fix(tickets): permission enforcement

polonel · May 18, 2022 · 577c7eb · 577c7eb
1 parent 740d562
commit 577c7eb
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 23 deletions.
diff --git a/src/controllers/api/v1/routes.js b/src/controllers/api/v1/routes.js
@@ -12,20 +12,20 @@
  *  Copyright (c) 2014-2019. All rights reserved.
  */
 
-var packagejson = require('../../../../package')
+const packagejson = require('../../../../package')
 
 module.exports = function (middleware, router, controllers) {
-  // ShortenVars
-  var apiv1 = middleware.api
-  var isAdmin = middleware.isAdmin
-  var isAgent = middleware.isAgent
-  var isAgentOrAdmin = middleware.isAgentOrAdmin
-  var canUser = middleware.canUser
-  var apiCtrl = controllers.api.v1
+  // Shortenconsts
+  const apiv1 = middleware.api
+  const isAdmin = middleware.isAdmin
+  const isAgent = middleware.isAgent
+  const isAgentOrAdmin = middleware.isAgentOrAdmin
+  const canUser = middleware.canUser
+  const apiCtrl = controllers.api.v1
 
   // Common
   router.get('/api', controllers.api.index)
-  router.get('/api/v1/version', function (req, res) {
+  router.get('/api/v1/version', (req, res) => {
     return res.json({ version: packagejson.version })
   })
   router.post('/api/v1/login', apiCtrl.common.login)
@@ -92,7 +92,7 @@ module.exports = function (middleware, router, controllers) {
 
   // Tags
   router.get('/api/v1/count/tags', middleware.api, function (req, res) {
-    var tagSchema = require('../models/tag')
+    const tagSchema = require('../../../models/tag')
     tagSchema.countDocuments({}, function (err, count) {
       if (err) return res.status(500).json({ success: false, error: err })
 
@@ -106,8 +106,8 @@ module.exports = function (middleware, router, controllers) {
   router.delete('/api/v1/tags/:id', apiv1, isAgentOrAdmin, apiCtrl.tags.deleteTag)
 
   // Public Tickets
-  var checkCaptcha = middleware.checkCaptcha
-  var checkOrigin = middleware.checkOrigin
+  const checkCaptcha = middleware.checkCaptcha
+  const checkOrigin = middleware.checkOrigin
 
   router.post('/api/v1/public/users/checkemail', checkCaptcha, checkOrigin, apiCtrl.users.checkEmail)
   router.post('/api/v1/public/tickets/create', checkCaptcha, checkOrigin, apiCtrl.tickets.createPublicTicket)
@@ -154,8 +154,8 @@ module.exports = function (middleware, router, controllers) {
   router.delete('/api/v1/notices/:id', apiv1, canUser('notices:delete'), apiCtrl.notices.deleteNotice)
 
   // Reports Generator
-  var reportsGenCtrl = apiCtrl.reports.generate
-  var genBaseUrl = '/api/v1/reports/generate/'
+  const reportsGenCtrl = apiCtrl.reports.generate
+  const genBaseUrl = '/api/v1/reports/generate/'
   router.post(genBaseUrl + 'tickets_by_group', apiv1, canUser('reports:create'), reportsGenCtrl.ticketsByGroup)
   router.post(genBaseUrl + 'tickets_by_status', apiv1, canUser('reports:create'), reportsGenCtrl.ticketsByStatus)
   router.post(genBaseUrl + 'tickets_by_priority', apiv1, canUser('reports:create'), reportsGenCtrl.ticketsByPriority)
@@ -171,7 +171,7 @@ module.exports = function (middleware, router, controllers) {
   router.post('/api/v1/settings/testmailer', apiv1, isAdmin, apiCtrl.settings.testMailer)
   router.put('/api/v1/settings/mailer/template/:id', apiv1, isAdmin, apiCtrl.settings.updateTemplateSubject)
   router.get('/api/v1/settings/buildsass', apiv1, isAdmin, apiCtrl.settings.buildsass)
-  router.put('/api/v1/settings/updateroleorder', isAdmin, apiv1, apiCtrl.settings.updateRoleOrder)
+  router.put('/api/v1/settings/updateroleorder', apiv1, isAdmin, apiCtrl.settings.updateRoleOrder)
 
   // Backups
   router.get('/api/v1/backups', apiv1, isAdmin, controllers.backuprestore.getBackups)

diff --git a/src/controllers/api/v2/tickets.js b/src/controllers/api/v2/tickets.js
@@ -134,8 +134,8 @@ ticketsV2.get = function (req, res) {
   )
 }
 
-ticketsV2.single = function (req, res) {
-  var uid = req.params.uid
+ticketsV2.single = async function (req, res) {
+  const uid = req.params.uid
   if (!uid) return apiUtils.sendApiError(res, 400, 'Invalid Parameters')
   Ticket.getTicketByUid(uid, function (err, ticket) {
     if (err) return apiUtils.sendApiError(res, 500, err)
@@ -144,7 +144,7 @@ ticketsV2.single = function (req, res) {
       Department.getDepartmentGroupsOfUser(req.user._id, function (err, dbGroups) {
         if (err) return apiUtils.sendApiError(res, 500, err)
 
-        var groups = dbGroups.map(function (g) {
+        const groups = dbGroups.map(function (g) {
           return g._id.toString()
         })
 
@@ -158,7 +158,7 @@ ticketsV2.single = function (req, res) {
       Group.getAllGroupsOfUser(req.user._id, function (err, userGroups) {
         if (err) return apiUtils.sendApiError(res, 500, err)
 
-        var groupIds = userGroups.map(function (m) {
+        const groupIds = userGroups.map(function (m) {
           return m._id.toString()
         })
 

diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js
@@ -513,6 +513,13 @@ ticketsController.single = function (req, res) {
             }
           }
 
+          if (
+            ticket.owner._id.toString() !== req.user._id.toString() &&
+            !permissions.canThis(user.role, 'tickets:viewall')
+          ) {
+            return res.redirect('/tickets')
+          }
+
           if (!permissions.canThis(user.role, 'comments:view')) ticket.comments = []
 
           if (!permissions.canThis(user.role, 'tickets:notes')) ticket.notes = []

diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
@@ -213,8 +213,8 @@ middleware.apiv2 = function (req, res, next) {
 middleware.canUser = function (action) {
   return function (req, res, next) {
     if (!req.user) return res.status(401).json({ success: false, error: 'Not Authorized for this API call.' })
-    var permissions = require('../permissions')
-    var perm = permissions.canThis(req.user.role, action)
+    const permissions = require('../permissions')
+    const perm = permissions.canThis(req.user.role, action)
     if (perm) return next()
 
     return res.status(401).json({ success: false, error: 'Not Authorized for this API call.' })

diff --git a/src/permissions/index.js b/src/permissions/index.js
@@ -38,11 +38,11 @@ var register = function (callback) {
  * Checks to see if a role as the given action
  * @param role [role to check against]
  * @param a [action to check]
- * @param adminOverride [Override permission check if idAdmin]
+ * @param adminOverride [override if admin]
  * @returns {boolean}
  */
 
-var canThis = function (role, a, adminOverride) {
+var canThis = function (role, a, adminOverride = false) {
   if (_.isUndefined(role)) return false
   if (adminOverride === true && role.isAdmin) return true