From a6a7bf1f309105f5fca2a845581b64b690654fce Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sun, 27 Mar 2022 15:39:27 +0100
Subject: [PATCH] Restrict user (agent) create/edit/delete actions to admins only
---
 post.php | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
diff --git a/post.php b/post.php
index 5f7fac53..22d26bec 100644
--- a/post.php
+++ b/post.php
@@ -51,6 +51,13 @@ if(isset($_GET['switch_company'])){
 if(isset($_POST['add_user'])){
+ if($session_user_role != 3){
+ $_SESSION['alert_type'] = "danger";
+ $_SESSION['alert_message'] = "You are not permitted to do that!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
+
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
 $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
 $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
@@ -126,6 +133,13 @@ if(isset($_POST['add_user'])){
 if(isset($_POST['edit_user'])){
+ if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){
+ $_SESSION['alert_type'] = "danger";
+ $_SESSION['alert_message'] = "You are not permitted to do that!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
+
 $user_id = intval($_POST['user_id']);
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
 $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
@@ -333,6 +347,14 @@ if(isset($_POST['edit_user_companies'])){
 }
 if(isset($_GET['archive_user'])){
+
+ if($session_user_role != 3){
+ $_SESSION['alert_type'] = "danger";
+ $_SESSION['alert_message'] = "You are not permitted to do that!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
+
 $user_id = intval($_GET['archive_user']);
 mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $user_id");
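Review bot: The redirect inside the new guard, `header("Location: " . $_SERVER["HTTP_REFERER"]);`, sends a rejected request to whatever the client put in the Referer header, so the bounce can point off-site, and when the header is absent an empty `Location:` is emitted; the identical line recurs in the edit_user, archive_user, delete_user, add_company, edit_company and delete_company hunks. Redirecting to a fixed in-app page after a failed authorization avoids both problems. Because the seven guards are otherwise byte-for-byte copies, a single helper defined once (near the top of post.php, or in the include that sets `$session_user_role`, which is outside this diff) and invoked as `require_admin($session_user_role);` at the head of each handler keeps the policy in one place, and the literal role value 3 deserves a named constant so the meaning is visible at each call. The add_user handler body continues past the hunk.
```php
// Stops the current request unless the session user holds the admin role (3).
function require_admin($session_user_role){
    if($session_user_role != 3){
        $_SESSION['alert_type'] = "danger";
        $_SESSION['alert_message'] = "You are not permitted to do that!";
        header("Location: " . ADMIN_REJECT_REDIRECT); // placeholder: a fixed in-app page, not HTTP_REFERER
        exit();
    }
}

if(isset($_POST['add_user'])){
    require_admin($session_user_role);
    // … unchanged: $name / $email / $password assignments …
```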
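Review bot: In the edit_user guard, `$_POST['user_id'] !== $session_user_id` strictly compares a request string with the session value, so unless `$session_user_id` happens to be a string (it is assigned outside this diff) the self-edit exception never matches and every non-admin is rejected even for their own record; the check fails closed, but the exception the commit intends does not work. Normalising both operands fixes it: `if($session_user_role != 3 && intval($_POST['user_id']) !== intval($session_user_id)){`, which also lets the `$user_id = intval($_POST['user_id']);` line below be hoisted above the guard and reused. When the exception does match, the rest of the handler runs for a non-admin; that code is outside the hunk, and if it writes a role or other privileged column from `$_POST`, those fields need to be skipped unless `$session_user_role == 3`, otherwise the self-edit path undoes the restriction this commit adds.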
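Review bot: archive_user is reached through a query parameter, `if(isset($_GET['archive_user'])){`, so the new role check only establishes who is logged in, not that the admin meant to issue the request; a state-changing action triggered by a plain link remains open to cross-site request forgery, and the same holds for delete_user (the next hunk) and delete_company. Moving these three actions to POST and verifying a per-session CSRF token before the role check would close that gap; the guard itself is the same copy as in add_user. The handler continues past the hunk, where `$user_id` is interpolated into the UPDATE after `intval()`.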
@@ -352,6 +374,14 @@ if(isset($_GET['archive_user'])){
 }
 if(isset($_GET['delete_user'])){
+
+ if($session_user_role != 3){
+ $_SESSION['alert_type'] = "danger";
+ $_SESSION['alert_message'] = "You are not permitted to do that!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
+
 $user_id = intval($_GET['delete_user']);
 mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $user_id");
@@ -435,6 +465,13 @@ if(isset($_GET['delete_api_key'])){
 if(isset($_POST['add_company'])){
+ if($session_user_role != 3){
+ $_SESSION['alert_type'] = "danger";
+ $_SESSION['alert_message'] = "You are not permitted to do that!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
+
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
 $address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address'])));
 $city = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['city'])));
@@ -533,6 +570,13 @@ if(isset($_POST['add_company'])){
 }
 if(isset($_POST['edit_company'])){
+
+ if($session_user_role != 3){
+ $_SESSION['alert_type'] = "danger";
+ $_SESSION['alert_message'] = "You are not permitted to do that!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
 $company_id = intval($_POST['company_id']);
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
 $address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address'])));
@@ -629,6 +673,14 @@ if(isset($_GET['archive_company'])){
 }
 if(isset($_GET['delete_company'])){
+
+ if($session_user_role != 3){
+ $_SESSION['alert_type'] = "danger";
+ $_SESSION['alert_message'] = "You are not permitted to do that!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+ exit();
+ }
+
 $company_id = intval($_GET['delete_company']);
 //Get Company Name
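Review bot: In the edit_company hunk the guard's closing `}` runs straight into `$company_id = intval($_POST['company_id']);`, whereas the other six hunks separate the guard from the handler body with a blank line (the hunk counts confirm it: this one adds 7 lines, the others 7 or 8 with the trailing blank). Matching the others keeps the block visually distinct from the input handling that follows, which is the point of placing the check first. The edit_company handler continues past the hunk.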