From 74ce8f4e9898be79948adde36b56d664ee593dda Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Fri, 6 Mar 2026 18:26:14 -0500
Subject: [PATCH] Trips: enforceClientAccess only if client is referenced
---
 agent/post/trip.php | 18 ++++++++++++++++++
 agent/post/trip_model.php | 1 -
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/agent/post/trip.php b/agent/post/trip.php
index b5a087a6..fc2d41e7 100644
--- a/agent/post/trip.php
+++ b/agent/post/trip.php
@@ -14,6 +14,12 @@ if (isset($_POST['add_trip'])) { require_once 'trip_model.php'; + $client_id = intval($_POST['client']); + if ($client_id) { + enforceClientAccess(); + } + mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id"); $trip_id = mysqli_insert_id($mysqli);
@@ -34,6 +40,12 @@ if (isset($_POST['edit_trip'])) { $trip_id = intval($_POST['trip_id']); + $client_id = intval(getFieldById('trips', $trip_id, 'trip_client_id')); + if ($client_id) { + enforceClientAccess(); + } + mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_user_id = $user_id, trip_client_id = $client_id WHERE trip_id = $trip_id"); logAction("Trip", "Edit", "$session_name edited trip", $client_id , $trip_id);
@@ -58,6 +70,10 @@ if (isset($_GET['delete_trip'])) { $trip_source = sanitizeInput($row['trip_source']); $trip_destination = sanitizeInput($row['trip_destination']); + if ($client_id) { + enforceClientAccess(); + } + mysqli_query($mysqli,"DELETE FROM trips WHERE trip_id = $trip_id"); logAction("Trip", "Delete", "$session_name deleted trip ($trip_source - $trip_destination)", $client_id);
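Review bot: The new `$client_id = intval($_POST['client']);` in the add_trip hunk reads the field bare, whereas trip_model.php reads optional POST fields as `intval($_POST['roundtrip'] ?? 0)`; a form that omits `client` (exactly the case this commit is designed around) now triggers an undefined-index warning before `intval` yields 0. Use `$client_id = intval($_POST['client'] ?? 0);` to match the model. The conditional check also deserves a comment stating the intent, since `enforceClientAccess()` takes no argument and a reader cannot see from this line which client it tests — e.g. `// Client-less trips (client_id 0) are not client-scoped; the client ACL applies only when one is referenced`. The add_trip handler continues past the end of the hunk.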
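Review bot: In the edit_trip hunk `$client_id` is now taken from the stored `trip_client_id`, and because trip_model.php no longer assigns `$client_id` from `$_POST['client']`, the UPDATE writes the existing value back — a trip can no longer be moved to another client through this form, and any submitted `client` value is silently ignored. If re-assignment is meant to keep working, read the submitted value separately, `$new_client_id = intval($_POST['client'] ?? $client_id);`, run the access check for both the current and the new client, and write `$new_client_id` in the UPDATE; if dropping re-assignment is intentional, say so in a comment so the dead form field is not later mistaken for a bug. What `enforceClientAccess()` checks is inferred from the surrounding `$client_id`, as it takes no argument, and should be confirmed against its definition. The edit_trip handler continues outside the hunk.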
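Review bot: In the delete_trip hunk a trip whose `trip_client_id` is 0 now gets no authorization at all: the only check visible between the SELECT and the DELETE is the client ACL, and nothing compares the row's `trip_user_id` with the session user, so any logged-in agent can delete any client-less trip by id unless a check earlier in the handler, outside the hunk, covers it. The same gap applies to the edit path. Consider an `else` branch that restricts client-less trips to their owner, e.g. `elseif (intval($row['trip_user_id']) !== intval($session_user_id)) { exit; }` (the session variable name is assumed — verify against the includes). `$client_id` and `$row` are set before the hunk, so their origin is inferred here.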
@@ -79,6 +95,7 @@ if (isset($_POST['export_trips_csv'])) {
 $client_query = "AND trip_client_id = $client_id";
 $client_name = getFieldById('clients', $client_id, 'client_name');
 $file_name_prepend = "$client_name-";
+ enforceClientAccess();
 } else {
 $client_query = '';
 $client_name = '';
@@ -100,6 +117,7 @@ if (isset($_POST['export_trips_csv'])) { LEFT JOIN clients ON trip_client_id = client_id WHERE $date_query $client_query + $access_permission_query ORDER BY trip_date DESC" );
diff --git a/agent/post/trip_model.php b/agent/post/trip_model.php
index 99b25803..2de5722d 100644
--- a/agent/post/trip_model.php
+++ b/agent/post/trip_model.php
@@ -8,4 +8,3 @@ $miles = floatval($_POST['miles']);
 $roundtrip = intval($_POST['roundtrip'] ?? 0);
 $purpose = sanitizeInput($_POST['purpose']);
 $user_id = intval($_POST['user']);
-$client_id = intval($_POST['client']);
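Review bot: In the export hunk `enforceClientAccess();` is added as the last statement of the per-client branch, after `getFieldById('clients', $client_id, 'client_name')` has already looked up the client's name, so an unauthorized caller reaches a lookup keyed by their chosen id before being rejected. Move the call to the top of the branch, before `$client_query` is built, so the check is the first thing done with the untrusted `$client_id`. The `if ($client_id) {` that opens this branch is outside the hunk.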
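Review bot: `$access_permission_query` is interpolated into the export's WHERE clause, but nothing in the hunk or in the visible parts of trip.php defines it; if this script is ever entered without the include that sets it, PHP interpolates an empty string (with a notice) and the all-clients export — the one path not covered by `enforceClientAccess()` — runs unrestricted. Make the filter fail closed rather than open, e.g. `if (!isset($access_permission_query)) { exit('Access filter not initialised'); }` before the query, or whatever this codebase's convention for a hard stop is. The query statement starts before the hunk.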