AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Client file deletion 

- Add file delete confirmation modal
- Change file deletes to POST not GET requests in post.php as they are state changing
- Require CSRF validation for file deletes
This commit is contained in:
Marcus Hill 2023-04-08 21:59:54 +01:00
parent c2b25cbf7d
commit 04dad13ad3
5 changed files with 46 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
client_file_add_modal.php
View File

@ -17,7 +17,7 @@
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-file"></i></span>
</div>
<input type="text" class="form-control" name="new_name" placeholder="leave blank to use existing name">
<input type="text" class="form-control" name="new_name" placeholder="Leave blank to use existing name">
</div>
</div>

21
client_file_delete_modal.php Normal file
View File

@ -0,0 +1,21 @@
<script src="js/file_delete_modal.js"></script>
<div class="modal" id="deleteFileModal" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-body">
<div class="mb-4" style="text-align: center;">
<i class="far fa-10x fa-times-circle text-danger mb-3 mt-3"></i>
<h2>Are you sure?</h2>
<h6 class="mb-4 text-secondary">Do you really want to delete this file?</h6>
<h5 class="mb-4 text-secondary text-bold" id="file_delete_name">Name</h5>
<form action="post.php" method="POST">
<input type="hidden" name="file_id" id="file_delete_id" value="id">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<button type="button" name="cancel" class="btn btn-outline-secondary btn-lg px-5 mr-4" data-dismiss="modal">Cancel</button>
<input type="submit" name="delete_file" class="btn btn-danger btn-lg px-5" value="Yes, Delete!">
</form>
</div>
</div>
</div>
</div>
</div>

6
client_files.php
View File

@ -47,7 +47,7 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_
<small><?php echo $file_name; ?></small>
<a href="post.php?delete_file=<?php echo $file_id; ?>" class="text-white float-right mr-1"><i class="fa fa-times"></i></a>
<a href="#" data-toggle="modal" data-target="#deleteFileModal" onclick="populateFileDeleteModal(<?php echo "$file_id , '$file_name'" ?>)" class="text-white float-right mr-1"><i class="fa fa-times"></i></a>
</div>
</div>
</div>
@ -90,7 +90,7 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_
<td>
<a href="<?php echo "uploads/clients/$client_id/$file_reference_name"; ?>" download="<?php echo $file_name; ?>" class="text-secondary float-left ml-1"><i class="fa fa-cloud-download-alt"></i></a>
<a href="#" data-toggle="modal" data-target="#shareModal" onclick="populateShareModal(<?php echo "$client_id, 'File', $file_id"; ?>)" class="text-secondary float-left ml-1"><i class="fa fa-share"></i></a>
<a href="post.php?delete_file=<?php echo $file_id; ?>" class="text-secondary float-right mr-1"><i class="fa fa-times"></i></a>
<a href="#" data-toggle="modal" data-target="#deleteFileModal" onclick="populateFileDeleteModal(<?php echo "$file_id , '$file_name'" ?>)" class="text-secondary float-right mr-1"><i class="fa fa-times"></i></a>
</td>
</tr>
<?php
@ -104,4 +104,6 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_
<?php
require_once("client_file_add_modal.php");
require_once("share_modal.php");
require_once("client_file_delete_modal.php");
require_once("footer.php");

5
js/file_delete_modal.js Normal file
View File

@ -0,0 +1,5 @@
function populateFileDeleteModal(file_id, file_name) {
// Dynamically populate the file delete modal with the file id (hidden) and name
document.getElementById("file_delete_id").value = file_id;
document.getElementById("file_delete_name").innerText = file_name;
}

29
post.php
View File

@ -244,7 +244,7 @@ if(isset($_POST['edit_profile'])){
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/users/$user_id/";
$dest_path = $upload_file_dir . $new_file_name;
@ -1787,7 +1787,7 @@ if(isset($_POST['add_event'])){
$client_name = $row['client_name'];
$contact_name = $row['contact_name'];
$contact_email = $row['contact_email'];
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
$company_name = $row['company_name'];
@ -1844,7 +1844,7 @@ if(isset($_POST['edit_event'])){
$client_name = $row['client_name'];
$contact_name = $row['contact_name'];
$contact_email = $row['contact_email'];
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
$company_name = $row['company_name'];
@ -3189,7 +3189,7 @@ if(isset($_GET['decline_quote'])){
}
if(isset($_GET['email_quote'])){
$quote_id = intval($_GET['email_quote']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes
@ -3216,7 +3216,7 @@ if(isset($_GET['email_quote'])){
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
$contact_mobile = formatPhoneNumber($row['contact_mobile']);
$client_website = sanitizeInput($row['client_website']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = sanitizeInput($row['company_name']);
@ -3672,7 +3672,7 @@ if(isset($_POST['add_payment'])){
$contact_phone = formatPhoneNumber($row['contact_phone']);
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
$contact_mobile = formatPhoneNumber($row['contact_mobile']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
@ -3817,7 +3817,7 @@ if(isset($_GET['email_invoice'])){
WHERE invoice_id = $invoice_id"
);
$row = mysqli_fetch_array($sql);
$invoice_id = intval($row['invoice_id']);
$invoice_prefix = $row['invoice_prefix'];
$invoice_number = $row['invoice_number'];
@ -6137,7 +6137,7 @@ if(isset($_POST['add_ticket'])){
$ticket_prefix = $row['ticket_prefix'];
$ticket_number = intval($row['ticket_number']);
$ticket_subject = $row['ticket_subject'];
$sql = mysqli_query($mysqli,"SELECT company_phone FROM companies WHERE company_id = 1");
$company_phone = formatPhoneNumber($row['company_phone']);
@ -6350,7 +6350,7 @@ if(isset($_POST['add_ticket_reply'])){
$client_id = intval($row['ticket_client_id']);
$ticket_created_by = intval($row['ticket_created_by']);
$ticket_assigned_to = intval($row['ticket_assigned_to']);
$company_sql = mysqli_query($mysqli,"SELECT company_phone FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($company_sql);
@ -6529,7 +6529,7 @@ if(isset($_GET['close_ticket'])){
$ticket_prefix = sanitizeInput($row['ticket_prefix']);
$ticket_number = intval($row['ticket_number']);
$ticket_subject = sanitizeInput($row['ticket_subject']);
$company_sql = mysqli_query($mysqli,"SELECT company_phone FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($company_sql);
$company_phone = formatPhoneNumber($row['company_phone']);
@ -7079,11 +7079,12 @@ if(isset($_POST['add_file'])){
}
if(isset($_GET['delete_file'])){
if(isset($_POST['delete_file'])){
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$file_id = intval($_GET['delete_file']);
$file_id = intval($_POST['file_id']);
$sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql_file);
@ -7318,7 +7319,7 @@ if(isset($_GET['delete_folder'])){
}
if(isset($_GET['deactivate_shared_item'])){
validateAdminRole();
$item_id = intval($_GET['deactivate_shared_item']);
@ -7436,7 +7437,7 @@ if(isset($_GET['force_recurring'])){
$contact_phone = formatPhoneNumber($row['contact_phone']);
$contact_extension = $row['contact_extension'];
$contact_mobile = formatPhoneNumber($row['contact_mobile']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = $row['company_name'];