mirror of
https://github.com/itflow-org/itflow
synced 2026-03-09 15:24:51 +00:00
Started Removing logging comments as its implied in user posts also if returning 1 field for logging use getFieldById Function flipped it so it validate CSRF before role permission check
This commit is contained in:
johnnyq
@@ -7,6 +7,7 @@
|
|||||||
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||||
|
|
||||||
if (isset($_POST['add_account'])) {
|
if (isset($_POST['add_account'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_financial', 2);
|
enforceUserPermission('module_financial', 2);
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
@@ -17,7 +18,6 @@ if (isset($_POST['add_account'])) {
|
|||||||
|
|
||||||
mysqli_query($mysqli,"INSERT INTO accounts SET account_name = '$name', opening_balance = $opening_balance, account_currency_code = '$currency_code', account_notes = '$notes'");
|
mysqli_query($mysqli,"INSERT INTO accounts SET account_name = '$name', opening_balance = $opening_balance, account_currency_code = '$currency_code', account_notes = '$notes'");
|
||||||
|
|
||||||
// Logging
|
|
||||||
logAction("Account", "Create", "$session_name created account $name");
|
logAction("Account", "Create", "$session_name created account $name");
|
||||||
|
|
||||||
flash_alert("Account <strong>$name</strong> created");
|
flash_alert("Account <strong>$name</strong> created");
|
||||||
@@ -27,6 +27,7 @@ if (isset($_POST['add_account'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['edit_account'])) {
|
if (isset($_POST['edit_account'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_financial', 2);
|
enforceUserPermission('module_financial', 2);
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
@@ -36,7 +37,6 @@ if (isset($_POST['edit_account'])) {
|
|||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_notes = '$notes' WHERE account_id = $account_id");
|
mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_notes = '$notes' WHERE account_id = $account_id");
|
||||||
|
|
||||||
// Logging
|
|
||||||
logAction("Account", "Edit", "$session_name edited account $name");
|
logAction("Account", "Edit", "$session_name edited account $name");
|
||||||
|
|
||||||
flash_alert("Account <strong>$name</strong> edited");
|
flash_alert("Account <strong>$name</strong> edited");
|
||||||
@@ -46,22 +46,19 @@ if (isset($_POST['edit_account'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_GET['archive_account'])) {
|
if (isset($_GET['archive_account'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_financial', 2);
|
enforceUserPermission('module_financial', 2);
|
||||||
|
|
||||||
validateCSRFToken($_GET['csrf_token']);
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
$account_id = intval($_GET['archive_account']);
|
$account_id = intval($_GET['archive_account']);
|
||||||
|
|
||||||
// Get Account Name for logging
|
$account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name'));
|
||||||
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
|
|
||||||
$row = mysqli_fetch_array($sql);
|
|
||||||
$account_name = sanitizeInput($row['account_name']);
|
|
||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id");
|
mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id");
|
||||||
|
|
||||||
// Logging
|
|
||||||
logAction("Account", "Archive", "$session_name archived account $account_name");
|
logAction("Account", "Archive", "$session_name archived account $account_name");
|
||||||
|
|
||||||
flash_alert("Account <strong>$account_name</strong> archived");
|
flash_alert("Account <strong>$account_name</strong> archived", 'error');
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
|
|
||||||
@@ -69,18 +66,15 @@ if (isset($_GET['archive_account'])) {
|
|||||||
|
|
||||||
// Not used anywhere?
|
// Not used anywhere?
|
||||||
if (isset($_GET['delete_account'])) {
|
if (isset($_GET['delete_account'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_financial', 3);
|
enforceUserPermission('module_financial', 3);
|
||||||
|
|
||||||
$account_id = intval($_GET['delete_account']);
|
$account_id = intval($_GET['delete_account']);
|
||||||
|
|
||||||
// Get Account Name for logging
|
$account_name = sanitizeInput(getFieldById('accounts', $account_id, 'account_name'));
|
||||||
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
|
|
||||||
$row = mysqli_fetch_array($sql);
|
|
||||||
$account_name = sanitizeInput($row['account_name']);
|
|
||||||
|
|
||||||
mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id");
|
mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id");
|
||||||
|
|
||||||
//Logging
|
|
||||||
logAction("Account", "Delete", "$session_name deleted account $account_name");
|
logAction("Account", "Delete", "$session_name deleted account $account_name");
|
||||||
|
|
||||||
flash_alert("Account <strong>$account_name</strong> deleted", 'error');
|
flash_alert("Account <strong>$account_name</strong> deleted", 'error');
|
||||||
|
|||||||
@@ -8,9 +8,9 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
|||||||
|
|
||||||
if (isset($_POST['add_asset'])) {
|
if (isset($_POST['add_asset'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 2);
|
|
||||||
|
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 2);
|
||||||
|
|
||||||
require_once 'asset_model.php';
|
require_once 'asset_model.php';
|
||||||
|
|
||||||
@@ -41,7 +41,6 @@ if (isset($_POST['add_asset'])) {
|
|||||||
// Add Primary Interface
|
// Add Primary Interface
|
||||||
mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = '01', interface_mac = '$mac', interface_ip = '$ip', interface_nat_ip = '$nat_ip', interface_ipv6 = '$ipv6', interface_primary = 1, interface_network_id = $network, interface_asset_id = $asset_id");
|
mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = '01', interface_mac = '$mac', interface_ip = '$ip', interface_nat_ip = '$nat_ip', interface_ipv6 = '$ipv6', interface_primary = 1, interface_network_id = $network, interface_asset_id = $asset_id");
|
||||||
|
|
||||||
|
|
||||||
if (!empty($_POST['username'])) {
|
if (!empty($_POST['username'])) {
|
||||||
$username = trim(mysqli_real_escape_string($mysqli, encryptCredentialEntry($_POST['username'])));
|
$username = trim(mysqli_real_escape_string($mysqli, encryptCredentialEntry($_POST['username'])));
|
||||||
$password = trim(mysqli_real_escape_string($mysqli, encryptCredentialEntry($_POST['password'])));
|
$password = trim(mysqli_real_escape_string($mysqli, encryptCredentialEntry($_POST['password'])));
|
||||||
@@ -50,7 +49,6 @@ if (isset($_POST['add_asset'])) {
|
|||||||
|
|
||||||
$credential_id = mysqli_insert_id($mysqli);
|
$credential_id = mysqli_insert_id($mysqli);
|
||||||
|
|
||||||
//Logging
|
|
||||||
logAction("Credential", "Create", "$session_name created login credential for asset $asset_name", $client_id, $credential_id);
|
logAction("Credential", "Create", "$session_name created login credential for asset $asset_name", $client_id, $credential_id);
|
||||||
|
|
||||||
$alert_extended = " along with login credentials";
|
$alert_extended = " along with login credentials";
|
||||||
@@ -60,10 +58,9 @@ if (isset($_POST['add_asset'])) {
|
|||||||
// Add to History
|
// Add to History
|
||||||
mysqli_query($mysqli,"INSERT INTO asset_history SET asset_history_status = '$status', asset_history_description = '$session_name created $name', asset_history_asset_id = $asset_id");
|
mysqli_query($mysqli,"INSERT INTO asset_history SET asset_history_status = '$status', asset_history_description = '$session_name created $name', asset_history_asset_id = $asset_id");
|
||||||
|
|
||||||
//Logging
|
|
||||||
logAction("Asset", "Create", "$session_name created asset $name", $client_id, $asset_id);
|
logAction("Asset", "Create", "$session_name created asset $name", $client_id, $asset_id);
|
||||||
|
|
||||||
$_SESSION['alert_message'] = "Asset <strong>$name</strong> created $alert_extended";
|
flash_alert("Asset <strong>$name</strong> created $alert_extended");
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
|
|
||||||
@@ -71,10 +68,10 @@ if (isset($_POST['add_asset'])) {
|
|||||||
|
|
||||||
if (isset($_POST['edit_asset'])) {
|
if (isset($_POST['edit_asset'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 2);
|
|
||||||
|
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 2);
|
||||||
|
|
||||||
require_once 'asset_model.php';
|
require_once 'asset_model.php';
|
||||||
$asset_id = intval($_POST['asset_id']);
|
$asset_id = intval($_POST['asset_id']);
|
||||||
|
|
||||||
@@ -122,9 +119,9 @@ if (isset($_POST['edit_asset'])) {
|
|||||||
|
|
||||||
if (isset($_GET['archive_asset'])) {
|
if (isset($_GET['archive_asset'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 2);
|
|
||||||
|
|
||||||
validateCSRFToken($_GET['csrf_token']);
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 2);
|
||||||
|
|
||||||
$asset_id = intval($_GET['archive_asset']);
|
$asset_id = intval($_GET['archive_asset']);
|
||||||
|
|
||||||
@@ -136,11 +133,9 @@ if (isset($_GET['archive_asset'])) {
|
|||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NOW() WHERE asset_id = $asset_id");
|
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NOW() WHERE asset_id = $asset_id");
|
||||||
|
|
||||||
//logging
|
|
||||||
logAction("Asset", "Archive", "$session_name archived asset $asset_name", $client_id, $asset_id);
|
logAction("Asset", "Archive", "$session_name archived asset $asset_name", $client_id, $asset_id);
|
||||||
|
|
||||||
$_SESSION['alert_type'] = "error";
|
flash_alert("Asset <strong>$asset_name</strong> archived", 'error');
|
||||||
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> archived";
|
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
|
|
||||||
@@ -148,9 +143,9 @@ if (isset($_GET['archive_asset'])) {
|
|||||||
|
|
||||||
if (isset($_GET['unarchive_asset'])) {
|
if (isset($_GET['unarchive_asset'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 2);
|
|
||||||
|
|
||||||
validateCSRFToken($_GET['csrf_token']);
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 2);
|
||||||
|
|
||||||
$asset_id = intval($_GET['unarchive_asset']);
|
$asset_id = intval($_GET['unarchive_asset']);
|
||||||
|
|
||||||
@@ -162,10 +157,9 @@ if (isset($_GET['unarchive_asset'])) {
|
|||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NULL WHERE asset_id = $asset_id");
|
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NULL WHERE asset_id = $asset_id");
|
||||||
|
|
||||||
// Logging
|
|
||||||
logAction("Asset", "Unarchive", "$session_name unarchived asset $asset_name", $client_id, $asset_id);
|
logAction("Asset", "Unarchive", "$session_name unarchived asset $asset_name", $client_id, $asset_id);
|
||||||
|
|
||||||
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> Unarchived";
|
flash_alert("Asset <strong>$asset_name</strong> Unarchived");
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
|
|
||||||
@@ -173,9 +167,9 @@ if (isset($_GET['unarchive_asset'])) {
|
|||||||
|
|
||||||
if (isset($_GET['delete_asset'])) {
|
if (isset($_GET['delete_asset'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 3);
|
|
||||||
|
|
||||||
validateCSRFToken($_GET['csrf_token']);
|
validateCSRFToken($_GET['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 3);
|
||||||
|
|
||||||
$asset_id = intval($_GET['delete_asset']);
|
$asset_id = intval($_GET['delete_asset']);
|
||||||
|
|
||||||
@@ -187,11 +181,9 @@ if (isset($_GET['delete_asset'])) {
|
|||||||
|
|
||||||
mysqli_query($mysqli,"DELETE FROM assets WHERE asset_id = $asset_id");
|
mysqli_query($mysqli,"DELETE FROM assets WHERE asset_id = $asset_id");
|
||||||
|
|
||||||
// Logging
|
|
||||||
logAction("Asset", "Delete", "$session_name deleted asset $asset_name", $client_id);
|
logAction("Asset", "Delete", "$session_name deleted asset $asset_name", $client_id);
|
||||||
|
|
||||||
$_SESSION['alert_type'] = "error";
|
flash_alert("Asset <strong>$asset_name</strong> deleted");
|
||||||
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> deleted";
|
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
|
|
||||||
@@ -199,10 +191,10 @@ if (isset($_GET['delete_asset'])) {
|
|||||||
|
|
||||||
if (isset($_POST['bulk_assign_asset_location'])) {
|
if (isset($_POST['bulk_assign_asset_location'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 2);
|
|
||||||
|
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 2);
|
||||||
|
|
||||||
$location_id = intval($_POST['bulk_location_id']);
|
$location_id = intval($_POST['bulk_location_id']);
|
||||||
|
|
||||||
// Get Location name and client id for logging and alert
|
// Get Location name and client id for logging and alert
|
||||||
@@ -221,21 +213,20 @@ if (isset($_POST['bulk_assign_asset_location'])) {
|
|||||||
$asset_id = intval($asset_id);
|
$asset_id = intval($asset_id);
|
||||||
|
|
||||||
// Get Asset Details for Logging
|
// Get Asset Details for Logging
|
||||||
$sql = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id");
|
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
|
||||||
$row = mysqli_fetch_array($sql);
|
$row = mysqli_fetch_array($sql);
|
||||||
$asset_name = sanitizeInput($row['asset_name']);
|
$asset_name = sanitizeInput($row['asset_name']);
|
||||||
|
$client_id = intval($row['asset_client_id']);
|
||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE assets SET asset_location_id = $location_id WHERE asset_id = $asset_id");
|
mysqli_query($mysqli,"UPDATE assets SET asset_location_id = $location_id WHERE asset_id = $asset_id");
|
||||||
|
|
||||||
//Logging
|
|
||||||
logAction("Asset", "Edit", "$session_name assigned asset $asset_name to location $location_name", $client_id, $asset_id);
|
logAction("Asset", "Edit", "$session_name assigned asset $asset_name to location $location_name", $client_id, $asset_id);
|
||||||
|
|
||||||
} // End Assign Location Loop
|
} // End Assign Location Loop
|
||||||
|
|
||||||
// Bulk Logging
|
|
||||||
logAction("Asset", "Bulk Edit", "$session_name assigned $asset_count assets to location $location_name", $client_id);
|
logAction("Asset", "Bulk Edit", "$session_name assigned $asset_count assets to location $location_name", $client_id);
|
||||||
|
|
||||||
$_SESSION['alert_message'] = "You assigned <strong>$asset_count</strong> assets to location <strong>$location_name</strong>";
|
flash_alert("You assigned <strong>$asset_count</strong> assets to location <strong>$location_name</strong>");
|
||||||
}
|
}
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
@@ -244,10 +235,10 @@ if (isset($_POST['bulk_assign_asset_location'])) {
|
|||||||
|
|
||||||
if (isset($_POST['bulk_assign_asset_physical_location'])) {
|
if (isset($_POST['bulk_assign_asset_physical_location'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 2);
|
|
||||||
|
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 2);
|
||||||
|
|
||||||
$physical_location = sanitizeInput($_POST['physical_location']);
|
$physical_location = sanitizeInput($_POST['physical_location']);
|
||||||
|
|
||||||
// Assign Physical Location to Selected Assets
|
// Assign Physical Location to Selected Assets
|
||||||
@@ -267,26 +258,25 @@ if (isset($_POST['bulk_assign_asset_physical_location'])) {
|
|||||||
|
|
||||||
mysqli_query($mysqli,"UPDATE assets SET asset_physical_location = '$physical_location' WHERE asset_id = $asset_id");
|
mysqli_query($mysqli,"UPDATE assets SET asset_physical_location = '$physical_location' WHERE asset_id = $asset_id");
|
||||||
|
|
||||||
//Logging
|
|
||||||
logAction("Asset", "Edit", "$session_name set asset $asset_name to physical location $physical_location", $client_id, $asset_id);
|
logAction("Asset", "Edit", "$session_name set asset $asset_name to physical location $physical_location", $client_id, $asset_id);
|
||||||
|
|
||||||
} // End Assign Location Loop
|
} // End Assign Location Loop
|
||||||
|
|
||||||
// Bulk Logging
|
|
||||||
logAction("Asset", "Bulk Edit", "$session_name set $asset_count assets to physical location $physical_location", $client_id);
|
logAction("Asset", "Bulk Edit", "$session_name set $asset_count assets to physical location $physical_location", $client_id);
|
||||||
|
|
||||||
$_SESSION['alert_message'] = "You moved <strong>$asset_count</strong> assets to location <strong>$physical_location</strong>";
|
flash_alert("You moved <strong>$asset_count</strong> assets to location <strong>$physical_location</strong>");
|
||||||
}
|
}
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['bulk_transfer_client_asset'])) {
|
if (isset($_POST['bulk_transfer_client_asset'])) {
|
||||||
|
|
||||||
enforceUserPermission('module_support', 2);
|
|
||||||
|
|
||||||
validateCSRFToken($_POST['csrf_token']);
|
validateCSRFToken($_POST['csrf_token']);
|
||||||
|
|
||||||
|
enforceUserPermission('module_support', 2);
|
||||||
|
|
||||||
$new_client_id = intval($_POST['bulk_client_id']);
|
$new_client_id = intval($_POST['bulk_client_id']);
|
||||||
|
|
||||||
// Transfer selected asset to new client
|
// Transfer selected asset to new client
|
||||||
@@ -310,8 +300,7 @@ if (isset($_POST['bulk_transfer_client_asset'])) {
|
|||||||
$current_client_name = sanitizeInput($row['client_name']);
|
$current_client_name = sanitizeInput($row['client_name']);
|
||||||
|
|
||||||
// Get new client name for logging
|
// Get new client name for logging
|
||||||
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $new_client_id"));
|
$new_client_name = sanitizeInput(getFieldById('clients', $new_client_id, 'client_name'));
|
||||||
$new_client_name = sanitizeInput($row['client_name']);
|
|
||||||
|
|
||||||
// Create new asset
|
// Create new asset
|
||||||
mysqli_query($mysqli, "
|
mysqli_query($mysqli, "
|
||||||
@@ -357,13 +346,13 @@ if (isset($_POST['bulk_transfer_client_asset'])) {
|
|||||||
|
|
||||||
} // End Transfer to Client Loop
|
} // End Transfer to Client Loop
|
||||||
|
|
||||||
// Bulk Logging
|
|
||||||
logAction("Asset", "Bulk Transfer", "$session_name transferred $asset_count assets to $new_client_name", $new_client_id);
|
logAction("Asset", "Bulk Transfer", "$session_name transferred $asset_count assets to $new_client_name", $new_client_id);
|
||||||
|
|
||||||
$_SESSION['alert_message'] = "Transferred <strong>$asset_count</strong> assets to <strong>$new_client_name</strong>.";
|
flash_alert("Transferred <strong>$asset_count</strong> assets to <strong>$new_client_name</strong>.");
|
||||||
}
|
}
|
||||||
|
|
||||||
redirect();
|
redirect();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_POST['bulk_assign_asset_contact'])) {
|
if (isset($_POST['bulk_assign_asset_contact'])) {
|
||||||
|
|||||||
Reference in New Issue
Block a user