security: FAQ Manage Permissions

This addresses a vulnerability reported by @lujiefsi where Agents can potentially bypass the FAQ restrictions.
osTicket · Oct 25, 2023 · 04f4e61 · 04f4e61
1 parent 45d7030
commit 04f4e61
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/scp/faq.php b/scp/faq.php
@@ -62,8 +62,11 @@
         $attachments->setAttachments($faq->getAttachments($lang)->window(array('inline' => false)));
     }
 }
+// Check if the Staff can Manage FAQs
+$can_manage = $thisstaff->hasPerm(FAQ::PERM_MANAGE);
 
-if ($_POST) {
+// Make sure the Agent has permission
+if ($_POST && $can_manage) {
     $errors=array();
     // General attachments
     $_POST['files'] = $faq_form->getField('attachments')->getClean();
@@ -142,20 +145,19 @@
             break;
         default:
             $errors['err']=__('Unknown action');
-
     }
 }
 
 $inc='faq-categories.inc.php'; //FAQs landing page.
 if($faq && $faq->getId()) {
     $inc='faq-view.inc.php';
     if ($_REQUEST['a']=='edit'
-            && $thisstaff->hasPerm(FAQ::PERM_MANAGE))
+            && $can_manage)
         $inc='faq.inc.php';
     elseif ($_REQUEST['a'] == 'print')
         return $faq->printPdf();
 }elseif($_REQUEST['a']=='add'
-        && $thisstaff->hasPerm(FAQ::PERM_MANAGE)) {
+        && $can_manage) {
     $inc='faq.inc.php';
 } elseif($category && $_REQUEST['a']!='search') {
     $inc='faq-category.inc.php';