AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

files, folders, documents: remove client_id post from edit and link modals as it should get the client_id in post, enforceClientAccess

Browse Source
This commit is contained in:
johnnyq
2026-03-06 17:16:04 -05:00
parent a1931f59f8
commit 8ad8fd07b3
9 changed files with 91 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
agent/post/file.php
View File

@@ -20,6 +20,8 @@ if (isset($_POST['upload_files'])) {
$asset_id = intval($_POST['asset'] ?? 0);
$client_dir = "../uploads/clients/$client_id";
enforceClientAccess();
// Create client directory if it doesn't exist
if (!is_dir($client_dir)) {
mkdir($client_dir, 0755, true);
@@ -117,6 +119,8 @@ if (isset($_POST['rename_file'])) {
$old_file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// file edit query
mysqli_query($mysqli,"UPDATE files SET file_name = '$file_name' ,file_description = '$file_description' WHERE file_id = $file_id");
@@ -143,6 +147,8 @@ if (isset($_POST['move_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// Get Folder Name for Logging
$folder_name = sanitizeInput(getFieldById('folders', $folder_id, 'folder_name'));
@@ -170,6 +176,8 @@ if (isset($_GET['archive_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NOW() WHERE file_id = $file_id");
logAction("File", "Archive", "$session_name archived file $file_name", $client_id, $file_id);
@@ -194,6 +202,8 @@ if (isset($_GET['restore_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NULL WHERE file_id = $file_id");
logAction("File", "Restore", "$session_name restored file $file_name", $client_id, $file_id);
@@ -220,6 +230,8 @@ if (isset($_POST['delete_file'])) {
$file_has_thumbnail = intval($row['file_has_thumbnail']);
$file_has_preview = intval($row['file_has_preview']);
enforceClientAccess();
unlink("../uploads/clients/$client_id/$file_reference_name");
if ($file_has_thumbnail == 1) {
@@ -260,6 +272,8 @@ if (isset($_POST['bulk_archive_files'])) {
$client_id = intval($row['file_client_id']);
$file_name = sanitizeInput($row['file_name']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NOW() WHERE file_id = $file_id");
logAction("File", "Archive", "$session_name archived file $file_name", $client_id, $file_id);
@@ -282,6 +296,8 @@ if (isset($_POST['bulk_archive_files'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NOW(), document_updated_at = document_updated_at WHERE document_id = $document_id");
logAction("Document", "Archive", "$session_name archived document $document_name", $client_id, $document_id);
@@ -322,6 +338,8 @@ if (isset($_POST['bulk_delete_files'])) {
$file_has_thumbnail = intval($row['file_has_thumbnail']);
$file_has_preview = intval($row['file_has_preview']);
enforceClientAccess();
unlink("../uploads/clients/$client_id/$file_reference_name");
if ($file_has_thumbnail == 1) {
@@ -353,6 +371,8 @@ if (isset($_POST['bulk_delete_files'])) {
$client_id = intval($row['document_client_id']);
$document_name = sanitizeInput($row['document_name']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id");
// Delete all versions associated with the master document
@@ -396,6 +416,8 @@ if (isset($_POST['bulk_restore_files'])) {
$client_id = intval($row['file_client_id']);
$file_name = sanitizeInput($row['file_name']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NULL WHERE file_id = $file_id");
logAction("File", "Restore", "$session_name restored file $file_name", $client_id, $file_id);
@@ -418,6 +440,8 @@ if (isset($_POST['bulk_restore_files'])) {
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NULL, document_updated_at = document_updated_at WHERE document_id = $document_id");
logAction("Document", "Restore", "$session_name restored document $document_name", $client_id, $document_id);
@@ -471,6 +495,9 @@ if (isset($_POST['bulk_move_files'])) {
// Get file name for logging
$file_name = sanitizeInput(getFieldById('files', $file_id, 'file_name'));
$client_id = intval(getFieldById('files', $file_id, 'file_client_id'));
enforceClientAccess();
// Move file
mysqli_query($mysqli,"UPDATE files SET file_folder_id = $folder_id WHERE file_id = $file_id");
@@ -506,6 +533,9 @@ if (isset($_POST['bulk_move_files'])) {
// Get document name for logging
$document_name = sanitizeInput(getFieldById('documents', $document_id, 'document_name'));
$client_id = intval(getFieldById('documents', $document_id, 'document_client_id'));
enforceClientAccess();
// Move document
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = $folder_id, document_updated_at = document_updated_at WHERE document_id = $document_id");
@@ -561,6 +591,8 @@ if (isset($_POST['link_asset_to_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// Get Asset Name for Logging
$asset_name = sanitizeInput(getFieldById('assets', $asset_id, 'asset_name'));
@@ -590,6 +622,8 @@ if (isset($_GET['unlink_asset_from_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
enforceClientAccess();
// Get Asset Name for Logging
$asset_name = sanitizeInput(getFieldById('assets', $asset_id, 'asset_name'));