Fix: unprivileged user can add invoice to a client
Ahmad Gneady committed Jul 3, 2021
1 parent d74504b commit 4464095
Showing 1 changed file with 60 additions and 56 deletions.
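--- a/app/hooks/invoices.php
+++ b/app/hooks/invoices.php
@@ -40,10 +40,10 @@ function load_invoice_templates(){
 * an error message to the user and stop displaying any data).
 */
 
-function invoices_init(&$options, $memberInfo, &$args) {
-/* Inserted by Search Page Maker for AppGini on 2020-11-25 06:38:04 */
-$options->FilterPage = 'hooks/invoices_filter.php';
-/* End of Search Page Maker for AppGini code */
+function invoices_init(&$options, $memberInfo, &$args) {
+/* Inserted by Search Page Maker for AppGini on 2020-11-25 06:38:04 */
+$options->FilterPage = 'hooks/invoices_filter.php';
+/* End of Search Page Maker for AppGini code */
 
 load_invoice_templates();
 
@@ -174,6 +174,8 @@ function invoices_footer($contentType, $memberInfo, &$args) {
 */
 
 function invoices_before_insert(&$data, $memberInfo, &$args) {
+// can current user view the client to which this invoice is assigned?
+if(!check_record_permission('clients', $data['client'])) return false;
 
 return TRUE;
 }
@@ -227,6 +229,8 @@ function invoices_after_insert($data, $memberInfo, &$args) {
 */
 
 function invoices_before_update(&$data, $memberInfo, &$args) {
+// can current user view the client to which this invoice is assigned?
+if(!check_record_permission('clients', $data['client'])) return false;
 
 return TRUE;
 }
@@ -376,58 +380,58 @@ function invoices_csv($query, $memberInfo, &$args) {
 * )
 */
 
-function invoices_batch_actions(&$args) {
-/* Inserted by Mass Update on 2020-11-25 06:59:16 */
-
-/*
-* Q: How do I return other custom batch commands not defined in mass_update plugin?
-*
-* A: Define your commands ABOVE the 'Inserted by Mass Update' comment above
-* in an array named $custom_actions_top to display them above the commands
-* created by the mass_update plugin.
-*
-* You can also define commands in an array named $custom_actions_bottom
-* (also ABOVE the 'Inserted by Mass Update' comment block) to display them
-* below the commands created by the mass_update plugin.
-*
-*/
-
-if(!isset($custom_actions_top) || !is_array($custom_actions_top))
-$custom_actions_top = array();
-
-if(!isset($custom_actions_bottom) || !is_array($custom_actions_bottom))
-$custom_actions_bottom = array();
-
-$command = array(
-'1nvkk0q0ckqc7b8migay' => array(
-'title' => "Mark as paid",
-'function' => 'massUpdateCommand_1nvkk0q0ckqc7b8migay',
-'icon' => 'ok'
-),
-'xe0xlisfn56ps9sp3p76' => array(
-'title' => "Mark as cancelled",
-'function' => 'massUpdateCommand_xe0xlisfn56ps9sp3p76',
-'icon' => 'remove'
-),
-);
-
-$mi = getMemberInfo();
-switch($mi['group']) {
-default:
-/* for all other logged users, enable the following commands */
-if($mi['username'] && $mi['username'] != 'guest')
-return array_merge(
-$custom_actions_top,
-array(
-$command['1nvkk0q0ckqc7b8migay'],
-$command['xe0xlisfn56ps9sp3p76']
-),
-$custom_actions_bottom
-);
-}
-
-
-/* End of Mass Update code */
+function invoices_batch_actions(&$args) {
+/* Inserted by Mass Update on 2020-11-25 06:59:16 */
+
+/*
+* Q: How do I return other custom batch commands not defined in mass_update plugin?
+*
+* A: Define your commands ABOVE the 'Inserted by Mass Update' comment above
+* in an array named $custom_actions_top to display them above the commands
+* created by the mass_update plugin.
+*
+* You can also define commands in an array named $custom_actions_bottom
+* (also ABOVE the 'Inserted by Mass Update' comment block) to display them
+* below the commands created by the mass_update plugin.
+*
+*/
+
+if(!isset($custom_actions_top) || !is_array($custom_actions_top))
+$custom_actions_top = array();
+
+if(!isset($custom_actions_bottom) || !is_array($custom_actions_bottom))
+$custom_actions_bottom = array();
+
+$command = array(
+'1nvkk0q0ckqc7b8migay' => array(
+'title' => "Mark as paid",
+'function' => 'massUpdateCommand_1nvkk0q0ckqc7b8migay',
+'icon' => 'ok'
+),
+'xe0xlisfn56ps9sp3p76' => array(
+'title' => "Mark as cancelled",
+'function' => 'massUpdateCommand_xe0xlisfn56ps9sp3p76',
+'icon' => 'remove'
+),
+);
+
+$mi = getMemberInfo();
+switch($mi['group']) {
+default:
+/* for all other logged users, enable the following commands */
+if($mi['username'] && $mi['username'] != 'guest')
+return array_merge(
+$custom_actions_top,
+array(
+$command['1nvkk0q0ckqc7b8migay'],
+$command['xe0xlisfn56ps9sp3p76']
+),
+$custom_actions_bottom
+);
+}
+
+
+/* End of Mass Update code */
 
 
 return array();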
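Review bot: The guard added to `invoices_before_insert` and `invoices_before_update` passes `$data['client']` straight to `check_record_permission()`, so the outcome for a missing or empty client depends entirely on that helper, which is defined outside this page. If an invoice must always have a client, reject the empty value before the lookup, e.g. `if(empty($data['client']) || !check_record_permission('clients', $data['client'])) return false;`; if a client-less invoice is legitimate, say so in the comment. The denial is also silent: recording the username and the requested client id when the check fails would make repeated attempts against other users' clients visible in logs. The check exists only in these two hooks, so it is worth confirming that every other write path to the client field (for example, whatever the mass-update commands returned by `invoices_batch_actions` call) either runs through them or carries its own check.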