Refactor geolocation queries to use AND conditions for better accuracy. Update permission checks for equipment management to utilize unified 'equipment' scope. Enhance user role assignment logic to ensure correct username usage. Improve session error handling in login and index files for clearer user feedback.

2026-01-30 10:02:45 +01:00
parent b3327f21ed
commit 162933affa
10 changed files with 29 additions and 17 deletions
--- a/api/v1/get/application.php
+++ b/api/v1/get/application.php
@@ -179,9 +179,9 @@ switch ($action) {
    case 'geolocation':

        if ($whereclause == ''){
-            $whereclause = 'WHERE geolocation is not null OR geolocation != "["",""]"';
+            $whereclause = 'WHERE geolocation is not null AND geolocation != \'["",""]\'';
        } else {
-            $whereclause .= ' AND geolocation is not null OR  geolocation != "["",""]';
+            $whereclause .= ' AND geolocation is not null AND geolocation != \'["",""]\'';
        }
        $sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.'';
    
--- a/api/v1/post/equipments.php
+++ b/api/v1/post/equipments.php
@@ -217,18 +217,18 @@ $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
 $input_insert = substr($input_insert, 1); //Clean clause - remove first comma

 //QUERY AND VERIFY ALLOWED
-if ($command == 'update' && (isAllowed('equipment_manage',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
+if ($command == 'update' && (isAllowed('equipment',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
    $sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.'';
    $execute_input[] = $id;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($execute_input);
 } 
-elseif ($command == 'insert' && isAllowed('equipment_manage',$profile,$permission,'C') === 1){
+elseif ($command == 'insert' && isAllowed('equipment',$profile,$permission,'C') === 1){
    $sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($execute_input);
 }
-elseif ($command == 'delete' && (isAllowed('equipment_manage',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
+elseif ($command == 'delete' && (isAllowed('equipment',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
    //delete equipment
    $stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.'');
    $stmt->execute([ $id ]);