Check support team data

app/http/endpoints/api/ticket/getticket.go

@@ -17,6 +17,7 @@ var MentionRegex, _ = regexp.Compile("<@(\\d+)>")
 
 func GetTicket(ctx *gin.Context) {
 	guildId := ctx.Keys["guildid"].(uint64)
+	userId := ctx.Keys["userid"].(uint64)
 
 	botContext, err := botcontext.ContextForGuild(guildId)
 	if err != nil {
@@ -62,6 +63,17 @@ func GetTicket(ctx *gin.Context) {
 		return
 	}
 
+	hasPermission, err := utils.HasPermissionToViewTicket(guildId, userId, ticket)
+	if err != nil {
+		ctx.JSON(500, utils.ErrorJson(err))
+		return
+	}
+
+	if !hasPermission {
+		ctx.JSON(403, utils.ErrorStr("You do not have permission to view this ticket"))
+		return
+	}
+
 	messagesFormatted := make([]map[string]interface{}, 0)
 	if ticket.ChannelId != nil {
 		// Get messages

app/http/endpoints/api/transcripts/get.go

@@ -2,10 +2,9 @@ package api
 
 import (
 	"errors"
-	"github.com/TicketsBot/GoPanel/database"
+	dbclient "github.com/TicketsBot/GoPanel/database"
 	"github.com/TicketsBot/GoPanel/utils"
 	"github.com/TicketsBot/archiverclient"
-	"github.com/TicketsBot/common/permission"
 	"github.com/gin-gonic/gin"
 	"strconv"
 )
@@ -22,7 +21,7 @@ func GetTranscriptHandler(ctx *gin.Context) {
 	}
 
 	// get ticket object
-	ticket, err := database.Client.Tickets.Get(ticketId, guildId)
+	ticket, err := dbclient.Client.Tickets.Get(ticketId, guildId)
 	if err != nil {
 		ctx.AbortWithStatusJSON(500, gin.H{
 			"success": false,
@@ -40,13 +39,13 @@ func GetTranscriptHandler(ctx *gin.Context) {
 	// Verify the user has permissions to be here
 	// ticket.UserId cannot be 0
 	if ticket.UserId != userId {
-		permLevel, err := utils.GetPermissionLevel(guildId, userId)
+		hasPermission, err := utils.HasPermissionToViewTicket(guildId, userId, ticket)
 		if err != nil {
 			ctx.JSON(500, utils.ErrorJson(err))
 			return
 		}
 
-		if permLevel < permission.Support {
+		if !hasPermission {
 			ctx.JSON(403, utils.ErrorStr("You do not have permission to view this transcript"))
 			return
 		}

app/http/server.go

@@ -77,14 +77,16 @@ func StartServer() {
 			middleware.Logging,
 		)
 
-		guildAuthApiAdmin.GET("/settings", api_settings.GetSettingsHandler)
+		// Must be readable to load transcripts page
+		guildAuthApiSupport.GET("/settings", api_settings.GetSettingsHandler)
 		guildAuthApiAdmin.POST("/settings", api_settings.UpdateSettingsHandler)
 
 		guildAuthApiSupport.GET("/blacklist", api_blacklist.GetBlacklistHandler)
 		guildAuthApiSupport.POST("/blacklist/:user", api_blacklist.AddBlacklistHandler)
 		guildAuthApiSupport.DELETE("/blacklist/:user", api_blacklist.RemoveBlacklistHandler)
 
-		guildAuthApiAdmin.GET("/panels", api_panels.ListPanels)
+		// Must be readable to load transcripts page
+		guildAuthApiSupport.GET("/panels", api_panels.ListPanels)
 		guildAuthApiAdmin.POST("/panels", api_panels.CreatePanel)
 		guildAuthApiAdmin.POST("/panels/:panelid", rl(middleware.RateLimitTypeGuild, 5, 5*time.Second), api_panels.ResendPanel)
 		guildAuthApiAdmin.PATCH("/panels/:panelid", api_panels.UpdatePanel)

frontend/src/components/manage/PanelCreationForm.svelte

@@ -41,13 +41,15 @@
                 <div class="col-2">
                     <label class="form-label">Mention On Open</label>
                     <div class="multiselect-super">
-            <Select items={mentionValues} bind:selectedValue={mentionsRaw} on:select={updateMentions} isMulti={true}/>
+                        <Select items={mentionValues} bind:selectedValue={mentionsRaw} on:select={updateMentions}
+                                isMulti={true}/>
                     </div>
                 </div>
                 <div class="col-2">
                     <label class="form-label">Support Teams</label>
                     <div class="multiselect-super">
-            <Select items={teamsItems} bind:selectedValue={teamsRaw} on:select={updateTeams} isMulti={true}/>
+                        <Select items={teamsItems} bind:selectedValue={teamsRaw} on:select={updateTeams}
+                                isMulti={true}/>
                     </div>
                 </div>
             </div>
@@ -123,6 +125,7 @@
 
     function updateTeams() {
         if (teamsRaw === undefined) {
+            data.default_team = false;
             data.teams = [];
         } else {
             data.default_team = teamsRaw.find((option) => option.value === 'default') !== undefined;

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/TicketsBot/archiverclient v0.0.0-20210220155137-a562b2f1bbbb
 	github.com/TicketsBot/common v0.0.0-20210910205523-7ce93fba6fa5
-	github.com/TicketsBot/database v0.0.0-20211029152712-e9861d66f2d6
+	github.com/TicketsBot/database v0.0.0-20211030123522-eeed94443867
 	github.com/TicketsBot/worker v0.0.0-20210910205947-89f7bd5ccf67
 	github.com/apex/log v1.1.2
 	github.com/boj/redistore v0.0.0-20180917114910-cd5dcc76aeff // indirect

go.sum

@@ -14,8 +14,8 @@ github.com/TicketsBot/common v0.0.0-20210910205523-7ce93fba6fa5/go.mod h1:SVwX6g
 github.com/TicketsBot/database v0.0.0-20200516170158-fd8a949aec2c/go.mod h1:eky4tBL+IZ0svPgTT0N/9i6j7ygHDQH3784DW+HgfcA=
 github.com/TicketsBot/database v0.0.0-20210902172951-4e1f8ced84b7/go.mod h1:A4T2uQFIWC/ttCYpfgv7AkPjR09mMRgzG13lgoV/+aI=
 github.com/TicketsBot/database v0.0.0-20210906215136-2d0c54bd1109/go.mod h1:A4T2uQFIWC/ttCYpfgv7AkPjR09mMRgzG13lgoV/+aI=
-github.com/TicketsBot/database v0.0.0-20211029152712-e9861d66f2d6 h1:vb+Ia5kBlW3AwQBX384GH4tgGUFmuVNazNXoGEezGrI=
+github.com/TicketsBot/database v0.0.0-20211030123522-eeed94443867 h1:2tYF3avpUUY1voXuzcY2gQHggnk17M+1btblS7Zkygk=
-github.com/TicketsBot/database v0.0.0-20211029152712-e9861d66f2d6/go.mod h1:72oWvH/Gq1iKeXCZhVRZn1JFbNVC5iAgERZWTrEarEo=
+github.com/TicketsBot/database v0.0.0-20211030123522-eeed94443867/go.mod h1:72oWvH/Gq1iKeXCZhVRZn1JFbNVC5iAgERZWTrEarEo=
 github.com/TicketsBot/logarchiver v0.0.0-20200423221245-a3f92edf8c14/go.mod h1:whts8TRxrAF4WuDuEAMllkWA/inKem0NhDEFeyuoOvE=
 github.com/TicketsBot/ttlcache v1.6.1-0.20200405150101-acc18e37b261 h1:NHD5GB6cjlkpZFjC76Yli2S63/J2nhr8MuE6KlYJpQM=
 github.com/TicketsBot/ttlcache v1.6.1-0.20200405150101-acc18e37b261/go.mod h1:2zPxDAN2TAPpxUPjxszjs3QFKreKrQh5al/R3cMXmYk=

utils/permissionutils.go

@@ -2,7 +2,11 @@ package utils
 
 import (
 	"github.com/TicketsBot/GoPanel/botcontext"
+	dbclient "github.com/TicketsBot/GoPanel/database"
 	"github.com/TicketsBot/common/permission"
+	"github.com/TicketsBot/database"
+	"github.com/rxdn/gdl/objects/member"
+	discordperms "github.com/rxdn/gdl/permission"
 )
 
 func GetPermissionLevel(guildId, userId uint64) (permission.PermissionLevel, error) {
@@ -24,3 +28,168 @@ func GetPermissionLevel(guildId, userId uint64) (permission.PermissionLevel, err
 
 	return permission.GetPermissionLevel(botContext, member, guildId)
 }
+
+// TODO: Use this on the ticket list
+func HasPermissionToViewTicket(guildId, userId uint64, ticket database.Ticket) (bool, error) {
+	// If user opened the ticket, they will always have permission
+	if ticket.UserId == userId && ticket.GuildId == guildId {
+		return true, nil
+	}
+
+	// Admin override
+	botContext, err := botcontext.ContextForGuild(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	if botContext.IsBotAdmin(userId) {
+		return true, nil
+	}
+
+	// Check if server owner
+	guild, err := botContext.GetGuild(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	if guild.OwnerId == userId {
+		return true, nil
+	}
+
+	member, err := botContext.GetGuildMember(guildId, userId)
+	if err != nil {
+		return false, err
+	}
+
+	// Admins should have access to all tickets
+	isAdmin, err := dbclient.Client.Permissions.IsAdmin(guildId, userId)
+	if err != nil {
+        return false, err
+    }
+
+	if isAdmin {
+		return true, nil
+	}
+
+	// TODO: Check in db
+	adminRoles, err := dbclient.Client.RolePermissions.GetAdminRoles(guildId)
+	if err != nil {
+        return false, err
+    }
+
+	for _, roleId := range adminRoles {
+        if member.HasRole(roleId) {
+            return true, nil
+        }
+    }
+
+	// If ticket is not from a panel, we can use default team perms
+	if ticket.PanelId == nil {
+		canView, err := isOnDefaultTeam(guildId, userId, botContext, member)
+		if err != nil {
+			return false, err
+		}
+
+		return canView, nil
+	} else {
+		panel, err := dbclient.Client.Panel.GetById(*ticket.PanelId)
+		if err != nil {
+			return false, err
+		}
+
+		if panel.WithDefaultTeam {
+			canView, err := isOnDefaultTeam(guildId, userId, botContext, member)
+			if err != nil {
+				return false, err
+			}
+
+			if canView {
+				return true, nil
+			}
+		} else { // If panel does not use default team, check support teams
+			supportTeams, err := dbclient.Client.PanelTeams.GetTeams(*ticket.PanelId)
+			if err != nil {
+				return false, err
+			}
+
+			var supportTeamIds []int
+			for _, team := range supportTeams {
+				supportTeamIds = append(supportTeamIds, team.Id)
+			}
+
+			// Check if user is added to support team directly
+			isSupport, err := dbclient.Client.SupportTeamMembers.IsSupportSubset(guildId, userId, supportTeamIds)
+			if err != nil {
+				return false, err
+			}
+
+			if isSupport {
+				return true, nil
+			}
+
+			// Check if user is added to support team via a role
+			isSupport, err = dbclient.Client.SupportTeamRoles.IsSupportAnySubset(guildId, member.Roles, supportTeamIds)
+			if err != nil {
+				return false, err
+			}
+
+			if isSupport {
+				return true, nil
+			}
+		}
+
+		return false, nil
+	}
+}
+
+func isOnDefaultTeam(guildId, userId uint64, ctx botcontext.BotContext, member member.Member) (bool, error) {
+	// Check user perms for admin
+	if isAdmin, err := dbclient.Client.Permissions.IsAdmin(guildId, userId); err == nil {
+		if isAdmin {
+			return true, nil
+		}
+	} else {
+		return false, err
+	}
+
+	// Check roles from DB
+	adminRoles, err := dbclient.Client.RolePermissions.GetAdminRoles(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	for _, adminRoleId := range adminRoles {
+		if member.HasRole(adminRoleId) {
+			return true, nil
+		}
+	}
+
+	// Check if user has Administrator permission
+	hasAdminPermission := permission.HasPermissions(ctx, guildId, member.User.Id, discordperms.Administrator)
+	if hasAdminPermission {
+		return true, nil
+	}
+
+	// Check user perms for support
+	if isSupport, err := dbclient.Client.Permissions.IsSupport(guildId, member.User.Id); err == nil {
+		if isSupport {
+			return true, nil
+		}
+	} else {
+		return false, err
+	}
+
+	// Check DB for support roles
+	supportRoles, err := dbclient.Client.RolePermissions.GetSupportRoles(guildId)
+	if err != nil {
+		return false, err
+	}
+
+	for _, supportRoleId := range supportRoles {
+		if member.HasRole(supportRoleId) {
+			return false, nil
+		}
+	}
+
+	return false, nil
+}