Add Some Client Permission Checks to the new Global View and some tidying

Author: johnnyq

asset_details.php

@@ -11,7 +11,6 @@
     $client_url = '';
 }
 
-
 if (isset($_GET['asset_id'])) {
     $asset_id = intval($_GET['asset_id']);
 
@@ -25,7 +24,7 @@
     ");
 
     $row = mysqli_fetch_array($sql);
-    $client_id = intval($row['asset_client_id']);
+    $client_id = intval($row['client_id']);
     $client_name = nullable_htmlentities($row['client_name']);
     $asset_id = intval($row['asset_id']);
     $asset_type = nullable_htmlentities($row['asset_type']);

assets.php

@@ -66,11 +66,13 @@
         SUM(CASE WHEN asset_type IN ('Firewall/Router', 'switch', 'access point') THEN 1 ELSE 0 END) AS network_count,
         SUM(CASE WHEN asset_type NOT IN ('laptop', 'desktop', 'server', 'virtual machine', 'Firewall/Router', 'switch', 'access point') THEN 1 ELSE 0 END) AS other_count
     FROM (
-        SELECT assets.* FROM assets 
+        SELECT assets.* FROM assets
+        LEFT JOIN clients ON client_id = asset_client_id
         LEFT JOIN contacts ON asset_contact_id = contact_id 
         LEFT JOIN locations ON asset_location_id = location_id 
         LEFT JOIN asset_interfaces ON interface_asset_id = asset_id AND interface_primary = 1
         WHERE asset_$archive_query
+        $access_permission_query
         $client_query
     ) AS filtered_assets;
 "));
@@ -106,8 +108,10 @@
     WHERE asset_$archive_query
     AND (asset_name LIKE '%$q%' OR asset_description LIKE '%$q%' OR asset_type LIKE '%$q%' OR interface_ip LIKE '%$q%' OR interface_ipv6 LIKE '%$q%' OR asset_make LIKE '%$q%' OR asset_model LIKE '%$q%' OR asset_serial LIKE '%$q%' OR asset_os LIKE '%$q%' OR contact_name LIKE '%$q%' OR location_name LIKE '%$q%' OR client_name LIKE '%$q%')
     AND ($type_query)
+    $access_permission_query
     $location_query
     $client_query
+
     ORDER BY $sort $order LIMIT $record_from, $record_to"
 );
 
@@ -226,7 +230,7 @@
                             <option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option>
 
                             <?php
-                            $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
+                            $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
                             while ($row = mysqli_fetch_array($sql_clients_filter)) {
                                 $client_id = intval($row['client_id']);
                                 $client_name = nullable_htmlentities($row['client_name']);

certificates.php

@@ -25,6 +25,7 @@
     LEFT JOIN clients ON client_id = certificate_client_id
     WHERE certificate_archived_at IS NULL
     AND (certificate_name LIKE '%$q%' OR certificate_domain LIKE '%$q%' OR certificate_issued_by LIKE '%$q%' OR client_name LIKE '%$q%')
+    $access_permission_query
     $client_query
     ORDER BY $sort $order LIMIT $record_from, $record_to"
 );

check_login.php

@@ -77,30 +77,22 @@
 // Set Currency Format
 $currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY);
 
+// Get User Client Access Permissions
+$user_client_access_sql = "SELECT client_id FROM user_permissions WHERE user_id = $session_user_id";
+$user_client_access_result = mysqli_query($mysqli, $user_client_access_sql);
 
-try {
-    // Get User Client Access Permissions
-    $user_client_access_sql = "SELECT client_id FROM user_permissions WHERE user_id = $session_user_id";
-    $user_client_access_result = mysqli_query($mysqli, $user_client_access_sql);
-
-    $client_access_array = [];
-    while ($row = mysqli_fetch_assoc($user_client_access_result)) {
-        $client_access_array[] = $row['client_id'];
-    }
-
-    $client_access_string = implode(',', $client_access_array);
+$client_access_array = [];
+while ($row = mysqli_fetch_assoc($user_client_access_result)) {
+    $client_access_array[] = $row['client_id'];
+}
 
-    // Client access permission check
-    //  Default allow, if a list of allowed clients is set & the user isn't an admin, restrict them
-    $access_permission_query = "";
-    if ($client_access_string && !$session_is_admin) {
-        $access_permission_query = "AND clients.client_id IN ($client_access_string)";
-    }
+$client_access_string = implode(',', $client_access_array);
 
-} catch (Exception $e) {
-    // Handle exception
-    error_log('MySQL error: ' . $e->getMessage());
-    $access_permission_query = ""; // Ensure safe default if query fails
+// Client access permission check
+//  Default allow, if a list of allowed clients is set & the user isn't an admin, restrict them
+$access_permission_query = "";
+if ($client_access_string && !$session_is_admin) {
+    $access_permission_query = "AND clients.client_id IN ($client_access_string)";
 }
 
 // Include the settings vars

contacts.php

@@ -65,6 +65,7 @@
     WHERE contact_$archive_query
     $tag_query
     AND (contact_name LIKE '%$q%' OR contact_title LIKE '%$q%' OR location_name LIKE '%$q%'  OR contact_email LIKE '%$q%' OR contact_department LIKE '%$q%' OR contact_phone LIKE '%$phone_query%' OR contact_extension LIKE '%$q%' OR contact_mobile LIKE '%$phone_query%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%')
+    $access_permission_query
     $client_query
     $location_query
     GROUP BY contact_id
@@ -158,7 +159,7 @@
                                 <option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option>
 
                                 <?php
-                                $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
+                                $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
                                 while ($row = mysqli_fetch_array($sql_clients_filter)) {
                                     $client_id = intval($row['client_id']);
                                     $client_name = nullable_htmlentities($row['client_name']);

credentials.php

@@ -74,6 +74,7 @@
     $tag_query
     AND (l.login_name LIKE '%$q%' OR l.login_description LIKE '%$q%' OR l.login_uri LIKE '%$q%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%')
     $location_query
+    $access_permission_query
     $client_query
     GROUP BY l.login_id
     ORDER BY l.login_important DESC, $sort $order LIMIT $record_from, $record_to"
@@ -151,7 +152,7 @@
                             <option value="" <?php if ($client == "") { echo "selected"; } ?>>- All Clients -</option>
 
                             <?php
-                            $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
+                            $sql_clients_filter = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_archived_at IS NULL $access_permission_query ORDER BY client_name ASC");
                             while ($row = mysqli_fetch_array($sql_clients_filter)) {
                                 $client_id = intval($row['client_id']);
                                 $client_name = nullable_htmlentities($row['client_name']);

domains.php

@@ -32,8 +32,9 @@
     LEFT JOIN vendors AS dnshost ON domains.domain_dnshost = dnshost.vendor_id
     LEFT JOIN vendors AS mailhost ON domains.domain_mailhost = mailhost.vendor_id
     LEFT JOIN vendors AS webhost ON domains.domain_webhost = webhost.vendor_id
+    WHERE (domains.domain_name LIKE '%$q%' OR domains.domain_description LIKE '%$q%' OR registrar.vendor_name LIKE '%$q%' OR dnshost.vendor_name LIKE '%$q%' OR mailhost.vendor_name LIKE '%$q%' OR webhost.vendor_name LIKE '%$q%' OR client_name LIKE '%$q%')
     AND domain_$archive_query
-    AND (domains.domain_name LIKE '%$q%' OR domains.domain_description LIKE '%$q%' OR registrar.vendor_name LIKE '%$q%' OR dnshost.vendor_name LIKE '%$q%' OR mailhost.vendor_name LIKE '%$q%' OR webhost.vendor_name LIKE '%$q%' OR client_name LIKE '%$q%')
+    $access_permission_query
     $client_query
     ORDER BY $sort $order LIMIT $record_from, $record_to");
 
@@ -43,7 +44,7 @@
 
     <div class="card card-dark">
         <div class="card-header py-2">
-            <h3 class="card-title mt-2"><i class="fa fa-fw fa-globe mr-2"></i>Domain Management</h3>
+            <h3 class="card-title mt-2"><i class="fa fa-fw fa-globe mr-2"></i>Domains</h3>
             <div class="card-tools">
                 <div class="btn-group">
                     <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addDomainModal"><i class="fas fa-plus mr-2"></i>New Domain</button>

global_search.php

@@ -93,8 +93,8 @@
 
     $sql_recurring_tickets = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets
         LEFT JOIN clients ON scheduled_ticket_client_id = client_id
-        WHERE scheduled_ticket_subject LIKE '%$query%'
-            OR scheduled_ticket_details LIKE '%$query%'
+        WHERE (scheduled_ticket_subject LIKE '%$query%'
+            OR scheduled_ticket_details LIKE '%$query%')
             $access_permission_query
         ORDER BY scheduled_ticket_id DESC LIMIT 5"
     );

includes/get_side_nav_counts.php

@@ -6,11 +6,11 @@
 $num_active_clients = $row['num'];
 
 // Active Ticket Count
-$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('ticket_id') AS num FROM tickets WHERE ticket_archived_at IS NULL AND ticket_closed_at IS NULL AND ticket_status != 4"));
+$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('ticket_id') AS num FROM tickets LEFT JOIN clients ON client_id = ticket_client_id WHERE ticket_archived_at IS NULL AND ticket_closed_at IS NULL AND ticket_status != 4 $access_permission_query"));
 $num_active_tickets = $row['num'];
 
 // Recurring Ticket Count
-$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('scheduled_ticket_id') AS num FROM scheduled_tickets"));
+$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('scheduled_ticket_id') AS num FROM scheduled_tickets LEFT JOIN clients ON client_id = scheduled_ticket_client_id WHERE 1 = 1 $access_permission_query"));
 $num_recurring_tickets = $row['num'];
 
 // Active Project Count

locations.php

@@ -43,6 +43,7 @@
     WHERE location_$archive_query
     $tag_query
     AND (location_name LIKE '%$q%' OR location_description LIKE '%$q%' OR location_address LIKE '%$q%' OR location_phone LIKE '%$phone_query%' OR tag_name LIKE '%$q%' OR client_name LIKE '%$q%')
+    $access_permission_query
     $client_query
     GROUP BY location_id
     ORDER BY location_primary DESC, $sort $order LIMIT $record_from, $record_to"