AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Trips: enforceClientAccess only if client is referenced

Browse Source
This commit is contained in:
johnnyq
2026-03-06 18:26:14 -05:00
parent 6e3a36d8c4
commit 74ce8f4e98
2 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
agent/post/trip.php
View File

@@ -14,6 +14,12 @@ if (isset($_POST['add_trip'])) {
require_once 'trip_model.php'; require_once 'trip_model.php';
$client_id = intval($_POST['client']);
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id"); mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id");
$trip_id = mysqli_insert_id($mysqli); $trip_id = mysqli_insert_id($mysqli);
@@ -34,6 +40,12 @@ if (isset($_POST['edit_trip'])) {
$trip_id = intval($_POST['trip_id']); $trip_id = intval($_POST['trip_id']);
$client_id = intval(getFieldById('trips', $trip_id, 'trip_client_id'));
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_user_id = $user_id, trip_client_id = $client_id WHERE trip_id = $trip_id"); mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_user_id = $user_id, trip_client_id = $client_id WHERE trip_id = $trip_id");
logAction("Trip", "Edit", "$session_name edited trip", $client_id , $trip_id); logAction("Trip", "Edit", "$session_name edited trip", $client_id , $trip_id);
@@ -58,6 +70,10 @@ if (isset($_GET['delete_trip'])) {
$trip_source = sanitizeInput($row['trip_source']); $trip_source = sanitizeInput($row['trip_source']);
$trip_destination = sanitizeInput($row['trip_destination']); $trip_destination = sanitizeInput($row['trip_destination']);
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli,"DELETE FROM trips WHERE trip_id = $trip_id"); mysqli_query($mysqli,"DELETE FROM trips WHERE trip_id = $trip_id");
logAction("Trip", "Delete", "$session_name deleted trip ($trip_source - $trip_destination)", $client_id); logAction("Trip", "Delete", "$session_name deleted trip ($trip_source - $trip_destination)", $client_id);
@@ -79,6 +95,7 @@ if (isset($_POST['export_trips_csv'])) {
$client_query = "AND trip_client_id = $client_id"; $client_query = "AND trip_client_id = $client_id";
$client_name = getFieldById('clients', $client_id, 'client_name'); $client_name = getFieldById('clients', $client_id, 'client_name');
$file_name_prepend = "$client_name-"; $file_name_prepend = "$client_name-";
enforceClientAccess();
} else { } else {
$client_query = ''; $client_query = '';
$client_name = ''; $client_name = '';
@@ -100,6 +117,7 @@ if (isset($_POST['export_trips_csv'])) {
LEFT JOIN clients ON trip_client_id = client_id LEFT JOIN clients ON trip_client_id = client_id
WHERE $date_query WHERE $date_query
$client_query $client_query
$access_permission_query
ORDER BY trip_date DESC" ORDER BY trip_date DESC"
); );

1
agent/post/trip_model.php
View File

@@ -8,4 +8,3 @@ $miles = floatval($_POST['miles']);
$roundtrip = intval($_POST['roundtrip'] ?? 0); $roundtrip = intval($_POST['roundtrip'] ?? 0);
$purpose = sanitizeInput($_POST['purpose']); $purpose = sanitizeInput($_POST['purpose']);
$user_id = intval($_POST['user']); $user_id = intval($_POST['user']);
$client_id = intval($_POST['client']);