AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-03 20:34:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restrict user (agent) create/edit/delete actions to admins only

Browse Source
This commit is contained in:
Marcus Hill
2022-03-27 15:39:27 +01:00
parent e6a314d233
commit a6a7bf1f30
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
post.php
View File

@@ -51,6 +51,13 @@ if(isset($_GET['switch_company'])){
if(isset($_POST['add_user'])){ if(isset($_POST['add_user'])){
if($session_user_role != 3){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "You are not permitted to do that!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
@@ -126,6 +133,13 @@ if(isset($_POST['add_user'])){
if(isset($_POST['edit_user'])){ if(isset($_POST['edit_user'])){
if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "You are not permitted to do that!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$user_id = intval($_POST['user_id']); $user_id = intval($_POST['user_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
@@ -333,6 +347,14 @@ if(isset($_POST['edit_user_companies'])){
} }
if(isset($_GET['archive_user'])){ if(isset($_GET['archive_user'])){
if($session_user_role != 3){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "You are not permitted to do that!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$user_id = intval($_GET['archive_user']); $user_id = intval($_GET['archive_user']);
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $user_id"); mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $user_id");
@@ -352,6 +374,14 @@ if(isset($_GET['archive_user'])){
} }
if(isset($_GET['delete_user'])){ if(isset($_GET['delete_user'])){
if($session_user_role != 3){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "You are not permitted to do that!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$user_id = intval($_GET['delete_user']); $user_id = intval($_GET['delete_user']);
mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $user_id"); mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $user_id");
@@ -435,6 +465,13 @@ if(isset($_GET['delete_api_key'])){
if(isset($_POST['add_company'])){ if(isset($_POST['add_company'])){
if($session_user_role != 3){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "You are not permitted to do that!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address']))); $address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address'])));
$city = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['city']))); $city = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['city'])));
@@ -533,6 +570,13 @@ if(isset($_POST['add_company'])){
} }
if(isset($_POST['edit_company'])){ if(isset($_POST['edit_company'])){
if($session_user_role != 3){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "You are not permitted to do that!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$company_id = intval($_POST['company_id']); $company_id = intval($_POST['company_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address']))); $address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address'])));
@@ -629,6 +673,14 @@ if(isset($_GET['archive_company'])){
} }
if(isset($_GET['delete_company'])){ if(isset($_GET['delete_company'])){
if($session_user_role != 3){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "You are not permitted to do that!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$company_id = intval($_GET['delete_company']); $company_id = intval($_GET['delete_company']);
//Get Company Name //Get Company Name