! Preferences weren't checked properly. Further investigation revealed a possible bug in the permissions system when checking multiple permissions at once: it might have been possible for users to do something wild and crazy with the permissions, leading to permissions being granted in edge cases where options were presented that didn't work, such as the button for the list of closed tickets (though it must be noted that data was never at risk of leaking to unauthorised users) [Bug 769]
gruffen

gruffen commited on 2011-06-23 09:53:56
Showing 2 changed files, with 8 additions and 2 deletions.

@@ -795,7 +795,7 @@ function shd_view_ticket()
795 795
 	$context['display_notifications'] = array(
796 796
 		'show' => false,
797 797
 		'preferences' => array(),
798
-		'can_change' => shd_allowed_to('shd_view_profile', 0) && shd_allowed_to('shd_view_preferences', 0), // not department related
798
+		'can_change' => shd_allowed_to(array('shd_view_profile_own', 'shd_view_profile_any'), 0) && shd_allowed_to(array('shd_view_preferences_own', 'shd_view_preferences_any'), 0), // not department related
799 799
 		'can_monitor' => shd_allowed_to('shd_monitor_ticket_any', $context['ticket']['dept']) || ($context['ticket']['ticket_opener'] && shd_allowed_to('shd_monitor_ticket_own', $context['ticket']['dept'])),
800 800
 		'is_monitoring' => false,
801 801
 		'can_ignore' => shd_allowed_to('shd_ignore_ticket_any', $context['ticket']['dept']) || ($context['ticket']['ticket_opener'] && shd_allowed_to('shd_ignore_ticket_own', $context['ticket']['dept'])),
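Review bot: The `can_change` check on new line 798 accepts either the `_own` or the `_any` variant of each permission, so a user who holds `shd_view_profile_any` but not `shd_view_profile_own` is treated as able to change their own notification preferences; if `_any` is meant to imply `_own` that is fine, but nothing on the line says so. I would extend the trailing comment to record it, e.g. `// not department related; either the _own or the _any variant suffices because the user edits their own preferences`. The two calls could also be pulled into named locals just before the array literal, which would keep the line readable. The array literal and `shd_view_ticket` itself both continue outside the hunk.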
@@ -494,8 +494,14 @@ function shd_allowed_to($permission, $dept = 0)
494 494
 			return true;
495 495
 		elseif (!is_array($permission) && !empty($user_info['shd_permissions'][$permission]))
496 496
 			return true;
497
-		elseif (is_array($permission) && count(array_intersect(array_keys($user_info['shd_permissions']), $permission)) != 0)
497
+		elseif (is_array($permission))
498
+		{
499
+			foreach ($permission as $perm)
500
+				if (!empty($user_info['shd_permissions'][$perm]))
498 501
 					return true;
502
+
503
+			return false;
504
+		}
499 505
 		else
500 506
 			return false;
501 507
 	}
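Review bot: The new loop on lines 499-500 tests each entry with `!empty(...)` rather than key presence, which appears to be the actual fix over the removed `array_intersect(array_keys(...))` check, but nothing in the code records why; I would add above the `foreach` `// test the value, not key presence: a permission key presumably can exist with a false/0 value, which must not grant` so the next reader does not simplify it back to an intersection. The array branch now uses the same `!empty` test as the scalar branch on line 495, which is worth keeping in sync if either changes. This branch only consults `$user_info['shd_permissions']`; whether `$dept` is applied earlier in the function cannot be seen here, since `shd_allowed_to` begins before the hunk.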
502 508