AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Prevent post pages being accessed directly

This commit is contained in:
wrongecho 2025-01-09 16:09:39 +00:00
parent ec54b28b02
commit a67de7a8f1
91 changed files with 190 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -8,7 +8,9 @@ All notable changes to ITFlow will be documented in this file.
- Bugfix: Asset interface losing DHCP setting - Bugfix: Asset interface losing DHCP setting
- Bugfix: Editing / creating recurring expenses results in error 500 due to incorrect var name - Bugfix: Editing / creating recurring expenses results in error 500 due to incorrect var name
- Stripe online payment setup now prompts you to set the income/expense account - Stripe online payment setup now prompts you to set the income/expense account
- Admin pages now once again use the new admin rolecheck - Admin pages now once again use the new admin role-check
- Debug now shows the current git branch
- Individual POST handler logic pages can no longer be accessed directly
## 24.12 ## 24.12

7
admin_role.php
View File

@ -110,11 +110,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</a> </a>
<?php if (empty($role_archived_at) && $role_user_count == 0) { ?> <?php if (empty($role_archived_at) && $role_user_count == 0) { ?>
<!-- To be added -->
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<!-- <a class="dropdown-item text-danger confirm-link" href="post.php?archive_role=--><?php //echo $role_id; ?><!--&csrf_token=--><?php //echo $_SESSION['csrf_token'] ?><!--">--> <a class="dropdown-item text-danger confirm-link" href="post.php?archive_role=<?php echo $role_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
<!-- <i class="fas fa-fw fa-archive mr-2"></i>Archive--> <i class="fas fa-fw fa-archive mr-2"></i>Archive
<!-- </a>--> </a>
<?php } ?> <?php } ?>
</div> </div>

15
post.php
View File

@ -10,6 +10,9 @@ require_once "functions.php";
require_once "check_login.php"; require_once "check_login.php";
// Define a variable that we can use to only allow running post files via inclusion (prevents people/bots poking them)
define('FROM_POST_HANDLER', true);
// Determine which files we should load // Determine which files we should load
@ -28,13 +31,7 @@ if (str_contains($module, 'admin') && isset($session_is_admin) && $session_is_ad
// To add a new admin POST request handler, add a file named after the admin page // To add a new admin POST request handler, add a file named after the admin page
// e.g. changes made on the page http://itflow/admin_ticket_statues.php will load the page post/admin/admin_ticket_statues.php to handle the changes // e.g. changes made on the page http://itflow/admin_ticket_statues.php will load the page post/admin/admin_ticket_statues.php to handle the changes
if ($module !== 'admin_update') { require_once "post/admin/$module.php";
require_once "post/admin/$module.php";
}
// IF statement is temporary
} elseif (str_contains($module, 'xcustom')) { } elseif (str_contains($module, 'xcustom')) {
// Dynamically load any custom POST logic // Dynamically load any custom POST logic
@ -58,10 +55,6 @@ if (str_contains($module, 'admin') && isset($session_is_admin) && $session_is_ad
// Logout is the same for user and admin // Logout is the same for user and admin
require_once "post/logout.php"; require_once "post/logout.php";
// TODO: Move admin_update into the admin section to be auto-loaded
// We can't do this until everyone has the new database fields added in 1.4.9 on Sept 14th 2024
require_once "post/admin_update.php"; // Load updater
// TODO: Find a home for these // TODO: Find a home for these
require_once "post/ai.php"; require_once "post/ai.php";

2
post/admin/admin_api.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for API settings * ITFlow - GET/POST request handler for API settings
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_api_key'])) { if (isset($_POST['add_api_key'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_backup.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for DB / master key backup * ITFlow - GET/POST request handler for DB / master key backup
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['download_database'])) { if (isset($_GET['download_database'])) {
validateCSRFToken($_GET['csrf_token']); validateCSRFToken($_GET['csrf_token']);

3
post/admin/admin_bulk_mail.php
View File

@ -4,6 +4,9 @@
* ITFlow - GET/POST request handler for bulk email * ITFlow - GET/POST request handler for bulk email
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['send_bulk_mail_now'])) { if (isset($_POST['send_bulk_mail_now'])) {
if (isset($_POST['contact_ids'])) { if (isset($_POST['contact_ids'])) {

2
post/admin/admin_category.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for categories ('category') * ITFlow - GET/POST request handler for categories ('category')
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_category'])) { if (isset($_POST['add_category'])) {
require_once 'post/admin/admin_category_model.php'; require_once 'post/admin/admin_category_model.php';

2
post/admin/admin_category_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']); $type = sanitizeInput($_POST['type']);
$color = sanitizeInput($_POST['color']); $color = sanitizeInput($_POST['color']);

2
post/admin/admin_custom_field.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for custom fields * ITFlow - GET/POST request handler for custom fields
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if(isset($_POST['create_custom_field'])){ if(isset($_POST['create_custom_field'])){
require_once 'post/admin/admin_custom_field_model.php'; require_once 'post/admin/admin_custom_field_model.php';

2
post/admin/admin_custom_field_model.php
View File

@ -1,3 +1,5 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$label = sanitizeInput($_POST['label']); $label = sanitizeInput($_POST['label']);
$type = sanitizeInput($_POST['type']); $type = sanitizeInput($_POST['type']);

2
post/admin/admin_custom_link.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for showing custom links on navbars * ITFlow - GET/POST request handler for showing custom links on navbars
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_custom_link'])) { if (isset($_POST['add_custom_link'])) {
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);

2
post/admin/admin_document_template.php
View File

@ -2,6 +2,8 @@
// Doc Templates // Doc Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side docs as we reuse functions // Import shared code from user-side docs as we reuse functions
require_once 'post/user/document.php'; require_once 'post/user/document.php';

2
post/admin/admin_mail_queue.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['send_failed_mail'])) { if (isset($_GET['send_failed_mail'])) {
$email_id = intval($_GET['send_failed_mail']); $email_id = intval($_GET['send_failed_mail']);

2
post/admin/admin_project_template.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_project_template'])) { if (isset($_POST['add_project_template'])) {
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);

10
post/admin/admin_role.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for roles * ITFlow - GET/POST request handler for roles
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_role'])) { if (isset($_POST['add_role'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);
@ -59,3 +61,11 @@ if (isset($_POST['edit_role'])) {
header("Location: " . $_SERVER["HTTP_REFERER"]); header("Location: " . $_SERVER["HTTP_REFERER"]);
} }
if (isset($_GET['archive_role'])) {
validateCSRFToken($_GET['csrf_token']);
}

2
post/admin/admin_settings_ai.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_ai_settings'])) { if (isset($_POST['edit_ai_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_company.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_company'])) { if (isset($_POST['edit_company'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_default.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_default_settings'])) { if (isset($_POST['edit_default_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_integration.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_integrations_settings'])) { if (isset($_POST['edit_integrations_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_invoice.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_invoice_settings'])) { if (isset($_POST['edit_invoice_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_localization.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_localization'])) { if (isset($_POST['edit_localization'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

1
post/admin/admin_settings_mail.php
View File

@ -1,5 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_mail_smtp_settings'])) { if (isset($_POST['edit_mail_smtp_settings'])) {

2
post/admin/admin_settings_module.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_module_settings'])) { if (isset($_POST['edit_module_settings'])) {
$config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0); $config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0);

2
post/admin/admin_settings_notification.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_notification_settings'])) { if (isset($_POST['edit_notification_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_online_payment.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_online_payment_settings'])) { if (isset($_POST['edit_online_payment_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_project.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_project_settings'])) { if (isset($_POST['edit_project_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_quote.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_quote_settings'])) { if (isset($_POST['edit_quote_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_security.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_security_settings'])) { if (isset($_POST['edit_security_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_telemetry.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_telemetry_settings'])) { if (isset($_POST['edit_telemetry_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_theme.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_theme_settings'])) { if (isset($_POST['edit_theme_settings'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_settings_ticket.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_ticket_settings'])) { if (isset($_POST['edit_ticket_settings'])) {
$config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']); $config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);

2
post/admin/admin_software_template.php
View File

@ -2,6 +2,8 @@
// Software/License Templates // Software/License Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from software-side tickets as we reuse functions // Import shared code from software-side tickets as we reuse functions
require_once 'post/user/software.php'; require_once 'post/user/software.php';

2
post/admin/admin_tag.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tagging * ITFlow - GET/POST request handler for tagging
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tag'])) { if (isset($_POST['add_tag'])) {
require_once 'post/admin/admin_tag_model.php'; require_once 'post/admin/admin_tag_model.php';

2
post/admin/admin_tag_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$type = intval($_POST['type']); $type = intval($_POST['type']);
$color = sanitizeInput($_POST['color']); $color = sanitizeInput($_POST['color']);

2
post/admin/admin_tax.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tax * ITFlow - GET/POST request handler for tax
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tax'])) { if (isset($_POST['add_tax'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_ticket_status.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket_status'])) { if (isset($_POST['add_ticket_status'])) {
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);

2
post/admin/admin_ticket_template.php
View File

@ -2,6 +2,8 @@
// Ticket Templates // Ticket Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side tickets/tasks as we reuse functions // Import shared code from user-side tickets/tasks as we reuse functions
require_once 'post/user/ticket.php'; require_once 'post/user/ticket.php';
require_once 'post/user/task.php'; require_once 'post/user/task.php';

2
post/admin_update.php → post/admin/admin_update.php
View File

@ -1,5 +1,7 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['update'])) { if (isset($_GET['update'])) {
validateAdminRole(); // Old function validateAdminRole(); // Old function

2
post/admin/admin_user.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for user (agent) management * ITFlow - GET/POST request handler for user (agent) management
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_user'])) { if (isset($_POST['add_user'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/admin/admin_user_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$email = sanitizeInput($_POST['email']); $email = sanitizeInput($_POST['email']);
$role = intval($_POST['role']); $role = intval($_POST['role']);

2
post/admin/admin_vendor_template.php
View File

@ -2,6 +2,8 @@
// Vendor Templates // Vendor Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side vendor management as we reuse functions // Import shared code from user-side vendor management as we reuse functions
require_once 'post/user/vendor.php'; require_once 'post/user/vendor.php';

2
post/user/account.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for account(s) (accounting related) * ITFlow - GET/POST request handler for account(s) (accounting related)
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_account'])) { if (isset($_POST['add_account'])) {
enforceUserPermission('module_financial', 2); enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/user/asset.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client assets * ITFlow - GET/POST request handler for client assets
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_asset'])) { if (isset($_POST['add_asset'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/asset_interface_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$mac = sanitizeInput($_POST['mac']); $mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']); $ip = sanitizeInput($_POST['ip']);

2
post/user/asset_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']); $type = sanitizeInput($_POST['type']);

3
post/user/budget.php
View File

@ -4,6 +4,9 @@
* ITFlow - GET/POST request handler for budget * ITFlow - GET/POST request handler for budget
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['save_budget'])) { if (isset($_POST['save_budget'])) {
enforceUserPermission('module_financial', 2); enforceUserPermission('module_financial', 2);

2
post/user/certificate.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client SSL certificates * ITFlow - GET/POST request handler for client SSL certificates
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_certificate'])) { if (isset($_POST['add_certificate'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/certificate_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);
$domain = sanitizeInput($_POST['domain']); $domain = sanitizeInput($_POST['domain']);

2
post/user/client.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for clients/customers (overview) * ITFlow - GET/POST request handler for clients/customers (overview)
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_client'])) { if (isset($_POST['add_client'])) {
validateCSRFToken($_POST['csrf_token']); validateCSRFToken($_POST['csrf_token']);

2
post/user/client_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']); $type = sanitizeInput($_POST['type']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website'])); $website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));

2
post/user/contact.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client contacts * ITFlow - GET/POST request handler for client contacts
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_contact'])) { if (isset($_POST['add_contact'])) {
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);

1
post/user/contact_model.php
View File

@ -1,4 +1,5 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);

2
post/user/credential.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client credentials (formerly logins) * ITFlow - GET/POST request handler for client credentials (formerly logins)
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_login'])) { if (isset($_POST['add_login'])) {
enforceUserPermission('module_credential', 2); enforceUserPermission('module_credential', 2);

2
post/user/credential_model.php
View File

@ -1,5 +1,7 @@
<?php <?php
// Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process // Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);

2
post/user/document.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client documents * ITFlow - GET/POST request handler for client documents
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_document'])) { if (isset($_POST['add_document'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/document_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$folder = intval($_POST['folder']); $folder = intval($_POST['folder']);

2
post/user/domain.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client domains * ITFlow - GET/POST request handler for client domains
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_domain'])) { if (isset($_POST['add_domain'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/domain_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name'])); $name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar']); $registrar = intval($_POST['registrar']);

2
post/user/event.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for calendar & events * ITFlow - GET/POST request handler for calendar & events
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_calendar'])) { if (isset($_POST['add_calendar'])) {
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);

2
post/user/event_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$calendar_id = intval($_POST['calendar']); $calendar_id = intval($_POST['calendar']);
$title = sanitizeInput($_POST['title']); $title = sanitizeInput($_POST['title']);
$location = sanitizeInput($_POST['location']); $location = sanitizeInput($_POST['location']);

2
post/user/expense.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for expenses * ITFlow - GET/POST request handler for expenses
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_expense'])) { if (isset($_POST['add_expense'])) {
require_once 'post/user/expense_model.php'; require_once 'post/user/expense_model.php';

2
post/user/expense_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']); $date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']); $amount = floatval($_POST['amount']);
$account = intval($_POST['account']); $account = intval($_POST['account']);

2
post/user/file.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client files/uploads * ITFlow - GET/POST request handler for client files/uploads
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['upload_files'])) { if (isset($_POST['upload_files'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/folder.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for folders * ITFlow - GET/POST request handler for folders
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['create_folder'])) { if (isset($_POST['create_folder'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/invoice.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for invoices & payments * ITFlow - GET/POST request handler for invoices & payments
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_invoice'])) { if (isset($_POST['add_invoice'])) {
require_once 'post/user/invoice_model.php'; require_once 'post/user/invoice_model.php';

1
post/user/invoice_model.php
View File

@ -1,4 +1,5 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']); $date = sanitizeInput($_POST['date']);
$category = intval($_POST['category']); $category = intval($_POST['category']);

2
post/user/location.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client physical locations/sites * ITFlow - GET/POST request handler for client physical locations/sites
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if(isset($_POST['add_location'])){ if(isset($_POST['add_location'])){
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);

2
post/user/location_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);

2
post/user/network.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client networks * ITFlow - GET/POST request handler for client networks
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_network'])) { if (isset($_POST['add_network'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/network_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);
$vlan = intval($_POST['vlan']); $vlan = intval($_POST['vlan']);

2
post/user/product.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for products * ITFlow - GET/POST request handler for products
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Products // Products
if (isset($_POST['add_product'])) { if (isset($_POST['add_product'])) {

2
post/user/product_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);
$price = floatval($_POST['price']); $price = floatval($_POST['price']);

2
post/user/profile.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for user profiles (tech/agent) * ITFlow - GET/POST request handler for user profiles (tech/agent)
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_your_user_details'])) { if (isset($_POST['edit_your_user_details'])) {
// CSRF Check // CSRF Check

2
post/user/project.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tasks * ITFlow - GET/POST request handler for tasks
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_project'])) { if (isset($_POST['add_project'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/quote.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for quotes * ITFlow - GET/POST request handler for quotes
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_quote'])) { if (isset($_POST['add_quote'])) {
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);

2
post/user/quote_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']); $date = sanitizeInput($_POST['date']);
$expire = sanitizeInput($_POST['expire']); $expire = sanitizeInput($_POST['expire']);
$category = intval($_POST['category']); $category = intval($_POST['category']);

2
post/user/rack.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client racks * ITFlow - GET/POST request handler for client racks
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_rack'])) { if (isset($_POST['add_rack'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/revenue.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for revenue * ITFlow - GET/POST request handler for revenue
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_revenue'])) { if (isset($_POST['add_revenue'])) {
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);

2
post/user/service.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client service info * ITFlow - GET/POST request handler for client service info
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_service'])) { if (isset($_POST['add_service'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

1
post/user/software.php
View File

@ -4,6 +4,7 @@
* ITFlow - GET/POST request handler for client software & licenses * ITFlow - GET/POST request handler for client software & licenses
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_software_from_template'])) { if (isset($_POST['add_software_from_template'])) {

2
post/user/task.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for tasks * ITFlow - GET/POST request handler for tasks
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_task'])) { if (isset($_POST['add_task'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

2
post/user/ticket.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for client tickets * ITFlow - GET/POST request handler for client tickets
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket'])) { if (isset($_POST['add_ticket'])) {
enforceUserPermission('module_support', 2); enforceUserPermission('module_support', 2);

1
post/user/ticket_recurring_model.php
View File

@ -1,4 +1,5 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client']); $client_id = intval($_POST['client']);
$subject = sanitizeInput($_POST['subject']); $subject = sanitizeInput($_POST['subject']);

2
post/user/transfer.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for transfers (accounting) * ITFlow - GET/POST request handler for transfers (accounting)
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_transfer'])) { if (isset($_POST['add_transfer'])) {
enforceUserPermission('module_financial', 2); enforceUserPermission('module_financial', 2);

2
post/user/transfer_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']); $date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']); $amount = floatval($_POST['amount']);
$account_from = intval($_POST['account_from']); $account_from = intval($_POST['account_from']);

2
post/user/trip.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for trips (accounting related) * ITFlow - GET/POST request handler for trips (accounting related)
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_trip'])) { if (isset($_POST['add_trip'])) {
require_once 'post/user/trip_model.php'; require_once 'post/user/trip_model.php';

2
post/user/trip_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']); $date = sanitizeInput($_POST['date']);
$source = sanitizeInput($_POST['source']); $source = sanitizeInput($_POST['source']);
$destination = sanitizeInput($_POST['destination']); $destination = sanitizeInput($_POST['destination']);

2
post/user/vendor.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for vendors * ITFlow - GET/POST request handler for vendors
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_from_template'])) { if (isset($_POST['add_vendor_from_template'])) {
// GET POST Data // GET POST Data

2
post/user/vendor_contact.php
View File

@ -4,6 +4,8 @@
* ITFlow - GET/POST request handler for vendor contacts * ITFlow - GET/POST request handler for vendor contacts
*/ */
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_contact'])) { if (isset($_POST['add_vendor_contact'])) {
enforceUserPermission('module_client', 2); enforceUserPermission('module_client', 2);

1
post/user/vendor_contact_model.php
View File

@ -1,4 +1,5 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$vendor_id = intval($_POST['vendor_id']); $vendor_id = intval($_POST['vendor_id']);

2
post/user/vendor_model.php
View File

@ -1,4 +1,6 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']); $description = sanitizeInput($_POST['description']);
$account_number = sanitizeInput($_POST['account_number']); $account_number = sanitizeInput($_POST['account_number']);