mirror of
https://github.com/itflow-org/itflow
synced 2026-03-13 01:04:50 +00:00
Vendors: Add missing CSRF, need to update the permissions as a vendor can be client or global and permissions need to be set based off if the referal url has client_id or not
This commit is contained in:
johnnyq
@@ -4,10 +4,14 @@
|
||||
* ITFlow - GET/POST request handler for vendors
|
||||
*/
|
||||
|
||||
// Todo: 2026-03-02 JQ - Need Permssions reworked as we have client vendors and Global Vendors basically check the referral url if it has client_id then Perm check client else perm check financial.
|
||||
|
||||
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||
|
||||
if (isset($_POST['add_vendor_from_template'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
// GET POST Data
|
||||
$client_id = intval($_POST['client_id']); //Used if this vendor is under a contact otherwise its 0 for under company and or template
|
||||
$vendor_template_id = intval($_POST['vendor_template_id']);
|
||||
@@ -48,6 +52,8 @@ if (isset($_POST['add_vendor_from_template'])) {
|
||||
|
||||
if (isset($_POST['add_vendor'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
require_once 'vendor_model.php';
|
||||
|
||||
$client_id = intval($_POST['client_id']); // Used if this vendor is under a contact otherwise its 0 for under company
|
||||
@@ -66,6 +72,8 @@ if (isset($_POST['add_vendor'])) {
|
||||
|
||||
if (isset($_POST['edit_vendor'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
require_once 'vendor_model.php';
|
||||
|
||||
$vendor_id = intval($_POST['vendor_id']);
|
||||
@@ -86,6 +94,8 @@ if (isset($_POST['edit_vendor'])) {
|
||||
|
||||
if (isset($_GET['archive_vendor'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
$vendor_id = intval($_GET['archive_vendor']);
|
||||
|
||||
//Get Vendor Name
|
||||
@@ -104,9 +114,11 @@ if (isset($_GET['archive_vendor'])) {
|
||||
|
||||
}
|
||||
|
||||
if(isset($_GET['unarchive_vendor'])){
|
||||
if(isset($_GET['restore_vendor'])){
|
||||
|
||||
$vendor_id = intval($_GET['unarchive_vendor']);
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
$vendor_id = intval($_GET['restore_vendor']);
|
||||
|
||||
// Get Name and Client ID for logging and alert message
|
||||
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
|
||||
@@ -116,7 +128,7 @@ if(isset($_GET['unarchive_vendor'])){
|
||||
|
||||
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
|
||||
|
||||
logAction("Vendor", "Unarchive", "$session_name unarchived vendor $vendor_name", $client_id, $vendor_id);
|
||||
logAction("Vendor", "Restore", "$session_name restored vendor $vendor_name", $client_id, $vendor_id);
|
||||
|
||||
flash_alert("Vendor <strong>$vendor_name</strong> restored");
|
||||
|
||||
@@ -126,6 +138,10 @@ if(isset($_GET['unarchive_vendor'])){
|
||||
|
||||
if (isset($_GET['delete_vendor'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
validateAdminRole();
|
||||
|
||||
$vendor_id = intval($_GET['delete_vendor']);
|
||||
|
||||
//Get Vendor Name
|
||||
@@ -154,8 +170,6 @@ if (isset($_POST['bulk_archive_vendors'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
validateAdminRole();
|
||||
|
||||
if (isset($_POST['vendor_ids'])) {
|
||||
|
||||
// Get Selected Count
|
||||
@@ -187,12 +201,10 @@ if (isset($_POST['bulk_archive_vendors'])) {
|
||||
|
||||
}
|
||||
|
||||
if (isset($_POST['bulk_unarchive_vendors'])) {
|
||||
if (isset($_POST['bulk_restore_vendors'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
validateAdminRole();
|
||||
|
||||
if (isset($_POST['vendor_ids'])) {
|
||||
|
||||
// Get Selected Count
|
||||
@@ -211,13 +223,13 @@ if (isset($_POST['bulk_unarchive_vendors'])) {
|
||||
|
||||
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
|
||||
|
||||
logAction("Vendor", "Unarchive", "$session_name unarchived vendor $vendor_name", $client_id, $vendor_id);
|
||||
logAction("Vendor", "Restore", "$session_name restored vendor $vendor_name", $client_id, $vendor_id);
|
||||
|
||||
}
|
||||
|
||||
logAction("Vendor", "Bulk Unarchive", "$session_name unarchived $count vendor(s)");
|
||||
logAction("Vendor", "Bulk Restore", "$session_name restored $count vendor(s)");
|
||||
|
||||
flash_alert("Unarchived <strong>$count</strong> vendor(s)");
|
||||
flash_alert("Restored <strong>$count</strong> vendor(s)");
|
||||
|
||||
}
|
||||
|
||||
@@ -271,6 +283,8 @@ if (isset($_POST['bulk_delete_vendors'])) {
|
||||
|
||||
if (isset($_POST['export_vendors_csv'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
if ($_POST['client_id']) {
|
||||
$client_id = intval($_POST['client_id']);
|
||||
$client_query = "WHERE vendor_client_id = $client_id";
|
||||
|
||||
Reference in New Issue
Block a user