[WIP]: Handle user ID when creating and updating ticket via API #3086

rimi-itk · 2025-07-24T13:08:30Z

Description

Suggested fix for #3085.

As mentioned in #3067 (comment) (and in #3068) some cleanups should be done throughout the code handling API requests.

Link to ticket

#3085

Type

Fix
Feature
Cleanup

Screenshot of the result

If your change affects the user interface, you should include a screenshot of the result with the pull request.

marcelfolaron · 2025-07-31T12:21:18Z

app/Domain/Tickets/Services/Tickets.php

        ];

-        if (! $this->projectService->isUserAssignedToProject(session('userdata.id'), $values['projectId'])) {
+        if (! $this->projectService->isUserAssignedToProject($userId, $values['projectId'])) {


The problem with this approach is that is completely circumvents the roles, permissions and projects assigned to an API Key. Devs could just set the userId to any administrator and act on behalf of that admin.

3085: Handled user ID when creating and updating ticket

6893074

marcelfolaron reviewed Jul 31, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[WIP]: Handle user ID when creating and updating ticket via API #3086

[WIP]: Handle user ID when creating and updating ticket via API #3086

Uh oh!

rimi-itk commented Jul 24, 2025

Uh oh!

marcelfolaron Jul 31, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

[WIP]: Handle user ID when creating and updating ticket via API #3086

Are you sure you want to change the base?

[WIP]: Handle user ID when creating and updating ticket via API #3086

Uh oh!

Conversation

rimi-itk commented Jul 24, 2025

Description

Link to ticket

Type

Screenshot of the result

Uh oh!

marcelfolaron Jul 31, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants