AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Small permissions fix for client-specific access

This commit is contained in:
Marcus Hill 2025-02-22 17:59:24 +00:00
parent 2a974c28b0
commit 8eea19d03d
5 changed files with 43 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
invoice.php
View File

@ -3,10 +3,18 @@
// If client_id is in URI then show client Side Bar and client header // If client_id is in URI then show client Side Bar and client header
if (isset($_GET['client_id'])) { if (isset($_GET['client_id'])) {
require_once "includes/inc_all_client.php"; require_once "includes/inc_all_client.php";
} else { } else {
require_once "includes/inc_all.php"; require_once "includes/inc_all.php";
} }
// Perms
enforceUserPermission('module_sales');
$invoice_permission_snippet = '';
if (!empty($client_access_string)) {
$invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
}
if (isset($_GET['invoice_id'])) { if (isset($_GET['invoice_id'])) {
$invoice_id = intval($_GET['invoice_id']); $invoice_id = intval($_GET['invoice_id']);
@ -17,7 +25,8 @@ if (isset($_GET['invoice_id'])) {
LEFT JOIN clients ON invoice_client_id = client_id LEFT JOIN clients ON invoice_client_id = client_id
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1 LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
WHERE invoice_id = $invoice_id" WHERE invoice_id = $invoice_id
$invoice_permission_snippet"
); );
if (mysqli_num_rows($sql) == 0) { if (mysqli_num_rows($sql) == 0) {
@ -215,13 +224,13 @@ if (isset($_GET['invoice_id'])) {
</a> </a>
<?php } ?> <?php } ?>
<?php } ?> <?php } ?>
<?php if (($invoice_status == 'Sent' || $invoice_status == 'Viewed') && $invoice_amount == 0 && $invoice_status !== 'Non-Billable') { ?> <?php if (($invoice_status == 'Sent' || $invoice_status == 'Viewed') && $invoice_amount == 0 && $invoice_status !== 'Non-Billable') { ?>
<a class="btn btn-dark" href="post.php?mark_invoice_non-billable=<?php echo $invoice_id; ?>"> <a class="btn btn-dark" href="post.php?mark_invoice_non-billable=<?php echo $invoice_id; ?>">
Mark Non-Billable Mark Non-Billable
</a> </a>
<?php } ?> <?php } ?>
</div> </div>
<div class="col-4"> <div class="col-4">

5
invoices.php
View File

@ -17,6 +17,10 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_sales'); enforceUserPermission('module_sales');
$invoice_permission_snippet = '';
if (!empty($client_access_string)) {
$invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
}
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query"));
$sent_count = $row['num']; $sent_count = $row['num'];
@ -94,6 +98,7 @@ $sql = mysqli_query(
$overdue_query $overdue_query
AND DATE(invoice_date) BETWEEN '$dtf' AND '$dtt' AND DATE(invoice_date) BETWEEN '$dtf' AND '$dtt'
AND (CONCAT(invoice_prefix,invoice_number) LIKE '%$q%' OR invoice_scope LIKE '%$q%' OR client_name LIKE '%$q%' OR invoice_status LIKE '%$q%' OR invoice_amount LIKE '%$q%' OR category_name LIKE '%$q%') AND (CONCAT(invoice_prefix,invoice_number) LIKE '%$q%' OR invoice_scope LIKE '%$q%' OR client_name LIKE '%$q%' OR invoice_status LIKE '%$q%' OR invoice_amount LIKE '%$q%' OR category_name LIKE '%$q%')
$invoice_permission_snippet
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );

14
quote.php
View File

@ -3,10 +3,17 @@
// If client_id is in URI then show client Side Bar and client header // If client_id is in URI then show client Side Bar and client header
if (isset($_GET['client_id'])) { if (isset($_GET['client_id'])) {
require_once "includes/inc_all_client.php"; require_once "includes/inc_all_client.php";
} else { } else {
require_once "includes/inc_all.php"; require_once "includes/inc_all.php";
} }
// Perms
enforceUserPermission('module_sales');
$quote_permission_snippet = '';
if (!empty($client_access_string)) {
$quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
}
if (isset($_GET['quote_id'])) { if (isset($_GET['quote_id'])) {
$quote_id = intval($_GET['quote_id']); $quote_id = intval($_GET['quote_id']);
@ -17,7 +24,8 @@ if (isset($_GET['quote_id'])) {
LEFT JOIN clients ON quote_client_id = client_id LEFT JOIN clients ON quote_client_id = client_id
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1 LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1 LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
WHERE quote_id = $quote_id" WHERE quote_id = $quote_id
$quote_permission_snippet"
); );
if (mysqli_num_rows($sql) == 0) { if (mysqli_num_rows($sql) == 0) {
@ -186,7 +194,7 @@ if (isset($_GET['quote_id'])) {
</a> </a>
<?php if (lookupUserPermission("module_sales") >= 2) { ?> <?php if (lookupUserPermission("module_sales") >= 2) { ?>
<a class="dropdown-item" href="#" <a class="dropdown-item" href="#"
data-toggle = "ajax-modal" data-toggle = "ajax-modal"
data-ajax-url = "ajax/ajax_quote_copy.php" data-ajax-url = "ajax/ajax_quote_copy.php"
data-ajax-id = "<?php echo $quote_id; ?>" data-ajax-id = "<?php echo $quote_id; ?>"
> >

11
quotes.php
View File

@ -17,6 +17,10 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_sales'); enforceUserPermission('module_sales');
$quote_permission_snippet = '';
if (!empty($client_access_string)) {
$quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
}
$sql = mysqli_query( $sql = mysqli_query(
$mysqli, $mysqli,
@ -25,6 +29,7 @@ $sql = mysqli_query(
LEFT JOIN categories ON quote_category_id = category_id LEFT JOIN categories ON quote_category_id = category_id
WHERE (CONCAT(quote_prefix,quote_number) LIKE '%$q%' OR quote_scope LIKE '%$q%' OR category_name LIKE '%$q%' OR quote_status LIKE '%$q%' OR quote_amount LIKE '%$q%' OR client_name LIKE '%$q%') WHERE (CONCAT(quote_prefix,quote_number) LIKE '%$q%' OR quote_scope LIKE '%$q%' OR category_name LIKE '%$q%' OR quote_status LIKE '%$q%' OR quote_amount LIKE '%$q%' OR client_name LIKE '%$q%')
AND DATE(quote_date) BETWEEN '$dtf' AND '$dtt' AND DATE(quote_date) BETWEEN '$dtf' AND '$dtt'
$quote_permission_snippet
$client_query $client_query
ORDER BY $sort $order LIMIT $record_from, $record_to" ORDER BY $sort $order LIMIT $record_from, $record_to"
); );
@ -206,7 +211,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<tr> <tr>
<td class="text-bold"> <td class="text-bold">
<a href="quote.php?<?php echo $client_url; ?>quote_id=<?php echo $quote_id; ?>"> <a href="quote.php?<?php echo $client_url; ?>quote_id=<?php echo $quote_id; ?>">
<?php echo "$quote_prefix$quote_number"; ?> <?php echo "$quote_prefix$quote_number"; ?>
</a> </a>
</td> </td>
<td><?php echo $quote_scope_display; ?></td> <td><?php echo $quote_scope_display; ?></td>
@ -231,7 +236,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</button> </button>
<div class="dropdown-menu"> <div class="dropdown-menu">
<a class="dropdown-item" href="#" <a class="dropdown-item" href="#"
data-toggle = "ajax-modal" data-toggle = "ajax-modal"
data-ajax-url = "ajax/ajax_quote_edit.php" data-ajax-url = "ajax/ajax_quote_edit.php"
data-ajax-id = "<?php echo $quote_id; ?>" data-ajax-id = "<?php echo $quote_id; ?>"
> >
@ -239,7 +244,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</a> </a>
<?php if (lookupUserPermission("module_sales") >= 2) { ?> <?php if (lookupUserPermission("module_sales") >= 2) { ?>
<a class="dropdown-item" href="#" <a class="dropdown-item" href="#"
data-toggle = "ajax-modal" data-toggle = "ajax-modal"
data-ajax-url = "ajax/ajax_quote_copy.php" data-ajax-url = "ajax/ajax_quote_copy.php"
data-ajax-id = "<?php echo $quote_id; ?>" data-ajax-id = "<?php echo $quote_id; ?>"
> >

14
ticket.php
View File

@ -9,6 +9,10 @@ if (isset($_GET['client_id'])) {
// Perms // Perms
enforceUserPermission('module_support'); enforceUserPermission('module_support');
$ticket_permission_snippet = '';
if (!empty($client_access_string)) {
$ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)";
}
// Initialize the HTML Purifier to prevent XSS // Initialize the HTML Purifier to prevent XSS
require_once "plugins/htmlpurifier/HTMLPurifier.standalone.php"; require_once "plugins/htmlpurifier/HTMLPurifier.standalone.php";
@ -18,12 +22,6 @@ $purifier_config->set('Cache.DefinitionImpl', null); // Disable cache by setting
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config); $purifier = new HTMLPurifier($purifier_config);
// Ticket client access snippet
$ticket_permission_snippet = '';
if (!empty($client_access_string)) {
$ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)";
}
if (isset($_GET['ticket_id'])) { if (isset($_GET['ticket_id'])) {
$ticket_id = intval($_GET['ticket_id']); $ticket_id = intval($_GET['ticket_id']);
@ -49,7 +47,7 @@ if (isset($_GET['ticket_id'])) {
if (mysqli_num_rows($sql) == 0) { if (mysqli_num_rows($sql) == 0) {
echo "<center><h1 class='text-secondary mt-5'>Nothing to see here</h1><a class='btn btn-lg btn-secondary mt-3' href='tickets.php'><i class='fa fa-fw fa-arrow-left'></i> Go Back</a></center>"; echo "<center><h1 class='text-secondary mt-5'>Nothing to see here</h1><a class='btn btn-lg btn-secondary mt-3' href='tickets.php'><i class='fa fa-fw fa-arrow-left'></i> Go Back</a></center>";
include_once "footer.php"; include_once "includes/footer.php";
} else { } else {
$row = mysqli_fetch_array($sql); $row = mysqli_fetch_array($sql);
@ -979,7 +977,7 @@ if (isset($_GET['ticket_id'])) {
</td> </td>
</tr> </tr>
<?php <?php
} }
?> ?>
</table> </table>
</div> </div>