From 162933affa52d4c42198602355de676a425f4d59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”>
Date: Fri, 30 Jan 2026 10:02:45 +0100
Subject: [PATCH] Refactor geolocation queries to use AND conditions for better accuracy. Update permission checks for equipment management to utilize unified 'equipment' scope. Enhance user role assignment logic to ensure correct username usage. Improve session error handling in login and index files for clearer user feedback.
---
 api/v1/get/application.php | 4 ++--
 api/v1/post/equipments.php | 6 +++---
 api/v2/get/application.php | 4 ++--
 api/v2/post/equipments.php | 6 +++---
 api/v2/post/user_role_assignments.php | 4 ++--
 api/v2/post/users.php | 7 +++++++
 equipment_manage.php | 2 +-
 equipments.php | 2 +-
 index.php | 6 +++---
 login.php | 5 +++++
 10 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/api/v1/get/application.php b/api/v1/get/application.php
index 4504962..0a663ff 100644
--- a/api/v1/get/application.php
+++ b/api/v1/get/application.php
@@ -179,9 +179,9 @@ switch ($action) {
 case 'geolocation':
 if ($whereclause == ''){
- $whereclause = 'WHERE geolocation is not null OR geolocation != "["",""]"';
+ $whereclause = 'WHERE geolocation is not null AND geolocation != \'["",""]\'';
 } else {
- $whereclause .= ' AND geolocation is not null OR geolocation != "["",""]';
+ $whereclause .= ' AND geolocation is not null AND geolocation != \'["",""]\'';
 }
 $sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.'';
diff --git a/api/v1/post/equipments.php b/api/v1/post/equipments.php
index 198012c..1765a60 100644
--- a/api/v1/post/equipments.php
+++ b/api/v1/post/equipments.php
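Review bot: The two branches of the rewritten condition now differ only in their `WHERE ` / ` AND ` prefix, so the geolocation predicate is spelled out twice here and twice more in the identical hunk in api/v2/get/application.php; one literal is easier to keep in sync: `$geo = 'geolocation is not null AND geolocation != \'["",""]\''; $whereclause .= ($whereclause === '' ? 'WHERE ' : ' AND ') . $geo;`. The existing `$whereclause == ''` is a loose comparison; `===` states what is meant. An empty-string geolocation still satisfies the new predicate, so if `''` is another stored sentinel for "no coordinates" it should be excluded alongside `'["",""]'`. The enclosing `switch` starts before the hunk and `$whereclause` is assembled outside it, so whether its other fragments are bound rather than concatenated cannot be judged from here.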
@@ -217,18 +217,18 @@ $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
 $input_insert = substr($input_insert, 1); //Clean clause - remove first comma
 //QUERY AND VERIFY ALLOWED
-if ($command == 'update' && (isAllowed('equipment_manage',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
+if ($command == 'update' && (isAllowed('equipment',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
 $sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.'';
 $execute_input[] = $id;
 $stmt = $pdo->prepare($sql);
 $stmt->execute($execute_input);
 }
-elseif ($command == 'insert' && isAllowed('equipment_manage',$profile,$permission,'C') === 1){
+elseif ($command == 'insert' && isAllowed('equipment',$profile,$permission,'C') === 1){
 $sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')';
 $stmt = $pdo->prepare($sql);
 $stmt->execute($execute_input);
 }
-elseif ($command == 'delete' && (isAllowed('equipment_manage',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
+elseif ($command == 'delete' && (isAllowed('equipment',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
 //delete equipment
 $stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.'');
 $stmt->execute([ $id ]);
diff --git a/api/v2/get/application.php b/api/v2/get/application.php
index dd01c42..7fefbc5 100644
--- a/api/v2/get/application.php
+++ b/api/v2/get/application.php
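Review bot: The scope name `'equipment'` is now written out in three `isAllowed` calls here and three more in the identical hunk in api/v2/post/equipments.php, which is exactly the kind of drift this rename is correcting; a single constant near the top of the file (`const SCOPE_EQUIPMENT = 'equipment';`) would keep v1 and v2 aligned. If `isAllowed` resolves scope names against stored permission rows, grants still keyed `'equipment_manage'` stop matching after this change — that fails closed, but confirm a data migration accompanies the rename or affected users lose access silently. The `$owner_equipment === 1` alternative still grants update and delete with no scope at all, which the rename leaves untouched; a one-line comment on why ownership alone suffices would help the next reviewer. `$command == 'update'` and the two sibling comparisons are loose and read better as `===`. The if/elseif chain continues past the hunk and `$clause`/`$whereclause` are built before it, so column-name handling in the concatenated UPDATE cannot be judged here.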
@@ -179,9 +179,9 @@ switch ($action) {
 case 'geolocation':
 if ($whereclause == ''){
- $whereclause = 'WHERE geolocation is not null OR geolocation != "["",""]"';
+ $whereclause = 'WHERE geolocation is not null AND geolocation != \'["",""]\'';
 } else {
- $whereclause .= ' AND geolocation is not null OR geolocation != "["",""]';
+ $whereclause .= ' AND geolocation is not null AND geolocation != \'["",""]\'';
 }
 $sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.'';
diff --git a/api/v2/post/equipments.php b/api/v2/post/equipments.php
index 9057ddb..bca84a5 100644
--- a/api/v2/post/equipments.php
+++ b/api/v2/post/equipments.php
@@ -224,18 +224,18 @@ $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
 $input_insert = substr($input_insert, 1); //Clean clause - remove first comma
 //QUERY AND VERIFY ALLOWED
-if ($command == 'update' && (isAllowed('equipment_manage',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
+if ($command == 'update' && (isAllowed('equipment',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
 $sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.'';
 $execute_input[] = $id;
 $stmt = $pdo->prepare($sql);
 $stmt->execute($execute_input);
 }
-elseif ($command == 'insert' && isAllowed('equipment_manage',$profile,$permission,'C') === 1){
+elseif ($command == 'insert' && isAllowed('equipment',$profile,$permission,'C') === 1){
 $sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')';
 $stmt = $pdo->prepare($sql);
 $stmt->execute($execute_input);
 }
-elseif ($command == 'delete' && (isAllowed('equipment_manage',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
+elseif ($command == 'delete' && (isAllowed('equipment',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
 //delete equipment
 $stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.'');
 $stmt->execute([ $id ]);
diff --git a/api/v2/post/user_role_assignments.php b/api/v2/post/user_role_assignments.php
index 06977a0..851ea02 100644
--- a/api/v2/post/user_role_assignments.php
+++ b/api/v2/post/user_role_assignments.php
@@ -48,11 +48,11 @@ if (isset($post_content['batch_update']) && isset($post_content['user_id']) && i
 if ($existing){
 //Reactivate existing assignment
 $stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 1, assigned_by = ?, assigned_at = ?, updatedby = ?, updated = ? WHERE rowID = ?');
- $stmt->execute([$username, $date, $username, $date, $existing['rowID']]);
+ $stmt->execute([$username, $date, $username, $date, $$username]);
 } else {
 //Create new assignment
 $stmt = $pdo->prepare('INSERT INTO user_role_assignments (user_id, role_id, is_active, assigned_by, assigned_at, created, createdby) VALUES (?, ?, 1, ?, ?, ?, ?)');
- $stmt->execute([$user_id, $role_id, $username, $date, $date, $userkey]);
+ $stmt->execute([$user_id, $role_id, $username, $date, $date, $username]);
 }
 }
 }
diff --git a/api/v2/post/users.php b/api/v2/post/users.php
index 175e8f3..c8c1bc2 100644
--- a/api/v2/post/users.php
+++ b/api/v2/post/users.php
@@ -266,10 +266,17 @@ elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1
 $stmt = $pdo->prepare($sql);
 $stmt->execute($execute_input);
+ // Get the new user ID
+ $new_user_id = $pdo->lastInsertId();
+
 //STEP 2- Send to user
 $mail_location = (file_exists($_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php') ? $_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php' : './assets/mail/email_template_new.php');
 include_once $mail_location;
 send_mail($post_content['email'],$subject,$message,'','');
+
+ // Return the new user ID
+ $result = json_encode(['id' => (int)$new_user_id], JSON_UNESCAPED_UNICODE);
+ echo $result;
 } else {
 //------------------------------------------
 //JSON_ENCODE
diff --git a/equipment_manage.php b/equipment_manage.php
index c077f6e..8e8f031 100644
--- a/equipment_manage.php
+++ b/equipment_manage.php
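Review bot: `$$username` on the reactivation path is a variable-variable, not the assignment's row id: it dereferences whatever variable happens to be named after the current user, which is almost certainly unset, so the `WHERE rowID = ?` placeholder receives null and the UPDATE matches nothing (or raises under strict error reporting). That slot should keep the row key the old line used: `$stmt->execute([$username, $date, $username, $date, $existing['rowID']]);`. The `createdby` change on the insert path (`$userkey` → `$username`) is what the commit message describes and is consistent with the `assigned_by` column already taking `$username`. The enclosing batch-update block starts before the hunk.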
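Review bot: The new `echo $result` comes after `include_once $mail_location` and `send_mail(...)`, so any output, warning or fatal from the template or mailer is emitted before (or instead of) the JSON body, and the caller gets a broken response for a user that has already been inserted. Reading `lastInsertId()` directly after `execute()` is right, since it must precede any other statement; the encode-and-echo can move up beside it — `$result = json_encode(['id' => (int)$new_user_id], JSON_UNESCAPED_UNICODE); echo $result;` immediately under the `$new_user_id` line — leaving mail delivery as a trailing side effect. The include path is built from `$domain`, which is assigned outside the hunk; `file_exists` does not constrain traversal, so confirm `$domain` is not request-derived. The surrounding if/elseif chain starts before the hunk, so whether code after it also writes a body for the insert path is not visible here.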
@@ -7,7 +7,7 @@ if (debug && debug_id == $_SESSION['authorization']['id']){
 error_reporting(E_ALL);
 }
-$page = 'equipment_manage';
+$page = 'equipment';
 $page_edit = 'equipment_manage_edit';
 //Check if allowed
 if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 0){
diff --git a/equipments.php b/equipments.php
index 31af2bf..cc999d6 100644
--- a/equipments.php
+++ b/equipments.php
@@ -22,7 +22,7 @@ if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authori
 exit;
 }
 //PAGE Security
-$page_manage = 'equipment_manage';
+$page_manage = 'equipment';
 $update_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U');
 $delete_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D');
 $create_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C');
diff --git a/index.php b/index.php
index 34fe8be..7792cb9 100644
--- a/index.php
+++ b/index.php
@@ -37,14 +37,14 @@ if (!isset($_SESSION['authorization']['id']) && isset($_SESSION['authorization']
 if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;}
 //STORE DATA IN SESSION
- if (is_array($responses) && !isset($responses['error'])) {
+ if (is_array($responses) && !isset($responses['error_code'])) {
 foreach($responses as $key => $value){
 $_SESSION['authorization'][$key] = $value;
 }
 } else {
- // API call failed or returned error - redirect to login
+ // API call failed or returned error - redirect to login with error message
 session_destroy();
- header('location: login.php');
+ header('location: login.php?error=session_expired');
 die();
 }
 }
diff --git a/login.php b/login.php
index db5d90b..64c0d34 100644
--- a/login.php
+++ b/login.php
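Review bot: The page guard directly under the renamed scope, `if (isAllowed($page, …, 'R') === 0)`, denies only when `isAllowed` returns exactly `0`; whether it can return `null` or `false` (for instance for a scope name with no permission row, which a just-renamed scope is the likeliest case of) is not visible here, but if it can, the page falls open. The API side in api/v2/post/equipments.php checks `=== 1` to allow; the page checks should use the same fail-closed form, `if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') !== 1){`. `$page_edit = 'equipment_manage_edit'` keeps the old prefix while `$page` moves to `'equipment'`; if that split is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The same `=== 0` guard appears in the context line of the equipments.php hunk.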
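Review bot: `$page_manage` now presumably holds the same scope name that the read check in the hunk's context line uses for `$page` (assigned before the hunk); if so, the second variable is redundant and the three `isAllowed` calls can take `$page` directly, with a short comment that read and manage rights share the `'equipment'` scope. If `$page` is still a different value, the two names are confusingly close and a comment on the distinction is worth adding.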
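Review bot: Switching the error test from `$responses['error']` to `$responses['error_code']` means a response that still carries only the old `error` key is now treated as a successful login and copied into `$_SESSION['authorization']` wholesale; unless every API error path has been changed to emit `error_code` (not visible here), check both: `if (is_array($responses) && !isset($responses['error']) && !isset($responses['error_code'])) {`. Copying every key of the response into the session also lets any unexpected key override what is there; a whitelist of the keys the application actually reads (`id`, `permissions` and `permission` are the ones used elsewhere in this patch) would make that trust boundary explicit. `session_destroy()` on the failure path leaves the session cookie in place; pairing it with `session_unset()` and expiring the cookie is the usual form if a stale cookie should not be reused. The enclosing `if` starts before the hunk.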
@@ -53,6 +53,11 @@ $username = $password = '';
 $username_err = $password_err = '';
 $retry = 0;
+// Check for error parameter from redirects
+if (isset($_GET['error']) && $_GET['error'] === 'session_expired') {
+ $password_err = $password_err_2 ?? 'Session expired or invalid. Please login again.';
+}
+
 // Process submitted form data
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
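Review bot: `$password_err_2 ?? '…'` reads a variable that is not assigned anywhere visible, and `??` hides the undefined-variable notice, so if it is never set the fallback literal is what always shows and the indirection is dead; if it is a translation string assigned elsewhere in login.php (outside the hunk), that assignment has to precede this line to take effect. Either drop the `??` and use the literal, or populate the message the same way `$username_err`/`$password_err` are, and say which in a comment. Comparing `$_GET['error'] === 'session_expired'` and emitting a fixed string rather than the parameter is the right shape: nothing from the query string reaches the page. Reusing the password-error slot for a session message is a little surprising; a dedicated `$session_err` rendered above the form would read clearer, though that depends on the template below the hunk.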