I installed a clean Drupal 7 with the Support module. I created a client and one Test user who can access that client, and I submitted a ticket as the Test user. As uid #1, I replied to the ticket, but the Test user cannot see the replies, just the comments it posted itself. If I assign the 'View other users tickets' permission to the Test user, the replies are displayed.

I examined the code; the line that causes this problem is line 2402, so I modified this line. When $table is comment, the access inspection is skipped, because I think the user always has access to see the replies to his ticket. The patch is attached.

P.S.: I do not know exactly what the support_query_alter() function is doing; why do we need it? If I completely remove this function (return on the first line), then the access system works well. The user cannot see other tickets, but can see the replies to his own tickets.


Comments

slampy’s picture

Version: 7.x-1.x-dev » 7.x-1.0-beta3

This bug still exists in beta3. It is really strange that the client cannot see the replies to his/her ticket because the 'View other users tickets' is not set.

Please fix it. Thanks!

Zoltán Balogh’s picture

Status: Active » Needs review

Oh, I posted the patch with the wrong status...

bandanaman’s picture

Works for me, thank you.

MrPeanut’s picture

Also having this issue. Unfortunately, still novice enough to not know how to apply patches, so I will be changing the permissions for now.

Bandy’s picture

The user will only have the opportunity to see their tickets and answers, if the note - is around controlling access to content. But this might not be the solution, since it then the user e.g. then in the Advanced forum can do it all. The patch has not helped. Sorry for my English.

Drupal 7.12

Bandy’s picture

My problem is resolved. It was at the Forum Access module. With version 7.x-1.0-rc1 is now anything goes.

Bandy’s picture

Sorry - here is the patch:

support.module

Replace all NODE_ACCESS_IGNORE with NODE_ACCESS_ALLOW (line 188)

          if (user_access('view other users tickets') || user_access('administer support') || user_access('edit any ticket') || user_access('delete any ticket')) {
            $access = NODE_ACCESS_ALLOW;
          }
          else {
            // User created this ticket, allow access.
            if ($account->uid == $node->uid && $account->uid != 0) {
              $access = NODE_ACCESS_ALLOW;
            }
            // User is subscribed to this ticket, allow access.
            else if (db_query('SELECT 1 FROM {support_assigned} WHERE nid = :nid AND uid = :uid', array(':nid' => $node->nid, ':uid' => $account->uid))->fetchField()) {
              $access = NODE_ACCESS_ALLOW;
            }
          }

kevin.klika’s picture

Manually applied patch #7 above and tested. Works awesome! Please commit this.

Thanks

sgerbino’s picture

Version: 7.x-1.0-beta3 » 7.x-1.0-rc1

I'm running into the same issue and patch #7 isn't resolving it for me.

Jeff Burnz’s picture

Version: 7.x-1.0-rc1 » 7.x-1.x-dev

Unfortunately the patch is not working for me either. I was running ACL, Content Access, Forum Access but all those have been removed recently and I still have this issue, even on rc1.

Has this anything to do with me using uid1?

As described in the OP, if I give "View other users tickets" to the role allowed to view tickets, it works, but then they can see all tickets, not good, those tickets can contain sensitive data like usernames and passwords.

This really is a critical bug in the module, it's really driving my clients insane and many many complaints about this. Some feedback from the developer would be very much appreciated, this issue was posted some time ago and clearly is still an issue, and a bad one.

sgerbino’s picture

I have a patch that seems to be working for me. I think that it was comparing the comment uid with the uid of the current user; this worked for nodes but prevented the user from seeing anyone else's comments.

To apply manually:

Line 2354 support.module
Replace:

            global $user;
            $ticket_alias = $query->leftJoin('support_ticket', 'st', 'st.nid = ' . $nalias . '.nid');
            $query->condition(db_or()
              ->condition(db_and()
                // Must be on the allowed clients list
                ->condition($ticket_alias . '.client', $clients)
                // and must be owned by the user
                ->condition($nalias . '.uid', $user->uid))
              // or must be something other than a support ticket
              ->condition($ticket_alias . '.client', null));

With:

            global $user;
            $ticket_alias = $query->leftJoin('support_ticket', 'st', 'st.nid = ' . $nalias . '.nid');
            if ($table == 'node') {
              $query->condition(db_or()
                ->condition(db_and()
                // Must be on the allowed clients list
                ->condition($ticket_alias . '.client', $clients)
                // and must be owned by the user
                ->condition($nalias . '.uid', $user->uid))
                // or must be something other than a support ticket
                ->condition($ticket_alias . '.client', null));
            }
            else if ($table == 'comment') {
              $query->leftJoin('node', 'par', 'par.nid = '. $nalias . '.nid');
              $query->condition(db_or()
                ->condition(db_and()
                // Must be on the allowed clients list
                ->condition($ticket_alias . '.client', $clients)
                // and must be owned by the user
                ->condition('par.uid', $user->uid))
                // or must be something other than a support ticket
                ->condition($ticket_alias . '.client', null));
            }

Jeff Burnz’s picture

sgerbino - success!

Will leave this as needs review for now until I have tested this more, but for now it's working, I cannot thank you enough!

molavy2003’s picture

I have the same problem.
Clients can't see users' replies.
How can I solve this?
The latest patch (above comment) doesn't work.

molavy2003’s picture

I solved this issue for myself,
but that may cause other problems that I haven't mentioned.
I changed

            global $user;
            $ticket_alias = $query->leftJoin('support_ticket', 'st', 'st.nid = ' . $nalias . '.nid');
            $query->condition(db_or()
              ->condition(db_and()
                // Must be on the allowed clients list
                ->condition($ticket_alias . '.client', $clients)
                // and must be owned by the user
                ->condition($nalias . '.uid', $user->uid))
              // or must be something other than a support ticket
              ->condition($ticket_alias . '.client', null));

to this:

            global $user;
            $ticket_alias = $query->leftJoin('support_ticket', 'st', 'st.nid = ' . $nalias . '.nid');
            $query->condition(db_or()
              ->condition(db_and()
                // Must be on the allowed clients list
                ->condition($ticket_alias . '.client', $clients)
                // and must be owned by the user
                )
              // or must be something other than a support ticket
              ->condition($ticket_alias . '.client', null));

I don't know why "and must be owned by the user" should be there?

sgerbino’s picture

Hrmm when I wrote the patch I put it there so people could not see comments to other tickets unless they have "View other tickets" permission or "Administer support tickets" permission.

You should only see comments when it is on the node you have created basically.
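
An added illustration (not code from the module or from any commenter) of the three ownership conditions discussed in this thread, run as plain SQL over constructed rows in SQLite. The table layout is a simplified assumption, and the variant names `original`, `parent_owner` and `no_owner_check` are made up here.

```python
import sqlite3

# Constructed sample data: uid 2 and uid 3 belong to client 1 and each own
# one ticket (nid 10 and nid 11); uid 1 (staff) has replied to both tickets.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, uid INTEGER);
CREATE TABLE support_ticket (nid INTEGER PRIMARY KEY, client INTEGER);
CREATE TABLE comment (cid INTEGER PRIMARY KEY, nid INTEGER, uid INTEGER);
INSERT INTO node VALUES (10, 2), (11, 3);
INSERT INTO support_ticket VALUES (10, 1), (11, 1);
INSERT INTO comment VALUES (100, 10, 2), (101, 10, 1),
                           (102, 11, 3), (103, 11, 1);
"""

# Same shape as the altered comment query: (client allowed AND <ownership>)
# OR the comment is not on a support ticket at all.
BASE = """
SELECT c.cid FROM comment c
LEFT JOIN support_ticket st ON st.nid = c.nid
LEFT JOIN node par ON par.nid = c.nid
WHERE ((st.client IN ({clients}) {owner}) OR st.client IS NULL)
ORDER BY c.cid
"""

OWNER_CHECKS = {
    # Compares the comment author with the viewer: staff replies disappear.
    "original": "AND c.uid = :uid",
    # Compares the parent ticket's author with the viewer.
    "parent_owner": "AND par.uid = :uid",
    # Ownership condition dropped: every ticket of the client is readable.
    "no_owner_check": "",
}


def visible_comments(variant, uid, clients):
    """Return the comment ids the viewer gets back under one variant."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    params = {"uid": uid}
    params.update({f"c{i}": c for i, c in enumerate(clients)})
    names = ", ".join(f":c{i}" for i in range(len(clients)))
    sql = BASE.format(clients=names, owner=OWNER_CHECKS[variant])
    return [row[0] for row in db.execute(sql, params)]


if __name__ == "__main__":
    for name in OWNER_CHECKS:
        print(name, visible_comments(name, uid=2, clients=[1]))
```
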

augur’s picture

Works for me, thanks!


hejazee’s picture

#11 works fine. thanks

dalearyous’s picture

#11 worked for me too, w00t.

Jeremy’s picture

Status: Needs review » Fixed

Thanks -- sorry to have waited so long to review this bug. Confirmed the bug, and fix -- committed the patch from #11, slightly modified.
http://drupalcode.org/project/support.git/commit/99d624d

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.