Fix loose comparisons in authorization checks

- TicketModel.php: fix bind_param "sssi"→"issi" for ticketId in addComment()
- TicketModel.php: use strict (int) cast === for confidential ticket access check
- update_ticket.php: use strict (int) cast !== for creator/assignee auth check
- AttachmentModel.php: use strict (int) cast === for upload ownership check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 22:35:48 -04:00
parent cfbef029cb
commit d33f761a55
3 changed files with 5 additions and 5 deletions
+2 -2
@@ -92,8 +92,8 @@ try {
// Authorization: admins can edit any ticket; others only their own or assigned // Authorization: admins can edit any ticket; others only their own or assigned
if (!$this->isAdmin if (!$this->isAdmin
&& $currentTicket['created_by'] != $this->userId && (int)$currentTicket['created_by'] !== (int)$this->userId
&& $currentTicket['assigned_to'] != $this->userId && (int)$currentTicket['assigned_to'] !== (int)$this->userId
) { ) {
return [ return [
'success' => false, 'success' => false,
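Review bot: The strict comparison on the `assigned_to` line still lets a null-to-zero collision through: `(int)` turns a NULL `assigned_to` (an unassigned ticket) and a null or zero `$this->userId` both into `0`, so `!==` is false and the edit is authorized even though no assignee exists. Whether `$this->userId` can actually be null or 0 at this point is not visible in the hunk, so this may be unreachable in practice, but the comparison itself does not rule it out. Consider guarding the null case before casting, e.g. `&& ($currentTicket['assigned_to'] === null || (int)$currentTicket['assigned_to'] !== (int)$this->userId)`, and likewise for `created_by`, or reject a non-positive `$this->userId` before this block. The same pattern appears in AttachmentModel's ownership check on `uploaded_by` and in TicketModel's confidential-ticket check, where `$userId = $user['user_id'] ?? null` makes the null input explicit and an unassigned confidential ticket would then match an anonymous user. The enclosing `try` block starts before the hunk and continues past it.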
+1 -1
@@ -131,7 +131,7 @@ class AttachmentModel {
} }
$attachment = $this->getAttachment($attachmentId); $attachment = $this->getAttachment($attachmentId);
return $attachment && $attachment['uploaded_by'] == $userId; return $attachment && (int)$attachment['uploaded_by'] === (int)$userId;
} }
/** /**
+2 -2
@@ -468,7 +468,7 @@ class TicketModel {
$markdownEnabled = $commentData['markdown_enabled'] ? 1 : 0; $markdownEnabled = $commentData['markdown_enabled'] ? 1 : 0;
$stmt->bind_param( $stmt->bind_param(
"sssi", "issi",
$ticketId, $ticketId,
$username, $username,
$commentData['comment_text'], $commentData['comment_text'],
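Review bot: Binding `$ticketId` with `i` only does what the commit intends if the value is already an integer; mysqli converts whatever it is given, and a non-numeric string becomes `0` without an error, so a malformed id would most likely be written as ticket 0 rather than rejected. Consider normalising at the bind, `(int) $ticketId,`, or declaring the parameter `int $ticketId` under `strict_types` so a bad value fails before the query. addComment's signature and the rest of its body are outside the hunk, so I cannot see whether the parameter is already typed or validated upstream.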
@@ -591,7 +591,7 @@ class TicketModel {
// Confidential tickets: only creator, assignee, and admins // Confidential tickets: only creator, assignee, and admins
if ($visibility === 'confidential') { if ($visibility === 'confidential') {
$userId = $user['user_id'] ?? null; $userId = $user['user_id'] ?? null;
return ($ticket['created_by'] == $userId || $ticket['assigned_to'] == $userId); return ((int)$ticket['created_by'] === (int)$userId || (int)$ticket['assigned_to'] === (int)$userId);
} }
// Internal tickets: check if user is in any of the allowed groups // Internal tickets: check if user is in any of the allowed groups