From 115640fc89b4a27953554f02390933f74fae8c85 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Tue, 12 Nov 2024 18:09:00 -0500 Subject: [PATCH] Updated product post to use new logAction function, tidy and added more details to logging and add permission check --- post/user/product.php | 119 +++++++++++++++++++++++------------------- 1 file changed, 64 insertions(+), 55 deletions(-) diff --git a/post/user/product.php b/post/user/product.php index d4c186e0..b63b20d2 100644 --- a/post/user/product.php +++ b/post/user/product.php @@ -7,13 +7,16 @@ // Products if (isset($_POST['add_product'])) { - require_once 'post/user/product_model.php'; + enforceUserPermission('module_sales', 2); + require_once 'post/user/product_model.php'; mysqli_query($mysqli,"INSERT INTO products SET product_name = '$name', product_description = '$description', product_price = '$price', product_currency_code = '$session_company_currency', product_tax_id = $tax, product_category_id = $category"); - //logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Create', log_description = '$session_name created product $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id"); + $product_id = mysqli_insert_id($mysqli); + + // Logging + logAction("Product", "Create", "$session_name created product $name", 0, $product_id); $_SESSION['alert_message'] = "Product $name created"; @@ -23,19 +26,18 @@ if (isset($_POST['add_product'])) { if (isset($_POST['edit_product'])) { + enforceUserPermission('module_sales', 2); + require_once 'post/user/product_model.php'; $product_id = intval($_POST['product_id']); mysqli_query($mysqli,"UPDATE products SET product_name = '$name', product_description = '$description', product_price = '$price', product_tax_id = $tax, product_category_id = $category WHERE product_id = $product_id"); - //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Modify', log_description = '$name', log_user_id = $session_user_id"); + // Logging + logAction("Product", "Edit", "$session_name edited product $name", 0, $product_id); - //logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Modify', log_description = '$session_name modified product $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id"); - - $_SESSION['alert_message'] = "Product $name modified"; + $_SESSION['alert_message'] = "Product $name edited"; header("Location: " . $_SERVER["HTTP_REFERER"]); @@ -43,7 +45,7 @@ if (isset($_POST['edit_product'])) { if (isset($_GET['archive_product'])) { - validateTechRole(); + enforceUserPermission('module_sales', 2); $product_id = intval($_GET['archive_product']); @@ -54,8 +56,8 @@ if (isset($_GET['archive_product'])) { mysqli_query($mysqli,"UPDATE products SET product_archived_at = NOW() WHERE product_id = $product_id"); - //logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Archive', log_description = '$session_name archived product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id"); + // Logging + logAction("Product", "Archive", "$session_name archived product $product_name", 0, $product_id); $_SESSION['alert_type'] = "error"; $_SESSION['alert_message'] = "Product $product_name archived"; @@ -66,7 +68,7 @@ if (isset($_GET['archive_product'])) { if (isset($_GET['unarchive_product'])) { - validateTechRole(); + enforceUserPermission('module_sales', 2); $product_id = intval($_GET['unarchive_product']); @@ -77,8 +79,8 @@ if (isset($_GET['unarchive_product'])) { mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id"); - //logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Unarchive', log_description = '$session_name restored product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id"); + // Logging + logAction("Product", "Unarchive", "$session_name unarchived product $product_name", 0, $product_id); $_SESSION['alert_message'] = "Product $product_name restored"; @@ -87,6 +89,9 @@ if (isset($_GET['unarchive_product'])) { } if (isset($_GET['delete_product'])) { + + enforceUserPermission('module_sales', 3); + $product_id = intval($_GET['delete_product']); //Get Product Name @@ -96,8 +101,8 @@ if (isset($_GET['delete_product'])) { mysqli_query($mysqli,"DELETE FROM products WHERE product_id = $product_id"); - //logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Delete', log_description = '$session_name deleted product $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id"); + // Logging + logAction("Product", "Delete", "$session_name deleted product $product_name"); $_SESSION['alert_type'] = "error"; $_SESSION['alert_message'] = "Product $product_name deleted"; @@ -108,6 +113,8 @@ if (isset($_GET['delete_product'])) { if (isset($_POST['bulk_edit_product_category'])) { + enforceUserPermission('module_sales', 2); + $category_id = intval($_POST['bulk_category_id']); // Get Category name for logging and Notification @@ -115,11 +122,12 @@ if (isset($_POST['bulk_edit_product_category'])) { $row = mysqli_fetch_array($sql); $category_name = sanitizeInput($row['category_name']); - // Get Count - $count = count($_POST['product_ids']); - // Assign category to Selected Products - if (!empty($_POST['product_ids'])) { + if ($_POST['product_ids']) { + + // Get Count + $count = count($_POST['product_ids']); + foreach($_POST['product_ids'] as $product_id) { $product_id = intval($product_id); @@ -131,27 +139,31 @@ if (isset($_POST['bulk_edit_product_category'])) { mysqli_query($mysqli,"UPDATE products SET product_category_id = $category_id WHERE product_id = $product_id"); //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Edit', log_description = '$session_name assigned $product_name to income category $category_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id"); + logAction("Product", "Edit", "$session_name assigned product $product_name to category $category_name", 0, $product_id); } // End Assign Product Loop - $_SESSION['alert_message'] = "You assigned product category $category_name to $count products"; + //Logging + logAction("Product", "Edit", "$session_name assigned category $category_name to $count product(s)"); + + $_SESSION['alert_message'] = "Assigned category $category_name to $count product(s)"; } header("Location: " . $_SERVER["HTTP_REFERER"]); } if (isset($_POST['bulk_archive_products'])) { - validateAdminRole(); + + enforceUserPermission('module_sales', 2); + validateCSRFToken($_POST['csrf_token']); - $count = 0; // Default 0 - $product_ids = $_POST['product_ids']; // Get array of IDs to be deleted + if ($_POST['product_ids']) { - if (!empty($product_ids)) { + $count = count($_POST['product_ids']); // Cycle through array and archive each record - foreach ($product_ids as $product_id) { + foreach ($_POST['product_ids'] as $product_id) { $product_id = intval($product_id); @@ -163,15 +175,14 @@ if (isset($_POST['bulk_archive_products'])) { mysqli_query($mysqli,"UPDATE products SET product_archived_at = NOW() WHERE product_id = $product_id"); // Individual Contact logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Archive', log_description = '$session_name archived product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id"); - $count++; + logAction("Product", "Archive", "$session_name archived product $product_name", 0, $product_id); } // Bulk Logging - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Bulk Archive', log_description = '$session_name archived $count products', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id"); + logAction("Product", "Bulk Archive", "$session_name archived $count product(s)"); $_SESSION['alert_type'] = "error"; - $_SESSION['alert_message'] = "Archived $count product(s)"; + $_SESSION['alert_message'] = "Archived $count product(s)"; } @@ -179,16 +190,15 @@ if (isset($_POST['bulk_archive_products'])) { } if (isset($_POST['bulk_unarchive_products'])) { - validateAdminRole(); + enforceUserPermission('module_sales', 2); validateCSRFToken($_POST['csrf_token']); - $count = 0; // Default 0 - $product_ids = $_POST['product_ids']; // Get array of IDs + if ($_POST['product_ids']) { - if (!empty($product_ids)) { + $count = count($_POST['product_ids']); - // Cycle through array and unarchive - foreach ($product_ids as $product_id) { + // Cycle through array and unarchive each record + foreach ($_POST['product_ids'] as $product_id) { $product_id = intval($product_id); @@ -200,16 +210,14 @@ if (isset($_POST['bulk_unarchive_products'])) { mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id"); // Individual logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Unarchive', log_description = '$session_name Unarchived product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id"); + logAction("Product", "Unarchive", "$session_name unarchived product $product_name", 0, $product_id); - - $count++; } // Bulk Logging - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Unarchive', log_description = '$session_name Unarchived $count products', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id"); + logAction("Product", "Bulk Unarchive", "$session_name unarchived $count product(s)"); - $_SESSION['alert_message'] = "Unarchived $count product(s)"; + $_SESSION['alert_message'] = "Unarchived $count product(s)"; } @@ -217,16 +225,15 @@ if (isset($_POST['bulk_unarchive_products'])) { } if (isset($_POST['bulk_delete_products'])) { - validateAdminRole(); + enforceUserPermission('module_sales', 3); validateCSRFToken($_POST['csrf_token']); - $count = 0; // Default 0 - $product_ids = $_POST['product_ids']; // Get array of IDs to be deleted + if ($_POST['product_ids']) { - if (!empty($product_ids)) { + $count = count($_POST['product_ids']); // Cycle through array and delete each record - foreach ($product_ids as $product_id) { + foreach ($_POST['product_ids'] as $product_id) { $product_id = intval($product_id); @@ -237,15 +244,15 @@ if (isset($_POST['bulk_delete_products'])) { mysqli_query($mysqli, "DELETE FROM products WHERE product_id = $product_id"); - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Delete', log_description = '$session_name deleted product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id"); + // Individual logging + logAction("Product", "Delete", "$session_name deleted product $product_name"); - $count++; } - // Logging - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Bulk Delete', log_description = '$session_name bulk deleted $count products', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id"); + // Bulk logging + logAction("Product", "Bulk Delete", "$session_name deleted $count product(s)"); - $_SESSION['alert_message'] = "Deleted $count product(s)"; + $_SESSION['alert_message'] = "Deleted $count product(s)"; } @@ -263,7 +270,9 @@ if (isset($_POST['export_products_csv'])) { ORDER BY product_name DESC "); - if (mysqli_num_rows($sql) > 0) { + $num_rows = mysqli_num_rows($sql); + + if ($num_rows > 0) { $delimiter = ","; $filename = "$session_company_name-Products.csv"; @@ -292,7 +301,7 @@ if (isset($_POST['export_products_csv'])) { } //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Export', log_description = '$session_name exported products to CSV File', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id"); + logAction("Product", "Export", "$session_name exported $num_rows product(s) to a CSV file"); exit; }