fix: bootstrap blocker + 4 security bugs

- Bootstrap (critical): settings/create/index no longer 403 on fresh install. Site admins (admin/super_admin) can access settings when 0 groups exist. First group creation seeds default priorities (Low/Medium/High/Urgent). Index shows friendly first-run splash. Create shows warning + settings link. - Internal notes leak (high): submitters can no longer receive is_internal messages via ticket show, index detail panel, or any Inertia prop. filterMessagesForRole() strips internal notes for non-agents. - Arbitrary assignee (med/high): update() now validates assigned_to against actual agent-access users for the ticket's group server-side. - Cross-group priority/project forgery (medium): store() and update() now verify priority_id and project_id belong to the ticket's own group (or are global for priorities). - Foreign message_id on attachment upload (medium): message_id is now validated to belong to the current ticket, not just any message row.
2026-04-08 18:31:51 -07:00
parent 615c091f88
commit 652829ab90
6 changed files with 213 additions and 17 deletions
--- a/resources/js/Pages/Ticketing/Create.vue
+++ b/resources/js/Pages/Ticketing/Create.vue
@@ -5,7 +5,14 @@
      <h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Submit a Ticket</h1>
    </div>

-    <form @submit.prevent="submit" class="bg-white dark:bg-gray-800 rounded-xl shadow-sm border border-gray-200 dark:border-gray-700 p-6 space-y-5">
+    <!-- Bootstrap / No groups state -->
+    <div v-if="isBootstrap" class="bg-amber-50 dark:bg-amber-900/30 border border-amber-300 dark:border-amber-600 rounded-xl px-5 py-6 text-center">
+      <p class="text-amber-800 dark:text-amber-200 font-semibold text-base mb-2">📦 Ticketing isn’t set up yet</p>
+      <p class="text-sm text-amber-700 dark:text-amber-300 mb-4">An admin needs to create at least one group before tickets can be submitted.</p>
+      <Link :href="route('ticketing.settings')" class="inline-block bg-indigo-600 text-white text-sm px-4 py-2 rounded-lg hover:bg-indigo-700">Go to Settings</Link>
+    </div>
+
+    <form v-else @submit.prevent="submit" class="bg-white dark:bg-gray-800 rounded-xl shadow-sm border border-gray-200 dark:border-gray-700 p-6 space-y-5">
      <!-- Group -->
      <div>
        <label class="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1">Group <span class="text-red-500">*</span></label>
@@ -90,6 +97,7 @@ import { Link, useForm } from '@inertiajs/vue3'
 const props = defineProps({
  groups: Array,
  priorities: Array,
+  isBootstrap: Boolean,
 })

 const form = useForm({
--- a/resources/js/Pages/Ticketing/Index.vue
+++ b/resources/js/Pages/Ticketing/Index.vue
@@ -1,5 +1,17 @@
 <template>
  <div class="flex h-screen overflow-hidden bg-slate-100 text-slate-900 dark:bg-slate-950 dark:text-slate-100">
+
+    <!-- Bootstrap / first-run state -->
+    <div v-if="isBootstrap" class="flex flex-col items-center justify-center w-full h-full text-center px-6">
+      <div class="max-w-md">
+        <div class="text-5xl mb-4">🎫</div>
+        <h2 class="text-2xl font-bold text-slate-800 dark:text-slate-100 mb-2">Ticketing isn’t set up yet</h2>
+        <p class="text-slate-500 dark:text-slate-400 mb-6">Create your first group in Settings to get started. Default priorities will be seeded automatically.</p>
+        <Link :href="route('ticketing.settings')" class="inline-block bg-indigo-600 text-white px-5 py-2.5 rounded-xl text-sm font-medium hover:bg-indigo-700 transition">Go to Settings</Link>
+      </div>
+    </div>
+
+    <template v-else>
    <aside class="hidden w-72 shrink-0 border-r border-slate-200 bg-white/90 backdrop-blur dark:border-slate-800 dark:bg-slate-900/90 lg:flex lg:flex-col">
      <div class="border-b border-slate-200 p-5 dark:border-slate-800">
        <div class="flex items-center justify-between gap-3">
@@ -408,6 +420,7 @@
        </div>
      </template>
    </section>
+  </template>
  </div>
 </template>

@@ -425,6 +438,7 @@ const props = defineProps({
  ticketDetail: Object,
  detailAgents: Array,
  viewCounts: Object,
+  isBootstrap: Boolean,
 })

 const search = ref('')
--- a/resources/js/Pages/Ticketing/Settings.vue
+++ b/resources/js/Pages/Ticketing/Settings.vue
@@ -5,6 +5,15 @@
      <h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Ticketing Settings</h1>
    </div>

+    <!-- Bootstrap banner -->
+    <div v-if="isBootstrap" class="mb-6 px-5 py-4 bg-amber-50 dark:bg-amber-900/30 border border-amber-300 dark:border-amber-600 rounded-xl">
+      <h2 class="text-base font-semibold text-amber-800 dark:text-amber-200 mb-1">🚀 First-Run Setup</h2>
+      <p class="text-sm text-amber-700 dark:text-amber-300">
+        No groups exist yet. Create your first group below to get started.
+        Default priorities (Low, Medium, High, Urgent) will be seeded automatically.
+      </p>
+    </div>
+
    <!-- Flash message -->
    <div v-if="$page.props.flash?.success" class="mb-4 px-4 py-2 bg-green-50 dark:bg-green-900/30 border border-green-200 dark:border-green-700 text-green-700 dark:text-green-300 rounded-lg text-sm">
      {{ $page.props.flash.success }}
@@ -239,6 +248,8 @@ const props = defineProps({
  agents: Array,
  priorities: Array,
  myGroupIds: Array,
+  isBootstrap: Boolean,
+  isSiteAdmin: Boolean,
 })

 const activeTab = ref('groups')