Enforce accountant or admin role to perform accounting related post requests

This commit is contained in:
Marcus Hill 2022-12-28 20:46:24 +00:00
parent a255441bc3
commit ea3a12bdd7
1 changed files with 75 additions and 28 deletions

103
post.php

@ -43,7 +43,6 @@ if(isset($_GET['switch_company'])){
}
if(isset($_POST['add_user'])){
validateAdminRole();
// CSRF Check
@ -142,7 +141,6 @@ if(isset($_POST['add_user'])){
}
if(isset($_POST['edit_user'])){
validateAdminRole();
if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){
@ -354,7 +352,6 @@ if(isset($_POST['edit_profile'])){
}
if(isset($_POST['edit_user_companies'])){
validateAdminRole();
$user_id = intval($_POST['user_id']);
@ -380,7 +377,6 @@ if(isset($_POST['edit_user_companies'])){
}
if(isset($_GET['archive_user'])){
validateAdminRole();
// CSRF Check
@ -410,7 +406,6 @@ if(isset($_GET['archive_user'])){
// API Key
if(isset($_POST['add_api_key'])){
validateAdminRole();
// CSRF Check
@ -435,7 +430,6 @@ if(isset($_POST['add_api_key'])){
}
if(isset($_GET['delete_api_key'])){
validateAdminRole();
// CSRF Check
@ -460,7 +454,6 @@ if(isset($_GET['delete_api_key'])){
}
if(isset($_POST['add_company'])){
validateAdminRole();
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@ -560,8 +553,8 @@ if(isset($_POST['add_company'])){
}
if(isset($_POST['edit_company'])){
validateAdminRole();
$company_id = intval($_POST['company_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$address = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['address'])));
@ -658,7 +651,6 @@ if(isset($_GET['archive_company'])){
}
if(isset($_GET['delete_company'])){
validateAdminRole();
// CSRF Check
@ -785,7 +777,6 @@ if(isset($_POST['verify'])){
}
if(isset($_POST['edit_mail_settings'])){
validateAdminRole();
$config_smtp_host = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_smtp_host'])));
@ -837,7 +828,6 @@ if(isset($_POST['edit_mail_settings'])){
}
if(isset($_POST['test_email_smtp'])){
validateAdminRole();
$email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
@ -860,7 +850,6 @@ if(isset($_POST['test_email_smtp'])){
}
if(isset($_POST['test_email_imap'])){
validateAdminRole();
// Prepare connection string with encryption (TLS/SSL/<blank>)
@ -881,7 +870,6 @@ if(isset($_POST['test_email_imap'])){
}
if(isset($_POST['edit_invoice_settings'])){
validateAdminRole();
$config_invoice_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_invoice_prefix'])));
@ -905,7 +893,6 @@ if(isset($_POST['edit_invoice_settings'])){
}
if(isset($_POST['edit_quote_settings'])){
validateAdminRole();
$config_quote_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_quote_prefix'])));
@ -926,7 +913,6 @@ if(isset($_POST['edit_quote_settings'])){
}
if(isset($_POST['edit_ticket_settings'])){
validateAdminRole();
$config_ticket_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_ticket_prefix'])));
@ -948,7 +934,6 @@ if(isset($_POST['edit_ticket_settings'])){
}
if(isset($_POST['edit_default_settings'])){
validateAdminRole();
$expense_account = intval($_POST['expense_account']);
@ -971,7 +956,6 @@ if(isset($_POST['edit_default_settings'])){
}
if(isset($_POST['edit_alert_settings'])){
validateAdminRole();
$config_enable_cron = intval($_POST['config_enable_cron']);
@ -991,7 +975,6 @@ if(isset($_POST['edit_alert_settings'])){
}
if(isset($_POST['edit_online_payment_settings'])){
validateAdminRole();
$config_stripe_enable = intval($_POST['config_stripe_enable']);
@ -1009,7 +992,6 @@ if(isset($_POST['edit_online_payment_settings'])){
}
if(isset($_POST['edit_integrations_settings'])){
validateAdminRole();
$azure_client_id = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['azure_client_id'])));
@ -1027,7 +1009,6 @@ if(isset($_POST['edit_integrations_settings'])){
}
if(isset($_POST['edit_module_settings'])){
validateAdminRole();
$config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc']);
@ -1074,7 +1055,6 @@ if(isset($_POST['disable_2fa'])){
}
if(isset($_GET['download_database'])){
validateAdminRole();
// Get All Table Names From the Database
@ -1154,7 +1134,6 @@ if(isset($_GET['download_database'])){
}
if(isset($_POST['backup_master_key'])){
validateAdminRole();
$password = $_POST['password'];
@ -1186,7 +1165,6 @@ if(isset($_POST['backup_master_key'])){
}
if(isset($_GET['update'])){
validateAdminRole();
exec("git pull");
@ -1209,7 +1187,6 @@ if(isset($_GET['update'])){
}
if(isset($_GET['update_db'])){
validateAdminRole();
// Get the current version
@ -1227,7 +1204,6 @@ if(isset($_GET['update_db'])){
}
if(isset($_POST['add_client'])){
validateAdminRole();
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@ -1340,7 +1316,6 @@ if(isset($_POST['add_client'])){
}
if(isset($_POST['edit_client'])){
validateAdminRole();
$client_id = intval($_POST['client_id']);
@ -1373,7 +1348,6 @@ if(isset($_POST['edit_client'])){
}
if(isset($_GET['archive_client'])){
validateAdminRole();
$client_id = intval($_GET['archive_client']);
@ -1395,6 +1369,7 @@ if(isset($_GET['archive_client'])){
}
if(isset($_GET['undo_archive_client'])){
validateAdminRole();
$client_id = intval($_GET['undo_archive_client']);
@ -1414,7 +1389,6 @@ if(isset($_GET['undo_archive_client'])){
}
if(isset($_GET['delete_client'])){
validateAdminRole();
// CSRF Check
@ -1832,6 +1806,7 @@ if(isset($_GET['export_client_vendors_csv'])){
// Products
if(isset($_POST['add_product'])){
validateAccountantRole();
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$description = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['description'])));
@ -1851,6 +1826,7 @@ if(isset($_POST['add_product'])){
}
if(isset($_POST['edit_product'])){
validateAccountantRole();
$product_id = intval($_POST['product_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@ -1874,6 +1850,8 @@ if(isset($_POST['edit_product'])){
}
if(isset($_GET['delete_product'])){
validateAccountantRole();
$product_id = intval($_GET['delete_product']);
//Get Product Name
@ -1957,6 +1935,7 @@ if(isset($_GET['delete_trip'])){
}
if(isset($_POST['add_account'])){
validateAccountantRole();
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$opening_balance = floatval($_POST['opening_balance']);
@ -1975,6 +1954,7 @@ if(isset($_POST['add_account'])){
}
if(isset($_POST['edit_account'])){
validateAccountantRole();
$account_id = intval($_POST['account_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@ -1992,6 +1972,8 @@ if(isset($_POST['edit_account'])){
}
if(isset($_GET['archive_account'])){
validateAccountantRole();
$account_id = intval($_GET['archive_account']);
mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id");
@ -2006,6 +1988,8 @@ if(isset($_GET['archive_account'])){
}
if(isset($_GET['delete_account'])){
validateAccountantRole();
$account_id = intval($_GET['delete_account']);
mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id AND company_id = $session_company_id");
@ -2142,6 +2126,7 @@ if(isset($_GET['delete_tag'])){
//Tax
if(isset($_POST['add_tax'])){
validateAccountantRole();
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$percent = floatval($_POST['percent']);
@ -2158,6 +2143,7 @@ if(isset($_POST['add_tax'])){
}
if(isset($_POST['edit_tax'])){
validateAccountantRole();
$tax_id = intval($_POST['tax_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@ -2175,6 +2161,8 @@ if(isset($_POST['edit_tax'])){
}
if(isset($_GET['archive_tax'])){
validateAccountantRole();
$tax_id = intval($_GET['archive_tax']);
mysqli_query($mysqli,"UPDATE taxes SET tax_archived_at = NOW() WHERE tax_id = $tax_id");
@ -2189,6 +2177,8 @@ if(isset($_GET['archive_tax'])){
}
if(isset($_GET['delete_tax'])){
validateAccountantRole();
$tax_id = intval($_GET['delete_tax']);
mysqli_query($mysqli,"DELETE FROM taxes WHERE tax_id = $tax_id AND company_id = $session_company_id");
@ -2244,6 +2234,7 @@ if(isset($_GET['dismiss_all_notifications'])){
}
if(isset($_POST['add_expense'])){
validateAccountantRole();
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
$amount = floatval($_POST['amount']);
@ -2309,6 +2300,7 @@ if(isset($_POST['add_expense'])){
}
if(isset($_POST['edit_expense'])){
validateAccountantRole();
$expense_id = intval($_POST['expense_id']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -2377,6 +2369,8 @@ if(isset($_POST['edit_expense'])){
}
if(isset($_GET['delete_expense'])){
validateAccountantRole();
$expense_id = intval($_GET['delete_expense']);
$sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id AND company_id = $session_company_id");
@ -2397,6 +2391,8 @@ if(isset($_GET['delete_expense'])){
}
if(isset($_POST['export_expenses_csv'])){
validateAccountantRole();
$date_from = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date_from'])));
$date_to = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date_to'])));
if(!empty($date_from) && !empty($date_to)){
@ -2453,6 +2449,7 @@ if(isset($_POST['export_expenses_csv'])){
}
if(isset($_POST['add_transfer'])){
validateAccountantRole();
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
$amount = floatval($_POST['amount']);
@ -2478,6 +2475,7 @@ if(isset($_POST['add_transfer'])){
}
if(isset($_POST['edit_transfer'])){
validateAccountantRole();
$transfer_id = intval($_POST['transfer_id']);
$expense_id = intval($_POST['expense_id']);
@ -2504,6 +2502,8 @@ if(isset($_POST['edit_transfer'])){
}
if(isset($_GET['delete_transfer'])){
validateAccountantRole();
$transfer_id = intval($_GET['delete_transfer']);
//Query the transfer ID to get the Payment and Expense IDs so we can delete those as well
@ -2528,6 +2528,8 @@ if(isset($_GET['delete_transfer'])){
}
if(isset($_POST['add_invoice'])){
validateAccountantRole();
$client = intval($_POST['client']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
$category = intval($_POST['category']);
@ -2560,6 +2562,7 @@ if(isset($_POST['add_invoice'])){
}
if(isset($_POST['edit_invoice'])){
validateAccountantRole();
$invoice_id = intval($_POST['invoice_id']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -2579,6 +2582,7 @@ if(isset($_POST['edit_invoice'])){
}
if(isset($_POST['add_invoice_copy'])){
validateAccountantRole();
$invoice_id = intval($_POST['invoice_id']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -2635,6 +2639,7 @@ if(isset($_POST['add_invoice_copy'])){
}
if(isset($_POST['add_invoice_recurring'])){
validateAccountantRole();
$invoice_id = intval($_POST['invoice_id']);
$recurring_frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency'])));
@ -2685,6 +2690,7 @@ if(isset($_POST['add_invoice_recurring'])){
}
if(isset($_POST['add_quote'])){
validateAccountantRole();
$client = intval($_POST['client']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -2716,6 +2722,7 @@ if(isset($_POST['add_quote'])){
}
if(isset($_POST['add_quote_copy'])){
validateAccountantRole();
$quote_id = intval($_POST['quote_id']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -2768,6 +2775,7 @@ if(isset($_POST['add_quote_copy'])){
}
if(isset($_POST['add_quote_to_invoice'])){
validateAccountantRole();
$quote_id = intval($_POST['quote_id']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -2823,6 +2831,7 @@ if(isset($_POST['add_quote_to_invoice'])){
}
if(isset($_POST['add_quote_item'])){
validateAccountantRole();
$quote_id = intval($_POST['quote_id']);
@ -2863,6 +2872,7 @@ if(isset($_POST['add_quote_item'])){
}
if(isset($_POST['quote_note'])){
validateAccountantRole();
$quote_id = intval($_POST['quote_id']);
$note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note'])));
@ -2876,6 +2886,7 @@ if(isset($_POST['quote_note'])){
}
if(isset($_POST['edit_quote'])){
validateAccountantRole();
$quote_id = intval($_POST['quote_id']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -2894,6 +2905,8 @@ if(isset($_POST['edit_quote'])){
}
if(isset($_GET['delete_quote'])){
validateAccountantRole();
$quote_id = intval($_GET['delete_quote']);
mysqli_query($mysqli,"DELETE FROM quotes WHERE quote_id = $quote_id AND company_id = $session_company_id");
@ -2922,6 +2935,8 @@ if(isset($_GET['delete_quote'])){
}
if(isset($_GET['delete_quote_item'])){
validateAccountantRole();
$item_id = intval($_GET['delete_quote_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
@ -2950,6 +2965,7 @@ if(isset($_GET['delete_quote_item'])){
}
if(isset($_GET['mark_quote_sent'])){
validateAccountantRole();
$quote_id = intval($_GET['mark_quote_sent']);
@ -2967,6 +2983,7 @@ if(isset($_GET['mark_quote_sent'])){
}
if(isset($_GET['accept_quote'])){
validateAccountantRole();
$quote_id = intval($_GET['accept_quote']);
@ -2984,6 +3001,7 @@ if(isset($_GET['accept_quote'])){
}
if(isset($_GET['decline_quote'])){
validateAccountantRole();
$quote_id = intval($_GET['decline_quote']);
@ -3001,6 +3019,8 @@ if(isset($_GET['decline_quote'])){
}
if(isset($_GET['email_quote'])){
validateAccountantRole();
$quote_id = intval($_GET['email_quote']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes
@ -3073,6 +3093,7 @@ if(isset($_GET['email_quote'])){
}
if(isset($_POST['add_recurring'])){
validateAccountantRole();
$client = intval($_POST['client']);
$frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency'])));
@ -3102,6 +3123,7 @@ if(isset($_POST['add_recurring'])){
}
if(isset($_POST['edit_recurring'])){
validateAccountantRole();
$recurring_id = intval($_POST['recurring_id']);
$frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency'])));
@ -3123,6 +3145,7 @@ if(isset($_POST['edit_recurring'])){
}
if(isset($_POST['edit_recurring_next_date'])){
validateAccountantRole();
$recurring_id = intval($_POST['recurring_id']);
$next_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['next_date'])));
@ -3141,6 +3164,8 @@ if(isset($_POST['edit_recurring_next_date'])){
}
if(isset($_GET['delete_recurring'])){
validateAccountantRole();
$recurring_id = intval($_GET['delete_recurring']);
mysqli_query($mysqli,"DELETE FROM recurring WHERE recurring_id = $recurring_id AND company_id = $session_company_id");
@ -3169,6 +3194,7 @@ if(isset($_GET['delete_recurring'])){
}
if(isset($_POST['add_recurring_item'])){
validateAccountantRole();
$recurring_id = intval($_POST['recurring_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@ -3208,6 +3234,7 @@ if(isset($_POST['add_recurring_item'])){
}
if(isset($_POST['recurring_note'])){
validateAccountantRole();
$recurring_id = intval($_POST['recurring_id']);
$note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note'])));
@ -3221,6 +3248,8 @@ if(isset($_POST['recurring_note'])){
}
if(isset($_GET['delete_recurring_item'])){
validateAccountantRole();
$item_id = intval($_GET['delete_recurring_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
@ -3249,6 +3278,7 @@ if(isset($_GET['delete_recurring_item'])){
}
if(isset($_GET['mark_invoice_sent'])){
validateAccountantRole();
$invoice_id = intval($_GET['mark_invoice_sent']);
@ -3266,6 +3296,7 @@ if(isset($_GET['mark_invoice_sent'])){
}
if(isset($_GET['cancel_invoice'])){
validateAccountantRole();
$invoice_id = intval($_GET['cancel_invoice']);
@ -3283,6 +3314,8 @@ if(isset($_GET['cancel_invoice'])){
}
if(isset($_GET['delete_invoice'])){
validateAccountantRole();
$invoice_id = intval($_GET['delete_invoice']);
mysqli_query($mysqli,"DELETE FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
@ -3318,6 +3351,7 @@ if(isset($_GET['delete_invoice'])){
}
if(isset($_POST['add_invoice_item'])){
validateAccountantRole();
$invoice_id = intval($_POST['invoice_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@ -3358,6 +3392,7 @@ if(isset($_POST['add_invoice_item'])){
}
if(isset($_POST['invoice_note'])){
validateAccountantRole();
$invoice_id = intval($_POST['invoice_id']);
$note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note'])));
@ -3371,6 +3406,7 @@ if(isset($_POST['invoice_note'])){
}
if(isset($_POST['edit_item'])){
validateAccountantRole();
$invoice_id = intval($_POST['invoice_id']);
$quote_id = intval($_POST['quote_id']);
@ -3431,6 +3467,8 @@ if(isset($_POST['edit_item'])){
}
if(isset($_GET['delete_invoice_item'])){
validateAccountantRole();
$item_id = intval($_GET['delete_invoice_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
@ -3459,6 +3497,7 @@ if(isset($_GET['delete_invoice_item'])){
}
if(isset($_POST['add_payment'])){
validateAccountantRole();
$invoice_id = intval($_POST['invoice_id']);
$balance = floatval($_POST['balance']);
@ -3597,6 +3636,8 @@ if(isset($_POST['add_payment'])){
}
if(isset($_GET['delete_payment'])){
validateAccountantRole();
$payment_id = intval($_GET['delete_payment']);
$sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id AND company_id = $session_company_id");
@ -3642,6 +3683,8 @@ if(isset($_GET['delete_payment'])){
}
if(isset($_GET['email_invoice'])){
validateAccountantRole();
$invoice_id = intval($_GET['email_invoice']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoices
@ -3732,6 +3775,7 @@ if(isset($_GET['email_invoice'])){
}
if(isset($_POST['add_revenue'])){
validateAccountantRole();
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
$amount = floatval($_POST['amount']);
@ -3754,6 +3798,7 @@ if(isset($_POST['add_revenue'])){
}
if(isset($_POST['edit_revenue'])){
validateAccountantRole();
$revenue_id = intval($_POST['revenue_id']);
$date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])));
@ -3777,6 +3822,8 @@ if(isset($_POST['edit_revenue'])){
}
if(isset($_GET['delete_revenue'])){
validateAccountantRole();
$revenue_id = intval($_GET['delete_revenue']);
mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id AND company_id = $session_company_id");
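Review bot: Every new `validateAdminRole();` / `validateAccountantRole();` call only protects the handler below it if the helper ends the request (redirect plus `exit`) rather than merely printing an error; neither helper's body is in this diff, so that should be confirmed, and a comment at the first call site such as `// Role guard: validateAdminRole() must terminate the request for non-admins` would make the contract explicit for the next reader. In the edit_user hunk (old line 142) the inline `$session_user_role != 3 && $_POST['user_id'] !== $session_user_id` check now sits directly after the admin guard; if the guard already requires role 3, the first half of that condition is dead and deserves either removal or a comment saying why it stays. Handlers that appear only as hunk context — archive_company, delete_trip, delete_tag, dismiss_all_notifications, export_client_vendors_csv — are untouched here, so presumably they carry an equivalent check already, but they are worth verifying against the same role matrix. Many of the newly guarded routes are state-changing `$_GET` handlers (archive_account, delete_tax, delete_payment, delete_revenue), and this rendering drops some added lines, so I cannot see whether a CSRF check accompanies the role guard on those as it does on the user and API-key handlers.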