pcwvanbeers/assetmgt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor geolocation queries to use AND conditions for better accuracy. Update permission checks for equipment management to utilize unified 'equipment' scope. Enhance user role assignment logic to ensure correct username usage. Improve session error handling in login and index files for clearer user feedback.

Browse Source
This commit is contained in:
“VeLiTi”
2026-01-30 10:02:45 +01:00
parent b3327f21ed
commit 162933affa
10 changed files with 29 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
api/v1/get/application.php
View File

@@ -179,9 +179,9 @@ switch ($action) {
case 'geolocation': case 'geolocation':
if ($whereclause == ''){ if ($whereclause == ''){
$whereclause = 'WHERE geolocation is not null OR geolocation != "["",""]"'; $whereclause = 'WHERE geolocation is not null AND geolocation != \'["",""]\'';
} else { } else {
$whereclause .= ' AND geolocation is not null OR geolocation != "["",""]'; $whereclause .= ' AND geolocation is not null AND geolocation != \'["",""]\'';
} }
$sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.''; $sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.'';

6
api/v1/post/equipments.php
View File

@@ -217,18 +217,18 @@ $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
$input_insert = substr($input_insert, 1); //Clean clause - remove first comma $input_insert = substr($input_insert, 1); //Clean clause - remove first comma
//QUERY AND VERIFY ALLOWED //QUERY AND VERIFY ALLOWED
if ($command == 'update' && (isAllowed('equipment_manage',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){ if ($command == 'update' && (isAllowed('equipment',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
$sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.''; $sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.'';
$execute_input[] = $id; $execute_input[] = $id;
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute($execute_input); $stmt->execute($execute_input);
} }
elseif ($command == 'insert' && isAllowed('equipment_manage',$profile,$permission,'C') === 1){ elseif ($command == 'insert' && isAllowed('equipment',$profile,$permission,'C') === 1){
$sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')'; $sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')';
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute($execute_input); $stmt->execute($execute_input);
} }
elseif ($command == 'delete' && (isAllowed('equipment_manage',$profile,$permission,'D') === 1 || $owner_equipment === 1)){ elseif ($command == 'delete' && (isAllowed('equipment',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
//delete equipment //delete equipment
$stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.''); $stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.'');
$stmt->execute([ $id ]); $stmt->execute([ $id ]);

4
api/v2/get/application.php
View File

@@ -179,9 +179,9 @@ switch ($action) {
case 'geolocation': case 'geolocation':
if ($whereclause == ''){ if ($whereclause == ''){
$whereclause = 'WHERE geolocation is not null OR geolocation != "["",""]"'; $whereclause = 'WHERE geolocation is not null AND geolocation != \'["",""]\'';
} else { } else {
$whereclause .= ' AND geolocation is not null OR geolocation != "["",""]'; $whereclause .= ' AND geolocation is not null AND geolocation != \'["",""]\'';
} }
$sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.''; $sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.'';

6
api/v2/post/equipments.php
View File

@@ -224,18 +224,18 @@ $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
$input_insert = substr($input_insert, 1); //Clean clause - remove first comma $input_insert = substr($input_insert, 1); //Clean clause - remove first comma
//QUERY AND VERIFY ALLOWED //QUERY AND VERIFY ALLOWED
if ($command == 'update' && (isAllowed('equipment_manage',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){ if ($command == 'update' && (isAllowed('equipment',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){
$sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.''; $sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.'';
$execute_input[] = $id; $execute_input[] = $id;
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute($execute_input); $stmt->execute($execute_input);
} }
elseif ($command == 'insert' && isAllowed('equipment_manage',$profile,$permission,'C') === 1){ elseif ($command == 'insert' && isAllowed('equipment',$profile,$permission,'C') === 1){
$sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')'; $sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')';
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute($execute_input); $stmt->execute($execute_input);
} }
elseif ($command == 'delete' && (isAllowed('equipment_manage',$profile,$permission,'D') === 1 || $owner_equipment === 1)){ elseif ($command == 'delete' && (isAllowed('equipment',$profile,$permission,'D') === 1 || $owner_equipment === 1)){
//delete equipment //delete equipment
$stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.''); $stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.'');
$stmt->execute([ $id ]); $stmt->execute([ $id ]);

4
api/v2/post/user_role_assignments.php
View File

@@ -48,11 +48,11 @@ if (isset($post_content['batch_update']) && isset($post_content['user_id']) && i
if ($existing){ if ($existing){
//Reactivate existing assignment //Reactivate existing assignment
$stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 1, assigned_by = ?, assigned_at = ?, updatedby = ?, updated = ? WHERE rowID = ?'); $stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 1, assigned_by = ?, assigned_at = ?, updatedby = ?, updated = ? WHERE rowID = ?');
$stmt->execute([$username, $date, $username, $date, $existing['rowID']]); $stmt->execute([$username, $date, $username, $date, $$username]);
} else { } else {
//Create new assignment //Create new assignment
$stmt = $pdo->prepare('INSERT INTO user_role_assignments (user_id, role_id, is_active, assigned_by, assigned_at, created, createdby) VALUES (?, ?, 1, ?, ?, ?, ?)'); $stmt = $pdo->prepare('INSERT INTO user_role_assignments (user_id, role_id, is_active, assigned_by, assigned_at, created, createdby) VALUES (?, ?, 1, ?, ?, ?, ?)');
$stmt->execute([$user_id, $role_id, $username, $date, $date, $userkey]); $stmt->execute([$user_id, $role_id, $username, $date, $date, $username]);
} }
} }
} }

7
api/v2/post/users.php
View File

@@ -266,10 +266,17 @@ elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute($execute_input); $stmt->execute($execute_input);
// Get the new user ID
$new_user_id = $pdo->lastInsertId();
//STEP 2- Send to user //STEP 2- Send to user
$mail_location = (file_exists($_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php') ? $_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php' : './assets/mail/email_template_new.php'); $mail_location = (file_exists($_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php') ? $_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php' : './assets/mail/email_template_new.php');
include_once $mail_location; include_once $mail_location;
send_mail($post_content['email'],$subject,$message,'',''); send_mail($post_content['email'],$subject,$message,'','');
// Return the new user ID
$result = json_encode(['id' => (int)$new_user_id], JSON_UNESCAPED_UNICODE);
echo $result;
} else { } else {
//------------------------------------------ //------------------------------------------
//JSON_ENCODE //JSON_ENCODE

2
equipment_manage.php
View File

@@ -7,7 +7,7 @@ if (debug && debug_id == $_SESSION['authorization']['id']){
error_reporting(E_ALL); error_reporting(E_ALL);
} }
$page = 'equipment_manage'; $page = 'equipment';
$page_edit = 'equipment_manage_edit'; $page_edit = 'equipment_manage_edit';
//Check if allowed //Check if allowed
if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 0){ if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 0){

2
equipments.php
View File

@@ -22,7 +22,7 @@ if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authori
exit; exit;
} }
//PAGE Security //PAGE Security
$page_manage = 'equipment_manage'; $page_manage = 'equipment';
$update_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U'); $update_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U');
$delete_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D'); $delete_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D');
$create_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C'); $create_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C');

6
index.php
View File

@@ -37,14 +37,14 @@ if (!isset($_SESSION['authorization']['id']) && isset($_SESSION['authorization']
if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;} if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;}
//STORE DATA IN SESSION //STORE DATA IN SESSION
if (is_array($responses) && !isset($responses['error'])) { if (is_array($responses) && !isset($responses['error_code'])) {
foreach($responses as $key => $value){ foreach($responses as $key => $value){
$_SESSION['authorization'][$key] = $value; $_SESSION['authorization'][$key] = $value;
} }
} else { } else {
// API call failed or returned error - redirect to login // API call failed or returned error - redirect to login with error message
session_destroy(); session_destroy();
header('location: login.php'); header('location: login.php?error=session_expired');
die(); die();
} }
} }

5
login.php
View File

@@ -53,6 +53,11 @@ $username = $password = '';
$username_err = $password_err = ''; $username_err = $password_err = '';
$retry = 0; $retry = 0;
// Check for error parameter from redirects
if (isset($_GET['error']) && $_GET['error'] === 'session_expired') {
$password_err = $password_err_2 ?? 'Session expired or invalid. Please login again.';
}
// Process submitted form data // Process submitted form data
if ($_SERVER['REQUEST_METHOD'] === 'POST') { if ($_SERVER['REQUEST_METHOD'] === 'POST') {