polonel/trudesk

Upload Attachments from anyone


Is this a BUG REPORT or FEATURE REQUEST?:

  • [X] BUG
  • FEATURE

What happened:

The endpoint /tickets/uploadattachment doesn't check the user's permissions. Everyone can upload any attachment even if the user doesn't have the tickets:update permission. By contrast, the permission is verified if I try to delete the attachment.

What did you expect to happen:

Check the user permissions and prevent the upload.

How to reproduce it (as minimally and precisely as possible):

Use Postman, or enable the upload element in the UI by commenting out the following check in IssuePartial.jsx at line 165:
&& helpers.hasPermOverRole(this.props.owner.role, null, 'tickets:update', true)

Anything else we need to know?:

Environment:

  • Trudesk Version: 1.2.9
  • OS (e.g. from /etc/os-release):
  • Node.JS Version: v20.5.1
  • MongoDB Version: 5
  • Is this hosted on cloud.trudesk.io: no
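
The server-side check the report asks for, as an added example that is not part of the original issue and is not Trudesk's code. Only the permission name tickets:update comes from the issue; the role table, `requirePermission`, `roleHasPermission`, `uploadAttachment` and `dispatch` are hypothetical names, and the request objects are constructed.

```javascript
// Constructed role table (assumption): role name -> granted permissions.
const ROLE_GRANTS = new Map([
  ['agent', new Set(['tickets:view', 'tickets:update'])],
  ['user', new Set(['tickets:view'])],
]);

// Hypothetical server-side lookup; unknown roles get no permissions.
function roleHasPermission(role, permission) {
  const grants = ROLE_GRANTS.get(role);
  return grants !== undefined && grants.has(permission);
}

// Express-style middleware factory: reject before the upload handler runs.
function requirePermission(permission) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'authentication required' });
    if (!roleHasPermission(req.user.role, permission)) {
      return res.status(403).json({ error: 'missing permission: ' + permission });
    }
    return next();
  };
}

// Stand-in for the attachment upload handler (constructed).
function uploadAttachment(req, res) {
  return res.status(200).json({ stored: req.file });
}

// Minimal dispatcher so the example runs without Express installed.
function dispatch(chain, req) {
  const res = {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res;
}

// Before: the route relies on the UI hiding the upload control.
const unguardedRoute = [uploadAttachment];
// After: the same handler behind a server-side tickets:update check.
const guardedRoute = [requirePermission('tickets:update'), uploadAttachment];
```

Hiding the upload element in IssuePartial.jsx only affects the rendered UI; the guarded route returns 403 regardless of which client sends the request.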

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.