AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bugfix: Client Access Permissions 

Fix bug that allows users to view recurring tickets and projects they shouldn't have access to
This commit is contained in:
wrongecho 2024-08-28 20:17:41 +01:00
parent a4a110f1e7
commit 26d6737468
6 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
project_add_modal.php
View File

@ -98,7 +98,7 @@
<select class="form-control select2" name="client_id" required>
<option value="">- Client -</option>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql)) {
$client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']);

6
projects.php
View File

@ -20,6 +20,11 @@ if($status == 1) {
$status_query = "IS NULL";
}
// Ticket client access snippet
$project_permission_snippet = '';
if (!empty($client_access_string)) {
$project_permission_snippet = "AND project_client_id IN ($client_access_string)";
}
//Rebuild URL
$url_query_strings_sort = http_build_query($get_copy);
@ -33,6 +38,7 @@ $sql_projects = mysqli_query(
AND (project_name LIKE '%$q%' OR project_description LIKE '%$q%' OR user_name LIKE '%$q%')
AND project_archived_at IS NULL
AND project_completed_at $status_query
$project_permission_snippet
ORDER BY $sort $order LIMIT $record_from, $record_to"
);

2
recurring_ticket_add_modal.php
View File

@ -111,7 +111,7 @@
<option value="">- Client -</option>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql)) {
$selectable_client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); ?>

6
recurring_tickets.php
View File

@ -6,6 +6,11 @@ $order = "ASC";
require_once "inc_all.php";
// Ticket client access snippet
$rec_ticket_permission_snippet = '';
if (!empty($client_access_string)) {
$rec_ticket_permission_snippet = "AND scheduled_ticket_client_id IN ($client_access_string)";
}
//Rebuild URL
$url_query_strings_sort = http_build_query($get_copy);
@ -16,6 +21,7 @@ $sql = mysqli_query(
"SELECT SQL_CALC_FOUND_ROWS * FROM scheduled_tickets
LEFT JOIN clients on scheduled_ticket_client_id = client_id
WHERE scheduled_tickets.scheduled_ticket_subject LIKE '%$q%'
$rec_ticket_permission_snippet
ORDER BY $sort $order LIMIT $record_from, $record_to"
);

2
ticket_add_from_template_modal.php
View File

@ -87,7 +87,7 @@
<option value="">- Client -</option>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql)) {
$client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); ?>

2
ticket_add_modal.php
View File

@ -81,7 +81,7 @@
<option value="">- Client -</option>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql)) {
$client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); ?>