AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Locations and tickets enforceClientAccess in POST fix a few missing client_id vars which were bale to be used for logging too

Browse Source
This commit is contained in:
johnnyq
2026-03-06 14:09:51 -05:00
parent 8fc3dfed1f
commit 71b19e125e
3 changed files with 212 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
agent/post/contact.php
View File

@@ -1277,7 +1277,7 @@ if (isset($_POST['export_contacts_csv'])) {
}
//Contacts
$sql = mysqli_query($mysqli,"SELECT * FROM contacts LEFT JOIN locations ON location_id = contact_location_id LEFT JOIN clients ON client_id = contact_client_id WHERE contact_archived_at IS NULL $client_query $access_permission_query ORDER BY contact_name ASC");
$sql = mysqli_query($mysqli,"SELECT * FROM contacts LEFT JOIN locations ON location_id = contact_location_id LEFT JOIN clients ON client_id = contact_client_id WHERE contact_archived_at IS NULL AND client_archived_at IS NULL $client_query $access_permission_query ORDER BY contact_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {

26
agent/post/location.php
View File

@@ -14,6 +14,8 @@ if(isset($_POST['add_location'])){
require_once 'location_model.php';
enforceClientAccess();
if(!file_exists("../uploads/clients/$client_id")) {
mkdir("../uploads/clients/$client_id");
}
@@ -71,9 +73,12 @@ if(isset($_POST['edit_location'])){
$location_id = intval($_POST['location_id']);
// Get old location photo
$sql = mysqli_query($mysqli,"SELECT location_photo FROM locations WHERE location_id = $location_id");
$sql = mysqli_query($mysqli,"SELECT location_photo, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_assoc($sql);
$existing_file_name = sanitizeInput($row['location_photo']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
if(!file_exists("../uploads/clients/$client_id")) {
mkdir("../uploads/clients/$client_id");
@@ -138,6 +143,8 @@ if(isset($_GET['archive_location'])){
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
logAction("Location", "Archive", "$session_name archived location $location_name", $client_id, $location_id);
@@ -162,6 +169,8 @@ if(isset($_GET['restore_location'])){
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
@@ -186,6 +195,8 @@ if(isset($_GET['delete_location'])){
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM locations WHERE location_id = $location_id");
logAction("Location", "Delete", "$session_name deleted location $location_name", $client_id);
@@ -217,6 +228,8 @@ if (isset($_POST['bulk_assign_location_tags'])) {
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM location_tags WHERE location_id = $location_id");
@@ -270,6 +283,8 @@ if (isset($_POST['bulk_archive_locations'])) {
$location_primary = intval($row['location_primary']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
if($location_primary == 0) {
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
@@ -313,6 +328,8 @@ if (isset($_POST['bulk_restore_locations'])) {
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
@@ -351,6 +368,8 @@ if (isset($_POST['bulk_delete_locations'])) {
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli, "DELETE FROM locations WHERE location_id = $location_id AND location_client_id = $client_id");
logAction("Location", "Delete", "$session_name deleted location $location_name", $client_id);
@@ -385,7 +404,7 @@ if(isset($_POST['export_locations_csv'])){
}
//Locations
$sql = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_archived_at IS NULL $client_query ORDER BY location_name ASC");
$sql = mysqli_query($mysqli,"SELECT * FROM locations LEFT JOIN clients ON client_id = location_client_id WHERE location_archived_at IS NULL AND client_archived_at IS NULL $client_query $access_permission_query ORDER BY location_name ASC");
$num_rows = mysqli_num_rows($sql);
@@ -432,6 +451,9 @@ if (isset($_POST["import_locations_csv"])) {
enforceUserPermission('module_client', 2);
$client_id = intval($_POST['client_id']);
enforceClientAccess();
$error = false;
if (!empty($_FILES["file"]["tmp_name"])) {

196
agent/post/ticket.php
View File

@@ -45,6 +45,8 @@ if (isset($_POST['add_ticket'])) {
}
}
enforceClientAccess();
// Add the primary contact as the ticket contact if "Use primary contact" is checked
if ($use_primary_contact == 1) {
$sql = mysqli_query($mysqli, "SELECT contact_id FROM contacts WHERE contact_client_id = $client_id AND contact_primary = 1");
@@ -227,6 +229,13 @@ if (isset($_POST['edit_ticket'])) {
}
}
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE tickets SET ticket_category = $category_id, ticket_subject = '$ticket_subject', ticket_priority = '$ticket_priority', ticket_billable = $billable, ticket_details = '$details', ticket_due_at = $due, ticket_vendor_ticket_number = '$vendor_ticket_number', ticket_contact_id = $contact_id, ticket_assigned_to = $assigned_to, ticket_vendor_id = $vendor_id, ticket_location_id = $location_id, ticket_asset_id = $asset_id, ticket_project_id = $project_id WHERE ticket_id = $ticket_id");
// Add Additional Assets
@@ -329,6 +338,11 @@ if (isset($_POST['edit_ticket_priority'])) {
$ticket_status = sanitizeInput($row['ticket_status_name']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE tickets SET ticket_priority = '$priority' WHERE ticket_id = $ticket_id");
// Update Ticket History
@@ -376,6 +390,11 @@ if (isset($_POST['edit_ticket_contact'])) {
$url_key = sanitizeInput($row['ticket_url_key']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Update the contact
mysqli_query($mysqli, "UPDATE tickets SET ticket_contact_id = $contact_id WHERE ticket_id = $ticket_id");
@@ -444,6 +463,11 @@ if (isset($_POST['edit_ticket_project'])) {
$ticket_prefix = sanitizeInput(getFieldById('tickets', $ticket_id, 'ticket_prefix'));
$ticket_number = sanitizeInput(getFieldById('tickets', $ticket_id, 'ticket_number'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE tickets SET ticket_project_id = $project_id WHERE ticket_id = $ticket_id");
logAction("Ticket", "Edit", "$session_name set ticket $ticket_prefix$ticket_number project to $project_name", $client_id, $ticket_id);
@@ -485,6 +509,11 @@ if (isset($_POST['add_ticket_watcher'])) {
$ticket_created_by = intval($row['ticket_created_by']);
$ticket_assigned_to = intval($row['ticket_assigned_to']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Get Company Phone Number
$sql = mysqli_query($mysqli, "SELECT company_name, company_phone, company_phone_country_code FROM companies WHERE company_id = 1");
$row = mysqli_fetch_assoc($sql);
@@ -557,6 +586,11 @@ if (isset($_GET['delete_ticket_watcher'])) {
$client_id = intval($row['ticket_client_id']);
$ticket_id = intval($row['ticket_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "DELETE FROM ticket_watchers WHERE watcher_id = $watcher_id");
// History
@@ -593,6 +627,11 @@ if (isset($_GET['delete_ticket_additional_asset'])) {
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "DELETE FROM ticket_assets WHERE ticket_id = $ticket_id AND asset_id = $asset_id");
// History
@@ -615,6 +654,13 @@ if (isset($_POST['edit_ticket_asset'])) {
$ticket_id = intval($_POST['ticket_id']);
$asset_id = intval($_POST['asset']);
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE tickets SET ticket_asset_id = $asset_id WHERE ticket_id = $ticket_id");
// Add Additional Assets
@@ -661,6 +707,13 @@ if (isset($_POST['edit_ticket_vendor'])) {
$ticket_id = intval($_POST['ticket_id']);
$vendor_id = intval($_POST['vendor']);
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE tickets SET ticket_vendor_id = $vendor_id WHERE ticket_id = $ticket_id");
// Get ticket / vendor details for logging
@@ -730,6 +783,11 @@ if (isset($_POST['assign_ticket'])) {
$client_id = intval($ticket_details['ticket_client_id']);
$client_name = sanitizeInput($ticket_details['client_name']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
if (!$ticket_subject) {
flash_alert("Invalid ticket!", 'error');
redirect();
@@ -748,7 +806,6 @@ if (isset($_POST['assign_ticket'])) {
logAction("Ticket", "Edit", "$session_name reassigned $ticket_prefix$ticket_number to $agent_name", $client_id, $ticket_id);
// Notification
if ($session_user_id != $assigned_to && $assigned_to != 0) {
@@ -808,6 +865,11 @@ if (isset($_GET['delete_ticket'])) {
$ticket_closed_at = sanitizeInput($row['ticket_closed_at']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
if (empty($ticket_closed_at)) {
mysqli_query($mysqli, "DELETE FROM tickets WHERE ticket_id = $ticket_id");
@@ -851,6 +913,14 @@ if (isset($_POST['bulk_delete_tickets'])) {
foreach ($_POST['ticket_ids'] as $ticket_id) {
$ticket_id = intval($ticket_id);
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "DELETE FROM tickets WHERE ticket_id = $ticket_id");
// Delete all ticket replies
@@ -908,6 +978,11 @@ if (isset($_POST['bulk_assign_ticket'])) {
$ticket_subject = sanitizeInput($row['ticket_subject']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
if ($ticket_status == 1 && $assigned_to !== 0) {
$ticket_status = 2;
}
@@ -1010,6 +1085,11 @@ if (isset($_POST['bulk_edit_ticket_priority'])) {
$original_ticket_priority = sanitizeInput($row['ticket_priority']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Update ticket & insert reply
mysqli_query($mysqli, "UPDATE tickets SET ticket_priority = '$priority' WHERE ticket_id = $ticket_id");
@@ -1056,6 +1136,11 @@ if (isset($_POST['bulk_edit_ticket_category'])) {
$previous_ticket_category_name = sanitizeInput($row['category_name']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Get Category Name
$category_name = sanitizeInput(getFieldById('categories', $category_id, 'category_name'));
@@ -1117,6 +1202,11 @@ if (isset($_POST['bulk_merge_tickets'])) {
$ticket_first_response_at = sanitizeInput($row['ticket_first_response_at']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Update current ticket
if (empty($ticket_first_response_at)) {
mysqli_query($mysqli, "UPDATE tickets SET ticket_first_response_at = NOW() WHERE ticket_id = $ticket_id");
@@ -1190,6 +1280,11 @@ if (isset($_POST['bulk_resolve_tickets'])) {
$ticket_first_response_at = sanitizeInput($row['ticket_first_response_at']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Mark FR time if required
if (empty($ticket_first_response_at)) {
mysqli_query($mysqli, "UPDATE tickets SET ticket_first_response_at = NOW() WHERE ticket_id = $ticket_id");
@@ -1321,6 +1416,11 @@ if (isset($_POST['bulk_ticket_reply'])) {
$ticket_first_response_at = sanitizeInput($row['ticket_first_response_at']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
if ($client_id) {
$client_uri = "&client_id=$client_id";
} else {
@@ -1482,6 +1582,11 @@ if (isset($_POST['bulk_add_ticket_project'])) {
$current_ticket_priority = sanitizeInput($row['ticket_priority']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Update ticket & insert reply
mysqli_query($mysqli, "UPDATE tickets SET ticket_project_id = $project_id WHERE ticket_id = $ticket_id");
@@ -1550,6 +1655,11 @@ if (isset($_POST['bulk_add_asset_ticket'])) {
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
$subject_asset_prepended = "$asset_name - $subject";
// Atomically increment and get the new ticket number
@@ -1624,6 +1734,11 @@ if (isset($_POST['add_ticket_reply'])) {
$ticket_status = intval($_POST['status']);
$client_id = intval($_POST['client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Time tracking, inputs & combine into string
$hours = intval($_POST['hours']);
$minutes = intval($_POST['minutes']);
@@ -1805,6 +1920,11 @@ if (isset($_POST['edit_ticket_reply'])) {
$client_id = intval($_POST['client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE ticket_replies SET ticket_reply = '$ticket_reply', ticket_reply_type = '$ticket_reply_type', ticket_reply_time_worked = '$ticket_reply_time_worked' WHERE ticket_reply_id = $ticket_reply_id AND ticket_reply_type != 'Client'") or die(mysqli_error($mysqli));
logAction("Ticket", "Reply", "$session_name edited ticket_reply", $client_id, $ticket_reply_id);
@@ -1826,6 +1946,11 @@ if (isset($_POST['redact_ticket_reply'])) {
$client_id = intval($_POST['client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE ticket_replies SET ticket_reply = '$ticket_reply' WHERE ticket_reply_id = $ticket_reply_id");
logAction("Ticket", "Reply", "$session_name redacted ticket_reply", $client_id, $ticket_reply_id);
@@ -1844,9 +1969,17 @@ if (isset($_GET['archive_ticket_reply'])) {
$ticket_reply_id = intval($_GET['archive_ticket_reply']);
$ticket_id = intval(getFieldById('ticket_replies', $ticket_reply_id, 'ticket_reply_ticket_id'));
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE ticket_replies SET ticket_reply_archived_at = NOW() WHERE ticket_reply_id = $ticket_reply_id");
logAction("Ticket Reply", "Archive", "$session_name archived ticket_reply", 0, $ticket_reply_id);
logAction("Ticket Reply", "Archive", "$session_name archived ticket_reply", $client_id, $ticket_reply_id);
flash_alert("Ticket reply archived", 'error');
@@ -1889,6 +2022,10 @@ if (isset($_POST['merge_ticket'])) {
}
$merge_row = mysqli_fetch_assoc($sql);
$client_id = intval($merge_row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
$merge_into_ticket_number = intval($merge_row['ticket_number']);
if ($client_id) {
$has_client = "&client_id=$client_id";
@@ -1940,6 +2077,11 @@ if (isset($_POST['change_client_ticket'])) {
$client_id = intval($_POST['new_client_id']);
$contact_id = intval($_POST['new_contact_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Set any/all existing replies to internal
mysqli_query($mysqli, "UPDATE ticket_replies SET ticket_reply_type = 'Internal' WHERE ticket_reply_ticket_id = $ticket_id");
@@ -1969,6 +2111,12 @@ if (isset($_GET['resolve_ticket'])) {
$ticket_prefix = sanitizeInput($row['ticket_prefix']);
$ticket_number = intval($row['ticket_number']);
$ticket_first_response_at = sanitizeInput($row['ticket_first_response_at']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Mark FR
if (empty($ticket_first_response_at)) {
@@ -1978,7 +2126,7 @@ if (isset($_GET['resolve_ticket'])) {
// Resolve
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 4, ticket_resolved_at = NOW() WHERE ticket_id = $ticket_id");
logAction("Ticket", "Resolved", "$session_name resolved ticket $ticket_prefix$ticket_number (ID: $ticket_id)", 0, $ticket_id);
logAction("Ticket", "Resolved", "$session_name resolved ticket $ticket_prefix$ticket_number (ID: $ticket_id)", $client_id, $ticket_id);
customAction('ticket_resolve', $ticket_id);
@@ -1986,7 +2134,7 @@ if (isset($_GET['resolve_ticket'])) {
if ((!empty($config_smtp_host) || !empty($config_smtp_provider)) && $config_ticket_client_general_notifications == 1) {
// Get details
$ticket_sql = mysqli_query($mysqli, "SELECT contact_name, contact_email, ticket_prefix, ticket_number, ticket_subject, ticket_status_name, ticket_assigned_to, ticket_url_key, ticket_client_id FROM tickets
$ticket_sql = mysqli_query($mysqli, "SELECT contact_name, contact_email, ticket_prefix, ticket_number, ticket_subject, ticket_status_name, ticket_assigned_to, ticket_url_key FROM tickets
LEFT JOIN clients ON ticket_client_id = client_id
LEFT JOIN contacts ON ticket_contact_id = contact_id
LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id
@@ -1999,7 +2147,6 @@ if (isset($_GET['resolve_ticket'])) {
$ticket_prefix = sanitizeInput($row['ticket_prefix']);
$ticket_number = intval($row['ticket_number']);
$ticket_subject = sanitizeInput($row['ticket_subject']);
$client_id = intval($row['ticket_client_id']);
$ticket_assigned_to = intval($row['ticket_assigned_to']);
$ticket_status = sanitizeInput($row['ticket_status_name']);
$url_key = sanitizeInput($row['ticket_url_key']);
@@ -2070,12 +2217,18 @@ if (isset($_GET['close_ticket'])) {
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['close_ticket']);
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 5, ticket_closed_at = NOW(), ticket_closed_by = $session_user_id WHERE ticket_id = $ticket_id") or die(mysqli_error($mysqli));
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed.', ticket_reply_type = 'Internal', ticket_reply_time_worked = '00:01:00', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
logAction("Ticket", "Closed", "$session_name closed ticket ID $ticket_id", 0, $ticket_id);
logAction("Ticket", "Closed", "$session_name closed ticket ID $ticket_id", $client_id, $ticket_id);
customAction('ticket_close', $ticket_id);
@@ -2164,9 +2317,16 @@ if (isset($_GET['reopen_ticket'])) {
$ticket_id = intval($_GET['reopen_ticket']);
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 2, ticket_resolved_at = NULL WHERE ticket_id = $ticket_id");
logAction("Ticket", "Reopened", "$session_name reopened ticket ID $ticket_id", 0, $ticket_id);
logAction("Ticket", "Reopened", "$session_name reopened ticket ID $ticket_id", $client_id, $ticket_id);
customAction('ticket_update', $ticket_id);
@@ -2222,6 +2382,8 @@ if (isset($_POST['add_invoice_from_ticket'])) {
$location_name = sanitizeInput($row['location_name']);
enforceClientAccess();
if ($invoice_id == 0) {
$invoice_prefix = sanitizeInput($config_invoice_prefix);
@@ -2332,6 +2494,8 @@ if (isset($_POST['add_quote_from_ticket'])) {
$ticket_number = intval($row['ticket_number']);
$client_id = intval($row['ticket_client_id']);
enforceClientAccess();
// Atomically increment and get the new quote number
mysqli_query($mysqli, "
UPDATE settings
@@ -2445,6 +2609,11 @@ if (isset($_POST['edit_ticket_billable_status'])) {
$ticket_number = intval($row['ticket_number']);
$client_id = intval($row['ticket_client_id']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli,"UPDATE tickets SET ticket_billable = $billable_status WHERE ticket_id = $ticket_id");
logAction("Ticket", "Edit", "$session_name marked ticket $ticket_prefix$ticket_number as $billable_wording Billable", $client_id, $ticket_id);
@@ -2468,12 +2637,17 @@ if (isset($_POST['edit_ticket_schedule'])) {
$full_ticket_url = "https://$config_base_url/client/ticket.php?id=$ticket_id";
$ticket_link_html = "<a href=\"$full_ticket_url\">$ticket_link</a>";
$client_id = intval(getFieldById('tickets', $ticket_id, 'ticket_client_id'));
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli,"UPDATE tickets
SET ticket_schedule = '$schedule', ticket_onsite = $onsite
WHERE ticket_id = $ticket_id"
);
// Check for other conflicting scheduled items based on 2 hr window
//TODO make this configurable
$start = date('Y-m-d H:i:s', strtotime($schedule) - 7200);
@@ -2495,7 +2669,6 @@ if (isset($_POST['edit_ticket_schedule'])) {
$row = mysqli_fetch_assoc($sql);
$client_id = intval($row['ticket_client_id']);
$client_name = sanitizeInput($row['client_name']);
$ticket_details = sanitizeInput($row['ticket_details']);
$contact_name = sanitizeInput($row['contact_name']);
@@ -2647,6 +2820,11 @@ if (isset($_GET['cancel_ticket_schedule'])) {
$ticket_schedule = sanitizeInput($row['ticket_schedule']);
$ticket_cal_str = sanitizeInput($row['ticket_cal_str']);
// Don't Enforce Client Access if Ticket doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
if ($client_id) {
$client_uri = "&client_id=$client_id";
} else {