From e6a314d2332310fafea0f73728f4f33978b02f00 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 27 Mar 2022 15:32:40 +0100 Subject: [PATCH 1/4] Prevent tech/accountant from performing certain tasks as per access matrix --- client.php | 30 ++- client_assets.php | 8 +- client_certificates.php | 6 +- client_contacts.php | 10 +- client_documents.php | 6 +- client_domains.php | 6 +- client_logins.php | 4 +- client_networks.php | 6 +- client_services.php | 6 +- client_software.php | 6 +- client_tickets.php | 6 +- client_vendors.php | 6 +- clients.php | 48 ++-- inc_all_admin.php | 8 + post.php | 574 +++++++++++++++++++++++++++++++++++++++- side_nav.php | 4 +- ticket.php | 12 +- tickets.php | 8 +- 18 files changed, 678 insertions(+), 76 deletions(-) diff --git a/client.php b/client.php index 76139efa..e04cbcc0 100644 --- a/client.php +++ b/client.php @@ -235,7 +235,7 @@ $location_phone = formatPhoneNumber($location_phone); } ?> - 2){ ?> +

Billing

Paid
@@ -248,20 +248,22 @@ $location_phone = formatPhoneNumber($location_phone);
Open Tickets
-
diff --git a/client_assets.php b/client_assets.php index 87992935..0fead289 100644 --- a/client_assets.php +++ b/client_assets.php @@ -346,10 +346,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); Edit Copy 0){ ?> - Tickets () + Tickets () + + + + Delete - - Delete diff --git a/client_certificates.php b/client_certificates.php index df820aa0..19f00f85 100644 --- a/client_certificates.php +++ b/client_certificates.php @@ -112,8 +112,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_contacts.php b/client_contacts.php index 680d148e..b883b1e4 100644 --- a/client_contacts.php +++ b/client_contacts.php @@ -219,10 +219,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_documents.php b/client_documents.php index bbe50682..86afb59f 100644 --- a/client_documents.php +++ b/client_documents.php @@ -179,8 +179,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_domains.php b/client_domains.php index 94b7d38c..3ddd7dc3 100644 --- a/client_domains.php +++ b/client_domains.php @@ -124,8 +124,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_logins.php b/client_logins.php index 1db58013..477e45be 100644 --- a/client_logins.php +++ b/client_logins.php @@ -148,8 +148,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_networks.php b/client_networks.php index dbf9218a..4e599a46 100644 --- a/client_networks.php +++ b/client_networks.php @@ -138,8 +138,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_services.php b/client_services.php index d72b405e..e137baf1 100644 --- a/client_services.php +++ b/client_services.php @@ -91,8 +91,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); 
diff --git a/client_software.php b/client_software.php index 75ac57f8..740b6bbc 100644 --- a/client_software.php +++ b/client_software.php @@ -186,8 +186,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_tickets.php b/client_tickets.php index a5f58320..534df573 100644 --- a/client_tickets.php +++ b/client_tickets.php @@ -191,8 +191,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/client_vendors.php b/client_vendors.php index 7e0cb211..ae9dcfab 100644 --- a/client_vendors.php +++ b/client_vendors.php @@ -175,8 +175,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); diff --git a/clients.php b/clients.php index 5de1d043..47fbf741 100644 --- a/clients.php +++ b/clients.php @@ -107,7 +107,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));

Clients

- + + +
@@ -165,8 +167,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); Name Address Contact - Billing - Action + Billing + Action @@ -306,23 +308,31 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); } ?> - - Balance -
- Paid - - - @@ -325,8 +327,10 @@ if(isset($_GET['ticket_id'])){ diff --git a/tickets.php b/tickets.php index 58ff9247..a2a2c3f9 100644 --- a/tickets.php +++ b/tickets.php @@ -434,9 +434,11 @@ $user_active_assigned_tickets = $row['total_tickets_assigned']; From a6a7bf1f309105f5fca2a845581b64b690654fce Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 27 Mar 2022 15:39:27 +0100 Subject: [PATCH 2/4] Restrict user (agent) create/edit/delete actions to admins only --- post.php | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/post.php b/post.php index 5f7fac53..22d26bec 100644 --- a/post.php +++ b/post.php @@ -51,6 +51,13 @@ if(isset($_GET['switch_company'])){ if(isset($_POST['add_user'])){ + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']))); $password = password_hash($_POST['password'], PASSWORD_DEFAULT); @@ -126,6 +133,13 @@ if(isset($_POST['add_user'])){ if(isset($_POST['edit_user'])){ + if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $user_id = intval($_POST['user_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']))); 
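Review bot: The denial branch added at the top of the `add_user` handler redirects to `$_SERVER["HTTP_REFERER"]` with no fallback, so a request that arrives without a Referer header (browsers with a strict referrer policy, or a direct POST) gets an empty `Location:`, and the target is otherwise whatever the request supplied. The same six lines are pasted verbatim into `edit_user`, `archive_user`, `delete_user`, `add_company`, `edit_company`, `delete_company` and the three `*_api_key` handlers of the fourth patch, so the redirect line should be fixed once, e.g. `header("Location: " . (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "PLACEHOLDER_LANDING_PAGE"));` with the app's own landing page substituted, ideally inside one helper such as `require_admin_role($session_user_role)` that each handler calls as its first statement. The admin role is the bare number `3` in every copy with nothing saying so; I infer the value from the commit messages, so confirm it and record it where the helper lives, `// role 3 = admin, the only role allowed to manage users, companies and API keys`.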
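Review bot: The self-edit exemption in `edit_user` compares the raw `$_POST['user_id']` string with `$session_user_id` using strict `!==`, while the very next line converts the same value with `intval`; if `$session_user_id` holds an integer the strict test is always true and a non-admin is refused even for their own record, and if it holds a string the check works only by accident of type. Move the conversion above the guard and compare integers: `$user_id = intval($_POST['user_id']);` followed by `if($session_user_role != 3 && $user_id != $session_user_id){`. The rest of the handler is outside the hunk; if it writes a role column from the submitted form, the self-edit path should keep the session's current role rather than the posted one, since this guard only decides who may submit, not which fields they may change.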
@@ -333,6 +347,14 @@ if(isset($_POST['edit_user_companies'])){ } if(isset($_GET['archive_user'])){ + + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $user_id = intval($_GET['archive_user']); mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $user_id"); @@ -352,6 +374,14 @@ if(isset($_GET['archive_user'])){ } if(isset($_GET['delete_user'])){ + + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $user_id = intval($_GET['delete_user']); mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $user_id"); @@ -435,6 +465,13 @@ if(isset($_GET['delete_api_key'])){ if(isset($_POST['add_company'])){ + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address']))); $city = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['city']))); @@ -533,6 +570,13 @@ if(isset($_POST['add_company'])){ } if(isset($_POST['edit_company'])){ + + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } $company_id = intval($_POST['company_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address']))); 
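Review bot: The guards added to `archive_user` and `delete_user` (and `delete_company` in the next hunk) sit in front of actions that run off a plain `$_GET` parameter, and nothing visible in these hunks ties the request to the session beyond the role value, so the new authorization is only as strong as the cookie that carried it; I cannot see whether post.php checks a per-session token earlier, so if it does not, checking one alongside the role, or moving these actions to POST, is the missing piece. A smaller point: `archive_user`, `delete_user` and `delete_company` leave a blank line after the guard's closing `}`, while in `edit_company` the `}` runs straight into `$company_id = intval($_POST['company_id']);`; add the blank line there for consistency.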
@@ -629,6 +673,14 @@ if(isset($_GET['archive_company'])){ } if(isset($_GET['delete_company'])){ + + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $company_id = intval($_GET['delete_company']); //Get Company Name From 747baf5548eb690313e8cfcc823c76cce6a68dc6 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 27 Mar 2022 15:47:30 +0100 Subject: [PATCH 3/4] Add role-based access control --- client_routes.php | 62 +++++++++++++++++++++++++++++++++++------------ 1 file changed, 47 insertions(+), 15 deletions(-) diff --git a/client_routes.php b/client_routes.php index 7eb796e3..0a2e87a2 100644 --- a/client_routes.php +++ b/client_routes.php 
@@ -14,58 +14,90 @@ if(isset($_GET['tab'])){ include("client_departments.php"); } elseif($_GET['tab'] == "assets"){ - include("client_assets.php"); + if($session_user_role > 1) { + include("client_assets.php"); + } } elseif($_GET['tab'] == "workstations"){ - include("client_assets_workstations.php"); + if($session_user_role > 1) { + include("client_assets_workstations.php"); + } } elseif($_GET['tab'] == "tickets"){ - include("client_tickets.php"); + if($session_user_role > 1) { + include("client_tickets.php"); + } } elseif($_GET['tab'] == "vendors"){ include("client_vendors.php"); } elseif($_GET['tab'] == "logins"){ - include("client_logins.php"); + if($session_user_role > 1) { + include("client_logins.php"); + } } elseif($_GET['tab'] == "networks"){ - include("client_networks.php"); + if($session_user_role > 1) { + include("client_networks.php"); + } } elseif($_GET['tab'] == "domains"){ - include("client_domains.php"); + if($session_user_role > 1) { + include("client_domains.php"); + } } elseif($_GET['tab'] == "certificates"){ - include("client_certificates.php"); + if($session_user_role > 1) { + include("client_certificates.php"); + } } elseif($_GET['tab'] == "software"){ - include("client_software.php"); + if($session_user_role > 1) { + include("client_software.php"); + } } elseif($_GET['tab'] == "invoices"){ - include("client_invoices.php"); + if($session_user_role == 1 OR $session_user_role == 3) { + include("client_invoices.php"); + } } elseif($_GET['tab'] == "recurring_invoices"){ - include("client_recurring_invoices.php"); + if($session_user_role == 1 OR $session_user_role == 3) { + include("client_recurring_invoices.php"); + } } elseif($_GET['tab'] == "payments"){ - include("client_payments.php"); + if($session_user_role == 1 OR $session_user_role == 3) { + include("client_payments.php"); + } } elseif($_GET['tab'] == "quotes"){ - include("client_quotes.php"); + if($session_user_role == 1 OR $session_user_role == 3) { + include("client_quotes.php"); + } } 
elseif($_GET['tab'] == "trips"){ - include("client_trips.php"); + if($session_user_role == 1 OR $session_user_role == 3) { + include("client_trips.php"); + } } elseif($_GET['tab'] == "events"){ include("client_events.php"); } elseif($_GET['tab'] == "files"){ - include("client_files.php"); + if($session_user_role > 1) { + include("client_files.php"); + } } elseif($_GET['tab'] == "documents"){ - include("client_documents.php"); + if($session_user_role > 1) { + include("client_documents.php"); + } } elseif($_GET['tab'] == "services"){ + if($session_user_role > 1) { include("client_services.php"); + } } elseif($_GET['tab'] == "logs"){ include("client_logs.php"); From c3fadfab3bd9764628b839d966cb8ce113a8a545 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 27 Mar 2022 16:03:41 +0100 Subject: [PATCH 4/4] Add role based access for API functions --- post.php | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/post.php b/post.php index 22d26bec..c0ef8434 100644 --- a/post.php +++ b/post.php @@ -408,6 +408,13 @@ if(isset($_GET['delete_user'])){ // API Key if(isset($_POST['add_api_key'])){ + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['expire']))); // Gen a Key @@ -428,6 +435,13 @@ if(isset($_POST['add_api_key'])){ if(isset($_POST['edit_api_key'])){ + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $api_key_id = intval($_POST['api_key_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['expire']))); 
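Review bot: The role gates in `client_routes.php` compare `$session_user_role` against bare `1` and `3` with no comment saying which role each number is; from the commit messages it looks like 1 = accountant, 2 = tech, 3 = admin, but that is inferred, so confirm it and pin it once above the first gated branch, `// session_user_role: 1 = accountant, 2 = tech, 3 = admin (see access matrix)`, or better, named constants shared with post.php. When a gate fails the branch includes nothing and the tab renders silently empty, unlike post.php, which sets an alert and redirects; a consistent denial in an `else` would make the refusal visible and easier to spot in logs. The `services` branch keeps its `include` at the old indentation inside the new `if`, unlike every other branch. The enclosing `if(isset($_GET['tab']))` block starts outside the hunk.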
@@ -444,6 +458,14 @@ if(isset($_POST['edit_api_key'])){ } if(isset($_GET['delete_api_key'])){ + + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $api_key_id = intval($_GET['delete_api_key']); // Get API Key Name