diff --git a/companies.php b/companies.php
index ee6b370f..f6bb7d5e 100644
--- a/companies.php
+++ b/companies.php
@@ -26,6 +26,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
+ +
diff --git a/post.php b/post.php index d87c2559..cb43dd71 100644 --- a/post.php +++ b/post.php @@ -25,7 +25,8 @@ if(isset($_GET['switch_company'])){ mysqli_query($mysqli,"UPDATE user_settings SET user_default_company = $company_id WHERE user_id = $session_user_id"); - $_SESSION['alert_message'] = "Switched Companies!"; + $_SESSION['alert_type'] = "error"; + $_SESSION['alert_message'] = "Switched Companies. Deprecated!"; //Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Company', log_action = 'Switch', log_description = '$session_name switched to company $company_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id"); @@ -43,6 +44,7 @@ if(isset($_GET['switch_company'])){ } if(isset($_POST['add_user'])){ + validateAdminRole(); // CSRF Check @@ -141,6 +143,7 @@ if(isset($_POST['add_user'])){ } if(isset($_POST['edit_user'])){ + validateAdminRole(); if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){ @@ -352,6 +355,7 @@ if(isset($_POST['edit_profile'])){ } if(isset($_POST['edit_user_companies'])){ + validateAdminRole(); $user_id = intval($_POST['user_id']); @@ -377,6 +381,7 @@ if(isset($_POST['edit_user_companies'])){ } if(isset($_GET['archive_user'])){ + validateAdminRole(); // CSRF Check @@ -406,6 +411,7 @@ if(isset($_GET['archive_user'])){ // API Key if(isset($_POST['add_api_key'])){ + validateAdminRole(); // CSRF Check @@ -430,6 +436,7 @@ if(isset($_POST['add_api_key'])){ } if(isset($_GET['delete_api_key'])){ + validateAdminRole(); // CSRF Check @@ -454,6 +461,7 @@ if(isset($_GET['delete_api_key'])){ } if(isset($_POST['add_company'])){ + validateAdminRole(); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); 
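Review bot: In the switch_company hunk the new `$_SESSION['alert_type'] = "error";` and the "Switched Companies. Deprecated!" message are set only after the `UPDATE user_settings` query on the context line above has already run, so the handler still switches the user's default company and writes the log entry while reporting the action as an error. If the feature is deprecated, set the alert and redirect before the query so the branch becomes a no-op; if it must keep working, the alert type should remain a success type and the wording should say the feature is going away rather than that it already is. Whether later code resets `alert_type` for the next request is not visible here, so a stale error type leaking into an unrelated page is possible but inferred. The block's opening `if` is the hunk header and its redirect lies below the hunk.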
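Review bot: In the edit_user hunk the added `validateAdminRole();` runs before the existing `if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id)` test, which only makes sense if non-admins are allowed into this handler to edit their own record; if validateAdminRole() ends the request for non-admins (its body is not in this diff), that test becomes dead code and users can no longer edit themselves. Either rely on the existing ownership check and drop the call, or guard only the cross-user case: `if(intval($_POST['user_id']) !== intval($session_user_id)){ validateAdminRole(); }`. Note that the context line compares a raw POST string with `!==` against `$session_user_id`, so the pre-existing self-edit check may never match depending on that variable's type; that is not new here but worth confirming before relying on it. The handler continues below the hunk.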
@@ -553,8 +561,8 @@ if(isset($_POST['add_company'])){ } if(isset($_POST['edit_company'])){ - validateAdminRole(); + validateAdminRole(); $company_id = intval($_POST['company_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address']))); @@ -651,6 +659,7 @@ if(isset($_GET['archive_company'])){ } if(isset($_GET['delete_company'])){ + validateAdminRole(); // CSRF Check @@ -777,6 +786,7 @@ if(isset($_POST['verify'])){ } if(isset($_POST['edit_mail_settings'])){ + validateAdminRole(); $config_smtp_host = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_smtp_host']))); @@ -828,6 +838,7 @@ if(isset($_POST['edit_mail_settings'])){ } if(isset($_POST['test_email_smtp'])){ + validateAdminRole(); $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])); @@ -850,6 +861,7 @@ if(isset($_POST['test_email_smtp'])){ } if(isset($_POST['test_email_imap'])){ + validateAdminRole(); // Prepare connection string with encryption (TLS/SSL/) @@ -870,6 +882,7 @@ if(isset($_POST['test_email_imap'])){ } if(isset($_POST['edit_invoice_settings'])){ + validateAdminRole(); $config_invoice_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_invoice_prefix']))); @@ -893,6 +906,7 @@ if(isset($_POST['edit_invoice_settings'])){ } if(isset($_POST['edit_quote_settings'])){ + validateAdminRole(); $config_quote_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_quote_prefix']))); @@ -913,6 +927,7 @@ if(isset($_POST['edit_quote_settings'])){ } if(isset($_POST['edit_ticket_settings'])){ + validateAdminRole(); $config_ticket_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_ticket_prefix']))); @@ -934,6 +949,7 @@ if(isset($_POST['edit_ticket_settings'])){ } if(isset($_POST['edit_default_settings'])){ + validateAdminRole(); $expense_account = intval($_POST['expense_account']); 
@@ -956,6 +972,7 @@ if(isset($_POST['edit_default_settings'])){ } if(isset($_POST['edit_alert_settings'])){ + validateAdminRole(); $config_enable_cron = intval($_POST['config_enable_cron']); @@ -975,6 +992,7 @@ if(isset($_POST['edit_alert_settings'])){ } if(isset($_POST['edit_online_payment_settings'])){ + validateAdminRole(); $config_stripe_enable = intval($_POST['config_stripe_enable']); @@ -992,6 +1010,7 @@ if(isset($_POST['edit_online_payment_settings'])){ } if(isset($_POST['edit_integrations_settings'])){ + validateAdminRole(); $azure_client_id = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['azure_client_id']))); @@ -1009,6 +1028,7 @@ if(isset($_POST['edit_integrations_settings'])){ } if(isset($_POST['edit_module_settings'])){ + validateAdminRole(); $config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc']); @@ -1055,6 +1075,7 @@ if(isset($_POST['disable_2fa'])){ } if(isset($_GET['download_database'])){ + validateAdminRole(); // Get All Table Names From the Database @@ -1134,6 +1155,7 @@ if(isset($_GET['download_database'])){ } if(isset($_POST['backup_master_key'])){ + validateAdminRole(); $password = $_POST['password']; @@ -1165,6 +1187,7 @@ if(isset($_POST['backup_master_key'])){ } if(isset($_GET['update'])){ + validateAdminRole(); exec("git pull"); @@ -1187,6 +1210,7 @@ if(isset($_GET['update'])){ } if(isset($_GET['update_db'])){ + validateAdminRole(); // Get the current version @@ -1204,6 +1228,7 @@ if(isset($_GET['update_db'])){ } if(isset($_POST['add_client'])){ + validateAdminRole(); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); @@ -1316,6 +1341,7 @@ if(isset($_POST['add_client'])){ } if(isset($_POST['edit_client'])){ + validateAdminRole(); $client_id = intval($_POST['client_id']); @@ -1348,6 +1374,7 @@ if(isset($_POST['edit_client'])){ } if(isset($_GET['archive_client'])){ + validateAdminRole(); $client_id = intval($_GET['archive_client']); 
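Review bot: The `update` handler now requires an admin but is still triggered by a bare `$_GET['update']` and immediately runs `exec("git pull")`, and unlike `archive_user`, `delete_company` and `delete_client` no `// CSRF Check` block is visible in its hunk, so a cross-site request from an admin's browser could pull and deploy new code. A code-updating action belongs in a POST behind the same token check the other handlers use, e.g. `if(isset($_POST['update'])){` with the CSRF block placed before the exec. `download_database` and `update_db` on this line are GET-triggered as well with no check visible in their hunks; each block continues outside the hunk, so a check further down is possible but should be confirmed.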
@@ -1369,7 +1396,6 @@ if(isset($_GET['archive_client'])){ } if(isset($_GET['undo_archive_client'])){ - validateAdminRole(); $client_id = intval($_GET['undo_archive_client']); @@ -1389,6 +1415,7 @@ if(isset($_GET['undo_archive_client'])){ } if(isset($_GET['delete_client'])){ + validateAdminRole(); // CSRF Check @@ -1806,7 +1833,6 @@ if(isset($_GET['export_client_vendors_csv'])){ // Products if(isset($_POST['add_product'])){ - validateAccountantRole(); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $description = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['description']))); @@ -1826,7 +1852,6 @@ if(isset($_POST['add_product'])){ } if(isset($_POST['edit_product'])){ - validateAccountantRole(); $product_id = intval($_POST['product_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); @@ -1850,8 +1875,6 @@ if(isset($_POST['edit_product'])){ } if(isset($_GET['delete_product'])){ - validateAccountantRole(); - $product_id = intval($_GET['delete_product']); //Get Product Name @@ -1935,7 +1958,6 @@ if(isset($_GET['delete_trip'])){ } if(isset($_POST['add_account'])){ - validateAccountantRole(); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $opening_balance = floatval($_POST['opening_balance']); @@ -1954,7 +1976,6 @@ if(isset($_POST['add_account'])){ } if(isset($_POST['edit_account'])){ - validateAccountantRole(); $account_id = intval($_POST['account_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); @@ -1972,8 +1993,6 @@ if(isset($_POST['edit_account'])){ } if(isset($_GET['archive_account'])){ - validateAccountantRole(); - $account_id = intval($_GET['archive_account']); mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id"); 
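Review bot: `validateAdminRole();` is deleted from `undo_archive_client` in this hunk while the neighbouring `archive_client` (the hunk just before) and `delete_client` (the hunk after) gain it, so as far as this diff shows any authenticated user of the company can now reverse an archive that only an admin could perform. If the asymmetry is intended it deserves a comment such as `// Intentionally not admin-only: any user may restore an archived client`; otherwise restore `validateAdminRole();` so archiving and un-archiving require the same role. Nothing else visible in the hunk checks `$session_user_role`; the rest of the block is outside the hunk.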
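Review bot: Starting with `add_product` in this hunk, `validateAccountantRole();` is removed from every financial mutation handler — edit/delete_product, add/edit/archive/delete_account, add/edit/archive/delete_tax, add/edit/delete_expense, export_expenses_csv, and the transfer, invoice, invoice item, quote, recurring, payment and revenue handlers including email_invoice and email_quote — across the hunks on this and the following lines, and no replacement check appears anywhere in the diff. As far as these hunks show that call was the only authorisation step on those branches (only the `company_id = $session_company_id` scoping on the queries remains), so after this commit any logged-in user of the company could create or delete invoices, record payments, delete accounts and send invoice emails. If the role check has moved to a shared include or to a single guard at the top of the accounting section, that change is not in this diff and should ship with it; otherwise the calls should stay. Either way the commit description should state the intended authorisation model for accountant-level actions.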
@@ -1988,8 +2007,6 @@ if(isset($_GET['archive_account'])){ } if(isset($_GET['delete_account'])){ - validateAccountantRole(); - $account_id = intval($_GET['delete_account']); mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id AND company_id = $session_company_id"); @@ -2126,7 +2143,6 @@ if(isset($_GET['delete_tag'])){ //Tax if(isset($_POST['add_tax'])){ - validateAccountantRole(); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $percent = floatval($_POST['percent']); @@ -2143,7 +2159,6 @@ if(isset($_POST['add_tax'])){ } if(isset($_POST['edit_tax'])){ - validateAccountantRole(); $tax_id = intval($_POST['tax_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); @@ -2161,8 +2176,6 @@ if(isset($_POST['edit_tax'])){ } if(isset($_GET['archive_tax'])){ - validateAccountantRole(); - $tax_id = intval($_GET['archive_tax']); mysqli_query($mysqli,"UPDATE taxes SET tax_archived_at = NOW() WHERE tax_id = $tax_id"); @@ -2177,8 +2190,6 @@ if(isset($_GET['archive_tax'])){ } if(isset($_GET['delete_tax'])){ - validateAccountantRole(); - $tax_id = intval($_GET['delete_tax']); mysqli_query($mysqli,"DELETE FROM taxes WHERE tax_id = $tax_id AND company_id = $session_company_id"); @@ -2234,7 +2245,6 @@ if(isset($_GET['dismiss_all_notifications'])){ } if(isset($_POST['add_expense'])){ - validateAccountantRole(); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); $amount = floatval($_POST['amount']); @@ -2300,7 +2310,6 @@ if(isset($_POST['add_expense'])){ } if(isset($_POST['edit_expense'])){ - validateAccountantRole(); $expense_id = intval($_POST['expense_id']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); 
@@ -2369,8 +2378,6 @@ if(isset($_POST['edit_expense'])){ } if(isset($_GET['delete_expense'])){ - validateAccountantRole(); - $expense_id = intval($_GET['delete_expense']); $sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id AND company_id = $session_company_id"); @@ -2391,8 +2398,6 @@ if(isset($_GET['delete_expense'])){ } if(isset($_POST['export_expenses_csv'])){ - validateAccountantRole(); - $date_from = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date_from']))); $date_to = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date_to']))); if(!empty($date_from) && !empty($date_to)){ @@ -2449,7 +2454,6 @@ if(isset($_POST['export_expenses_csv'])){ } if(isset($_POST['add_transfer'])){ - validateAccountantRole(); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); $amount = floatval($_POST['amount']); @@ -2475,7 +2479,6 @@ if(isset($_POST['add_transfer'])){ } if(isset($_POST['edit_transfer'])){ - validateAccountantRole(); $transfer_id = intval($_POST['transfer_id']); $expense_id = intval($_POST['expense_id']); @@ -2502,8 +2505,6 @@ if(isset($_POST['edit_transfer'])){ } if(isset($_GET['delete_transfer'])){ - validateAccountantRole(); - $transfer_id = intval($_GET['delete_transfer']); //Query the transfer ID to get the Payment and Expense IDs so we can delete those as well @@ -2528,8 +2529,6 @@ if(isset($_GET['delete_transfer'])){ } if(isset($_POST['add_invoice'])){ - validateAccountantRole(); - $client = intval($_POST['client']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); $category = intval($_POST['category']); @@ -2562,7 +2561,6 @@ if(isset($_POST['add_invoice'])){ } if(isset($_POST['edit_invoice'])){ - validateAccountantRole(); $invoice_id = intval($_POST['invoice_id']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); 
@@ -2582,7 +2580,6 @@ if(isset($_POST['edit_invoice'])){ } if(isset($_POST['add_invoice_copy'])){ - validateAccountantRole(); $invoice_id = intval($_POST['invoice_id']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); @@ -2639,7 +2636,6 @@ if(isset($_POST['add_invoice_copy'])){ } if(isset($_POST['add_invoice_recurring'])){ - validateAccountantRole(); $invoice_id = intval($_POST['invoice_id']); $recurring_frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency']))); @@ -2690,7 +2686,6 @@ if(isset($_POST['add_invoice_recurring'])){ } if(isset($_POST['add_quote'])){ - validateAccountantRole(); $client = intval($_POST['client']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); @@ -2722,7 +2717,6 @@ if(isset($_POST['add_quote'])){ } if(isset($_POST['add_quote_copy'])){ - validateAccountantRole(); $quote_id = intval($_POST['quote_id']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); @@ -2775,7 +2769,6 @@ if(isset($_POST['add_quote_copy'])){ } if(isset($_POST['add_quote_to_invoice'])){ - validateAccountantRole(); $quote_id = intval($_POST['quote_id']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); @@ -2831,7 +2824,6 @@ if(isset($_POST['add_quote_to_invoice'])){ } if(isset($_POST['add_quote_item'])){ - validateAccountantRole(); $quote_id = intval($_POST['quote_id']); @@ -2872,7 +2864,6 @@ if(isset($_POST['add_quote_item'])){ } if(isset($_POST['quote_note'])){ - validateAccountantRole(); $quote_id = intval($_POST['quote_id']); $note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note']))); @@ -2886,7 +2877,6 @@ if(isset($_POST['quote_note'])){ } if(isset($_POST['edit_quote'])){ - validateAccountantRole(); $quote_id = intval($_POST['quote_id']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); 
@@ -2905,8 +2895,6 @@ if(isset($_POST['edit_quote'])){ } if(isset($_GET['delete_quote'])){ - validateAccountantRole(); - $quote_id = intval($_GET['delete_quote']); mysqli_query($mysqli,"DELETE FROM quotes WHERE quote_id = $quote_id AND company_id = $session_company_id"); @@ -2935,8 +2923,6 @@ if(isset($_GET['delete_quote'])){ } if(isset($_GET['delete_quote_item'])){ - validateAccountantRole(); - $item_id = intval($_GET['delete_quote_item']); $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id"); @@ -2965,7 +2951,6 @@ if(isset($_GET['delete_quote_item'])){ } if(isset($_GET['mark_quote_sent'])){ - validateAccountantRole(); $quote_id = intval($_GET['mark_quote_sent']); @@ -2983,7 +2968,6 @@ if(isset($_GET['mark_quote_sent'])){ } if(isset($_GET['accept_quote'])){ - validateAccountantRole(); $quote_id = intval($_GET['accept_quote']); @@ -3001,7 +2985,6 @@ if(isset($_GET['accept_quote'])){ } if(isset($_GET['decline_quote'])){ - validateAccountantRole(); $quote_id = intval($_GET['decline_quote']); @@ -3019,8 +3002,6 @@ if(isset($_GET['decline_quote'])){ } if(isset($_GET['email_quote'])){ - validateAccountantRole(); - $quote_id = intval($_GET['email_quote']); $sql = mysqli_query($mysqli,"SELECT * FROM quotes @@ -3093,7 +3074,6 @@ if(isset($_GET['email_quote'])){ } if(isset($_POST['add_recurring'])){ - validateAccountantRole(); $client = intval($_POST['client']); $frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency']))); @@ -3123,7 +3103,6 @@ if(isset($_POST['add_recurring'])){ } if(isset($_POST['edit_recurring'])){ - validateAccountantRole(); $recurring_id = intval($_POST['recurring_id']); $frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency']))); 
@@ -3145,7 +3124,6 @@ if(isset($_POST['edit_recurring'])){ } if(isset($_POST['edit_recurring_next_date'])){ - validateAccountantRole(); $recurring_id = intval($_POST['recurring_id']); $next_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['next_date']))); @@ -3164,8 +3142,6 @@ if(isset($_POST['edit_recurring_next_date'])){ } if(isset($_GET['delete_recurring'])){ - validateAccountantRole(); - $recurring_id = intval($_GET['delete_recurring']); mysqli_query($mysqli,"DELETE FROM recurring WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); @@ -3194,7 +3170,6 @@ if(isset($_GET['delete_recurring'])){ } if(isset($_POST['add_recurring_item'])){ - validateAccountantRole(); $recurring_id = intval($_POST['recurring_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); @@ -3234,7 +3209,6 @@ if(isset($_POST['add_recurring_item'])){ } if(isset($_POST['recurring_note'])){ - validateAccountantRole(); $recurring_id = intval($_POST['recurring_id']); $note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note']))); @@ -3248,8 +3222,6 @@ if(isset($_POST['recurring_note'])){ } if(isset($_GET['delete_recurring_item'])){ - validateAccountantRole(); - $item_id = intval($_GET['delete_recurring_item']); $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id"); @@ -3278,7 +3250,6 @@ if(isset($_GET['delete_recurring_item'])){ } if(isset($_GET['mark_invoice_sent'])){ - validateAccountantRole(); $invoice_id = intval($_GET['mark_invoice_sent']); @@ -3296,7 +3267,6 @@ if(isset($_GET['mark_invoice_sent'])){ } if(isset($_GET['cancel_invoice'])){ - validateAccountantRole(); $invoice_id = intval($_GET['cancel_invoice']); 
@@ -3314,8 +3284,6 @@ if(isset($_GET['cancel_invoice'])){ } if(isset($_GET['delete_invoice'])){ - validateAccountantRole(); - $invoice_id = intval($_GET['delete_invoice']); mysqli_query($mysqli,"DELETE FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id"); @@ -3351,7 +3319,6 @@ if(isset($_GET['delete_invoice'])){ } if(isset($_POST['add_invoice_item'])){ - validateAccountantRole(); $invoice_id = intval($_POST['invoice_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); @@ -3392,7 +3359,6 @@ if(isset($_POST['add_invoice_item'])){ } if(isset($_POST['invoice_note'])){ - validateAccountantRole(); $invoice_id = intval($_POST['invoice_id']); $note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note']))); @@ -3406,7 +3372,6 @@ if(isset($_POST['invoice_note'])){ } if(isset($_POST['edit_item'])){ - validateAccountantRole(); $invoice_id = intval($_POST['invoice_id']); $quote_id = intval($_POST['quote_id']); @@ -3467,8 +3432,6 @@ if(isset($_POST['edit_item'])){ } if(isset($_GET['delete_invoice_item'])){ - validateAccountantRole(); - $item_id = intval($_GET['delete_invoice_item']); $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id"); @@ -3497,7 +3460,6 @@ if(isset($_GET['delete_invoice_item'])){ } if(isset($_POST['add_payment'])){ - validateAccountantRole(); $invoice_id = intval($_POST['invoice_id']); $balance = floatval($_POST['balance']); @@ -3636,8 +3598,6 @@ if(isset($_POST['add_payment'])){ } if(isset($_GET['delete_payment'])){ - validateAccountantRole(); - $payment_id = intval($_GET['delete_payment']); $sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id AND company_id = $session_company_id"); 
@@ -3683,8 +3643,6 @@ if(isset($_GET['delete_payment'])){ } if(isset($_GET['email_invoice'])){ - validateAccountantRole(); - $invoice_id = intval($_GET['email_invoice']); $sql = mysqli_query($mysqli,"SELECT * FROM invoices @@ -3775,7 +3733,6 @@ if(isset($_GET['email_invoice'])){ } if(isset($_POST['add_revenue'])){ - validateAccountantRole(); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); $amount = floatval($_POST['amount']); @@ -3798,7 +3755,6 @@ if(isset($_POST['add_revenue'])){ } if(isset($_POST['edit_revenue'])){ - validateAccountantRole(); $revenue_id = intval($_POST['revenue_id']); $date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date']))); @@ -3822,8 +3778,6 @@ if(isset($_POST['edit_revenue'])){ } if(isset($_GET['delete_revenue'])){ - validateAccountantRole(); - $revenue_id = intval($_GET['delete_revenue']); mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id AND company_id = $session_company_id"); diff --git a/side_nav.php b/side_nav.php index 76f0b51d..1da310d5 100644 --- a/side_nav.php +++ b/side_nav.php @@ -98,8 +98,6 @@ - - - + + + +