From 40086f1ce06e958de3261d27990ba87b528309e6 Mon Sep 17 00:00:00 2001
From: wrongecho <marcus@itflow.org>
Date: Wed, 14 May 2025 11:07:25 +0100
Subject: [PATCH] Quotes / Invoicing - More role/perms enforcement

---
 invoice.php           | 12 +++++++-----
 post/user/invoice.php | 13 +++++++++++++
 quote.php             | 34 ++++++++++++++++++----------------
 3 files changed, 38 insertions(+), 21 deletions(-)

diff --git a/invoice.php b/invoice.php
index 2f01dea5..fcc8a2c0 100644
--- a/invoice.php
+++ b/invoice.php
@@ -192,10 +192,11 @@ if (isset($_GET['invoice_id'])) {
 
         <div class="card-header d-print-none">
 
-            <div class="row">
+            <?php if (lookupUserPermission("module_sales") >= 2) { ?>
+                <div class="row">
 
                 <div class="col-8">
-                    <?php if ($invoice_status == 'Draft') { ?>
+                        <?php if ($invoice_status == 'Draft') { ?>
                         <button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
                             <i class="fas fa-fw fa-paper-plane mr-2"></i>Send
                         </button>
@@ -209,8 +210,7 @@ if (isset($_GET['invoice_id'])) {
                             <a class="dropdown-item" href="post.php?mark_invoice_sent=<?php echo $invoice_id; ?>">
                                 <i class="fas fa-fw fa-check mr-2"></i>Mark Sent
                             </a>
-                        </div>
-                    <?php } ?>
+                    </div>
 
                     <?php if ($invoice_status !== 'Paid' && $invoice_status !== 'Cancelled' && $invoice_status !== 'Draft' && $invoice_amount != 0) { ?>
                         <a class="btn btn-success" href="#" data-toggle="modal" data-target="#addPaymentModal">
@@ -230,6 +230,7 @@ if (isset($_GET['invoice_id'])) {
                     <?php } ?>
 
                 </div>
+                <?php } ?>
 
                 <div class="col-4">
 
@@ -282,6 +283,7 @@ if (isset($_GET['invoice_id'])) {
                 </div>
 
             </div>
+            <?php } ?>
 
         </div>
 
@@ -417,7 +419,7 @@ if (isset($_GET['invoice_id'])) {
                                     <?php
                                 }
                                 ?>
-                                <tr class="d-print-none" <?php if ($invoice_status == "Paid" || $invoice_status == "Cancelled") { echo "hidden"; } ?>>
+                                <tr class="d-print-none" <?php if ($invoice_status == "Paid" || $invoice_status == "Cancelled" || lookupUserPermission("module_sales") <= 1) { echo "hidden"; } ?>>
                                     <form action="post.php" method="post" autocomplete="off">
                                         <input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
                                         <input type="hidden" name="item_order" value="<?php echo mysqli_num_rows($sql_invoice_items) + 1; ?>">
diff --git a/post/user/invoice.php b/post/user/invoice.php
index dd6288e0..9469aeab 100644
--- a/post/user/invoice.php
+++ b/post/user/invoice.php
@@ -523,6 +523,7 @@ if (isset($_GET['delete_invoice'])) {
 }
 
 if (isset($_POST['add_invoice_item'])) {
+    enforceUserPermission('module_sales', 2);
 
     $invoice_id = intval($_POST['invoice_id']);
     $name = sanitizeInput($_POST['name']);
@@ -576,6 +577,7 @@ if (isset($_POST['add_invoice_item'])) {
 }
 
 if (isset($_POST['invoice_note'])) {
+    enforceUserPermission('module_sales', 2);
 
     $invoice_id = intval($_POST['invoice_id']);
     $note = sanitizeInput($_POST['note']);
@@ -598,6 +600,7 @@ if (isset($_POST['invoice_note'])) {
 }
 
 if (isset($_POST['edit_item'])) {
+    enforceUserPermission('module_sales', 2);
 
     $item_id = intval($_POST['item_id']);
     $name = sanitizeInput($_POST['name']);
@@ -694,6 +697,8 @@ if (isset($_POST['edit_item'])) {
 }
 
 if (isset($_GET['delete_invoice_item'])) {
+    enforceUserPermission('module_sales', 2);
+
     $item_id = intval($_GET['delete_invoice_item']);
 
     $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
@@ -727,6 +732,8 @@ if (isset($_GET['delete_invoice_item'])) {
 }
 
 if (isset($_POST['add_payment'])) {
+    enforceUserPermission('module_sales', 2);
+    enforceUserPermission('module_financial', 2);
 
     $invoice_id = intval($_POST['invoice_id']);
     $balance = floatval($_POST['balance']);
@@ -890,6 +897,7 @@ if (isset($_POST['add_payment'])) {
 if (isset($_GET['add_payment_stripe'])) {
 
     enforceUserPermission('module_sales', 2);
+    enforceUserPermission('module_financial', 2);
     validateCSRFToken($_GET['csrf_token']);
 
     $invoice_id = intval($_GET['invoice_id']);
@@ -1075,6 +1083,8 @@ if (isset($_GET['add_payment_stripe'])) {
 }
 
 if (isset($_POST['add_bulk_payment'])) {
+    enforceUserPermission('module_sales', 2);
+    enforceUserPermission('module_financial', 2);
 
     $client_id = intval($_POST['client_id']);
     $date = sanitizeInput($_POST['date']);
@@ -1207,6 +1217,9 @@ if (isset($_POST['add_bulk_payment'])) {
 }
 
 if (isset($_GET['delete_payment'])) {
+    enforceUserPermission('module_sales', 2);
+    enforceUserPermission('module_financial', 2);
+
     $payment_id = intval($_GET['delete_payment']);
 
     $sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id");
diff --git a/quote.php b/quote.php
index a6be1092..d383dab6 100644
--- a/quote.php
+++ b/quote.php
@@ -146,25 +146,25 @@ if (isset($_GET['quote_id'])) {
     <div class="card">
         <div class="card-header d-print-none">
 
-            <div class="row">
+            <?php if (lookupUserPermission("module_sales") >= 2) { ?>
+                <div class="row">
 
                 <div class="col-8">
-                    <?php if ($quote_status == 'Draft' && lookupUserPermission("module_sales") >= 2) { ?>
-                        <button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
-                            <i class="fas fa-fw fa-paper-plane mr-2"></i>Send
-                        </button>
-                        <div class="dropdown-menu">
-                            <?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
-                                <a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
-                                    <i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
-                                </a>
-                                <div class="dropdown-divider"></div>
-                            <?php } ?>
-                            <a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
-                                <i class="fas fa-fw fa-check mr-2"></i>Mark Sent
+                <?php if ($quote_status == 'Draft') { ?>
+                    <button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
+                        <i class="fas fa-fw fa-paper-plane mr-2"></i>Send
+                    </button>
+                    <div class="dropdown-menu">
+                        <?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
+                            <a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
+                                <i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
                             </a>
-                        </div>
-                    <?php } ?>
+                            <div class="dropdown-divider"></div>
+                        <?php } ?>
+                        <a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
+                            <i class="fas fa-fw fa-check mr-2"></i>Mark Sent
+                        </a>
+                    </div>
 
                     <?php if ($quote_status == 'Sent' || $quote_status == 'Viewed') { ?>
                         <a class="btn btn-primary" href="post.php?accept_quote=<?php echo $quote_id; ?>">
@@ -192,6 +192,7 @@ if (isset($_GET['quote_id'])) {
                     <?php } ?>
 
                 </div>
+                <?php } ?>
 
                 <div class="col-4">
                     <div class="dropdown dropleft text-center float-right">
@@ -240,6 +241,7 @@ if (isset($_GET['quote_id'])) {
                     </div>
                 </div>
             </div>
+            <?php } ?>
         </div>
 
         <div class="card-body">