From 3983c45cacf2a995188c3e99b5795edbb2fb66a7 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Fri, 6 Mar 2026 15:59:18 -0500
Subject: [PATCH] Calendar Events: use client_id instead of client in POST and enforceClientAccess if client is assigned to an event
---
 agent/modals/calendar/calendar_event_add.php | 4 +--
 agent/modals/calendar/calendar_event_edit.php | 2 +-
 agent/post/event.php | 31 ++++++++++++++-----
 agent/post/event_model.php | 2 +-
 4 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/agent/modals/calendar/calendar_event_add.php b/agent/modals/calendar/calendar_event_add.php
index 671dbe29..aad986a0 100644
--- a/agent/modals/calendar/calendar_event_add.php
+++ b/agent/modals/calendar/calendar_event_add.php
@@ -120,7 +120,7 @@
- +
@@ -129,7 +129,7 @@
- "> - +
diff --git a/agent/post/event.php b/agent/post/event.php
index 78d58d48..6de627a2 100644
--- a/agent/post/event.php
+++ b/agent/post/event.php
@@ -74,7 +74,12 @@ if (isset($_POST['add_event'])) {
     require_once 'event_model.php';
-    mysqli_query($mysqli,"INSERT INTO calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client");
+    // Don't Enforce Client Access if Calendar event doesn't have a client
+    if ($client_id) {
+        enforceClientAccess();
+    }
+
+    mysqli_query($mysqli,"INSERT INTO calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client_id");
     $event_id = mysqli_insert_id($mysqli);
@@ -84,7 +89,7 @@ if (isset($_POST['add_event'])) {
     //If email is checked
     if ($email_event == 1) {
-        $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
+        $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client_id");
         $row = mysqli_fetch_assoc($sql_client);
         $client_name = sanitizeInput($row['client_name']);
         $contact_name = sanitizeInput($row['contact_name']);
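Review bot: enforceClientAccess() is called here with no arguments, so the check appears to depend on `$client_id` already being set in scope by event_model.php — the rename from `$client` in that file is what makes this guard effective, and that coupling is invisible at the call site. A short comment would make it explicit, e.g. `// enforceClientAccess() checks the $client_id populated by event_model.php above`; if the helper instead reads the raw `$_POST` value, confirm it matches the intval'd `$client_id` that is interpolated into the INSERT. The same call-site pattern appears in the edit handler (@@ -146) and the delete handler (@@ -221). The enclosing add_event block continues outside this hunk.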
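Review bot: With the guard above now treating `$client_id == 0` as "no client assigned", the email branch in this hunk still runs whenever `$email_event == 1` and queries `client_id = 0`, so `$row` is null and the `$row['client_name']` / `$row['contact_name']` reads that follow emit undefined-offset warnings before a mail is queued for an empty address. Gate the branch on a client being present, `if ($email_event == 1 && $client_id) {`. The edit handler's email branch in @@ -146 has the same shape. The `if ($email_event == 1)` block continues outside this hunk.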
@@ -124,7 +129,7 @@ if (isset($_POST['add_event'])) {
             // Logging for email (success/fail)
             if ($mail === true) {
-                logAction("Calendar Event", "Email", "$session_name emailed event $title to $contact_name from client $client_name", $client, $event_id);
+                logAction("Calendar Event", "Email", "$session_name emailed event $title to $contact_name from client $client_name", $client_id, $event_id);
             } else {
                 appNotify("Mail", "Failed to send email to $contact_email");
                 logAction("Mail", "Error", "Failed to send email to $contact_email regarding $subject. $mail");
@@ -132,7 +137,7 @@ if (isset($_POST['add_event'])) {
         } // End mail IF
-    logAction("Calendar Event", "Create", "$session_name created a calendar event titled $title in calendar $calendar_name", $client, $event_id);
+    logAction("Calendar Event", "Create", "$session_name created a calendar event titled $title in calendar $calendar_name", $client_id, $event_id);
     flash_alert("Event $title created in calendar $calendar_name");
@@ -146,14 +151,19 @@ if (isset($_POST['edit_event'])) {
     require_once 'event_model.php';
+    // Don't Enforce Client Access if Calendar event doesn't have a client
+    if ($client_id) {
+        enforceClientAccess();
+    }
+
     $event_id = intval($_POST['event_id']);
-    mysqli_query($mysqli,"UPDATE calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client WHERE event_id = $event_id");
+    mysqli_query($mysqli,"UPDATE calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client_id WHERE event_id = $event_id");
     //If email is checked
     if ($email_event == 1) {
-        $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
+        $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client_id");
         $row = mysqli_fetch_assoc($sql_client);
         $client_name = sanitizeInput($row['client_name']);
         $contact_name = sanitizeInput($row['contact_name']);
@@ -193,7 +203,7 @@ if (isset($_POST['edit_event'])) {
             $mail = addToMailQueue($data);
             // Logging for email (success/fail)
             if ($mail === true) {
-                logAction("Calendar Event", "Email", "$session_name Emailed modified event $title to $contact_name email $contact_email", $client, $event_id);
+                logAction("Calendar Event", "Email", "$session_name Emailed modified event $title to $contact_name email $contact_email", $client_id, $event_id);
             } else {
                 appNotify("Mail", "Failed to send email to $contact_email");
                 logAction("Mail", "Error", "Failed to send email to $contact_email regarding $subject. $mail");
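Review bot: The new access check in the edit handler authorizes against the client submitted in the request, not the client the event currently belongs to, so an event attached to a client the user may not access can still be modified or reassigned by posting a different (or empty) `client_id`. The delete handler in @@ -221 does this correctly by taking `$client_id` from the stored `event_client_id`; the edit path should mirror it — load the existing row for `$event_id`, enforce access on its `event_client_id` before the UPDATE, and only then check the newly submitted value. Because enforceClientAccess() takes no argument, how the existing client id is handed to it depends on which variable the helper reads — confirm that before wiring it in. The enclosing edit_event block continues outside this hunk.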
@@ -201,7 +211,7 @@ if (isset($_POST['edit_event'])) {
         } // End mail IF
-    logAction("Calendar Event", "Edit", "$session_name edited calendar event $title", $client, $event_id);
+    logAction("Calendar Event", "Edit", "$session_name edited calendar event $title", $client_id, $event_id);
     flash_alert("Calendar event titled $title edited");
@@ -221,6 +231,11 @@ if (isset($_GET['delete_event'])) {
     $event_title = sanitizeInput($row['event_title']);
     $client_id = intval($row['event_client_id']);
+    // Don't Enforce Client Access if Calendar event doesn't have a client
+    if ($client_id) {
+        enforceClientAccess();
+    }
+
     mysqli_query($mysqli,"DELETE FROM calendar_events WHERE event_id = $event_id");
     logAction("Calendar Event", "Delete", "$session_name deleted calendar event $event_title", $client_id);
diff --git a/agent/post/event_model.php b/agent/post/event_model.php
index 2d238c7b..673795bd 100644
--- a/agent/post/event_model.php
+++ b/agent/post/event_model.php
@@ -8,5 +8,5 @@ $description = sanitizeInput($_POST['description']);
 $start = sanitizeInput($_POST['start']);
 $end = sanitizeInput($_POST['end']);
 $repeat = sanitizeInput($_POST['repeat'] ?? 0);
-$client = intval($_POST['client']);
+$client_id = intval($_POST['client_id']);
 $email_event = intval($_POST['email_event'] ?? 0);
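Review bot: `$client_id = intval($_POST['client_id']);` has no `?? 0` fallback, unlike the `repeat` and `email_event` lines beside it, so a submission that omits the client — the case the new `if ($client_id)` guards in event.php explicitly allow — raises an undefined array key warning on PHP 8 before intval() turns the null into 0. Use `$client_id = intval($_POST['client_id'] ?? 0);` so the "no client" path is reached cleanly and the guard's meaning (0 means unassigned) is stated where the value is read.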