fix: bootstrap blocker + 4 security bugs
- Bootstrap (critical): settings/create/index no longer 403 on fresh install. Site admins (admin/super_admin) can access settings when 0 groups exist. First group creation seeds default priorities (Low/Medium/High/Urgent). Index shows friendly first-run splash. Create shows warning + settings link. - Internal notes leak (high): submitters can no longer receive is_internal messages via ticket show, index detail panel, or any Inertia prop. filterMessagesForRole() strips internal notes for non-agents. - Arbitrary assignee (med/high): update() now validates assigned_to against actual agent-access users for the ticket's group server-side. - Cross-group priority/project forgery (medium): store() and update() now verify priority_id and project_id belong to the ticket's own group (or are global for priorities). - Foreign message_id on attachment upload (medium): message_id is now validated to belong to the current ticket, not just any message row.
This commit is contained in:
Joel Wedemire
@@ -13,11 +13,38 @@ use Inertia\Response;
|
||||
|
||||
class TicketingSettingsController extends Controller
|
||||
{
|
||||
/**
|
||||
* True if there are zero groups in the system (first-run bootstrap state).
|
||||
*/
|
||||
private function isBootstrapState(): bool
|
||||
{
|
||||
return TicketingGroup::count() === 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* True if the current user is a site-level admin or super_admin.
|
||||
*/
|
||||
private function isSiteAdmin(): bool
|
||||
{
|
||||
$role = Auth::user()?->role;
|
||||
return in_array($role, ['admin', 'super_admin']);
|
||||
}
|
||||
|
||||
/**
|
||||
* Require either:
|
||||
* - existing agent access, OR
|
||||
* - bootstrap state + site admin (so first admin can seed the system)
|
||||
*/
|
||||
private function requireAgentAccess(): void
|
||||
{
|
||||
$hasAccess = TicketingAgentAccess::where('user_id', Auth::id())->exists();
|
||||
|
||||
if (!$hasAccess) {
|
||||
abort(403);
|
||||
// Allow site admins through during bootstrap (no groups yet)
|
||||
if ($this->isBootstrapState() && $this->isSiteAdmin()) {
|
||||
return;
|
||||
}
|
||||
abort(403, 'You need agent access to manage ticketing settings.');
|
||||
}
|
||||
}
|
||||
|
||||
@@ -37,29 +64,49 @@ class TicketingSettingsController extends Controller
|
||||
$this->requireAgentAccess();
|
||||
|
||||
$userId = Auth::id();
|
||||
$isBootstrap = $this->isBootstrapState();
|
||||
$myGroupIds = TicketingAgentAccess::where('user_id', $userId)->pluck('group_id');
|
||||
|
||||
$groups = TicketingGroup::whereIn('id', $myGroupIds)->get();
|
||||
$groups = $isBootstrap
|
||||
? collect()
|
||||
: TicketingGroup::whereIn('id', $myGroupIds)->get();
|
||||
|
||||
$agents = TicketingAgentAccess::whereIn('group_id', $myGroupIds)->get();
|
||||
$agentUserIds = $agents->pluck('user_id')->unique();
|
||||
$agentUsers = \DB::table('users')->whereIn('id', $agentUserIds)->get(['id', 'name', 'email'])->keyBy('id');
|
||||
$agents->each(fn($a) => $a->user = $agentUsers[$a->user_id] ?? null);
|
||||
$agents = $isBootstrap
|
||||
? collect()
|
||||
: TicketingAgentAccess::whereIn('group_id', $myGroupIds)->get();
|
||||
|
||||
$priorities = PriorityLevel::where(fn($q) => $q->whereNull('group_id')->orWhereIn('group_id', $myGroupIds))
|
||||
->orderBy('sort_order')->get();
|
||||
if ($agents->isNotEmpty()) {
|
||||
$agentUserIds = $agents->pluck('user_id')->unique();
|
||||
$agentUsers = \DB::table('users')->whereIn('id', $agentUserIds)->get(['id', 'name', 'email'])->keyBy('id');
|
||||
$agents->each(fn($a) => $a->user = $agentUsers[$a->user_id] ?? null);
|
||||
}
|
||||
|
||||
$priorities = $isBootstrap
|
||||
? collect()
|
||||
: PriorityLevel::where(fn($q) => $q->whereNull('group_id')->orWhereIn('group_id', $myGroupIds))
|
||||
->orderBy('sort_order')->get();
|
||||
|
||||
return Inertia::render('Ticketing/Settings', [
|
||||
'groups' => $groups,
|
||||
'agents' => $agents,
|
||||
'priorities' => $priorities,
|
||||
'myGroupIds' => $myGroupIds,
|
||||
'isBootstrap' => $isBootstrap,
|
||||
'isSiteAdmin' => $this->isSiteAdmin(),
|
||||
]);
|
||||
}
|
||||
|
||||
public function storeGroup(Request $request)
|
||||
{
|
||||
$this->requireAgentAccess();
|
||||
// During bootstrap, any site admin can create the first group.
|
||||
// After bootstrap, require existing agent access.
|
||||
if ($this->isBootstrapState()) {
|
||||
if (!$this->isSiteAdmin()) {
|
||||
abort(403, 'Only site admins can create the first group.');
|
||||
}
|
||||
} else {
|
||||
$this->requireAgentAccess();
|
||||
}
|
||||
|
||||
$validated = $request->validate([
|
||||
'name' => 'required|string|max:100',
|
||||
@@ -77,6 +124,25 @@ class TicketingSettingsController extends Controller
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
// Seed default priorities for this group if none exist globally
|
||||
if (PriorityLevel::count() === 0) {
|
||||
$defaults = [
|
||||
['name' => 'Low', 'color' => '#6b7280', 'sort_order' => 1],
|
||||
['name' => 'Medium', 'color' => '#3b82f6', 'sort_order' => 2],
|
||||
['name' => 'High', 'color' => '#f59e0b', 'sort_order' => 3],
|
||||
['name' => 'Urgent', 'color' => '#ef4444', 'sort_order' => 4],
|
||||
];
|
||||
foreach ($defaults as $d) {
|
||||
PriorityLevel::create([
|
||||
'group_id' => $group->id,
|
||||
'name' => $d['name'],
|
||||
'color' => $d['color'],
|
||||
'description' => null,
|
||||
'sort_order' => $d['sort_order'],
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
return back()->with('success', 'Group created.');
|
||||
}
|
||||
|
||||
@@ -137,6 +203,11 @@ class TicketingSettingsController extends Controller
|
||||
'group_id' => 'nullable|exists:ticketing_groups,id',
|
||||
]);
|
||||
|
||||
// If group_id given, caller must be manager of that group
|
||||
if (!empty($validated['group_id'])) {
|
||||
$this->requireManagerAccess($validated['group_id']);
|
||||
}
|
||||
|
||||
PriorityLevel::create($validated);
|
||||
|
||||
return back()->with('success', 'Priority level created.');
|
||||
|
||||
Reference in New Issue
Block a user