jwed/dashboard-ticketing
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: bootstrap blocker + 4 security bugs

Browse Source 
- Bootstrap (critical): settings/create/index no longer 403 on fresh install.
  Site admins (admin/super_admin) can access settings when 0 groups exist.
  First group creation seeds default priorities (Low/Medium/High/Urgent).
  Index shows friendly first-run splash. Create shows warning + settings link.

- Internal notes leak (high): submitters can no longer receive is_internal
  messages via ticket show, index detail panel, or any Inertia prop.
  filterMessagesForRole() strips internal notes for non-agents.

- Arbitrary assignee (med/high): update() now validates assigned_to against
  actual agent-access users for the ticket's group server-side.

- Cross-group priority/project forgery (medium): store() and update() now
  verify priority_id and project_id belong to the ticket's own group (or
  are global for priorities).

- Foreign message_id on attachment upload (medium): message_id is now
  validated to belong to the current ticket, not just any message row.
This commit is contained in:
Joel Wedemire
2026-04-08 18:31:51 -07:00
parent 615c091f88
commit 652829ab90
6 changed files with 213 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
resources/js/Pages/Ticketing/Create.vue
View File

@@ -5,7 +5,14 @@
<h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Submit a Ticket</h1> <h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Submit a Ticket</h1>
</div> </div>
<form @submit.prevent="submit" class="bg-white dark:bg-gray-800 rounded-xl shadow-sm border border-gray-200 dark:border-gray-700 p-6 space-y-5"> <!-- Bootstrap / No groups state -->
<div v-if="isBootstrap" class="bg-amber-50 dark:bg-amber-900/30 border border-amber-300 dark:border-amber-600 rounded-xl px-5 py-6 text-center">
<p class="text-amber-800 dark:text-amber-200 font-semibold text-base mb-2">📦 Ticketing isnt set up yet</p>
<p class="text-sm text-amber-700 dark:text-amber-300 mb-4">An admin needs to create at least one group before tickets can be submitted.</p>
<Link :href="route('ticketing.settings')" class="inline-block bg-indigo-600 text-white text-sm px-4 py-2 rounded-lg hover:bg-indigo-700">Go to Settings</Link>
</div>
<form v-else @submit.prevent="submit" class="bg-white dark:bg-gray-800 rounded-xl shadow-sm border border-gray-200 dark:border-gray-700 p-6 space-y-5">
<!-- Group --> <!-- Group -->
<div> <div>
<label class="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1">Group <span class="text-red-500">*</span></label> <label class="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1">Group <span class="text-red-500">*</span></label>
@@ -90,6 +97,7 @@ import { Link, useForm } from '@inertiajs/vue3'
const props = defineProps({ const props = defineProps({
groups: Array, groups: Array,
priorities: Array, priorities: Array,
isBootstrap: Boolean,
}) })
const form = useForm({ const form = useForm({

14
resources/js/Pages/Ticketing/Index.vue
View File

@@ -1,5 +1,17 @@
<template> <template>
<div class="flex h-screen overflow-hidden bg-slate-100 text-slate-900 dark:bg-slate-950 dark:text-slate-100"> <div class="flex h-screen overflow-hidden bg-slate-100 text-slate-900 dark:bg-slate-950 dark:text-slate-100">
<!-- Bootstrap / first-run state -->
<div v-if="isBootstrap" class="flex flex-col items-center justify-center w-full h-full text-center px-6">
<div class="max-w-md">
<div class="text-5xl mb-4">🎫</div>
<h2 class="text-2xl font-bold text-slate-800 dark:text-slate-100 mb-2">Ticketing isnt set up yet</h2>
<p class="text-slate-500 dark:text-slate-400 mb-6">Create your first group in Settings to get started. Default priorities will be seeded automatically.</p>
<Link :href="route('ticketing.settings')" class="inline-block bg-indigo-600 text-white px-5 py-2.5 rounded-xl text-sm font-medium hover:bg-indigo-700 transition">Go to Settings</Link>
</div>
</div>
<template v-else>
<aside class="hidden w-72 shrink-0 border-r border-slate-200 bg-white/90 backdrop-blur dark:border-slate-800 dark:bg-slate-900/90 lg:flex lg:flex-col"> <aside class="hidden w-72 shrink-0 border-r border-slate-200 bg-white/90 backdrop-blur dark:border-slate-800 dark:bg-slate-900/90 lg:flex lg:flex-col">
<div class="border-b border-slate-200 p-5 dark:border-slate-800"> <div class="border-b border-slate-200 p-5 dark:border-slate-800">
<div class="flex items-center justify-between gap-3"> <div class="flex items-center justify-between gap-3">
@@ -408,6 +420,7 @@
</div> </div>
</template> </template>
</section> </section>
</template>
</div> </div>
</template> </template>
@@ -425,6 +438,7 @@ const props = defineProps({
ticketDetail: Object, ticketDetail: Object,
detailAgents: Array, detailAgents: Array,
viewCounts: Object, viewCounts: Object,
isBootstrap: Boolean,
}) })
const search = ref('') const search = ref('')

11
resources/js/Pages/Ticketing/Settings.vue
View File

@@ -5,6 +5,15 @@
<h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Ticketing Settings</h1> <h1 class="text-2xl font-bold text-gray-900 dark:text-white mt-2">Ticketing Settings</h1>
</div> </div>
<!-- Bootstrap banner -->
<div v-if="isBootstrap" class="mb-6 px-5 py-4 bg-amber-50 dark:bg-amber-900/30 border border-amber-300 dark:border-amber-600 rounded-xl">
<h2 class="text-base font-semibold text-amber-800 dark:text-amber-200 mb-1">🚀 First-Run Setup</h2>
<p class="text-sm text-amber-700 dark:text-amber-300">
No groups exist yet. Create your first group below to get started.
Default priorities (Low, Medium, High, Urgent) will be seeded automatically.
</p>
</div>
<!-- Flash message --> <!-- Flash message -->
<div v-if="$page.props.flash?.success" class="mb-4 px-4 py-2 bg-green-50 dark:bg-green-900/30 border border-green-200 dark:border-green-700 text-green-700 dark:text-green-300 rounded-lg text-sm"> <div v-if="$page.props.flash?.success" class="mb-4 px-4 py-2 bg-green-50 dark:bg-green-900/30 border border-green-200 dark:border-green-700 text-green-700 dark:text-green-300 rounded-lg text-sm">
{{ $page.props.flash.success }} {{ $page.props.flash.success }}
@@ -239,6 +248,8 @@ const props = defineProps({
agents: Array, agents: Array,
priorities: Array, priorities: Array,
myGroupIds: Array, myGroupIds: Array,
isBootstrap: Boolean,
isSiteAdmin: Boolean,
}) })
const activeTab = ref('groups') const activeTab = ref('groups')

16
src/Http/Controllers/TicketAttachmentController.php
View File

@@ -31,7 +31,21 @@ class TicketAttachmentController extends Controller
$request->validate([ $request->validate([
'file' => 'required|file|max:' . (self::MAX_SIZE_MB * 1024), 'file' => 'required|file|max:' . (self::MAX_SIZE_MB * 1024),
'message_id' => 'nullable|exists:ticket_messages,id', // Bug #5: message_id must belong to THIS ticket, not any arbitrary message
'message_id' => [
'nullable',
'integer',
function ($attribute, $value, $fail) use ($ticket) {
if ($value !== null) {
$exists = \Dashboard\Ticketing\Models\TicketMessage::where('id', $value)
->where('ticket_id', $ticket->id)
->exists();
if (!$exists) {
$fail('The message does not belong to this ticket.');
}
}
},
],
]); ]);
$file = $request->file('file'); $file = $request->file('file');

90
src/Http/Controllers/TicketController.php
View File

@@ -40,12 +40,40 @@ class TicketController extends Controller
->exists(); ->exists();
} }
/**
* Filter messages for submitters — strip internal notes.
*/
private function filterMessagesForRole($messages, bool $isAgent)
{
if ($isAgent) {
return $messages;
}
return $messages->filter(fn($m) => !$m->is_internal)->values();
}
public function index(Request $request): Response public function index(Request $request): Response
{ {
$user = Auth::user(); $user = Auth::user();
$agentGroupIds = $this->agentGroupIds(); $agentGroupIds = $this->agentGroupIds();
$isAgent = count($agentGroupIds) > 0; $isAgent = count($agentGroupIds) > 0;
// If no groups exist at all, render a first-run / bootstrap state
$totalGroups = TicketingGroup::count();
if ($totalGroups === 0) {
return Inertia::render('Ticketing/Index', [
'tickets' => null,
'groups' => [],
'priorities' => [],
'projects' => [],
'isAgent' => $isAgent,
'filters' => [],
'ticketDetail' => null,
'detailAgents' => [],
'viewCounts' => ['all' => 0, 'mine' => 0, 'unassigned' => 0, 'pending' => 0, 'resolved' => 0],
'isBootstrap' => true,
]);
}
$baseQuery = Ticket::query(); $baseQuery = Ticket::query();
if ($isAgent) { if ($isAgent) {
@@ -169,9 +197,14 @@ class TicketController extends Controller
$dt->submitter = $detailUsers[$dt->submitter_id] ?? null; $dt->submitter = $detailUsers[$dt->submitter_id] ?? null;
$dt->assignee = $dt->assigned_to ? ($detailUsers[$dt->assigned_to] ?? null) : null; $dt->assignee = $dt->assigned_to ? ($detailUsers[$dt->assigned_to] ?? null) : null;
$dt->messages->each(function ($msg) use ($detailUsers) {
// Bug #2: Filter internal notes for non-agents
$visibleMessages = $this->filterMessagesForRole($dt->messages, $isAgent);
$visibleMessages->each(function ($msg) use ($detailUsers) {
$msg->author = $msg->user_id ? ($detailUsers[$msg->user_id] ?? null) : null; $msg->author = $msg->user_id ? ($detailUsers[$msg->user_id] ?? null) : null;
}); });
$dt->setRelation('messages', $visibleMessages);
$ticketDetail = $dt; $ticketDetail = $dt;
if ($isAgent) { if ($isAgent) {
@@ -191,6 +224,7 @@ class TicketController extends Controller
'ticketDetail' => $ticketDetail, 'ticketDetail' => $ticketDetail,
'detailAgents' => $detailAgents, 'detailAgents' => $detailAgents,
'viewCounts' => $viewCounts, 'viewCounts' => $viewCounts,
'isBootstrap' => false,
]); ]);
} }
@@ -201,11 +235,22 @@ class TicketController extends Controller
$isAgent = count($agentGroupIds) > 0; $isAgent = count($agentGroupIds) > 0;
$groups = TicketingGroup::when($isAgent, fn($q) => $q->whereIn('id', $agentGroupIds))->get(); $groups = TicketingGroup::when($isAgent, fn($q) => $q->whereIn('id', $agentGroupIds))->get();
// No groups at all? Show first-run state.
if ($groups->isEmpty() && TicketingGroup::count() === 0) {
return Inertia::render('Ticketing/Create', [
'groups' => [],
'priorities' => [],
'isBootstrap' => true,
]);
}
$priorities = PriorityLevel::orderBy('sort_order')->get(); $priorities = PriorityLevel::orderBy('sort_order')->get();
return Inertia::render('Ticketing/Create', [ return Inertia::render('Ticketing/Create', [
'groups' => $groups, 'groups' => $groups,
'priorities' => $priorities, 'priorities' => $priorities,
'isBootstrap' => false,
]); ]);
} }
@@ -219,6 +264,14 @@ class TicketController extends Controller
'due_date' => 'nullable|date', 'due_date' => 'nullable|date',
]); ]);
// Bug #4: Ensure priority belongs to the chosen group (or is global)
if (!empty($validated['priority_id'])) {
$priority = PriorityLevel::find($validated['priority_id']);
if ($priority && $priority->group_id !== null && $priority->group_id != $validated['group_id']) {
abort(422, 'Priority does not belong to the selected group.');
}
}
$group = TicketingGroup::findOrFail($validated['group_id']); $group = TicketingGroup::findOrFail($validated['group_id']);
$number = $group->nextTicketNumber(); $number = $group->nextTicketNumber();
@@ -244,13 +297,18 @@ class TicketController extends Controller
$ticket->load(['group', 'priority', 'project', 'messages', 'attachments']); $ticket->load(['group', 'priority', 'project', 'messages', 'attachments']);
$userIds = $ticket->messages->pluck('user_id')->filter()->unique(); // Bug #2: Filter internal notes for submitters
$visibleMessages = $this->filterMessagesForRole($ticket->messages, $isAgent);
$userIds = $visibleMessages->pluck('user_id')->filter()->unique();
$users = DB::table('users')->whereIn('id', $userIds)->get(['id', 'name', 'email'])->keyBy('id'); $users = DB::table('users')->whereIn('id', $userIds)->get(['id', 'name', 'email'])->keyBy('id');
$ticket->messages->each(function ($msg) use ($users) { $visibleMessages->each(function ($msg) use ($users) {
$msg->author = $msg->user_id ? ($users[$msg->user_id] ?? null) : null; $msg->author = $msg->user_id ? ($users[$msg->user_id] ?? null) : null;
}); });
$ticket->setRelation('messages', $visibleMessages);
$agents = []; $agents = [];
if ($isAgent) { if ($isAgent) {
$agentIds = TicketingAgentAccess::where('group_id', $ticket->group_id)->pluck('user_id'); $agentIds = TicketingAgentAccess::where('group_id', $ticket->group_id)->pluck('user_id');
@@ -296,6 +354,11 @@ class TicketController extends Controller
abort(403); abort(403);
} }
// Bug #3: Valid assignees are users with agent access to this group
$validAssigneeIds = TicketingAgentAccess::where('group_id', $ticket->group_id)
->pluck('user_id')
->toArray();
$rules = [ $rules = [
'title' => 'sometimes|required|string|max:255', 'title' => 'sometimes|required|string|max:255',
'description' => 'sometimes|required|string', 'description' => 'sometimes|required|string',
@@ -303,13 +366,28 @@ class TicketController extends Controller
'priority_id' => 'nullable|exists:ticketing_priority_levels,id', 'priority_id' => 'nullable|exists:ticketing_priority_levels,id',
'due_date' => 'nullable|date', 'due_date' => 'nullable|date',
'project_id' => 'nullable|exists:ticketing_projects,id', 'project_id' => 'nullable|exists:ticketing_projects,id',
'assigned_to' => 'nullable|in:' . implode(',', $validAssigneeIds ?: [0]),
]; ];
if ($this->isAgent($ticket->group_id)) { $validated = $request->validate($rules);
$rules['assigned_to'] = 'nullable|exists:users,id';
// Bug #4: priority_id must belong to this group or be global
if (!empty($validated['priority_id'])) {
$priority = PriorityLevel::find($validated['priority_id']);
if ($priority && $priority->group_id !== null && $priority->group_id !== $ticket->group_id) {
abort(422, 'Priority does not belong to this ticket\'s group.');
}
} }
$ticket->update($request->validate($rules)); // Bug #4: project_id must belong to this group
if (!empty($validated['project_id'])) {
$project = TicketingProject::find($validated['project_id']);
if ($project && $project->group_id !== $ticket->group_id) {
abort(422, 'Project does not belong to this ticket\'s group.');
}
}
$ticket->update($validated);
return back()->with('success', 'Ticket updated.'); return back()->with('success', 'Ticket updated.');
} }

89
src/Http/Controllers/TicketingSettingsController.php
View File

@@ -13,11 +13,38 @@ use Inertia\Response;
class TicketingSettingsController extends Controller class TicketingSettingsController extends Controller
{ {
/**
* True if there are zero groups in the system (first-run bootstrap state).
*/
private function isBootstrapState(): bool
{
return TicketingGroup::count() === 0;
}
/**
* True if the current user is a site-level admin or super_admin.
*/
private function isSiteAdmin(): bool
{
$role = Auth::user()?->role;
return in_array($role, ['admin', 'super_admin']);
}
/**
* Require either:
* - existing agent access, OR
* - bootstrap state + site admin (so first admin can seed the system)
*/
private function requireAgentAccess(): void private function requireAgentAccess(): void
{ {
$hasAccess = TicketingAgentAccess::where('user_id', Auth::id())->exists(); $hasAccess = TicketingAgentAccess::where('user_id', Auth::id())->exists();
if (!$hasAccess) { if (!$hasAccess) {
abort(403); // Allow site admins through during bootstrap (no groups yet)
if ($this->isBootstrapState() && $this->isSiteAdmin()) {
return;
}
abort(403, 'You need agent access to manage ticketing settings.');
} }
} }
@@ -37,29 +64,49 @@ class TicketingSettingsController extends Controller
$this->requireAgentAccess(); $this->requireAgentAccess();
$userId = Auth::id(); $userId = Auth::id();
$isBootstrap = $this->isBootstrapState();
$myGroupIds = TicketingAgentAccess::where('user_id', $userId)->pluck('group_id'); $myGroupIds = TicketingAgentAccess::where('user_id', $userId)->pluck('group_id');
$groups = TicketingGroup::whereIn('id', $myGroupIds)->get(); $groups = $isBootstrap
? collect()
: TicketingGroup::whereIn('id', $myGroupIds)->get();
$agents = TicketingAgentAccess::whereIn('group_id', $myGroupIds)->get(); $agents = $isBootstrap
$agentUserIds = $agents->pluck('user_id')->unique(); ? collect()
$agentUsers = \DB::table('users')->whereIn('id', $agentUserIds)->get(['id', 'name', 'email'])->keyBy('id'); : TicketingAgentAccess::whereIn('group_id', $myGroupIds)->get();
$agents->each(fn($a) => $a->user = $agentUsers[$a->user_id] ?? null);
$priorities = PriorityLevel::where(fn($q) => $q->whereNull('group_id')->orWhereIn('group_id', $myGroupIds)) if ($agents->isNotEmpty()) {
->orderBy('sort_order')->get(); $agentUserIds = $agents->pluck('user_id')->unique();
$agentUsers = \DB::table('users')->whereIn('id', $agentUserIds)->get(['id', 'name', 'email'])->keyBy('id');
$agents->each(fn($a) => $a->user = $agentUsers[$a->user_id] ?? null);
}
$priorities = $isBootstrap
? collect()
: PriorityLevel::where(fn($q) => $q->whereNull('group_id')->orWhereIn('group_id', $myGroupIds))
->orderBy('sort_order')->get();
return Inertia::render('Ticketing/Settings', [ return Inertia::render('Ticketing/Settings', [
'groups' => $groups, 'groups' => $groups,
'agents' => $agents, 'agents' => $agents,
'priorities' => $priorities, 'priorities' => $priorities,
'myGroupIds' => $myGroupIds, 'myGroupIds' => $myGroupIds,
'isBootstrap' => $isBootstrap,
'isSiteAdmin' => $this->isSiteAdmin(),
]); ]);
} }
public function storeGroup(Request $request) public function storeGroup(Request $request)
{ {
$this->requireAgentAccess(); // During bootstrap, any site admin can create the first group.
// After bootstrap, require existing agent access.
if ($this->isBootstrapState()) {
if (!$this->isSiteAdmin()) {
abort(403, 'Only site admins can create the first group.');
}
} else {
$this->requireAgentAccess();
}
$validated = $request->validate([ $validated = $request->validate([
'name' => 'required|string|max:100', 'name' => 'required|string|max:100',
@@ -77,6 +124,25 @@ class TicketingSettingsController extends Controller
'role' => 'manager', 'role' => 'manager',
]); ]);
// Seed default priorities for this group if none exist globally
if (PriorityLevel::count() === 0) {
$defaults = [
['name' => 'Low', 'color' => '#6b7280', 'sort_order' => 1],
['name' => 'Medium', 'color' => '#3b82f6', 'sort_order' => 2],
['name' => 'High', 'color' => '#f59e0b', 'sort_order' => 3],
['name' => 'Urgent', 'color' => '#ef4444', 'sort_order' => 4],
];
foreach ($defaults as $d) {
PriorityLevel::create([
'group_id' => $group->id,
'name' => $d['name'],
'color' => $d['color'],
'description' => null,
'sort_order' => $d['sort_order'],
]);
}
}
return back()->with('success', 'Group created.'); return back()->with('success', 'Group created.');
} }
@@ -137,6 +203,11 @@ class TicketingSettingsController extends Controller
'group_id' => 'nullable|exists:ticketing_groups,id', 'group_id' => 'nullable|exists:ticketing_groups,id',
]); ]);
// If group_id given, caller must be manager of that group
if (!empty($validated['group_id'])) {
$this->requireManagerAccess($validated['group_id']);
}
PriorityLevel::create($validated); PriorityLevel::create($validated);
return back()->with('success', 'Priority level created.'); return back()->with('success', 'Priority level created.');