From a9451d9822bec7da1812f8c5aeea513c7a1bc2e0 Mon Sep 17 00:00:00 2001
From: Thierry Bugier
Date: Tue, 7 Mar 2023 08:57:08 +0100
Subject: [PATCH] fix(formanswer): access restriction
---
 inc/formanswer.class.php | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/inc/formanswer.class.php b/inc/formanswer.class.php
index 8ee7ff938..b1c3baaff 100644
--- a/inc/formanswer.class.php
+++ b/inc/formanswer.class.php
@@ -127,8 +127,10 @@ public function canViewItem() {
 $groupUser = new Group_User();
 $groups = $groupUser->getUserGroups($currentUser);
- if (in_array($this->fields['users_id_validator'], $groups)) {
- return true;
+ foreach ($groups as $group) {
+ if ($this->fields['groups_id_validator'] == $group['id']) {
+ return true;
+ }
 }
 $request = [
@@ -170,13 +172,19 @@ public function canViewItem() {
 $ticket_user_table = Ticket_User::getTable();
 $item_ticket_table = Item_Ticket::getTable();
 $request = [
- 'SELECT' => Ticket_User::getTableField(User::getForeignKeyField()),
+ 'SELECT' => [
+ Ticket_User::getTableField(User::getForeignKeyField()),
+ Ticket::getTableField('id'),
+ ],
 'FROM' => $ticket_user_table,
 'INNER JOIN' => [
 $ticket_table => [
 'FKEY' => [
 $ticket_table => 'id',
 $ticket_user_table => 'tickets_id',
+ ['AND' => [
+ Ticket_User::getTableField(User::getForeignKeyField()) => $currentUser,
+ ]],
 ],
 ],
 $item_ticket_table => [
@@ -184,18 +192,16 @@ public function canViewItem() {
 $item_ticket_table => 'tickets_id',
 $ticket_table => 'id',
 ['AND' => [
- Item_Ticket::getTableField('itemtype') => self::getType(),
+ Item_Ticket::getTableField('itemtype') => self::getType(),
+ Item_Ticket::getTableField('items_id') => $this->getID(),
 ]],
 ],
 ],
- ]
 ];
- foreach ($DB->request($request) as $row) {
- if ($row[User::getForeignKeyField()] == $currentUser) {
- return true;
- }
+ if ($DB->request($request)->count() > 0) {
+ return true;
 }
 return false;
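Review bot: The new group-validator loop in the first hunk indexes `$group['id']`, while the code it replaces passed the same `$groups` straight to `in_array()` as if it were a flat list of ids; only one of those shapes can be what `Group_User::getUserGroups()` returns, and the hunk does not show which. If it is a flat list, `$group['id']` on an int yields null (with a PHP 8 warning) and the check silently never matches — fail-closed, but the group-validator path would be broken rather than fixed. Worth confirming the return shape and, either way, tightening the loose `==` to `(int) $this->fields['groups_id_validator'] === (int) $group['id']` so a `'0'`/empty validator field can never be coerced into a match. `canViewItem()` starts above this hunk, so whatever populates `$currentUser` is not visible here.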
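Review bot: The `['AND' => [...]]` added to the ticket join in the second hunk restricts `Ticket_User` rows to `$currentUser` but not by actor type; if that link table carries the requester/observer/assignee `type` column as in GLPI core, every actor on a generated ticket — including an assigned technician — now gains view on the form answers, which may be wider than the validator/requester semantics the rest of `canViewItem()` implements. If that is intended, say so where the filter is added: `// any actor of a generated ticket (requester, observer, assignee) may view the answers`; if not, add a `type` condition alongside the user condition in the same `AND` block. `Ticket::getTableField('id')` is also added to `SELECT` although the third hunk only counts rows, so a short comment on why it is selected would stop the next reader from dropping it.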
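Review bot: The lone `]` removed in the third hunk looks like one closing bracket too many to drop: counting the opens visible in the second and third hunks (`$request = [`, `'INNER JOIN' => [`, `$item_ticket_table => [`, the `'FKEY' => [` that must sit on the single line between the hunks, and `['AND' => [`), the new side's remaining closers `]],`, `],`, `],`, `];` leave `$request = [` unclosed, whereas the old side balanced. If the line between the hunks is anything other than `'FKEY' => [` this is moot, but since a parse error here would disable `canViewItem()` for the whole plugin, please run `php -l inc/formanswer.class.php` before merging. The substantive fix — scoping the `Item_Ticket` join to `items_id => $this->getID()` so a user on any linked ticket no longer sees every form answer — is correct; a `// scope to this answer only, otherwise any ticket actor could read every FormAnswer` comment next to it would record why that line matters.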