- Require CSRF validation when disabling/enabling users
- Code tidy
This commit is contained in:
parent
a09eb11a1d
commit
3cb83d2b41
4
post.php
4
post.php
|
|
@ -190,6 +190,7 @@ if(isset($_POST['edit_user'])){
|
||||||
if(isset($_GET['activate_user'])){
|
if(isset($_GET['activate_user'])){
|
||||||
|
|
||||||
validateAdminRole();
|
validateAdminRole();
|
||||||
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
$user_id = intval($_GET['activate_user']);
|
$user_id = intval($_GET['activate_user']);
|
||||||
|
|
||||||
|
|
@ -207,6 +208,7 @@ if(isset($_GET['activate_user'])){
|
||||||
if(isset($_GET['disable_user'])){
|
if(isset($_GET['disable_user'])){
|
||||||
|
|
||||||
validateAdminRole();
|
validateAdminRole();
|
||||||
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
$user_id = intval($_GET['disable_user']);
|
$user_id = intval($_GET['disable_user']);
|
||||||
|
|
||||||
|
|
@ -6836,7 +6838,7 @@ if(isset($_POST['merge_ticket'])){
|
||||||
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Merged', log_description = 'Merged ticket $ticket_prefix$ticket_number into $ticket_prefix$merge_into_ticket_number', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
|
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Merged', log_description = 'Merged ticket $ticket_prefix$ticket_number into $ticket_prefix$merge_into_ticket_number', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
|
||||||
|
|
||||||
$_SESSION['alert_message'] = "Ticket merged into $ticket_prefix$merge_into_ticket_number.";
|
$_SESSION['alert_message'] = "Ticket merged into $ticket_prefix$merge_into_ticket_number.";
|
||||||
|
|
||||||
header("Location: " . $_SERVER["HTTP_REFERER"]);
|
header("Location: " . $_SERVER["HTTP_REFERER"]);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
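Review bot: In both the activate_user and disable_user hunks the new line reads `$_GET['csrf_token']` without an existence check, so a request that omits the parameter raises an undefined-index warning before the validator runs; `validateCSRFToken($_GET['csrf_token'] ?? '');` keeps the validator's own rejection path as the single outcome (whether validateCSRFToken tolerates null is not visible here). Beyond that, both actions still change user state on a GET request, and a token carried in the query string is exposed through Referer headers, browser history and access logs, so converting these links to POST forms would make the protection more robust. The merge_ticket hunk shows no visible change and is left aside. The enclosing if-blocks continue past the hunks.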
48
users.php
48
users.php
|
|
@ -10,11 +10,14 @@ if (!empty($_GET['sb'])) {
|
||||||
//Rebuild URL
|
//Rebuild URL
|
||||||
$url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, 'o' => $o)));
|
$url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, 'o' => $o)));
|
||||||
|
|
||||||
$sql = mysqli_query($mysqli, "SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings
|
$sql = mysqli_query(
|
||||||
|
$mysqli,
|
||||||
|
"SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings
|
||||||
WHERE users.user_id = user_settings.user_id
|
WHERE users.user_id = user_settings.user_id
|
||||||
AND (user_name LIKE '%$q%' OR user_email LIKE '%$q%')
|
AND (user_name LIKE '%$q%' OR user_email LIKE '%$q%')
|
||||||
AND user_archived_at IS NULL
|
AND user_archived_at IS NULL
|
||||||
ORDER BY $sb $o LIMIT $record_from, $record_to");
|
ORDER BY $sb $o LIMIT $record_from, $record_to"
|
||||||
|
);
|
||||||
|
|
||||||
$num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
$num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
|
|
||||||
|
|
@ -67,9 +70,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
$user_status = intval($row['user_status']);
|
$user_status = intval($row['user_status']);
|
||||||
if ($user_status == 2) {
|
if ($user_status == 2) {
|
||||||
$user_status_display = "<span class='text-info'>Invited</span>";
|
$user_status_display = "<span class='text-info'>Invited</span>";
|
||||||
}elseif ($user_status == 1) {
|
} elseif ($user_status == 1) {
|
||||||
$user_status_display = "<span class='text-success'>Active</span>";
|
$user_status_display = "<span class='text-success'>Active</span>";
|
||||||
}else{
|
} else{
|
||||||
$user_status_display = "<span class='text-danger'>Disabled</span>";
|
$user_status_display = "<span class='text-danger'>Disabled</span>";
|
||||||
}
|
}
|
||||||
$user_avatar = htmlentities($row['user_avatar']);
|
$user_avatar = htmlentities($row['user_avatar']);
|
||||||
|
|
@ -78,9 +81,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
$user_role = $row['user_role'];
|
$user_role = $row['user_role'];
|
||||||
if ($user_role == 3) {
|
if ($user_role == 3) {
|
||||||
$user_role_display = "Administrator";
|
$user_role_display = "Administrator";
|
||||||
}elseif ($user_role == 2) {
|
} elseif ($user_role == 2) {
|
||||||
$user_role_display = "Technician";
|
$user_role_display = "Technician";
|
||||||
}else{
|
} else {
|
||||||
$user_role_display = "Accountant";
|
$user_role_display = "Accountant";
|
||||||
}
|
}
|
||||||
$user_company_access_sql = mysqli_query($mysqli, "SELECT company_id FROM user_companies WHERE user_id = $user_id");
|
$user_company_access_sql = mysqli_query($mysqli, "SELECT company_id FROM user_companies WHERE user_id = $user_id");
|
||||||
|
|
@ -95,8 +98,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
$sql_last_login = mysqli_query(
|
$sql_last_login = mysqli_query(
|
||||||
$mysqli,
|
$mysqli,
|
||||||
"SELECT * FROM logs
|
"SELECT * FROM logs
|
||||||
WHERE log_user_id = $user_id AND log_type = 'Login'
|
WHERE log_user_id = $user_id AND log_type = 'Login'
|
||||||
ORDER BY log_id DESC LIMIT 1"
|
ORDER BY log_id DESC LIMIT 1"
|
||||||
);
|
);
|
||||||
$row = mysqli_fetch_array($sql_last_login);
|
$row = mysqli_fetch_array($sql_last_login);
|
||||||
$log_created_at = $row['log_created_at'];
|
$log_created_at = $row['log_created_at'];
|
||||||
|
|
@ -115,11 +118,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
<a class="text-dark" href="#" data-toggle="modal" data-target="#editUserModal<?php echo $user_id; ?>">
|
<a class="text-dark" href="#" data-toggle="modal" data-target="#editUserModal<?php echo $user_id; ?>">
|
||||||
<?php if (!empty($user_avatar)) { ?>
|
<?php if (!empty($user_avatar)) { ?>
|
||||||
<img class="img-size-50 img-circle" src="<?php echo "uploads/users/$user_id/$user_avatar"; ?>">
|
<img class="img-size-50 img-circle" src="<?php echo "uploads/users/$user_id/$user_avatar"; ?>">
|
||||||
<?php }else{ ?>
|
<?php } else { ?>
|
||||||
<span class="fa-stack fa-2x">
|
<span class="fa-stack fa-2x">
|
||||||
<i class="fa fa-circle fa-stack-2x text-secondary"></i>
|
<i class="fa fa-circle fa-stack-2x text-secondary"></i>
|
||||||
<span class="fa fa-stack-1x text-white"><?php echo $user_initials; ?></span>
|
<span class="fa fa-stack-1x text-white"><?php echo $user_initials; ?></span>
|
||||||
</span>
|
</span>
|
||||||
<br>
|
<br>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
|
|
||||||
|
|
@ -142,9 +145,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
<div class="dropdown-menu">
|
<div class="dropdown-menu">
|
||||||
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserModal<?php echo $user_id; ?>">Edit</a>
|
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserModal<?php echo $user_id; ?>">Edit</a>
|
||||||
<?php if ($user_status == 0) { ?>
|
<?php if ($user_status == 0) { ?>
|
||||||
<a class="dropdown-item text-success" href="post.php?activate_user=<?php echo $user_id; ?>">Activate</a>
|
<a class="dropdown-item text-success" href="post.php?activate_user=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Activate</a>
|
||||||
<?php }elseif ($user_status == 1) { ?>
|
<?php }elseif ($user_status == 1) { ?>
|
||||||
<a class="dropdown-item text-danger" href="post.php?disable_user=<?php echo $user_id; ?>">Disable</a>
|
<a class="dropdown-item text-danger" href="post.php?disable_user=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Disable</a>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
<div class="dropdown-divider"></div>
|
<div class="dropdown-divider"></div>
|
||||||
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserCompaniesModal<?php echo $user_id; ?>">Company Access</a>
|
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserCompaniesModal<?php echo $user_id; ?>">Company Access</a>
|
||||||
|
|
@ -157,9 +160,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
|
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
include("user_edit_modal.php");
|
require("user_edit_modal.php");
|
||||||
include("user_companies_modal.php");
|
require("user_companies_modal.php");
|
||||||
include("user_archive_modal.php");
|
require("user_archive_modal.php");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -168,7 +171,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
</div>
|
</div>
|
||||||
<?php include("pagination.php"); ?>
|
<?php require_once("pagination.php"); ?>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<script>
|
<script>
|
||||||
|
|
@ -179,9 +182,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||||
|
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
include("user_add_modal.php");
|
require_once("user_add_modal.php");
|
||||||
include("user_invite_modal.php");
|
require_once("user_invite_modal.php");
|
||||||
|
require_once("footer.php");
|
||||||
include("footer.php");
|
|
||||||
|
|
||||||
?>
|
|
||||||
|
|
|
||||||
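Review bot: The Activate and Disable links now echo `$_SESSION['csrf_token']` straight into an href with no encoding, so any non-URL-safe character in the token would corrupt the query string or the attribute; `<?php echo htmlspecialchars(urlencode($_SESSION['csrf_token'])); ?>` escapes it for both contexts. The reflowed query in the first hunk still interpolates `$q`, `$sb`, `$o`, `$record_from` and `$record_to` into SQL, and since the hunk header shows `$_GET['sb']` feeding `$sb`, an allowlist of permitted column and direction values plus escaping of `$q` should be confirmed where those variables are assigned, which is outside this hunk. The tidy also leaves `<?php }elseif ($user_status == 1) { ?>` in the dropdown hunk in the old `}elseif` form while the neighbouring branches were reformatted to `} elseif`.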