diff --git a/agent/blank.php b/agent/blank.php
deleted file mode 100644
index e69de29b..00000000
diff --git a/agent/files_legacy.php b/agent/files_legacy.php
deleted file mode 100644
index e2f3f647..00000000
--- a/agent/files_legacy.php
+++ /dev/null
@@ -1,622 +0,0 @@
- 0) {
- $sql_folder = mysqli_query($mysqli, "SELECT folder_name, parent_folder FROM folders WHERE folder_id = $folder_id");
- if ($row_folder = mysqli_fetch_assoc($sql_folder)) {
- $folder_name = nullable_htmlentities($row_folder['folder_name']);
- $parent_folder = intval($row_folder['parent_folder']);
-
- // Prepend the folder to the beginning of the array
- array_unshift($folder_path, array('folder_id' => $folder_id, 'folder_name' => $folder_name));
-
- // Move up to the parent folder
- $folder_id = $parent_folder;
- } else {
- // If the folder is not found, break the loop
- break;
- }
-}
-
-?>
-
-
-
-
-
-
-
-
-
Folders
-
-
- -
- " href="?client_id=&folder_id=0">/
-
- ';
- echo '';
- echo '
';
- echo '
';
- ?>
-
-
-
-
- ';
- echo '
';
-
- if ($subfolder_count > 0) {
- // Display subfolders
- echo '
';
- display_folders($folder_id, $client_id, $indent + 1);
- echo '
';
- }
-
- echo '';
- }
- }
-
- // Start displaying folders from the root (parent_folder = 0)
- display_folders(0, $client_id);
- ?>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- $file_id,
- 'name' => $file_name,
- 'preview' => "../uploads/clients/$client_id/$file_reference_name"
- ];
-
- ?>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-window.history.back();";
- exit();
- }
+ enforceClientAccess();
$sql = mysqli_query($mysqli, "UPDATE clients SET client_accessed_at = NOW() WHERE client_id = $client_id");
@@ -136,7 +126,6 @@ if (isset($_GET['client_id'])) {
$credit_balance = floatval($row['credit_balance']);
// Badge Counts
-
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('contact_id') AS num FROM contacts WHERE contact_archived_at IS NULL AND contact_client_id = $client_id"));
$num_contacts = $row['num'];
diff --git a/agent/post/contact.php b/agent/post/contact.php
index d00bae98..112c110a 100644
--- a/agent/post/contact.php
+++ b/agent/post/contact.php
@@ -14,6 +14,8 @@ if (isset($_POST['add_contact'])) {
require_once 'contact_model.php';
+ enforceClientAccess($client_id);
+
// Create User Account
$user_id = 0;
if ($name && $email && $auth_method) {
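Review bot: Passing `$client_id` explicitly on the new `enforceClientAccess($client_id);` line is the clearer form, but it is the only call site in this file that does so; every other call added by this commit relies on the function reading the script-level `$client_id` global, which silently checks a stale or unset value if one of these handlers is ever moved into a function. For consistency, use the explicit argument at every call site in this file. The surrounding add_contact handler continues outside the hunk.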
@@ -86,6 +88,8 @@ if (isset($_POST['edit_contact'])) {
require_once 'contact_model.php';
+ enforceClientAccess();
+
$contact_id = intval($_POST['contact_id']);
$send_email = intval($_POST['send_email'] ?? 0);
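Review bot: The new `enforceClientAccess();` line runs before `$contact_id` is even read, so it can only check whatever `$client_id` contact_model.php has set, which is presumably the submitted form value rather than the client the contact is actually stored under; the UPDATE that follows is keyed on `contact_id`, so the authorization and the write are on two different ids. Resolve `contact_client_id` for the posted `contact_id` from the database first and call `enforceClientAccess($client_id)` with that value, as the contact-note hunks below already do. contact_model.php is not visible here, so confirm where `$client_id` originates.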
@@ -236,6 +240,8 @@ if (isset($_POST['add_contact_note'])) {
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
+ enforceClientAccess();
+
mysqli_query($mysqli, "INSERT INTO contact_notes SET contact_note_type = '$type', contact_note = '$note', contact_note_created_by = $session_user_id, contact_note_contact_id = $contact_id");
$contact_note_id = mysqli_insert_id($mysqli);
@@ -265,6 +271,8 @@ if (isset($_GET['archive_contact_note'])) {
$client_id = intval($row['contact_client_id']);
$contact_id = intval($row['contact_id']);
+ enforceClientAccess();
+
mysqli_query($mysqli,"UPDATE contact_notes SET contact_note_archived_at = NOW() WHERE contact_note_id = $contact_note_id");
logAction("Contact", "Edit", "$session_name archived note $contact_note_type for $contact_name", $client_id, $contact_id);
@@ -291,6 +299,8 @@ if (isset($_GET['restore_contact_note'])) {
$client_id = intval($row['contact_client_id']);
$contact_id = intval($row['contact_id']);
+ enforceClientAccess();
+
mysqli_query($mysqli,"UPDATE contact_notes SET contact_note_archived_at = NULL WHERE contact_note_id = $contact_note_id");
logAction("Contact", "Edit", "$session_name restored note $contact_note_type for $contact_name", $client_id, $contact_id);
@@ -317,6 +327,8 @@ if (isset($_GET['delete_contact_note'])) {
$client_id = intval($row['contact_client_id']);
$contact_id = intval($row['contact_id']);
+ enforceClientAccess();
+
mysqli_query($mysqli,"DELETE FROM contact_notes WHERE contact_note_id = $contact_note_id");
logAction("Contact", "Edit", "$session_name deleted $contact_note_type note for $contact_name", $client_id, $contact_id);
@@ -341,6 +353,8 @@ if (isset($_POST['bulk_assign_contact_location'])) {
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
+ enforceClientAccess();
+
// Assign Location to Selected Contacts
if (isset($_POST['contact_ids'])) {
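Review bot: The added check only authorises the location's client (`$client_id` from `location_client_id`); the contacts listed in `$_POST['contact_ids']` that receive the location are not shown being scoped to that client anywhere in this hunk. Each selected contact should be constrained to the same client, e.g. `... WHERE contact_id = $contact_id AND contact_client_id = $client_id`, otherwise the permission check on the location does not bound which contacts the bulk operation rewrites. The loop that applies the assignment continues outside the hunk.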
@@ -393,6 +407,8 @@ if (isset($_POST['bulk_edit_contact_phone'])) {
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
+ enforceClientAccess();
+
mysqli_query($mysqli,"UPDATE contacts SET contact_phone = '$phone' WHERE contact_id = $contact_id");
logAction("Contact", "Edit", "$session_name set Phone Number to $phone for $contact_name", $client_id, $contact_id);
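Review bot: `enforceClientAccess();` here sits inside what appears to be a per-row loop (the `$row` fields just above) and immediately precedes the UPDATE, so if the first rows are permitted and a later one is denied, the redirect fires after those contacts have already been changed and the bulk edit is left half-applied. Run the permission check over every selected contact before the first write, or derive the client once from the selection and check it ahead of the loop. The same pattern applies to the bulk_edit_contact_department, bulk_edit_contact_role, bulk_assign_contact_tags, send_bulk_mail_now, bulk_archive_contacts, bulk_restore_contacts and bulk_delete_contacts hunks. The enclosing loop starts outside the hunk.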
@@ -431,6 +447,8 @@ if (isset($_POST['bulk_edit_contact_department'])) {
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
+ enforceClientAccess();
+
mysqli_query($mysqli,"UPDATE contacts SET contact_department = '$department' WHERE contact_id = $contact_id");
logAction("Contact", "Edit", "$session_name set Department to $department for $contact_name", $client_id, $contact_id);
@@ -471,6 +489,8 @@ if (isset($_POST['bulk_edit_contact_role'])) {
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
+ enforceClientAccess();
+
mysqli_query($mysqli,"UPDATE contacts SET contact_important = $contact_important, contact_billing = $contact_billing, contact_technical = $contact_technical WHERE contact_id = $contact_id");
logAction("Contact", "Edit", "$session_name updated the contact role for $contact_name", $client_id, $contact_id);
@@ -509,6 +529,8 @@ if (isset($_POST['bulk_assign_contact_tags'])) {
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
+ enforceClientAccess();
+
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM contact_tags WHERE contact_id = $contact_id");
@@ -565,6 +587,8 @@ if (isset($_POST['send_bulk_mail_now'])) {
$contact_email = sanitizeInput($row['contact_email']);
$client_id = intval($row['contact_client_id']);
+ enforceClientAccess();
+
// Queue Mail
$data[] = [
'from' => $mail_from,
@@ -611,6 +635,8 @@ if (isset($_POST['bulk_archive_contacts'])) {
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
+ enforceClientAccess();
+
// Archive Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $contact_user_id");
@@ -660,6 +686,8 @@ if (isset($_POST['bulk_restore_contacts'])) {
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
+ enforceClientAccess();
+
// unArchive Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NULL WHERE user_id = $contact_user_id");
@@ -703,6 +731,8 @@ if (isset($_POST['bulk_delete_contacts'])) {
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
+ enforceClientAccess();
+
// Delete Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $contact_user_id");
@@ -745,6 +775,8 @@ if (isset($_GET['anonymize_contact'])) {
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
+ enforceClientAccess();
+
// Redact name with asterisks
mysqli_query($mysqli,"UPDATE contacts SET contact_name = '*****' WHERE contact_id = $contact_id");
@@ -845,6 +877,8 @@ if (isset($_GET['archive_contact'])) {
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
+ enforceClientAccess();
+
// Archive Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $contact_user_id");
@@ -875,6 +909,8 @@ if (isset($_GET['restore_contact'])) {
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
+ enforceClientAccess();
+
// unArchive Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NULL WHERE user_id = $contact_user_id");
@@ -905,6 +941,8 @@ if (isset($_GET['delete_contact'])) {
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
+ enforceClientAccess();
+
// Delete User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $contact_user_id");
@@ -935,6 +973,8 @@ if (isset($_POST['link_contact_to_asset'])) {
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
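Review bot: The check authorises the asset's client (`$client_id` from `asset_client_id`), but `$contact_id` is only used for the name lookup on the next line; nothing in the hunk confirms the contact belongs to that same client, so a permitted asset can be linked to a contact under a client the user has no permission for. Replace the name lookup with a client-scoped one, e.g. `SELECT contact_name FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id`, and deny when it returns no row. The same gap is present in the unlink_asset_from_contact hunk and in the link/unlink software, credential, service and file hunks that follow. The INSERT/DELETE that performs the link is outside the hunk.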
@@ -963,6 +1003,8 @@ if (isset($_GET['unlink_asset_from_contact'])) {
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -991,6 +1033,8 @@ if (isset($_POST['link_software_to_contact'])) {
$software_name = sanitizeInput($row['software_name']);
$client_id = intval($row['software_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1019,6 +1063,8 @@ if (isset($_GET['unlink_software_from_contact'])) {
$software_name = sanitizeInput($row['software_name']);
$client_id = intval($row['software_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1047,6 +1093,8 @@ if (isset($_POST['link_contact_to_credential'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1075,6 +1123,8 @@ if (isset($_GET['unlink_credential_from_contact'])) {
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1103,6 +1153,8 @@ if (isset($_POST['link_service_to_contact'])) {
$service_name = sanitizeInput($row['service_name']);
$client_id = intval($row['service_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1131,6 +1183,8 @@ if (isset($_GET['unlink_service_from_contact'])) {
$service_name = sanitizeInput($row['service_name']);
$client_id = intval($row['service_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1159,6 +1213,8 @@ if (isset($_POST['link_contact_to_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1188,6 +1244,8 @@ if (isset($_GET['unlink_contact_from_file'])) {
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
+ enforceClientAccess();
+
// Get Contact Name for logging
$contact_name = sanitizeInput(getFieldById('contacts', $contact_id, 'contact_name'));
@@ -1219,7 +1277,7 @@ if (isset($_POST['export_contacts_csv'])) {
}
//Contacts
- $sql = mysqli_query($mysqli,"SELECT * FROM contacts LEFT JOIN locations ON location_id = contact_location_id WHERE contact_archived_at IS NULL $client_query ORDER BY contact_name ASC");
+ $sql = mysqli_query($mysqli,"SELECT * FROM contacts LEFT JOIN locations ON location_id = contact_location_id LEFT JOIN clients ON client_id = contact_client_id WHERE contact_archived_at IS NULL $client_query $access_permission_query ORDER BY contact_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
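Review bot: `$access_permission_query` is interpolated into the export SQL on the new line but is not defined anywhere in this hunk; if it is unset on some code path it collapses to an empty string and the export silently returns contacts for every client. Deny the export when `!isset($access_permission_query)`, or build the filter immediately above the query from the same user_client_permissions table that enforceClientAccess() consults. Separately, `SELECT *` across the newly added `clients` join pulls every client column into the result rows; confirm the column list written to the CSV below (outside the hunk) is explicit.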
@@ -1266,6 +1324,9 @@ if (isset($_POST["import_contacts_csv"])) {
enforceUserPermission('module_client', 2);
$client_id = intval($_POST['client_id']);
+
+ enforceClientAccess();
+
$error = false;
if (!empty($_FILES["file"]["tmp_name"])) {
diff --git a/functions.php b/functions.php
index e6b2acb8..ae38369d 100644
--- a/functions.php
+++ b/functions.php
@@ -1391,6 +1391,64 @@ function enforceUserPermission($module, $check_access_level = 1) {
}
}
+function enforceClientAccess($client_id = null) {
+ global $mysqli, $session_user_id, $session_is_admin, $session_name;
+
+ // Use global $client_id if none passed
+ if ($client_id === null) {
+ global $client_id;
+ }
+
+ if ($session_is_admin) {
+ return true;
+ }
+
+ $client_id = (int) $client_id;
+ $session_user_id = (int) $session_user_id;
+
+ if (empty($client_id) || empty($session_user_id)) {
+ flash_alert('Access Denied.', 'error');
+ redirect('clients.php');
+ }
+
+ // Check if this user has any client permissions set
+ $permissions_sql = "SELECT client_id
+ FROM user_client_permissions
+ WHERE user_id = $session_user_id
+ LIMIT 1";
+
+ $permissions_result = mysqli_query($mysqli, $permissions_sql);
+
+ // If no permission rows exist for this user, allow access by default
+ if ($permissions_result && mysqli_num_rows($permissions_result) == 0) {
+ return true;
+ }
+
+ // If permission rows exist, require this client
+ $access_sql = "SELECT client_id
+ FROM user_client_permissions
+ WHERE user_id = $session_user_id
+ AND client_id = $client_id
+ LIMIT 1";
+
+ $access_result = mysqli_query($mysqli, $access_sql);
+
+ if ($access_result && mysqli_num_rows($access_result) > 0) {
+ return true;
+ }
+
+ logAction(
+ 'Client',
+ 'Access',
+ "$session_name was denied permission from accessing client",
+ $client_id,
+ $client_id
+ );
+
+ flash_alert('Access Denied - You do not have permission to access that client!', 'error');
+ redirect('clients.php');
+}
+
// TODO: Probably remove this
function enforceAdminPermission() {
global $session_is_admin;
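Review bot: Denial in enforceClientAccess() relies on `redirect('clients.php')` never returning: no call site checks the return value, so if redirect() does not itself exit, the function returns null and the caller proceeds with the guarded write. `global $client_id` inside the null branch rebinds the parameter to the script global, and the `(int)` casts that follow then rewrite the globals `$client_id` and `$session_user_id` as a side effect; reading into locals avoids that. The "no permission rows means every client" default is fail-open by design and deserves a docblock on the function so later readers do not take it for an oversight, and a single query fetching all of the user's rows would replace the two round-trips. The rewrite below adds an explicit exit after both redirects and keeps the lookups on local copies.
```php
/**
 * Stop the request unless the current user may access the given client.
 * Admins always pass; a user with NO rows in user_client_permissions is
 * allowed every client (fail-open by design); otherwise a matching row is required.
 */
function enforceClientAccess($client_id = null) {
    global $mysqli, $session_user_id, $session_is_admin, $session_name;

    // Fall back to the page-level $client_id without rebinding the parameter,
    // so the casts below never write back into the caller's globals.
    $target_client_id = (int) ($client_id ?? ($GLOBALS['client_id'] ?? 0));
    $user_id = (int) $session_user_id;

    if ($session_is_admin) {
        return true;
    }

    if ($target_client_id <= 0 || $user_id <= 0) {
        flash_alert('Access Denied.', 'error');
        redirect('clients.php');
        exit; // never continue into the guarded action if redirect() returns
    }

    // … unchanged: permission lookups, with $target_client_id / $user_id in place of $client_id / $session_user_id …

    flash_alert('Access Denied - You do not have permission to access that client!', 'error');
    redirect('clients.php');
    exit;
}
```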