From d9e4df9e8e3e9a10365e2fd93c1f54b3cf3d6e16 Mon Sep 17 00:00:00 2001
From: rxdn <29165304+rxdn@users.noreply.github.com>
Date: Mon, 30 May 2022 20:33:42 +0100
Subject: [PATCH] Implement better permission check
---
 app/http/endpoints/api/ticket/closeticket.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/app/http/endpoints/api/ticket/closeticket.go b/app/http/endpoints/api/ticket/closeticket.go
index cd67d85..efca641 100644
--- a/app/http/endpoints/api/ticket/closeticket.go
+++ b/app/http/endpoints/api/ticket/closeticket.go
@@ -48,12 +48,23 @@ func CloseTicket(ctx *gin.Context) {
 // Verify the ticket exists
 if ticket.UserId == 0 {
 ctx.AbortWithStatusJSON(404, gin.H{
- "success": true,
+ "success": false,
 "error": "Ticket does not exist",
 })
 return
 }

+ hasPermission, err := utils.HasPermissionToViewTicket(guildId, userId, ticket)
+ if err != nil {
+ ctx.JSON(500, utils.ErrorJson(err))
+ return
+ }
+
+ if !hasPermission {
+ ctx.JSON(403, utils.ErrorStr("You do not have permission to close this ticket"))
+ return
+ }
+
 data := closerelay.TicketClose{
 GuildId: guildId,
 TicketId: ticket.Id,
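Review bot: The new authorization gate for a state-changing close calls `utils.HasPermissionToViewTicket`, so anyone who may read the ticket is allowed to close it; the helper's body is not in this hunk, so whether view access is meant to imply close access cannot be confirmed here. If the two rights can differ (for example read-only staff), this needs a close-specific check, and otherwise a comment above the call such as `// Closing is authorized by view access: every viewer of a ticket may close it.` would record the decision. The two new error paths use `ctx.JSON` while the 404 branch above uses `ctx.AbortWithStatusJSON`; using `ctx.AbortWithStatusJSON(403, utils.ErrorStr("You do not have permission to close this ticket"))` keeps the handler consistent and stops any later handlers in the chain. The 500 branch returns `utils.ErrorJson(err)` to the caller, which presumably exposes the internal error text; logging it server-side and returning a generic message would avoid that. CloseTicket starts before and continues after this hunk.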