From 0723df45160b7da9400106465e1e1698a6af574e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”>
Date: Thu, 29 Jan 2026 10:58:03 +0100
Subject: [PATCH] Refactor permission handling to utilize hierarchy levels for access control across multiple API endpoints, enhancing permission validation logic in contracts, history, application, and user management.
---
 api/v1/get/contracts.php | 14 ++++++++++----
 api/v1/get/history.php | 15 +++++++++++----
 api/v1/post/application.php | 14 ++++++++++----
 api/v2/get/contracts.php | 14 ++++++++++----
 api/v2/get/history.php | 16 +++++++++++-----
 api/v2/post/users.php | 9 ++++++---
 6 files changed, 58 insertions(+), 24 deletions(-)
diff --git a/api/v1/get/contracts.php b/api/v1/get/contracts.php
index 4591407..9e04cd6 100644
--- a/api/v1/get/contracts.php
+++ b/api/v1/get/contracts.php
@@ -17,11 +17,13 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el
 //default whereclause
 $whereclause = '';
-switch ($permission) {
- case '4':
+$hierarchy_level = getHierarchyLevel($partner);
+
+switch ($hierarchy_level) {
+ case '0':
 $whereclause = '';
 break;
- case '3':
+ case '1':
 $condition = '__salesid___'.$partner->salesid.'___soldto___%';
 $whereclause = 'WHERE c.accounthierarchy like :condition AND u.view IN (4,5)';
 break;
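Review bot: `switch ($hierarchy_level)` dispatches with PHP's loose `==`, and the only arm that leaves `$whereclause = ''` (no row filter at all) is `case '0'`; if `getHierarchyLevel($partner)` can return `false` for a partner whose level cannot be resolved (its implementation is not in this diff, so this is inferred), `false == '0'` is true and that request takes the unrestricted branch. The same switch is introduced in history.php, application.php, the v2 contracts and history endpoints and users.php, so one guard pattern should be applied to all of them. Validate the value before dispatching, e.g. `$hierarchy_level = getHierarchyLevel($partner);` followed by `if (!is_int($hierarchy_level)) { /* reject the request the way this endpoint reports other errors */ }`, and switch on integer case labels so a non-integer return can never match the most privileged arm.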
@@ -29,7 +31,11 @@ switch ($permission) {
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search;
 $whereclause = 'WHERE c.accounthierarchy like :condition AND u.view IN (1,2,3)';
 break;
- default:
+ case '3':
+ $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%';
+ $whereclause = 'WHERE c.accounthierarchy like :condition AND u.view IN (1,2,3)';
+ break;
+ case '4':
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.substr($partner->location, 0, strpos($partner->location, "-")).'%';
 $whereclause = 'WHERE c.accounthierarchy like :condition AND u.view IN (1,2,3)';
 break;
diff --git a/api/v1/get/history.php b/api/v1/get/history.php
index c1667e0..b844c71 100644
--- a/api/v1/get/history.php
+++ b/api/v1/get/history.php
@@ -14,11 +14,13 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el
 //default whereclause
 $whereclause = '';
-switch ($permission) {
- case '4':
+$hierarchy_level = getHierarchyLevel($partner);
+
+switch ($hierarchy_level) {
+ case '0':
 $whereclause = '';
 break;
- case '3':
+ case '1':
 $condition = '__salesid___'.$partner->salesid.'___soldto___%';
 $whereclause = 'WHERE e.accounthierarchy like :condition ';
 break;
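Review bot: Replacing `default:` with `case '4':` makes the switch fail open: before this change any level outside the known set fell into the most restrictive arm, whereas now a value that matches none of `'0'`–`'4'` leaves `$whereclause` at its initial `''`, which is exactly the unrestricted clause the level-0 arm produces. The same `default:` removal appears in history.php (v1 and v2), application.php and the v2 contracts endpoint. Keep a deny-by-default arm, e.g. `default: $whereclause = 'WHERE 1=0'; break;` (or reject the request outright), so an unexpected level returns nothing rather than everything; the level-0 arm already yields a clause without `:condition`, so the later binding presumably tolerates that shape — worth confirming where the statement is prepared, which is outside this hunk. The switch statement itself opens in the previous hunk.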
@@ -26,11 +28,16 @@ switch ($permission) {
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search;
 $whereclause = 'WHERE e.accounthierarchy like :condition AND (type = "'.$type1.'" or type = "'.$type2.'" or type = "'.$type3.'" or type = "'.$type9.'" or type = "'.$type14.'" or type = "'.$type16.'")';
 break;
- default:
+ case '3':
+ $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.$soldto_search;
+ $whereclause = 'WHERE e.accounthierarchy like :condition AND (type = "'.$type1.'" or type = "'.$type2.'" or type = "'.$type3.'" or type = "'.$type14.'" or type = "'.$type16.'")';
+ break;
+ case '4':
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.substr($partner->location, 0, strpos($partner->location, "-")).'%';
 $whereclause = 'WHERE e.accounthierarchy like :condition AND (type = "'.$type1.'" or type = "'.$type2.'" or type = "'.$type3.'" or type = "'.$type14.'" or type = "'.$type16.'")';
 break;
 }
+
 //NEW ARRAY
 $criterias = [];
 $clause = '';
diff --git a/api/v1/post/application.php b/api/v1/post/application.php
index 73730fa..afd1e3d 100644
--- a/api/v1/post/application.php
+++ b/api/v1/post/application.php
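Review bot: The new `case '3'` condition ends in `'%___location___'.$soldto_search`, reusing the sold-to wildcard as the location pattern, while the `case '3'` added to contracts.php in this same commit ends the ship-to segment with a plain `'%'` and the `case '4'` arm here derives the location segment from `$partner->location`. When `$soldto_search` is something other than `'%'` (the `else` branch that sets it is outside the hunk), level-3 history is filtered by a location pattern built from a sold-to value, which looks like a copy-paste slip and can silently return an empty or wrong set. The v2 history hunk carries the identical line. Suggested ending, matching contracts.php: `.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%';`.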
@@ -27,11 +27,13 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el
 //default whereclause
 $whereclause = 'WHERE';
-switch ($permission) {
- case '4':
+$hierarchy_level = getHierarchyLevel($partner);
+
+switch ($hierarchy_level) {
+ case '0':
 $whereclause .= '';
 break;
- case '3':
+ case '1':
 $condition = '__salesid___'.$partner->salesid.'___soldto___%';
 $whereclause = ' e.accounthierarchy like "'.$condition.'" AND ';
 break;
@@ -39,7 +41,11 @@ switch ($permission) {
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search;
 $whereclause .= ' e.accounthierarchy like "'.$condition.'" AND ';
 break;
- default:
+ case '3':
+ $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%';
+ $whereclause .= ' e.accounthierarchy like "'.$condition.'" AND ';
+ break;
+ case '4':
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.substr($partner->location, 0, strpos($partner->location, "-")).'%';
 $whereclause .= ' e.accounthierarchy like "'.$condition.'" AND ';
 break;
diff --git a/api/v2/get/contracts.php b/api/v2/get/contracts.php
index 2362582..f5da5bc 100644
--- a/api/v2/get/contracts.php
+++ b/api/v2/get/contracts.php
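Review bot: The arm now labelled `case '1'` assigns `$whereclause = ' e.accounthierarchy like "'.$condition.'" AND ';` while `$whereclause` was initialised to `'WHERE'` and every other arm appends with `.=`, so level 1 ends up with a clause that has no `WHERE` keyword. That line is unchanged context, but the relabelling is the moment to check it: unless the query assembly further down re-adds the keyword (not visible here), the level-1 request builds an invalid statement. Suggested: `$whereclause .= ' e.accounthierarchy like "'.$condition.'" AND ';`.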
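Review bot: The new `case '3'` arm, like the arms around it, splices `$condition` straight into the SQL text (`' e.accounthierarchy like "'.$condition.'" AND '`), whereas the contracts and history endpoints touched by this same commit pass it through the `:condition` placeholder. `$condition` is assembled from `$partner->salesid`, `soldto` and `shipto`, which presumably come from the partner record rather than the request body, so the immediate exposure is limited, but a `"`, `%` or `_` in any of those fields changes the query's meaning and the inconsistency will outlive this refactor. Use the same binding as the other endpoints: `$whereclause .= ' e.accounthierarchy like :condition AND ';` with `:condition` bound where the statement is prepared, which is outside this hunk.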
@@ -17,19 +17,25 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el
 //default whereclause
 $whereclause = '';
-switch ($permission) {
- case '4':
+$hierarchy_level = getHierarchyLevel($partner);
+
+switch ($hierarchy_level) {
+ case '0':
 $whereclause = '';
 break;
- case '3':
+ case '1':
 $condition = '__salesid___'.$partner->salesid.'___soldto___%';
 $whereclause = 'WHERE accounthierarchy like :condition AND u.view IN (4,5)';
 break;
 case '2':
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search;
 $whereclause = 'WHERE accounthierarchy like :condition AND u.view IN (1,2,3)';
+ break;
+ case '3':
+ $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%';
+ $whereclause = 'WHERE accounthierarchy like :condition AND u.view IN (1,2,3)';
 break;
- default:
+ case '4':
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.substr($partner->location, 0, strpos($partner->location, "-")).'%';
 $whereclause = 'WHERE accounthierarchy like :condition AND u.view IN (1,2,3)';
 break;
diff --git a/api/v2/get/history.php b/api/v2/get/history.php
index 9994a48..aa81a11 100644
--- a/api/v2/get/history.php
+++ b/api/v2/get/history.php
@@ -13,24 +13,30 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el
 //default whereclause
 $whereclause = '';
+$hierarchy_level = getHierarchyLevel($partner);
-switch ($permission) {
- case '4':
+switch ($hierarchy_level) {
+ case '0':
 $whereclause = '';
 break;
- case '3':
+ case '1':
 $condition = '__salesid___'.$partner->salesid.'___soldto___%';
- $whereclause = 'WHERE e.accounthierarchy like :condition';
+ $whereclause = 'WHERE e.accounthierarchy like :condition ';
 break;
 case '2':
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search;
 $whereclause = 'WHERE e.accounthierarchy like :condition AND (type = "'.$type1.'" or type = "'.$type2.'" or type = "'.$type3.'" or type = "'.$type9.'" or type = "'.$type14.'" or type = "'.$type16.'")';
 break;
- default:
+ case '3':
+ $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.$soldto_search;
+ $whereclause = 'WHERE e.accounthierarchy like :condition AND (type = "'.$type1.'" or type = "'.$type2.'" or type = "'.$type3.'" or type = "'.$type14.'" or type = "'.$type16.'")';
+ break;
+ case '4':
 $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.substr($partner->location, 0, strpos($partner->location, "-")).'%';
 $whereclause = 'WHERE e.accounthierarchy like :condition AND (type = "'.$type1.'" or type = "'.$type2.'" or type = "'.$type3.'" or type = "'.$type14.'" or type = "'.$type16.'")';
 break;
 }
+
 //NEW ARRAY
 $criterias = [];
 $clause = '';
diff --git a/api/v2/post/users.php b/api/v2/post/users.php
index 5f608d0..175e8f3 100644
--- a/api/v2/post/users.php
+++ b/api/v2/post/users.php
@@ -154,12 +154,15 @@ else {
 //+++++++++++++++++++++++++++++++++++++++++++++
 //RESET VIEW/PERMISSION BASED ON USER PERMISSION
 //+++++++++++++++++++++++++++++++++++++++++++++
+
+$hierarchy_level = getHierarchyLevel($partner);
+
 if($post_content['view']){
- switch ($permission) {
- case '4':
+ switch ($hierarchy_level) {
+ case '0':
 //ADMIN+ no override
 break;
- case '3':
+ case '1':
 //ADMINS cannot set ADMIN+ => reset to admin
 $post_content['view'] = ($post_content['view'] == 5) ? 4 : $post_content['view'];
 break;
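Review bot: The `$hierarchy_level` scale runs in the opposite direction to the `view` values these arms reset — `case '0'` is the ADMIN+ arm while the ADMIN+ view is `5`, and `case '1'` is the admin arm while it resets to view `4` — and nothing near the switch records that, so the next edit to this block can easily invert an arm. Add above the switch: `// hierarchy level from getHierarchyLevel(): 0 = ADMIN+, 1 = admin (lower = more privileged); note this is the reverse of the view numbering, where 5 = ADMIN+ and 4 = admin.` Since `case '0'` is the arm that leaves the posted `view` untouched, the guard on the return value of `getHierarchyLevel()` matters most in this file. Both the `if` and the switch continue past the end of the hunk.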