Move more things to new role perms system

2024-12-20 11:23:41 +00:00 · 2024-12-20 11:23:41 +00:00 · bd7a156800
parent dacbc51f95
commit bd7a156800
2 changed files with 11 additions and 8 deletions
--- a/check_login.php
+++ b/check_login.php
@ -59,6 +59,8 @@ $session_user_role = intval($row['user_role']);
 $session_user_role_display = sanitizeInput($row['user_role_name']);
 if (isset($row['user_role_is_admin']) && $row['user_role_is_admin'] == 1) {
    $session_is_admin = true;
+} else {
+    $session_is_admin = false;
 }
 $session_user_config_force_mfa = intval($row['user_config_force_mfa']);
 $user_config_records_per_page = intval($row['user_config_records_per_page']);
@ -88,12 +90,13 @@ try {

    $client_access_string = implode(',', $client_access_array);

-    // Role / Client Access Permission Check
-    if ($session_user_role < 3 && !empty($client_access_string)) {
+    // Client access permission check
+    //  Default allow, if a list of allowed clients is set & the user isn't an admin, restrict them
+    $access_permission_query = "";
+    if ($client_access_string && !$session_is_admin) {
        $access_permission_query = "AND clients.client_id IN ($client_access_string)";
-    } else {
-        $access_permission_query = "";
    }
+
 } catch (Exception $e) {
    // Handle exception
    error_log('MySQL error: ' . $e->getMessage());
--- a/inc_all_client.php
+++ b/inc_all_client.php
@ -12,8 +12,9 @@ enforceUserPermission('module_client');
 if (isset($_GET['client_id'])) {
    $client_id = intval($_GET['client_id']);

-    // Check to see if the logged in user has permission to access this client (Admins have access to all no matter what perms are set)
-    if(!in_array($client_id, $client_access_array) AND !empty($client_access_string) AND $session_user_role < 3) {
+    // Client Access Check
+    //  Ensure the user has permission to access this client (admins ignored)
+    if (!in_array($client_id, $client_access_array) AND !empty($client_access_string) AND !$session_is_admin) {
        // Logging
        mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client', log_action = 'Access', log_description = '$session_name was denied permission from accessing client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $client_id");

@ -21,7 +22,6 @@ if (isset($_GET['client_id'])) {
        $_SESSION['alert_message'] = "Access Denied - You do not have permission to access that client!";

        echo "<script>window.history.back();</script>";
-
        exit();
    }

@ -310,4 +310,4 @@ require_once "filter_header.php";
 ?>

 <!-- Set the browser window title to the clients name -->
-<script>document.title = "<?php echo $client_name_title; ?>"</script>
+<script>document.title = "<?php echo $client_name_title; ?>"</script>