trudesk icon indicating copy to clipboard operation
trudesk copied to clipboard

Published 20 hours ago verified publisher icon polonel

Upload Attachments from anyone

Open FlavioSantoro92 opened this issue 1 year ago • 1 comments

Is this a BUG REPORT or FEATURE REQUEST?:

  • [X ] BUG
  • [ ] FEATURE

What happened:

The endpoint /tickets/uploadattachment doens't check the user's permissions. Everyone can upload any attachment even if the user hasn't the tickets:update permission. This is verified instead if I try to delete the attachment.

What did you expect to happen:

Check the user permissions and prevent the upload.

How to reproduce it (as minimally and precisely as possible):

Postman, or enabling the upload element in the UI commenting the following check in IssuePartial.jsx at line 165: && helpers.hasPermOverRole(this.props.owner.role, null, 'tickets:update', true)

Anything else we need to know?:

Environment:

  • Trudesk Version: 1.2.9
  • OS (e.g. from /etc/os-release):
  • Node.JS Version: v20.5.1
  • MongoDB Version: 5
  • Is this hosted on cloud.trudesk.io: no

FlavioSantoro92 avatar Sep 18 '23 11:09 FlavioSantoro92

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Oct 18 '23 21:10 github-actions[bot]