AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated Client Access Permissions to use the defined in check_login.php

This commit is contained in:
johnnyq 2025-02-22 14:25:24 -05:00
parent 8d05633d7d
commit 0e3959ce00
6 changed files with 9 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
invoice.php
View File

@ -9,11 +9,6 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_sales'); enforceUserPermission('module_sales');
$invoice_permission_snippet = '';
if (!empty($client_access_string)) {
$invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
}
if (isset($_GET['invoice_id'])) { if (isset($_GET['invoice_id'])) {
@ -26,7 +21,8 @@ if (isset($_GET['invoice_id'])) {
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1 LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
WHERE invoice_id = $invoice_id WHERE invoice_id = $invoice_id
$invoice_permission_snippet" $access_permission_query
LIMIT 1"
); );
if (mysqli_num_rows($sql) == 0) { if (mysqli_num_rows($sql) == 0) {

6
invoices.php
View File

@ -17,10 +17,6 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_sales'); enforceUserPermission('module_sales');
$invoice_permission_snippet = '';
if (!empty($client_access_string)) {
$invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
}
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query"));
$sent_count = $row['num']; $sent_count = $row['num'];
@ -98,7 +94,7 @@ $sql = mysqli_query(
$overdue_query $overdue_query
AND DATE(invoice_date) BETWEEN '$dtf' AND '$dtt' AND DATE(invoice_date) BETWEEN '$dtf' AND '$dtt'
AND (CONCAT(invoice_prefix,invoice_number) LIKE '%$q%' OR invoice_scope LIKE '%$q%' OR client_name LIKE '%$q%' OR invoice_status LIKE '%$q%' OR invoice_amount LIKE '%$q%' OR category_name LIKE '%$q%') AND (CONCAT(invoice_prefix,invoice_number) LIKE '%$q%' OR invoice_scope LIKE '%$q%' OR client_name LIKE '%$q%' OR invoice_status LIKE '%$q%' OR invoice_amount LIKE '%$q%' OR category_name LIKE '%$q%')
$invoice_permission_snippet $access_permission_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );

7
quote.php
View File

@ -9,10 +9,6 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_sales'); enforceUserPermission('module_sales');
$quote_permission_snippet = '';
if (!empty($client_access_string)) {
$quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
}
if (isset($_GET['quote_id'])) { if (isset($_GET['quote_id'])) {
@ -25,7 +21,8 @@ if (isset($_GET['quote_id'])) {
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1 LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
WHERE quote_id = $quote_id WHERE quote_id = $quote_id
$quote_permission_snippet" $access_permission_query
LIMIT 1"
); );
if (mysqli_num_rows($sql) == 0) { if (mysqli_num_rows($sql) == 0) {

6
quotes.php
View File

@ -17,10 +17,6 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_sales'); enforceUserPermission('module_sales');
$quote_permission_snippet = '';
if (!empty($client_access_string)) {
$quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
}
$sql = mysqli_query( $sql = mysqli_query(
$mysqli, $mysqli,
@ -29,7 +25,7 @@ $sql = mysqli_query(
LEFT JOIN categories ON quote_category_id = category_id LEFT JOIN categories ON quote_category_id = category_id
WHERE (CONCAT(quote_prefix,quote_number) LIKE '%$q%' OR quote_scope LIKE '%$q%' OR category_name LIKE '%$q%' OR quote_status LIKE '%$q%' OR quote_amount LIKE '%$q%' OR client_name LIKE '%$q%') WHERE (CONCAT(quote_prefix,quote_number) LIKE '%$q%' OR quote_scope LIKE '%$q%' OR category_name LIKE '%$q%' OR quote_status LIKE '%$q%' OR quote_amount LIKE '%$q%' OR client_name LIKE '%$q%')
AND DATE(quote_date) BETWEEN '$dtf' AND '$dtt' AND DATE(quote_date) BETWEEN '$dtf' AND '$dtt'
$quote_permission_snippet $access_permission_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );

6
ticket.php
View File

@ -11,10 +11,6 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_support'); enforceUserPermission('module_support');
$ticket_permission_snippet = '';
if (!empty($client_access_string)) {
$ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)";
}
// Initialize the HTML Purifier to prevent XSS // Initialize the HTML Purifier to prevent XSS
require_once "plugins/htmlpurifier/HTMLPurifier.standalone.php"; require_once "plugins/htmlpurifier/HTMLPurifier.standalone.php";
@ -42,7 +38,7 @@ if (isset($_GET['ticket_id'])) {
LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id
LEFT JOIN categories ON ticket_category = category_id LEFT JOIN categories ON ticket_category = category_id
WHERE ticket_id = $ticket_id WHERE ticket_id = $ticket_id
$ticket_permission_snippet $access_permission_query
LIMIT 1" LIMIT 1"
); );

2
vendors.php
View File

@ -18,10 +18,12 @@ if (isset($_GET['client_id'])) {
$sql = mysqli_query( $sql = mysqli_query(
$mysqli, $mysqli,
"SELECT SQL_CALC_FOUND_ROWS * FROM vendors "SELECT SQL_CALC_FOUND_ROWS * FROM vendors
LEFT JOIN clients ON client_id = vendor_client_id
WHERE vendor_$archive_query WHERE vendor_$archive_query
AND vendor_template = 0 AND vendor_template = 0
AND (vendor_name LIKE '%$q%' OR vendor_description LIKE '%$q%' OR vendor_account_number LIKE '%$q%' OR vendor_website LIKE '%$q%' OR vendor_contact_name LIKE '%$q%' OR vendor_email LIKE '%$q%' OR vendor_phone LIKE '%$phone_query%') AND (vendor_name LIKE '%$q%' OR vendor_description LIKE '%$q%' OR vendor_account_number LIKE '%$q%' OR vendor_website LIKE '%$q%' OR vendor_contact_name LIKE '%$q%' OR vendor_email LIKE '%$q%' OR vendor_phone LIKE '%$phone_query%')
$client_query $client_query
$access_permission_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );