AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-06-17 23:31:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: AS1024:v26.05
Branches Tags
AS1024:master AS1024:dependabot/composer/plugins/symfony/http-foundation-8.1.0 AS1024:develop AS1024:ticket-task-approvals AS1024:duplicate-numbering-racecondition AS1024:undefined-asset-handling AS1024:revert-1176-Whit3XLightning-patch-2 AS1024:Before-Multi-Company-Removal
AS1024:v26.05 AS1024:v26.04 AS1024:v26.4 AS1024:v26.3 AS1024:v26.02 AS1024:v25.12 AS1024:v25.11 AS1024:v25.10 AS1024:v25.09 AS1024:v25.06 AS1024:v25.05 AS1024:v25.03 AS1024:v25.02.4 AS1024:v25.02.3 AS1024:v25.02.1 AS1024:v25.02 AS1024:v25.01.3 AS1024:v25.02.2 AS1024:v25.01.2 AS1024:v25.01
...
compare: AS1024:dependabot/composer/plugins/symfony/http-foundation-8.1.0
Branches Tags
AS1024:dependabot/composer/plugins/symfony/http-foundation-8.1.0 AS1024:develop AS1024:master AS1024:ticket-task-approvals AS1024:duplicate-numbering-racecondition AS1024:undefined-asset-handling AS1024:revert-1176-Whit3XLightning-patch-2 AS1024:Before-Multi-Company-Removal
AS1024:v26.05 AS1024:v26.04 AS1024:v26.4 AS1024:v26.3 AS1024:v26.02 AS1024:v25.12 AS1024:v25.11 AS1024:v25.10 AS1024:v25.09 AS1024:v25.06 AS1024:v25.05 AS1024:v25.03 AS1024:v25.02.4 AS1024:v25.02.3 AS1024:v25.02.1 AS1024:v25.02 AS1024:v25.01.3 AS1024:v25.02.2 AS1024:v25.01.2 AS1024:v25.01

6 Commits
v26.05 ... dependabot

Author SHA1 Message Date
dependabot[bot]
220f766779 Bump symfony/http-foundation from 7.3.7 to 8.1.0 in /plugins 
Bumps [symfony/http-foundation](https://github.com/symfony/http-foundation) from 7.3.7 to 8.1.0.
- [Release notes](https://github.com/symfony/http-foundation/releases)
- [Changelog](https://github.com/symfony/http-foundation/blob/8.2/CHANGELOG.md)
- [Commits](https://github.com/symfony/http-foundation/compare/v7.3.7...v8.1.0)

---
updated-dependencies:
- dependency-name: symfony/http-foundation
  dependency-version: 8.1.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-06-16 04:51:04 +00:00
Johnny
60563e3392 Merge pull request #1284 from itflow-org/develop 
Bump Version
 2026-05-21 10:53:48 -04:00
johnnyq
a02d78bde5 Bump Version 2026-05-21 10:38:56 -04:00
wrongecho
bd15cbe375 - Stripe saved cards - lock down invoice and client IDs 
- Stop app log handling from breaking due to quotes
 2026-05-20 17:51:54 +01:00
wrongecho
c5d67cd4f9 Kanban - Enforce per-client perms (ajax) 2026-05-20 14:01:55 +01:00
wrongecho
7211426292 Invoices - Secure date/frequency input handling 2026-05-20 13:32:21 +01:00
8 changed files with 80 additions and 60 deletions
Expand all files Collapse all files

3
CHANGELOG.md
View File

@@ -2,6 +2,9 @@
This file documents all notable changes made to ITFlow. This file documents all notable changes made to ITFlow.
## [26.05.1] Stable Release
- Security Fixes.
## [26.05] Stable Release ## [26.05] Stable Release
### Bug Fixes ### Bug Fixes
- Stripe Payment: Fix adding saved cards on client portal. - Stripe Payment: Fix adding saved cards on client portal.

6
agent/ajax.php
View File

@@ -454,6 +454,12 @@ if (isset($_POST['update_kanban_ticket'])) {
foreach ($positions as $position) { foreach ($positions as $position) {
$ticket_id = intval($position['ticket_id']); $ticket_id = intval($position['ticket_id']);
// Client perms check
$client_query = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT ticket_client_id FROM tickets WHERE ticket_id = $ticket_id"));
$client_id = intval($client_query['ticket_client_id']);
enforceClientAccess();
$kanban = intval($position['ticket_order']); // ticket kanban position $kanban = intval($position['ticket_order']); // ticket kanban position
$status = intval($position['ticket_status']); // ticket statuses $status = intval($position['ticket_status']); // ticket statuses
$oldStatus = intval($position['ticket_oldStatus']); // ticket old status if moved $oldStatus = intval($position['ticket_oldStatus']); // ticket old status if moved

4
agent/post/invoice.php
View File

@@ -542,8 +542,8 @@ if (isset($_GET['email_invoice'])) {
$invoice_number = intval($row['invoice_number']); $invoice_number = intval($row['invoice_number']);
$invoice_scope = sanitizeInput($row['invoice_scope']); $invoice_scope = sanitizeInput($row['invoice_scope']);
$invoice_status = sanitizeInput($row['invoice_status']); $invoice_status = sanitizeInput($row['invoice_status']);
$invoice_date = sanitizeInput($row['invoice_date']); $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
$invoice_due = sanitizeInput($row['invoice_due']); $invoice_due = sanitizeInput(validateDate($row['invoice_due']));
$invoice_amount = floatval($row['invoice_amount']); $invoice_amount = floatval($row['invoice_amount']);
$invoice_url_key = sanitizeInput($row['invoice_url_key']); $invoice_url_key = sanitizeInput($row['invoice_url_key']);
$invoice_currency_code = sanitizeInput($row['invoice_currency_code']); $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);

8
agent/post/recurring_invoice.php
View File

@@ -13,13 +13,13 @@ if (isset($_POST['add_invoice_recurring'])) {
enforceUserPermission('module_sales', 2); enforceUserPermission('module_sales', 2);
$invoice_id = intval($_POST['invoice_id']); $invoice_id = intval($_POST['invoice_id']);
$recurring_invoice_frequency = sanitizeInput($_POST['frequency']); $recurring_invoice_frequency = ($_POST['frequency'] === 'year') ? 'year' : 'month';
$sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id"); $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id");
$row = mysqli_fetch_assoc($sql); $row = mysqli_fetch_assoc($sql);
$invoice_prefix = sanitizeInput($row['invoice_prefix']); $invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']); $invoice_number = intval($row['invoice_number']);
$invoice_date = sanitizeInput($row['invoice_date']); $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
$invoice_amount = floatval($row['invoice_amount']); $invoice_amount = floatval($row['invoice_amount']);
$invoice_currency_code = sanitizeInput($row['invoice_currency_code']); $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);
$invoice_scope = sanitizeInput($row['invoice_scope']); $invoice_scope = sanitizeInput($row['invoice_scope']);
@@ -394,7 +394,7 @@ if (isset($_GET['force_recurring'])) {
$row = mysqli_fetch_assoc($sql_recurring_invoices); $row = mysqli_fetch_assoc($sql_recurring_invoices);
$recurring_invoice_id = intval($row['recurring_invoice_id']); $recurring_invoice_id = intval($row['recurring_invoice_id']);
$recurring_invoice_scope = sanitizeInput($row['recurring_invoice_scope']); $recurring_invoice_scope = sanitizeInput($row['recurring_invoice_scope']);
$recurring_invoice_frequency = sanitizeInput($row['recurring_invoice_frequency']); $recurring_invoice_frequency = ($_POST['frequency'] === 'year') ? 'year' : 'month';
$recurring_invoice_status = sanitizeInput($row['recurring_invoice_status']); $recurring_invoice_status = sanitizeInput($row['recurring_invoice_status']);
$recurring_invoice_last_sent = sanitizeInput($row['recurring_invoice_last_sent']); $recurring_invoice_last_sent = sanitizeInput($row['recurring_invoice_last_sent']);
$recurring_invoice_next_date = sanitizeInput($row['recurring_invoice_next_date']); $recurring_invoice_next_date = sanitizeInput($row['recurring_invoice_next_date']);
@@ -480,7 +480,7 @@ if (isset($_GET['force_recurring'])) {
$invoice_prefix = sanitizeInput($row['invoice_prefix']); $invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']); $invoice_number = intval($row['invoice_number']);
$invoice_scope = sanitizeInput($row['invoice_scope']); $invoice_scope = sanitizeInput($row['invoice_scope']);
$invoice_date = sanitizeInput($row['invoice_date']); $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
$invoice_due = sanitizeInput($row['invoice_due']); $invoice_due = sanitizeInput($row['invoice_due']);
$invoice_amount = floatval($row['invoice_amount']); $invoice_amount = floatval($row['invoice_amount']);
$invoice_url_key = sanitizeInput($row['invoice_url_key']); $invoice_url_key = sanitizeInput($row['invoice_url_key']);

18
client/post.php
View File

@@ -524,12 +524,6 @@ if (isset($_GET['add_payment_by_provider'])) {
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']); $contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
$contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile'], $row['contact_mobile_country_code'])); $contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile'], $row['contact_mobile_country_code']));
// Check to make sure saved payment method belongs to logged in client
if ($client_id !== $session_client_id) {
flash_alert("Saved Payment method does not belong to you!", 'danger');
redirect();
}
// Get ITFlow company details // Get ITFlow company details
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1"); $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_assoc($sql); $row = mysqli_fetch_assoc($sql);
@@ -548,7 +542,7 @@ if (isset($_GET['add_payment_by_provider'])) {
$config_invoice_from_email = sanitizeInput($config_invoice_from_email); $config_invoice_from_email = sanitizeInput($config_invoice_from_email);
// Get Client Payment Details // Get Client Payment Details
$sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id LIMIT 1"); $sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id AND saved_payment_client_id = $session_client_id LIMIT 1");
$row = mysqli_fetch_assoc($sql); $row = mysqli_fetch_assoc($sql);
$public_key = sanitizeInput($row['payment_provider_public_key']); $public_key = sanitizeInput($row['payment_provider_public_key']);
@@ -561,9 +555,17 @@ if (isset($_GET['add_payment_by_provider'])) {
$payment_provider_client = sanitizeInput($row['payment_provider_client']); $payment_provider_client = sanitizeInput($row['payment_provider_client']);
$saved_payment_method = sanitizeInput($row['saved_payment_provider_method']); $saved_payment_method = sanitizeInput($row['saved_payment_provider_method']);
$saved_payment_description = sanitizeInput($row['saved_payment_description']); $saved_payment_description = sanitizeInput($row['saved_payment_description']);
$payment_client_id = intval($row['saved_payment_client_id']);
// Sanity checks // Sanity checks
if (!$payment_provider_client || !$saved_payment_method) { // Check to make invoice belongs to logged in client
if ($client_id !== $session_client_id) {
flash_alert("Invoice does not belong to you!", 'danger');
redirect();
} elseif ($payment_client_id !== $session_client_id) {
flash_alert("Saved Payment method does not belong to you!", 'danger');
redirect();
} elseif (!$payment_provider_client || !$saved_payment_method) {
flash_alert("Stripe not enabled or no client card saved", 'error'); flash_alert("Stripe not enabled or no client card saved", 'error');
redirect(); redirect();
} elseif ($invoice_status !== 'Sent' && $invoice_status !== 'Viewed') { } elseif ($invoice_status !== 'Sent' && $invoice_status !== 'Viewed') {

11
functions.php
View File

@@ -1512,8 +1512,8 @@ function logAction($type, $action, $description, $client_id = 0, $entity_id = 0)
function logApp($category, $type, $details) { function logApp($category, $type, $details) {
global $mysqli; global $mysqli;
$category = substr($category, 0, 200); $category = mysqli_real_escape_string($mysqli, substr($category, 0, 200));
$details = substr($details, 0, 1000); $details = mysqli_real_escape_string($mysqli, substr($details, 0, 1000));
mysqli_query($mysqli, "INSERT INTO app_logs SET app_log_category = '$category', app_log_type = '$type', app_log_details = '$details'"); mysqli_query($mysqli, "INSERT INTO app_logs SET app_log_category = '$category', app_log_type = '$type', app_log_details = '$details'");
} }
@@ -2073,3 +2073,10 @@ function formatDuration($time) {
return implode(' ', $parts); return implode(' ', $parts);
} }
function validateDate($date) {
if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
return $date;
}
return date('Y-m-d'); // Fallback
}

2
includes/app_version.php
View File

@@ -5,4 +5,4 @@
* Update this file each time we merge develop into master. Format is YY.MM (add a .v if there is more than one release a month. * Update this file each time we merge develop into master. Format is YY.MM (add a .v if there is more than one release a month.
*/ */
DEFINE("APP_VERSION", "26.05"); DEFINE("APP_VERSION", "26.05.1");

88
plugins/composer.lock generated
View File

@@ -826,16 +826,16 @@
}, },
{ {
"name": "symfony/deprecation-contracts", "name": "symfony/deprecation-contracts",
"version": "v3.6.0", "version": "v3.7.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/deprecation-contracts.git", "url": "https://github.com/symfony/deprecation-contracts.git",
"reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62" "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/63afe740e99a13ba87ec199bb07bbdee937a5b62", "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/50f59d1f3ca46d41ac911f97a78626b6756af35b",
"reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62", "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@@ -848,7 +848,7 @@
"name": "symfony/contracts" "name": "symfony/contracts"
}, },
"branch-alias": { "branch-alias": {
"dev-main": "3.6-dev" "dev-main": "3.7-dev"
} }
}, },
"autoload": { "autoload": {
@@ -873,7 +873,7 @@
"description": "A generic function and convention to trigger deprecation notices", "description": "A generic function and convention to trigger deprecation notices",
"homepage": "https://symfony.com", "homepage": "https://symfony.com",
"support": { "support": {
"source": "https://github.com/symfony/deprecation-contracts/tree/v3.6.0" "source": "https://github.com/symfony/deprecation-contracts/tree/v3.7.0"
}, },
"funding": [ "funding": [
{ {
@@ -884,47 +884,49 @@
"url": "https://github.com/fabpot", "url": "https://github.com/fabpot",
"type": "github" "type": "github"
}, },
{
"url": "https://github.com/nicolas-grekas",
"type": "github"
},
{ {
"url": "https://tidelift.com/funding/github/packagist/symfony/symfony", "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-09-25T14:21:43+00:00" "time": "2026-04-13T15:52:40+00:00"
}, },
{ {
"name": "symfony/http-foundation", "name": "symfony/http-foundation",
"version": "v7.3.7", "version": "v8.1.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/http-foundation.git", "url": "https://github.com/symfony/http-foundation.git",
"reference": "db488a62f98f7a81d5746f05eea63a74e55bb7c4" "reference": "af11474600f06718086c2cda4fa6fa8d0a672e7e"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/http-foundation/zipball/db488a62f98f7a81d5746f05eea63a74e55bb7c4", "url": "https://api.github.com/repos/symfony/http-foundation/zipball/af11474600f06718086c2cda4fa6fa8d0a672e7e",
"reference": "db488a62f98f7a81d5746f05eea63a74e55bb7c4", "reference": "af11474600f06718086c2cda4fa6fa8d0a672e7e",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
"php": ">=8.2", "php": ">=8.4.1",
"symfony/deprecation-contracts": "^2.5|^3.0", "symfony/deprecation-contracts": "^2.5|^3",
"symfony/polyfill-mbstring": "~1.1", "symfony/polyfill-mbstring": "^1.1"
"symfony/polyfill-php83": "^1.27"
}, },
"conflict": { "conflict": {
"doctrine/dbal": "<3.6", "doctrine/dbal": "<4.3"
"symfony/cache": "<6.4.12|>=7.0,<7.1.5"
}, },
"require-dev": { "require-dev": {
"doctrine/dbal": "^3.6|^4", "doctrine/dbal": "^4.3",
"predis/predis": "^1.1|^2.0", "predis/predis": "^1.1|^2.0",
"symfony/cache": "^6.4.12|^7.1.5", "symfony/cache": "^7.4|^8.0",
"symfony/clock": "^6.4|^7.0", "symfony/clock": "^7.4|^8.0",
"symfony/dependency-injection": "^6.4|^7.0", "symfony/dependency-injection": "^7.4|^8.0",
"symfony/expression-language": "^6.4|^7.0", "symfony/expression-language": "^7.4|^8.0",
"symfony/http-kernel": "^6.4|^7.0", "symfony/http-kernel": "^7.4|^8.0",
"symfony/mime": "^6.4|^7.0", "symfony/mime": "^7.4|^8.0",
"symfony/rate-limiter": "^6.4|^7.0" "symfony/rate-limiter": "^7.4|^8.0"
}, },
"type": "library", "type": "library",
"autoload": { "autoload": {
@@ -952,7 +954,7 @@
"description": "Defines an object-oriented layer for the HTTP specification", "description": "Defines an object-oriented layer for the HTTP specification",
"homepage": "https://symfony.com", "homepage": "https://symfony.com",
"support": { "support": {
"source": "https://github.com/symfony/http-foundation/tree/v7.3.7" "source": "https://github.com/symfony/http-foundation/tree/v8.1.0"
}, },
"funding": [ "funding": [
{ {
@@ -972,20 +974,20 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2025-11-08T16:41:12+00:00" "time": "2026-05-29T05:06:50+00:00"
}, },
{ {
"name": "symfony/polyfill-mbstring", "name": "symfony/polyfill-mbstring",
"version": "v1.33.0", "version": "v1.38.2",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/polyfill-mbstring.git", "url": "https://github.com/symfony/polyfill-mbstring.git",
"reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493" "reference": "d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6d857f4d76bd4b343eac26d6b539585d2bc56493", "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6",
"reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493", "reference": "d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@@ -1037,7 +1039,7 @@
"shim" "shim"
], ],
"support": { "support": {
"source": "https://github.com/symfony/polyfill-mbstring/tree/v1.33.0" "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.38.2"
}, },
"funding": [ "funding": [
{ {
@@ -1057,20 +1059,20 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-12-23T08:48:59+00:00" "time": "2026-05-27T06:59:30+00:00"
}, },
{ {
"name": "symfony/polyfill-php83", "name": "symfony/polyfill-php83",
"version": "v1.33.0", "version": "v1.38.2",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/polyfill-php83.git", "url": "https://github.com/symfony/polyfill-php83.git",
"reference": "17f6f9a6b1735c0f163024d959f700cfbc5155e5" "reference": "796a26abb75ce49f3a84433cd81bf1009d73d5f8"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/polyfill-php83/zipball/17f6f9a6b1735c0f163024d959f700cfbc5155e5", "url": "https://api.github.com/repos/symfony/polyfill-php83/zipball/796a26abb75ce49f3a84433cd81bf1009d73d5f8",
"reference": "17f6f9a6b1735c0f163024d959f700cfbc5155e5", "reference": "796a26abb75ce49f3a84433cd81bf1009d73d5f8",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@@ -1117,7 +1119,7 @@
"shim" "shim"
], ],
"support": { "support": {
"source": "https://github.com/symfony/polyfill-php83/tree/v1.33.0" "source": "https://github.com/symfony/polyfill-php83/tree/v1.38.2"
}, },
"funding": [ "funding": [
{ {
@@ -1137,7 +1139,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2025-07-08T02:45:35+00:00" "time": "2026-05-27T06:51:48+00:00"
}, },
{ {
"name": "symfony/polyfill-php84", "name": "symfony/polyfill-php84",
@@ -1636,10 +1638,10 @@
"packages-dev": [], "packages-dev": [],
"aliases": [], "aliases": [],
"minimum-stability": "stable", "minimum-stability": "stable",
"stability-flags": [], "stability-flags": {},
"prefer-stable": false, "prefer-stable": false,
"prefer-lowest": false, "prefer-lowest": false,
"platform": [], "platform": {},
"platform-dev": [], "platform-dev": {},
"plugin-api-version": "2.2.0" "plugin-api-version": "2.9.0"
} }