fix(ticketing): restrict settings link to admins and protect global priorities

- Show 'Go to Settings' bootstrap link only for admin/super_admin users - Pass isSiteAdmin prop to Create.vue to control settings CTA visibility - Require site admin for updatePriority/destroyPriority when priority is global (group_id = null) - Closes: non-admin users seeing forbidden settings link; agents mutating global priorities
2026-04-09 14:32:19 -07:00
parent 45b019dad2
commit bce98c0d4b
7 changed files with 493 additions and 473 deletions
--- a/src/Http/Controllers/TicketingSettingsController.php
+++ b/src/Http/Controllers/TicketingSettingsController.php
@@ -235,6 +235,11 @@ class TicketingSettingsController extends Controller

        if ($priority->group_id) {
            $this->requireManagerAccess($priority->group_id);
+        } else {
+            // Global priorities require site admin
+            if (!$this->isSiteAdmin()) {
+                abort(403, 'Only site admins can manage global priorities.');
+            }
        }

        $validated = $request->validate([
@@ -264,6 +269,11 @@ class TicketingSettingsController extends Controller

        if ($priority->group_id) {
            $this->requireManagerAccess($priority->group_id);
+        } else {
+            // Global priorities require site admin
+            if (!$this->isSiteAdmin()) {
+                abort(403, 'Only site admins can manage global priorities.');
+            }
        }

        if ($priority->tickets()->exists()) {