mirror of
https://github.com/itflow-org/itflow
synced 2026-02-28 02:44:53 +00:00
Client file deletion
- Add file delete confirmation modal - Change file deletes to POST not GET requests in post.php as they are state changing - Require CSRF validation for file deletes
This commit is contained in:
Marcus Hill
29
post.php
29
post.php
@@ -244,7 +244,7 @@ if(isset($_POST['edit_profile'])){
|
||||
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
|
||||
|
||||
$file_tmp_path = $_FILES['file']['tmp_name'];
|
||||
|
||||
|
||||
// directory in which the uploaded file will be moved
|
||||
$upload_file_dir = "uploads/users/$user_id/";
|
||||
$dest_path = $upload_file_dir . $new_file_name;
|
||||
@@ -1787,7 +1787,7 @@ if(isset($_POST['add_event'])){
|
||||
$client_name = $row['client_name'];
|
||||
$contact_name = $row['contact_name'];
|
||||
$contact_email = $row['contact_email'];
|
||||
|
||||
|
||||
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql_company);
|
||||
$company_name = $row['company_name'];
|
||||
@@ -1844,7 +1844,7 @@ if(isset($_POST['edit_event'])){
|
||||
$client_name = $row['client_name'];
|
||||
$contact_name = $row['contact_name'];
|
||||
$contact_email = $row['contact_email'];
|
||||
|
||||
|
||||
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql_company);
|
||||
$company_name = $row['company_name'];
|
||||
@@ -3189,7 +3189,7 @@ if(isset($_GET['decline_quote'])){
|
||||
}
|
||||
|
||||
if(isset($_GET['email_quote'])){
|
||||
|
||||
|
||||
$quote_id = intval($_GET['email_quote']);
|
||||
|
||||
$sql = mysqli_query($mysqli,"SELECT * FROM quotes
|
||||
@@ -3216,7 +3216,7 @@ if(isset($_GET['email_quote'])){
|
||||
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
|
||||
$contact_mobile = formatPhoneNumber($row['contact_mobile']);
|
||||
$client_website = sanitizeInput($row['client_website']);
|
||||
|
||||
|
||||
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql);
|
||||
$company_name = sanitizeInput($row['company_name']);
|
||||
@@ -3672,7 +3672,7 @@ if(isset($_POST['add_payment'])){
|
||||
$contact_phone = formatPhoneNumber($row['contact_phone']);
|
||||
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
|
||||
$contact_mobile = formatPhoneNumber($row['contact_mobile']);
|
||||
|
||||
|
||||
|
||||
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql);
|
||||
@@ -3817,7 +3817,7 @@ if(isset($_GET['email_invoice'])){
|
||||
WHERE invoice_id = $invoice_id"
|
||||
);
|
||||
$row = mysqli_fetch_array($sql);
|
||||
|
||||
|
||||
$invoice_id = intval($row['invoice_id']);
|
||||
$invoice_prefix = $row['invoice_prefix'];
|
||||
$invoice_number = $row['invoice_number'];
|
||||
@@ -6137,7 +6137,7 @@ if(isset($_POST['add_ticket'])){
|
||||
$ticket_prefix = $row['ticket_prefix'];
|
||||
$ticket_number = intval($row['ticket_number']);
|
||||
$ticket_subject = $row['ticket_subject'];
|
||||
|
||||
|
||||
$sql = mysqli_query($mysqli,"SELECT company_phone FROM companies WHERE company_id = 1");
|
||||
|
||||
$company_phone = formatPhoneNumber($row['company_phone']);
|
||||
@@ -6350,7 +6350,7 @@ if(isset($_POST['add_ticket_reply'])){
|
||||
$client_id = intval($row['ticket_client_id']);
|
||||
$ticket_created_by = intval($row['ticket_created_by']);
|
||||
$ticket_assigned_to = intval($row['ticket_assigned_to']);
|
||||
|
||||
|
||||
|
||||
$company_sql = mysqli_query($mysqli,"SELECT company_phone FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($company_sql);
|
||||
@@ -6529,7 +6529,7 @@ if(isset($_GET['close_ticket'])){
|
||||
$ticket_prefix = sanitizeInput($row['ticket_prefix']);
|
||||
$ticket_number = intval($row['ticket_number']);
|
||||
$ticket_subject = sanitizeInput($row['ticket_subject']);
|
||||
|
||||
|
||||
$company_sql = mysqli_query($mysqli,"SELECT company_phone FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($company_sql);
|
||||
$company_phone = formatPhoneNumber($row['company_phone']);
|
||||
@@ -7079,11 +7079,12 @@ if(isset($_POST['add_file'])){
|
||||
|
||||
}
|
||||
|
||||
if(isset($_GET['delete_file'])){
|
||||
if(isset($_POST['delete_file'])){
|
||||
|
||||
validateAdminRole();
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
$file_id = intval($_GET['delete_file']);
|
||||
$file_id = intval($_POST['file_id']);
|
||||
|
||||
$sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id");
|
||||
$row = mysqli_fetch_array($sql_file);
|
||||
@@ -7318,7 +7319,7 @@ if(isset($_GET['delete_folder'])){
|
||||
}
|
||||
|
||||
if(isset($_GET['deactivate_shared_item'])){
|
||||
|
||||
|
||||
validateAdminRole();
|
||||
|
||||
$item_id = intval($_GET['deactivate_shared_item']);
|
||||
@@ -7436,7 +7437,7 @@ if(isset($_GET['force_recurring'])){
|
||||
$contact_phone = formatPhoneNumber($row['contact_phone']);
|
||||
$contact_extension = $row['contact_extension'];
|
||||
$contact_mobile = formatPhoneNumber($row['contact_mobile']);
|
||||
|
||||
|
||||
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql);
|
||||
$company_name = $row['company_name'];
|
||||
|
||||
Reference in New Issue
Block a user