Move account/asset post logic to new permissions system

client_assets.php

@@ -99,7 +99,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
         <div class="card-header py-2">
             <h3 class="card-title mt-2"><i class="fa fa-fw fa-desktop mr-2"></i>Assets</h3>
             <div class="card-tools">
-                <div class="btn-group">
+                <?php if (lookupUserPermission("module_support") >= 2) { ?>
+                    <div class="btn-group">
                     <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addAssetModal">
                         <i class="fas fa-plus mr-2"></i>New <?php if (!empty($_GET['type'])) { echo ucwords(strip_tags(nullable_htmlentities($_GET['type']))); } else { echo "Asset"; } ?>
                     </button>
@@ -116,6 +117,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                         <?php } ?>
                     </div>
                 </div>
+                <?php } ?>
             </div>
         </div>
         <div class="card-body">

post/user/account.php

@@ -5,6 +5,7 @@
  */
 
 if (isset($_POST['add_account'])) {
+    enforceUserPermission('module_financial', 2);
     validateCSRFToken($_POST['csrf_token']);
 
     $name = sanitizeInput($_POST['name']);
@@ -24,6 +25,7 @@ if (isset($_POST['add_account'])) {
 }
 
 if (isset($_POST['edit_account'])) {
+    enforceUserPermission('module_financial', 2);
     validateCSRFToken($_POST['csrf_token']);
 
     $account_id = intval($_POST['account_id']);
@@ -42,6 +44,8 @@ if (isset($_POST['edit_account'])) {
 }
 
 if (isset($_GET['archive_account'])) {
+    enforceUserPermission('module_financial', 2);
+
     validateCSRFToken($_GET['csrf_token']);
     $account_id = intval($_GET['archive_account']);
 
@@ -58,6 +62,8 @@ if (isset($_GET['archive_account'])) {
 
 // Not used anywhere?
 if (isset($_GET['delete_account'])) {
+    enforceUserPermission('module_financial', 3);
+
     $account_id = intval($_GET['delete_account']);
 
     mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id");

post/user/asset.php

@@ -6,8 +6,9 @@
 
 if (isset($_POST['add_asset'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $client_id = intval($_POST['client_id']);
     $name = sanitizeInput($_POST['name']);
@@ -106,8 +107,9 @@ if (isset($_POST['add_asset'])) {
 
 if (isset($_POST['edit_asset'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $asset_id = intval($_POST['asset_id']);
     $client_id = intval($_POST['client_id']);
@@ -199,8 +201,9 @@ if (isset($_POST['edit_asset'])) {
 
 if (isset($_POST['change_client_asset'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $current_asset_id = intval($_POST['current_asset_id']);
     $new_client_id = intval($_POST['new_client_id']);
@@ -247,8 +250,9 @@ if (isset($_POST['change_client_asset'])) {
 
 if (isset($_GET['archive_asset'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_GET['csrf_token']);
-    validateTechRole();
 
     $asset_id = intval($_GET['archive_asset']);
 
@@ -272,8 +276,9 @@ if (isset($_GET['archive_asset'])) {
 
 if (isset($_GET['unarchive_asset'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_GET['csrf_token']);
-    validateTechRole();
 
     $asset_id = intval($_GET['unarchive_asset']);
 
@@ -296,8 +301,9 @@ if (isset($_GET['unarchive_asset'])) {
 
 if (isset($_GET['delete_asset'])) {
 
+    enforceUserPermission('module_support', 3);
+
     validateCSRFToken($_GET['csrf_token']);
-    validateAdminRole();
 
     $asset_id = intval($_GET['delete_asset']);
 
@@ -324,8 +330,9 @@ if (isset($_GET['delete_asset'])) {
 
 if (isset($_POST['bulk_assign_asset_location'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $location_id = intval($_POST['bulk_location_id']);
 
@@ -364,8 +371,9 @@ if (isset($_POST['bulk_assign_asset_location'])) {
 
 if (isset($_POST['bulk_assign_asset_contact'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $contact_id = intval($_POST['bulk_contact_id']);
 
@@ -404,8 +412,9 @@ if (isset($_POST['bulk_assign_asset_contact'])) {
 
 if (isset($_POST['bulk_edit_asset_status'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $status = sanitizeInput($_POST['bulk_status']);
 
@@ -439,8 +448,9 @@ if (isset($_POST['bulk_edit_asset_status'])) {
 
 if (isset($_POST['bulk_archive_assets'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateAdminRole();
 
     $count = 0; // Default 0
     $asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
@@ -480,8 +490,9 @@ if (isset($_POST['bulk_archive_assets'])) {
 
 if (isset($_POST['bulk_unarchive_assets'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateAdminRole();
 
     $count = 0; // Default 0
     $asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
@@ -520,8 +531,9 @@ if (isset($_POST['bulk_unarchive_assets'])) {
 
 if (isset($_POST["import_client_assets_csv"])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $client_id = intval($_POST['client_id']);
     $file_name = $_FILES["file"]["tmp_name"];
@@ -667,8 +679,9 @@ if (isset($_GET['download_client_assets_csv_template'])) {
 
 if (isset($_POST['export_client_assets_csv'])) {
 
+    enforceUserPermission('module_support');
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $client_id = intval($_POST['client_id']);
 
@@ -717,8 +730,9 @@ if (isset($_POST['export_client_assets_csv'])) {
 
 if (isset($_POST['add_asset_interface'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $asset_id = intval($_POST['asset_id']);
 
@@ -754,8 +768,9 @@ if (isset($_POST['add_asset_interface'])) {
 
 if (isset($_POST['edit_asset_interface'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_POST['csrf_token']);
-    validateTechRole();
 
     $interface_id = intval($_POST['interface_id']);
 
@@ -790,8 +805,9 @@ if (isset($_POST['edit_asset_interface'])) {
 
 if (isset($_GET['delete_asset_interface'])) {
 
+    enforceUserPermission('module_support', 2);
+
     validateCSRFToken($_GET['csrf_token']);
-    validateAdminRole();
 
     $interface_id = intval($_GET['delete_asset_interface']);