Security enhancements:

- ensure that a user can only see the details of the ticket she/he is allowed to see, even if the id is typed manually
- add a define'd filter to filter the drop-down lists of the search form for searching closed tickets.

SVN:trunk[3027]
Denis Flaven
2013-12-09 11:39:25 +00:00
parent 8509237084
commit d42443697c
6 changed files with 75 additions and 7 deletions


@@ -790,6 +790,15 @@ function ListResolvedRequests(WebPage $oP)
function ListClosedTickets(WebPage $oP)
{
$aAttSpecs = explode(',', PORTAL_TICKETS_SEARCH_CRITERIA);
// Remove the caller_id form the search criteria if the user is not a Portal Power User
// since the user is only allowed to see her/his own tickets
foreach($aAttSpecs as $idx => $sAttCode)
{
if (($sAttCode == 'caller_id') && !IsPowerUser())
{
unset($aAttSpecs[$idx]);
}
}
$aClasses = GetTicketClasses();
$sMainClass = reset($aClasses);
$oP->DisplaySearchForm($sMainClass, $aAttSpecs, array('operation' => 'show_closed'), 'search_', false /* => not closed */);
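Review bot: dropping caller_id from $aAttSpecs for non-power users only trims the search form; nothing in this hunk constrains the query that actually returns the closed tickets, so a user who submits caller_id (or any other criterion) by hand in the show_closed request still needs a server-side restriction to her/his own tickets, which is what the commit message promises and what a reviewer cannot confirm from this file alone. Two smaller points: IsPowerUser() is re-evaluated on every iteration of the loop, so hoist it into a local before the foreach, and unset($aAttSpecs[$idx]) leaves a gap in the numeric keys, so pass array_values($aAttSpecs) if DisplaySearchForm addresses the specs by position. Finally, the trailing argument false /* => not closed */ reads oddly in a function named ListClosedTickets that passes 'operation' => 'show_closed'; either the comment or the flag is wrong, so confirm what the last parameter means.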


@@ -19,7 +19,8 @@ PORTAL_VALIDATE_SERVICESUBCATEGORY_QUERY: OQL to check the service again (securi
PORTAL_ALL_PARAMS: parameters that the wizard will kindly propagate through its pages (mixing should not be a problem, default value could be cleaned a little...)
PORTAL_SET_TYPE_FROM: attribute of the class ServiceSubcategory determining the request type
PORTAL_TYPE_TO_CLASS: optional mapping from the request types to ticket classes
PORTAL_TICKETS_SEARCH_CRITERIA: list of search criteria for closed tickets
PORTAL_TICKETS_SEARCH_CRITERIA: comma separated list of search criteria (attcodes) for closed tickets
PORTAL_TICKETS_SEARCH_FILTER_attcode: an OQL query to limit the list of values available in the search form (drop-down list). One define per entry in PORTAL_TICKETS_SEARCH_CRITERIA
Caution: Hardcoded stuff
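Review bot: the new PORTAL_TICKETS_SEARCH_FILTER_attcode entry should state what happens when no define exists for a criterion listed in PORTAL_TICKETS_SEARCH_CRITERIA (presumably the drop-down is left unfiltered) and which class the OQL is expected to select, since "an OQL query" alone does not tell the integrator what to write. It should also make explicit that the query only narrows the values offered in the drop-down and does not restrict the result set, so that nobody mistakes it for the access control that the caller_id removal is meant to provide.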