From 0e3959ce008452b1a85f196595a4793e98ad41c2 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Sat, 22 Feb 2025 14:25:24 -0500 Subject: [PATCH] Updated Client Access Permissions to use the defined in check_login.php --- invoice.php | 8 ++------ invoices.php | 6 +----- quote.php | 7 ++----- quotes.php | 6 +----- ticket.php | 6 +----- vendors.php | 2 ++ 6 files changed, 9 insertions(+), 26 deletions(-) diff --git a/invoice.php b/invoice.php index 7bb5d4c0..273e9e42 100644 --- a/invoice.php +++ b/invoice.php @@ -9,11 +9,6 @@ if (isset($_GET['client_id'])) { // Perms enforceUserPermission('module_sales'); -$invoice_permission_snippet = ''; -if (!empty($client_access_string)) { - $invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)"; -} - if (isset($_GET['invoice_id'])) { @@ -26,7 +21,8 @@ if (isset($_GET['invoice_id'])) { LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1 WHERE invoice_id = $invoice_id - $invoice_permission_snippet" + $access_permission_query + LIMIT 1" ); if (mysqli_num_rows($sql) == 0) { diff --git a/invoices.php b/invoices.php index a59d4112..aaf133bb 100644 --- a/invoices.php +++ b/invoices.php @@ -17,10 +17,6 @@ if (isset($_GET['client_id'])) { // Perms enforceUserPermission('module_sales'); -$invoice_permission_snippet = ''; -if (!empty($client_access_string)) { - $invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)"; -} $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query")); $sent_count = $row['num']; 
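Review bot: The new `$access_permission_query` interpolation in the invoice lookup fails open if check_login.php leaves that variable unset for some session type — PHP interpolates an undefined variable as an empty string, so `WHERE invoice_id = $invoice_id LIMIT 1` would then return any client's invoice, whereas the removed snippet always carried an explicit `''` default in this file. Worth a guard before the query, e.g. `if (!isset($access_permission_query)) { exit('access permission filter not initialised'); }`, or a comment in check_login.php stating the variable is set unconditionally. The removed filter keyed on `invoice_client_id`; the shared filter presumably keys on a `clients` column reached through the `LEFT JOIN`s above — confirm that column exists in this SELECT, since an unknown column makes `mysqli_query` return false and the following `mysqli_num_rows($sql)` fails hard rather than reporting 0 rows. The `if (isset($_GET['invoice_id']))` block and the `$sql = mysqli_query(` call start before the hunk, so whether `$invoice_id` is cast to int before interpolation is not visible here.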
@@ -98,7 +94,7 @@ $sql = mysqli_query( $overdue_query AND DATE(invoice_date) BETWEEN '$dtf' AND '$dtt' AND (CONCAT(invoice_prefix,invoice_number) LIKE '%$q%' OR invoice_scope LIKE '%$q%' OR client_name LIKE '%$q%' OR invoice_status LIKE '%$q%' OR invoice_amount LIKE '%$q%' OR category_name LIKE '%$q%') - $invoice_permission_snippet + $access_permission_query $client_query ORDER BY $sort $order LIMIT $record_from, $record_to" ); diff --git a/quote.php b/quote.php index 1e090e86..3668a03a 100644 --- a/quote.php +++ b/quote.php @@ -9,10 +9,6 @@ if (isset($_GET['client_id'])) { // Perms enforceUserPermission('module_sales'); -$quote_permission_snippet = ''; -if (!empty($client_access_string)) { - $quote_permission_snippet = "AND quote_client_id IN ($client_access_string)"; -} if (isset($_GET['quote_id'])) { @@ -25,7 +21,8 @@ if (isset($_GET['quote_id'])) { LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1 WHERE quote_id = $quote_id - $quote_permission_snippet" + $access_permission_query + LIMIT 1" ); if (mysqli_num_rows($sql) == 0) { diff --git a/quotes.php b/quotes.php index 99b594ce..b37e40c3 100644 --- a/quotes.php +++ b/quotes.php @@ -17,10 +17,6 @@ if (isset($_GET['client_id'])) { // Perms enforceUserPermission('module_sales'); -$quote_permission_snippet = ''; -if (!empty($client_access_string)) { - $quote_permission_snippet = "AND quote_client_id IN ($client_access_string)"; -} $sql = mysqli_query( $mysqli, 
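Review bot: The summary counters in the previous hunk of invoices.php (`SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query`) are still filtered only by `$client_query`, while the list query here now gains `$access_permission_query`; a client-restricted user therefore sees totals aggregated over invoices they cannot list. Those count queries select straight from `invoices` with no `clients` join, so if the shared filter keys on `client_id` it cannot simply be appended there — a variant keyed on `invoice_client_id` (the column the removed snippet used) would be needed. The placement in this hunk is otherwise sound: the search predicate is parenthesised and `$client_query` follows, so an `AND …` filter composes correctly. The `$sql = mysqli_query(` statement opens before the hunk.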
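Review bot: `$access_permission_query` is appended directly after `WHERE quote_id = $quote_id` with no grouping, so the lookup's correctness now depends on the centrally built string always being either empty or a conjunction of the form `AND …`; a filter containing a top-level `OR` (for example to admit quotes with no client) would widen the match beyond the requested `quote_id`. Since the string is built in check_login.php rather than in this file, a one-line comment above the query stating that contract — `// $access_permission_query is '' or 'AND <col> IN (...)'; set unconditionally in check_login.php` — would keep later edits to either side safe. The enclosing `if (isset($_GET['quote_id']))` block and the `$sql = mysqli_query(` call start before the hunk.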
@@ -29,7 +25,7 @@ $sql = mysqli_query( LEFT JOIN categories ON quote_category_id = category_id WHERE (CONCAT(quote_prefix,quote_number) LIKE '%$q%' OR quote_scope LIKE '%$q%' OR category_name LIKE '%$q%' OR quote_status LIKE '%$q%' OR quote_amount LIKE '%$q%' OR client_name LIKE '%$q%') AND DATE(quote_date) BETWEEN '$dtf' AND '$dtt' - $quote_permission_snippet + $access_permission_query $client_query ORDER BY $sort $order LIMIT $record_from, $record_to" ); diff --git a/ticket.php b/ticket.php index c05a7c14..3053ebf6 100644 --- a/ticket.php +++ b/ticket.php @@ -11,10 +11,6 @@ if (isset($_GET['client_id'])) { // Perms enforceUserPermission('module_support'); -$ticket_permission_snippet = ''; -if (!empty($client_access_string)) { - $ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)"; -} // Initialize the HTML Purifier to prevent XSS require_once "plugins/htmlpurifier/HTMLPurifier.standalone.php"; @@ -42,7 +38,7 @@ if (isset($_GET['ticket_id'])) { LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id LEFT JOIN categories ON ticket_category = category_id WHERE ticket_id = $ticket_id - $ticket_permission_snippet + $access_permission_query LIMIT 1" ); diff --git a/vendors.php b/vendors.php index ab05d0e3..46ee786c 100644 --- a/vendors.php +++ b/vendors.php @@ -18,10 +18,12 @@ if (isset($_GET['client_id'])) { $sql = mysqli_query( $mysqli, "SELECT SQL_CALC_FOUND_ROWS * FROM vendors + LEFT JOIN clients ON client_id = vendor_client_id WHERE vendor_$archive_query AND vendor_template = 0 AND (vendor_name LIKE '%$q%' OR vendor_description LIKE '%$q%' OR vendor_account_number LIKE '%$q%' OR vendor_website LIKE '%$q%' OR vendor_contact_name LIKE '%$q%' OR vendor_email LIKE '%$q%' OR vendor_phone LIKE '%$phone_query%') $client_query + $access_permission_query ORDER BY $sort $order LIMIT $record_from, $record_to" );
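Review bot: The removed filter restricted on `quote_client_id`, a column of the `quotes` table itself, while the replacement `$access_permission_query` presumably keys on a `clients` column through a join that sits above this hunk; if that join is a `LEFT JOIN`, any quote whose client row is missing yields `NULL IN (...)`, which is NULL, so such quotes silently vanish for restricted users while remaining visible to unrestricted ones. That is a fail-closed change rather than a leak, but it is a behavioural difference from the old snippet that the commit message does not mention; confirm which column the shared filter uses and whether orphaned quotes are expected. The `$sql = mysqli_query(` statement opens before the hunk, so the join list is only partly visible.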
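Review bot: The ticket lookup's visible joins are only `ticket_statuses` and `categories`, and the removed filter keyed on `ticket_client_id` from the `tickets` table; if the shared `$access_permission_query` keys on a `clients` column instead, this query must join `clients` above the hunk, otherwise MySQL rejects the statement with an unknown-column error, `mysqli_query` returns false, and the code after the hunk operates on `false` rather than an empty result. That would take every restricted user's ticket page down rather than leak data, but it needs confirming against the full SELECT. Separately, an unset `$access_permission_query` interpolates as `''` and silently removes the restriction, so a guard such as `if (!isset($access_permission_query)) { exit('access permission filter not initialised'); }` before the query is cheap insurance. The `if (isset($_GET['ticket_id']))` block and the `$sql = mysqli_query(` call start before the hunk.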
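Review bot: The new `LEFT JOIN clients ON client_id = vendor_client_id` makes vendors with no matching client row (presumably shared vendors with a NULL or 0 `vendor_client_id`) produce `client_id = NULL`, so a filter of the form `AND client_id IN (...)` evaluates to NULL and those vendors disappear for client-restricted users while unrestricted users still see them; if shared vendors are meant to stay visible, the filter needs an explicit allowance for them, or the restriction should key on `vendor_client_id` without the join. `SELECT SQL_CALC_FOUND_ROWS *` now returns every column of both tables, and in `mysqli_fetch_assoc` a same-named column from `clients` silently overwrites the vendor one; `SELECT SQL_CALC_FOUND_ROWS vendors.*` (plus any client columns actually needed) avoids that. Unlike the other files in this patch, no `enforceUserPermission(...)` call is visible in this hunk — it may sit above `@@ -18`, but confirm vendors.php has a module check. The `$sql = mysqli_query(` statement and the `if (isset($_GET['client_id']))` block open before the hunk.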