From 111a30f13c635dbc49c8ae2b29841e4a8e040e82 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Fri, 6 Mar 2026 18:01:20 -0500
Subject: [PATCH] recurring invoices: enforceClientAccess

---
 agent/post/recurring_invoice.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/agent/post/recurring_invoice.php b/agent/post/recurring_invoice.php
index 65355f6d..32ce971b 100644
--- a/agent/post/recurring_invoice.php
+++ b/agent/post/recurring_invoice.php
@@ -27,6 +27,8 @@ if (isset($_POST['add_invoice_recurring'])) {
     $client_id = intval($row['invoice_client_id']);
     $category_id = intval($row['invoice_category_id']);
 
+    enforceClientAccess();
+
     // Atomically increment and get the new recurring_invoice number
     mysqli_query($mysqli, "
     UPDATE settings
@@ -80,6 +80,8 @@ if (isset($_POST['add_recurring_invoice'])) {
     $category = intval($_POST['category']);
     $scope = sanitizeInput($_POST['scope']);
 
+    enforceClientAccess();
+
     // Atomically increment and get the new recurring_invoice number
     mysqli_query($mysqli, "
     UPDATE settings
@@ -126,6 +130,8 @@ if (isset($_POST['edit_recurring_invoice'])) {
     $recurring_invoice_number = intval($row['recurring_invoice_number']);
     $client_id = intval($row['recurring_invoice_client_id']);
 
+    enforceClientAccess();
+
     //Calculate new total
     $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_recurring_invoice_id = $recurring_invoice_id");
     $recurring_invoice_amount = 0;
@@ -163,6 +169,8 @@ if (isset($_GET['delete_recurring_invoice'])) {
     $recurring_invoice_scope = sanitizeInput($row['recurring_invoice_scope']);
     $client_id = intval($row['recurring_invoice_client_id']);
 
+    enforceClientAccess();
+
     mysqli_query($mysqli,"DELETE FROM recurring_invoices WHERE recurring_invoice_id = $recurring_invoice_id");
 
     //Delete Items Associated with the Recurring 
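Review bot: The new `enforceClientAccess();` call in the `add_invoice_recurring` hunk takes no argument, so it evidently depends on the `$client_id` that the context line just above assigns from `$row['invoice_client_id']`; that implicit coupling deserves a comment, because the guard silently checks the wrong thing if someone later reorders these assignments. I would put `// Guard: enforceClientAccess() reads $client_id from this scope — keep it after the assignment above` directly over the call. The handler body starts before and continues after the hunk, so the helper's behaviour on denial is not visible here.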
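Review bot: In the `add_recurring_invoice` hunk the check is placed after `$category` and `$scope` are read from `$_POST`, but no assignment to `$client_id` appears in the visible context, unlike the other hunks where `$client_id = intval($row['recurring_invoice_client_id']);` immediately precedes the call. If the handler assigns `$client_id` from `$_POST['client_id']` earlier in the block (outside this hunk) the placement is fine; if it does not, the guard evaluates whatever `$client_id` happened to hold, or nothing at all. Please confirm, and consider moving the call to sit directly after that assignment so the dependency is obvious to the next reader. The enclosing `if` block begins before and ends after this hunk.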
@@ -201,6 +209,10 @@ if (isset($_POST['add_recurring_invoice_item'])) {
     $tax_id = intval($_POST['tax_id']);
     $item_order = intval($_POST['item_order']);
 
+    $client_id = intval(getFieldById('recurring_invoices', $recurring_invoice_id, 'recurring_invoice_client_id'));
+
+    enforceClientAccess();
+
     $subtotal = $price * $qty;
 
     if ($tax_id > 0) {
@@ -259,6 +271,8 @@ if (isset($_POST['recurring_invoice_note'])) {
     $recurring_invoice_number = intval($row['recurring_invoice_number']);
     $client_id = intval($row['recurring_invoice_client_id']);
 
+    enforceClientAccess();
+
     mysqli_query($mysqli,"UPDATE recurring_invoices SET recurring_invoice_note = '$note' WHERE recurring_invoice_id = $recurring_invoice_id");
 
     logAction("Recurring Invoice", "Edit", "$session_name added note to recurring invoice $recurring_invoice_prefix$recurring_invoice_number", $client_id, $recurring_invoice_id);
@@ -291,6 +305,8 @@ if (isset($_GET['delete_recurring_invoice_item'])) {
     $recurring_invoice_number = intval($row['recurring_invoice_number']);
     $client_id = intval($row['recurring_invoice_client_id']);
 
+    enforceClientAccess();
+
     $new_recurring_invoice_amount = floatval($row['recurring_invoice_amount']) - $item_total;
     mysqli_query($mysqli,"UPDATE recurring_invoices SET recurring_invoice_amount = $new_recurring_invoice_amount WHERE recurring_invoice_id = $recurring_invoice_id");
 
@@ -330,6 +346,8 @@ if (isset($_GET['force_recurring'])) {
     $client_id = intval($row['recurring_invoice_client_id']);
     $client_net_terms = intval($row['client_net_terms']);
 
+    enforceClientAccess();
+
     // Atomically increment and get the new invoice number
     mysqli_query($mysqli, "
     UPDATE settings
@@ -488,6 +506,8 @@ if (isset($_POST['set_recurring_payment'])) {
     $recurring_invoice_currency_code = sanitizeInput($row['recurring_invoice_currency_code']);
     $recurring_invoice_amount = floatval($row['recurring_invoice_amount']);
 
+    enforceClientAccess();
+
     if ($saved_payment_id) {
 
         // Get Payment provider and method
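Review bot: In the `add_recurring_invoice_item` hunk, `getFieldById(...)` returns nothing for an unknown or deleted `$recurring_invoice_id`, and `intval()` turns that into `0`, so `enforceClientAccess()` is evaluated against client `0` rather than against a real owner; whether that denies or allows depends on how the helper treats a zero id, which is not visible here. I would reject the request explicitly before the guard, `if ($client_id === 0) { exit(); /* unknown recurring invoice — or the file's usual redirect */ }`, placed between the lookup and `enforceClientAccess();`. The handler continues past the hunk into the item insert, so a nonexistent invoice id should never reach it.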
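Review bot: In the `set_recurring_payment` hunk `$client_id` is not assigned in any visible context line — the two lines before the call read `recurring_invoice_currency_code` and `recurring_invoice_amount` from `$row`, not `recurring_invoice_client_id`. Every other hunk in this patch sets `$client_id = intval($row['recurring_invoice_client_id']);` right before the check; if this handler does so further up, outside the hunk, the placement is fine, otherwise the guard runs on an undefined or stale value. Worth confirming, or adding that assignment immediately above `enforceClientAccess();` so the dependency is unmistakable. The `if ($saved_payment_id)` block that follows opens inside the hunk and closes outside it.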
@@ -533,6 +553,8 @@ if (isset($_POST['export_client_recurring_invoice_csv'])) {
 
     $client_id = intval($_POST['client_id']);
 
+    enforceClientAccess();
+
     //get records from database
     $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
     $row = mysqli_fetch_assoc($sql);
@@ -592,6 +614,8 @@ if (isset($_GET['recurring_invoice_email_notify'])) {
     $recurring_invoice_number = intval($row['recurring_invoice_number']);
     $client_id = intval($row['recurring_invoice_client_id']);
 
+    enforceClientAccess();
+
     mysqli_query($mysqli,"UPDATE recurring_invoices SET recurring_invoice_email_notify = $recurring_invoice_email_notify WHERE recurring_invoice_id = $recurring_invoice_id");
 
     // Wording
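Review bot: In the `export_client_recurring_invoice_csv` hunk `$client_id` comes straight from `$_POST['client_id']`, so this is the one place in the patch where the new guard is the only thing between an attacker-supplied id and the export; please verify that `enforceClientAccess()` denies for ids that do not resolve to an accessible client (including the `0` that `intval()` yields for a non-numeric value) rather than only screening ids that exist. Separately, the `SELECT client_name` result that follows is not checked for an empty row before `$row` is presumably used to build the export; `if (!$row) { exit(); }` after `mysqli_fetch_assoc` would make that failure mode explicit. The handler runs on past the end of the hunk.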