AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-11 08:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Racks: remove client_id post from edit rack and add rack device modal as it should get the client_id in post, enforceClientAccess

Browse Source
This commit is contained in:
johnnyq
2026-03-06 16:43:56 -05:00
parent 7d41782013
commit a252ff717e
5 changed files with 38 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
agent/modals/rack/rack_device_add.php
View File

@@ -22,7 +22,6 @@ ob_start();
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off"> <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>"> <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="rack_id" value="<?php echo $rack_id; ?>"> <input type="hidden" name="rack_id" value="<?php echo $rack_id; ?>">
<div class="modal-body"> <div class="modal-body">

1
agent/modals/rack/rack_edit.php
View File

@@ -33,7 +33,6 @@ ob_start();
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off"> <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>"> <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
<input type="hidden" name="rack_id" value="<?php echo $rack_id; ?>"> <input type="hidden" name="rack_id" value="<?php echo $rack_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body"> <div class="modal-body">

22
agent/post/network.php
View File

@@ -14,6 +14,10 @@ if (isset($_POST['add_network'])) {
require_once 'network_model.php'; require_once 'network_model.php';
$client_id = intval($_POST['client_id']);
enforceClientAccess();
mysqli_query($mysqli,"INSERT INTO networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_notes = '$notes', network_location_id = $location_id, network_client_id = $client_id"); mysqli_query($mysqli,"INSERT INTO networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_notes = '$notes', network_location_id = $location_id, network_client_id = $client_id");
$network_id = mysqli_insert_id($mysqli); $network_id = mysqli_insert_id($mysqli);
@@ -32,9 +36,14 @@ if (isset($_POST['edit_network'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$network_id = intval($_POST['network_id']);
require_once 'network_model.php'; require_once 'network_model.php';
$network_id = intval($_POST['network_id']);
$client_id = intval(getFieldById('networks', $network_id, 'network_client_id'));
enforceClientAccess();
mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id"); mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id");
logAction("Network", "Edit", "$session_name edited network $name", $client_id, $network_id); logAction("Network", "Edit", "$session_name edited network $name", $client_id, $network_id);
@@ -59,6 +68,8 @@ if (isset($_GET['archive_network'])) {
$network_name = sanitizeInput($row['network_name']); $network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']); $client_id = intval($row['network_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE networks SET network_archived_at = NOW() WHERE network_id = $network_id"); mysqli_query($mysqli,"UPDATE networks SET network_archived_at = NOW() WHERE network_id = $network_id");
logAction("Network", "Archive", "$session_name archived network $network_name", $client_id, $network_id); logAction("Network", "Archive", "$session_name archived network $network_name", $client_id, $network_id);
@@ -83,6 +94,8 @@ if (isset($_GET['restore_network'])) {
$network_name = sanitizeInput($row['network_name']); $network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']); $client_id = intval($row['network_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE networks SET network_archived_at = NULL WHERE network_id = $network_id"); mysqli_query($mysqli,"UPDATE networks SET network_archived_at = NULL WHERE network_id = $network_id");
logAction("Network", "Restore", "$session_name restored contact $contact_name", $client_id, $network_id); logAction("Network", "Restore", "$session_name restored contact $contact_name", $client_id, $network_id);
@@ -107,6 +120,8 @@ if (isset($_GET['delete_network'])) {
$network_name = sanitizeInput($row['network_name']); $network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']); $client_id = intval($row['network_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM networks WHERE network_id = $network_id"); mysqli_query($mysqli,"DELETE FROM networks WHERE network_id = $network_id");
logAction("Network", "Delete", "$session_name deleted network $network_name", $client_id); logAction("Network", "Delete", "$session_name deleted network $network_name", $client_id);
@@ -139,6 +154,8 @@ if (isset($_POST['bulk_delete_networks'])) {
$network_name = sanitizeInput($row['network_name']); $network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']); $client_id = intval($row['network_client_id']);
enforceClientAccess();
mysqli_query($mysqli, "DELETE FROM networks WHERE network_id = $network_id AND network_client_id = $client_id"); mysqli_query($mysqli, "DELETE FROM networks WHERE network_id = $network_id AND network_client_id = $client_id");
logAction("Network", "Delete", "$session_name deleted network $network_name", $client_id); logAction("Network", "Delete", "$session_name deleted network $network_name", $client_id);
@@ -164,13 +181,14 @@ if (isset($_POST['export_networks_csv'])) {
$client_query = "AND network_client_id = $client_id"; $client_query = "AND network_client_id = $client_id";
$client_name = getFieldById('clients', $client_id, 'client_name'); $client_name = getFieldById('clients', $client_id, 'client_name');
$file_name_prepend = "$client_name-"; $file_name_prepend = "$client_name-";
enforceClientAccess();
} else { } else {
$client_query = ''; $client_query = '';
$client_id = 0; $client_id = 0;
$file_name_prepend = "$session_company_name-"; $file_name_prepend = "$session_company_name-";
} }
$sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_archived_at IS NULL $client_query ORDER BY network_name ASC"); $sql = mysqli_query($mysqli,"SELECT * FROM networks LEFT JOIN client ON client_id = network_client_id WHERE network_archived_at IS NULL $client_query $access_permission_query ORDER BY network_name ASC");
$num_rows = mysqli_num_rows($sql); $num_rows = mysqli_num_rows($sql);

1
agent/post/network_model.php
View File

@@ -11,4 +11,3 @@ $secondary_dns = sanitizeInput($_POST['secondary_dns']);
$dhcp_range = sanitizeInput($_POST['dhcp_range']); $dhcp_range = sanitizeInput($_POST['dhcp_range']);
$notes = sanitizeInput($_POST['notes']); $notes = sanitizeInput($_POST['notes']);
$location_id = intval($_POST['location'] ?? 0); $location_id = intval($_POST['location'] ?? 0);
$client_id = intval($_POST['client_id']);

21
agent/post/rack.php
View File

@@ -23,6 +23,8 @@ if (isset($_POST['add_rack'])) {
$location = intval($_POST['location']); $location = intval($_POST['location']);
$notes = sanitizeInput($_POST['notes']); $notes = sanitizeInput($_POST['notes']);
enforceClientAccess();
mysqli_query($mysqli,"INSERT INTO racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes', rack_client_id = $client_id"); mysqli_query($mysqli,"INSERT INTO racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes', rack_client_id = $client_id");
$rack_id = mysqli_insert_id($mysqli); $rack_id = mysqli_insert_id($mysqli);
@@ -58,7 +60,6 @@ if (isset($_POST['edit_rack'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$rack_id = intval($_POST['rack_id']); $rack_id = intval($_POST['rack_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']); $type = sanitizeInput($_POST['type']);
@@ -69,6 +70,10 @@ if (isset($_POST['edit_rack'])) {
$location = intval($_POST['location']); $location = intval($_POST['location']);
$notes = sanitizeInput($_POST['notes']); $notes = sanitizeInput($_POST['notes']);
$client_id = intval(getFieldById('racks', $rack_id, 'rack_client_id'));
enforceClientAccess();
mysqli_query($mysqli,"UPDATE racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes' WHERE rack_id = $rack_id"); mysqli_query($mysqli,"UPDATE racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes' WHERE rack_id = $rack_id");
// Add Photo // Add Photo
@@ -103,6 +108,8 @@ if (isset($_GET['archive_rack'])) {
$rack_id = intval($_GET['archive_rack']); $rack_id = intval($_GET['archive_rack']);
enforceClientAccess();
// Get Name and Client ID for logging and alert message // Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id"); $sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_assoc($sql); $row = mysqli_fetch_assoc($sql);
@@ -133,6 +140,8 @@ if (isset($_GET['restore_rack'])) {
$rack_name = sanitizeInput($row['rack_name']); $rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']); $client_id = intval($row['rack_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE racks SET rack_archived_at = NULL WHERE rack_id = $rack_id"); mysqli_query($mysqli,"UPDATE racks SET rack_archived_at = NULL WHERE rack_id = $rack_id");
logAction("Rack", "Restore", "$session_name restored rack $rack_name", $client_id, $rack_id); logAction("Rack", "Restore", "$session_name restored rack $rack_name", $client_id, $rack_id);
@@ -158,6 +167,8 @@ if (isset($_GET['delete_rack'])) {
$rack_photo = sanitizeInput($row['rack_photo']); $rack_photo = sanitizeInput($row['rack_photo']);
$client_id = intval($row['rack_client_id']); $client_id = intval($row['rack_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM racks WHERE rack_id = $rack_id"); mysqli_query($mysqli,"DELETE FROM racks WHERE rack_id = $rack_id");
// Delete Photo if exists // Delete Photo if exists
@@ -179,7 +190,6 @@ if (isset($_POST['add_rack_unit'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$rack_id = intval($_POST['rack_id']); $rack_id = intval($_POST['rack_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$unit_start = intval($_POST['unit_start']); $unit_start = intval($_POST['unit_start']);
@@ -192,6 +202,8 @@ if (isset($_POST['add_rack_unit'])) {
$rack_name = sanitizeInput($row['rack_name']); $rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']); $client_id = intval($row['rack_client_id']);
enforceClientAccess();
// **New Validation Check** // **New Validation Check**
if ($unit_start > $unit_end) { if ($unit_start > $unit_end) {
flash_alert("Unit Start number cannot be higher than Unit End number.", 'error'); flash_alert("Unit Start number cannot be higher than Unit End number.", 'error');
@@ -227,7 +239,6 @@ if (isset($_POST['edit_rack_unit'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);
$unit_id = intval($_POST['unit_id']); $unit_id = intval($_POST['unit_id']);
$client_id = intval($_POST['client_id']);
$rack_id = intval($_POST['rack_id']); $rack_id = intval($_POST['rack_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$unit_start = intval($_POST['unit_start']); $unit_start = intval($_POST['unit_start']);
@@ -240,6 +251,8 @@ if (isset($_POST['edit_rack_unit'])) {
$rack_name = sanitizeInput($row['rack_name']); $rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']); $client_id = intval($row['rack_client_id']);
enforceClientAccess();
mysqli_query($mysqli,"UPDATE rack_units SET unit_device = '$name', unit_asset_id = $asset, unit_start_number = $unit_start, unit_end_number = $unit_end WHERE unit_id = $unit_id"); mysqli_query($mysqli,"UPDATE rack_units SET unit_device = '$name', unit_asset_id = $asset, unit_start_number = $unit_start, unit_end_number = $unit_end WHERE unit_id = $unit_id");
logAction("Rack", "Edit", "$session_name edited device $name in rack $rack_name", $client_id, $rack_id); logAction("Rack", "Edit", "$session_name edited device $name in rack $rack_name", $client_id, $rack_id);
@@ -266,6 +279,8 @@ if (isset($_GET['remove_rack_unit'])) {
$client_id = intval($row['rack_client_id']); $client_id = intval($row['rack_client_id']);
$rack_id = intval($row['rack_id']); $rack_id = intval($row['rack_id']);
enforceClientAccess();
mysqli_query($mysqli,"DELETE FROM rack_units WHERE unit_id = $unit_id"); mysqli_query($mysqli,"DELETE FROM rack_units WHERE unit_id = $unit_id");
logAction("Rack", "Edit", "$session_name removed device $device_name from rack $rack_name", $client_id, $rack_id); logAction("Rack", "Edit", "$session_name removed device $device_name from rack $rack_name", $client_id, $rack_id);