From bd7a15680054d2e67b96ddb02351c4df8b55e08d Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Fri, 20 Dec 2024 11:23:41 +0000
Subject: [PATCH] Move more things to new role perms system

---
 check_login.php | 11 +++++++----
 inc_all_client.php | 8 ++++----
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/check_login.php b/check_login.php
index 05e6cd943..bd9570df1 100644
--- a/check_login.php
+++ b/check_login.php
@@ -59,6 +59,8 @@ $session_user_role_display = sanitizeInput($row['user_role_name']);
 if (isset($row['user_role_is_admin']) && $row['user_role_is_admin'] == 1) {
 $session_is_admin = true;
+} else {
+ $session_is_admin = false;
 }
 $session_user_config_force_mfa = intval($row['user_config_force_mfa']);
 $user_config_records_per_page = intval($row['user_config_records_per_page']);
@@ -88,12 +90,13 @@ $client_access_string = implode(',', $client_access_array);
- // Role / Client Access Permission Check
- if ($session_user_role < 3 && !empty($client_access_string)) {
+ // Client access permission check
+ // Default allow, if a list of allowed clients is set & the user isn't an admin, restrict them
+ $access_permission_query = "";
+ if ($client_access_string && !$session_is_admin) {
 $access_permission_query = "AND clients.client_id IN ($client_access_string)";
- } else {
- $access_permission_query = "";
 }
+
 } catch (Exception $e) {
 // Handle exception
 error_log('MySQL error: ' . $e->getMessage());
diff --git a/inc_all_client.php b/inc_all_client.php
index d8337b290..064ec7af3 100644
--- a/inc_all_client.php
+++ b/inc_all_client.php
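Review bot: The admin flag that now gates the client-access checks is derived with a loose comparison, `$row['user_role_is_admin'] == 1`, while the neighbouring fields on the following lines are normalised with `intval()`; for consistency and an explicit default, collapse the new `if`/`else` into one assignment, `$session_is_admin = isset($row['user_role_is_admin']) && intval($row['user_role_is_admin']) === 1;`. The branch as written behaves correctly, so this is a point of consistency rather than a bug.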
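Review bot: The new condition `if ($client_access_string && !$session_is_admin)` tests the truthiness of a joined string, and in PHP the string `"0"` is falsy, so an access list consisting solely of client id 0 (unlikely with auto-increment ids, but not excluded by anything visible here) would read as "no list" and fall through to the default-allow path; the inc_all_client.php hunk in this patch has the same property via `!empty($client_access_string)`. Test the array rather than its joined form in both places, `if ($client_access_array !== [] && !$session_is_admin) {`. The rewritten comment usefully states the default-allow rule; it should also say that `$client_access_array` must hold only integer ids, because the joined string is interpolated into `IN (...)` on the next line and the code that builds the array is outside this hunk. The enclosing `try` block begins before the hunk.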
@@ -12,8 +12,9 @@ if (isset($_GET['client_id'])) {
 $client_id = intval($_GET['client_id']);
- // Check to see if the logged in user has permission to access this client (Admins have access to all no matter what perms are set)
- if(!in_array($client_id, $client_access_array) AND !empty($client_access_string) AND $session_user_role < 3) {
+ // Client Access Check
+ // Ensure the user has permission to access this client (admins ignored)
+ if (!in_array($client_id, $client_access_array) AND !empty($client_access_string) AND !$session_is_admin) {
 // Logging
 mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client', log_action = 'Access', log_description = '$session_name was denied permission from accessing client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $client_id");
@@ -21,7 +22,6 @@ $_SESSION['alert_message'] = "Access Denied - You do not have permission to access that client!";
 echo "";
- exit();
 }
@@ -310,4 +310,4 @@
 ?>
-
\ No newline at end of file
+
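Review bot: The rewritten condition keeps `in_array($client_id, $client_access_array)` without the strict flag and joins its terms with `AND`, whereas the check_login.php hunk in the same patch uses `&&`. `$client_id` is an int from `intval()` on the line above, so if `$client_access_array` holds ints (how it is built is not visible here) the line can read `if (!in_array($client_id, $client_access_array, true) && !empty($client_access_string) && !$session_is_admin) {`; if the array holds numeric strings from the database, cast them where the array is built rather than leaving the comparison loose. The enclosing `if (isset($_GET['client_id']))` block continues past the hunk.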
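Review bot: Execution now continues past the access-denied branch, because the `exit();` after the `echo` is removed with nothing server-side put in its place, so the remainder of inc_all_client.php (outside this hunk) would still run for a `$client_id` the user was just denied, and only a browser that acts on the echoed output gets redirected. Unless a later check in the file stops the request, keep `exit();` after the `echo`; if such a check exists, add a comment here naming it so the missing stop is clearly deliberate.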