From 10fafacefe7d68361fb0526c31f69ad76eba25db Mon Sep 17 00:00:00 2001 From: wrongecho Date: Fri, 20 Sep 2024 17:59:49 +0100 Subject: [PATCH 1/3] Custom Roles & Permissions Initial enforcement of custom roles & permissions - only on some pages via GET for now. --- accounts.php | 3 + admin_roles.php | 2 +- admin_side_nav.php | 6 + budget.php | 3 + check_login.php | 16 +- client_assets.php | 3 + client_certificates.php | 2 + client_documents.php | 2 + client_domains.php | 2 + client_invoices.php | 2 + client_logins.php | 3 + client_networks.php | 2 + client_payments.php | 2 + client_quotes.php | 2 + client_racks.php | 3 + client_recurring_invoices.php | 2 + client_recurring_tickets.php | 2 + client_services.php | 2 + client_side_nav.php | 401 +++++++++++++++++----------------- client_software.php | 2 + client_tickets.php | 3 + client_vendors.php | 2 + clients.php | 3 + expenses.php | 3 + functions.php | 8 +- inc_all_admin.php | 4 +- inc_all_client.php | 3 + inc_all_reports.php | 3 + invoices.php | 3 + payments.php | 2 + products.php | 3 + projects.php | 3 + quotes.php | 2 + recurring_expenses.php | 2 + recurring_invoices.php | 3 + recurring_tickets.php | 3 + report_assets.php | 3 +- reports_side_nav.php | 178 ++++++++------- revenues.php | 2 + side_nav.php | 110 +++++----- ticket.php | 3 + tickets.php | 3 + transfers.php | 3 + 43 files changed, 469 insertions(+), 345 deletions(-) diff --git a/accounts.php b/accounts.php index 9703d683..ff6cb037 100644 --- a/accounts.php +++ b/accounts.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_financial'); + //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/admin_roles.php b/admin_roles.php index 6a0e3f85..2a13b121 100644 --- a/admin_roles.php +++ b/admin_roles.php @@ -21,7 +21,7 @@ $sql = mysqli_query( $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); ?> -
Roles are not yet active/enforced - do not use.
+
Roles are still in development. Permissions may not be fully be enforced.
diff --git a/admin_side_nav.php b/admin_side_nav.php index 32c703bc..268e2d57 100644 --- a/admin_side_nav.php +++ b/admin_side_nav.php @@ -22,6 +22,12 @@

Users

+
  • + "> + +

    Roles

    +     +
  • "> diff --git a/budget.php b/budget.php index d4ccf9c5..1f136059 100644 --- a/budget.php +++ b/budget.php @@ -2,6 +2,9 @@ require_once "inc_all.php"; +// Perms +enforceUserPermission('module_financial'); + // Fetch categories $query = "SELECT category_id, category_name FROM categories WHERE category_type ='Expense' AND category_archived_at IS NULL"; $result = mysqli_query($mysqli, $query); diff --git a/check_login.php b/check_login.php index 301e98ea..d1be1ac3 100644 --- a/check_login.php +++ b/check_login.php @@ -38,20 +38,20 @@ $session_user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']); $session_user_id = intval($_SESSION['user_id']); -$sql = mysqli_query($mysqli, "SELECT * FROM users, user_settings WHERE users.user_id = user_settings.user_id AND users.user_id = $session_user_id"); +$sql = mysqli_query( + $mysqli, + "SELECT * FROM USERS + LEFT JOIN user_settings ON users.user_id = user_settings.user_id + LEFT JOIN user_roles ON user_settings.user_role = user_roles.user_role_id + WHERE users.user_id = $session_user_id" +); $row = mysqli_fetch_array($sql); $session_name = sanitizeInput($row['user_name']); $session_email = $row['user_email']; $session_avatar = $row['user_avatar']; $session_token = $row['user_token']; $session_user_role = intval($row['user_role']); -if ($session_user_role == 3) { - $session_user_role_display = "Administrator"; -} elseif ($session_user_role == 2) { - $session_user_role_display = "Technician"; -} else { - $session_user_role_display = "Accountant"; -} +$session_user_role_display = sanitizeInput($row['user_role_name']); if (isset($row['user_role_is_admin']) && $row['user_role_is_admin'] == 1) { $session_is_admin = true; } diff --git a/client_assets.php b/client_assets.php index 88d3c586..ad9e70a4 100644 --- a/client_assets.php +++ b/client_assets.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); + //Asset Type from GET if (isset($_GET['type']) && ($_GET['type']) == 'workstation') { $type_query = "asset_type = 'desktop' OR asset_type = 'laptop'"; diff --git a/client_certificates.php b/client_certificates.php index 86eef3fe..33a4aef1 100644 --- a/client_certificates.php +++ b/client_certificates.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_documents.php b/client_documents.php index 439a2894..9d069f7f 100644 --- a/client_documents.php +++ b/client_documents.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); // Folder if (!empty($_GET['folder_id'])) { diff --git a/client_domains.php b/client_domains.php index 83b06fb0..cb64010b 100644 --- a/client_domains.php +++ b/client_domains.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_invoices.php b/client_invoices.php index 0d8172a6..5d8ed646 100644 --- a/client_invoices.php +++ b/client_invoices.php @@ -6,6 +6,8 @@ $order = "DESC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_sales'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_logins.php b/client_logins.php index 8e7c5806..289292c5 100644 --- a/client_logins.php +++ b/client_logins.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_credential'); + // Log when users load the Credentials/Logins page mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'View', log_description = '$session_name viewed the Credentials page for client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id"); diff --git a/client_networks.php b/client_networks.php index a582ae8d..394acc60 100644 --- a/client_networks.php +++ b/client_networks.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); //Rebuild URL $url_query_strings_sb = http_build_query(array_merge($_GET, array('sort' => $sort, 'order' => $order))); diff --git a/client_payments.php b/client_payments.php index d1ea1c68..765ef484 100644 --- a/client_payments.php +++ b/client_payments.php @@ -6,6 +6,8 @@ $order = "DESC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_financial'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_quotes.php b/client_quotes.php index fe1a2538..96dbb573 100644 --- a/client_quotes.php +++ b/client_quotes.php @@ -6,6 +6,8 @@ $order = "DESC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_sales'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_racks.php b/client_racks.php index 68cd0dab..f81407db 100644 --- a/client_racks.php +++ b/client_racks.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); + // Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_recurring_invoices.php b/client_recurring_invoices.php index ee7e125a..f6403e99 100644 --- a/client_recurring_invoices.php +++ b/client_recurring_invoices.php @@ -6,6 +6,8 @@ $order = "DESC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_sales'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_recurring_tickets.php b/client_recurring_tickets.php index e3acf9ac..7fdf87a4 100644 --- a/client_recurring_tickets.php +++ b/client_recurring_tickets.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_services.php b/client_services.php index 73690c0e..b9b00932 100644 --- a/client_services.php +++ b/client_services.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_side_nav.php b/client_side_nav.php index 266c6d8e..b778e1fc 100644 --- a/client_side_nav.php +++ b/client_side_nav.php @@ -51,37 +51,36 @@
    • + = 1) { ?> +
  • SUPPORT
    • - -
  • SUPPORT
    • +
  • + "> + +

    + Tickets + 0) { ?> + + -

  • - "> - -

    - Tickets - 0) { ?> - - +

    +     +
    • -

    - - +
  • + "> + +

    + Recurring + + + -

  • - "> - -

    - Recurring - - - - -

    -     -
    • +

    + + @@ -113,199 +112,207 @@ -
  • DOCUMENTATION
    • +
  • DOCUMENTATION
    • -
  • - "> - -

    - Assets - 0) { ?> - - -

    -     -
    • + = 1) { ?> +
  • + "> + +

    + Assets + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Licenses - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Licenses + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Credentials - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Credentials + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Networks - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Networks + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Racks - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Racks + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Certificates +

  • + "> + +

    + Certificates - 0) { ?> - - -

    -     -
    • + 0) { ?> + + +

    + + -
  • - "> - -

    - Domains +

  • + "> + +

    + Domains - 0) { ?> - - -

    -     -
    • + 0) { ?> + + +

    + + -
  • - "> - -

    - Services - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Services + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Documents - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Documents + 0) { ?> + + +

    +     +
    • + -
  • - "> - -

    - Files - 0) { ?> - - -

    -     -
    • + +
  • + "> + +

    + Files + 0) { ?> + + +

    +     +
    • - 2 && $config_module_enable_accounting == 1) { ?> +
  • FINANCE
    • -
  • - "> - -

    - Invoices - 0) { ?> - - -

    -     -
    • + = 1) { ?> -
  • - "> - -

    - Recurring - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Invoices + 0) { ?> + + +

    +     +
    • +
  • + "> + +

    + Recurring + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Quotes - 0) { ?> - - -

    -     -
    • +
  • + "> + +

    + Quotes + 0) { ?> + + +

    +     +
    • -
  • - "> - -

    - Payments - 0) { ?> - - -

    -     -
    • + + + = 1) { ?> +
  • + "> + +

    + Payments + 0) { ?> + + +

    +     +
    • +
  • "> diff --git a/client_software.php b/client_software.php index c95f4d7b..18fb4b3e 100644 --- a/client_software.php +++ b/client_software.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/client_tickets.php b/client_tickets.php index de2b951a..04d0d60e 100644 --- a/client_tickets.php +++ b/client_tickets.php @@ -7,6 +7,9 @@ $order = "DESC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_support'); + if (isset($_GET['status']) && ($_GET['status']) == 'Closed') { $status = 'Closed'; $ticket_status_snippet = "ticket_resolved_at IS NOT NULL"; diff --git a/client_vendors.php b/client_vendors.php index ddcbbb0f..4a522bd8 100644 --- a/client_vendors.php +++ b/client_vendors.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all_client.php"; +// Perms +enforceUserPermission('module_client'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/clients.php b/clients.php index 49cc56d2..6b7f5cbd 100644 --- a/clients.php +++ b/clients.php @@ -6,6 +6,9 @@ $order = "DESC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_client'); + // Leads Query $leads = 0; diff --git a/expenses.php b/expenses.php index 6db58804..10aac42e 100644 --- a/expenses.php +++ b/expenses.php @@ -6,6 +6,9 @@ $order = "DESC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_financial'); + // Account Filter if (isset($_GET['account']) & !empty($_GET['account'])) { $account_query = 'AND (expense_account_id = ' . intval($_GET['account']) . ')'; diff --git a/functions.php b/functions.php index 4518e8fa..6e895064 100644 --- a/functions.php +++ b/functions.php @@ -1322,7 +1322,11 @@ function enforceUserPermission($module, $check_access_level = 1) { if (!$permitted_access_level || $permitted_access_level < $check_access_level) { $_SESSION['alert_type'] = "danger"; $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; - header("Location: " . $_SERVER["HTTP_REFERER"]); - exit(WORDING_ROLECHECK_FAILED); + $map = [ + "1" => "read", + "2" => "write", + "3" => "full" + ]; + exit(WORDING_ROLECHECK_FAILED . "
    Tell your admin: $map[$check_access_level] access to $module is not permitted for your role."); } } diff --git a/inc_all_admin.php b/inc_all_admin.php index 8bfd19f5..feb7c16a 100644 --- a/inc_all_admin.php +++ b/inc_all_admin.php @@ -6,7 +6,9 @@ require_once "functions.php"; require_once "check_login.php"; -validateAdminRole(); +if (!isset($session_is_admin) || !$session_is_admin) { + exit(WORDING_ROLECHECK_FAILED . "
    Tell your admin: Your role does not have admin access."); +} require_once "header.php"; diff --git a/inc_all_client.php b/inc_all_client.php index 5240ae21..23bb4111 100644 --- a/inc_all_client.php +++ b/inc_all_client.php @@ -6,6 +6,9 @@ require_once "functions.php"; require_once "check_login.php"; +// Perms +enforceUserPermission('module_client'); + if (isset($_GET['client_id'])) { $client_id = intval($_GET['client_id']); diff --git a/inc_all_reports.php b/inc_all_reports.php index 1a37e30e..e3c75281 100644 --- a/inc_all_reports.php +++ b/inc_all_reports.php @@ -6,6 +6,9 @@ require_once "functions.php"; require_once "check_login.php"; +// Reporting Perms +enforceUserPermission('module_reporting'); + require_once "header.php"; require_once "top_nav.php"; diff --git a/invoices.php b/invoices.php index d3533780..5aafab69 100644 --- a/invoices.php +++ b/invoices.php @@ -6,6 +6,9 @@ $order = "DESC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_sales'); + $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent'")); $sent_count = $row['num']; diff --git a/payments.php b/payments.php index 69110afe..b2abd999 100644 --- a/payments.php +++ b/payments.php @@ -6,6 +6,8 @@ $order = "DESC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_financial'); // Payment Method Filter if (isset($_GET['method']) & !empty($_GET['method'])) { diff --git a/products.php b/products.php index 6b28f93e..b57171fe 100644 --- a/products.php +++ b/products.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_sales'); + // Category Filter if (isset($_GET['category']) & !empty($_GET['category'])) { $category_query = 'AND (category_id = ' . intval($_GET['category']) . ')'; diff --git a/projects.php b/projects.php index 0137660c..4cc43623 100644 --- a/projects.php +++ b/projects.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_support'); + // Status Query $status = 0; diff --git a/quotes.php b/quotes.php index 66bc2dcc..b0704adb 100644 --- a/quotes.php +++ b/quotes.php @@ -6,6 +6,8 @@ $order = "DESC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_sales'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/recurring_expenses.php b/recurring_expenses.php index 3cc3696b..67f99c91 100644 --- a/recurring_expenses.php +++ b/recurring_expenses.php @@ -6,6 +6,8 @@ $order = "ASC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_financial'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/recurring_invoices.php b/recurring_invoices.php index e27154d4..3f1094db 100644 --- a/recurring_invoices.php +++ b/recurring_invoices.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_sales'); + //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/recurring_tickets.php b/recurring_tickets.php index e57eaf64..0700d77b 100644 --- a/recurring_tickets.php +++ b/recurring_tickets.php @@ -6,6 +6,9 @@ $order = "ASC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_support'); + // Ticket client access snippet $rec_ticket_permission_snippet = ''; if (!empty($client_access_string)) { diff --git a/report_assets.php b/report_assets.php index 4c1b39af..6eef6f6f 100644 --- a/report_assets.php +++ b/report_assets.php @@ -6,7 +6,8 @@ $order = "ASC"; require_once "inc_all_reports.php"; -validateTechRole(); +// Perms +enforceUserPermission('module_support'); //Asset Type from GET if (isset($_GET['type']) && ($_GET['type']) == 'workstation') { diff --git a/reports_side_nav.php b/reports_side_nav.php index 33eae904..31e1199a 100644 --- a/reports_side_nav.php +++ b/reports_side_nav.php @@ -15,95 +15,106 @@     diff --git a/revenues.php b/revenues.php index 820559f5..c4bd7a4e 100644 --- a/revenues.php +++ b/revenues.php @@ -6,6 +6,8 @@ $order = "DESC"; require_once "inc_all.php"; +// Perms +enforceUserPermission('module_financial'); //Rebuild URL $url_query_strings_sort = http_build_query($get_copy); diff --git a/side_nav.php b/side_nav.php index 80c31e59..7a70a133 100644 --- a/side_nav.php +++ b/side_nav.php @@ -17,61 +17,66 @@

    Dashboard

    • -
  • - "> - -

    - Clients - - - -

    -     -
    • - - = 2 && $config_module_enable_ticketing == 1) { ?> -
  • SUPPORT
    • + = 1) { ?>
  • - "> - + "> +

    - Tickets - - - -

    -     -
    • -
  • - "> - -

    - Recurring - - - -

    -     -
    • -
  • - "> - -

    - Projects - - - + Clients + + +

    • + + = 1) { ?> + +
  • SUPPORT
    • +
  • + "> + +

    + Tickets + + + +

    +     +
    • +
  • + "> + +

    + Recurring + + + +

    +     +
    • +
  • + "> + +

    + Projects + + + +

    +     +
    • + + +
  • ">

    Calendar
    • - + = 1) { ?>
  • SALES
  • "> @@ -119,7 +124,7 @@
    • - + = 1) { ?>
  • FINANCE
  • "> @@ -175,13 +180,16 @@
    • -
  • - "> - -

    Reports

    - -     -
    • + + = 1) { ?> +
  • + "> + +

    Reports

    + +     +
    • + Date: Fri, 20 Sep 2024 18:09:00 +0100 Subject: [PATCH 2/3] Custom Roles & Permissions Initial enforcement of custom roles & permissions - only on some pages via GET for now. --- admin_roles.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_roles.php b/admin_roles.php index 2a13b121..d332b52e 100644 --- a/admin_roles.php +++ b/admin_roles.php @@ -21,7 +21,7 @@ $sql = mysqli_query( $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); ?> -
    Roles are still in development. Permissions may not be fully be enforced.
    +
    Roles are still in development. Permissions may not be fully enforced.
    From 3d1e333ff074deb32317039185139c1b4cbeada0 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Fri, 20 Sep 2024 18:17:59 +0100 Subject: [PATCH 3/3] Custom Roles & Permissions Initial enforcement of custom roles & permissions - only on some pages via GET for now. --- check_login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/check_login.php b/check_login.php index d1be1ac3..73e52b26 100644 --- a/check_login.php +++ b/check_login.php @@ -40,7 +40,7 @@ $session_user_id = intval($_SESSION['user_id']); $sql = mysqli_query( $mysqli, - "SELECT * FROM USERS + "SELECT * FROM users LEFT JOIN user_settings ON users.user_id = user_settings.user_id LEFT JOIN user_roles ON user_settings.user_role = user_roles.user_role_id WHERE users.user_id = $session_user_id"