I'm not sure if I should post this here, or that I should follow the steps for a security issue. I will just start here.

A few weeks ago I implemented the ticket system, I have -at the moment only for test- multiple clients with per client multiple users able to add their tickets, and see their own client tickets (Its for home owner associations, the home owners can put their repair issues for shared property (ie. entrance, elevator, ..) in the system, and their neighbours should be able to see it). This all worked more or less ok for a version still under development, some errors did apear but the security/authorization was all fine.

Today I updated the ticket system to the recommended version (Deleted the support folder on FTP, uploaded the files, went to update page, no errors apeared). I clicked on the home page button.

And there they were: *ALL* tickets promoted to the frontpage. Also when I used another (not logged in, so anonymous) browser, they were all there.

Did I do something stupid, or is there an issue with the current recomended version?

Comments

LeeHarveyOswald’s picture

Title: All tickets promoted to the frontpage » Extra info

When I browse (logged of) to the ticket itself, I do receive a 403... So that part goes like it should.

LeeHarveyOswald’s picture

Title: Extra info » All tickets promoted to the frontpage
bdragon’s picture

checking...

bdragon’s picture

Version: 7.x-1.0-beta1 » 7.x-1.x-dev
Status: Active » Fixed

DOH!

I forgot to add the else block to remove tickets from the query if the user has access to 0 clients.

Thanks for the report!

http://drupalcode.org/project/support.git/commit/9a0fb9f35a7765b59e04b13...

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.