From 18889d228aa2bfcdf8c2363e76e855cf85d25908 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Thu, 3 Oct 2024 19:42:48 +0100
Subject: [PATCH] Move account/asset post logic to new permissions system
---
 client_assets.php | 4 +++-
 post/user/account.php | 6 ++++++
 post/user/asset.php | 48 ++++++++++++++++++++++++++++---------------
 3 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/client_assets.php b/client_assets.php
index 7c3569eec..f4c5ec1df 100644
--- a/client_assets.php
+++ b/client_assets.php
@@ -99,7 +99,8 @@

Assets

-
+ = 2) { ?> +
@@ -116,6 +117,7 @@
+
diff --git a/post/user/account.php b/post/user/account.php
index ba8437361..dbf1eb982 100644
--- a/post/user/account.php
+++ b/post/user/account.php
@@ -5,6 +5,7 @@
 */
 if (isset($_POST['add_account'])) {
+ enforceUserPermission('module_financial', 2);
 validateCSRFToken($_POST['csrf_token']);
 $name = sanitizeInput($_POST['name']);
@@ -24,6 +25,7 @@
 }
 if (isset($_POST['edit_account'])) {
+ enforceUserPermission('module_financial', 2);
 validateCSRFToken($_POST['csrf_token']);
 $account_id = intval($_POST['account_id']);
@@ -42,6 +44,8 @@
 }
 if (isset($_GET['archive_account'])) {
+ enforceUserPermission('module_financial', 2);
+
 validateCSRFToken($_GET['csrf_token']);
 $account_id = intval($_GET['archive_account']);
@@ -58,6 +62,8 @@
 // Not used anywhere?
 if (isset($_GET['delete_account'])) {
+ enforceUserPermission('module_financial', 3);
+
 $account_id = intval($_GET['delete_account']);
 mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id");
diff --git a/post/user/asset.php b/post/user/asset.php
index 1bbc735e5..c7ff1881b 100644
--- a/post/user/asset.php
+++ b/post/user/asset.php
@@ -6,8 +6,9 @@
 if (isset($_POST['add_asset'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
@@ -106,8 +107,9 @@
 if (isset($_POST['edit_asset'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $asset_id = intval($_POST['asset_id']);
 $client_id = intval($_POST['client_id']);
@@ -199,8 +201,9 @@
 if (isset($_POST['change_client_asset'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $current_asset_id = intval($_POST['current_asset_id']);
 $new_client_id = intval($_POST['new_client_id']);
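Review bot: The delete_account handler in the `@@ -58,6 +62,8 @@` hunk of post/user/account.php gains `enforceUserPermission('module_financial', 3);` but, unlike the three handlers above it in the same file, still has no `validateCSRFToken($_GET['csrf_token']);` call before `$account_id = intval($_GET['delete_account']);`, so the permission check alone does not stop a deletion triggered from outside the application on behalf of a logged-in user. Since the commit already touches these lines, add the CSRF check directly under the permission line, as archive_account does. The context comment `// Not used anywhere?` suggests the handler may be dead code; if that is confirmed, removing it is the smaller attack surface. The delete_account block continues past the end of the hunk.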
@@ -247,8 +250,9 @@
 if (isset($_GET['archive_asset'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_GET['csrf_token']);
- validateTechRole();
 $asset_id = intval($_GET['archive_asset']);
@@ -272,8 +276,9 @@
 if (isset($_GET['unarchive_asset'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_GET['csrf_token']);
- validateTechRole();
 $asset_id = intval($_GET['unarchive_asset']);
@@ -296,8 +301,9 @@
 if (isset($_GET['delete_asset'])) {
+ enforceUserPermission('module_support', 3);
+
 validateCSRFToken($_GET['csrf_token']);
- validateAdminRole();
 $asset_id = intval($_GET['delete_asset']);
@@ -324,8 +330,9 @@
 if (isset($_POST['bulk_assign_asset_location'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $location_id = intval($_POST['bulk_location_id']);
@@ -364,8 +371,9 @@
 if (isset($_POST['bulk_assign_asset_contact'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $contact_id = intval($_POST['bulk_contact_id']);
@@ -404,8 +412,9 @@
 if (isset($_POST['bulk_edit_asset_status'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $status = sanitizeInput($_POST['bulk_status']);
@@ -439,8 +448,9 @@
 if (isset($_POST['bulk_archive_assets'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateAdminRole();
 $count = 0; // Default 0
 $asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
@@ -480,8 +490,9 @@
 if (isset($_POST['bulk_unarchive_assets'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateAdminRole();
 $count = 0; // Default 0
 $asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
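Review bot: In the `@@ -439,8 +448,9 @@` and `@@ -480,8 +490,9 @@` hunks, bulk_archive_assets and bulk_unarchive_assets replace `validateAdminRole();` with `enforceUserPermission('module_support', 2);`, whereas the `@@ -296,8 +301,9 @@` hunk maps the same `validateAdminRole();` in delete_asset to level 3; the delete_asset_interface hunk further down in post/user/asset.php makes the same admin-to-level-2 change. That lowers the bar for three previously admin-only actions while the commit message only describes a move to the new permissions system. If level 2 is meant to cover bulk archive/unarchive and interface deletion, say so in the commit message; otherwise these three calls should read `enforceUserPermission('module_support', 3);` to preserve the previous restriction. Each of these handlers continues beyond its hunk.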
@@ -520,8 +531,9 @@
 if (isset($_POST["import_client_assets_csv"])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $client_id = intval($_POST['client_id']);
 $file_name = $_FILES["file"]["tmp_name"];
@@ -667,8 +679,9 @@
 if (isset($_POST['export_client_assets_csv'])) {
+ enforceUserPermission('module_support');
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $client_id = intval($_POST['client_id']);
@@ -717,8 +730,9 @@
 if (isset($_POST['add_asset_interface'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $asset_id = intval($_POST['asset_id']);
@@ -754,8 +768,9 @@
 if (isset($_POST['edit_asset_interface'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_POST['csrf_token']);
- validateTechRole();
 $interface_id = intval($_POST['interface_id']);
@@ -790,8 +805,9 @@
 if (isset($_GET['delete_asset_interface'])) {
+ enforceUserPermission('module_support', 2);
+
 validateCSRFToken($_GET['csrf_token']);
- validateAdminRole();
 $interface_id = intval($_GET['delete_asset_interface']);
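Review bot: `enforceUserPermission('module_support');` in the `@@ -667,8 +679,9 @@` hunk (export_client_assets_csv) is the only call in this commit that omits the level argument, so a reader has to know the function's default to see what level replaced `validateTechRole();` for an export that previously required the tech role. Passing the level explicitly, e.g. `enforceUserPermission('module_support', READ_LEVEL /* placeholder: the function's read-level value */);`, keeps every handler in the file self-describing and makes a later change to the default harmless here. I am inferring from the other calls that the default is the lowest level; confirm against the function's signature. The export handler continues beyond the hunk.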