From 13bc9b80a91d949063d11394435df3f1b3755207 Mon Sep 17 00:00:00 2001
From: Sanjeev Papnoi
Date: Fri, 23 Jul 2021 11:33:37 +0530
Subject: [PATCH] updates

---
 Controller/Ticket.php | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/Controller/Ticket.php b/Controller/Ticket.php
index c7708a6..2c86114 100644
--- a/Controller/Ticket.php
+++ b/Controller/Ticket.php
@@ -275,11 +275,14 @@ public function saveReply(int $id, Request $request)
 $this->isWebsiteActive();
 $data = $request->request->all();
 $ticket = $this->getDoctrine()->getRepository('UVDeskCoreFrameworkBundle:Ticket')->find($id);
+ $user = $this->userService->getSessionUser();

- // Proceed only if user has access to the resource
- if (false == $this->ticketService->isTicketAccessGranted($ticket)) {
- throw new \Exception('Access Denied', 403);
- }
+ // process only if access for the resource.
+ if (empty($ticket) || ( (!empty($user)) && $user->getId() != $ticket->getCustomer()->getId()) ) {
+ if(!$this->isCollaborator($ticket, $user)) {
+ throw new \Exception('Access Denied', 403);
+ }
+ }

 if($_POST) {
 if(str_replace(' ','',str_replace(' ','',trim(strip_tags($data['message'], '')))) != "") {
@@ -510,9 +513,13 @@ public function downloadAttachmentZip(Request $request)
 }

 $ticket = $attachment->getThread()->getTicket();
- // Proceed only if user has access to the resource
- if (false == $this->ticketService->isTicketAccessGranted($ticket)) {
- throw new \Exception('Access Denied', 403);
+ $user = $this->userService->getSessionUser();
+
+ // process only if access for the resource.
+ if (empty($ticket) || ( (!empty($user)) && $user->getId() != $ticket->getCustomer()->getId()) ) {
+ if(!$this->isCollaborator($ticket, $user)) {
+ throw new \Exception('Access Denied', 403);
+ }
 }

 $zipname = 'attachments/' .$threadId.'.zip';
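Review bot: The rewritten guard in saveReply lets a request with no session user through: when `$user` is empty the `(!empty($user)) && ...` clause is false, so for a non-empty ticket the whole condition is false, the collaborator check is skipped and the reply is processed; the identical block is repeated in downloadAttachmentZip and ticketCollaboratorXhr. Whether the firewall already rejects anonymous callers on these routes is not visible here, so the check should not depend on it: `if (empty($ticket) || empty($user) || ($user->getId() !== $ticket->getCustomer()->getId() && !$this->isCollaborator($ticket, $user))) {` in front of the existing `throw`, which also stops `isCollaborator` being called with a null ticket or user. Since the logic is now triplicated, a single private helper (or the `isTicketAccessGranted` service call the commit removes) would keep the three sites from drifting apart. The bodies of all three methods continue outside their hunks.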
@@ -572,10 +579,14 @@ public function ticketCollaboratorXhr(Request $request)
 $content = json_decode($request->getContent(), true);
 $em = $this->getDoctrine()->getManager();
 $ticket = $em->getRepository('UVDeskCoreFrameworkBundle:Ticket')->find($content['ticketId']);
-
- if (false == $this->ticketService->isTicketAccessGranted($ticket)) {
- throw new \Exception('Access Denied', 403);
- }
+ $user = $this->userService->getSessionUser();
+
+ // process only if access for the resource.
+ if (empty($ticket) || ( (!empty($user)) && $user->getId() != $ticket->getCustomer()->getId()) ) {
+ if(!$this->isCollaborator($ticket, $user)) {
+ throw new \Exception('Access Denied', 403);
+ }
+ }

 if ($request->getMethod() == "POST") {
 if ($content['email'] == $ticket->getCustomer()->getEmail()) {
@@ -601,7 +612,6 @@ public function ticketCollaboratorXhr(Request $request)

 $ticket->lastCollaborator = $collaborator;
 $collaborator = $em->getRepository('UVDeskCoreFrameworkBundle:User')->find($collaborator->getId());
-
 $json['collaborator'] = $this->userService->getCustomerPartialDetailById($collaborator->getId());
 $json['alertClass'] = 'success';
 $json['alertMessage'] = $this->translator->trans('Success ! Collaborator added successfully.');