Bugfix: Client Access Permissions

Fix bug that allows users to view recurring tickets and projects they shouldn't have access to
itflow-org · Aug 28, 2024 · 26d6737 · 26d6737
1 parent a4a110f
commit 26d6737
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 4 deletions.
diff --git a/project_add_modal.php b/project_add_modal.php
@@ -98,7 +98,7 @@
                             <select class="form-control select2" name="client_id" required>
                                 <option value="">- Client -</option>
                                 <?php
-                                $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
+                                $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
                                 while ($row = mysqli_fetch_array($sql)) {
                                     $client_id = intval($row['client_id']);
                                     $client_name = nullable_htmlentities($row['client_name']);

diff --git a/projects.php b/projects.php
@@ -20,6 +20,11 @@
     $status_query = "IS NULL";
 }
 
+// Ticket client access snippet
+$project_permission_snippet = '';
+if (!empty($client_access_string)) {
+    $project_permission_snippet = "AND project_client_id IN ($client_access_string)";
+}
 
 //Rebuild URL
 $url_query_strings_sort = http_build_query($get_copy);
@@ -33,6 +38,7 @@
     AND (project_name LIKE '%$q%' OR project_description LIKE '%$q%' OR user_name LIKE '%$q%')
     AND project_archived_at IS NULL
     AND project_completed_at $status_query
+    $project_permission_snippet
     ORDER BY $sort $order LIMIT $record_from, $record_to"
 );
 

diff --git a/recurring_ticket_add_modal.php b/recurring_ticket_add_modal.php
@@ -111,7 +111,7 @@
                                         <option value="">- Client -</option>
                                         <?php
 
-                                        $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
+                                        $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
                                         while ($row = mysqli_fetch_array($sql)) {
                                             $selectable_client_id = intval($row['client_id']);
                                             $client_name = nullable_htmlentities($row['client_name']); ?>

diff --git a/recurring_tickets.php b/recurring_tickets.php
@@ -6,6 +6,11 @@
 
 require_once "inc_all.php";
 
+// Ticket client access snippet
+$rec_ticket_permission_snippet = '';
+if (!empty($client_access_string)) {
+    $rec_ticket_permission_snippet = "AND scheduled_ticket_client_id IN ($client_access_string)";
+}
 
 //Rebuild URL
 $url_query_strings_sort = http_build_query($get_copy);
@@ -16,6 +21,7 @@
     "SELECT SQL_CALC_FOUND_ROWS * FROM scheduled_tickets
     LEFT JOIN clients on scheduled_ticket_client_id = client_id
     WHERE scheduled_tickets.scheduled_ticket_subject LIKE '%$q%'
+    $rec_ticket_permission_snippet
     ORDER BY $sort $order LIMIT $record_from, $record_to"
 );
 

diff --git a/ticket_add_from_template_modal.php b/ticket_add_from_template_modal.php
@@ -87,7 +87,7 @@
                                             <option value="">- Client -</option>
                                             <?php
 
-                                            $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
+                                            $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
                                             while ($row = mysqli_fetch_array($sql)) {
                                                 $client_id = intval($row['client_id']);
                                                 $client_name = nullable_htmlentities($row['client_name']); ?>

diff --git a/ticket_add_modal.php b/ticket_add_modal.php
@@ -81,7 +81,7 @@
                                             <option value="">- Client -</option>
                                             <?php
 
-                                            $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
+                                            $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
                                             while ($row = mysqli_fetch_array($sql)) {
                                                 $client_id = intval($row['client_id']);
                                                 $client_name = nullable_htmlentities($row['client_name']); ?>