Merge pull request #1072 from itflow-org/post-perms-maint

More enforcing user permissions
itflow-org · Sep 29, 2024 · 635b1f9 · 635b1f9
2 parents e94aae7 + 928d723
commit 635b1f9
Show file tree

Hide file tree

Showing 24 changed files with 137 additions and 95 deletions.
diff --git a/client_asset_edit_modal.php b/client_asset_edit_modal.php
@@ -37,7 +37,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pills-details<?php echo $asset_id; ?>">
 

diff --git a/client_asset_interface_edit_modal.php b/client_asset_interface_edit_modal.php
@@ -12,7 +12,7 @@
                 <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="interface_id" value="<?php echo $interface_id; ?>">
 
-                <div class="modal-body bg-white">
+                <div class="modal-body bg-white" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
                     <div class="form-group">
                         <label>Interface Name</label>

diff --git a/client_certificate_edit_modal.php b/client_certificate_edit_modal.php
@@ -26,7 +26,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pillsEditDetails">
 

diff --git a/client_domain_edit_modal.php b/client_domain_edit_modal.php
@@ -26,7 +26,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pills-overview">
 

diff --git a/client_location_edit_modal.php b/client_location_edit_modal.php
@@ -30,7 +30,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_client') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pills-details<?php echo $location_id; ?>">
 

diff --git a/client_login_edit_modal.php b/client_login_edit_modal.php
@@ -26,7 +26,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_credential') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pills-details<?php echo $login_id; ?>">
 

diff --git a/client_logins.php b/client_logins.php
@@ -49,7 +49,8 @@
     <div class="card-header py-2">
         <h3 class="card-title mt-2"><i class="fa fa-fw fa-key mr-2"></i>Credentials</h3>
         <div class="card-tools">
-            <div class="btn-group">
+            <?php if (lookupUserPermission("module_credential") >= 2) { ?>
+                <div class="btn-group">
                 <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addLoginModal" <?php if (!isset($_COOKIE['user_encryption_session_key'])) { echo "disabled"; } ?>>
                     <i class="fas fa-plus mr-2"></i>New Credential
                 </button>
@@ -66,6 +67,7 @@
                     <?php } ?>
                 </div>
             </div>
+            <?php } ?>
         </div>
     </div>
     <div class="card-body">
@@ -296,23 +298,23 @@ class="btn btn-<?php if($archived == 1){ echo "primary"; } else { echo "default"
                                                 <a class="dropdown-item" href="#" data-toggle="modal" data-target="#shareModal" onclick="populateShareModal(<?php echo "$client_id, 'Login', $login_id"; ?>)">
                                                     <i class="fas fa-fw fa-share mr-2"></i>Share
                                                 </a>
-                                                <?php if ($session_user_role == 3) { ?>
+                                                <?php  if (lookupUserPermission("module_credential") >= 2) { ?>
                                                     <?php if ($login_archived_at) { ?>
-                                                    <div class="dropdown-divider"></div>
-                                                    <a class="dropdown-item text-info confirm-link" href="post.php?unarchive_login=<?php echo $login_id; ?>">
-                                                        <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
-                                                    </a>
-                                                    <?php if ($config_destructive_deletes_enable) { ?>
-                                                    <div class="dropdown-divider"></div>
-                                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_login=<?php echo $login_id; ?>">
-                                                        <i class="fas fa-fw fa-trash mr-2"></i>Delete
-                                                    </a>
-                                                    <?php } ?>
+                                                        <div class="dropdown-divider"></div>
+                                                        <a class="dropdown-item text-info confirm-link" href="post.php?unarchive_login=<?php echo $login_id; ?>">
+                                                            <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
+                                                        </a>
+                                                        <?php if (lookupUserPermission("module_credential") >= 3) { ?>
+                                                            <div class="dropdown-divider"></div>
+                                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_login=<?php echo $login_id; ?>">
+                                                                <i class="fas fa-fw fa-trash mr-2"></i>Delete
+                                                        <?php } ?>
+                                                        </a>
                                                     <?php } else { ?>
-                                                    <div class="dropdown-divider"></div>
-                                                    <a class="dropdown-item text-danger confirm-link" href="post.php?archive_login=<?php echo $login_id; ?>">
-                                                        <i class="fas fa-fw fa-archive mr-2"></i>Archive
-                                                    </a>
+                                                        <div class="dropdown-divider"></div>
+                                                        <a class="dropdown-item text-danger confirm-link" href="post.php?archive_login=<?php echo $login_id; ?>">
+                                                            <i class="fas fa-fw fa-archive mr-2"></i>Archive
+                                                        </a>
                                                     <?php } ?>
                                                 <?php } ?>
                                             </div>

diff --git a/client_network_edit_modal.php b/client_network_edit_modal.php
@@ -29,7 +29,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pillsEditDetails">
 

diff --git a/client_rack_edit_modal.php b/client_rack_edit_modal.php
@@ -26,7 +26,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pills-rack-details<?php echo $rack_id; ?>">
 

diff --git a/client_service_edit_modal.php b/client_service_edit_modal.php
@@ -28,7 +28,7 @@
 
           <hr>
 
-          <div class="tab-content">
+            <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
             <div class="tab-pane fade show active" id="pills-overview<?php echo $service_id ?>">
 

diff --git a/client_software_edit_modal.php b/client_software_edit_modal.php
@@ -32,7 +32,7 @@
 
                     <hr>
 
-                    <div class="tab-content">
+                    <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
 
                         <div class="tab-pane fade show active" id="pills-details<?php echo $software_id; ?>">
 

diff --git a/invoice_edit_modal.php b/invoice_edit_modal.php
@@ -10,7 +10,7 @@
             <form action="post.php" method="post" autocomplete="off">
                 <input type="hidden" name="invoice_id" value="<?php echo $invoice_id; ?>">
 
-                <div class="modal-body bg-white">
+                <div class="modal-body bg-white" <?php if (lookupUserPermission('module_sales') <= 1) { echo 'inert'; } ?>>
 
                     <div class="form-group">
                         <label>Invoice Date <strong class="text-danger">*</strong></label>

diff --git a/post/location.php b/post/location.php
@@ -8,7 +8,7 @@
 
     validateTechRole();
 
-    require_once 'post/client_locations_model.php';
+    require_once 'post/location_model.php';
 
 
     if(!file_exists("uploads/clients/$client_id")) {
@@ -67,7 +67,7 @@
 
     validateTechRole();
 
-    require_once 'post/client_locations_model.php';
+    require_once 'post/location_model.php';
 
 
     $location_id = intval($_POST['location_id']);

diff --git a/post/client_locations_model.php → post/location_model.php b/post/client_locations_model.php → post/location_model.php
@@ -11,4 +11,4 @@
 $hours = sanitizeInput($_POST['hours']);
 $notes = sanitizeInput($_POST['notes']);
 $contact = intval($_POST['contact']);
-$location_primary = intval($_POST['location_primary']);
+$location_primary = intval($_POST['location_primary']);
diff --git a/post/login.php b/post/login.php
@@ -6,10 +6,9 @@
 
 if (isset($_POST['add_login'])) {
 
-    validateTechRole();
-
-    require_once 'post/client_logins_model.php';
+    enforceUserPermission('module_credential', 2);
 
+    require_once 'post/login_model.php';
 
     mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id, login_client_id = $client_id");
 
@@ -26,10 +25,9 @@
 
 if (isset($_POST['edit_login'])) {
 
-    validateTechRole();
-
-    require_once 'post/client_logins_model.php';
+    enforceUserPermission('module_credential', 2);
 
+    require_once 'post/login_model.php';
 
     $login_id = intval($_POST['login_id']);
 
@@ -55,7 +53,7 @@
 
 if(isset($_GET['archive_login'])){
 
-    validateTechRole();
+    enforceUserPermission('module_credential', 2);
 
     $login_id = intval($_GET['archive_login']);
 
@@ -79,6 +77,8 @@
 
 if(isset($_GET['unarchive_login'])){
 
+    enforceUserPermission('module_credential', 2);
+
     $login_id = intval($_GET['unarchive_login']);
 
     // Get Name and Client ID for logging and alert message
@@ -99,7 +99,7 @@
 
 if (isset($_GET['delete_login'])) {
 
-    validateAdminRole();
+    enforceUserPermission('module_credential', 3);
 
     $login_id = intval($_GET['delete_login']);
 
@@ -128,7 +128,8 @@
 }
 
 if (isset($_POST['bulk_archive_logins'])) {
-    validateAdminRole();
+
+    enforceUserPermission('module_credential', 2);
     validateCSRFToken($_POST['csrf_token']);
 
     $count = 0; // Default 0
@@ -166,7 +167,9 @@
 }
 
 if (isset($_POST['bulk_unarchive_logins'])) {
-    validateAdminRole();
+
+    enforceUserPermission('module_credential', 2);
+
     validateCSRFToken($_POST['csrf_token']);
 
     $count = 0; // Default 0
@@ -205,7 +208,9 @@
 }
 
 if (isset($_POST['bulk_delete_logins'])) {
-    validateAdminRole();
+
+    enforceUserPermission('module_credential', 3);
+
     validateCSRFToken($_POST['csrf_token']);
 
     $count = 0; // Default 0
@@ -250,7 +255,7 @@
 
 if (isset($_POST['export_client_logins_csv'])) {
 
-    validateAdminRole();
+    enforceUserPermission('module_credential');
 
     $client_id = intval($_POST['client_id']);
 
@@ -301,7 +306,7 @@
 
 if (isset($_POST["import_client_logins_csv"])) {
 
-    validateTechRole();
+    enforceUserPermission('module_credential', 2);
 
     $client_id = intval($_POST['client_id']);
     $file_name = $_FILES["file"]["tmp_name"];

diff --git a/post/client_logins_model.php → post/login_model.php b/post/client_logins_model.php → post/login_model.php
@@ -1,4 +1,5 @@
 <?php
+// Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);

diff --git a/post/network.php b/post/network.php
@@ -8,18 +8,7 @@
 
     validateTechRole();
 
-    $client_id = intval($_POST['client_id']);
-    $name = sanitizeInput($_POST['name']);
-    $description = sanitizeInput($_POST['description']);
-    $vlan = intval($_POST['vlan']);
-    $network = sanitizeInput($_POST['network']);
-    $subnet = sanitizeInput($_POST['subnet']);
-    $gateway = sanitizeInput($_POST['gateway']);
-    $primary_dns = sanitizeInput($_POST['primary_dns']);
-    $secondary_dns = sanitizeInput($_POST['secondary_dns']);
-    $dhcp_range = sanitizeInput($_POST['dhcp_range']);
-    $notes = sanitizeInput($_POST['notes']);
-    $location_id = intval($_POST['location']);
+    require_once 'post/login_model.php';
 
     mysqli_query($mysqli,"INSERT INTO networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id, network_client_id = $client_id");
 
@@ -39,18 +28,8 @@
     validateTechRole();
 
     $network_id = intval($_POST['network_id']);
-    $name = sanitizeInput($_POST['name']);
-    $description = sanitizeInput($_POST['description']);
-    $vlan = intval($_POST['vlan']);
-    $network = sanitizeInput($_POST['network']);
-    $subnet = sanitizeInput($_POST['subnet']);
-    $gateway = sanitizeInput($_POST['gateway']);
-    $primary_dns = sanitizeInput($_POST['primary_dns']);
-    $secondary_dns = sanitizeInput($_POST['secondary_dns']);
-    $dhcp_range = sanitizeInput($_POST['dhcp_range']);
-    $notes = sanitizeInput($_POST['notes']);
-    $location_id = intval($_POST['location']);
-    $client_id = intval($_POST['client_id']);
+
+    require_once 'post/login_model.php';
 
     mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id");
 

diff --git a/post/network_model.php b/post/network_model.php
@@ -0,0 +1,13 @@
+<?php
+$name = sanitizeInput($_POST['name']);
+$description = sanitizeInput($_POST['description']);
+$vlan = intval($_POST['vlan']);
+$network = sanitizeInput($_POST['network']);
+$subnet = sanitizeInput($_POST['subnet']);
+$gateway = sanitizeInput($_POST['gateway']);
+$primary_dns = sanitizeInput($_POST['primary_dns']);
+$secondary_dns = sanitizeInput($_POST['secondary_dns']);
+$dhcp_range = sanitizeInput($_POST['dhcp_range']);
+$notes = sanitizeInput($_POST['notes']);
+$location_id = intval($_POST['location']);
+$client_id = intval($_POST['client_id']);
-Original file line number
+Diff line change
@@ Expand Up / @@ -37,7 +37,7 @@ @@
                         <hr>
-                        <div class="tab-content">
+                        <div class="tab-content" <?php if (lookupUserPermission('module_support') <= 1) { echo 'inert'; } ?>>
                             <div class="tab-pane fade show active" id="pills-details<?php echo $asset_id; ?>">
@@ Expand Down @@