

Deny access to history for operators without CAN_VIEWTHREADS permission
JustBlackBird committed Jun 8, 2015
1 parent b340206 commit 5009f51
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion src/mibew/libs/classes/Mibew/Controller/HistoryController.php
Expand Up @@ -95,14 +95,28 @@ public function indexAction(Request $request)
$search_conditions[] = "({thread}.remote LIKE :query)";
}

// Build access condition:
$operator = $this->getOperator();
$access_condition = '';
// Operators without "view threads" permission can view only their
// own history. Administrators can view anything.
$can_view_others = is_capable(CAN_VIEWTHREADS, $operator)
|| is_capable(CAN_ADMINISTRATE, $operator);

if (!$can_view_others) {
$access_condition = ' AND {thread}.agentid = :operator_id ';
$values[':operator_id'] = $operator['operatorid'];
}

// Load threads
list($threads_count) = $db->query(
("SELECT COUNT(DISTINCT {thread}.dtmcreated) "
. "FROM {thread}, {message} "
. "WHERE {message}.threadid = {thread}.threadid "
. "AND ({thread}.invitationstate = :invitation_accepted "
. "OR {thread}.invitationstate = :invitation_not_invited) "
. "AND (" . implode(' OR ', $search_conditions) . ")"),
. "AND (" . implode(' OR ', $search_conditions) . ") "
. $access_condition),
$values,
array(
'return_rows' => Database::RETURN_ONE_ROW,
Expand All @@ -125,6 +139,7 @@ public function indexAction(Request $request)
. "AND ({thread}.invitationstate = :invitation_accepted "
. "OR {thread}.invitationstate = :invitation_not_invited) "
. "AND (" . implode(' OR ', $search_conditions) . ") "
. $access_condition
. "ORDER BY {thread}.dtmcreated DESC "
. "LIMIT " . $limit_start . ", " . $limit_end),
$values,
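Review bot: The ownership filter introduced at `$access_condition = ' AND {thread}.agentid = :operator_id ';` is only appended to the two listing queries in indexAction, so it restricts what an unprivileged operator can enumerate but not what they can open; if HistoryController (or the message view it links to) has an action that loads a thread by id, that action needs the same CAN_VIEWTHREADS/CAN_ADMINISTRATE-or-`agentid` check, otherwise the listing restriction is bypassed by guessing thread ids — I cannot see those actions from this hunk, so treat this as a point to confirm. Binding the id as `:operator_id` from `$this->getOperator()` rather than from the request is the right choice, and `$access_condition` itself is a constant fragment, so the string concatenation here does not widen the injection surface. Note that `{thread}.agentid = :operator_id` also hides threads whose `agentid` is NULL or 0 (never assigned or assigned to another operator) from operators without the permission; that is presumably intended, but worth a sentence in the comment above the condition, e.g. `// Only threads this operator handled (agentid set to them) are visible; listing-level filter only, per-thread views must apply the same rule.` The pre-existing `LIMIT " . $limit_start . ", " . $limit_end` concatenation in the second hunk is untouched by this commit; its inputs are defined outside the hunk, so their validation cannot be judged from here. indexAction's body starts before the first hunk and continues past the last.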
