mirror of
https://github.com/itflow-org/itflow
synced 2026-03-11 00:04:50 +00:00
Contacts: Add missing CSRF checks, add missing permission checks, renamed unarchive to restore
This commit is contained in:
johnnyq
@@ -476,7 +476,7 @@ if (isset($_GET['contact_id'])) {
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item"
|
||||
href="post.php?unlink_asset_from_contact&contact_id=<?= $contact_id ?>&asset_id=<?= $asset_id ?>"
|
||||
href="post.php?unlink_asset_from_contact&contact_id=<?= $contact_id ?>&asset_id=<?= $asset_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"
|
||||
class="btn btn-secondary btn-sm" title="Unlink">
|
||||
<i class="fas fa-fw fa-unlink mr-2"></i>Unlink
|
||||
</a>
|
||||
@@ -616,13 +616,13 @@ if (isset($_GET['contact_id'])) {
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item"
|
||||
href="post.php?unlink_credential_from_contact&contact_id=<?php echo $contact_id; ?>&credential_id=<?php echo $credential_id; ?>"
|
||||
href="post.php?unlink_credential_from_contact&contact_id=<?php echo $contact_id; ?>&credential_id=<?php echo $credential_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>"
|
||||
class="btn btn-secondary btn-sm" title="Unlink">
|
||||
<i class="fas fa-fw fa-unlink mr-2"></i>Unlink
|
||||
</a>
|
||||
<?php if ($session_user_role == 3) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold" href="post.php?delete_credential=<?php echo $credential_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold" href="post.php?delete_credential=<?php echo $credential_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
@@ -709,7 +709,7 @@ if (isset($_GET['contact_id'])) {
|
||||
<td><?php echo $software_license_type; ?></td>
|
||||
<td><?php echo "$seat_count / $software_seats"; ?></td>
|
||||
<td class="text-center">
|
||||
<a href="post.php?unlink_software_from_contact&contact_id=<?php echo $contact_id; ?>&software_id=<?php echo $software_id; ?>" class="btn btn-secondary btn-sm" title="Remove License"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
<a href="post.php?unlink_software_from_contact&contact_id=<?php echo $contact_id; ?>&software_id=<?php echo $software_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Remove License"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@@ -778,7 +778,7 @@ if (isset($_GET['contact_id'])) {
|
||||
<?php
|
||||
if ($session_user_role == 3) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_ticket=<?php echo $recurring_ticket_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_recurring_ticket=<?php echo $recurring_ticket_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
</div>
|
||||
@@ -931,7 +931,7 @@ if (isset($_GET['contact_id'])) {
|
||||
<td><?php echo $service_category; ?></td>
|
||||
<td><?php echo $service_importance; ?></td>
|
||||
<td class="text-center">
|
||||
<a href="post.php?unlink_service_from_contact&contact_id=<?php echo $contact_id; ?>&service_id=<?php echo $service_id; ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
<a href="post.php?unlink_service_from_contact&contact_id=<?php echo $contact_id; ?>&service_id=<?php echo $service_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@@ -997,7 +997,7 @@ if (isset($_GET['contact_id'])) {
|
||||
data-modal-url="modals/document/document_view.php?id=<?= $document_id ?>">
|
||||
<i class="fas fa-fw fa-eye"></i>
|
||||
</a>
|
||||
<a href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
<a href="post.php?unlink_contact_from_document&contact_id=<?php echo $contact_id; ?>&document_id=<?php echo $document_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@@ -1060,7 +1060,7 @@ if (isset($_GET['contact_id'])) {
|
||||
<td><?php echo $file_size_KB; ?> KB</td>
|
||||
<td><?php echo $file_created_at; ?></td>
|
||||
<td class="text-center">
|
||||
<a href="post.php?unlink_contact_from_file&contact_id=<?php echo $contact_id; ?>&file_id=<?php echo $file_id; ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
<a href="post.php?unlink_contact_from_file&contact_id=<?php echo $contact_id; ?>&file_id=<?php echo $file_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-secondary btn-sm" title="Unlink"><i class="fas fa-fw fa-unlink"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@@ -1124,12 +1124,12 @@ if (isset($_GET['contact_id'])) {
|
||||
<i class="fas fa-ellipsis-h"></i>
|
||||
</button>
|
||||
<div class="dropdown-menu">
|
||||
<a class="dropdown-item text-danger" href="post.php?archive_contact_note=<?php echo $contact_note_id; ?>">
|
||||
<a class="dropdown-item text-danger" href="post.php?archive_contact_note=<?php echo $contact_note_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
||||
</a>
|
||||
<?php if ($session_user_role == 3) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold" href="post.php?delete_contact_note=<?php echo $contact_note_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold" href="post.php?delete_contact_note=<?php echo $contact_note_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
@@ -262,8 +262,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
<?php if ($archived) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<button class="dropdown-item text-info"
|
||||
type="submit" form="bulkActions" name="bulk_unarchive_contacts">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
||||
type="submit" form="bulkActions" name="bulk_restore_contacts">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||
</button>
|
||||
<div class="dropdown-divider"></div>
|
||||
<button class="dropdown-item text-danger text-bold"
|
||||
@@ -526,23 +526,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
<?php if ($session_user_role == 3 && $contact_primary == 0) { ?>
|
||||
<?php if ($contact_archived_at) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-info confirm-link" href="post.php?unarchive_contact=<?php echo $contact_id; ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
||||
<a class="dropdown-item text-info confirm-link" href="post.php?restore_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||
</a>
|
||||
<?php } else { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_contact=<?php echo $contact_id; ?>">
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
||||
</a>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?anonymize_contact=<?php echo $contact_id; ?>">
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?anonymize_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-user-secret mr-2"></i>Anonymize & Archive
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
<?php if ($config_destructive_deletes_enable) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_contact=<?php echo $contact_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_contact=<?= $contact_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
@@ -23,6 +23,8 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
<ul class="nav nav-pills nav-justified mb-3">
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -23,7 +24,7 @@
|
||||
<label class="custom-control-label" for="unassignAssetsCheckbox<?php echo $contact_id; ?>">Assets</label>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
<div class="form-group">
|
||||
<div class="custom-control custom-checkbox">
|
||||
<input type="checkbox" class="custom-control-input" id="unassignLicensesCheckbox<?php echo $contact_id; ?>" name="unassign_licenses" value="1">
|
||||
@@ -44,7 +45,7 @@
|
||||
<label class="custom-control-label" for="anonymizeCheckbox<?php echo $contact_id; ?>">Anonymize Contact</label>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
<button type="submit" name="archive_contact" class="btn btn-danger text-bold"><i class="fas fa-check mr-2"></i>Arhive</button>
|
||||
@@ -53,4 +54,4 @@
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@@ -53,6 +53,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -15,6 +15,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -15,6 +15,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="client_id" value="<?= $client_id ?>">
|
||||
<div class="modal-body">
|
||||
<p><strong>Format csv file with headings & data:</strong><br>Name, Title, Department, Email, Phone, Extension, Mobile, Location</p>
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
</div>
|
||||
|
||||
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
@@ -81,4 +82,4 @@
|
||||
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@@ -13,7 +13,6 @@ $row = mysqli_fetch_assoc($sql);
|
||||
$contact_name = nullable_htmlentities($row['contact_name']);
|
||||
$client_id = intval($row['contact_client_id']);
|
||||
|
||||
// Generate the HTML form content using output buffering.
|
||||
ob_start();
|
||||
|
||||
?>
|
||||
@@ -25,6 +24,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -8,8 +8,8 @@ $sql = mysqli_query($mysqli, "SELECT contact_name FROM contacts WHERE contact_id
|
||||
$row = mysqli_fetch_assoc($sql);
|
||||
$contact_name = nullable_htmlentities($row['contact_name']);
|
||||
|
||||
// Generate the HTML form content using output buffering.
|
||||
ob_start();
|
||||
|
||||
?>
|
||||
|
||||
<div class="modal-header bg-dark">
|
||||
@@ -20,6 +20,7 @@ ob_start();
|
||||
</div>
|
||||
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||
|
||||
if (isset($_POST['add_contact'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
require_once 'contact_model.php';
|
||||
@@ -78,6 +80,8 @@ if (isset($_POST['add_contact'])) {
|
||||
|
||||
if (isset($_POST['edit_contact'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
require_once 'contact_model.php';
|
||||
@@ -218,6 +222,8 @@ if (isset($_POST['edit_contact'])) {
|
||||
|
||||
if (isset($_POST['add_contact_note'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_POST['contact_id']);
|
||||
@@ -245,6 +251,8 @@ if (isset($_POST['add_contact_note'])) {
|
||||
|
||||
if (isset($_GET['archive_contact_note'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_note_id = intval($_GET['archive_contact_note']);
|
||||
@@ -267,7 +275,9 @@ if (isset($_GET['archive_contact_note'])) {
|
||||
|
||||
}
|
||||
|
||||
if (isset($_GET['unarchive_contact_note'])) {
|
||||
if (isset($_GET['restore_contact_note'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
@@ -293,6 +303,8 @@ if (isset($_GET['unarchive_contact_note'])) {
|
||||
|
||||
if (isset($_GET['delete_contact_note'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 3);
|
||||
|
||||
$contact_note_id = intval($_GET['delete_contact_note']);
|
||||
@@ -317,6 +329,8 @@ if (isset($_GET['delete_contact_note'])) {
|
||||
|
||||
if (isset($_POST['bulk_assign_contact_location'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$location_id = intval($_POST['bulk_location_id']);
|
||||
@@ -358,6 +372,8 @@ if (isset($_POST['bulk_assign_contact_location'])) {
|
||||
|
||||
if (isset($_POST['bulk_edit_contact_phone'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$phone = preg_replace("/[^0-9]/", '', $_POST['bulk_phone']);
|
||||
@@ -394,6 +410,8 @@ if (isset($_POST['bulk_edit_contact_phone'])) {
|
||||
|
||||
if (isset($_POST['bulk_edit_contact_department'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$department = sanitizeInput($_POST['bulk_department']);
|
||||
@@ -430,6 +448,8 @@ if (isset($_POST['bulk_edit_contact_department'])) {
|
||||
|
||||
if (isset($_POST['bulk_edit_contact_role'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_important = intval($_POST['bulk_contact_important']);
|
||||
@@ -470,6 +490,8 @@ if (isset($_POST['bulk_edit_contact_role'])) {
|
||||
|
||||
if (isset($_POST['bulk_assign_contact_tags'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
// Assign Location to Selected Contacts
|
||||
@@ -519,6 +541,10 @@ if (isset($_POST['bulk_assign_contact_tags'])) {
|
||||
|
||||
if (isset($_POST['send_bulk_mail_now'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client');
|
||||
|
||||
if (isset($_POST['contact_ids'])) {
|
||||
|
||||
$count = count($_POST['contact_ids']);
|
||||
@@ -564,9 +590,9 @@ if (isset($_POST['send_bulk_mail_now'])) {
|
||||
|
||||
if (isset($_POST['bulk_archive_contacts'])) {
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
//validateCSRFToken($_POST['csrf_token']);
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
if (isset($_POST['contact_ids'])) {
|
||||
|
||||
@@ -611,10 +637,11 @@ if (isset($_POST['bulk_archive_contacts'])) {
|
||||
redirect();
|
||||
}
|
||||
|
||||
if (isset($_POST['bulk_unarchive_contacts'])) {
|
||||
if (isset($_POST['bulk_restore_contacts'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
//validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
if (isset($_POST['contact_ids'])) {
|
||||
|
||||
@@ -699,6 +726,8 @@ if (isset($_POST['bulk_delete_contacts'])) {
|
||||
|
||||
if (isset($_GET['anonymize_contact'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 3);
|
||||
|
||||
$contact_id = intval($_GET['anonymize_contact']);
|
||||
@@ -803,6 +832,8 @@ if (isset($_GET['anonymize_contact'])) {
|
||||
|
||||
if (isset($_GET['archive_contact'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_GET['archive_contact']);
|
||||
@@ -829,11 +860,13 @@ if (isset($_GET['archive_contact'])) {
|
||||
|
||||
}
|
||||
|
||||
if (isset($_GET['unarchive_contact'])) {
|
||||
if (isset($_GET['restore_contact'])) {
|
||||
|
||||
validateAdminRole();
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
$contact_id = intval($_GET['unarchive_contact']);
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_GET['restore_contact']);
|
||||
|
||||
// Get Contact Name and Client ID for logging and alert message
|
||||
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id");
|
||||
@@ -849,9 +882,9 @@ if (isset($_GET['unarchive_contact'])) {
|
||||
|
||||
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
|
||||
|
||||
logAction("Contact", "Unarchive", "$session_name unarchived contact $contact_name", $client_id, $contact_id);
|
||||
logAction("Contact", "Restore", "$session_name restored contact $contact_name", $client_id, $contact_id);
|
||||
|
||||
flash_alert("Contact <strong>$contact_name</strong> has been Unarchived");
|
||||
flash_alert("Contact <strong>$contact_name</strong> Restored");
|
||||
|
||||
redirect();
|
||||
|
||||
@@ -859,6 +892,8 @@ if (isset($_GET['unarchive_contact'])) {
|
||||
|
||||
if (isset($_GET['delete_contact'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 3);
|
||||
|
||||
$contact_id = intval($_GET['delete_contact']);
|
||||
@@ -887,7 +922,9 @@ if (isset($_GET['delete_contact'])) {
|
||||
|
||||
if (isset($_POST['link_contact_to_asset'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$asset_id = intval($_POST['asset_id']);
|
||||
$contact_id = intval($_POST['contact_id']);
|
||||
@@ -913,7 +950,9 @@ if (isset($_POST['link_contact_to_asset'])) {
|
||||
|
||||
if (isset($_GET['unlink_asset_from_contact'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_GET['contact_id']);
|
||||
$asset_id = intval($_GET['asset_id']);
|
||||
@@ -939,7 +978,9 @@ if (isset($_GET['unlink_asset_from_contact'])) {
|
||||
|
||||
if (isset($_POST['link_software_to_contact'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$software_id = intval($_POST['software_id']);
|
||||
$contact_id = intval($_POST['contact_id']);
|
||||
@@ -965,7 +1006,9 @@ if (isset($_POST['link_software_to_contact'])) {
|
||||
|
||||
if (isset($_GET['unlink_software_from_contact'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_GET['contact_id']);
|
||||
$software_id = intval($_GET['software_id']);
|
||||
@@ -991,7 +1034,9 @@ if (isset($_GET['unlink_software_from_contact'])) {
|
||||
|
||||
if (isset($_POST['link_contact_to_credential'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$credential_id = intval($_POST['credential_id']);
|
||||
$contact_id = intval($_POST['contact_id']);
|
||||
@@ -1017,7 +1062,9 @@ if (isset($_POST['link_contact_to_credential'])) {
|
||||
|
||||
if (isset($_GET['unlink_credential_from_contact'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_GET['contact_id']);
|
||||
$credential_id = intval($_GET['credential_id']);
|
||||
@@ -1043,7 +1090,9 @@ if (isset($_GET['unlink_credential_from_contact'])) {
|
||||
|
||||
if (isset($_POST['link_service_to_contact'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$service_id = intval($_POST['service_id']);
|
||||
$contact_id = intval($_POST['contact_id']);
|
||||
@@ -1069,7 +1118,9 @@ if (isset($_POST['link_service_to_contact'])) {
|
||||
|
||||
if (isset($_GET['unlink_service_from_contact'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_GET['contact_id']);
|
||||
$service_id = intval($_GET['service_id']);
|
||||
@@ -1095,7 +1146,9 @@ if (isset($_GET['unlink_service_from_contact'])) {
|
||||
|
||||
if (isset($_POST['link_contact_to_file'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$file_id = intval($_POST['file_id']);
|
||||
$contact_id = intval($_POST['contact_id']);
|
||||
@@ -1122,7 +1175,9 @@ if (isset($_POST['link_contact_to_file'])) {
|
||||
|
||||
if (isset($_GET['unlink_contact_from_file'])) {
|
||||
|
||||
enforceUserPermission('module_support', 2);
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$contact_id = intval($_GET['contact_id']);
|
||||
$file_id = intval($_GET['file_id']);
|
||||
@@ -1148,6 +1203,8 @@ if (isset($_GET['unlink_contact_from_file'])) {
|
||||
|
||||
if (isset($_POST['export_contacts_csv'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client');
|
||||
|
||||
if ($_POST['client_id']) {
|
||||
@@ -1204,6 +1261,8 @@ if (isset($_POST['export_contacts_csv'])) {
|
||||
|
||||
if (isset($_POST["import_contacts_csv"])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_client', 2);
|
||||
|
||||
$client_id = intval($_POST['client_id']);
|
||||
|
||||
Reference in New Issue
Block a user