Add Some Client Permission Checks to the new Global View and some tidying

johnnyq
2025-02-21 00:28:36 -05:00
parent ab3ffdf7fc
commit 64f3df6baf
13 changed files with 36 additions and 33 deletions


@@ -11,7 +11,6 @@ if (isset($_GET['client_id'])) {
$client_url = ''; $client_url = '';
} }
if (isset($_GET['asset_id'])) { if (isset($_GET['asset_id'])) {
$asset_id = intval($_GET['asset_id']); $asset_id = intval($_GET['asset_id']);
@@ -25,7 +24,7 @@ if (isset($_GET['asset_id'])) {
"); ");
$row = mysqli_fetch_array($sql); $row = mysqli_fetch_array($sql);
$client_id = intval($row['asset_client_id']); $client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); $client_name = nullable_htmlentities($row['client_name']);
$asset_id = intval($row['asset_id']); $asset_id = intval($row['asset_id']);
$asset_type = nullable_htmlentities($row['asset_type']); $asset_type = nullable_htmlentities($row['asset_type']);
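Review bot: The rewritten `$client_id = intval($row['client_id']);` reads `$row` straight after `mysqli_fetch_array($sql)` with no check that a row was returned, so an `asset_id` with no match (or, presumably, one the user is not allowed to see) makes `$row` null and every following `$row[...]` read warns and degrades to 0/empty instead of stopping. Add a guard between the fetch and the reads, e.g. `if (!$row) { exit; }` or the redirect this app uses elsewhere. The SELECT this row comes from closes at `");` above the hunk, so it is not visible whether `$access_permission_query` was spliced into it; the list views in this commit get the filter, and if this per-id lookup does not, a restricted user can still open any asset directly by id — worth confirming. Switching from `asset_client_id` to `client_id` also means the value now comes from the joined `clients` row, which with a LEFT JOIN is NULL (intval → 0) for an asset without a client; `$client_url` handling below presumably copes, but it changes which column drives the page. The surrounding `if (isset($_GET['asset_id']))` block starts and ends outside the hunk.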


@@ -67,10 +67,12 @@ $row = mysqli_fetch_assoc(mysqli_query($mysqli, "
SUM(CASE WHEN asset_type NOT IN ('laptop', 'desktop', 'server', 'virtual machine', 'Firewall/Router', 'switch', 'access point') THEN 1 ELSE 0 END) AS other_count SUM(CASE WHEN asset_type NOT IN ('laptop', 'desktop', 'server', 'virtual machine', 'Firewall/Router', 'switch', 'access point') THEN 1 ELSE 0 END) AS other_count
FROM ( FROM (
SELECT assets.* FROM assets SELECT assets.* FROM assets
LEFT JOIN clients ON client_id = asset_client_id
LEFT JOIN contacts ON asset_contact_id = contact_id LEFT JOIN contacts ON asset_contact_id = contact_id
LEFT JOIN locations ON asset_location_id = location_id LEFT JOIN locations ON asset_location_id = location_id
LEFT JOIN asset_interfaces ON interface_asset_id = asset_id AND interface_primary = 1 LEFT JOIN asset_interfaces ON interface_asset_id = asset_id AND interface_primary = 1
WHERE asset_$archive_query WHERE asset_$archive_query
$access_permission_query
$client_query $client_query
) AS filtered_assets; ) AS filtered_assets;
")); "));
@@ -106,8 +108,10 @@ $sql = mysqli_query(
WHERE asset_$archive_query WHERE asset_$archive_query
AND (asset_name LIKE '%$q%' OR asset_description LIKE '%$q%' OR asset_type LIKE '%$q%' OR interface_ip LIKE '%$q%' OR interface_ipv6 LIKE '%$q%' OR asset_make LIKE '%$q%' OR asset_model LIKE '%$q%' OR asset_serial LIKE '%$q%' OR asset_os LIKE '%$q%' OR contact_name LIKE '%$q%' OR location_name LIKE '%$q%' OR client_name LIKE '%$q%') AND (asset_name LIKE '%$q%' OR asset_description LIKE '%$q%' OR asset_type LIKE '%$q%' OR interface_ip LIKE '%$q%' OR interface_ipv6 LIKE '%$q%' OR asset_make LIKE '%$q%' OR asset_model LIKE '%$q%' OR asset_serial LIKE '%$q%' OR asset_os LIKE '%$q%' OR contact_name LIKE '%$q%' OR location_name LIKE '%$q%' OR client_name LIKE '%$q%')
AND ($type_query) AND ($type_query)
$access_permission_query
$location_query $location_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );
@@ -226,7 +230,7 @@ if (mysqli_num_rows($os_sql) > 0) {
<option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option> <option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option>
<?php <?php
$sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC"); $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql_clients_filter)) { while ($row = mysqli_fetch_array($sql_clients_filter)) {
$client_id = intval($row['client_id']); $client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); $client_name = nullable_htmlentities($row['client_name']);


@@ -25,6 +25,7 @@ $sql = mysqli_query($mysqli, "SELECT SQL_CALC_FOUND_ROWS * FROM certificates
LEFT JOIN clients ON client_id = certificate_client_id LEFT JOIN clients ON client_id = certificate_client_id
WHERE certificate_archived_at IS NULL WHERE certificate_archived_at IS NULL
AND (certificate_name LIKE '%$q%' OR certificate_domain LIKE '%$q%' OR certificate_issued_by LIKE '%$q%' OR client_name LIKE '%$q%') AND (certificate_name LIKE '%$q%' OR certificate_domain LIKE '%$q%' OR certificate_issued_by LIKE '%$q%' OR client_name LIKE '%$q%')
$access_permission_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );


@@ -77,30 +77,22 @@ $session_company_currency = $row['company_currency'];
// Set Currency Format // Set Currency Format
$currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY); $currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY);
// Get User Client Access Permissions
$user_client_access_sql = "SELECT client_id FROM user_permissions WHERE user_id = $session_user_id";
$user_client_access_result = mysqli_query($mysqli, $user_client_access_sql);
try { $client_access_array = [];
// Get User Client Access Permissions while ($row = mysqli_fetch_assoc($user_client_access_result)) {
$user_client_access_sql = "SELECT client_id FROM user_permissions WHERE user_id = $session_user_id"; $client_access_array[] = $row['client_id'];
$user_client_access_result = mysqli_query($mysqli, $user_client_access_sql); }
$client_access_array = []; $client_access_string = implode(',', $client_access_array);
while ($row = mysqli_fetch_assoc($user_client_access_result)) {
$client_access_array[] = $row['client_id'];
}
$client_access_string = implode(',', $client_access_array); // Client access permission check
// Default allow, if a list of allowed clients is set & the user isn't an admin, restrict them
// Client access permission check $access_permission_query = "";
// Default allow, if a list of allowed clients is set & the user isn't an admin, restrict them if ($client_access_string && !$session_is_admin) {
$access_permission_query = ""; $access_permission_query = "AND clients.client_id IN ($client_access_string)";
if ($client_access_string && !$session_is_admin) {
$access_permission_query = "AND clients.client_id IN ($client_access_string)";
}
} catch (Exception $e) {
// Handle exception
error_log('MySQL error: ' . $e->getMessage());
$access_permission_query = ""; // Ensure safe default if query fails
} }
// Include the settings vars // Include the settings vars
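Review bot: The ids collected into `$client_access_array` are interpolated verbatim into `AND clients.client_id IN (...)` and from there into every list query in this commit; casting on ingestion, `$client_access_array[] = intval($row['client_id']);`, costs nothing and guarantees the fragment can only ever contain integers regardless of the column type or any future change to `user_permissions`. Dropping the `try { ... } catch (Exception $e)` block also changes the failure mode: before, a failed `mysqli_query` fell through to `$access_permission_query = ""` (unrestricted), whereas now `mysqli_fetch_assoc(false)` will throw a TypeError and the request dies, which is the safer fail-closed behaviour, though that is inferred from PHP 8 semantics rather than visible here. Since twelve files now splice this variable, the comment above it should state its contract, e.g. `// Starts with "AND": splice only after an existing WHERE, and only into queries that join the unaliased clients table`. The `// Default allow` comment already documents that a user with no permission rows sees every client; that is a deliberate design choice but the riskiest part of this mechanism, so keep that comment next to the `if`.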


@@ -65,6 +65,7 @@ $sql = mysqli_query($mysqli, "SELECT SQL_CALC_FOUND_ROWS contacts.*, clients.*,
WHERE contact_$archive_query WHERE contact_$archive_query
$tag_query $tag_query
AND (contact_name LIKE '%$q%' OR contact_title LIKE '%$q%' OR location_name LIKE '%$q%' OR contact_email LIKE '%$q%' OR contact_department LIKE '%$q%' OR contact_phone LIKE '%$phone_query%' OR contact_extension LIKE '%$q%' OR contact_mobile LIKE '%$phone_query%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%') AND (contact_name LIKE '%$q%' OR contact_title LIKE '%$q%' OR location_name LIKE '%$q%' OR contact_email LIKE '%$q%' OR contact_department LIKE '%$q%' OR contact_phone LIKE '%$phone_query%' OR contact_extension LIKE '%$q%' OR contact_mobile LIKE '%$phone_query%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%')
$access_permission_query
$client_query $client_query
$location_query $location_query
GROUP BY contact_id GROUP BY contact_id
@@ -158,7 +159,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option> <option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option>
<?php <?php
$sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC"); $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql_clients_filter)) { while ($row = mysqli_fetch_array($sql_clients_filter)) {
$client_id = intval($row['client_id']); $client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); $client_name = nullable_htmlentities($row['client_name']);


@@ -74,6 +74,7 @@ $sql = mysqli_query(
$tag_query $tag_query
AND (l.login_name LIKE '%$q%' OR l.login_description LIKE '%$q%' OR l.login_uri LIKE '%$q%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%') AND (l.login_name LIKE '%$q%' OR l.login_description LIKE '%$q%' OR l.login_uri LIKE '%$q%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%')
$location_query $location_query
$access_permission_query
$client_query $client_query
GROUP BY l.login_id GROUP BY l.login_id
ORDER BY l.login_important DESC, $sort $order LIMIT $record_from, $record_to" ORDER BY l.login_important DESC, $sort $order LIMIT $record_from, $record_to"
@@ -151,7 +152,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option> <option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option>
<?php <?php
$sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC"); $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql_clients_filter)) { while ($row = mysqli_fetch_array($sql_clients_filter)) {
$client_id = intval($row['client_id']); $client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); $client_name = nullable_htmlentities($row['client_name']);
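Review bot: This file aliases `logins` as `l` (see `l.login_name` in the search clause), while `$access_permission_query` hard-codes `clients.client_id`; that only works if the `clients` join above the hunk is left unaliased, which cannot be confirmed from the hunk and is worth a quick check. Style: the fragment is inserted after `$location_query` here but before `$client_query` in every other file of this commit; the AND fragments are order-independent, but keeping the same order makes the twelve splice points greppable. The surrounding `mysqli_query(` call starts outside the hunk.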


@@ -32,8 +32,9 @@ $sql = mysqli_query($mysqli, "SELECT SQL_CALC_FOUND_ROWS domains.*, clients.*,
LEFT JOIN vendors AS dnshost ON domains.domain_dnshost = dnshost.vendor_id LEFT JOIN vendors AS dnshost ON domains.domain_dnshost = dnshost.vendor_id
LEFT JOIN vendors AS mailhost ON domains.domain_mailhost = mailhost.vendor_id LEFT JOIN vendors AS mailhost ON domains.domain_mailhost = mailhost.vendor_id
LEFT JOIN vendors AS webhost ON domains.domain_webhost = webhost.vendor_id LEFT JOIN vendors AS webhost ON domains.domain_webhost = webhost.vendor_id
WHERE (domains.domain_name LIKE '%$q%' OR domains.domain_description LIKE '%$q%' OR registrar.vendor_name LIKE '%$q%' OR dnshost.vendor_name LIKE '%$q%' OR mailhost.vendor_name LIKE '%$q%' OR webhost.vendor_name LIKE '%$q%' OR client_name LIKE '%$q%')
AND domain_$archive_query AND domain_$archive_query
AND (domains.domain_name LIKE '%$q%' OR domains.domain_description LIKE '%$q%' OR registrar.vendor_name LIKE '%$q%' OR dnshost.vendor_name LIKE '%$q%' OR mailhost.vendor_name LIKE '%$q%' OR webhost.vendor_name LIKE '%$q%' OR client_name LIKE '%$q%') $access_permission_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to"); ORDER BY $sort $order LIMIT $record_from, $record_to");
@@ -43,7 +44,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="card card-dark"> <div class="card card-dark">
<div class="card-header py-2"> <div class="card-header py-2">
<h3 class="card-title mt-2"><i class="fa fa-fw fa-globe mr-2"></i>Domain Management</h3> <h3 class="card-title mt-2"><i class="fa fa-fw fa-globe mr-2"></i>Domains</h3>
<div class="card-tools"> <div class="card-tools">
<div class="btn-group"> <div class="btn-group">
<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addDomainModal"><i class="fas fa-plus mr-2"></i>New Domain</button> <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addDomainModal"><i class="fas fa-plus mr-2"></i>New Domain</button>


@@ -93,8 +93,8 @@ if (isset($_GET['query'])) {
$sql_recurring_tickets = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets $sql_recurring_tickets = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets
LEFT JOIN clients ON scheduled_ticket_client_id = client_id LEFT JOIN clients ON scheduled_ticket_client_id = client_id
WHERE scheduled_ticket_subject LIKE '%$query%' WHERE (scheduled_ticket_subject LIKE '%$query%'
OR scheduled_ticket_details LIKE '%$query%' OR scheduled_ticket_details LIKE '%$query%')
$access_permission_query $access_permission_query
ORDER BY scheduled_ticket_id DESC LIMIT 5" ORDER BY scheduled_ticket_id DESC LIMIT 5"
); );
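Review bot: The parentheses added around the two `LIKE '%$query%'` terms are the important part of this hunk — without them the `AND` from `$access_permission_query` bound only to the second term and the first term bypassed the client restriction — and the other search queries in this commit already group their OR terms, so they do not need the same fix. What the hunk does not show is whether `$query` is passed through `mysqli_real_escape_string` (or equivalent) in the `if (isset($_GET['query']))` block that starts above the hunk; if it is not, the value is spliced raw into the LIKE pattern. A one-line comment at the top of the query noting that `$query` must already be escaped would make that dependency visible to the next editor.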


@@ -6,11 +6,11 @@ $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('client_id') AS nu
$num_active_clients = $row['num']; $num_active_clients = $row['num'];
// Active Ticket Count // Active Ticket Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('ticket_id') AS num FROM tickets WHERE ticket_archived_at IS NULL AND ticket_closed_at IS NULL AND ticket_status != 4")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('ticket_id') AS num FROM tickets LEFT JOIN clients ON client_id = ticket_client_id WHERE ticket_archived_at IS NULL AND ticket_closed_at IS NULL AND ticket_status != 4 $access_permission_query"));
$num_active_tickets = $row['num']; $num_active_tickets = $row['num'];
// Recurring Ticket Count // Recurring Ticket Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('scheduled_ticket_id') AS num FROM scheduled_tickets")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('scheduled_ticket_id') AS num FROM scheduled_tickets LEFT JOIN clients ON client_id = scheduled_ticket_client_id WHERE 1 = 1 $access_permission_query"));
$num_recurring_tickets = $row['num']; $num_recurring_tickets = $row['num'];
// Active Project Count // Active Project Count
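Review bot: The active client count that feeds `$num_active_clients` is produced by the query on the hunk header line (`SELECT COUNT('client_id') AS nu...`), which is outside the hunk and is not shown receiving `$access_permission_query`; if it was left unfiltered, a restricted user's dashboard will report more clients than the lists below let them see. Style: `COUNT('ticket_id')` and `COUNT('scheduled_ticket_id')` count a string literal, not the column, so they behave as `COUNT(*)` — writing `COUNT(*)` says what is meant, and `WHERE 1 = 1 $access_permission_query` is only there to give the `AND` fragment something to attach to, which a short comment should say. The project count below continues outside the hunk.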


@@ -43,6 +43,7 @@ $sql = mysqli_query(
WHERE location_$archive_query WHERE location_$archive_query
$tag_query $tag_query
AND (location_name LIKE '%$q%' OR location_description LIKE '%$q%' OR location_address LIKE '%$q%' OR location_phone LIKE '%$phone_query%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%') AND (location_name LIKE '%$q%' OR location_description LIKE '%$q%' OR location_address LIKE '%$q%' OR location_phone LIKE '%$phone_query%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%')
$access_permission_query
$client_query $client_query
GROUP BY location_id GROUP BY location_id
ORDER BY location_primary DESC, $sort $order LIMIT $record_from, $record_to" ORDER BY location_primary DESC, $sort $order LIMIT $record_from, $record_to"


@@ -28,6 +28,7 @@ $sql = mysqli_query(
LEFT JOIN locations ON location_id = network_location_id LEFT JOIN locations ON location_id = network_location_id
WHERE network_$archive_query WHERE network_$archive_query
AND (network_name LIKE '%$q%' OR network_description LIKE '%$q%' OR network_vlan LIKE '%$q%' OR network LIKE '%$q%' OR network_gateway LIKE '%$q%' OR network_subnet LIKE '%$q%' OR network_primary_dns LIKE '%$q%' OR network_secondary_dns LIKE '%$q%' OR network_dhcp_range LIKE '%$q%' OR location_name LIKE '%$q%' OR client_name LIKE '%$q%') AND (network_name LIKE '%$q%' OR network_description LIKE '%$q%' OR network_vlan LIKE '%$q%' OR network LIKE '%$q%' OR network_gateway LIKE '%$q%' OR network_subnet LIKE '%$q%' OR network_primary_dns LIKE '%$q%' OR network_secondary_dns LIKE '%$q%' OR network_dhcp_range LIKE '%$q%' OR location_name LIKE '%$q%' OR client_name LIKE '%$q%')
$access_permission_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );


@@ -24,6 +24,7 @@ $sql = mysqli_query(
"SELECT SQL_CALC_FOUND_ROWS * FROM services "SELECT SQL_CALC_FOUND_ROWS * FROM services
LEFT JOIN clients ON client_id = service_client_id LEFT JOIN clients ON client_id = service_client_id
WHERE (service_name LIKE '%$q%' OR service_description LIKE '%$q%' OR service_category LIKE '%$q%' OR client_name LIKE '%$q%') WHERE (service_name LIKE '%$q%' OR service_description LIKE '%$q%' OR service_category LIKE '%$q%' OR client_name LIKE '%$q%')
$access_permission_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );


@@ -25,6 +25,7 @@ $sql = mysqli_query(
WHERE software_template = 0 WHERE software_template = 0
AND software_$archive_query AND software_$archive_query
AND (software_name LIKE '%$q%' OR software_type LIKE '%$q%' OR software_key LIKE '%$q%' OR client_name LIKE '%$q%') AND (software_name LIKE '%$q%' OR software_type LIKE '%$q%' OR software_key LIKE '%$q%' OR client_name LIKE '%$q%')
$access_permission_query
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to"); ORDER BY $sort $order LIMIT $record_from, $record_to");