More enforcing user permissions

This commit is contained in:
wrongecho
2024-09-28 20:04:33 +01:00
parent e94aae7940
commit 654b590033
24 changed files with 136 additions and 94 deletions


@@ -8,7 +8,7 @@ if(isset($_POST['add_location'])){
validateTechRole();
require_once 'post/client_locations_model.php';
require_once 'post/location_model.php';
if(!file_exists("uploads/clients/$client_id")) {
@@ -67,7 +67,7 @@ if(isset($_POST['edit_location'])){
validateTechRole();
require_once 'post/client_locations_model.php';
require_once 'post/location_model.php';
$location_id = intval($_POST['location_id']);


@@ -6,10 +6,9 @@
if (isset($_POST['add_login'])) {
validateTechRole();
require_once 'post/client_logins_model.php';
enforceUserPermission('module_credential', 2);
require_once 'post/login_model.php';
mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id, login_client_id = $client_id");
@@ -26,10 +25,9 @@ if (isset($_POST['add_login'])) {
if (isset($_POST['edit_login'])) {
validateTechRole();
require_once 'post/client_logins_model.php';
enforceUserPermission('module_credential', 2);
require_once 'post/login_model.php';
$login_id = intval($_POST['login_id']);
@@ -55,7 +53,7 @@ if (isset($_POST['edit_login'])) {
if(isset($_GET['archive_login'])){
validateTechRole();
enforceUserPermission('module_credential', 2);
$login_id = intval($_GET['archive_login']);
@@ -79,6 +77,8 @@ if(isset($_GET['archive_login'])){
if(isset($_GET['unarchive_login'])){
enforceUserPermission('module_credential', 2);
$login_id = intval($_GET['unarchive_login']);
// Get Name and Client ID for logging and alert message
@@ -99,7 +99,7 @@ if(isset($_GET['unarchive_login'])){
if (isset($_GET['delete_login'])) {
validateAdminRole();
enforceUserPermission('module_credential', 3);
$login_id = intval($_GET['delete_login']);
@@ -128,7 +128,8 @@ if (isset($_GET['delete_login'])) {
}
if (isset($_POST['bulk_archive_logins'])) {
validateAdminRole();
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@@ -166,7 +167,9 @@ if (isset($_POST['bulk_archive_logins'])) {
}
if (isset($_POST['bulk_unarchive_logins'])) {
validateAdminRole();
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@@ -205,7 +208,9 @@ if (isset($_POST['bulk_unarchive_logins'])) {
}
if (isset($_POST['bulk_delete_logins'])) {
validateAdminRole();
enforceUserPermission('module_credential', 3);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@@ -250,7 +255,7 @@ if (isset($_POST['bulk_delete_logins'])) {
if (isset($_POST['export_client_logins_csv'])) {
validateAdminRole();
enforceUserPermission('module_credential');
$client_id = intval($_POST['client_id']);
@@ -301,7 +306,7 @@ if (isset($_POST['export_client_logins_csv'])) {
if (isset($_POST["import_client_logins_csv"])) {
validateTechRole();
enforceUserPermission('module_credential', 2);
$client_id = intval($_POST['client_id']);
$file_name = $_FILES["file"]["tmp_name"];
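Review bot: The CSV export handler's new check `enforceUserPermission('module_credential');` passes no level, while every other handler in this file passes 2 or 3 and the line it replaces was `validateAdminRole();`. If the omitted level defaults to read access, any user who can view credentials can now bulk-export a client's logins (presumably including the password/OTP-secret columns this file stores, judging by the INSERT) where previously only admins could; confirm the intended level and make it explicit, e.g. `enforceUserPermission('module_credential', 3); // export returns all stored secrets`, adjusting the level to whatever matches the old admin-only gate. The same level-less call appears on the quotes export (`enforceUserPermission('module_sales')`) in quotes.php. In the add_login/edit_login hunks it is not clear from the rendered page whether `validateTechRole();` survives alongside the new call; if both are meant to remain, a one-line comment stating which check is authoritative would help, since the archive/delete hunks appear to drop the role check. Each handler's if-block begins before and ends after its hunk.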


@@ -1,4 +1,5 @@
<?php
// Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);


@@ -8,18 +8,7 @@ if (isset($_POST['add_network'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$vlan = intval($_POST['vlan']);
$network = sanitizeInput($_POST['network']);
$subnet = sanitizeInput($_POST['subnet']);
$gateway = sanitizeInput($_POST['gateway']);
$primary_dns = sanitizeInput($_POST['primary_dns']);
$secondary_dns = sanitizeInput($_POST['secondary_dns']);
$dhcp_range = sanitizeInput($_POST['dhcp_range']);
$notes = sanitizeInput($_POST['notes']);
$location_id = intval($_POST['location']);
require_once 'post/login_model.php';
mysqli_query($mysqli,"INSERT INTO networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id, network_client_id = $client_id");
@@ -39,18 +28,8 @@ if (isset($_POST['edit_network'])) {
validateTechRole();
$network_id = intval($_POST['network_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$vlan = intval($_POST['vlan']);
$network = sanitizeInput($_POST['network']);
$subnet = sanitizeInput($_POST['subnet']);
$gateway = sanitizeInput($_POST['gateway']);
$primary_dns = sanitizeInput($_POST['primary_dns']);
$secondary_dns = sanitizeInput($_POST['secondary_dns']);
$dhcp_range = sanitizeInput($_POST['dhcp_range']);
$notes = sanitizeInput($_POST['notes']);
$location_id = intval($_POST['location']);
$client_id = intval($_POST['client_id']);
require_once 'post/login_model.php';
mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id");
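Review bot: Both the add_network and edit_network hunks replace the inline `$_POST` extraction with `require_once 'post/login_model.php';`, but the model this commit creates for networks is `post/network_model.php`, and the login model shown in this commit only defines `$name`, `$description` and `$client_id`. As written, `$vlan`, `$network`, `$subnet`, `$gateway`, the DNS/DHCP fields, `$notes` and `$location_id` are undefined when the INSERT/UPDATE strings are built, so the queries are sent with empty values (and a syntax error at `network_vlan = ,`); change both lines to `require_once 'post/network_model.php';`. These two handlers also keep only `validateTechRole();` with no `enforceUserPermission` call, unlike the logins and quotes handlers in the same commit — if networks are meant to be covered by the per-module permissions, they need the equivalent call, otherwise a comment saying why the role check alone is sufficient would avoid the question. Both enclosing if-blocks start before and end after their hunks.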

13
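--- /dev/null
+++ b/post/network_model.php
@@ -0,0 +1,13 @@
+<?php
+$name = sanitizeInput($_POST['name']);
+$description = sanitizeInput($_POST['description']);
+$vlan = intval($_POST['vlan']);
+$network = sanitizeInput($_POST['network']);
+$subnet = sanitizeInput($_POST['subnet']);
+$gateway = sanitizeInput($_POST['gateway']);
+$primary_dns = sanitizeInput($_POST['primary_dns']);
+$secondary_dns = sanitizeInput($_POST['secondary_dns']);
+$dhcp_range = sanitizeInput($_POST['dhcp_range']);
+$notes = sanitizeInput($_POST['notes']);
+$location_id = intval($_POST['location']);
+$client_id = intval($_POST['client_id']);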
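Review bot: The new model file has no header comment, unlike `post/login_model.php` in this same commit, which opens with a one-line description of what it provides; add `// Model of reusable variables for client networks - expects the network form fields in $_POST` after the `<?php` line. Every line reads its `$_POST` key directly, so a request missing a field raises an undefined-array-key warning before `intval`/`sanitizeInput` run; if the form can be submitted partially, fallbacks such as `$vlan = intval($_POST['vlan'] ?? 0);` keep the model quiet. The file is included by handlers that interpolate these variables straight into SQL strings, so it is worth noting in the header that the string fields are only as safe as `sanitizeInput` makes them and the integer fields rely on `intval`.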


@@ -6,6 +6,8 @@
if (isset($_POST['add_quote'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/quote_model.php';
$client = intval($_POST['client']);
@@ -35,6 +37,8 @@ if (isset($_POST['add_quote'])) {
if (isset($_POST['add_quote_copy'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$client_id = intval($_POST['client']);
$date = sanitizeInput($_POST['date']);
@@ -90,6 +94,8 @@ if (isset($_POST['add_quote_copy'])) {
if (isset($_POST['add_quote_to_invoice'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$date = sanitizeInput($_POST['date']);
$client_net_terms = intval($_POST['client_net_terms']);
@@ -147,6 +153,8 @@ if (isset($_POST['add_quote_to_invoice'])) {
if (isset($_POST['add_quote_item'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
@@ -196,6 +204,8 @@ if (isset($_POST['add_quote_item'])) {
if (isset($_POST['quote_note'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$note = sanitizeInput($_POST['note']);
@@ -209,6 +219,8 @@ if (isset($_POST['quote_note'])) {
if (isset($_POST['edit_quote'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/quote_model.php';
$quote_id = intval($_POST['quote_id']);
@@ -235,6 +247,9 @@ if (isset($_POST['edit_quote'])) {
}
if (isset($_GET['delete_quote'])) {
enforceUserPermission('module_sales', 3);
$quote_id = intval($_GET['delete_quote']);
mysqli_query($mysqli,"DELETE FROM quotes WHERE quote_id = $quote_id");
@@ -268,6 +283,9 @@ if (isset($_GET['delete_quote'])) {
}
if (isset($_GET['delete_quote_item'])) {
enforceUserPermission('module_sales', 2);
$item_id = intval($_GET['delete_quote_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
@@ -297,6 +315,8 @@ if (isset($_GET['delete_quote_item'])) {
if (isset($_GET['mark_quote_sent'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['mark_quote_sent']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Sent' WHERE quote_id = $quote_id");
@@ -314,6 +334,8 @@ if (isset($_GET['mark_quote_sent'])) {
if (isset($_GET['accept_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['accept_quote']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Accepted' WHERE quote_id = $quote_id");
@@ -331,6 +353,8 @@ if (isset($_GET['accept_quote'])) {
if (isset($_GET['decline_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['decline_quote']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Declined' WHERE quote_id = $quote_id");
@@ -348,6 +372,8 @@ if (isset($_GET['decline_quote'])) {
if (isset($_GET['email_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['email_quote']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes
@@ -422,6 +448,9 @@ if (isset($_GET['email_quote'])) {
}
if(isset($_POST['export_client_quotes_csv'])){
enforceUserPermission('module_sales');
$client_id = intval($_POST['client_id']);
//get records from database
@@ -464,6 +493,8 @@ if(isset($_POST['export_client_quotes_csv'])){
if (isset($_POST['update_quote_item_order'])) {
enforceUserPermission('module_sales', 2);
if ($_POST['update_quote_item_order'] == 'up') {
$item_id = intval($_POST['item_id']);
$item_quote_id = intval($_POST['item_quote_id']);
@@ -488,7 +519,6 @@ if (isset($_POST['update_quote_item_order'])) {
}
mysqli_query($mysqli,"UPDATE invoice_items SET item_order = $item_order WHERE item_quote_id = $item_quote_id AND item_order = $new_item_order");
mysqli_query($mysqli,"UPDATE invoice_items SET item_order = $new_item_order WHERE item_id = $item_id");
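Review bot: The numeric levels passed to `enforceUserPermission` (2 on every add/edit/status handler, 3 on `delete_quote`, none on `export_client_quotes_csv`) are not explained anywhere in this file, and `delete_quote_item` gets 2 rather than 3, so a reader cannot tell whether that asymmetry is deliberate. Add a comment at the first call in the add_quote hunk, e.g. `// module_sales levels: 2 = create/edit, 3 = delete; see enforceUserPermission`, worded to match the function's actual definition, and pass the export's level explicitly instead of relying on the default. The handlers that change state from `$_GET` (delete, accept, decline, mark sent, email) still run without `validateCSRFToken`, unlike the bulk POST handlers in client_logins.php; that predates this commit, but the new permission check does not cover it, so it is worth a follow-up. Each handler's if-block begins before and ends after its hunk.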