discord-tickets / bot

The most popular open-source and self-hosted ticket management bot for Discord - a free alternative to the premium and white-label plans of other popular ticketing bots.
https://discordtickets.app
GNU General Public License v3.0
933 stars 477 forks

[BUG] Non-admin can close tickets in servers they are not admin in #466

Closed NonPlayerCharacterNPC closed 1 year ago

NonPlayerCharacterNPC commented 1 year ago

Current Behavior

The /force-close command, run in Server 1 where User 1 is an admin, shows the inactive ticket from Server 2, where User 1 is not an admin, and so User 1 can close the tickets of Server 2.

Expected Behavior

/force-close, when used with the optional time parameter, should only show inactive tickets from the server it is being run in, because you might not want to be closing inactive tickets in Server 2, only in Server 1 (where you ran the command).

Steps To Reproduce

Invite your self-hosted version of the bot to TWO servers (in both cases you authorise the bot; it doesn't matter if you are the server owner or not, as long as you have the Manage Server permission, of course, and are allowed to use the /force-close command).

Create the ticket panels, and open a ticket in both servers (send a message inside of those created tickets), one with an alt account and one with the account that was defined as "SUPER" in .env

Go to either of the TWO servers and enter the command /force-close time: 1s to show the list of tickets that have been inactive for more than 1 second.

If in Server 2 you are just an admin of the Discord server and you run the command (and not the SUPER admin defined in .env), you might not see which servers the tickets are from, and the channel will say #unknown because your alt account in Server 1 is clearly not an admin of it.

If you proceed to press the Close button, you will have closed the inactive ticket in Server 1, where you were not an admin.

Alternatively, if you are an admin of BOTH servers, you will see the inactive tickets and which servers the inactive tickets are from, and when you hit close, instead of having closed the tickets from the server you ran the command in, you will have closed the tickets in BOTH servers.

Environment

- OS: Ubuntu 20.04
- Node: 18.0.0
- NPM:
- Bot: 4.0.7

I am using Pterodactyl Panel.

Anything else?

I haven't inferred anything here: I did hit the close button and it did end up closing the ticket of another server where I wasn't an admin (I used an alt account). Obviously you still need to be an admin with the admin permissions to have access to the force-close command; you can't use it as a normal regular user, which is good.
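The fault the report describes is an authorization query that filters tickets by inactivity but not by the guild the command was invoked in. The following is an added illustration of that pattern and its fix, not code from discord-tickets/bot: it assumes a ticket store with `guildId`, `lastMessageAt` and `open` fields (constructed sample data), and shows the unscoped lookup beside a guild-scoped one plus an ownership re-check at close time.

```javascript
// Added illustration, not code from discord-tickets/bot. The ticket store,
// guild ids and timestamps below are constructed sample data.

const NOW = Date.UTC(2023, 0, 1, 12, 0, 0); // fixed "current time" for the sample

// Constructed ticket records: each belongs to exactly one guild.
const TICKETS = [
  { id: 't1', guildId: 'guild-1', channelId: 'c1', lastMessageAt: NOW - 3_600_000, open: true },
  { id: 't2', guildId: 'guild-2', channelId: 'c2', lastMessageAt: NOW - 7_200_000, open: true },
  { id: 't3', guildId: 'guild-1', channelId: 'c3', lastMessageAt: NOW - 1_000, open: true },
  { id: 't4', guildId: 'guild-1', channelId: 'c4', lastMessageAt: NOW - 86_400_000, open: false },
];

// The behaviour the report describes: inactivity is the only filter, so open
// tickets from every guild the bot is in are listed (and closable) from any guild.
function findInactiveUnscoped(tickets, inactiveForMs, now = NOW) {
  return tickets.filter(t => t.open && now - t.lastMessageAt >= inactiveForMs);
}

// Scoped lookup: the guild the interaction came from is part of the query,
// so the result can only ever contain that guild's tickets.
function findInactiveInGuild(tickets, guildId, inactiveForMs, now = NOW) {
  return tickets.filter(t =>
    t.open && t.guildId === guildId && now - t.lastMessageAt >= inactiveForMs);
}

// Defence in depth: re-check ownership when the Close button is handled, so a
// stale or mismatched ticket id cannot close a ticket outside the invoking guild.
function closeTickets(tickets, guildId, ticketIds) {
  const closed = [];
  for (const id of ticketIds) {
    const t = tickets.find(x => x.id === id);
    if (!t || !t.open) continue;
    if (t.guildId !== guildId) {
      throw new Error(`refusing to close ticket ${id}: it belongs to another guild`);
    }
    t.open = false;
    closed.push(id);
  }
  return closed;
}

// Runs both lookups for "inactive for at least 1 second" from guild-1 and
// returns the ticket ids each would offer for closing.
function demo() {
  const unscoped = findInactiveUnscoped(TICKETS, 1_000).map(t => t.id);
  const scoped = findInactiveInGuild(TICKETS, 'guild-1', 1_000).map(t => t.id);
  return { unscoped, scoped };
}

console.log(demo()); // unscoped lists t2 from guild-2; scoped does not
```

With the sample data, the unscoped lookup offers `t1`, `t2` and `t3` even though `t2` lives in another guild; the scoped lookup offers only `t1` and `t3`, and `closeTickets` refuses `t2` outright if it is ever submitted from guild-1. Scoping the query and re-checking at the action are both cheap, and the second catches regressions in the first.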

eartharoid commented 1 year ago

Thank you for the detailed report. Unfortunately, this extremely important problem was caused by a single very short line that was overlooked. 😔