From ce0c394d3f1bcd18ffd857a11f0db30231fa95a7 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Fri, 10 May 2024 12:25:38 -0400
Subject: [PATCH] Feature: User Client Access Permissions logic has been added, next up is the defining access via user managment
---
 check_login.php | 39 +++++++++++++++++++++++++++++++++++----
 clients.php | 1 +
 2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/check_login.php b/check_login.php
index 297208c2..992511b5 100644
--- a/check_login.php
+++ b/check_login.php
@@ -10,7 +10,8 @@ if (!isset($_SESSION)) {
 session_start();
 }
-//Check to see if setup is enabled
+
+// Check to see if setup is enabled
 if (!isset($config_enable_setup) || $config_enable_setup == 1) {
 header("Location: setup.php");
 exit;
@@ -26,9 +27,11 @@ if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
 exit;
 }
+
 // Set Timezone
 require_once "inc_set_timezone.php";
+
 // User IP & UA
 $session_ip = sanitizeInput(getIP());
 $session_user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
@@ -60,9 +63,34 @@ $session_company_country = $row['company_country'];
 $session_company_locale = $row['company_locale'];
 $session_company_currency = $row['company_currency'];
-//Set Currency Format
+
+// Set Currency Format
 $currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY);
+
+// Get User Client Access Permissions
+$user_client_access_sql = mysqli_query($mysqli, "SELECT client_id FROM user_permissions WHERE user_id = $session_user_id");
+
+$access_client_ids = [];
+if ($user_client_access_sql) { // This ensures the codes wont break if user_permissions table does not exist. This can be removed once all ITFlow instances are updated
+ while($row = mysqli_fetch_assoc($user_client_access_sql)) {
+ $access_client_ids[] = $row['client_id'];
+ }
+} else {
+ // Handle error in query execution (e.g., table doesn't exist)
+ error_log('Error fetching client IDs: ' . mysqli_error($mysqli));
+}
+
+$client_access_string = implode(',', $access_client_ids);
+
+// Role / Client Access Permission Check
+if ($session_user_role < 3 && !empty($client_access_string)) {
+ $access_permission_query = "AND client_id IN ($client_access_string)";
+} else {
+ $access_permission_query = "";
+}
+
+// Include the settings vars
 require_once "get_settings.php";
@@ -77,13 +105,16 @@ if ($iPod || $iPhone || $iPad) {
 $session_map_source = "google";
 }
-//Check if mobile device
+
+// Check if mobile device
 $session_mobile = isMobile();
-//Get Notification Count for the badge on the top nav
+
+// Get Notification Count for the badge on the top nav
 $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('notification_id') AS num FROM notifications WHERE (notification_user_id = $session_user_id OR notification_user_id = 0) AND notification_dismissed_at IS NULL"));
 $num_notifications = $row['num'];
+
 // FORCE MFA Setup
 //if ($session_user_config_force_mfa == 1 && $session_token == NULL) {
 // header("Location: force_mfa.php");
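Review bot: The new access filter fails open for a restricted user who has no rows in `user_permissions`: with `$access_client_ids` empty the `if ($session_user_role < 3 && !empty($client_access_string))` branch is skipped and `$access_permission_query` is set to `""`, so that user is not restricted at all, and the same happens whenever the SELECT fails, which the comment on the `if ($user_client_access_sql)` line only intends as a migration safeguard. If a role < 3 user with no assigned clients is meant to see none, that case needs a deny-all clause such as `$access_permission_query = "AND client_id IN (0)";` on its own branch rather than sharing the empty string with the query-failure path. The ids come from the database, but casting them before they are interpolated, `$access_client_ids[] = (int) $row['client_id'];`, keeps the IN list limited to integers by construction. `empty($client_access_string)` also treats the string `"0"` as empty, so `$access_client_ids !== []` is the check actually meant. The loop reuses `$row`, which above this hunk holds the company settings row — presumably nothing after this point still reads it, but that is worth confirming against the lines between the hunks and `get_settings.php`.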
diff --git a/clients.php b/clients.php
index da3bd024..acf4de71 100644
--- a/clients.php
+++ b/clients.php
@@ -58,6 +58,7 @@ $sql = mysqli_query(
 AND clients.client_$archive_query
 AND DATE(clients.client_created_at) BETWEEN '$dtf' AND '$dtt'
 AND clients.client_lead = $leads
+ $access_permission_query
 $industry_query
 $referral_query
 GROUP BY clients.client_id
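Review bot: The inserted `$access_permission_query` line expands to a predicate on an unqualified `client_id`, while every neighbouring predicate in this query is written as `clients.client_…`; if the statement joins another table that also exposes a `client_id` column the clause becomes ambiguous and the query fails, which the `GROUP BY clients.client_id` context suggests is possible but the hunk does not show. Either qualifying the column where the string is built in check_login.php (`"AND clients.client_id IN (…)"`) or documenting that the variable is only valid in queries where `client_id` is unambiguous would make the contract explicit. This page also relies on check_login.php having assigned `$access_permission_query` on every path, which the new code does, so any other entry point that reaches this query without that include would run it unfiltered with an undefined-variable notice. The enclosing `mysqli_query(` call starts and ends outside the hunk.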