From df5c3507650a7edb4f9a1955192edbf4ad8534bc Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Fri, 6 Mar 2026 15:43:44 -0500
Subject: [PATCH] Vendors: enforceClientAccess in POST only if vendor is assigned a client, as vendor_client_id 0 is for global vendors

---
 agent/post/vendor.php | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/agent/post/vendor.php b/agent/post/vendor.php
index 7fc01309..755ca3e9 100644
--- a/agent/post/vendor.php
+++ b/agent/post/vendor.php
@@ -18,6 +18,7 @@ if (isset($_POST['add_vendor_from_template'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 2);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 2);
 }
@@ -69,6 +70,7 @@ if (isset($_POST['add_vendor'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 2);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 2);
 }
@@ -100,6 +102,7 @@ if (isset($_POST['edit_vendor'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 2);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 2);
 }
@@ -129,6 +132,7 @@ if (isset($_GET['archive_vendor'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 2);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 2);
 }
@@ -158,6 +162,7 @@ if(isset($_GET['restore_vendor'])){
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 2);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 2);
 }
@@ -188,6 +193,7 @@ if (isset($_GET['delete_vendor'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 3);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 3);
 }
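Review bot: The added `enforceClientAccess()` is only reached when `$client_id` is truthy, so the new check is only as strong as the source of `$client_id`, which is assigned outside this hunk; if it comes from the request (a posted client id) rather than from the stored vendor_client_id of the vendor being acted on, a request carrying 0 would fall into the `module_financial` branch and skip the client-access check entirely. `enforceClientAccess()` is also called with no argument, so it presumably resolves the client from scope — worth confirming it reads the same `$client_id` this branch just tested. A short comment above the check would pin the contract: `// $client_id must be the stored vendor_client_id, never a request value; 0 = global vendor`. The same pattern applies to the hunks at -69, -100, -129, -158, -188, -230, -272 and -318, and each enclosing `if (isset(...))` block starts and ends outside its hunk.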
@@ -230,6 +236,7 @@ if (isset($_POST['bulk_archive_vendors'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 2);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 2);
 }
@@ -272,6 +279,7 @@ if (isset($_POST['bulk_restore_vendors'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 2);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 2);
 }
@@ -296,8 +304,6 @@ if (isset($_POST['bulk_delete_vendors'])) {
 validateCSRFToken($_POST['csrf_token']);
- validateAdminRole();
-
 if (isset($_POST['vendor_ids'])) {
 // Get Selected Count
@@ -318,6 +324,7 @@ if (isset($_POST['bulk_delete_vendors'])) {
 // Permission check
 if ($client_id) {
 enforceUserPermission('module_client', 3);
+ enforceClientAccess();
 } else {
 enforceUserPermission('module_financial', 3);
 }
@@ -352,20 +359,16 @@ if (isset($_POST['export_vendors_csv'])) {
 $client_query = "WHERE vendor_client_id = $client_id";
 $client_name = getFieldById('clients', $client_id, 'client_name');
 $file_name_prepend = "$client_name-";
+ enforceUserPermission('module_client');
+ enforceClientAccess();
 } else {
 $client_query = "WHERE vendor_client_id = 0";
 $client_name = '';
 $file_name_prepend = "$session_company_name-";
- }
-
- // Permission check
- if ($client_id) {
- enforceUserPermission('module_client');
- } else {
 enforceUserPermission('module_financial');
 }
- $sql = mysqli_query($mysqli,"SELECT * FROM vendors $client_query ORDER BY vendor_name ASC");
+ $sql = mysqli_query($mysqli,"SELECT * FROM vendors LEFT JOIN clients ON client_id = vendor_client_id $client_query ORDER BY vendor_name ASC");
 $count = mysqli_num_rows($sql);
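Review bot: Removing `validateAdminRole()` from the bulk_delete_vendors handler (hunk at -296) lowers bulk deletion from admin-only to any user holding level 3 on module_client or module_financial, and the commit message, which only talks about enforceClientAccess, does not mention this. If the intent is to align bulk delete with the single delete_vendor path (hunk at -188, which shows no admin-role call in its context), state that in the commit message or leave a comment at the site such as `// Admin role no longer required: level-3 module permission plus client access is the gate`; otherwise the call should stay. The enclosing `if (isset($_POST['bulk_delete_vendors']))` block continues outside the hunk.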
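Review bot: In the export_vendors_csv hunk (-352), `getFieldById('clients', $client_id, 'client_name')` now runs before `enforceUserPermission('module_client')` and `enforceClientAccess()`, so a caller without rights to that client still triggers the lookup; move the two enforce calls to the top of the `if ($client_id)` branch, ahead of `$client_query = "WHERE vendor_client_id = $client_id";`. The rebuilt `$sql` line still embeds `$client_query`, which interpolates `$client_id` straight into the WHERE clause — whatever cast or validation exists is outside the hunk, so confirm it is an integer before this point. Separately, `SELECT *` over the new `LEFT JOIN clients` pulls every clients column into each row; if the CSV writer emits rows wholesale rather than named vendor fields, client data would now appear in the vendor export, and the join itself is not explained in the commit message. The export handler starts and ends outside the hunk.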