fix(formanswer): access restriction
btry committed Mar 7, 2023
1 parent a62f879 commit a9451d9
Showing 1 changed file with 15 additions and 9 deletions.
24 changes: 15 additions & 9 deletions inc/formanswer.class.php
@@ -127,8 +127,10 @@ public function canViewItem() {

$groupUser = new Group_User();
$groups = $groupUser->getUserGroups($currentUser);
if (in_array($this->fields['users_id_validator'], $groups)) {
return true;
foreach ($groups as $group) {
if ($this->fields['groups_id_validator'] == $group['id']) {
return true;
}
}

$request = [
@@ -170,32 +172,36 @@ public function canViewItem() {
$ticket_user_table = Ticket_User::getTable();
$item_ticket_table = Item_Ticket::getTable();
$request = [
'SELECT' => Ticket_User::getTableField(User::getForeignKeyField()),
'SELECT' => [
Ticket_User::getTableField(User::getForeignKeyField()),
Ticket::getTableField('id'),
],
'FROM' => $ticket_user_table,
'INNER JOIN' => [
$ticket_table => [
'FKEY' => [
$ticket_table => 'id',
$ticket_user_table => 'tickets_id',
['AND' => [
Ticket_User::getTableField(User::getForeignKeyField()) => $currentUser,
]],
],
],
$item_ticket_table => [
'FKEY' => [
$item_ticket_table => 'tickets_id',
$ticket_table => 'id',
['AND' => [
Item_Ticket::getTableField('itemtype') => self::getType(),
Item_Ticket::getTableField('itemtype') => self::getType(),
Item_Ticket::getTableField('items_id') => $this->getID(),
]],
],
],

]
];

foreach ($DB->request($request) as $row) {
if ($row[User::getForeignKeyField()] == $currentUser) {
return true;
}
if ($DB->request($request)->count() > 0) {
return true;
}

return false;
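Review bot: The ticket-based grant at the end of the second hunk returns true as soon as the join yields any row, and the only conditions visible in `$request` are the current user's id on `Ticket_User` and the `itemtype`/`items_id` pair on `Item_Ticket`. Nothing restricts the actor role or excludes tickets that have been moved to the trash. If that breadth is intended, state the rule above the query, e.g. `// Any actor of a ticket generated from this answer may view the answer`. If it is not, add the missing filter to the ticket join's `AND` block, for example `Ticket::getTableField('is_deleted') => 0,` (this assumes a trashed ticket should stop granting access, which needs confirming against the ticket rights model). The body of canViewItem() starts and ends outside both hunks, so the earlier grants and the surrounding checks cannot be judged from here.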