diff --git a/invoice.php b/invoice.php
index 18913183..ee6f23c9 100644
--- a/invoice.php
+++ b/invoice.php
@@ -3,10 +3,18 @@
 // If client_id is in URI then show client Side Bar and client header
 if (isset($_GET['client_id'])) {
 require_once "includes/inc_all_client.php";
-} else {
+} else {
 require_once "includes/inc_all.php";
 }
+// Perms
+enforceUserPermission('module_sales');
+$invoice_permission_snippet = '';
+if (!empty($client_access_string)) {
+ $invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
+}
+
+
 if (isset($_GET['invoice_id'])) {
 $invoice_id = intval($_GET['invoice_id']);
@@ -17,7 +25,8 @@ if (isset($_GET['invoice_id'])) {
 LEFT JOIN clients ON invoice_client_id = client_id
 LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
- WHERE invoice_id = $invoice_id"
+ WHERE invoice_id = $invoice_id
+ $invoice_permission_snippet"
 );
 if (mysqli_num_rows($sql) == 0) {
@@ -215,13 +224,13 @@ if (isset($_GET['invoice_id'])) { - + Mark Non-Billable - +
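Review bot: `$client_access_string` is spliced straight into the SQL `IN (...)` list at `$invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";` with no visible cast or escaping, so the filter is only as trustworthy as wherever that string is assembled, which is outside this diff (presumably one of the includes pulled in just above). If it is a server-built, comma-joined list of integer client ids that is acceptable, but the assumption should be stated at the assignment, e.g. `// $client_access_string is built server-side from the user's client list (never from request input); empty means unrestricted`. The `!empty()` guard also drops the filter entirely when the string is empty, so confirm that an empty access list really means "all clients" for this role and not "no clients", otherwise the check fails open. The identical snippet is repeated in the invoices.php, quote.php and quotes.php hunks; a single helper returning the clause would keep the four copies from drifting.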
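Review bot: With `$invoice_permission_snippet` appended to the WHERE clause, the `if (mysqli_num_rows($sql) == 0)` branch that follows now covers both an unknown invoice id and an invoice the user is not allowed to see, which is the right outcome because it does not disclose whether the id exists, but nothing in the code says so. A comment above the query, `// The permission snippet doubles as the access check: "not found" and "not permitted" both land in the num_rows == 0 branch`, would stop a later change from adding a separate unfiltered lookup that leaks existence. The same applies to the matching quote.php hunk. The enclosing `if (isset($_GET['invoice_id']))` block begins and ends outside this hunk.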
diff --git a/invoices.php b/invoices.php
index 18d32f02..a59d4112 100644
--- a/invoices.php
+++ b/invoices.php
@@ -17,6 +17,10 @@ if (isset($_GET['client_id'])) {
 // Perms
 enforceUserPermission('module_sales');
+$invoice_permission_snippet = '';
+if (!empty($client_access_string)) {
+ $invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
+}
 $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query"));
 $sent_count = $row['num'];
@@ -94,6 +98,7 @@ $sql = mysqli_query(
 $overdue_query AND DATE(invoice_date) BETWEEN '$dtf' AND '$dtt' AND (CONCAT(invoice_prefix,invoice_number) LIKE '%$q%' OR invoice_scope LIKE '%$q%' OR client_name LIKE '%$q%' OR invoice_status LIKE '%$q%' OR invoice_amount LIKE '%$q%' OR category_name LIKE '%$q%')
+ $invoice_permission_snippet
 $client_query ORDER BY $sort $order LIMIT $record_from, $record_to"
 );
diff --git a/quote.php b/quote.php
index 002512a9..29a62563 100644
--- a/quote.php
+++ b/quote.php
@@ -3,10 +3,17 @@
 // If client_id is in URI then show client Side Bar and client header
 if (isset($_GET['client_id'])) {
 require_once "includes/inc_all_client.php";
-} else {
+} else {
 require_once "includes/inc_all.php";
 }
+// Perms
+enforceUserPermission('module_sales');
+$quote_permission_snippet = '';
+if (!empty($client_access_string)) {
+ $quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
+}
+
 if (isset($_GET['quote_id'])) {
 $quote_id = intval($_GET['quote_id']);
@@ -17,7 +24,8 @@ if (isset($_GET['quote_id'])) {
 LEFT JOIN clients ON quote_client_id = client_id
 LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
- WHERE quote_id = $quote_id"
+ WHERE quote_id = $quote_id
+ $quote_permission_snippet"
 );
 if (mysqli_num_rows($sql) == 0) {
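Review bot: The `$sent_count` query on the context line directly after the new block, `SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query`, is still filtered only by `$client_query` and not by the new `$invoice_permission_snippet`, so a client-restricted user gets a Sent total that includes invoices the listing below hides, and the summary figures disclose counts for clients they cannot open. Append the snippet there as well: `... WHERE invoice_status = 'Sent' $client_query $invoice_permission_snippet"));`. The other status counters that presumably follow this one are outside the hunk and likely need the same change; the listing query in the second hunk of this file is already filtered.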
@@ -186,7 +194,7 @@ if (isset($_GET['quote_id'])) { = 2) { ?>
diff --git a/quotes.php b/quotes.php
index 2a2b40d3..99b594ce 100644
--- a/quotes.php
+++ b/quotes.php
@@ -17,6 +17,10 @@ if (isset($_GET['client_id'])) {
 // Perms
 enforceUserPermission('module_sales');
+$quote_permission_snippet = '';
+if (!empty($client_access_string)) {
+ $quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
+}
 $sql = mysqli_query(
 $mysqli,
@@ -25,6 +29,7 @@ $sql = mysqli_query(
 LEFT JOIN categories ON quote_category_id = category_id WHERE (CONCAT(quote_prefix,quote_number) LIKE '%$q%' OR quote_scope LIKE '%$q%' OR category_name LIKE '%$q%' OR quote_status LIKE '%$q%' OR quote_amount LIKE '%$q%' OR client_name LIKE '%$q%') AND DATE(quote_date) BETWEEN '$dtf' AND '$dtt'
+ $quote_permission_snippet
 $client_query ORDER BY $sort $order LIMIT $record_from, $record_to"
 );
@@ -206,7 +211,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); - +
@@ -231,7 +236,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));