AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Prevent post pages being accessed directly

This commit is contained in:
wrongecho 2025-01-09 16:09:39 +00:00
parent ec54b28b02
commit a67de7a8f1
91 changed files with 190 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -8,7 +8,9 @@ All notable changes to ITFlow will be documented in this file.
- Bugfix: Asset interface losing DHCP setting
- Bugfix: Editing / creating recurring expenses results in error 500 due to incorrect var name
- Stripe online payment setup now prompts you to set the income/expense account
- Admin pages now once again use the new admin rolecheck
- Admin pages now once again use the new admin role-check
- Debug now shows the current git branch
- Individual POST handler logic pages can no longer be accessed directly
## 24.12

7
admin_role.php
View File

@ -110,11 +110,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</a>
<?php if (empty($role_archived_at) && $role_user_count == 0) { ?>
<!-- To be added -->
<div class="dropdown-divider"></div>
<!-- <a class="dropdown-item text-danger confirm-link" href="post.php?archive_role=--><?php //echo $role_id; ?><!--&csrf_token=--><?php //echo $_SESSION['csrf_token'] ?><!--">-->
<!-- <i class="fas fa-fw fa-archive mr-2"></i>Archive-->
<!-- </a>-->
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_role=<?php echo $role_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
<i class="fas fa-fw fa-archive mr-2"></i>Archive
</a>
<?php } ?>
</div>

15
post.php
View File

@ -10,6 +10,9 @@ require_once "functions.php";
require_once "check_login.php";
// Define a variable that we can use to only allow running post files via inclusion (prevents people/bots poking them)
define('FROM_POST_HANDLER', true);
// Determine which files we should load
@ -28,13 +31,7 @@ if (str_contains($module, 'admin') && isset($session_is_admin) && $session_is_ad
// To add a new admin POST request handler, add a file named after the admin page
// e.g. changes made on the page http://itflow/admin_ticket_statues.php will load the page post/admin/admin_ticket_statues.php to handle the changes
if ($module !== 'admin_update') {
require_once "post/admin/$module.php";
}
// IF statement is temporary
require_once "post/admin/$module.php";
} elseif (str_contains($module, 'xcustom')) {
// Dynamically load any custom POST logic
@ -58,10 +55,6 @@ if (str_contains($module, 'admin') && isset($session_is_admin) && $session_is_ad
// Logout is the same for user and admin
require_once "post/logout.php";
// TODO: Move admin_update into the admin section to be auto-loaded
// We can't do this until everyone has the new database fields added in 1.4.9 on Sept 14th 2024
require_once "post/admin_update.php"; // Load updater
// TODO: Find a home for these
require_once "post/ai.php";

2
post/admin/admin_api.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for API settings
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_api_key'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_backup.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for DB / master key backup
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['download_database'])) {
validateCSRFToken($_GET['csrf_token']);

3
post/admin/admin_bulk_mail.php
View File

@ -4,6 +4,9 @@
* ITFlow - GET/POST request handler for bulk email
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['send_bulk_mail_now'])) {
if (isset($_POST['contact_ids'])) {

2
post/admin/admin_category.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for categories ('category')
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_category'])) {
require_once 'post/admin/admin_category_model.php';

2
post/admin/admin_category_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']);
$color = sanitizeInput($_POST['color']);

2
post/admin/admin_custom_field.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for custom fields
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if(isset($_POST['create_custom_field'])){
require_once 'post/admin/admin_custom_field_model.php';

2
post/admin/admin_custom_field_model.php
View File

@ -1,3 +1,5 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$label = sanitizeInput($_POST['label']);
$type = sanitizeInput($_POST['type']);

2
post/admin/admin_custom_link.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for showing custom links on navbars
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_custom_link'])) {
$name = sanitizeInput($_POST['name']);

2
post/admin/admin_document_template.php
View File

@ -2,6 +2,8 @@
// Doc Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side docs as we reuse functions
require_once 'post/user/document.php';

2
post/admin/admin_mail_queue.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['send_failed_mail'])) {
$email_id = intval($_GET['send_failed_mail']);

2
post/admin/admin_project_template.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_project_template'])) {
$name = sanitizeInput($_POST['name']);

10
post/admin/admin_role.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for roles
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_role'])) {
validateCSRFToken($_POST['csrf_token']);
@ -59,3 +61,11 @@ if (isset($_POST['edit_role'])) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_role'])) {
validateCSRFToken($_GET['csrf_token']);
}

2
post/admin/admin_settings_ai.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_ai_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_company.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_company'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_default.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_default_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_integration.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_integrations_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_invoice.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_invoice_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_localization.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_localization'])) {
validateCSRFToken($_POST['csrf_token']);

1
post/admin/admin_settings_mail.php
View File

@ -1,5 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_mail_smtp_settings'])) {

2
post/admin/admin_settings_module.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_module_settings'])) {
$config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0);

2
post/admin/admin_settings_notification.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_notification_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_online_payment.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_online_payment_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_project.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_project_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_quote.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_quote_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_security.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_security_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_telemetry.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_telemetry_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_theme.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_theme_settings'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_ticket.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_ticket_settings'])) {
$config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);

2
post/admin/admin_software_template.php
View File

@ -2,6 +2,8 @@
// Software/License Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from software-side tickets as we reuse functions
require_once 'post/user/software.php';

2
post/admin/admin_tag.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tagging
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tag'])) {
require_once 'post/admin/admin_tag_model.php';

2
post/admin/admin_tag_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = intval($_POST['type']);
$color = sanitizeInput($_POST['color']);

2
post/admin/admin_tax.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tax
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tax'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_ticket_status.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket_status'])) {
$name = sanitizeInput($_POST['name']);

2
post/admin/admin_ticket_template.php
View File

@ -2,6 +2,8 @@
// Ticket Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side tickets/tasks as we reuse functions
require_once 'post/user/ticket.php';
require_once 'post/user/task.php';

2
post/admin_update.php → post/admin/admin_update.php
View File

@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['update'])) {
validateAdminRole(); // Old function

2
post/admin/admin_user.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for user (agent) management
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_user'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_user_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$email = sanitizeInput($_POST['email']);
$role = intval($_POST['role']);

2
post/admin/admin_vendor_template.php
View File

@ -2,6 +2,8 @@
// Vendor Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side vendor management as we reuse functions
require_once 'post/user/vendor.php';

2
post/user/account.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for account(s) (accounting related)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);

2
post/user/asset.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client assets
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_asset'])) {
enforceUserPermission('module_support', 2);

2
post/user/asset_interface_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']);

2
post/user/asset_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);

3
post/user/budget.php
View File

@ -4,6 +4,9 @@
* ITFlow - GET/POST request handler for budget
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['save_budget'])) {
enforceUserPermission('module_financial', 2);

2
post/user/certificate.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client SSL certificates
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_certificate'])) {
enforceUserPermission('module_support', 2);

2
post/user/certificate_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$domain = sanitizeInput($_POST['domain']);

2
post/user/client.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for clients/customers (overview)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_client'])) {
validateCSRFToken($_POST['csrf_token']);

2
post/user/client_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));

2
post/user/contact.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client contacts
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_contact'])) {
enforceUserPermission('module_client', 2);

1
post/user/contact_model.php
View File

@ -1,4 +1,5 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);

2
post/user/credential.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client credentials (formerly logins)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_login'])) {
enforceUserPermission('module_credential', 2);

2
post/user/credential_model.php
View File

@ -1,5 +1,7 @@
<?php
// Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);

2
post/user/document.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client documents
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_document'])) {
enforceUserPermission('module_support', 2);

2
post/user/document_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$folder = intval($_POST['folder']);

2
post/user/domain.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client domains
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_domain'])) {
enforceUserPermission('module_support', 2);

2
post/user/domain_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar']);

2
post/user/event.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for calendar & events
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_calendar'])) {
$name = sanitizeInput($_POST['name']);

2
post/user/event_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$calendar_id = intval($_POST['calendar']);
$title = sanitizeInput($_POST['title']);
$location = sanitizeInput($_POST['location']);

2
post/user/expense.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for expenses
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_expense'])) {
require_once 'post/user/expense_model.php';

2
post/user/expense_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account = intval($_POST['account']);

2
post/user/file.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client files/uploads
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['upload_files'])) {
enforceUserPermission('module_support', 2);

2
post/user/folder.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for folders
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['create_folder'])) {
enforceUserPermission('module_support', 2);

2
post/user/invoice.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for invoices & payments
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_invoice'])) {
require_once 'post/user/invoice_model.php';

1
post/user/invoice_model.php
View File

@ -1,4 +1,5 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$category = intval($_POST['category']);

2
post/user/location.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client physical locations/sites
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if(isset($_POST['add_location'])){
enforceUserPermission('module_client', 2);

2
post/user/location_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);

2
post/user/network.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client networks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_network'])) {
enforceUserPermission('module_support', 2);

2
post/user/network_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$vlan = intval($_POST['vlan']);

2
post/user/product.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for products
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Products
if (isset($_POST['add_product'])) {

2
post/user/product_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$price = floatval($_POST['price']);

2
post/user/profile.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for user profiles (tech/agent)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_your_user_details'])) {
// CSRF Check

2
post/user/project.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tasks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_project'])) {
enforceUserPermission('module_support', 2);

2
post/user/quote.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for quotes
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_quote'])) {
enforceUserPermission('module_sales', 2);

2
post/user/quote_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$expire = sanitizeInput($_POST['expire']);
$category = intval($_POST['category']);

2
post/user/rack.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client racks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_rack'])) {
enforceUserPermission('module_support', 2);

2
post/user/revenue.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for revenue
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_revenue'])) {
enforceUserPermission('module_sales', 2);

2
post/user/service.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client service info
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_service'])) {
enforceUserPermission('module_support', 2);

1
post/user/software.php
View File

@ -4,6 +4,7 @@
* ITFlow - GET/POST request handler for client software & licenses
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_software_from_template'])) {

2
post/user/task.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tasks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_task'])) {
enforceUserPermission('module_support', 2);

2
post/user/ticket.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client tickets
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket'])) {
enforceUserPermission('module_support', 2);

1
post/user/ticket_recurring_model.php
View File

@ -1,4 +1,5 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client']);
$subject = sanitizeInput($_POST['subject']);

2
post/user/transfer.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for transfers (accounting)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_transfer'])) {
enforceUserPermission('module_financial', 2);

2
post/user/transfer_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account_from = intval($_POST['account_from']);

2
post/user/trip.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for trips (accounting related)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_trip'])) {
require_once 'post/user/trip_model.php';

2
post/user/trip_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$source = sanitizeInput($_POST['source']);
$destination = sanitizeInput($_POST['destination']);

2
post/user/vendor.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for vendors
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_from_template'])) {
// GET POST Data

2
post/user/vendor_contact.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for vendor contacts
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_contact'])) {
enforceUserPermission('module_client', 2);

1
post/user/vendor_contact_model.php
View File

@ -1,4 +1,5 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$vendor_id = intval($_POST['vendor_id']);

2
post/user/vendor_model.php
View File

@ -1,4 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$account_number = sanitizeInput($_POST['account_number']);