AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Quotes / Invoicing - More role/perms enforcement

This commit is contained in:
wrongecho 2025-05-14 11:07:25 +01:00
parent be66ad9a4c
commit 40086f1ce0
3 changed files with 38 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
invoice.php
View File

@ -192,10 +192,11 @@ if (isset($_GET['invoice_id'])) {
<div class="card-header d-print-none">
<div class="row">
<?php if (lookupUserPermission("module_sales") >= 2) { ?>
<div class="row">
<div class="col-8">
<?php if ($invoice_status == 'Draft') { ?>
<?php if ($invoice_status == 'Draft') { ?>
<button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send
</button>
@ -209,8 +210,7 @@ if (isset($_GET['invoice_id'])) {
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?php echo $invoice_id; ?>">
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
</a>
</div>
<?php } ?>
</div>
<?php if ($invoice_status !== 'Paid' && $invoice_status !== 'Cancelled' && $invoice_status !== 'Draft' && $invoice_amount != 0) { ?>
<a class="btn btn-success" href="#" data-toggle="modal" data-target="#addPaymentModal">
@ -230,6 +230,7 @@ if (isset($_GET['invoice_id'])) {
<?php } ?>
</div>
<?php } ?>
<div class="col-4">
@ -282,6 +283,7 @@ if (isset($_GET['invoice_id'])) {
</div>
</div>
<?php } ?>
</div>
@ -417,7 +419,7 @@ if (isset($_GET['invoice_id'])) {
<?php
}
?>
<tr class="d-print-none" <?php if ($invoice_status == "Paid" || $invoice_status == "Cancelled") { echo "hidden"; } ?>>
<tr class="d-print-none" <?php if ($invoice_status == "Paid" || $invoice_status == "Cancelled" || lookupUserPermission("module_sales") <= 1) { echo "hidden"; } ?>>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
<input type="hidden" name="item_order" value="<?php echo mysqli_num_rows($sql_invoice_items) + 1; ?>">

13
post/user/invoice.php
View File

@ -523,6 +523,7 @@ if (isset($_GET['delete_invoice'])) {
}
if (isset($_POST['add_invoice_item'])) {
enforceUserPermission('module_sales', 2);
$invoice_id = intval($_POST['invoice_id']);
$name = sanitizeInput($_POST['name']);
@ -576,6 +577,7 @@ if (isset($_POST['add_invoice_item'])) {
}
if (isset($_POST['invoice_note'])) {
enforceUserPermission('module_sales', 2);
$invoice_id = intval($_POST['invoice_id']);
$note = sanitizeInput($_POST['note']);
@ -598,6 +600,7 @@ if (isset($_POST['invoice_note'])) {
}
if (isset($_POST['edit_item'])) {
enforceUserPermission('module_sales', 2);
$item_id = intval($_POST['item_id']);
$name = sanitizeInput($_POST['name']);
@ -694,6 +697,8 @@ if (isset($_POST['edit_item'])) {
}
if (isset($_GET['delete_invoice_item'])) {
enforceUserPermission('module_sales', 2);
$item_id = intval($_GET['delete_invoice_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
@ -727,6 +732,8 @@ if (isset($_GET['delete_invoice_item'])) {
}
if (isset($_POST['add_payment'])) {
enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2);
$invoice_id = intval($_POST['invoice_id']);
$balance = floatval($_POST['balance']);
@ -890,6 +897,7 @@ if (isset($_POST['add_payment'])) {
if (isset($_GET['add_payment_stripe'])) {
enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2);
validateCSRFToken($_GET['csrf_token']);
$invoice_id = intval($_GET['invoice_id']);
@ -1075,6 +1083,8 @@ if (isset($_GET['add_payment_stripe'])) {
}
if (isset($_POST['add_bulk_payment'])) {
enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2);
$client_id = intval($_POST['client_id']);
$date = sanitizeInput($_POST['date']);
@ -1207,6 +1217,9 @@ if (isset($_POST['add_bulk_payment'])) {
}
if (isset($_GET['delete_payment'])) {
enforceUserPermission('module_sales', 2);
enforceUserPermission('module_financial', 2);
$payment_id = intval($_GET['delete_payment']);
$sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id");

34
quote.php
View File

@ -146,25 +146,25 @@ if (isset($_GET['quote_id'])) {
<div class="card">
<div class="card-header d-print-none">
<div class="row">
<?php if (lookupUserPermission("module_sales") >= 2) { ?>
<div class="row">
<div class="col-8">
<?php if ($quote_status == 'Draft' && lookupUserPermission("module_sales") >= 2) { ?>
<button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send
</button>
<div class="dropdown-menu">
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
</a>
<div class="dropdown-divider"></div>
<?php } ?>
<a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
<?php if ($quote_status == 'Draft') { ?>
<button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send
</button>
<div class="dropdown-menu">
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
</a>
</div>
<?php } ?>
<div class="dropdown-divider"></div>
<?php } ?>
<a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
</a>
</div>
<?php if ($quote_status == 'Sent' || $quote_status == 'Viewed') { ?>
<a class="btn btn-primary" href="post.php?accept_quote=<?php echo $quote_id; ?>">
@ -192,6 +192,7 @@ if (isset($_GET['quote_id'])) {
<?php } ?>
</div>
<?php } ?>
<div class="col-4">
<div class="dropdown dropleft text-center float-right">
@ -240,6 +241,7 @@ if (isset($_GET['quote_id'])) {
</div>
</div>
</div>
<?php } ?>
</div>
<div class="card-body">