Locations and tickets: call enforceClientAccess in the POST handlers and fix a few missing client_id variables, which are now also available for logging

This commit is contained in:
johnnyq
2026-03-06 14:09:51 -05:00
parent 8fc3dfed1f
commit 71b19e125e
3 changed files with 212 additions and 12 deletions


@@ -14,6 +14,8 @@ if(isset($_POST['add_location'])){
require_once 'location_model.php';
enforceClientAccess();
if(!file_exists("../uploads/clients/$client_id")) {
mkdir("../uploads/clients/$client_id");
}
@@ -71,9 +73,12 @@ if(isset($_POST['edit_location'])){
$location_id = intval($_POST['location_id']);
// Get old location photo
$sql = mysqli_query($mysqli,"SELECT location_photo FROM locations WHERE location_id = $location_id");
$sql = mysqli_query($mysqli,"SELECT location_photo, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_assoc($sql);
$existing_file_name = sanitizeInput($row['location_photo']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
if(!file_exists("../uploads/clients/$client_id")) {
mkdir("../uploads/clients/$client_id");
@@ -138,6 +143,8 @@ if(isset($_GET['archive_location'])){
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
logAction("Location", "Archive", "$session_name archived location $location_name", $client_id, $location_id);
@@ -162,6 +169,8 @@ if(isset($_GET['restore_location'])){
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
@@ -186,6 +195,8 @@ if(isset($_GET['delete_location'])){
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM locations WHERE location_id = $location_id");
logAction("Location", "Delete", "$session_name deleted location $location_name", $client_id);
@@ -217,6 +228,8 @@ if (isset($_POST['bulk_assign_location_tags'])) {
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM location_tags WHERE location_id = $location_id");
@@ -270,6 +283,8 @@ if (isset($_POST['bulk_archive_locations'])) {
$location_primary = intval($row['location_primary']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
if($location_primary == 0) {
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
@@ -313,6 +328,8 @@ if (isset($_POST['bulk_restore_locations'])) {
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
logAction("Location", "Restore", "$session_name restored location $location_name", $client_id, $location_id);
@@ -351,6 +368,8 @@ if (isset($_POST['bulk_delete_locations'])) {
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
enforceClientAccess();
mysqli_query($mysqli, "DELETE FROM locations WHERE location_id = $location_id AND location_client_id = $client_id");
logAction("Location", "Delete", "$session_name deleted location $location_name", $client_id);
@@ -385,7 +404,7 @@ if(isset($_POST['export_locations_csv'])){
}
//Locations
$sql = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_archived_at IS NULL $client_query ORDER BY location_name ASC");
$sql = mysqli_query($mysqli,"SELECT * FROM locations LEFT JOIN clients ON client_id = location_client_id WHERE location_archived_at IS NULL AND client_archived_at IS NULL $client_query $access_permission_query ORDER BY location_name ASC");
$num_rows = mysqli_num_rows($sql);
@@ -432,6 +451,9 @@ if (isset($_POST["import_locations_csv"])) {
enforceUserPermission('module_client', 2);
$client_id = intval($_POST['client_id']);
enforceClientAccess();
$error = false;
if (!empty($_FILES["file"]["tmp_name"])) {