AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 00:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

files, folders, documents: remove client_id post from edit and link modals as it should get the client_id in post, enforceClientAccess

Browse Source
This commit is contained in:
johnnyq
2026-03-06 17:16:04 -05:00
parent a1931f59f8
commit 8ad8fd07b3
9 changed files with 91 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
agent/modals/document/document_add_file_relation.php
View File

@@ -9,7 +9,6 @@
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
<div class="modal-body">

2
agent/modals/document/document_edit.php
View File

@@ -27,7 +27,7 @@ ob_start();
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body">
<div class="form-group">

2
agent/modals/document/document_edit_visibility.php
View File

@@ -28,8 +28,8 @@ ob_start();
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="document_id" value="<?= $document_id ?>">
<div class="modal-body">
<input type="hidden" name="document_id" value="<?= $document_id ?>">
<div class="form-group">
<label>Visibility</label>
<p>Should this document be visible in the portal to client contacts with the 'Technical' role?</p>

1
agent/modals/document/document_rename.php
View File

@@ -23,7 +23,6 @@ ob_start();
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body">
<div class="form-group">

1
agent/modals/file/file_upload.php
View File

@@ -18,7 +18,6 @@ ob_start();
</div>
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="contact" value="<?php echo $contact_id; ?>">
<input type="hidden" name="asset" value="<?php echo $asset_id; ?>">
<div class="modal-body">

51
agent/post/document.php
View File

@@ -13,10 +13,12 @@ if (isset($_POST['add_document'])) {
enforceUserPermission('module_support', 2);
require_once 'document_model.php';
$client_id = intval($_POST['client_id']);
$contact_id = intval($_POST['contact'] ?? 0);
$asset_id = intval($_POST['asset'] ?? 0);
enforceClientAccess();
// Document add query
mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '', document_content_raw = '$content_raw', document_folder_id = $folder, document_created_by = $session_user_id, document_client_id = $client_id");
@@ -63,6 +65,8 @@ if (isset($_POST['add_document_from_template'])) {
$document_template_id = intval($_POST['document_template_id']);
$folder = intval($_POST['folder']);
enforceClientAccess();
// Get template
$sql_document = mysqli_query(
$mysqli,
@@ -143,6 +147,10 @@ if (isset($_POST['edit_document'])) {
$document_id = intval($_POST['document_id']);
$client_id = intval(getFieldById('documents', $document_id, 'document_client_id'));
enforceClientAccess();
// 1) Load the current document to create a version
$sql_original_document = mysqli_query(
$mysqli,
@@ -249,6 +257,8 @@ if (isset($_POST['move_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Folder Name for logging
$sql_folder = mysqli_query($mysqli,"SELECT folder_name FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_assoc($sql_folder);
@@ -272,9 +282,12 @@ if (isset($_POST['rename_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$client_id = intval(getFieldById('documents', $document_id, 'document_client_id'));
enforceClientAccess();
// Get Document Name before renaming for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_assoc($sql_document);
@@ -306,6 +319,8 @@ if (isset($_POST['bulk_move_document'])) {
$folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
enforceClientAccess();
// Move Documents to Folder Loop
if (isset($_POST['document_ids'])) {
@@ -347,6 +362,8 @@ if (isset($_POST['link_file_to_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get File Name for logging
$file_name = sanitizeInput(getFieldById('files', $file_id, 'file_name'));
@@ -376,6 +393,8 @@ if (isset($_GET['unlink_file_from_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get File Name for logging
$file_name = sanitizeInput(getFieldById('files', $file_id, 'file_name'));
@@ -404,6 +423,8 @@ if (isset($_POST['link_vendor_to_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Vendor Name for logging
$vendor_name = sanitizeInput(getFieldById('vendors', $vendor_id, 'vendor_name'));
@@ -433,6 +454,8 @@ if (isset($_GET['unlink_vendor_from_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Vendor Name for logging
$vendor_name = sanitizeInput(getFieldById('vendors', $vendor_id, 'vendor_name'));
@@ -462,6 +485,8 @@ if (isset($_POST['link_contact_to_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -491,6 +516,8 @@ if (isset($_GET['unlink_contact_from_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -519,6 +546,8 @@ if (isset($_POST['link_asset_to_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Asset Name for logging
$asset_name = sanitizeInput(getFieldById('assets', $asset_id, 'asset_name'));
@@ -547,6 +576,8 @@ if (isset($_GET['unlink_asset_from_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Asset Name for logging
$asset_name = sanitizeInput(getFieldById('assets', $asset_id, 'asset_name'));
@@ -575,6 +606,8 @@ if (isset($_POST['link_software_to_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Software Name for logging
$software_name = sanitizeInput(getFieldById('software', $software_id, 'software_name'));
@@ -604,6 +637,8 @@ if (isset($_GET['unlink_software_from_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Get Software Name for logging
$software_name = sanitizeInput(getFieldById('software', $software_id, 'software_name'));
@@ -638,6 +673,8 @@ if (isset($_POST['toggle_document_visibility'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE documents SET document_client_visible = $document_visible, document_updated_at = document_updated_at WHERE document_id = $document_id");
logAction("Document", "Edit", "$session_name changed document $document_name visibilty to $visable_wording in the client portal", $client_id, $document_id);
@@ -663,6 +700,8 @@ if (isset($_GET['export_document'])) {
$document_content = $row['document_content'];
$client_id = intval($row['document_client_id']);
enforceClientAccess();
// Include the TCPDF class
require_once('../plugins/TCPDF/tcpdf.php');
@@ -708,6 +747,8 @@ if (isset($_GET['archive_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NOW(), document_updated_at = document_updated_at WHERE document_id = $document_id");
// Remove Associations
@@ -751,6 +792,8 @@ if (isset($_GET['restore_document'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NULL, document_updated_at = document_updated_at WHERE document_id = $document_id");
logAction("Document", "Restore", "$session_name restored document $document_name", $client_id, $document_id);
@@ -775,6 +818,8 @@ if (isset($_GET['delete_document_version'])) {
$client_id = intval($row['document_client_id']);
$document_version_name = sanitizeInput($row['document_version_name']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM document_versions WHERE document_version_id = $document_version_id");
logAction("Document Version", "Delete", "$session_name deleted document version $document_version_name", $client_id);
@@ -799,6 +844,8 @@ if (isset($_GET['delete_document'])) {
$client_id = intval($row['document_client_id']);
$document_name = sanitizeInput($row['document_name']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id");
// Delete all versions associated with the master document

1
agent/post/document_model.php
View File

@@ -1,7 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$folder = intval($_POST['folder']);
$description = sanitizeInput($_POST['description']);

34
agent/post/file.php
View File

@@ -20,6 +20,8 @@ if (isset($_POST['upload_files'])) {
$asset_id = intval($_POST['asset'] ?? 0);
$client_dir = "../uploads/clients/$client_id";
enforceClientAccess();
// Create client directory if it doesn't exist
if (!is_dir($client_dir)) {
mkdir($client_dir, 0755, true);
@@ -117,6 +119,8 @@ if (isset($_POST['rename_file'])) {
$old_file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// file edit query
mysqli_query($mysqli,"UPDATE files SET file_name = '$file_name' ,file_description = '$file_description' WHERE file_id = $file_id");
@@ -143,6 +147,8 @@ if (isset($_POST['move_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// Get Folder Name for Logging
$folder_name = sanitizeInput(getFieldById('folders', $folder_id, 'folder_name'));
@@ -170,6 +176,8 @@ if (isset($_GET['archive_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NOW() WHERE file_id = $file_id");
logAction("File", "Archive", "$session_name archived file $file_name", $client_id, $file_id);
@@ -194,6 +202,8 @@ if (isset($_GET['restore_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NULL WHERE file_id = $file_id");
logAction("File", "Restore", "$session_name restored file $file_name", $client_id, $file_id);
@@ -220,6 +230,8 @@ if (isset($_POST['delete_file'])) {
$file_has_thumbnail = intval($row['file_has_thumbnail']);
$file_has_preview = intval($row['file_has_preview']);
enforceClientAccess();
unlink("../uploads/clients/$client_id/$file_reference_name");
if ($file_has_thumbnail == 1) {
@@ -260,6 +272,8 @@ if (isset($_POST['bulk_archive_files'])) {
$client_id = intval($row['file_client_id']);
$file_name = sanitizeInput($row['file_name']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NOW() WHERE file_id = $file_id");
logAction("File", "Archive", "$session_name archived file $file_name", $client_id, $file_id);
@@ -282,6 +296,8 @@ if (isset($_POST['bulk_archive_files'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NOW(), document_updated_at = document_updated_at WHERE document_id = $document_id");
logAction("Document", "Archive", "$session_name archived document $document_name", $client_id, $document_id);
@@ -322,6 +338,8 @@ if (isset($_POST['bulk_delete_files'])) {
$file_has_thumbnail = intval($row['file_has_thumbnail']);
$file_has_preview = intval($row['file_has_preview']);
enforceClientAccess();
unlink("../uploads/clients/$client_id/$file_reference_name");
if ($file_has_thumbnail == 1) {
@@ -353,6 +371,8 @@ if (isset($_POST['bulk_delete_files'])) {
$client_id = intval($row['document_client_id']);
$document_name = sanitizeInput($row['document_name']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id");
// Delete all versions associated with the master document
@@ -396,6 +416,8 @@ if (isset($_POST['bulk_restore_files'])) {
$client_id = intval($row['file_client_id']);
$file_name = sanitizeInput($row['file_name']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NULL WHERE file_id = $file_id");
logAction("File", "Restore", "$session_name restored file $file_name", $client_id, $file_id);
@@ -418,6 +440,8 @@ if (isset($_POST['bulk_restore_files'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NULL, document_updated_at = document_updated_at WHERE document_id = $document_id");
logAction("Document", "Restore", "$session_name restored document $document_name", $client_id, $document_id);
@@ -471,6 +495,9 @@ if (isset($_POST['bulk_move_files'])) {
// Get file name for logging
$file_name = sanitizeInput(getFieldById('files', $file_id, 'file_name'));
$client_id = intval(getFieldById('files', $file_id, 'file_client_id'));
enforceClientAccess();
// Move file
mysqli_query($mysqli,"UPDATE files SET file_folder_id = $folder_id WHERE file_id = $file_id");
@@ -506,6 +533,9 @@ if (isset($_POST['bulk_move_files'])) {
// Get document name for logging
$document_name = sanitizeInput(getFieldById('documents', $document_id, 'document_name'));
$client_id = intval(getFieldById('documents', $document_id, 'document_client_id'));
enforceClientAccess();
// Move document
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = $folder_id, document_updated_at = document_updated_at WHERE document_id = $document_id");
@@ -561,6 +591,8 @@ if (isset($_POST['link_asset_to_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// Get Asset Name for Logging
$asset_name = sanitizeInput(getFieldById('assets', $asset_id, 'asset_name'));
@@ -590,6 +622,8 @@ if (isset($_GET['unlink_asset_from_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// Get Asset Name for Logging
$asset_name = sanitizeInput(getFieldById('assets', $asset_id, 'asset_name'));

6
agent/post/folder.php
View File

@@ -17,6 +17,8 @@ if (isset($_POST['create_folder'])) {
$folder_name = sanitizeInput($_POST['folder_name']);
$parent_folder = intval($_POST['parent_folder']);
enforceClientAccess();
// Document folder add query
$add_folder = mysqli_query($mysqli,"INSERT INTO folders SET folder_name = '$folder_name', parent_folder = $parent_folder, folder_location = $folder_location, folder_client_id = $client_id");
$folder_id = mysqli_insert_id($mysqli);
@@ -44,6 +46,8 @@ if (isset($_POST['rename_folder'])) {
$old_folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
enforceClientAccess();
// Folder edit query
mysqli_query($mysqli,"UPDATE folders SET folder_name = '$folder_name' WHERE folder_id = $folder_id");
@@ -69,6 +73,8 @@ if (isset($_GET['delete_folder'])) {
$folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM folders WHERE folder_id = $folder_id");
// Move files in deleted folder back to the root folder /