From ab8f51622f06d019a3fd02a9a9b50afad1ec08f1 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Fri, 1 Aug 2025 18:30:32 -0400 Subject: [PATCH] Started Removing logging comments as its implied in user posts also if returning 1 field for logging use getFieldById Function flipped it so it validate CSRF before role permission check --- user/post/account.php | 20 +++++------- user/post/asset.php | 71 ++++++++++++++++++------------------------- 2 files changed, 37 insertions(+), 54 deletions(-) diff --git a/user/post/account.php b/user/post/account.php index 3bacab76..d0e5626c 100644 --- a/user/post/account.php +++ b/user/post/account.php @@ -7,6 +7,7 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); if (isset($_POST['add_account'])) { + enforceUserPermission('module_financial', 2); validateCSRFToken($_POST['csrf_token']); @@ -17,7 +18,6 @@ if (isset($_POST['add_account'])) { mysqli_query($mysqli,"INSERT INTO accounts SET account_name = '$name', opening_balance = $opening_balance, account_currency_code = '$currency_code', account_notes = '$notes'"); - // Logging logAction("Account", "Create", "$session_name created account $name"); flash_alert("Account $name created"); @@ -27,6 +27,7 @@ if (isset($_POST['add_account'])) { } if (isset($_POST['edit_account'])) { + enforceUserPermission('module_financial', 2); validateCSRFToken($_POST['csrf_token']); @@ -36,7 +37,6 @@ if (isset($_POST['edit_account'])) { mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_notes = '$notes' WHERE account_id = $account_id"); - // Logging logAction("Account", "Edit", "$session_name edited account $name"); flash_alert("Account $name edited"); 
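Review bot: In add_account the new `enforceUserPermission('module_financial', 2);` sits above `validateCSRFToken($_POST['csrf_token']);`, which is the opposite of what the commit message describes and of the order this same commit establishes in asset.php. Whichever order is chosen should be the same in every handler; checking the token first means a forged cross-site request fails before any role lookup runs, which is the cheaper and less informative failure. Suggest swapping the two lines so the handler reads `validateCSRFToken($_POST['csrf_token']);` then `enforceUserPermission('module_financial', 2);`, and the same in edit_account and archive_account below.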
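Review bot: `opening_balance = $opening_balance` is interpolated unquoted into the INSERT kept on the new side of this hunk, while `$name`, `$notes` and `$currency_code` are at least quoted; the assignments that would cast or escape these values sit above the hunk and are not visible here. If `$opening_balance` is not numerically cast before this point it is a SQL injection sink, so either make the cast explicit where the value is read, `$opening_balance = floatval($_POST['opening_balance']);`, or move the statement to a prepared query with bound parameters. The add_account handler body starts above this hunk.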
@@ -46,22 +46,19 @@ if (isset($_POST['edit_account'])) { } if (isset($_GET['archive_account'])) { + enforceUserPermission('module_financial', 2); validateCSRFToken($_GET['csrf_token']); $account_id = intval($_GET['archive_account']); - // Get Account Name for logging - $sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id"); - $row = mysqli_fetch_array($sql); - $account_name = sanitizeInput($row['account_name']); + $account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name')); mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id"); - // Logging logAction("Account", "Archive", "$session_name archived account $account_name"); - flash_alert("Account $account_name archived"); + flash_alert("Account $account_name archived", 'error'); redirect(); @@ -69,18 +66,15 @@ if (isset($_GET['archive_account'])) { // Not used anywhere? if (isset($_GET['delete_account'])) { + enforceUserPermission('module_financial', 3); $account_id = intval($_GET['delete_account']); - // Get Account Name for logging - $sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id"); - $row = mysqli_fetch_array($sql); - $account_name = sanitizeInput($row['account_name']); + $account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name')); mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id"); - //Logging logAction("Account", "Delete", "$session_name deleted account $account_name"); flash_alert("Account $account_name deleted", 'error'); diff --git a/user/post/asset.php b/user/post/asset.php index baaefcf1..e79954e6 100644 --- a/user/post/asset.php +++ b/user/post/asset.php 
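Review bot: The delete_account handler gains `enforceUserPermission('module_financial', 3);` but, unlike archive_account directly above it, still has no `validateCSRFToken($_GET['csrf_token']);` before the DELETE, so a logged-in user with that role can be made to delete an account by following a crafted link. Either add the token check immediately after the permission line or, given the `// Not used anywhere?` comment, remove the handler instead of hardening dead code. Separately, if `getFieldById` returns an empty value for an unknown id (its contract isn't visible here) the DELETE runs against a nonexistent row and the audit line records an empty name, so a `if (empty($account_name)) { redirect(); }` guard before the query would keep the log meaningful.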
@@ -8,9 +8,9 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); if (isset($_POST['add_asset'])) { - enforceUserPermission('module_support', 2); - validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_support', 2); require_once 'asset_model.php'; @@ -41,7 +41,6 @@ if (isset($_POST['add_asset'])) { // Add Primary Interface mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = '01', interface_mac = '$mac', interface_ip = '$ip', interface_nat_ip = '$nat_ip', interface_ipv6 = '$ipv6', interface_primary = 1, interface_network_id = $network, interface_asset_id = $asset_id"); - if (!empty($_POST['username'])) { $username = trim(mysqli_real_escape_string($mysqli, encryptCredentialEntry($_POST['username']))); $password = trim(mysqli_real_escape_string($mysqli, encryptCredentialEntry($_POST['password']))); @@ -50,7 +49,6 @@ if (isset($_POST['add_asset'])) { $credential_id = mysqli_insert_id($mysqli); - //Logging logAction("Credential", "Create", "$session_name created login credential for asset $asset_name", $client_id, $credential_id); $alert_extended = " along with login credentials"; @@ -60,10 +58,9 @@ if (isset($_POST['add_asset'])) { // Add to History mysqli_query($mysqli,"INSERT INTO asset_history SET asset_history_status = '$status', asset_history_description = '$session_name created $name', asset_history_asset_id = $asset_id"); - //Logging logAction("Asset", "Create", "$session_name created asset $name", $client_id, $asset_id); - $_SESSION['alert_message'] = "Asset $name created $alert_extended"; + flash_alert("Asset $name created $alert_extended"); redirect(); @@ -71,10 +68,10 @@ if (isset($_POST['add_asset'])) { if (isset($_POST['edit_asset'])) { - enforceUserPermission('module_support', 2); - validateCSRFToken($_POST['csrf_token']); - + + enforceUserPermission('module_support', 2); + require_once 'asset_model.php'; $asset_id = intval($_POST['asset_id']); 
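Review bot: The credential audit entry kept in this hunk names the asset as `$asset_name`, whereas the asset's own log line and the flash message a few lines down use `$name`; unless asset_model.php (required above, not visible here) defines `$asset_name`, the credential log is written as 'created login credential for asset ' with no name after it. Suggest `logAction("Credential", "Create", "$session_name created login credential for asset $name", $client_id, $credential_id);` so both audit records refer to the same variable. The add_asset handler body starts above this hunk.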
@@ -122,9 +119,9 @@ if (isset($_POST['edit_asset'])) { if (isset($_GET['archive_asset'])) { - enforceUserPermission('module_support', 2); - validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_support', 2); $asset_id = intval($_GET['archive_asset']); @@ -136,11 +133,9 @@ if (isset($_GET['archive_asset'])) { mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NOW() WHERE asset_id = $asset_id"); - //logging logAction("Asset", "Archive", "$session_name archived asset $asset_name", $client_id, $asset_id); - $_SESSION['alert_type'] = "error"; - $_SESSION['alert_message'] = "Asset $asset_name archived"; + flash_alert("Asset $asset_name archived", 'error'); redirect(); @@ -148,9 +143,9 @@ if (isset($_GET['archive_asset'])) { if (isset($_GET['unarchive_asset'])) { - enforceUserPermission('module_support', 2); - validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_support', 2); $asset_id = intval($_GET['unarchive_asset']); @@ -162,10 +157,9 @@ if (isset($_GET['unarchive_asset'])) { mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NULL WHERE asset_id = $asset_id"); - // Logging logAction("Asset", "Unarchive", "$session_name unarchived asset $asset_name", $client_id, $asset_id); - $_SESSION['alert_message'] = "Asset $asset_name Unarchived"; + flash_alert("Asset $asset_name Unarchived"); redirect(); @@ -173,9 +167,9 @@ if (isset($_GET['unarchive_asset'])) { if (isset($_GET['delete_asset'])) { - enforceUserPermission('module_support', 3); - validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_support', 3); $asset_id = intval($_GET['delete_asset']); 
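Review bot: archive_asset, unarchive_asset and delete_asset remain GET handlers whose anti-CSRF token is read from `$_GET['csrf_token']`, so the token travels in the URL, where it can end up in browser history, server and proxy logs, and the Referer header of whatever page the redirect lands on. The reorder in this commit keeps the check in place, which is fine; the larger improvement would be to drive these three state-changing actions from small POST forms carrying the token as a hidden field, reading `$_POST['archive_asset']` and `$_POST['csrf_token']` instead, with the rest of each handler unchanged. Each of these handler bodies continues past its hunk.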
@@ -187,11 +181,9 @@ if (isset($_GET['delete_asset'])) { mysqli_query($mysqli,"DELETE FROM assets WHERE asset_id = $asset_id"); - // Logging logAction("Asset", "Delete", "$session_name deleted asset $asset_name", $client_id); - $_SESSION['alert_type'] = "error"; - $_SESSION['alert_message'] = "Asset $asset_name deleted"; + flash_alert("Asset $asset_name deleted"); redirect(); @@ -199,10 +191,10 @@ if (isset($_GET['delete_asset'])) { if (isset($_POST['bulk_assign_asset_location'])) { - enforceUserPermission('module_support', 2); - validateCSRFToken($_POST['csrf_token']); - + + enforceUserPermission('module_support', 2); + $location_id = intval($_POST['bulk_location_id']); // Get Location name and client id for logging and alert @@ -221,21 +213,20 @@ if (isset($_POST['bulk_assign_asset_location'])) { $asset_id = intval($asset_id); // Get Asset Details for Logging - $sql = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id"); + $sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id"); $row = mysqli_fetch_array($sql); $asset_name = sanitizeInput($row['asset_name']); + $client_id = intval($row['asset_client_id']); mysqli_query($mysqli,"UPDATE assets SET asset_location_id = $location_id WHERE asset_id = $asset_id"); - //Logging logAction("Asset", "Edit", "$session_name assigned asset $asset_name to location $location_name", $client_id, $asset_id); } // End Assign Location Loop - // Bulk Logging logAction("Asset", "Bulk Edit", "$session_name assigned $asset_count assets to location $location_name", $client_id); - $_SESSION['alert_message'] = "You assigned $asset_count assets to location $location_name"; + flash_alert("You assigned $asset_count assets to location $location_name"); } redirect(); 
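Review bot: `flash_alert("Asset $asset_name deleted");` drops the `'error'` type that the removed `$_SESSION['alert_type'] = "error";` line set, while the archive handler in this same commit keeps it via `flash_alert(..., 'error')`, so a destructive delete now renders as a plain success notice. Suggest `flash_alert("Asset $asset_name deleted", 'error');`. The delete log call kept here also passes `$client_id` but no asset id, unlike the archive and unarchive entries, so the audit record cannot be tied back to the deleted row; if the id is still useful after deletion, append `$asset_id` as the fifth argument.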
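Review bot: `$client_id = intval($row['asset_client_id']);` inside the loop overwrites the `$client_id` that the `// Get Location name and client id for logging and alert` lookup above the hunk appears to set from the location, so the post-loop bulk log entry is now attributed to whichever asset happened to be iterated last. More importantly nothing visible compares the asset's client with the location's client before `UPDATE assets SET asset_location_id = $location_id`, so an asset belonging to one client can be pointed at another client's location; nor is `$row` checked, so an unknown id produces warnings and a log line with an empty name. I would keep the location's client in its own variable (assumed `$location_client_id` below), skip mismatched or missing assets, and if `$asset_count` is computed before the loop, count only the assets actually updated. The loop starts above this hunk.
```php
// … unchanged: location lookup; keep its client id as $location_client_id rather than $client_id …
$sql = mysqli_query($mysqli, "SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
// Skip unknown assets and assets that belong to a different client than the location
if (!$row || intval($row['asset_client_id']) !== $location_client_id) {
    continue;
}
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
// … unchanged: UPDATE and per-asset logAction …
```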
@@ -244,10 +235,10 @@ if (isset($_POST['bulk_assign_asset_location'])) { if (isset($_POST['bulk_assign_asset_physical_location'])) { - enforceUserPermission('module_support', 2); - validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_support', 2); + $physical_location = sanitizeInput($_POST['physical_location']); // Assign Physical Location to Selected Assets @@ -267,26 +258,25 @@ if (isset($_POST['bulk_assign_asset_physical_location'])) { mysqli_query($mysqli,"UPDATE assets SET asset_physical_location = '$physical_location' WHERE asset_id = $asset_id"); - //Logging logAction("Asset", "Edit", "$session_name set asset $asset_name to physical location $physical_location", $client_id, $asset_id); } // End Assign Location Loop - // Bulk Logging logAction("Asset", "Bulk Edit", "$session_name set $asset_count assets to physical location $physical_location", $client_id); - $_SESSION['alert_message'] = "You moved $asset_count assets to location $physical_location"; + flash_alert("You moved $asset_count assets to location $physical_location"); } redirect(); + } if (isset($_POST['bulk_transfer_client_asset'])) { - enforceUserPermission('module_support', 2); - validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_support', 2); + $new_client_id = intval($_POST['bulk_client_id']); // Transfer selected asset to new client @@ -310,8 +300,7 @@ if (isset($_POST['bulk_transfer_client_asset'])) { $current_client_name = sanitizeInput($row['client_name']); // Get new client name for logging - $row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $new_client_id")); - $new_client_name = sanitizeInput($row['client_name']); + $new_client_name = sanitizeInput(getFieldById('clients', $new_client_id, 'client_name')); // Create new asset mysqli_query($mysqli, " 
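Review bot: `$new_client_name = sanitizeInput(getFieldById('clients', $new_client_id, 'client_name'));` looks the target client up by an id taken straight from `$_POST['bulk_client_id']`, but nothing in the hunk stops the transfer when no such client exists; if `getFieldById` returns an empty value for an unknown id (its contract isn't visible here), the loop re-creates assets under a dangling client id and logs 'transferred N assets to ' with no name. Suggest resolving the name once before the loop, right after `$new_client_id = intval($_POST['bulk_client_id']);`, and bailing out on a miss: `if (empty($new_client_name)) { flash_alert("Client not found", 'error'); redirect(); }`. The transfer loop starts above this hunk and continues below it.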
@@ -357,13 +346,13 @@ if (isset($_POST['bulk_transfer_client_asset'])) { } // End Transfer to Client Loop - // Bulk Logging logAction("Asset", "Bulk Transfer", "$session_name transferred $asset_count assets to $new_client_name", $new_client_id); - $_SESSION['alert_message'] = "Transferred $asset_count assets to $new_client_name."; + flash_alert("Transferred $asset_count assets to $new_client_name."); } redirect(); + } if (isset($_POST['bulk_assign_asset_contact'])) {