Upload Attachments from anyone #634

Open
1 task
FlavioSantoro92 opened this issue Sep 18, 2023 · 1 comment

Comments

@FlavioSantoro92

Is this a BUG REPORT or FEATURE REQUEST?:

  • [X] BUG
  • FEATURE

What happened:

The endpoint /tickets/uploadattachment doesn't check the user's permissions. Anyone can upload any attachment even if the user doesn't have the tickets:update permission. The permission is verified, however, if I try to delete the attachment.

What did you expect to happen:

Check the user permissions and prevent the upload.

How to reproduce it (as minimally and precisely as possible):

Use Postman, or enable the upload element in the UI by commenting out the following check in IssuePartial.jsx at line 165:

```
&& helpers.hasPermOverRole(this.props.owner.role, null, 'tickets:update', true)
```

Anything else we need to know?:

Environment:

  • Trudesk Version: 1.2.9
  • OS (e.g. from /etc/os-release):
  • Node.JS Version: v20.5.1
  • MongoDB Version: 5
  • Is this hosted on cloud.trudesk.io: no
@polonel polonel added the bug label Sep 18, 2023
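
The report above describes a permission check that is enforced in the UI and on delete but not on the upload route. The following is an added example, not part of the original issue and not Trudesk's code, of one server-side gate shared by both routes; the role table, function names and the delete path placeholder are assumptions.

```javascript
// Added example. ROLE_GRANTS, requirePermission, routes and dispatch are
// hypothetical names; only '/tickets/uploadattachment' and 'tickets:update'
// come from the issue.

// Constructed role table: the permissions each role holds.
const ROLE_GRANTS = {
  support: new Set(['tickets:view', 'tickets:update']),
  user: new Set(['tickets:view']),
};

// Express-style middleware factory. Fails closed: a missing user, an
// unknown role, or a role without `perm` all get 403 before the handler runs.
function requirePermission(perm) {
  return (req, res, next) => {
    const role = req.user ? req.user.role : undefined;
    const known = Object.prototype.hasOwnProperty.call(ROLE_GRANTS, role);
    if (!known || !ROLE_GRANTS[role].has(perm)) {
      return res.status(403).json({ success: false, error: 'Forbidden' });
    }
    return next();
  };
}

const ok = (req, res) => res.status(200).json({ success: true });

// Upload and delete share one gate, so the two routes cannot drift apart.
// The delete path is a placeholder; the issue does not name it.
const routes = {
  'POST /tickets/uploadattachment': [requirePermission('tickets:update'), ok],
  'DELETE <attachment-delete-path>': [requirePermission('tickets:update'), ok],
};

// Minimal in-process dispatcher standing in for the Express router, so the
// example runs offline. Returns the status and body the client would see.
function dispatch(routeKey, user) {
  const result = { status: null, body: null };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  const chain = routes[routeKey];
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++]({ user }, res, next); };
  next();
  return result;
}
```
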
@github-actions

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
