AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Tidying 

- Move more things to new permissions system
- Deduplicate assets post logic into model
- Swap out some "SELECT *" queries when only a couple of rows are actually needed
This commit is contained in:
wrongecho 2024-10-08 23:08:05 +01:00
parent e90200aebe
commit 987cd59764
25 changed files with 188 additions and 220 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
admin_api_key_add_modal.php
View File

@ -60,7 +60,7 @@ $decryptPW = randomString(160);
<select class="form-control select2" name="client" required>
<option value="0"> ALL CLIENTS </option>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM clients ORDER BY client_name ASC");
$sql = mysqli_query($mysqli, "SELECT client_id, client_name FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
while ($row = mysqli_fetch_array($sql)) {
$client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']); ?>

8
client_document_details.php
View File

@ -177,7 +177,7 @@ $document_client_visible = intval($row['document_client_visible']);
</button>
</h6>
<?php
$sql_contacts = mysqli_query($mysqli, "SELECT * FROM contacts, contact_documents
$sql_contacts = mysqli_query($mysqli, "SELECT contacts.contact_id, contact_name FROM contacts, contact_documents
WHERE contacts.contact_id = contact_documents.contact_id
AND contact_documents.document_id = $document_id
ORDER BY contact_name ASC"
@ -208,7 +208,7 @@ $document_client_visible = intval($row['document_client_visible']);
</button>
</h6>
<?php
$sql_assets = mysqli_query($mysqli, "SELECT * FROM assets, asset_documents
$sql_assets = mysqli_query($mysqli, "SELECT assets.asset_id, asset_name FROM assets, asset_documents
WHERE assets.asset_id = asset_documents.asset_id
AND asset_documents.document_id = $document_id
ORDER BY asset_name ASC"
@ -239,7 +239,7 @@ $document_client_visible = intval($row['document_client_visible']);
</button>
</h6>
<?php
$sql_software = mysqli_query($mysqli, "SELECT * FROM software, software_documents
$sql_software = mysqli_query($mysqli, "SELECT software.software_id, software_name FROM software, software_documents
WHERE software.software_id = software_documents.software_id
AND software_documents.document_id = $document_id
ORDER BY software_name ASC"
@ -270,7 +270,7 @@ $document_client_visible = intval($row['document_client_visible']);
</button>
</h6>
<?php
$sql_vendors = mysqli_query($mysqli, "SELECT * FROM vendors, vendor_documents
$sql_vendors = mysqli_query($mysqli, "SELECT vendors.vendor_id, vendor_name FROM vendors, vendor_documents
WHERE vendors.vendor_id = vendor_documents.vendor_id
AND vendor_documents.document_id = $document_id
ORDER BY vendor_name ASC"

2
client_document_link_software_modal.php
View File

@ -28,7 +28,7 @@
$exclude_condition = ""; // No condition if there are no displayed vendors
}
$sql_software_select = mysqli_query($mysqli, "SELECT * FROM software
$sql_software_select = mysqli_query($mysqli, "SELECT software_id, software_name FROM software
WHERE software_client_id = $client_id
AND software_archived_at IS NULL
$exclude_condition

2
client_document_link_vendor_modal.php
View File

@ -28,7 +28,7 @@
$exclude_condition = ""; // No condition if there are no displayed vendors
}
$sql_vendors_select = mysqli_query($mysqli, "SELECT * FROM vendors
$sql_vendors_select = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors
WHERE vendor_client_id = $client_id
AND vendor_archived_at IS NULL
$exclude_condition

8
client_services.php
View File

@ -28,7 +28,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="card-header py-2">
<h3 class="card-title mt-2"><i class="fa fa-fw fa-stream mr-2"></i>Services</h3>
<div class="card-tools">
<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addServiceModal"><i class="fas fa-plus mr-2"></i>New Service</button>
<?php if (lookupUserPermission("module_services") >= 2) { ?>
<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addServiceModal"><i class="fas fa-plus mr-2"></i>New Service</button>
<?php } ?>
</div>
</div>
@ -121,9 +123,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editServiceModal<?php echo $service_id; ?>">
<i class="fas fa-fw fa-edit mr-2"></i>Edit
</a>
<?php if ($session_user_role == 3) { ?>
<?php if (lookupUserPermission("module_credential") >= 3) { ?>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_service=<?php echo $service_id; ?>">
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_service=<?php echo $service_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token']; ?>">
<i class="fas fa-fw fa-trash mr-2"></i>Delete
</a>
<?php } ?>

113
post/user/asset.php
View File

@ -10,48 +10,7 @@ if (isset($_POST['add_asset'])) {
validateCSRFToken($_POST['csrf_token']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$make = sanitizeInput($_POST['make']);
$model = sanitizeInput($_POST['model']);
$serial = sanitizeInput($_POST['serial']);
$os = sanitizeInput($_POST['os']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$nat_ip = sanitizeInput($_POST['nat_ip']);
$mac = sanitizeInput($_POST['mac']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$status = sanitizeInput($_POST['status']);
$location = intval($_POST['location']);
$physical_location = sanitizeInput($_POST['physical_location']);
$vendor = intval($_POST['vendor']);
$contact = intval($_POST['contact']);
$network = intval($_POST['network']);
$purchase_date = sanitizeInput($_POST['purchase_date']);
if (empty($purchase_date)) {
$purchase_date = "NULL";
} else {
$purchase_date = "'" . $purchase_date . "'";
}
$warranty_expire = sanitizeInput($_POST['warranty_expire']);
if (empty($warranty_expire)) {
$warranty_expire = "NULL";
} else {
$warranty_expire = "'" . $warranty_expire . "'";
}
$install_date = sanitizeInput($_POST['install_date']);
if (empty($install_date)) {
$install_date = "NULL";
} else {
$install_date = "'" . $install_date . "'";
}
$notes = sanitizeInput($_POST['notes']);
require_once 'asset_model.php';
$alert_extended = "";
@ -111,49 +70,8 @@ if (isset($_POST['edit_asset'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'asset_model.php';
$asset_id = intval($_POST['asset_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$make = sanitizeInput($_POST['make']);
$model = sanitizeInput($_POST['model']);
$serial = sanitizeInput($_POST['serial']);
$os = sanitizeInput($_POST['os']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$nat_ip = sanitizeInput($_POST['nat_ip']);
$mac = sanitizeInput($_POST['mac']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$status = sanitizeInput($_POST['status']);
$location = intval($_POST['location']);
$physical_location = sanitizeInput($_POST['physical_location']);
$vendor = intval($_POST['vendor']);
$contact = intval($_POST['contact']);
$network = intval($_POST['network']);
$purchase_date = sanitizeInput($_POST['purchase_date']);
if (empty($purchase_date)) {
$purchase_date = "NULL";
} else {
$purchase_date = "'" . $purchase_date . "'";
}
$warranty_expire = sanitizeInput($_POST['warranty_expire']);
if (empty($warranty_expire)) {
$warranty_expire = "NULL";
} else {
$warranty_expire = "'" . $warranty_expire . "'";
}
$install_date = sanitizeInput($_POST['install_date']);
if (empty($install_date)) {
$install_date = "NULL";
} else {
$install_date = "'" . $install_date . "'";
}
$notes = sanitizeInput($_POST['notes']);
// Get Existing Photo
$sql = mysqli_query($mysqli,"SELECT asset_photo FROM assets WHERE asset_id = $asset_id");
@ -734,7 +652,10 @@ if (isset($_POST['add_asset_interface'])) {
validateCSRFToken($_POST['csrf_token']);
// Interface info
$interface_id = intval($_POST['interface_id']);
$asset_id = intval($_POST['asset_id']);
require_once 'asset_interface_model.php';
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
@ -742,17 +663,6 @@ if (isset($_POST['add_asset_interface'])) {
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
$name = sanitizeInput($_POST['name']);
$mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$port = sanitizeInput($_POST['port']);
$network = intval($_POST['network']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = '$name', interface_mac = '$mac', interface_ip = '$ip', interface_ipv6 = '$ipv6', interface_port = '$port', interface_notes = '$notes', interface_network_id = $network, interface_asset_id = $asset_id");
$interface_id = mysqli_insert_id($mysqli);
@ -772,7 +682,9 @@ if (isset($_POST['edit_asset_interface'])) {
validateCSRFToken($_POST['csrf_token']);
// Interface info
$interface_id = intval($_POST['interface_id']);
require_once 'asset_interface_model.php';
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id, asset_id FROM asset_interfaces LEFT JOIN assets ON asset_id = interface_asset_id WHERE interface_id = $interface_id");
@ -781,17 +693,6 @@ if (isset($_POST['edit_asset_interface'])) {
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
$name = sanitizeInput($_POST['name']);
$mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$port = sanitizeInput($_POST['port']);
$network = intval($_POST['network']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE asset_interfaces SET interface_name = '$name', interface_mac = '$mac', interface_ip = '$ip', interface_ipv6 = '$ipv6', interface_port = '$port', interface_notes = '$notes', interface_network_id = $network WHERE interface_id = $interface_id");
//Logging

11
post/user/asset_interface_model.php Normal file
View File

@ -0,0 +1,11 @@
<?php
$name = sanitizeInput($_POST['name']);
$mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']);
if ($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$port = sanitizeInput($_POST['port']);
$network = intval($_POST['network']);
$notes = sanitizeInput($_POST['notes']);

43
post/user/asset_model.php Normal file
View File

@ -0,0 +1,43 @@
<?php
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$make = sanitizeInput($_POST['make']);
$model = sanitizeInput($_POST['model']);
$serial = sanitizeInput($_POST['serial']);
$os = sanitizeInput($_POST['os']);
$ip = sanitizeInput($_POST['ip']);
if ($_POST['dhcp'] == 1) {
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$nat_ip = sanitizeInput($_POST['nat_ip']);
$mac = sanitizeInput($_POST['mac']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$status = sanitizeInput($_POST['status']);
$location = intval($_POST['location']);
$physical_location = sanitizeInput($_POST['physical_location']);
$vendor = intval($_POST['vendor']);
$contact = intval($_POST['contact']);
$network = intval($_POST['network']);
$purchase_date = sanitizeInput($_POST['purchase_date']);
if (empty($purchase_date)) {
$purchase_date = "NULL";
} else {
$purchase_date = "'" . $purchase_date . "'";
}
$warranty_expire = sanitizeInput($_POST['warranty_expire']);
if (empty($warranty_expire)) {
$warranty_expire = "NULL";
} else {
$warranty_expire = "'" . $warranty_expire . "'";
}
$install_date = sanitizeInput($_POST['install_date']);
if (empty($install_date)) {
$install_date = "NULL";
} else {
$install_date = "'" . $install_date . "'";
}
$notes = sanitizeInput($_POST['notes']);
$client_id = intval($_POST['client_id']);

2
post/user/certificate.php
View File

@ -158,7 +158,7 @@ if (isset($_POST['export_client_certificates_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

2
post/user/client.php
View File

@ -159,7 +159,7 @@ if (isset($_GET['archive_client'])) {
$client_id = intval($_GET['archive_client']);
// Get Client Name
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli, "SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = sanitizeInput($row['client_name']);

37
post/user/contact.php
View File

@ -6,7 +6,7 @@
if (isset($_POST['add_contact'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
require_once 'post/user/contact_model.php';
@ -67,7 +67,7 @@ if (isset($_POST['add_contact'])) {
if (isset($_POST['edit_contact'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
require_once 'post/user/contact_model.php';
@ -184,7 +184,7 @@ if (isset($_POST['edit_contact'])) {
if (isset($_POST['bulk_assign_contact_location'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
$location_id = intval($_POST['bulk_location_id']);
@ -223,7 +223,7 @@ if (isset($_POST['bulk_assign_contact_location'])) {
if (isset($_POST['bulk_edit_contact_phone'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
$phone = preg_replace("/[^0-9]/", '', $_POST['bulk_phone']);
@ -257,7 +257,7 @@ if (isset($_POST['bulk_edit_contact_phone'])) {
if (isset($_POST['bulk_edit_contact_department'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
$department = sanitizeInput($_POST['bulk_department']);
@ -291,7 +291,7 @@ if (isset($_POST['bulk_edit_contact_department'])) {
if (isset($_POST['bulk_edit_contact_role'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
$contact_important = intval($_POST['bulk_contact_important']);
$contact_billing = intval($_POST['bulk_contact_billing']);
@ -329,7 +329,7 @@ if (isset($_POST['bulk_edit_contact_role'])) {
if (isset($_POST['bulk_assign_contact_tags'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
// Get Selected Contacts Count
$count = count($_POST['contact_ids']);
@ -373,7 +373,9 @@ if (isset($_POST['bulk_assign_contact_tags'])) {
}
if (isset($_POST['bulk_archive_contacts'])) {
validateAdminRole();
enforceUserPermission('module_client', 2);
//validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@ -416,7 +418,8 @@ if (isset($_POST['bulk_archive_contacts'])) {
}
if (isset($_POST['bulk_unarchive_contacts'])) {
validateAdminRole();
enforceUserPermission('module_client', 2);
//validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@ -455,7 +458,8 @@ if (isset($_POST['bulk_unarchive_contacts'])) {
}
if (isset($_POST['bulk_delete_contacts'])) {
validateAdminRole();
enforceUserPermission('module_client', 3);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@ -500,7 +504,7 @@ if (isset($_POST['bulk_delete_contacts'])) {
if (isset($_GET['anonymize_contact'])) {
validateAdminRole();
enforceUserPermission('module_client', 3);
$contact_id = intval($_GET['anonymize_contact']);
@ -595,7 +599,7 @@ if (isset($_GET['anonymize_contact'])) {
if (isset($_GET['archive_contact'])) {
validateTechRole();
enforceUserPermission('module_client', 2);
$contact_id = intval($_GET['archive_contact']);
@ -641,7 +645,7 @@ if (isset($_GET['unarchive_contact'])) {
}
if (isset($_GET['delete_contact'])) {
validateAdminRole();
enforceUserPermission('module_client', 3);
$contact_id = intval($_GET['delete_contact']);
@ -671,10 +675,13 @@ if (isset($_GET['delete_contact'])) {
}
if (isset($_POST['export_client_contacts_csv'])) {
enforceUserPermission('module_client');
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
@ -721,7 +728,7 @@ if (isset($_POST['export_client_contacts_csv'])) {
if (isset($_POST["import_client_contacts_csv"])) {
validateTechRole();
enforceUserPermission('module_client', 2);
$client_id = intval($_POST['client_id']);
$file_name = $_FILES["file"]["tmp_name"];

65
post/user/document.php
View File

@ -6,16 +6,9 @@
if (isset($_POST['add_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
$folder = intval($_POST['folder']);
require_once 'document_model.php';
// Document add query
$add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_template = 0, document_folder_id = $folder, document_created_by = $session_user_id, document_client_id = $client_id");
@ -36,7 +29,7 @@ if (isset($_POST['add_document'])) {
if (isset($_POST['add_document_from_template'])) {
// ROLE Check
validateTechRole();
enforceUserPermission('module_support', 2);
// GET POST Data
$client_id = intval($_POST['client_id']);
@ -73,18 +66,12 @@ if (isset($_POST['add_document_from_template'])) {
if (isset($_POST['edit_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
require_once 'document_model.php';
$document_id = intval($_POST['document_id']);
$document_created_by = intval($_POST['created_by']);
$document_parent = intval($_POST['document_parent']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
$folder = intval($_POST['folder']);
// Document add query
mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_template = 0, document_folder_id = $folder, document_created_by = $document_created_by, document_updated_by = $session_user_id, document_client_id = $client_id");
@ -127,7 +114,7 @@ if (isset($_POST['edit_document'])) {
if (isset($_POST['move_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$client_id = intval($_POST['client_id']);
@ -148,7 +135,7 @@ if (isset($_POST['move_document'])) {
if (isset($_POST['rename_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$client_id = intval($_POST['client_id']);
@ -169,7 +156,7 @@ if (isset($_POST['rename_document'])) {
if (isset($_POST['bulk_move_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$folder_id = intval($_POST['bulk_folder_id']);
@ -207,7 +194,7 @@ if (isset($_POST['bulk_move_document'])) {
if (isset($_POST['link_file_to_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
@ -227,7 +214,8 @@ if (isset($_POST['link_file_to_document'])) {
if (isset($_GET['unlink_file_from_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$file_id = intval($_GET['file_id']);
$document_id = intval($_GET['document_id']);
@ -244,7 +232,7 @@ if (isset($_GET['unlink_file_from_document'])) {
if (isset($_POST['link_vendor_to_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
@ -264,7 +252,8 @@ if (isset($_POST['link_vendor_to_document'])) {
if (isset($_GET['unlink_vendor_from_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$vendor_id = intval($_GET['vendor_id']);
$document_id = intval($_GET['document_id']);
@ -281,7 +270,7 @@ if (isset($_GET['unlink_vendor_from_document'])) {
if (isset($_POST['link_contact_to_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
@ -301,7 +290,8 @@ if (isset($_POST['link_contact_to_document'])) {
if (isset($_GET['unlink_contact_from_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$contact_id = intval($_GET['contact_id']);
$document_id = intval($_GET['document_id']);
@ -318,7 +308,7 @@ if (isset($_GET['unlink_contact_from_document'])) {
if (isset($_POST['link_asset_to_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
@ -338,7 +328,8 @@ if (isset($_POST['link_asset_to_document'])) {
if (isset($_GET['unlink_asset_from_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$asset_id = intval($_GET['asset_id']);
$document_id = intval($_GET['document_id']);
@ -355,7 +346,7 @@ if (isset($_GET['unlink_asset_from_document'])) {
if (isset($_POST['link_software_to_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
@ -375,7 +366,8 @@ if (isset($_POST['link_software_to_document'])) {
if (isset($_GET['unlink_software_from_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$software_id = intval($_GET['software_id']);
$document_id = intval($_GET['document_id']);
@ -392,7 +384,7 @@ if (isset($_GET['unlink_software_from_document'])) {
if (isset($_POST['edit_document_template'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$name = sanitizeInput($_POST['name']);
@ -415,7 +407,8 @@ if (isset($_POST['edit_document_template'])) {
}
if (isset($_POST['document_visible'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$document_visible = intval($_POST['document_visible']);
@ -433,7 +426,7 @@ if (isset($_POST['document_visible'])) {
if (isset($_GET['archive_document'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$document_id = intval($_GET['archive_document']);
@ -476,7 +469,7 @@ if (isset($_GET['archive_document'])) {
if (isset($_GET['delete_document_version'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
$document_id = intval($_GET['delete_document_version']);
@ -518,7 +511,7 @@ if (isset($_GET['delete_document_version'])) {
if (isset($_GET['delete_document'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
$document_id = intval($_GET['delete_document']);

8
post/user/document_model.php Normal file
View File

@ -0,0 +1,8 @@
<?php
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$folder = intval($_POST['folder']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.

42
post/user/domain.php
View File

@ -6,18 +6,11 @@
if (isset($_POST['add_domain'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar']);
$dnshost = intval($_POST['dnshost']);
$webhost = intval($_POST['webhost']);
$mailhost = intval($_POST['mailhost']);
require_once 'domain_model.php';
$extended_log_description = '';
$expire = sanitizeInput($_POST['expire']);
$notes = sanitizeInput($_POST['notes']);
$client_id = intval($_POST['client_id']);
// Set/check/lookup expiry date
if (strtotime($expire)) {
@ -68,17 +61,11 @@ if (isset($_POST['add_domain'])) {
if (isset($_POST['edit_domain'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
require_once 'domain_model.php';
$domain_id = intval($_POST['domain_id']);
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar']);
$dnshost = intval($_POST['dnshost']);
$webhost = intval($_POST['webhost']);
$mailhost = intval($_POST['mailhost']);
$expire = sanitizeInput($_POST['expire']);
$notes = sanitizeInput($_POST['notes']);
// if (empty($expire) || (new DateTime($expire)) < (new DateTime())) {
// // Update domain expiry date
@ -120,6 +107,9 @@ if (isset($_POST['edit_domain'])) {
}
if (isset($_GET['archive_domain'])) {
enforceUserPermission('module_support', 2);
$domain_id = intval($_GET['archive_domain']);
//Get domain Name
@ -141,6 +131,8 @@ if (isset($_GET['archive_domain'])) {
if(isset($_GET['unarchive_domain'])){
enforceUserPermission('module_support', 2);
$domain_id = intval($_GET['unarchive_domain']);
// Get Name and Client ID for logging and alert message
@ -161,7 +153,7 @@ if(isset($_GET['unarchive_domain'])){
if (isset($_GET['delete_domain'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
$domain_id = intval($_GET['delete_domain']);
@ -184,7 +176,7 @@ if (isset($_GET['delete_domain'])) {
}
if (isset($_POST['bulk_archive_domains'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@ -222,7 +214,7 @@ if (isset($_POST['bulk_archive_domains'])) {
}
if (isset($_POST['bulk_unarchive_domains'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@ -261,7 +253,7 @@ if (isset($_POST['bulk_unarchive_domains'])) {
}
if (isset($_POST['bulk_delete_domains'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@ -292,12 +284,12 @@ if (isset($_POST['bulk_delete_domains'])) {
if (isset($_POST['export_client_domains_csv'])) {
validateTechRole();
enforceUserPermission('module_support');
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

10
post/user/domain_model.php Normal file
View File

@ -0,0 +1,10 @@
<?php
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar']);
$dnshost = intval($_POST['dnshost']);
$webhost = intval($_POST['webhost']);
$mailhost = intval($_POST['mailhost']);
$expire = sanitizeInput($_POST['expire']);
$notes = sanitizeInput($_POST['notes']);

1
post/user/expense.php
View File

@ -8,7 +8,6 @@ if (isset($_POST['add_expense'])) {
require_once 'post/user/expense_model.php';
mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference'");
$expense_id = mysqli_insert_id($mysqli);

6
post/user/invoice.php
View File

@ -1227,7 +1227,7 @@ if (isset($_POST['export_client_invoices_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
@ -1319,7 +1319,7 @@ if (isset($_POST['export_client_recurring_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
@ -1360,7 +1360,7 @@ if (isset($_POST['export_client_payments_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

15
post/user/network.php
View File

@ -6,7 +6,7 @@
if (isset($_POST['add_network'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
require_once 'post/user/network_model.php';
@ -25,10 +25,9 @@ if (isset($_POST['add_network'])) {
if (isset($_POST['edit_network'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$network_id = intval($_POST['network_id']);
require_once 'post/user/network_model.php';
mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id");
@ -44,7 +43,7 @@ if (isset($_POST['edit_network'])) {
if (isset($_GET['archive_network'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$network_id = intval($_GET['archive_network']);
@ -67,7 +66,7 @@ if (isset($_GET['archive_network'])) {
}
if (isset($_GET['delete_network'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
$network_id = intval($_GET['delete_network']);
@ -90,7 +89,7 @@ if (isset($_GET['delete_network'])) {
}
if (isset($_POST['bulk_delete_networks'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
@ -121,12 +120,12 @@ if (isset($_POST['bulk_delete_networks'])) {
if (isset($_POST['export_client_networks_csv'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

2
post/user/quote.php
View File

@ -464,7 +464,7 @@ if(isset($_POST['export_client_quotes_csv'])){
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

7
post/user/service.php
View File

@ -6,7 +6,7 @@
if (isset($_POST['add_service'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$service_name = sanitizeInput($_POST['name']);
@ -108,7 +108,7 @@ if (isset($_POST['add_service'])) {
if (isset($_POST['edit_service'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$service_id = intval($_POST['service_id']);
@ -212,7 +212,8 @@ if (isset($_POST['edit_service'])) {
if (isset($_GET['delete_service'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
validateCSRFToken($_GET['csrf_token']);
$service_id = intval($_GET['delete_service']);

14
post/user/software.php
View File

@ -7,6 +7,8 @@
if (isset($_POST['add_software_from_template'])) {
enforceUserPermission('module_support', 2);
// GET POST Data
$client_id = intval($_POST['client_id']);
$software_template_id = intval($_POST['software_template_id']);
@ -37,7 +39,7 @@ if (isset($_POST['add_software_from_template'])) {
if (isset($_POST['add_software'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
@ -95,7 +97,7 @@ if (isset($_POST['add_software'])) {
if (isset($_POST['edit_software'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$software_id = intval($_POST['software_id']);
$client_id = intval($_POST['client_id']);
@ -153,7 +155,7 @@ if (isset($_POST['edit_software'])) {
if (isset($_GET['archive_software'])) {
validateTechRole();
enforceUserPermission('module_support', 2);
$software_id = intval($_GET['archive_software']);
@ -181,7 +183,7 @@ if (isset($_GET['archive_software'])) {
if (isset($_GET['delete_software'])) {
validateAdminRole();
enforceUserPermission('module_support', 3);
$software_id = intval($_GET['delete_software']);
@ -209,12 +211,12 @@ if (isset($_GET['delete_software'])) {
if (isset($_POST['export_client_software_csv'])) {
validateTechRole();
enforceUserPermission('module_support');
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

2
post/user/trip.php
View File

@ -109,7 +109,7 @@ if (isset($_POST['export_client_trips_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

2
post/user/vendor.php
View File

@ -283,7 +283,7 @@ if (isset($_POST['export_client_vendors_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];

2
ticket_bulk_assign_modal.php
View File

@ -18,7 +18,7 @@
<select class="form-control select2" name="assign_to">
<option value="0">Not Assigned</option>
<?php
$sql_users_select = mysqli_query($mysqli, "SELECT * FROM users
$sql_users_select = mysqli_query($mysqli, "SELECT users.user_id, user_name FROM users
LEFT JOIN user_settings on users.user_id = user_settings.user_id
WHERE user_role > 1
AND user_status = 1

2
ticket_edit_modal.php
View File

@ -83,7 +83,7 @@
<select class="form-control select2" name="category">
<option value="">- Ticket Category -</option>
<?php
$sql_categories = mysqli_query($mysqli, "SELECT * FROM categories WHERE category_type = 'Ticket' AND categories.category_archived_at IS NULL");
$sql_categories = mysqli_query($mysqli, "SELECT category_id, category_name FROM categories WHERE category_type = 'Ticket' AND category_archived_at IS NULL");
while ($row = mysqli_fetch_array($sql_categories)) {
$category_id = intval($row['category_id']);
$category_name = nullable_htmlentities($row['category_name']);