From 88c8c691dd47a48735cf571f46116f2dc3916ac4 Mon Sep 17 00:00:00 2001
From: rxdn <29165304+rxdn@users.noreply.github.com>
Date: Sat, 30 Oct 2021 14:06:49 +0100
Subject: [PATCH] Check support team data

---
 app/http/endpoints/api/ticket/getticket.go    |  12 ++
 app/http/endpoints/api/transcripts/get.go     |   9 +-
 app/http/server.go                            |   6 +-
 .../manage/PanelCreationForm.svelte           | 101 ++++++-----
 go.mod                                        |   2 +-
 go.sum                                        |   4 +-
 utils/permissionutils.go                      | 171 +++++++++++++++++-
 7 files changed, 245 insertions(+), 60 deletions(-)

diff --git a/app/http/endpoints/api/ticket/getticket.go b/app/http/endpoints/api/ticket/getticket.go
index dff8c1a..3172ca6 100644
--- a/app/http/endpoints/api/ticket/getticket.go
+++ b/app/http/endpoints/api/ticket/getticket.go
@@ -17,6 +17,7 @@ var MentionRegex, _ = regexp.Compile("<@(\\d+)>")
 
 func GetTicket(ctx *gin.Context) {
 	guildId := ctx.Keys["guildid"].(uint64)
+	userId := ctx.Keys["userid"].(uint64)
 
 	botContext, err := botcontext.ContextForGuild(guildId)
 	if err != nil {
@@ -62,6 +63,17 @@ func GetTicket(ctx *gin.Context) {
 		return
 	}
 
+	hasPermission, err := utils.HasPermissionToViewTicket(guildId, userId, ticket)
+	if err != nil {
+		ctx.JSON(500, utils.ErrorJson(err))
+		return
+	}
+
+	if !hasPermission {
+		ctx.JSON(403, utils.ErrorStr("You do not have permission to view this ticket"))
+		return
+	}
+
 	messagesFormatted := make([]map[string]interface{}, 0)
 	if ticket.ChannelId != nil {
 		// Get messages
diff --git a/app/http/endpoints/api/transcripts/get.go b/app/http/endpoints/api/transcripts/get.go
index b22705b..792341a 100644
--- a/app/http/endpoints/api/transcripts/get.go
+++ b/app/http/endpoints/api/transcripts/get.go
@@ -2,10 +2,9 @@ package api
 
 import (
 	"errors"
-	"github.com/TicketsBot/GoPanel/database"
+	dbclient "github.com/TicketsBot/GoPanel/database"
 	"github.com/TicketsBot/GoPanel/utils"
 	"github.com/TicketsBot/archiverclient"
-	"github.com/TicketsBot/common/permission"
 	"github.com/gin-gonic/gin"
 	"strconv"
 )
@@ -22,7 +21,7 @@ func GetTranscriptHandler(ctx *gin.Context) {
 	}
 
 	// get ticket object
-	ticket, err := database.Client.Tickets.Get(ticketId, guildId)
+	ticket, err := dbclient.Client.Tickets.Get(ticketId, guildId)
 	if err != nil {
 		ctx.AbortWithStatusJSON(500, gin.H{
 			"success": false,
@@ -40,13 +39,13 @@ func GetTranscriptHandler(ctx *gin.Context) {
 	// Verify the user has permissions to be here
 	// ticket.UserId cannot be 0
 	if ticket.UserId != userId {
-		permLevel, err := utils.GetPermissionLevel(guildId, userId)
+		hasPermission, err := utils.HasPermissionToViewTicket(guildId, userId, ticket)
 		if err != nil {
 			ctx.JSON(500, utils.ErrorJson(err))
 			return
 		}
 
-		if permLevel < permission.Support {
+		if !hasPermission {
 			ctx.JSON(403, utils.ErrorStr("You do not have permission to view this transcript"))
 			return
 		}
diff --git a/app/http/server.go b/app/http/server.go
index 5d12554..970750f 100644
--- a/app/http/server.go
+++ b/app/http/server.go
@@ -77,14 +77,16 @@ func StartServer() {
 			middleware.Logging,
 		)
 
-		guildAuthApiAdmin.GET("/settings", api_settings.GetSettingsHandler)
+		// Must be readable to load transcripts page
+		guildAuthApiSupport.GET("/settings", api_settings.GetSettingsHandler)
 		guildAuthApiAdmin.POST("/settings", api_settings.UpdateSettingsHandler)
 
 		guildAuthApiSupport.GET("/blacklist", api_blacklist.GetBlacklistHandler)
 		guildAuthApiSupport.POST("/blacklist/:user", api_blacklist.AddBlacklistHandler)
 		guildAuthApiSupport.DELETE("/blacklist/:user", api_blacklist.RemoveBlacklistHandler)
 
-		guildAuthApiAdmin.GET("/panels", api_panels.ListPanels)
+		// Must be readable to load transcripts page
+		guildAuthApiSupport.GET("/panels", api_panels.ListPanels)
 		guildAuthApiAdmin.POST("/panels", api_panels.CreatePanel)
 		guildAuthApiAdmin.POST("/panels/:panelid", rl(middleware.RateLimitTypeGuild, 5, 5*time.Second), api_panels.ResendPanel)
 		guildAuthApiAdmin.PATCH("/panels/:panelid", api_panels.UpdatePanel)
diff --git a/frontend/src/components/manage/PanelCreationForm.svelte b/frontend/src/components/manage/PanelCreationForm.svelte
index ed01193..cccd914 100644
--- a/frontend/src/components/manage/PanelCreationForm.svelte
+++ b/frontend/src/components/manage/PanelCreationForm.svelte
@@ -1,62 +1,64 @@
 <form class="settings-form" on:submit|preventDefault>
-  <div class="row">
-    <div class="col-1-3">
-      <Input label="Panel Title" placeholder="Open a ticket!" col1=true bind:value={data.title}/>
-    </div>
-    <div class="col-2-3">
+    <div class="row">
+        <div class="col-1-3">
+            <Input label="Panel Title" placeholder="Open a ticket!" col1=true bind:value={data.title}/>
+        </div>
+        <div class="col-2-3">
       <Textarea col1=true label="Panel Content" placeholder="By clicking the button, a ticket will be opened for you."
                 bind:value={data.content}/>
+        </div>
     </div>
-  </div>
-  <div class="row">
-    <Colour col4=true label="Panel Colour" on:change={updateColour} bind:value={tempColour}/>
-    <ChannelDropdown label="Panel Channel" col4=true {channels} bind:value={data.channel_id}/>
-    <CategoryDropdown label="Ticket Category" col4=true {channels} bind:value={data.category_id}/>
-    <EmojiInput label="Button Emoji" col4=true bind:value={data.emote}/>
-  </div>
-  <div class="row">
-    <Dropdown col4=true label="Button Style" bind:value={data.button_style}>
-      <option value="1">Blue</option>
-      <option value="2">Grey</option>
-      <option value="3">Green</option>
-      <option value="4">Red</option>
-    </Dropdown>
-  </div>
-  <div class="row" style="justify-content: center">
-    <div class="col-3">
-      <Button icon="fas fa-sliders-h" fullWidth=true type="button"
-              on:click={toggleAdvancedSettings}>Toggle Advanced Settings
-      </Button>
+    <div class="row">
+        <Colour col4=true label="Panel Colour" on:change={updateColour} bind:value={tempColour}/>
+        <ChannelDropdown label="Panel Channel" col4=true {channels} bind:value={data.channel_id}/>
+        <CategoryDropdown label="Ticket Category" col4=true {channels} bind:value={data.category_id}/>
+        <EmojiInput label="Button Emoji" col4=true bind:value={data.emote}/>
     </div>
-  </div>
-  <div class="row advanced-settings" class:advanced-settings-show={advancedSettings}
-       class:advanced-settings-hide={!advancedSettings} class:show-overflow={overflowShow}>
-    <div class="inner" class:inner-show={advancedSettings}>
-      <div class="row">
+    <div class="row">
+        <Dropdown col4=true label="Button Style" bind:value={data.button_style}>
+            <option value="1">Blue</option>
+            <option value="2">Grey</option>
+            <option value="3">Green</option>
+            <option value="4">Red</option>
+        </Dropdown>
+    </div>
+    <div class="row" style="justify-content: center">
+        <div class="col-3">
+            <Button icon="fas fa-sliders-h" fullWidth=true type="button"
+                    on:click={toggleAdvancedSettings}>Toggle Advanced Settings
+            </Button>
+        </div>
+    </div>
+    <div class="row advanced-settings" class:advanced-settings-show={advancedSettings}
+         class:advanced-settings-hide={!advancedSettings} class:show-overflow={overflowShow}>
+        <div class="inner" class:inner-show={advancedSettings}>
+            <div class="row">
       <Textarea col1=true bind:value={data.welcome_message} label="Welcome Message"
                 placeholder="If blank, your server's default welcome message will be used"
                 on:input={handleWelcomeMessageUpdate}/>
-      </div>
-      <div class="row">
-        <div class="col-2">
-          <label class="form-label">Mention On Open</label>
-          <div class="multiselect-super">
-            <Select items={mentionValues} bind:selectedValue={mentionsRaw} on:select={updateMentions} isMulti={true}/>
-          </div>
+            </div>
+            <div class="row">
+                <div class="col-2">
+                    <label class="form-label">Mention On Open</label>
+                    <div class="multiselect-super">
+                        <Select items={mentionValues} bind:selectedValue={mentionsRaw} on:select={updateMentions}
+                                isMulti={true}/>
+                    </div>
+                </div>
+                <div class="col-2">
+                    <label class="form-label">Support Teams</label>
+                    <div class="multiselect-super">
+                        <Select items={teamsItems} bind:selectedValue={teamsRaw} on:select={updateTeams}
+                                isMulti={true}/>
+                    </div>
+                </div>
+            </div>
+            <div class="row">
+                <Input col2={true} label="Large Image URL" bind:value={data.image_url}/>
+                <Input col2={true} label="Small Image URL" bind:value={data.thumbnail_url}/>
+            </div>
         </div>
-        <div class="col-2">
-          <label class="form-label">Support Teams</label>
-          <div class="multiselect-super">
-            <Select items={teamsItems} bind:selectedValue={teamsRaw} on:select={updateTeams} isMulti={true}/>
-          </div>
-        </div>
-      </div>
-      <div class="row">
-        <Input col2={true} label="Large Image URL" bind:value={data.image_url}/>
-        <Input col2={true} label="Small Image URL" bind:value={data.thumbnail_url}/>
-      </div>
     </div>
-  </div>
 </form>
 
 <script>
@@ -123,6 +125,7 @@
 
     function updateTeams() {
         if (teamsRaw === undefined) {
+            data.default_team = false;
             data.teams = [];
         } else {
             data.default_team = teamsRaw.find((option) => option.value === 'default') !== undefined;
diff --git a/go.mod b/go.mod
index a335a07..b700a47 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/TicketsBot/archiverclient v0.0.0-20210220155137-a562b2f1bbbb
 	github.com/TicketsBot/common v0.0.0-20210910205523-7ce93fba6fa5
-	github.com/TicketsBot/database v0.0.0-20211029152712-e9861d66f2d6
+	github.com/TicketsBot/database v0.0.0-20211030123522-eeed94443867
 	github.com/TicketsBot/worker v0.0.0-20210910205947-89f7bd5ccf67
 	github.com/apex/log v1.1.2
 	github.com/boj/redistore v0.0.0-20180917114910-cd5dcc76aeff // indirect
diff --git a/go.sum b/go.sum
index 60c8a9b..787d5cb 100644
--- a/go.sum
+++ b/go.sum
@@ -14,8 +14,8 @@ github.com/TicketsBot/common v0.0.0-20210910205523-7ce93fba6fa5/go.mod h1:SVwX6g
 github.com/TicketsBot/database v0.0.0-20200516170158-fd8a949aec2c/go.mod h1:eky4tBL+IZ0svPgTT0N/9i6j7ygHDQH3784DW+HgfcA=
 github.com/TicketsBot/database v0.0.0-20210902172951-4e1f8ced84b7/go.mod h1:A4T2uQFIWC/ttCYpfgv7AkPjR09mMRgzG13lgoV/+aI=
 github.com/TicketsBot/database v0.0.0-20210906215136-2d0c54bd1109/go.mod h1:A4T2uQFIWC/ttCYpfgv7AkPjR09mMRgzG13lgoV/+aI=
-github.com/TicketsBot/database v0.0.0-20211029152712-e9861d66f2d6 h1:vb+Ia5kBlW3AwQBX384GH4tgGUFmuVNazNXoGEezGrI=
-github.com/TicketsBot/database v0.0.0-20211029152712-e9861d66f2d6/go.mod h1:72oWvH/Gq1iKeXCZhVRZn1JFbNVC5iAgERZWTrEarEo=
+github.com/TicketsBot/database v0.0.0-20211030123522-eeed94443867 h1:2tYF3avpUUY1voXuzcY2gQHggnk17M+1btblS7Zkygk=
+github.com/TicketsBot/database v0.0.0-20211030123522-eeed94443867/go.mod h1:72oWvH/Gq1iKeXCZhVRZn1JFbNVC5iAgERZWTrEarEo=
 github.com/TicketsBot/logarchiver v0.0.0-20200423221245-a3f92edf8c14/go.mod h1:whts8TRxrAF4WuDuEAMllkWA/inKem0NhDEFeyuoOvE=
 github.com/TicketsBot/ttlcache v1.6.1-0.20200405150101-acc18e37b261 h1:NHD5GB6cjlkpZFjC76Yli2S63/J2nhr8MuE6KlYJpQM=
 github.com/TicketsBot/ttlcache v1.6.1-0.20200405150101-acc18e37b261/go.mod h1:2zPxDAN2TAPpxUPjxszjs3QFKreKrQh5al/R3cMXmYk=
diff --git a/utils/permissionutils.go b/utils/permissionutils.go
index 135bc66..96396ac 100644
--- a/utils/permissionutils.go
+++ b/utils/permissionutils.go
@@ -2,7 +2,11 @@ package utils
 
 import (
 	"github.com/TicketsBot/GoPanel/botcontext"
+	dbclient "github.com/TicketsBot/GoPanel/database"
 	"github.com/TicketsBot/common/permission"
+	"github.com/TicketsBot/database"
+	"github.com/rxdn/gdl/objects/member"
+	discordperms "github.com/rxdn/gdl/permission"
 )
 
 func GetPermissionLevel(guildId, userId uint64) (permission.PermissionLevel, error) {
@@ -23,4 +27,169 @@ func GetPermissionLevel(guildId, userId uint64) (permission.PermissionLevel, err
 	}
 
 	return permission.GetPermissionLevel(botContext, member, guildId)
-}
\ No newline at end of file
+}
+
+// TODO: Use this on the ticket list
+func HasPermissionToViewTicket(guildId, userId uint64, ticket database.Ticket) (bool, error) {
+	// If user opened the ticket, they will always have permission
+	if ticket.UserId == userId && ticket.GuildId == guildId {
+		return true, nil
+	}
+
+	// Admin override
+	botContext, err := botcontext.ContextForGuild(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	if botContext.IsBotAdmin(userId) {
+		return true, nil
+	}
+
+	// Check if server owner
+	guild, err := botContext.GetGuild(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	if guild.OwnerId == userId {
+		return true, nil
+	}
+
+	member, err := botContext.GetGuildMember(guildId, userId)
+	if err != nil {
+		return false, err
+	}
+
+	// Admins should have access to all tickets
+	isAdmin, err := dbclient.Client.Permissions.IsAdmin(guildId, userId)
+	if err != nil {
+        return false, err
+    }
+
+	if isAdmin {
+		return true, nil
+	}
+
+	// TODO: Check in db
+	adminRoles, err := dbclient.Client.RolePermissions.GetAdminRoles(guildId)
+	if err != nil {
+        return false, err
+    }
+
+	for _, roleId := range adminRoles {
+        if member.HasRole(roleId) {
+            return true, nil
+        }
+    }
+
+	// If ticket is not from a panel, we can use default team perms
+	if ticket.PanelId == nil {
+		canView, err := isOnDefaultTeam(guildId, userId, botContext, member)
+		if err != nil {
+			return false, err
+		}
+
+		return canView, nil
+	} else {
+		panel, err := dbclient.Client.Panel.GetById(*ticket.PanelId)
+		if err != nil {
+			return false, err
+		}
+
+		if panel.WithDefaultTeam {
+			canView, err := isOnDefaultTeam(guildId, userId, botContext, member)
+			if err != nil {
+				return false, err
+			}
+
+			if canView {
+				return true, nil
+			}
+		} else { // If panel does not use default team, check support teams
+			supportTeams, err := dbclient.Client.PanelTeams.GetTeams(*ticket.PanelId)
+			if err != nil {
+				return false, err
+			}
+
+			var supportTeamIds []int
+			for _, team := range supportTeams {
+				supportTeamIds = append(supportTeamIds, team.Id)
+			}
+
+			// Check if user is added to support team directly
+			isSupport, err := dbclient.Client.SupportTeamMembers.IsSupportSubset(guildId, userId, supportTeamIds)
+			if err != nil {
+				return false, err
+			}
+
+			if isSupport {
+				return true, nil
+			}
+
+			// Check if user is added to support team via a role
+			isSupport, err = dbclient.Client.SupportTeamRoles.IsSupportAnySubset(guildId, member.Roles, supportTeamIds)
+			if err != nil {
+				return false, err
+			}
+
+			if isSupport {
+				return true, nil
+			}
+		}
+
+		return false, nil
+	}
+}
+
+func isOnDefaultTeam(guildId, userId uint64, ctx botcontext.BotContext, member member.Member) (bool, error) {
+	// Check user perms for admin
+	if isAdmin, err := dbclient.Client.Permissions.IsAdmin(guildId, userId); err == nil {
+		if isAdmin {
+			return true, nil
+		}
+	} else {
+		return false, err
+	}
+
+	// Check roles from DB
+	adminRoles, err := dbclient.Client.RolePermissions.GetAdminRoles(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	for _, adminRoleId := range adminRoles {
+		if member.HasRole(adminRoleId) {
+			return true, nil
+		}
+	}
+
+	// Check if user has Administrator permission
+	hasAdminPermission := permission.HasPermissions(ctx, guildId, member.User.Id, discordperms.Administrator)
+	if hasAdminPermission {
+		return true, nil
+	}
+
+	// Check user perms for support
+	if isSupport, err := dbclient.Client.Permissions.IsSupport(guildId, member.User.Id); err == nil {
+		if isSupport {
+			return true, nil
+		}
+	} else {
+		return false, err
+	}
+
+	// Check DB for support roles
+	supportRoles, err := dbclient.Client.RolePermissions.GetSupportRoles(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	for _, supportRoleId := range supportRoles {
+		if member.HasRole(supportRoleId) {
+			return false, nil
+		}
+	}
+
+	return false, nil
+}