '';
- $options .= ' '.$hesklang['edtt'].' ';
+ $mgr = $isManager ? '&isManager=true' : '';
+ $options .= ' '.$hesklang['edtt'].' ';
 }
@@ -1841,7 +1843,7 @@ function print_form()
 } // End print_form()
-function hesk_printTicketReplies() {
+function hesk_printTicketReplies($isManager) {
 global $hesklang, $hesk_settings, $result, $reply;
 $i = $hesk_settings['new_top'] ? 0 : 1;
@@ -1863,7 +1865,7 @@ function hesk_printTicketReplies() {
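Review bot: `function hesk_getAdminButtons($reply=0,$white=1,$isManager)` declares a required parameter after two optional ones, which is inconsistent with `hesk_getAdminButtonsInTicket($reply=0,$white=1,$isManager=false)` in the `@@ -1716` hunk and is deprecated from PHP 8.0 (optional parameter before a required one); `hesk_printTicketReplies($isManager)` in `@@ -1841` has the same shape with no default. Give both a default, `function hesk_getAdminButtons($reply=0,$white=1,$isManager=false)` and `function hesk_printTicketReplies($isManager=false)`, so any existing caller that passes only `$reply`/`$white` or nothing keeps working. The bodies of all three functions continue outside their hunks.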
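Review bot: `$mgr = $isManager ? '&isManager=true' : ''` appends a flag to the edit link that the `admin/edit_post.php` hunks in this same patch read back from `$_REQUEST` to skip the permission and category checks, so an authorization decision is round-tripped through the client instead of being recomputed on the receiving page; the `@@ -1730` hunk does the same. The link should carry only the identifiers edit_post.php needs (the tracking id and the `&reply=` suffix already built in `$tmp`), and edit_post.php should derive manager status itself from the session user and `$ticket['category']`, which makes `$mgr` unnecessary. If the flag is kept purely for presentation, name it so and make sure nothing server-side grants rights based on it. The enclosing `if ($can_edit)` block and the function continue outside the hunk.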

- +

:

diff --git a/admin/edit_post.php b/admin/edit_post.php
index 4abcb98e..833f5b24 100644
--- a/admin/edit_post.php
+++ b/admin/edit_post.php
@@ -46,8 +46,10 @@ hesk_dbConnect();
 hesk_isLoggedIn();
 /* Check permissions for this feature */
-hesk_checkPermission('can_view_tickets');
-hesk_checkPermission('can_edit_tickets');
+if (!isset($_REQUEST['isManager']) || !$_REQUEST['isManager']) {
+ hesk_checkPermission('can_view_tickets');
+ hesk_checkPermission('can_edit_tickets');
+}
 /* Ticket ID */
 $trackingID = hesk_cleanID() or die($hesklang['int_error'].': '.$hesklang['no_trackID']);
@@ -70,7 +72,9 @@ if ( defined('HESK_DEMO') )
 }
 /* Is this user allowed to view tickets inside this category? */
-hesk_okCategory($ticket['category']);
+if (!isset($_REQUEST['isManager']) || !$_REQUEST['isManager']) {
+ hesk_okCategory($ticket['category']);
+}
 if ( hesk_isREQUEST('reply') )
 {
@@ -466,6 +470,9 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
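Review bot: The new guard `if (!isset($_REQUEST['isManager']) || !$_REQUEST['isManager'])` lets any logged-in user skip `hesk_checkPermission('can_view_tickets')`, `hesk_checkPermission('can_edit_tickets')` and, in the `@@ -70` hunk, `hesk_okCategory($ticket['category'])` by supplying that parameter themselves, because `$_REQUEST` is populated from the client (GET, POST and cookies) and nothing here verifies it. Manager status is an authorization fact and has to be computed server-side from the session user and the ticket's category; at line 46 the ticket has not been loaded yet, so `hesk_checkPermission('can_view_tickets')` should stay unconditional there and the relaxation can only happen after `$ticket` is fetched. Something like `$isManager = <server-side lookup: does the session user manage $ticket['category']?>;` followed by `if (!$isManager) { hesk_checkPermission('can_edit_tickets'); hesk_okCategory($ticket['category']); }` preserves the intent without trusting request input. It is also worth stating explicitly, in a comment next to that check, whether a category manager who lacks `can_edit_tickets` is meant to edit posts at all, since the current code answers yes without saying so.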
+ + +