AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-05-31 07:08:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1284 from itflow-org/develop

Browse Source 
Bump Version
This commit is contained in:
Johnny
2026-05-21 10:53:48 -04:00
committed by GitHub
parent 885a002611 a02d78bde5
commit 60563e3392
7 changed files with 35 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@@ -2,6 +2,9 @@
This file documents all notable changes made to ITFlow. This file documents all notable changes made to ITFlow.
## [26.05.1] Stable Release
- Security Fixes.
## [26.05] Stable Release ## [26.05] Stable Release
### Bug Fixes ### Bug Fixes
- Stripe Payment: Fix adding saved cards on client portal. - Stripe Payment: Fix adding saved cards on client portal.

6
agent/ajax.php
View File

@@ -454,6 +454,12 @@ if (isset($_POST['update_kanban_ticket'])) {
foreach ($positions as $position) { foreach ($positions as $position) {
$ticket_id = intval($position['ticket_id']); $ticket_id = intval($position['ticket_id']);
// Client perms check
$client_query = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT ticket_client_id FROM tickets WHERE ticket_id = $ticket_id"));
$client_id = intval($client_query['ticket_client_id']);
enforceClientAccess();
$kanban = intval($position['ticket_order']); // ticket kanban position $kanban = intval($position['ticket_order']); // ticket kanban position
$status = intval($position['ticket_status']); // ticket statuses $status = intval($position['ticket_status']); // ticket statuses
$oldStatus = intval($position['ticket_oldStatus']); // ticket old status if moved $oldStatus = intval($position['ticket_oldStatus']); // ticket old status if moved

4
agent/post/invoice.php
View File

@@ -542,8 +542,8 @@ if (isset($_GET['email_invoice'])) {
$invoice_number = intval($row['invoice_number']); $invoice_number = intval($row['invoice_number']);
$invoice_scope = sanitizeInput($row['invoice_scope']); $invoice_scope = sanitizeInput($row['invoice_scope']);
$invoice_status = sanitizeInput($row['invoice_status']); $invoice_status = sanitizeInput($row['invoice_status']);
$invoice_date = sanitizeInput($row['invoice_date']); $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
$invoice_due = sanitizeInput($row['invoice_due']); $invoice_due = sanitizeInput(validateDate($row['invoice_due']));
$invoice_amount = floatval($row['invoice_amount']); $invoice_amount = floatval($row['invoice_amount']);
$invoice_url_key = sanitizeInput($row['invoice_url_key']); $invoice_url_key = sanitizeInput($row['invoice_url_key']);
$invoice_currency_code = sanitizeInput($row['invoice_currency_code']); $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);

8
agent/post/recurring_invoice.php
View File

@@ -13,13 +13,13 @@ if (isset($_POST['add_invoice_recurring'])) {
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
$invoice_id = intval($_POST['invoice_id']); $invoice_id = intval($_POST['invoice_id']);
$recurring_invoice_frequency = sanitizeInput($_POST['frequency']); $recurring_invoice_frequency = ($_POST['frequency'] === 'year') ? 'year' : 'month';
$sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id"); $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id");
$row = mysqli_fetch_assoc($sql); $row = mysqli_fetch_assoc($sql);
$invoice_prefix = sanitizeInput($row['invoice_prefix']); $invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']); $invoice_number = intval($row['invoice_number']);
$invoice_date = sanitizeInput($row['invoice_date']); $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
$invoice_amount = floatval($row['invoice_amount']); $invoice_amount = floatval($row['invoice_amount']);
$invoice_currency_code = sanitizeInput($row['invoice_currency_code']); $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);
$invoice_scope = sanitizeInput($row['invoice_scope']); $invoice_scope = sanitizeInput($row['invoice_scope']);
@@ -394,7 +394,7 @@ if (isset($_GET['force_recurring'])) {
$row = mysqli_fetch_assoc($sql_recurring_invoices); $row = mysqli_fetch_assoc($sql_recurring_invoices);
$recurring_invoice_id = intval($row['recurring_invoice_id']); $recurring_invoice_id = intval($row['recurring_invoice_id']);
$recurring_invoice_scope = sanitizeInput($row['recurring_invoice_scope']); $recurring_invoice_scope = sanitizeInput($row['recurring_invoice_scope']);
$recurring_invoice_frequency = sanitizeInput($row['recurring_invoice_frequency']); $recurring_invoice_frequency = ($_POST['frequency'] === 'year') ? 'year' : 'month';
$recurring_invoice_status = sanitizeInput($row['recurring_invoice_status']); $recurring_invoice_status = sanitizeInput($row['recurring_invoice_status']);
$recurring_invoice_last_sent = sanitizeInput($row['recurring_invoice_last_sent']); $recurring_invoice_last_sent = sanitizeInput($row['recurring_invoice_last_sent']);
$recurring_invoice_next_date = sanitizeInput($row['recurring_invoice_next_date']); $recurring_invoice_next_date = sanitizeInput($row['recurring_invoice_next_date']);
@@ -480,7 +480,7 @@ if (isset($_GET['force_recurring'])) {
$invoice_prefix = sanitizeInput($row['invoice_prefix']); $invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']); $invoice_number = intval($row['invoice_number']);
$invoice_scope = sanitizeInput($row['invoice_scope']); $invoice_scope = sanitizeInput($row['invoice_scope']);
$invoice_date = sanitizeInput($row['invoice_date']); $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
$invoice_due = sanitizeInput($row['invoice_due']); $invoice_due = sanitizeInput($row['invoice_due']);
$invoice_amount = floatval($row['invoice_amount']); $invoice_amount = floatval($row['invoice_amount']);
$invoice_url_key = sanitizeInput($row['invoice_url_key']); $invoice_url_key = sanitizeInput($row['invoice_url_key']);

18
client/post.php
View File

@@ -524,12 +524,6 @@ if (isset($_GET['add_payment_by_provider'])) {
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']); $contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
$contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile'], $row['contact_mobile_country_code'])); $contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile'], $row['contact_mobile_country_code']));
// Check to make sure saved payment method belongs to logged in client
if ($client_id !== $session_client_id) {
flash_alert("Saved Payment method does not belong to you!", 'danger');
redirect();
}
// Get ITFlow company details // Get ITFlow company details
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1"); $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_assoc($sql); $row = mysqli_fetch_assoc($sql);
@@ -548,7 +542,7 @@ if (isset($_GET['add_payment_by_provider'])) {
$config_invoice_from_email = sanitizeInput($config_invoice_from_email); $config_invoice_from_email = sanitizeInput($config_invoice_from_email);
// Get Client Payment Details // Get Client Payment Details
$sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id LIMIT 1"); $sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id AND saved_payment_client_id = $session_client_id LIMIT 1");
$row = mysqli_fetch_assoc($sql); $row = mysqli_fetch_assoc($sql);
$public_key = sanitizeInput($row['payment_provider_public_key']); $public_key = sanitizeInput($row['payment_provider_public_key']);
@@ -561,9 +555,17 @@ if (isset($_GET['add_payment_by_provider'])) {
$payment_provider_client = sanitizeInput($row['payment_provider_client']); $payment_provider_client = sanitizeInput($row['payment_provider_client']);
$saved_payment_method = sanitizeInput($row['saved_payment_provider_method']); $saved_payment_method = sanitizeInput($row['saved_payment_provider_method']);
$saved_payment_description = sanitizeInput($row['saved_payment_description']); $saved_payment_description = sanitizeInput($row['saved_payment_description']);
$payment_client_id = intval($row['saved_payment_client_id']);
// Sanity checks // Sanity checks
if (!$payment_provider_client || !$saved_payment_method) { // Check to make invoice belongs to logged in client
if ($client_id !== $session_client_id) {
flash_alert("Invoice does not belong to you!", 'danger');
redirect();
} elseif ($payment_client_id !== $session_client_id) {
flash_alert("Saved Payment method does not belong to you!", 'danger');
redirect();
} elseif (!$payment_provider_client || !$saved_payment_method) {
flash_alert("Stripe not enabled or no client card saved", 'error'); flash_alert("Stripe not enabled or no client card saved", 'error');
redirect(); redirect();
} elseif ($invoice_status !== 'Sent' && $invoice_status !== 'Viewed') { } elseif ($invoice_status !== 'Sent' && $invoice_status !== 'Viewed') {

11
functions.php
View File

@@ -1512,8 +1512,8 @@ function logAction($type, $action, $description, $client_id = 0, $entity_id = 0)
function logApp($category, $type, $details) { function logApp($category, $type, $details) {
global $mysqli; global $mysqli;
$category = substr($category, 0, 200); $category = mysqli_real_escape_string($mysqli, substr($category, 0, 200));
$details = substr($details, 0, 1000); $details = mysqli_real_escape_string($mysqli, substr($details, 0, 1000));
mysqli_query($mysqli, "INSERT INTO app_logs SET app_log_category = '$category', app_log_type = '$type', app_log_details = '$details'"); mysqli_query($mysqli, "INSERT INTO app_logs SET app_log_category = '$category', app_log_type = '$type', app_log_details = '$details'");
} }
@@ -2073,3 +2073,10 @@ function formatDuration($time) {
return implode(' ', $parts); return implode(' ', $parts);
} }
function validateDate($date) {
if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
return $date;
}
return date('Y-m-d'); // Fallback
}

2
includes/app_version.php
View File

@@ -5,4 +5,4 @@
* Update this file each time we merge develop into master. Format is YY.MM (add a .v if there is more than one release a month. * Update this file each time we merge develop into master. Format is YY.MM (add a .v if there is more than one release a month.
*/ */
DEFINE("APP_VERSION", "26.05"); DEFINE("APP_VERSION", "26.05.1");