From 3043076dba551a83a3d3fa75ab658d38caf78a9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”>
Date: Thu, 29 Jan 2026 20:01:46 +0100
Subject: [PATCH] Refactor user role permission checks to utilize a unified
 'user' scope for access control. Update user management permissions in
 user.php and users.php for consistency. Enhance listPartner function to apply
 hierarchy-based restrictions for partner retrieval.

---
 api/v2/post/user_role_assignments.php |  8 +++---
 assets/functions.php                  | 41 ++++++++++++++++-----------
 user.php                              |  5 ++--
 users.php                             |  4 ---
 4 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/api/v2/post/user_role_assignments.php b/api/v2/post/user_role_assignments.php
index cd663d9..06977a0 100644
--- a/api/v2/post/user_role_assignments.php
+++ b/api/v2/post/user_role_assignments.php
@@ -17,7 +17,7 @@ $date = date('Y-m-d H:i:s');
 //------------------------------------------
 // BATCH UPDATE - Update all roles for a user
 //------------------------------------------
-if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user_manage',$profile,$permission,'U') === 1){
+if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user',$profile,$permission,'U') === 1){
     $user_id = $post_content['user_id'];
     $selected_roles = $post_content['roles'] ?? [];
 
@@ -105,13 +105,13 @@ else {
     $input_insert = substr($input_insert, 1);
 
     //QUERY AND VERIFY ALLOWED
-    if ($command == 'update' && isAllowed('user_manage',$profile,$permission,'U') === 1){
+    if ($command == 'update' && isAllowed('user',$profile,$permission,'U') === 1){
         $sql = 'UPDATE user_role_assignments SET '.$clause.' WHERE rowID = ?';
         $execute_input[] = $id;
         $stmt = $pdo->prepare($sql);
         $stmt->execute($execute_input);
     }
-    elseif ($command == 'insert' && isAllowed('user_manage',$profile,$permission,'C') === 1){
+    elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1){
         //Check if this user-role combination already exists (including inactive ones)
         $stmt = $pdo->prepare('SELECT rowID, is_active FROM user_role_assignments WHERE user_id = ? AND role_id = ? LIMIT 1');
         $stmt->execute([$post_content['user_id'], $post_content['role_id']]);
@@ -131,7 +131,7 @@ else {
             $stmt->execute($execute_input);
         }
     }
-    elseif ($command == 'delete' && isAllowed('user_manage',$profile,$permission,'D') === 1){
+    elseif ($command == 'delete' && isAllowed('user',$profile,$permission,'D') === 1){
         //Soft delete by setting is_active to 0
         $stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 0, updatedby = ?, updated = ? WHERE rowID = ?');
         $stmt->execute([$username, $date, $id]);
diff --git a/assets/functions.php b/assets/functions.php
index 27d009e..897e2c8 100644
--- a/assets/functions.php
+++ b/assets/functions.php
@@ -2847,28 +2847,37 @@ function serviceReport($history, $request, $country_code)
 //------------------------------------------
 // LIST PARTNER 
 //------------------------------------------
-function listPartner($partnertype, $user_right, $input, $required)
+function listPartner($partnertype, $user_right = null, $input, $required)
 {
   include dirname(__FILE__,2).'/settings/settings_redirector.php';
 
-//BASED ON USERRIGHT DEFINE SQL AND DATA RETURNED
-if ($user_right != 3 || $user_right !=4) {
-    //NOT ADMIN USER
-    $partner = json_decode($_SESSION['authorization']['partnerhierarchy']);
-    //SoldTo is empty
-    if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
-    //BUILD CONDITION
-    $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search;
+  // Use hierarchy level instead of user_right
+  $partner = json_decode($_SESSION['authorization']['partnerhierarchy']);
+  $hierarchyLevel = getHierarchyLevel($partner);
+
+  // Only apply restrictions if hierarchy level is not 0 or 1
+  if ($hierarchyLevel != 0 && $hierarchyLevel != 1) {
+    // Build condition based on hierarchy
+    $condition = buildHierarchyConditionLvl2($partner, $hierarchyLevel);
     $whereclause = 'AND salesID like ?';
-}
-else {//ADMIN USERS
-      $whereclause = '';
-      }
+  } else {
+    // Level 0 or 1: No restrictions or salesid-only level
+    $whereclause = '';
+    $condition = '';
+  }
 
   $pdo = dbConnect($dbname);
-  $sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1 '.$whereclause.'';
-  $stmt = $pdo->prepare($sql);
-  $stmt->execute([$partnertype, $condition]);
+
+  if ($whereclause != '') {
+    $sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1 '.$whereclause.'';
+    $stmt = $pdo->prepare($sql);
+    $stmt->execute([$partnertype, $condition]);
+  } else {
+    $sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1';
+    $stmt = $pdo->prepare($sql);
+    $stmt->execute([$partnertype]);
+  }
+
   $partners = $stmt->fetchAll(PDO::FETCH_ASSOC);
 
 if ($input !='' && !empty($input)){
diff --git a/user.php b/user.php
index 65b1504..99f621d 100644
--- a/user.php
+++ b/user.php
@@ -21,10 +21,9 @@ if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authori
 }
 
 //PAGE Security
-$page_manage = 'user_manage';
 $update_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U');
-$delete_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D');
-$create_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C');
+$delete_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D');
+$create_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C');
 
 //GET Details from URL
 $user_ID = $_GET['id'] ?? '';
diff --git a/users.php b/users.php
index 5cff75a..c78f55d 100644
--- a/users.php
+++ b/users.php
@@ -133,8 +133,6 @@ $view .= '
                     <th class="responsive-hidden">'.$User_service.'</th>
                     <th>'.$User_username.'</th>
                     <th>'.$User_partnerhierarchy.'</th>
-                    <th>'.$User_permission.'</th>
-                    <th>'.$User_profile.'</th>
                     <th class="responsive-hidden">'.$User_lastlogin.'</th>
                 </tr>
             </thead>
@@ -164,8 +162,6 @@ $view .= '
                     <td class="responsive-hidden">'.(($response->service &&  $response->service !='')? '<span class="status enabled">'.$enabled:'<span class="status">'.$disabled).'</td>
                     <td>'.$response->username.'</td>
                     <td>'.$partner_hierarchy.'</td>
-                    <td>'.$$permission_user.'</td>
-                    <td>'.$response->settings.'</td>
                     <td class="responsive-hidden">'.getRelativeTime($response->lastlogin).'</td>
                 </tr>
                 ';