jwed/dashboard-ticketing
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: bootstrap blocker + 4 security bugs

Browse Source 
- Bootstrap (critical): settings/create/index no longer 403 on fresh install.
  Site admins (admin/super_admin) can access settings when 0 groups exist.
  First group creation seeds default priorities (Low/Medium/High/Urgent).
  Index shows friendly first-run splash. Create shows warning + settings link.

- Internal notes leak (high): submitters can no longer receive is_internal
  messages via ticket show, index detail panel, or any Inertia prop.
  filterMessagesForRole() strips internal notes for non-agents.

- Arbitrary assignee (med/high): update() now validates assigned_to against
  actual agent-access users for the ticket's group server-side.

- Cross-group priority/project forgery (medium): store() and update() now
  verify priority_id and project_id belong to the ticket's own group (or
  are global for priorities).

- Foreign message_id on attachment upload (medium): message_id is now
  validated to belong to the current ticket, not just any message row.
This commit is contained in:
Joel Wedemire
2026-04-08 18:31:51 -07:00
parent 615c091f88
commit 652829ab90
6 changed files with 213 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
resources/js/Pages/Ticketing/Create.vue
View File

@@ -5,7 +5,14 @@
<h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Submit a Ticket</h1>
</div>
<form @submit.prevent="submit" class="bg-white dark:bg-gray-800 rounded-xl shadow-sm border border-gray-200 dark:border-gray-700 p-6 space-y-5">
<!-- Bootstrap / No groups state -->
<div v-if="isBootstrap" class="bg-amber-50 dark:bg-amber-900/30 border border-amber-300 dark:border-amber-600 rounded-xl px-5 py-6 text-center">
<p class="text-amber-800 dark:text-amber-200 font-semibold text-base mb-2">📦 Ticketing isnt set up yet</p>
<p class="text-sm text-amber-700 dark:text-amber-300 mb-4">An admin needs to create at least one group before tickets can be submitted.</p>
<Link :href="route('ticketing.settings')" class="inline-block bg-indigo-600 text-white text-sm px-4 py-2 rounded-lg hover:bg-indigo-700">Go to Settings</Link>
</div>
<form v-else @submit.prevent="submit" class="bg-white dark:bg-gray-800 rounded-xl shadow-sm border border-gray-200 dark:border-gray-700 p-6 space-y-5">
<!-- Group -->
<div>
<label class="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1">Group <span class="text-red-500">*</span></label>
@@ -90,6 +97,7 @@ import { Link, useForm } from '@inertiajs/vue3'
const props = defineProps({
groups: Array,
priorities: Array,
isBootstrap: Boolean,
})
const form = useForm({

14
resources/js/Pages/Ticketing/Index.vue
View File

@@ -1,5 +1,17 @@
<template>
<div class="flex h-screen overflow-hidden bg-slate-100 text-slate-900 dark:bg-slate-950 dark:text-slate-100">
<!-- Bootstrap / first-run state -->
<div v-if="isBootstrap" class="flex flex-col items-center justify-center w-full h-full text-center px-6">
<div class="max-w-md">
<div class="text-5xl mb-4">🎫</div>
<h2 class="text-2xl font-bold text-slate-800 dark:text-slate-100 mb-2">Ticketing isnt set up yet</h2>
<p class="text-slate-500 dark:text-slate-400 mb-6">Create your first group in Settings to get started. Default priorities will be seeded automatically.</p>
<Link :href="route('ticketing.settings')" class="inline-block bg-indigo-600 text-white px-5 py-2.5 rounded-xl text-sm font-medium hover:bg-indigo-700 transition">Go to Settings</Link>
</div>
</div>
<template v-else>
<aside class="hidden w-72 shrink-0 border-r border-slate-200 bg-white/90 backdrop-blur dark:border-slate-800 dark:bg-slate-900/90 lg:flex lg:flex-col">
<div class="border-b border-slate-200 p-5 dark:border-slate-800">
<div class="flex items-center justify-between gap-3">
@@ -408,6 +420,7 @@
</div>
</template>
</section>
</template>
</div>
</template>
@@ -425,6 +438,7 @@ const props = defineProps({
ticketDetail: Object,
detailAgents: Array,
viewCounts: Object,
isBootstrap: Boolean,
})
const search = ref('')

11
resources/js/Pages/Ticketing/Settings.vue
View File

@@ -5,6 +5,15 @@
<h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Ticketing Settings</h1>
</div>
<!-- Bootstrap banner -->
<div v-if="isBootstrap" class="mb-6 px-5 py-4 bg-amber-50 dark:bg-amber-900/30 border border-amber-300 dark:border-amber-600 rounded-xl">
<h2 class="text-base font-semibold text-amber-800 dark:text-amber-200 mb-1">🚀 First-Run Setup</h2>
<p class="text-sm text-amber-700 dark:text-amber-300">
No groups exist yet. Create your first group below to get started.
Default priorities (Low, Medium, High, Urgent) will be seeded automatically.
</p>
</div>
<!-- Flash message -->
<div v-if="$page.props.flash?.success" class="mb-4 px-4 py-2 bg-green-50 dark:bg-green-900/30 border border-green-200 dark:border-green-700 text-green-700 dark:text-green-300 rounded-lg text-sm">
{{ $page.props.flash.success }}
@@ -239,6 +248,8 @@ const props = defineProps({
agents: Array,
priorities: Array,
myGroupIds: Array,
isBootstrap: Boolean,
isSiteAdmin: Boolean,
})
const activeTab = ref('groups')

16
src/Http/Controllers/TicketAttachmentController.php
View File

@@ -31,7 +31,21 @@ class TicketAttachmentController extends Controller
$request->validate([
'file' => 'required|file|max:' . (self::MAX_SIZE_MB * 1024),
'message_id' => 'nullable|exists:ticket_messages,id',
// Bug #5: message_id must belong to THIS ticket, not any arbitrary message
'message_id' => [
'nullable',
'integer',
function ($attribute, $value, $fail) use ($ticket) {
if ($value !== null) {
$exists = \Dashboard\Ticketing\Models\TicketMessage::where('id', $value)
->where('ticket_id', $ticket->id)
->exists();
if (!$exists) {
$fail('The message does not belong to this ticket.');
}
}
},
],
]);
$file = $request->file('file');

90
src/Http/Controllers/TicketController.php
View File

@@ -40,12 +40,40 @@ class TicketController extends Controller
->exists();
}
/**
* Filter messages for submitters — strip internal notes.
*/
private function filterMessagesForRole($messages, bool $isAgent)
{
if ($isAgent) {
return $messages;
}
return $messages->filter(fn($m) => !$m->is_internal)->values();
}
public function index(Request $request): Response
{
$user = Auth::user();
$agentGroupIds = $this->agentGroupIds();
$isAgent = count($agentGroupIds) > 0;
// If no groups exist at all, render a first-run / bootstrap state
$totalGroups = TicketingGroup::count();
if ($totalGroups === 0) {
return Inertia::render('Ticketing/Index', [
'tickets' => null,
'groups' => [],
'priorities' => [],
'projects' => [],
'isAgent' => $isAgent,
'filters' => [],
'ticketDetail' => null,
'detailAgents' => [],
'viewCounts' => ['all' => 0, 'mine' => 0, 'unassigned' => 0, 'pending' => 0, 'resolved' => 0],
'isBootstrap' => true,
]);
}
$baseQuery = Ticket::query();
if ($isAgent) {
@@ -169,9 +197,14 @@ class TicketController extends Controller
$dt->submitter = $detailUsers[$dt->submitter_id] ?? null;
$dt->assignee = $dt->assigned_to ? ($detailUsers[$dt->assigned_to] ?? null) : null;
$dt->messages->each(function ($msg) use ($detailUsers) {
// Bug #2: Filter internal notes for non-agents
$visibleMessages = $this->filterMessagesForRole($dt->messages, $isAgent);
$visibleMessages->each(function ($msg) use ($detailUsers) {
$msg->author = $msg->user_id ? ($detailUsers[$msg->user_id] ?? null) : null;
});
$dt->setRelation('messages', $visibleMessages);
$ticketDetail = $dt;
if ($isAgent) {
@@ -191,6 +224,7 @@ class TicketController extends Controller
'ticketDetail' => $ticketDetail,
'detailAgents' => $detailAgents,
'viewCounts' => $viewCounts,
'isBootstrap' => false,
]);
}
@@ -201,11 +235,22 @@ class TicketController extends Controller
$isAgent = count($agentGroupIds) > 0;
$groups = TicketingGroup::when($isAgent, fn($q) => $q->whereIn('id', $agentGroupIds))->get();
// No groups at all? Show first-run state.
if ($groups->isEmpty() && TicketingGroup::count() === 0) {
return Inertia::render('Ticketing/Create', [
'groups' => [],
'priorities' => [],
'isBootstrap' => true,
]);
}
$priorities = PriorityLevel::orderBy('sort_order')->get();
return Inertia::render('Ticketing/Create', [
'groups' => $groups,
'priorities' => $priorities,
'isBootstrap' => false,
]);
}
@@ -219,6 +264,14 @@ class TicketController extends Controller
'due_date' => 'nullable|date',
]);
// Bug #4: Ensure priority belongs to the chosen group (or is global)
if (!empty($validated['priority_id'])) {
$priority = PriorityLevel::find($validated['priority_id']);
if ($priority && $priority->group_id !== null && $priority->group_id != $validated['group_id']) {
abort(422, 'Priority does not belong to the selected group.');
}
}
$group = TicketingGroup::findOrFail($validated['group_id']);
$number = $group->nextTicketNumber();
@@ -244,13 +297,18 @@ class TicketController extends Controller
$ticket->load(['group', 'priority', 'project', 'messages', 'attachments']);
$userIds = $ticket->messages->pluck('user_id')->filter()->unique();
// Bug #2: Filter internal notes for submitters
$visibleMessages = $this->filterMessagesForRole($ticket->messages, $isAgent);
$userIds = $visibleMessages->pluck('user_id')->filter()->unique();
$users = DB::table('users')->whereIn('id', $userIds)->get(['id', 'name', 'email'])->keyBy('id');
$ticket->messages->each(function ($msg) use ($users) {
$visibleMessages->each(function ($msg) use ($users) {
$msg->author = $msg->user_id ? ($users[$msg->user_id] ?? null) : null;
});
$ticket->setRelation('messages', $visibleMessages);
$agents = [];
if ($isAgent) {
$agentIds = TicketingAgentAccess::where('group_id', $ticket->group_id)->pluck('user_id');
@@ -296,6 +354,11 @@ class TicketController extends Controller
abort(403);
}
// Bug #3: Valid assignees are users with agent access to this group
$validAssigneeIds = TicketingAgentAccess::where('group_id', $ticket->group_id)
->pluck('user_id')
->toArray();
$rules = [
'title' => 'sometimes|required|string|max:255',
'description' => 'sometimes|required|string',
@@ -303,13 +366,28 @@ class TicketController extends Controller
'priority_id' => 'nullable|exists:ticketing_priority_levels,id',
'due_date' => 'nullable|date',
'project_id' => 'nullable|exists:ticketing_projects,id',
'assigned_to' => 'nullable|in:' . implode(',', $validAssigneeIds ?: [0]),
];
if ($this->isAgent($ticket->group_id)) {
$rules['assigned_to'] = 'nullable|exists:users,id';
$validated = $request->validate($rules);
// Bug #4: priority_id must belong to this group or be global
if (!empty($validated['priority_id'])) {
$priority = PriorityLevel::find($validated['priority_id']);
if ($priority && $priority->group_id !== null && $priority->group_id !== $ticket->group_id) {
abort(422, 'Priority does not belong to this ticket\'s group.');
}
}
$ticket->update($request->validate($rules));
// Bug #4: project_id must belong to this group
if (!empty($validated['project_id'])) {
$project = TicketingProject::find($validated['project_id']);
if ($project && $project->group_id !== $ticket->group_id) {
abort(422, 'Project does not belong to this ticket\'s group.');
}
}
$ticket->update($validated);
return back()->with('success', 'Ticket updated.');
}

89
src/Http/Controllers/TicketingSettingsController.php
View File

@@ -13,11 +13,38 @@ use Inertia\Response;
class TicketingSettingsController extends Controller
{
/**
* True if there are zero groups in the system (first-run bootstrap state).
*/
private function isBootstrapState(): bool
{
return TicketingGroup::count() === 0;
}
/**
* True if the current user is a site-level admin or super_admin.
*/
private function isSiteAdmin(): bool
{
$role = Auth::user()?->role;
return in_array($role, ['admin', 'super_admin']);
}
/**
* Require either:
* - existing agent access, OR
* - bootstrap state + site admin (so first admin can seed the system)
*/
private function requireAgentAccess(): void
{
$hasAccess = TicketingAgentAccess::where('user_id', Auth::id())->exists();
if (!$hasAccess) {
abort(403);
// Allow site admins through during bootstrap (no groups yet)
if ($this->isBootstrapState() && $this->isSiteAdmin()) {
return;
}
abort(403, 'You need agent access to manage ticketing settings.');
}
}
@@ -37,29 +64,49 @@ class TicketingSettingsController extends Controller
$this->requireAgentAccess();
$userId = Auth::id();
$isBootstrap = $this->isBootstrapState();
$myGroupIds = TicketingAgentAccess::where('user_id', $userId)->pluck('group_id');
$groups = TicketingGroup::whereIn('id', $myGroupIds)->get();
$groups = $isBootstrap
? collect()
: TicketingGroup::whereIn('id', $myGroupIds)->get();
$agents = TicketingAgentAccess::whereIn('group_id', $myGroupIds)->get();
$agentUserIds = $agents->pluck('user_id')->unique();
$agentUsers = \DB::table('users')->whereIn('id', $agentUserIds)->get(['id', 'name', 'email'])->keyBy('id');
$agents->each(fn($a) => $a->user = $agentUsers[$a->user_id] ?? null);
$agents = $isBootstrap
? collect()
: TicketingAgentAccess::whereIn('group_id', $myGroupIds)->get();
$priorities = PriorityLevel::where(fn($q) => $q->whereNull('group_id')->orWhereIn('group_id', $myGroupIds))
->orderBy('sort_order')->get();
if ($agents->isNotEmpty()) {
$agentUserIds = $agents->pluck('user_id')->unique();
$agentUsers = \DB::table('users')->whereIn('id', $agentUserIds)->get(['id', 'name', 'email'])->keyBy('id');
$agents->each(fn($a) => $a->user = $agentUsers[$a->user_id] ?? null);
}
$priorities = $isBootstrap
? collect()
: PriorityLevel::where(fn($q) => $q->whereNull('group_id')->orWhereIn('group_id', $myGroupIds))
->orderBy('sort_order')->get();
return Inertia::render('Ticketing/Settings', [
'groups' => $groups,
'agents' => $agents,
'priorities' => $priorities,
'myGroupIds' => $myGroupIds,
'isBootstrap' => $isBootstrap,
'isSiteAdmin' => $this->isSiteAdmin(),
]);
}
public function storeGroup(Request $request)
{
$this->requireAgentAccess();
// During bootstrap, any site admin can create the first group.
// After bootstrap, require existing agent access.
if ($this->isBootstrapState()) {
if (!$this->isSiteAdmin()) {
abort(403, 'Only site admins can create the first group.');
}
} else {
$this->requireAgentAccess();
}
$validated = $request->validate([
'name' => 'required|string|max:100',
@@ -77,6 +124,25 @@ class TicketingSettingsController extends Controller
'role' => 'manager',
]);
// Seed default priorities for this group if none exist globally
if (PriorityLevel::count() === 0) {
$defaults = [
['name' => 'Low', 'color' => '#6b7280', 'sort_order' => 1],
['name' => 'Medium', 'color' => '#3b82f6', 'sort_order' => 2],
['name' => 'High', 'color' => '#f59e0b', 'sort_order' => 3],
['name' => 'Urgent', 'color' => '#ef4444', 'sort_order' => 4],
];
foreach ($defaults as $d) {
PriorityLevel::create([
'group_id' => $group->id,
'name' => $d['name'],
'color' => $d['color'],
'description' => null,
'sort_order' => $d['sort_order'],
]);
}
}
return back()->with('success', 'Group created.');
}
@@ -137,6 +203,11 @@ class TicketingSettingsController extends Controller
'group_id' => 'nullable|exists:ticketing_groups,id',
]);
// If group_id given, caller must be manager of that group
if (!empty($validated['group_id'])) {
$this->requireManagerAccess($validated['group_id']);
}
PriorityLevel::create($validated);
return back()->with('success', 'Priority level created.');