AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-02-28 19:04:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Started Removing logging comments as its implied in user posts also if returning 1 field for logging use getFieldById Function flipped it so it validate CSRF before role permission check

Browse Source
This commit is contained in:
johnnyq
2025-08-01 18:30:32 -04:00
parent fae7e76721
commit ab8f51622f
2 changed files with 37 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
user/post/account.php
View File

@@ -7,6 +7,7 @@
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
@@ -17,7 +18,6 @@ if (isset($_POST['add_account'])) {
mysqli_query($mysqli,"INSERT INTO accounts SET account_name = '$name', opening_balance = $opening_balance, account_currency_code = '$currency_code', account_notes = '$notes'");
// Logging
logAction("Account", "Create", "$session_name created account $name");
flash_alert("Account <strong>$name</strong> created");
@@ -27,6 +27,7 @@ if (isset($_POST['add_account'])) {
}
if (isset($_POST['edit_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
@@ -36,7 +37,6 @@ if (isset($_POST['edit_account'])) {
mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_notes = '$notes' WHERE account_id = $account_id");
// Logging
logAction("Account", "Edit", "$session_name edited account $name");
flash_alert("Account <strong>$name</strong> edited");
@@ -46,22 +46,19 @@ if (isset($_POST['edit_account'])) {
}
if (isset($_GET['archive_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_GET['csrf_token']);
$account_id = intval($_GET['archive_account']);
// Get Account Name for logging
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
$row = mysqli_fetch_array($sql);
$account_name = sanitizeInput($row['account_name']);
$account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name'));
mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id");
// Logging
logAction("Account", "Archive", "$session_name archived account $account_name");
flash_alert("Account <strong>$account_name</strong> archived");
flash_alert("Account <strong>$account_name</strong> archived", 'error');
redirect();
@@ -69,18 +66,15 @@ if (isset($_GET['archive_account'])) {
// Not used anywhere?
if (isset($_GET['delete_account'])) {
enforceUserPermission('module_financial', 3);
$account_id = intval($_GET['delete_account']);
// Get Account Name for logging
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
$row = mysqli_fetch_array($sql);
$account_name = sanitizeInput($row['account_name']);
$account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name'));
mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id");
//Logging
logAction("Account", "Delete", "$session_name deleted account $account_name");
flash_alert("Account <strong>$account_name</strong> deleted", 'error');