AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

payments: enforceClientAccess

Browse Source
This commit is contained in:
johnnyq
2026-03-06 18:20:58 -05:00
parent 6f0a2a5a73
commit 6e3a36d8c4
1 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
agent/post/payment.php
View File

@@ -23,6 +23,10 @@ if (isset($_POST['add_payment'])) {
$reference = sanitizeInput($_POST['reference']);
$email_receipt = intval($_POST['email_receipt']);
$client_id = intval(getFieldById('invoices', $invoice_id, 'invoice_client_id'));
enforceClientAccess();
//Check to see if amount entered is greater than the balance of the invoice
if ($amount > $balance) {
flash_alert("Payment can not be more than the balance", 'error');
@@ -51,7 +55,6 @@ if (isset($_POST['add_payment'])) {
$invoice_number = intval($row['invoice_number']);
$invoice_url_key = sanitizeInput($row['invoice_url_key']);
$invoice_currency_code = sanitizeInput($row['invoice_currency_code']);
$client_id = intval($row['client_id']);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
@@ -187,6 +190,10 @@ if (isset($_POST['edit_payment'])) {
$payment_method = sanitizeInput($_POST['payment_method']);
$reference = sanitizeInput($_POST['reference']);
$client_id = intval(getFieldById('payments', $payment_id, 'payment_client_id'));
enforceClientAccess();
mysqli_query($mysqli,"UPDATE payments SET payment_date = '$date', payment_amount = $amount, payment_account_id = $account, payment_method = '$payment_method', payment_reference = '$reference' WHERE payment_id = $payment_id");
logAction("Payment", "Edit", "Payment edited amount of " . numfmt_format_currency($currency_format, $amount, $session_company_currency));
@@ -220,6 +227,8 @@ if (isset($_POST['apply_credit'])) {
$invoice_amount = floatval('invoice_amount');
$client_id = intval($row['invoice_client_id']);
enforceClientAccess();
// Get Credit Balance
$sql_credit_balance = mysqli_query($mysqli, "SELECT SUM(credit_amount) AS credit_balance FROM credits WHERE credit_client_id = $client_id");
$row = mysqli_fetch_assoc($sql_credit_balance);
@@ -340,6 +349,8 @@ if (isset($_POST['add_payment_stripe'])) {
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
$contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile'], $row['contact_mobile_country_code']));
enforceClientAccess();
// Get ITFlow company details
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_assoc($sql);
@@ -707,6 +718,8 @@ if (isset($_POST['add_bulk_payment'])) {
$reference = sanitizeInput($_POST['reference']);
$email_receipt = intval($_POST['email_receipt']);
enforceClientAccess();
// Check if bulk_payment_amount exceeds total_account_balance
if ($bulk_payment_amount > $total_account_balance) {
flash_alert("Payment exceeds Client Balance.", 'error');
@@ -836,6 +849,9 @@ if (isset($_GET['delete_payment'])) {
$row = mysqli_fetch_assoc($sql);
$invoice_id = intval($row['payment_invoice_id']);
$deleted_payment_amount = floatval($row['payment_amount']);
$client_id = intval($row['payment_client_id']);
enforceClientAccess();
//Add up all the payments for the invoice and get the total amount paid to the invoice
$sql_total_payments_amount = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments_amount FROM payments WHERE payment_invoice_id = $invoice_id");
@@ -847,7 +863,6 @@ if (isset($_GET['delete_payment'])) {
$row = mysqli_fetch_assoc($sql);
$invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']);
$client_id = intval($row['invoice_client_id']);
$invoice_amount = floatval($row['invoice_amount']);
//Calculate the Invoice balance
@@ -890,13 +905,14 @@ if (isset($_POST['export_payments_csv'])) {
$client_query = "AND invoice_client_id = $client_id";
$client_name = getFieldById('clients', $client_id, 'client_name');
$file_name_prepend = "$client_name-";
enforceClientAccess();
} else {
$client_query = '';
$client_query = '1=1';
$client_name = '';
$file_name_prepend = "$session_company_name-";
}
$sql = mysqli_query($mysqli,"SELECT * FROM payments, invoices WHERE payment_invoice_id = invoice_id $client_query ORDER BY payment_date ASC");
$sql = mysqli_query($mysqli,"SELECT * FROM payments LEFT JOIN invoices ON invoice_id = payment_invoice_id LEFT JOIN clients ON client_id = invoice_client_id WHERE $client_query $access_permission_query ORDER BY payment_date ASC");
$num_rows = mysqli_num_rows($sql);