Projects: enforceClientAccess in POST only if a client is assigned to the project

johnnyq
2026-03-06 15:25:30 -05:00
parent 3be815c749
commit de8b9df4da


@@ -19,6 +19,11 @@ if (isset($_POST['add_project'])) {
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$project_template_id = intval($_POST['project_template_id']); $project_template_id = intval($_POST['project_template_id']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Sanitize Project Prefix // Sanitize Project Prefix
$config_project_prefix = sanitizeInput($config_project_prefix); $config_project_prefix = sanitizeInput($config_project_prefix);
@@ -102,6 +107,11 @@ if (isset($_POST['edit_project'])) {
$project_manager = intval($_POST['project_manager']); $project_manager = intval($_POST['project_manager']);
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE projects SET project_name = '$project_name', project_description = '$project_description', project_due = '$due_date', project_manager = $project_manager, project_client_id = $client_id WHERE project_id = $project_id"); mysqli_query($mysqli, "UPDATE projects SET project_name = '$project_name', project_description = '$project_description', project_due = '$due_date', project_manager = $project_manager, project_client_id = $client_id WHERE project_id = $project_id");
logAction("Project", "Edit", "$session_name edited project $project_name", $client_id, $project_id); logAction("Project", "Edit", "$session_name edited project $project_name", $client_id, $project_id);
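Review bot: In the edit_project hunk the guard `if ($client_id)` is keyed on `$_POST['client_id']` (line 22), so a caller who posts `client_id=0` skips `enforceClientAccess()` entirely, and the UPDATE on line 27 then re-homes the project to no client — a client-scoped user could detach or edit a project that currently belongs to another client, because nothing checks the project's existing `project_client_id` before the write. The same shape exists in the add_project hunk, though creating an unassigned project there may be the intended behaviour per the commit title; the edit path is the concern. The GET handlers (close/archive/restore/delete) already read `$client_id` from the stored row, so edit_project should do the same lookup by `$project_id` and enforce against the stored client before accepting the posted value, then enforce again for the new client when it is nonzero. I am inferring that `enforceClientAccess()` reads `$client_id` from the surrounding scope since it takes no arguments; if it does, `$client_id` needs to hold the stored value at the first call. The restore_project hunk (line 49) still derives `$client_id` with `sanitizeInput` rather than `intval`, so the new truthiness guard runs on a string there; `$client_id = intval($row['project_client_id']);` would match the sibling handlers.
```php
$client_id = intval($_POST['client_id']);

// Enforce against the project's CURRENT client first so a client-scoped user
// cannot detach or re-home another client's project by posting client_id=0.
$existing = mysqli_fetch_array(mysqli_query($mysqli, "SELECT project_client_id FROM projects WHERE project_id = $project_id"));
$existing_client_id = intval($existing['project_client_id']);
if ($existing_client_id) {
    $posted_client_id = $client_id;
    $client_id = $existing_client_id; // NOTE(review): assumes enforceClientAccess() reads $client_id from scope — confirm
    enforceClientAccess();
    $client_id = $posted_client_id;
}
// Then enforce for the newly assigned client, if any
if ($client_id) {
    enforceClientAccess();
}
// … unchanged: UPDATE projects … and logAction …
```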
@@ -126,6 +136,11 @@ if (isset($_GET['close_project'])) {
$project_name = sanitizeInput($row['project_name']); $project_name = sanitizeInput($row['project_name']);
$client_id = intval($row['project_client_id']); $client_id = intval($row['project_client_id']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE projects SET project_completed_at = NOW() WHERE project_id = $project_id"); mysqli_query($mysqli, "UPDATE projects SET project_completed_at = NOW() WHERE project_id = $project_id");
logAction("Project", "Close", "$session_name closed project $project_name", $client_id, $project_id); logAction("Project", "Close", "$session_name closed project $project_name", $client_id, $project_id);
@@ -150,6 +165,11 @@ if (isset($_GET['archive_project'])) {
$project_name = sanitizeInput($row['project_name']); $project_name = sanitizeInput($row['project_name']);
$client_id = intval($row['project_client_id']); $client_id = intval($row['project_client_id']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE projects SET project_archived_at = NOW() WHERE project_id = $project_id"); mysqli_query($mysqli, "UPDATE projects SET project_archived_at = NOW() WHERE project_id = $project_id");
logAction("Project", "Archive", "$session_name archived project $project_name", $client_id, $project_id); logAction("Project", "Archive", "$session_name archived project $project_name", $client_id, $project_id);
@@ -174,6 +194,11 @@ if (isset($_GET['restore_project'])) {
$project_name = sanitizeInput($row['project_name']); $project_name = sanitizeInput($row['project_name']);
$client_id = sanitizeInput($row['project_client_id']); $client_id = sanitizeInput($row['project_client_id']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "UPDATE projects SET project_archived_at = NULL WHERE project_id = $project_id"); mysqli_query($mysqli, "UPDATE projects SET project_archived_at = NULL WHERE project_id = $project_id");
logAction("Project", "Restore", "$session_name restored project $project_name", $client_id, $project_id); logAction("Project", "Restore", "$session_name restored project $project_name", $client_id, $project_id);
@@ -198,6 +223,11 @@ if (isset($_GET['delete_project'])) {
$project_name = sanitizeInput($row['project_name']); $project_name = sanitizeInput($row['project_name']);
$client_id = intval($row['project_client_id']); $client_id = intval($row['project_client_id']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
mysqli_query($mysqli, "DELETE FROM projects WHERE project_id = $project_id"); mysqli_query($mysqli, "DELETE FROM projects WHERE project_id = $project_id");
logAction("Project", "Delete", "$session_name deleted project $project_name", $client_id, $project_id); logAction("Project", "Delete", "$session_name deleted project $project_name", $client_id, $project_id);
@@ -222,6 +252,11 @@ if (isset($_POST['link_ticket_to_project'])) {
$client_id = intval($row['project_client_id']); $client_id = intval($row['project_client_id']);
$project_name = sanitizeInput($row['project_name']); $project_name = sanitizeInput($row['project_name']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Add Tickets // Add Tickets
if (isset($_POST['tickets'])) { if (isset($_POST['tickets'])) {
@@ -268,6 +303,11 @@ if (isset($_POST['link_closed_ticket_to_project'])) {
$client_id = intval($row['project_client_id']); $client_id = intval($row['project_client_id']);
$project_name = sanitizeInput($row['project_name']); $project_name = sanitizeInput($row['project_name']);
// Don't Enforce Client Access if Project doesn't have an assigned client
if ($client_id) {
enforceClientAccess();
}
// Get ticket details // Get ticket details
$sql = mysqli_query($mysqli, "SELECT ticket_id, ticket_prefix, ticket_number, ticket_subject, ticket_updated_at FROM tickets WHERE ticket_number = $ticket_number"); $sql = mysqli_query($mysqli, "SELECT ticket_id, ticket_prefix, ticket_number, ticket_subject, ticket_updated_at FROM tickets WHERE ticket_number = $ticket_number");
if (mysqli_num_rows($sql) == 0) { if (mysqli_num_rows($sql) == 0) {