From d5536e78f4e1646faa19a943b4849bb46396e349 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sun, 11 May 2025 12:01:23 +0100
Subject: [PATCH] Ajax contacts - Enforce client access restrictions when getting client contacts
---
 ajax.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ajax.php b/ajax.php
index 32673e15..3dae8752 100644
--- a/ajax.php
+++ b/ajax.php
@@ -316,7 +316,9 @@ if (isset($_GET['get_client_contacts'])) {
 $contact_sql = mysqli_query(
 $mysqli,
 "SELECT contact_id, contact_name, contact_primary, contact_important, contact_technical FROM contacts
+ LEFT JOIN clients on contact_client_id = client_id
 WHERE contacts.contact_archived_at IS NULL AND contact_client_id = $client_id
+ $access_permission_query
 ORDER BY contact_primary DESC, contact_technical DESC, contact_important DESC, contact_name"
 );
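Review bot: The added `$access_permission_query` line makes the access restriction depend on a variable that is never assigned in this hunk, so if it is ever unset on this code path PHP interpolates an empty string (raising only a warning) and the query returns every contact for the requested client, which means the check fails open. Since an empty fragment is presumably the legitimate value for unrestricted users, the guard should test for the variable being set at all, placed just before the `mysqli_query(` call: `if (!isset($access_permission_query)) { http_response_code(403); exit; }`. `$client_id` is likewise assigned outside the hunk and goes into the same string-built query, so confirm it is cast with `intval()` before this point. The enclosing `if (isset($_GET['get_client_contacts']))` block starts before and continues past the hunk.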