From 1d63e25855483440e2b2382eaf095b673dc87592 Mon Sep 17 00:00:00 2001
From: Garret Wassermann
Date: Fri, 15 Dec 2017 17:18:54 -0500
Subject: [PATCH] Improve permissions to view pages, to partially address #326
---
 helpdesk/views/staff.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/helpdesk/views/staff.py b/helpdesk/views/staff.py
index c8ab1884..34e766ad 100644
--- a/helpdesk/views/staff.py
+++ b/helpdesk/views/staff.py
@@ -86,6 +86,15 @@ def _has_access_to_queue(user, queue):
 return user.has_perm(queue.permission_name)
+def _is_my_ticket(user, ticket):
+ """Check to see if the user has permission to access
+ a ticket. If not then deny access."""
+ if user.is_superuser or user.is_staff or user.id == ticket.customer_id:
+ return True
+ else:
+ return False
+
+
 def dashboard(request):
 """
 A quick summary overview for users: A list of their own tickets, a table
@@ -173,6 +182,8 @@ def delete_ticket(request, ticket_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 if request.method == 'GET':
 return render(request, 'helpdesk/delete_ticket.html', {
@@ -192,6 +203,9 @@ def followup_edit(request, ticket_id, followup_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
+
 if request.method == 'GET':
 form = EditFollowUpForm(initial={
 'title': escape(followup.title),
@@ -257,6 +271,8 @@ def view_ticket(request, ticket_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 if 'take' in request.GET:
 # Allow the user to assign the ticket to themselves whilst viewing it.
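Review bot: `user.id == ticket.customer_id` in `_is_my_ticket` has no guard on either side, so if `customer_id` is nullable and a request carrying an anonymous user (whose `id` is `None`) reaches one of these views without an earlier login or staff decorator — none is visible in these hunks — `None == None` grants access to a ticket that has no customer; `(ticket.customer_id is not None and user.id == ticket.customer_id)` avoids that. I also cannot see the `Ticket` model from here, so please confirm it actually has a `customer` relation, since every one of the nine call sites would raise `AttributeError` otherwise. The `if …: return True / else: return False` shape collapses to `return bool(user.is_superuser or user.is_staff or (ticket.customer_id is not None and user.id == ticket.customer_id))`. The docstring says the function denies access, but it only reports a result; `"""Return True if *user* may act on *ticket*: superusers, staff, and the ticket's customer."""` states the actual contract.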
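Review bot: The new `if not _is_my_ticket(request.user, ticket): raise PermissionDenied()` pair is copied verbatim after the existing `_has_access_to_queue` pair in `delete_ticket` here and again in `followup_edit`, `view_ticket`, `edit_ticket`, `hold_ticket`, `ticket_cc`, `ticket_cc_add`, `ticket_dependency_add` and `attachment_del`, so access control now depends on every present and future ticket view remembering two separate checks. A single helper — `def _check_ticket_access(user, ticket):` / `if not (_has_access_to_queue(user, ticket.queue) and _is_my_ticket(user, ticket)):` / `raise PermissionDenied()` — reduces each call site to one line and makes a view that still performs only the queue check stand out in review. Whether any other view in this file fetches a `Ticket` and does only the queue check cannot be told from these hunks. Each enclosing view function starts before its hunk.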
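Review bot: The new check in `followup_edit` authorizes `ticket`, resolved from `ticket_id`, but the object the view actually edits is `followup`, which this hunk reads (`followup.title`) without fetching, so its lookup sits above the hunk and nothing visible ties it to `ticket`; the same pattern appears in `attachment_del`, where `attachment = get_object_or_404(Attachment, id=attachment_id)` is resolved by id alone directly after the new check. Unless a line outside these hunks compares the two, a user who passes both checks for one ticket could be editing a follow-up, or deleting an attachment, that belongs to a different ticket. If `FollowUp` and `Attachment` carry a relation back to the ticket (not visible here), constraining the lookup on it — e.g. `followup = get_object_or_404(FollowUp, id=followup_id, ticket=ticket)` — closes the gap, with the relation name to be confirmed against the models. Both enclosing functions start before their hunks.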
@@ -952,6 +968,8 @@ def edit_ticket(request, ticket_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 if request.method == 'POST':
 form = EditTicketForm(request.POST, instance=ticket)
@@ -1031,6 +1049,8 @@ def hold_ticket(request, ticket_id, unhold=False):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 if unhold:
 ticket.on_hold = False
@@ -1410,6 +1430,8 @@ def ticket_cc(request, ticket_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 copies_to = ticket.ticketcc_set.all()
 return render(request, 'helpdesk/ticket_cc_list.html', {
@@ -1425,6 +1447,8 @@ def ticket_cc_add(request, ticket_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 if request.method == 'POST':
 form = TicketCCForm(request.POST)
@@ -1464,6 +1488,8 @@ def ticket_dependency_add(request, ticket_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 if request.method == 'POST':
 form = TicketDependencyForm(request.POST)
 if form.is_valid():
@@ -1498,6 +1524,8 @@ def attachment_del(request, ticket_id, attachment_id):
 ticket = get_object_or_404(Ticket, id=ticket_id)
 if not _has_access_to_queue(request.user, ticket.queue):
 raise PermissionDenied()
+ if not _is_my_ticket(request.user, ticket):
+ raise PermissionDenied()
 attachment = get_object_or_404(Attachment, id=attachment_id)
 if request.method == 'POST':