mirror of
https://github.com/itflow-org/itflow
synced 2026-03-28 16:25:40 +00:00
Quotes / Invoicing - More role/perms enforcement
This commit is contained in:
wrongecho
12
invoice.php
12
invoice.php
@@ -192,10 +192,11 @@ if (isset($_GET['invoice_id'])) {
|
|||||||
|
|
||||||
<div class="card-header d-print-none">
|
<div class="card-header d-print-none">
|
||||||
|
|
||||||
<div class="row">
|
<?php if (lookupUserPermission("module_sales") >= 2) { ?>
|
||||||
|
<div class="row">
|
||||||
|
|
||||||
<div class="col-8">
|
<div class="col-8">
|
||||||
<?php if ($invoice_status == 'Draft') { ?>
|
<?php if ($invoice_status == 'Draft') { ?>
|
||||||
<button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
|
<button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
|
||||||
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send
|
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send
|
||||||
</button>
|
</button>
|
||||||
@@ -209,8 +210,7 @@ if (isset($_GET['invoice_id'])) {
|
|||||||
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?php echo $invoice_id; ?>">
|
<a class="dropdown-item" href="post.php?mark_invoice_sent=<?php echo $invoice_id; ?>">
|
||||||
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
|
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
|
||||||
</a>
|
</a>
|
||||||
</div>
|
</div>
|
||||||
<?php } ?>
|
|
||||||
|
|
||||||
<?php if ($invoice_status !== 'Paid' && $invoice_status !== 'Cancelled' && $invoice_status !== 'Draft' && $invoice_amount != 0) { ?>
|
<?php if ($invoice_status !== 'Paid' && $invoice_status !== 'Cancelled' && $invoice_status !== 'Draft' && $invoice_amount != 0) { ?>
|
||||||
<a class="btn btn-success" href="#" data-toggle="modal" data-target="#addPaymentModal">
|
<a class="btn btn-success" href="#" data-toggle="modal" data-target="#addPaymentModal">
|
||||||
@@ -230,6 +230,7 @@ if (isset($_GET['invoice_id'])) {
|
|||||||
<?php } ?>
|
<?php } ?>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
<?php } ?>
|
||||||
|
|
||||||
<div class="col-4">
|
<div class="col-4">
|
||||||
|
|
||||||
@@ -282,6 +283,7 @@ if (isset($_GET['invoice_id'])) {
|
|||||||
</div>
|
</div>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
<?php } ?>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
@@ -417,7 +419,7 @@ if (isset($_GET['invoice_id'])) {
|
|||||||
<?php
|
<?php
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
<tr class="d-print-none" <?php if ($invoice_status == "Paid" || $invoice_status == "Cancelled") { echo "hidden"; } ?>>
|
<tr class="d-print-none" <?php if ($invoice_status == "Paid" || $invoice_status == "Cancelled" || lookupUserPermission("module_sales") <= 1) { echo "hidden"; } ?>>
|
||||||
<form action="post.php" method="post" autocomplete="off">
|
<form action="post.php" method="post" autocomplete="off">
|
||||||
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
|
<input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
|
||||||
<input type="hidden" name="item_order" value="<?php echo mysqli_num_rows($sql_invoice_items) + 1; ?>">
|
<input type="hidden" name="item_order" value="<?php echo mysqli_num_rows($sql_invoice_items) + 1; ?>">
|
||||||
|
|||||||
@@ -523,6 +523,7 @@ if (isset($_GET['delete_invoice'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['add_invoice_item'])) {
|
if (isset($_POST['add_invoice_item'])) {
|
||||||
|
enforceUserPermission('module_sales', 2);
|
||||||
|
|
||||||
$invoice_id = intval($_POST['invoice_id']);
|
$invoice_id = intval($_POST['invoice_id']);
|
||||||
$name = sanitizeInput($_POST['name']);
|
$name = sanitizeInput($_POST['name']);
|
||||||
@@ -576,6 +577,7 @@ if (isset($_POST['add_invoice_item'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['invoice_note'])) {
|
if (isset($_POST['invoice_note'])) {
|
||||||
|
enforceUserPermission('module_sales', 2);
|
||||||
|
|
||||||
$invoice_id = intval($_POST['invoice_id']);
|
$invoice_id = intval($_POST['invoice_id']);
|
||||||
$note = sanitizeInput($_POST['note']);
|
$note = sanitizeInput($_POST['note']);
|
||||||
@@ -598,6 +600,7 @@ if (isset($_POST['invoice_note'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['edit_item'])) {
|
if (isset($_POST['edit_item'])) {
|
||||||
|
enforceUserPermission('module_sales', 2);
|
||||||
|
|
||||||
$item_id = intval($_POST['item_id']);
|
$item_id = intval($_POST['item_id']);
|
||||||
$name = sanitizeInput($_POST['name']);
|
$name = sanitizeInput($_POST['name']);
|
||||||
@@ -694,6 +697,8 @@ if (isset($_POST['edit_item'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_GET['delete_invoice_item'])) {
|
if (isset($_GET['delete_invoice_item'])) {
|
||||||
|
enforceUserPermission('module_sales', 2);
|
||||||
|
|
||||||
$item_id = intval($_GET['delete_invoice_item']);
|
$item_id = intval($_GET['delete_invoice_item']);
|
||||||
|
|
||||||
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
|
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
|
||||||
@@ -727,6 +732,8 @@ if (isset($_GET['delete_invoice_item'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['add_payment'])) {
|
if (isset($_POST['add_payment'])) {
|
||||||
|
enforceUserPermission('module_sales', 2);
|
||||||
|
enforceUserPermission('module_financial', 2);
|
||||||
|
|
||||||
$invoice_id = intval($_POST['invoice_id']);
|
$invoice_id = intval($_POST['invoice_id']);
|
||||||
$balance = floatval($_POST['balance']);
|
$balance = floatval($_POST['balance']);
|
||||||
@@ -890,6 +897,7 @@ if (isset($_POST['add_payment'])) {
|
|||||||
if (isset($_GET['add_payment_stripe'])) {
|
if (isset($_GET['add_payment_stripe'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_sales', 2);
|
enforceUserPermission('module_sales', 2);
|
||||||
|
enforceUserPermission('module_financial', 2);
|
||||||
validateCSRFToken($_GET['csrf_token']);
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
$invoice_id = intval($_GET['invoice_id']);
|
$invoice_id = intval($_GET['invoice_id']);
|
||||||
@@ -1075,6 +1083,8 @@ if (isset($_GET['add_payment_stripe'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['add_bulk_payment'])) {
|
if (isset($_POST['add_bulk_payment'])) {
|
||||||
|
enforceUserPermission('module_sales', 2);
|
||||||
|
enforceUserPermission('module_financial', 2);
|
||||||
|
|
||||||
$client_id = intval($_POST['client_id']);
|
$client_id = intval($_POST['client_id']);
|
||||||
$date = sanitizeInput($_POST['date']);
|
$date = sanitizeInput($_POST['date']);
|
||||||
@@ -1207,6 +1217,9 @@ if (isset($_POST['add_bulk_payment'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_GET['delete_payment'])) {
|
if (isset($_GET['delete_payment'])) {
|
||||||
|
enforceUserPermission('module_sales', 2);
|
||||||
|
enforceUserPermission('module_financial', 2);
|
||||||
|
|
||||||
$payment_id = intval($_GET['delete_payment']);
|
$payment_id = intval($_GET['delete_payment']);
|
||||||
|
|
||||||
$sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id");
|
$sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id");
|
||||||
|
|||||||
34
quote.php
34
quote.php
@@ -146,25 +146,25 @@ if (isset($_GET['quote_id'])) {
|
|||||||
<div class="card">
|
<div class="card">
|
||||||
<div class="card-header d-print-none">
|
<div class="card-header d-print-none">
|
||||||
|
|
||||||
<div class="row">
|
<?php if (lookupUserPermission("module_sales") >= 2) { ?>
|
||||||
|
<div class="row">
|
||||||
|
|
||||||
<div class="col-8">
|
<div class="col-8">
|
||||||
<?php if ($quote_status == 'Draft' && lookupUserPermission("module_sales") >= 2) { ?>
|
<?php if ($quote_status == 'Draft') { ?>
|
||||||
<button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
|
<button class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">
|
||||||
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send
|
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send
|
||||||
</button>
|
</button>
|
||||||
<div class="dropdown-menu">
|
<div class="dropdown-menu">
|
||||||
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
|
<?php if (!empty($config_smtp_host) && !empty($contact_email)) { ?>
|
||||||
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
|
<a class="dropdown-item" href="post.php?email_quote=<?php echo $quote_id; ?>">
|
||||||
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
|
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Email
|
||||||
</a>
|
|
||||||
<div class="dropdown-divider"></div>
|
|
||||||
<?php } ?>
|
|
||||||
<a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
|
|
||||||
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
|
|
||||||
</a>
|
</a>
|
||||||
</div>
|
<div class="dropdown-divider"></div>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
|
<a class="dropdown-item" href="post.php?mark_quote_sent=<?php echo $quote_id; ?>">
|
||||||
|
<i class="fas fa-fw fa-check mr-2"></i>Mark Sent
|
||||||
|
</a>
|
||||||
|
</div>
|
||||||
|
|
||||||
<?php if ($quote_status == 'Sent' || $quote_status == 'Viewed') { ?>
|
<?php if ($quote_status == 'Sent' || $quote_status == 'Viewed') { ?>
|
||||||
<a class="btn btn-primary" href="post.php?accept_quote=<?php echo $quote_id; ?>">
|
<a class="btn btn-primary" href="post.php?accept_quote=<?php echo $quote_id; ?>">
|
||||||
@@ -192,6 +192,7 @@ if (isset($_GET['quote_id'])) {
|
|||||||
<?php } ?>
|
<?php } ?>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
<?php } ?>
|
||||||
|
|
||||||
<div class="col-4">
|
<div class="col-4">
|
||||||
<div class="dropdown dropleft text-center float-right">
|
<div class="dropdown dropleft text-center float-right">
|
||||||
@@ -240,6 +241,7 @@ if (isset($_GET['quote_id'])) {
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
<?php } ?>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="card-body">
|
<div class="card-body">
|
||||||
|
|||||||
Reference in New Issue
Block a user