Credential: remove client_id post from edit credential modal as it should get the client_id in post, enforceClientAccess

johnnyq
2026-03-06 16:34:01 -05:00
parent 91976cc415
commit 7d41782013
3 changed files with 31 additions and 3 deletions


@@ -46,7 +46,6 @@ ob_start();
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="credential_id" value="<?php echo $credential_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body">
<ul class="nav nav-pills nav-justified mb-3">


@@ -14,6 +14,10 @@ if (isset($_POST['add_credential'])) {
require_once 'credential_model.php';
$client_id = intval($_POST['client_id']);
enforceClientAccess();
mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_uri_2 = '$uri_2', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$otp_secret', credential_note = '$note', credential_favorite = $favorite, credential_contact_id = $contact_id, credential_asset_id = $asset_id, credential_client_id = $client_id");
$credential_id = mysqli_insert_id($mysqli);
@@ -44,6 +48,10 @@ if (isset($_POST['edit_credential'])) {
$credential_id = intval($_POST['credential_id']);
$client_id = intval(getFieldById('credentials', $credential_id, 'credential_client_id'));
enforceClientAccess();
// Determine if the password has actually changed (salt is rotated on all updates, so have to dencrypt both and compare)
$current_password = decryptCredentialEntry(mysqli_fetch_row(mysqli_query($mysqli, "SELECT credential_password FROM credentials WHERE credential_id = $credential_id"))[0]); // Get current credential password
$new_password = decryptCredentialEntry($password); // Get the new password being set (already encrypted by the credential model)
@@ -89,6 +97,8 @@ if(isset($_GET['archive_credential'])){
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id");
logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id);
@@ -113,6 +123,8 @@ if(isset($_GET['restore_credential'])){
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");
logAction("Credential", "Restore", "$session_name restored credential $credential_name", $client_id, $credential_id);
@@ -137,6 +149,8 @@ if (isset($_GET['delete_credential'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM credentials WHERE credential_id = $credential_id");
logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id);
@@ -168,6 +182,8 @@ if (isset($_POST['bulk_assign_credential_tags'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM credential_tags WHERE credential_id = $credential_id");
@@ -219,6 +235,8 @@ if (isset($_POST['bulk_favorite_credentials'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE credentials SET credential_favorite = 1 WHERE credential_id = $credential_id");
logAction("Credential", "Edit", "$session_name marked credential $credential_name a favorite", $client_id, $credential_id);
@@ -255,6 +273,8 @@ if (isset($_POST['bulk_unfavorite_credentials'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE credentials SET credential_favorite = 0 WHERE credential_id = $credential_id");
logAction("Credential", "Edit", "$session_name unfavorited credential $credential_name", $client_id, $credential_id);
@@ -293,6 +313,8 @@ if (isset($_POST['bulk_archive_credentials'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id");
logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id);
@@ -330,6 +352,8 @@ if (isset($_POST['bulk_restore_credentials'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");
logAction("Credential", "Restore", "$session_name restored credential $credential_name", $client_id, $credential_id);
@@ -368,6 +392,8 @@ if (isset($_POST['bulk_delete_credentials'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
enforceClientAccess();
mysqli_query($mysqli, "DELETE FROM credentials WHERE credential_id = $credential_id AND credential_client_id = $client_id");
logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id);
@@ -395,6 +421,7 @@ if (isset($_POST['export_credentials_csv'])) {
$client_query = "AND credential_client_id = $client_id";
$client_name = getFieldById('clients', $client_id, 'client_name');
$file_name_prepend = "$client_name-";
enforceClientAccess();
} else {
$client_query = '';
$client_id = 0;
@@ -402,7 +429,7 @@ if (isset($_POST['export_credentials_csv'])) {
}
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM credentials LEFT JOIN clients ON client_id = credential_client_id WHERE credential_archived_at IS NULL $client_query ORDER BY credential_name ASC");
$sql = mysqli_query($mysqli,"SELECT * FROM credentials LEFT JOIN clients ON client_id = credential_client_id WHERE credential_archived_at IS NULL $client_query $access_permission_query ORDER BY credential_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
@@ -450,6 +477,9 @@ if (isset($_POST["import_credentials_csv"])) {
enforceUserPermission('module_credential', 2);
$client_id = intval($_POST['client_id']);
enforceClientAccess();
$error = false;
if (!empty($_FILES["file"]["tmp_name"])) {
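Review bot: In the edit_credential hunk, `$client_id` is derived from `getFieldById('credentials', $credential_id, 'credential_client_id')` and handed to `enforceClientAccess()` through scope; if the submitted credential_id matches no row, `intval()` turns the lookup result into 0, and the export handler further down uses a `$client_id` of 0 to mean "all clients", so whether the check rejects or passes a 0 depends on the helper's implementation, which is outside this diff. An explicit existence guard between the lookup and the check, e.g. `if ($client_id === 0) { /* unknown credential — reject per the file's error convention */ exit(); }`, keeps an unknown or guessed id from reaching the UPDATE later in that handler. The same implicit coupling is present in every other hunk here, since `enforceClientAccess()` takes no argument and reads `$client_id` from scope; a comment such as `// enforceClientAccess() reads $client_id from scope — keep the assignment directly above it` would make that invariant visible to whoever next reorders these blocks. As a consistency point, bulk_delete_credentials scopes its DELETE with `AND credential_client_id = $client_id` while the single delete_credential hunk does not; since both derive `$client_id` from the row, one convention should be chosen. Every handler block in this file begins and ends outside its hunk.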


@@ -2,7 +2,6 @@
// Model of reusable variables for client credentials - not to be confused with the ITFLow login process
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$uri = sanitizeInput($_POST['uri']);