Commit 23f776e

author
wrongecho
committed
Permissions - clients and tickets
Enforce new permissions model in clients and tickets
1 parent 847870a commit 23f776e

9 files changed

+121
-106
lines changed


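--- a/client_add_modal.php
+++ b/client_add_modal.php
@@ -8,6 +8,7 @@
 </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 <input type="hidden" name="lead" value="0">
 <input type="hidden" name="net_terms" value="0">
 <input type="hidden" name="currency_code" value="<?php echo $session_company_currency; ?>">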

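--- a/client_tickets.php
+++ b/client_tickets.php
@@ -119,7 +119,7 @@
 <th><a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=ticket_number&order=<?php echo $disp; ?>">Number</a></th>
 <th><a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=ticket_subject&order=<?php echo $disp; ?>">Subject</a></th>
 <th><a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=contact_name&order=<?php echo $disp; ?>">Contact</a></th>
-<?php if ($config_module_enable_accounting) { ?>
+<?php if ($config_module_enable_accounting && lookupUserPermission("module_sales") >= 2) { ?>
 <th class="text-center"><a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=ticket_billable&order=<?php echo $disp; ?>">Billable</a></th>
 <?php } ?>
 <th><a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=ticket_priority&order=<?php echo $disp; ?>">Priority</a></th>
@@ -237,8 +237,8 @@
 <a href="#" data-toggle="modal" data-target="#editTicketContactModal<?php echo $ticket_id; ?>"><?php echo $contact_display; ?></a>
 </td>
 
-<!-- Ticket Billable (if accounting enabled -->
-<?php if ($config_module_enable_accounting) { ?>
+<!-- Ticket Billable (if accounting perms & enabled) -->
+<?php if ($config_module_enable_accounting && lookupUserPermission("module_sales") >= 2) { ?>
 <td class="text-center">
 <a href="#" data-toggle="modal" data-target="#editTicketBillableModal<?php echo $ticket_id; ?>">
 <?php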
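Review bot: Both hunks (lines 122 and 241) only hide the Billable column and its edit link in the view; the editTicketBillableModal still posts to a handler outside this commit, so the `module_sales` level-2 check has to be enforced there as well, since hiding a column is not authorization. The `module_sales` key and the `>= 2` threshold are repeated as bare literals in two places with nothing saying which level they mean; a comment above the header check such as `<!-- Billable column: needs module_sales >= 2 (edit level); keep in step with the ticket billable post handler -->` would tie the two together and record the intended level. The enclosing table markup continues outside both hunks.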

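--- a/clients.php
+++ b/clients.php
@@ -96,11 +96,11 @@
 <div class="card-header py-2">
 <h3 class="card-title mt-2"><i class="fa fa-fw fa-user-friends mr-2"></i><?php if($leads == 0){ echo "Client"; } else { echo "Lead"; } ?> Management</h3>
 <div class="card-tools">
-<?php if ($session_user_role == 3) { ?>
+<?php if (lookupUserPermission("module_client") >= 2) { ?>
 <div class="btn-group">
 <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addClientModal">
 <i class="fas fa-plus mr-2"></i>New
-<?php if($leads == 0){ echo "Client"; } else { echo "Lead"; } ?>
+<?php if ($leads == 0) { echo "Client"; } else { echo "Lead"; } ?>
 </button>
 <button type="button" class="btn btn-primary dropdown-toggle dropdown-toggle-split" data-toggle="dropdown"></button>
 <div class="dropdown-menu">
@@ -134,13 +134,13 @@
 <div class="col-md-8">
 <div class="btn-toolbar float-right">
 <div class="btn-group mr-2">
-<a href="?leads=0" class="btn btn-<?php if($leads == 0){ echo "primary"; } else { echo "default"; } ?>"><i class="fa fa-fw fa-user-friends mr-2"></i>Clients</a>
-<a href="?leads=1" class="btn btn-<?php if($leads == 1){ echo "primary"; } else { echo "default"; } ?>"><i class="fa fa-fw fa-bullhorn mr-2"></i>Leads</a>
+<a href="?leads=0" class="btn btn-<?php if ($leads == 0){ echo "primary"; } else { echo "default"; } ?>"><i class="fa fa-fw fa-user-friends mr-2"></i>Clients</a>
+<a href="?leads=1" class="btn btn-<?php if ($leads == 1){ echo "primary"; } else { echo "default"; } ?>"><i class="fa fa-fw fa-bullhorn mr-2"></i>Leads</a>
 </div>
 
 <div class="btn-group mr-2">
 <a href="?<?php echo $url_query_strings_sort ?>&archived=<?php if($archived == 1){ echo 0; } else { echo 1; } ?>"
-class="btn btn-<?php if($archived == 1){ echo "primary"; } else { echo "default"; } ?>">
+class="btn btn-<?php if ($archived == 1) { echo "primary"; } else { echo "default"; } ?>">
 <i class="fa fa-fw fa-archive mr-2"></i>Archived
 </a>
 </div>
@@ -270,8 +270,8 @@ class="collapse mt-3
 <?php if ($sort == 'contact_name') { echo $order_icon; } ?>
 </a>
 </th>
-<?php if (($session_user_role == 3 || $session_user_role == 1) && $config_module_enable_accounting == 1) { ?> <th class="text-right">Billing</th> <?php } ?>
-<?php if ($session_user_role == 3) { ?> <th class="text-center">Action</th> <?php } ?>
+<?php if ((lookupUserPermission("module_financial") >= 1) && $config_module_enable_accounting == 1) { ?> <th class="text-right">Billing</th> <?php } ?>
+<?php if (lookupUserPermission("module_client") >= 2) { ?> <th class="text-center">Action</th> <?php } ?>
 </tr>
 </thead>
 <tbody>
@@ -387,7 +387,7 @@ class="collapse mt-3
 </div>
 <?php } ?>
 <div class="mt-1 text-secondary">
-<small><strong>Created:</strong> <?php echo $client_created_at; ?></small>
+<small><strong>Created: </strong> <?php echo $client_created_at; ?></small>
 </div>
 
 </td>
@@ -425,8 +425,8 @@ class="collapse mt-3
 <?php } ?>
 </td>
 
-<!-- Show Billing for Admin/Accountant roles only and if accounting module is enabled -->
-<?php if (($session_user_role == 3 || $session_user_role == 1) && $config_module_enable_accounting == 1) { ?>
+<!-- Show Billing if perms & if accounting module is enabled -->
+<?php if ((lookupUserPermission("module_financial") >= 1) && $config_module_enable_accounting == 1) { ?>
 <td class="text-right">
 <div class="mt-1">
 <span class="text-secondary">Balance</span> <span class="<?php echo $balance_text_color; ?>"><?php echo numfmt_format_currency($currency_format, $balance, $session_company_currency); ?></span>
@@ -443,8 +443,8 @@ class="collapse mt-3
 </td>
 <?php } ?>
 
-<!-- Show actions for Admin role only -->
-<?php if ($session_user_role == 3) { ?>
+<!-- Actions -->
+<?php if (lookupUserPermission("module_client") >= 2) { ?>
 <td>
 <div class="dropdown dropleft text-center">
 <button class="btn btn-secondary btn-sm" type="button" data-toggle="dropdown">
@@ -457,7 +457,7 @@ class="collapse mt-3
 
 <?php if (empty($client_archived_at)) { ?>
 <div class="dropdown-divider"></div>
-<a class="dropdown-item text-danger confirm-link" href="post.php?archive_client=<?php echo $client_id; ?>">
+<a class="dropdown-item text-danger confirm-link" href="post.php?archive_client=<?php echo $client_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
 <i class="fas fa-fw fa-archive mr-2"></i>Archive
 </a>
 <?php } ?>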
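Review bot: The archive link at line 460 now carries the CSRF token in a GET query string, which places a session secret into browser history, proxy and server access logs, and the Referer header of any outbound link on the target page; the same pattern is added in inc_client_top_head.php at line 26. A state-changing action is better issued as a small POST form carrying the hidden `csrf_token` input that client_add_modal.php gains in this same commit, or at minimum the page should send a restrictive `Referrer-Policy`. The token is also echoed raw into the href; wrapping it as `<?php echo urlencode($_SESSION['csrf_token']); ?>` keeps an unexpected character from breaking the query string. The surrounding dropdown markup continues outside the hunk.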

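--- a/inc_client_top_head.php
+++ b/inc_client_top_head.php
@@ -5,7 +5,7 @@
 <a href="#" data-toggle="collapse" data-target="#clientHeader"><h4 class="text-secondary" data-toggle="tooltip" data-placement="right" title="Client ID: <?php echo $client_id; ?>"><strong><?php echo $client_name; ?></strong> <?php if ($client_archived_at) { echo "(archived)"; } ?></h4></a>
 </div>
 <div class="col">
-<?php if ($session_user_role == 3) { ?>
+<?php if (lookupUserPermission("module_client") >= 2) { ?>
 <div class="dropdown dropleft text-center">
 <button class="btn btn-dark btn-sm float-right" type="button" data-toggle="dropdown">
 <i class="fas fa-fw fa-ellipsis-v"></i>
@@ -14,14 +14,16 @@
 <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editClientModal<?php echo $client_id; ?>">
 <i class="fas fa-fw fa-edit mr-2"></i>Edit Client
 </a>
-<div class="dropdown-divider"></div>
-<a class="dropdown-item" href="#" data-toggle="modal" data-target="#exportClientPDFModal">
-<i class="fas fa-fw fa-file-pdf mr-2"></i>Export Data
-</a>
+<?php if (lookupUserPermission("module_client") >= 3) { ?>
+<div class="dropdown-divider"></div>
+<a class="dropdown-item" href="#" data-toggle="modal" data-target="#exportClientPDFModal">
+<i class="fas fa-fw fa-file-pdf mr-2"></i>Export Data
+</a>
+<?php } ?>
 
 <?php if (empty($client_archived_at)) { ?>
 <div class="dropdown-divider"></div>
-<a class="dropdown-item text-danger confirm-link" href="post.php?archive_client=<?php echo $client_id; ?>">
+<a class="dropdown-item text-danger confirm-link" href="post.php?archive_client=<?php echo $client_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
 <i class="fas fa-fw fa-archive mr-2"></i>Archive Client
 </a>
 <?php } else { ?>
@@ -31,7 +33,7 @@
 </a>
 <?php } ?>
 
-<?php if ($session_user_role == 3 && $client_archived_at) { ?>
+<?php if (lookupUserPermission("module_client") >= 3 && $client_archived_at) { ?>
 <div class="dropdown-divider"></div>
 <a class="dropdown-item text-danger text-bold" href="#" data-toggle="modal" data-target="#deleteClientModal<?php echo $client_id; ?>">
 <i class="fas fa-fw fa-trash mr-2"></i>Delete Client
@@ -115,8 +117,8 @@
 
 </div>
 
-<?php if ($session_user_role == 1 || $session_user_role == 3 && $config_module_enable_accounting == 1) { ?>
-<div class="col-md border-left border-top">
+<?php if (lookupUserPermission("module_financial") >= 1 && $config_module_enable_accounting == 1) { ?>
+<div class="col-md border-left border-top">
 <h5 class="text-secondary mt-1">Billing</h5>
 <div class="ml-1 text-secondary">Hourly Rate
 <span class="text-dark float-right"> <?php echo numfmt_format_currency($currency_format, $client_rate, $client_currency_code); ?></span>
@@ -141,8 +143,8 @@
 </div>
 <?php } ?>
 
-
-<div class="col-md border-left border-top">
+<?php if (lookupUserPermission("module_support") >= 1 && $config_module_enable_ticketing == 1) { ?>
+<div class="col-md border-left border-top">
 <h5 class="text-secondary mt-1">Support</h5>
 <div class="ml-1 text-secondary">Open Tickets
 <span class="text-dark float-right"><?php echo $num_active_tickets; ?></span>
@@ -156,6 +158,7 @@
 <?php echo $client_tags_display; ?>
 <?php } ?>
 </div>
+<?php } ?>
 
 </div>
 </div>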
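Review bot: The billing gate at line 120 changes behaviour as well as the permission source: in the old expression `$session_user_role == 1 || $session_user_role == 3 && $config_module_enable_accounting == 1` the `&&` bound tighter than the `||`, so role 1 saw the Billing box even with accounting disabled, whereas the new line requires both conditions for everyone. That is the right outcome, but the commit message does not mention it and a reader comparing the two lines may take it for a pure refactor; a comment such as `<!-- Billing: needs module_financial >= 1 AND accounting enabled (the old role check had an || vs && precedence bug) -->` would record it. The Export Data item at line 17 is shown at module_client >= 3, while the export handler in post/client.php additionally enforces support, sales and financial level 1, so a user holding client level 3 alone sees the item and is then rejected; the TODO in that handler acknowledges the mismatch. The enclosing header markup continues outside the hunks.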

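--- a/post/client.php
+++ b/post/client.php
@@ -6,10 +6,10 @@
 
 if (isset($_POST['add_client'])) {
 
-require_once 'post/client_model.php';
-
+validateCSRFToken($_POST['csrf_token']);
+enforceUserPermission('module_client', 2);
 
-validateAdminRole();
+require_once 'post/client_model.php';
 
 $location_phone = preg_replace("/[^0-9]/", '', $_POST['location_phone']);
 $address = sanitizeInput($_POST['address']);
@@ -117,9 +117,9 @@
 
 if (isset($_POST['edit_client'])) {
 
-require_once 'post/client_model.php';
+enforceUserPermission('module_client', 2);
 
-validateAdminRole();
+require_once 'post/client_model.php';
 
 $client_id = intval($_POST['client_id']);
 
@@ -153,7 +153,8 @@
 
 if (isset($_GET['archive_client'])) {
 
-validateAdminRole();
+validateCSRFToken($_GET['csrf_token']);
+enforceUserPermission('module_client', 2);
 
 $client_id = intval($_GET['archive_client']);
 
@@ -175,6 +176,8 @@
 
 if (isset($_GET['undo_archive_client'])) {
 
+enforceUserPermission('module_client', 2);
+
 $client_id = intval($_GET['undo_archive_client']);
 
 // Get Client Name
@@ -194,10 +197,8 @@
 
 if (isset($_GET['delete_client'])) {
 
-validateAdminRole();
-
-// CSRF Check
 validateCSRFToken($_GET['csrf_token']);
+enforceUserPermission('module_client', 3);
 
 $client_id = intval($_GET['delete_client']);
 
@@ -337,6 +338,8 @@
 
 if (isset($_POST['export_clients_csv'])) {
 
+enforceUserPermission('module_client', 1);
+
 //get records from database
 $sql = mysqli_query($mysqli, "SELECT * FROM clients
 LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
@@ -377,7 +380,7 @@
 
 if (isset($_POST["import_clients_csv"])) {
 
-validateTechRole();
+enforceUserPermission('module_client', 2);
 
 $file_name = $_FILES["file"]["tmp_name"];
 $error = false;
@@ -604,14 +607,21 @@
 
 if (isset($_POST['export_client_pdf'])) {
 
-validateAdminRole();
+// TODO: Enforce perms based on which individual boxes are ticked
+enforceUserPermission('module_client', 3);
+enforceUserPermission('module_support', 1);
+enforceUserPermission('module_sales', 1);
+enforceUserPermission('module_financial', 1);
 
 $client_id = intval($_POST['client_id']);
 $export_contacts = intval($_POST['export_contacts']);
 $export_locations = intval($_POST['export_locations']);
 $export_assets = intval($_POST['export_assets']);
 $export_software = intval($_POST['export_software']);
-$export_logins = intval($_POST['export_logins']);
+$export_logins = 0;
+if (lookupUserPermission("module_credential") >= 1) {
+$export_logins = intval($_POST['export_logins']);
+}
 $export_networks = intval($_POST['export_networks']);
 $export_certificates = intval($_POST['export_certificates']);
 $export_domains = intval($_POST['export_domains']);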
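Review bot: The `undo_archive_client` handler at line 179 gains `enforceUserPermission('module_client', 2)` but no `validateCSRFToken` call, even though it is a state-changing GET exactly like `archive_client` (line 156) and `delete_client` (line 200), both of which now validate the token before the permission check; a forged link can therefore still un-archive a client on behalf of any level-2 user. Add `validateCSRFToken($_GET['csrf_token']);` ahead of the permission check and carry the token in the undo link the same way the archive link does. The `edit_client` (line 120), `export_clients_csv` (line 341) and `import_clients_csv` (line 383) POST handlers likewise show no token check in their visible lines, while the sibling `add_client` handler gets one in this commit; if the check lives further down or in a shared front controller, a one-line comment at the top of each handler saying so would save the next reviewer the search. Each handler body continues outside its hunk.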
