Small permissions fix for client-specific access

wrongecho · wrongecho · commit 8eea19d03ddd · 2025-02-22T17:59:24.000Z
diff --git a/invoice.php b/invoice.php
@@ -3,10 +3,18 @@
 // If client_id is in URI then show client Side Bar and client header
 if (isset($_GET['client_id'])) {
     require_once "includes/inc_all_client.php";
-} else { 
+} else {
     require_once "includes/inc_all.php";
 }
 
+// Perms
+enforceUserPermission('module_sales');
+$invoice_permission_snippet = '';
+if (!empty($client_access_string)) {
+    $invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
+}
+
+
 if (isset($_GET['invoice_id'])) {
 
     $invoice_id = intval($_GET['invoice_id']);
@@ -17,7 +25,8 @@
         LEFT JOIN clients ON invoice_client_id = client_id
         LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
         LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
-        WHERE invoice_id = $invoice_id"
+        WHERE invoice_id = $invoice_id
+        $invoice_permission_snippet"
     );
 
     if (mysqli_num_rows($sql) == 0) {
@@ -215,13 +224,13 @@
                             </a>
                         <?php } ?>
                     <?php } ?>
-                    
+
                     <?php if (($invoice_status == 'Sent' || $invoice_status == 'Viewed') && $invoice_amount == 0 && $invoice_status !== 'Non-Billable') { ?>
                         <a class="btn btn-dark" href="post.php?mark_invoice_non-billable=<?php echo $invoice_id; ?>">
                             Mark Non-Billable
                         </a>
                     <?php } ?>
-                
+
                 </div>
 
                 <div class="col-4">
diff --git a/invoices.php b/invoices.php
@@ -17,6 +17,10 @@
 
 // Perms
 enforceUserPermission('module_sales');
+$invoice_permission_snippet = '';
+if (!empty($client_access_string)) {
+    $invoice_permission_snippet = "AND invoice_client_id IN ($client_access_string)";
+}
 
 $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('invoice_id') AS num FROM invoices WHERE invoice_status = 'Sent' $client_query"));
 $sent_count = $row['num'];
@@ -94,6 +98,7 @@
     $overdue_query
     AND DATE(invoice_date) BETWEEN '$dtf' AND '$dtt'
     AND (CONCAT(invoice_prefix,invoice_number) LIKE '%$q%' OR invoice_scope LIKE '%$q%' OR client_name LIKE '%$q%' OR invoice_status LIKE '%$q%' OR invoice_amount LIKE '%$q%' OR category_name LIKE '%$q%')
+    $invoice_permission_snippet
     $client_query
     ORDER BY $sort $order LIMIT $record_from, $record_to"
 );
diff --git a/quote.php b/quote.php
@@ -3,10 +3,17 @@
 // If client_id is in URI then show client Side Bar and client header
 if (isset($_GET['client_id'])) {
     require_once "includes/inc_all_client.php";
-} else { 
+} else {
     require_once "includes/inc_all.php";
 }
 
+// Perms
+enforceUserPermission('module_sales');
+$quote_permission_snippet = '';
+if (!empty($client_access_string)) {
+    $quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
+}
+
 if (isset($_GET['quote_id'])) {
 
     $quote_id = intval($_GET['quote_id']);
@@ -17,7 +24,8 @@
         LEFT JOIN clients ON quote_client_id = client_id
         LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
         LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
-        WHERE quote_id = $quote_id"
+        WHERE quote_id = $quote_id
+        $quote_permission_snippet"
     );
 
     if (mysqli_num_rows($sql) == 0) {
@@ -186,7 +194,7 @@
                             </a>
                             <?php if (lookupUserPermission("module_sales") >= 2) { ?>
                                 <a class="dropdown-item" href="#"
-                                    data-toggle = "ajax-modal" 
+                                    data-toggle = "ajax-modal"
                                     data-ajax-url = "ajax/ajax_quote_copy.php"
                                     data-ajax-id = "<?php echo $quote_id; ?>"
                                     >
diff --git a/quotes.php b/quotes.php
@@ -17,6 +17,10 @@
 
 // Perms
 enforceUserPermission('module_sales');
+$quote_permission_snippet = '';
+if (!empty($client_access_string)) {
+    $quote_permission_snippet = "AND quote_client_id IN ($client_access_string)";
+}
 
 $sql = mysqli_query(
     $mysqli,
@@ -25,6 +29,7 @@
     LEFT JOIN categories ON quote_category_id = category_id
     WHERE (CONCAT(quote_prefix,quote_number) LIKE '%$q%' OR quote_scope LIKE '%$q%' OR category_name LIKE '%$q%' OR quote_status LIKE '%$q%' OR quote_amount LIKE '%$q%' OR client_name LIKE '%$q%')
     AND DATE(quote_date) BETWEEN '$dtf' AND '$dtt'
+    $quote_permission_snippet
     $client_query
     ORDER BY $sort $order LIMIT $record_from, $record_to"
 );
@@ -206,7 +211,7 @@
                     <tr>
                         <td class="text-bold">
                             <a href="quote.php?<?php echo $client_url; ?>quote_id=<?php echo $quote_id; ?>">
-                                <?php echo "$quote_prefix$quote_number"; ?>  
+                                <?php echo "$quote_prefix$quote_number"; ?>
                             </a>
                         </td>
                         <td><?php echo $quote_scope_display; ?></td>
@@ -231,15 +236,15 @@
                                 </button>
                                 <div class="dropdown-menu">
                                     <a class="dropdown-item" href="#"
-                                        data-toggle = "ajax-modal" 
+                                        data-toggle = "ajax-modal"
                                         data-ajax-url = "ajax/ajax_quote_edit.php"
                                         data-ajax-id = "<?php echo $quote_id; ?>"
                                         >
                                         <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                     </a>
                                     <?php if (lookupUserPermission("module_sales") >= 2) { ?>
                                         <a class="dropdown-item" href="#"
-                                            data-toggle = "ajax-modal" 
+                                            data-toggle = "ajax-modal"
                                             data-ajax-url = "ajax/ajax_quote_copy.php"
                                             data-ajax-id = "<?php echo $quote_id; ?>"
                                             >
diff --git a/ticket.php b/ticket.php
@@ -9,6 +9,10 @@
 
 // Perms
 enforceUserPermission('module_support');
+$ticket_permission_snippet = '';
+if (!empty($client_access_string)) {
+    $ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)";
+}
 
 // Initialize the HTML Purifier to prevent XSS
 require_once "plugins/htmlpurifier/HTMLPurifier.standalone.php";
@@ -18,12 +22,6 @@
 $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
 $purifier = new HTMLPurifier($purifier_config);
 
-// Ticket client access snippet
-$ticket_permission_snippet = '';
-if (!empty($client_access_string)) {
-    $ticket_permission_snippet = "AND ticket_client_id IN ($client_access_string)";
-}
-
 if (isset($_GET['ticket_id'])) {
     $ticket_id = intval($_GET['ticket_id']);
 
@@ -49,7 +47,7 @@
     if (mysqli_num_rows($sql) == 0) {
         echo "<center><h1 class='text-secondary mt-5'>Nothing to see here</h1><a class='btn btn-lg btn-secondary mt-3' href='tickets.php'><i class='fa fa-fw fa-arrow-left'></i> Go Back</a></center>";
 
-        include_once "footer.php";
+        include_once "includes/footer.php";
     } else {
 
         $row = mysqli_fetch_array($sql);
@@ -979,7 +977,7 @@
                                 </td>
                             </tr>
                         <?php
-                        } 
+                        }
                         ?>
                     </table>
                 </div>
