From 3043076dba551a83a3d3fa75ab658d38caf78a9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”> Date: Thu, 29 Jan 2026 20:01:46 +0100 Subject: [PATCH 1/5] Refactor user role permission checks to utilize a unified 'user' scope for access control. Update user management permissions in user.php and users.php for consistency. Enhance listPartner function to apply hierarchy-based restrictions for partner retrieval. --- api/v2/post/user_role_assignments.php | 8 +++--- assets/functions.php | 41 ++++++++++++++++----------- user.php | 5 ++-- users.php | 4 --- 4 files changed, 31 insertions(+), 27 deletions(-) diff --git a/api/v2/post/user_role_assignments.php b/api/v2/post/user_role_assignments.php index cd663d9..06977a0 100644 --- a/api/v2/post/user_role_assignments.php +++ b/api/v2/post/user_role_assignments.php @@ -17,7 +17,7 @@ $date = date('Y-m-d H:i:s'); //------------------------------------------ // BATCH UPDATE - Update all roles for a user //------------------------------------------ -if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user_manage',$profile,$permission,'U') === 1){ +if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user',$profile,$permission,'U') === 1){ $user_id = $post_content['user_id']; $selected_roles = $post_content['roles'] ?? []; 
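Review bot: The batch-update branch now gates on the generic `user` scope instead of `user_manage`, so every role that already holds U on the user page silently gains the ability to rewrite another account's whole role set, and nothing in this series migrates `role_access_permissions` rows keyed on `user_manage` or re-examines existing `user` grants that just became management rights. The visible lines also take `$post_content['user_id']` and `$post_content['roles']` as-is, with no check that the target user sits inside the caller's partner hierarchy or that the requested roles are ones the caller may grant; if that happens further down it is outside the hunk, so please confirm. Before the loop I would reject the request unless the submitted role ids are a subset of the roles the caller is allowed to assign, and add either a data migration or an alias in `isAllowed` for the renamed scope so stale rows do not silently stop matching.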
@@ -105,13 +105,13 @@ else { $input_insert = substr($input_insert, 1); //QUERY AND VERIFY ALLOWED - if ($command == 'update' && isAllowed('user_manage',$profile,$permission,'U') === 1){ + if ($command == 'update' && isAllowed('user',$profile,$permission,'U') === 1){ $sql = 'UPDATE user_role_assignments SET '.$clause.' WHERE rowID = ?'; $execute_input[] = $id; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); } - elseif ($command == 'insert' && isAllowed('user_manage',$profile,$permission,'C') === 1){ + elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1){ //Check if this user-role combination already exists (including inactive ones) $stmt = $pdo->prepare('SELECT rowID, is_active FROM user_role_assignments WHERE user_id = ? AND role_id = ? LIMIT 1'); $stmt->execute([$post_content['user_id'], $post_content['role_id']]); @@ -131,7 +131,7 @@ else { $stmt->execute($execute_input); } } - elseif ($command == 'delete' && isAllowed('user_manage',$profile,$permission,'D') === 1){ + elseif ($command == 'delete' && isAllowed('user',$profile,$permission,'D') === 1){ //Soft delete by setting is_active to 0 $stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 0, updatedby = ?, updated = ? WHERE rowID = ?'); $stmt->execute([$username, $date, $id]); diff --git a/assets/functions.php b/assets/functions.php index 27d009e..897e2c8 100644 --- a/assets/functions.php +++ b/assets/functions.php 
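Review bot: The update and soft-delete branches run `UPDATE user_role_assignments … WHERE rowID = ?` with only the row id bound, so any caller holding U or D on `user` can modify or deactivate any assignment row in the table, including those belonging to users outside its own partner hierarchy. The equipment handlers later in this series append a hierarchy `$whereclause` to their UPDATE/DELETE; the equivalent restriction is missing here. Resolve the assignment's `user_id` first and apply the caller's hierarchy filter to it before executing, or at least confirm that `$id` is validated against the hierarchy earlier in the file, which is not visible in this hunk.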
@@ -2847,28 +2847,37 @@ function serviceReport($history, $request, $country_code) //------------------------------------------ // LIST PARTNER //------------------------------------------ -function listPartner($partnertype, $user_right, $input, $required) +function listPartner($partnertype, $user_right = null, $input, $required) { include dirname(__FILE__,2).'/settings/settings_redirector.php'; -//BASED ON USERRIGHT DEFINE SQL AND DATA RETURNED -if ($user_right != 3 || $user_right !=4) { - //NOT ADMIN USER - $partner = json_decode($_SESSION['authorization']['partnerhierarchy']); - //SoldTo is empty - if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} - //BUILD CONDITION - $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search; + // Use hierarchy level instead of user_right + $partner = json_decode($_SESSION['authorization']['partnerhierarchy']); + $hierarchyLevel = getHierarchyLevel($partner); + + // Only apply restrictions if hierarchy level is not 0 or 1 + if ($hierarchyLevel != 0 && $hierarchyLevel != 1) { + // Build condition based on hierarchy + $condition = buildHierarchyConditionLvl2($partner, $hierarchyLevel); $whereclause = 'AND salesID like ?'; -} -else {//ADMIN USERS - $whereclause = ''; - } + } else { + // Level 0 or 1: No restrictions or salesid-only level + $whereclause = ''; + $condition = ''; + } $pdo = dbConnect($dbname); - $sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1 '.$whereclause.''; - $stmt = $pdo->prepare($sql); - $stmt->execute([$partnertype, $condition]); + + if ($whereclause != '') { + $sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? 
AND status = 1 '.$whereclause.''; + $stmt = $pdo->prepare($sql); + $stmt->execute([$partnertype, $condition]); + } else { + $sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1'; + $stmt = $pdo->prepare($sql); + $stmt->execute([$partnertype]); + } + $partners = $stmt->fetchAll(PDO::FETCH_ASSOC); if ($input !='' && !empty($input)){ diff --git a/user.php b/user.php index 65b1504..99f621d 100644 --- a/user.php +++ b/user.php @@ -21,10 +21,9 @@ if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authori } //PAGE Security -$page_manage = 'user_manage'; $update_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U'); -$delete_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D'); -$create_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C'); +$delete_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D'); +$create_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C'); //GET Details from URL $user_ID = $_GET['id'] ?? ''; diff --git a/users.php b/users.php index 5cff75a..c78f55d 100644 --- a/users.php +++ b/users.php @@ -133,8 +133,6 @@ $view .= ' '.$User_service.' '.$User_username.' '.$User_partnerhierarchy.' - '.$User_permission.' - '.$User_profile.' '.$User_lastlogin.' @@ -164,8 +162,6 @@ $view .= ' '.(($response->service && $response->service !='')? ''.$enabled:''.$disabled).' '.$response->username.' '.$partner_hierarchy.' - '.$$permission_user.' - '.$response->settings.' '.getRelativeTime($response->lastlogin).' '; From 8df518d0a26ac8e75159ab7cef10628c3a3eee72 Mon Sep 17 00:00:00 2001 
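Review bot: `function listPartner($partnertype, $user_right = null, $input, $required)` declares an optional parameter ahead of required ones, which PHP 8 reports as deprecated and which no call site can actually exploit; since `$user_right` is no longer read, drop the default (`function listPartner($partnertype, $user_right, $input, $required)`) and note in a comment that the argument survives only for signature compatibility. More importantly, the removed condition `$user_right != 3 || $user_right != 4` was always true, so every caller — admins included — received the `salesID like ?` filter, whereas the new code removes the filter entirely for levels 0 and 1; the comment calls level 1 the "salesid-only level", yet it now lists partners under every sales id, which is a real widening if that level is meant to stay within its own sales id. Finally, `json_decode($_SESSION['authorization']['partnerhierarchy'])` returns `null` for a missing or malformed value and `getHierarchyLevel(null)` is not visible here; if it yields 0 this function is fail-open precisely for broken records, so treat a null or unknown level as the restricted path.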
From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”> Date: Thu, 29 Jan 2026 20:13:48 +0100 Subject: [PATCH 2/5] Refactor permission checks to utilize hierarchy levels for access control in equipment, partner, user, and mass update pages. Update conditions to validate permissions based on user hierarchy instead of fixed permission values. --- equipment.php | 4 ++-- equipments_mass_update.php | 6 ++++-- partner.php | 6 ++++-- user.php | 13 ++++++++----- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/equipment.php b/equipment.php index e52af6d..99faeb1 100644 --- a/equipment.php +++ b/equipment.php @@ -461,13 +461,13 @@ $shipto_id = explode("-",$partner_data->shipto) ?? ''; $partner_users_id = ($shipto_id[0] != '')? $shipto_id[0] : (($soldto_id[0] != '')? $soldto_id[0] : 1); $view_communication = ''; -if ($partner_users_id != 1 && ($_SESSION['authorization']['permission'] == 3 || $_SESSION['authorization']['permission'] == 4)){ +if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1){ $view_communication = ' '.$button_partner_assigned_communication.''; } //DISPLAY RELATED USERS $view_users =''; -if ($partner_users_id != 1 && ($_SESSION['authorization']['permission'] == 3 || $_SESSION['authorization']['permission'] == 4)){ +if ($partner_users_id != 1 && (isAllowed('users',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1)){ $view_users = ' '.$button_partner_assigned_users.''; } diff --git a/equipments_mass_update.php b/equipments_mass_update.php index 1bbc639..146818b 100644 --- a/equipments_mass_update.php +++ b/equipments_mass_update.php @@ -202,7 +202,9 @@ $view .='
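Review bot: The first replaced line in equipment.php is unbalanced — `(isAllowed('communications',…,'R') === 1){` opens a parenthesis before `isAllowed` that is never closed — so this commit leaves equipment.php unparsable; the `$view_users` line two below shows the intended form. Patch 3 of this series repairs it, but the broken intermediate commit will defeat any bisect, so squash the fix into this one. Separately, the second check uses the scope `users` while the rest of the series consolidates onto `user`; if `users` is the list page's own scope that is fine, otherwise it never matches and the related-users button disappears for everyone.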
'; // SHOW SALESID and SOLDTO ONLY TO ADMIN -if ($_SESSION['authorization']['permission'] == 3 || $_SESSION['authorization']['permission'] == 4){ +$hierarchyLevel = getHierarchyLevel(json_decode($_SESSION['authorization']['partnerhierarchy'])); + +if ($hierarchyLevel == 0 || $hierarchyLevel == 1){ $view .='
'.$salesid_dropdown.' @@ -227,7 +229,7 @@ $view .='
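Review bot: Hiding the salesid/soldto dropdowns behind `if ($hierarchyLevel == 0 || $hierarchyLevel == 1)` is a presentation change only: the POST handler in this same file still copies `$_POST['salesid']` and `$_POST['soldto']` unconditionally (those are the lines patch 5 later removes), so after this commit a level 2+ user can still submit both fields by hand. The server-side guard belongs in the same commit as the UI gate, or the series should be reordered so patch 5 lands first. Deriving the level from the session JSON inline here is fine, but the same expression is now repeated in several pages; a small helper that also handles a null decode result would keep the fail-closed behaviour in one place.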
'; -if ($_SESSION['authorization']['permission'] == 3 || $_SESSION['authorization']['permission'] == 4 ){ +if ($hierarchyLevel == 0 || $hierarchyLevel == 1){ $view .= ' '; } @@ -171,7 +173,7 @@ $view .= '
$view .= '
'; -if ($_SESSION['authorization']['permission'] == 3 || $_SESSION['authorization']['permission'] == 4){ +if ($hierarchyLevel == 0 || $hierarchyLevel == 1){ $view .= ''; $view .= $salesid_dropdown; } diff --git a/user.php b/user.php index 99f621d..54c12d3 100644 --- a/user.php +++ b/user.php @@ -13,6 +13,8 @@ include_once './settings/settings_redirector.php'; //SET ORIGIN FOR NAVIGATION $_SESSION['prev_origin_user'] = $_SERVER['REQUEST_URI']; +$hierarchyLevel = getHierarchyLevel(json_decode($_SESSION['authorization']['partnerhierarchy'])); + $page = 'user'; //Check if allowed if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 0){ @@ -437,10 +439,10 @@ $view .= ' '; -if ($_SESSION['authorization']['permission'] == 3){ +if ($hierarchyLevel == 1){ $view .= ''; } -if ($_SESSION['authorization']['permission'] == 4){ +if ($hierarchyLevel == 0){ $view .= ' '; } @@ -453,7 +455,8 @@ $view .= ' '.($user->settings ?? '-').''; -if ($_SESSION['authorization']['permission'] == 3 || $_SESSION['authorization']['permission'] == 4){ + +if ($hierarchyLevel == 0 || $hierarchyLevel == 1){ $view .= ''; } else { $view .= ''; From b3327f21edf83c29f3dc3034ffd5a84b52381cc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”> Date: Fri, 30 Jan 2026 09:17:54 +0100 Subject: [PATCH 3/5] Refactor user permission handling to utilize hierarchy levels across user credential retrieval and role management. Update permission checks in user_roles.php and enhance session management in index.php for improved security and consistency. --- api/v0/get/user_credentials.php | 2 +- api/v1/get/user_credentials.php | 2 +- api/v2/get/user_credentials.php | 2 +- api/v2/post/user_roles.php | 6 +++--- assets/functions.php | 1 + equipment.php | 2 +- index.php | 15 +++++++++++---- 7 files changed, 19 insertions(+), 11 deletions(-) 
diff --git a/api/v0/get/user_credentials.php b/api/v0/get/user_credentials.php index 6168639..09e202c 100644 --- a/api/v0/get/user_credentials.php +++ b/api/v0/get/user_credentials.php @@ -14,7 +14,6 @@ $stmt->execute([$userkey, $userkey]); $user_data = $stmt->fetch(); //Define User data $partnerhierarchy = $user_data['partnerhierarchy']; -$permission = userRights($user_data['view']); $profile= getUserPermissions($pdo, $user_data['id']); $username = $user_data['username']; $useremail = $user_data['email']; @@ -22,6 +21,7 @@ $servicekey = $user_data['service']; $partner = json_decode($partnerhierarchy); $language = $user_data['language']; $clientsecret = $user_data['userkey']; +$permission = getHierarchyLevel($partner); //upgrade from userrights(view) //Update Lastlogin $logindate = date('Y-m-d H:i:s'); diff --git a/api/v1/get/user_credentials.php b/api/v1/get/user_credentials.php index f7fa705..082436e 100644 --- a/api/v1/get/user_credentials.php +++ b/api/v1/get/user_credentials.php @@ -16,7 +16,6 @@ if ($stmt->rowCount() == 1) { $user_data = $stmt->fetch(); //Define User data $partnerhierarchy = $user_data['partnerhierarchy']; - $permission = userRights($user_data['view']); $profile= getUserPermissions($pdo, $user_data['id']); $username = $user_data['username']; $useremail = $user_data['email']; @@ -24,6 +23,7 @@ if ($stmt->rowCount() == 1) { $language = $user_data['language']; $partner = json_decode($partnerhierarchy); $clientsecret = $user_data['userkey']; + $permission = getHierarchyLevel($partner); //upgrade from userrights(view) //Update Lastlogin $logindate = date('Y-m-d H:i:s'); diff --git a/api/v2/get/user_credentials.php b/api/v2/get/user_credentials.php index d6ccdba..5301ac4 100644 --- a/api/v2/get/user_credentials.php +++ b/api/v2/get/user_credentials.php 
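Review bot: `$permission = getHierarchyLevel($partner)` now derives the privilege integer from the partner hierarchy JSON, and level 0 is the unrestricted level elsewhere in this series; `$partner` is `json_decode($partnerhierarchy)`, which is `null` for an empty or malformed column, so whatever `getHierarchyLevel(null)` returns (not visible here) decides whether a broken hierarchy record becomes an administrator. Make that path fail closed, e.g. reject the credential or assign the lowest level when `$partner === null` before the call. In the v0 variant the hunk context shows `$user_data = $stmt->fetch();` used straight after `execute`, without the `rowCount() == 1` guard the v1/v2 handlers have, so an unknown userkey reaches this line with `$user_data === false` and a null hierarchy. Also confirm that `isAllowed` and `getProfile`, which still receive this value, were updated for the new 0-based scale; the old scale treated 3/4 as admin and no change to either appears in this series.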
@@ -18,7 +18,6 @@ if ($stmt->rowCount() == 1) { $user_data = $stmt->fetch(); //Define User data $partnerhierarchy = $user_data['partnerhierarchy']; - $permission = userRights($user_data['view']); $profile= getUserPermissions($pdo, $user_data['id']); //getProfile($user_data['settings'],$permission); $username = $user_data['username']; $useremail = $user_data['email']; @@ -26,6 +25,7 @@ if ($stmt->rowCount() == 1) { $language = $user_data['language']; $partner = json_decode($partnerhierarchy); $clientsecret = $user_data['userkey']; + $permission = getHierarchyLevel($partner); //upgrade from userrights(view) //Update Lastlogin $logindate = date('Y-m-d H:i:s'); diff --git a/api/v2/post/user_roles.php b/api/v2/post/user_roles.php index da38722..035dff2 100644 --- a/api/v2/post/user_roles.php +++ b/api/v2/post/user_roles.php @@ -55,7 +55,7 @@ $clause_insert = substr($clause_insert, 2); $input_insert = substr($input_insert, 1); //QUERY AND VERIFY ALLOWED -if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U') === 1){ +if ($command == 'update' && isAllowed('user_roles',$profile,$permission,'U') === 1){ $sql = 'UPDATE user_roles SET '.$clause.' WHERE rowID = ?'; $execute_input[] = $id; $stmt = $pdo->prepare($sql); @@ -82,7 +82,7 @@ if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U } } } -elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permission,'C') === 1){ +elseif ($command == 'insert' && isAllowed('user_roles',$profile,$permission,'C') === 1){ $sql = 'INSERT INTO user_roles ('.$clause_insert.') VALUES ('.$input_insert.')'; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); 
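Review bot: The update branch executes `'UPDATE user_roles SET '.$clause.' WHERE rowID = ?'` where `$clause` is assembled by string concatenation above this hunk (the `substr($clause_insert, 2)` / `substr($input_insert, 1)` trims are visible); unless the column names in `$clause` come from a fixed allowlist rather than the request's keys, this is SQL identifier injection even though the values are bound, so please confirm the builder validates keys against a known column list. The bare `WHERE rowID = ?` also means any caller with U on `user_roles` can rewrite any role, including the one that grants that very permission; an explicit check that a caller cannot edit a role more privileged than its own would close that loop.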
@@ -106,7 +106,7 @@ elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permissio } } } -elseif ($command == 'delete' && isAllowed('user_role_manage',$profile,$permission,'D') === 1){ +elseif ($command == 'delete' && isAllowed('user_roles',$profile,$permission,'D') === 1){ //Delete role permissions first (foreign key constraint) $stmt = $pdo->prepare('DELETE FROM role_access_permissions WHERE role_id = ?'); $stmt->execute([$id]); diff --git a/assets/functions.php b/assets/functions.php index 897e2c8..7fb0d5b 100644 --- a/assets/functions.php +++ b/assets/functions.php @@ -1726,6 +1726,7 @@ function getProfile($profile, $permission){ $always_allowed = [ 'com_log' => 'CRU', 'application' => 'CRU', + 'user_roles' => 'R', 'user_role_assignments' => 'R', 'user_permissions' => 'R', 'products_software' => 'R', diff --git a/equipment.php b/equipment.php index 99faeb1..126dc18 100644 --- a/equipment.php +++ b/equipment.php @@ -461,7 +461,7 @@ $shipto_id = explode("-",$partner_data->shipto) ?? ''; $partner_users_id = ($shipto_id[0] != '')? $shipto_id[0] : (($soldto_id[0] != '')? $soldto_id[0] : 1); $view_communication = ''; -if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1){ +if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1)){ $view_communication = ' '.$button_partner_assigned_communication.''; } diff --git a/index.php b/index.php index 0a7f799..34fe8be 100644 --- a/index.php +++ b/index.php 
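Review bot: The delete branch issues `DELETE FROM role_access_permissions WHERE role_id = ?` as the first of what the comment says are several statements, with no transaction visible around them; if the subsequent delete of the role row fails, the role survives with its permissions already gone, which changes what it grants. Wrap the sequence in `$pdo->beginTransaction();` / `$pdo->commit();` with `rollBack()` in a catch. The remainder of the branch is outside this hunk.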
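Review bot: Adding `'user_roles' => 'R'` to `$always_allowed` in getProfile lets every authenticated profile read the role catalogue regardless of assigned permissions; if the v2 GET handler for user_roles returns the role-to-permission mapping as well as names, that hands any user a map of which roles are worth targeting. If the entry exists only so the assignment UI can list role names, consider trimming the GET response to names, or scoping the read to profiles that hold U on `user_role_assignments`. The surrounding array continues outside the hunk.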
@@ -29,16 +29,23 @@ include_once dirname(__FILE__).'/settings/countries.php'; //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ //GET USER PERMISSION ASSIGNED //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -if (!isset($_SESSION['authorization']['id'])){ +if (!isset($_SESSION['authorization']['id']) && isset($_SESSION['authorization']['userkey'])){ $api_url = '/v2/user_permissions/userkey='.$_SESSION['authorization']['userkey']; $responses = ioServer($api_url,''); //Decode Payload if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;} - + //STORE DATA IN SESSION - foreach($responses as $key => $value){ - $_SESSION['authorization'][$key] = $value; + if (is_array($responses) && !isset($responses['error'])) { + foreach($responses as $key => $value){ + $_SESSION['authorization'][$key] = $value; + } + } else { + // API call failed or returned error - redirect to login + session_destroy(); + header('location: login.php'); + die(); } } From 162933affa52d4c42198602355de676a425f4d59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”> Date: Fri, 30 Jan 2026 10:02:45 +0100 Subject: [PATCH 4/5] Refactor geolocation queries to use AND conditions for better accuracy. Update permission checks for equipment management to utilize unified 'equipment' scope. Enhance user role assignment logic to ensure correct username usage. Improve session error handling in login and index files for clearer user feedback. --- api/v1/get/application.php | 4 ++-- api/v1/post/equipments.php | 6 +++--- api/v2/get/application.php | 4 ++-- api/v2/post/equipments.php | 6 +++--- api/v2/post/user_role_assignments.php | 4 ++-- api/v2/post/users.php | 7 +++++++ equipment_manage.php | 2 +- equipments.php | 2 +- index.php | 6 +++--- login.php | 5 +++++ 10 files changed, 29 insertions(+), 17 deletions(-) 
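Review bot: The failure branch calls `session_destroy()` but leaves `$_SESSION` populated for the rest of this request and does not expire the session cookie, so the client keeps presenting the same id; clear both first, `$_SESSION = []; setcookie(session_name(), '', time() - 3600, '/');`, then destroy. The new outer condition `&& isset($_SESSION['authorization']['userkey'])` also means a session with neither `id` nor `userkey` no longer enters the block at all and the page proceeds with empty authorization data; unless a later check in index.php redirects such sessions (not visible here), that case should fall into the same redirect branch. Finally, `is_array($responses) && !isset($responses['error'])` is a negative check: any well-formed JSON array without that key is copied into the session wholesale, so test positively for the keys the application relies on (`id`, `partnerhierarchy`, `permissions`) instead.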
diff --git a/api/v1/get/application.php b/api/v1/get/application.php index 4504962..0a663ff 100644 --- a/api/v1/get/application.php +++ b/api/v1/get/application.php @@ -179,9 +179,9 @@ switch ($action) { case 'geolocation': if ($whereclause == ''){ - $whereclause = 'WHERE geolocation is not null OR geolocation != "["",""]"'; + $whereclause = 'WHERE geolocation is not null AND geolocation != \'["",""]\''; } else { - $whereclause .= ' AND geolocation is not null OR geolocation != "["",""]'; + $whereclause .= ' AND geolocation is not null AND geolocation != \'["",""]\''; } $sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.''; diff --git a/api/v1/post/equipments.php b/api/v1/post/equipments.php index 198012c..1765a60 100644 --- a/api/v1/post/equipments.php +++ b/api/v1/post/equipments.php 
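Review bot: The old `… OR geolocation != "["",""]"` was more than an accuracy bug: with `OR` binding loosest, any restriction already present in `$whereclause` was bypassed for every row whose geolocation was non-empty, so the switch to `AND` is an authorization fix and the commit message should say so for anyone auditing history. Rows whose geolocation is an empty string rather than the `["",""]` sentinel, if any exist, still pass; `AND geolocation NOT IN ('', '["",""]')` would cover both. The identical clause is duplicated in api/v2/get/application.php; a shared helper would keep the two from drifting apart again.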
@@ -217,18 +217,18 @@ $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma $input_insert = substr($input_insert, 1); //Clean clause - remove first comma //QUERY AND VERIFY ALLOWED -if ($command == 'update' && (isAllowed('equipment_manage',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){ +if ($command == 'update' && (isAllowed('equipment',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){ $sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.''; $execute_input[] = $id; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); } -elseif ($command == 'insert' && isAllowed('equipment_manage',$profile,$permission,'C') === 1){ +elseif ($command == 'insert' && isAllowed('equipment',$profile,$permission,'C') === 1){ $sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')'; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); } -elseif ($command == 'delete' && (isAllowed('equipment_manage',$profile,$permission,'D') === 1 || $owner_equipment === 1)){ +elseif ($command == 'delete' && (isAllowed('equipment',$profile,$permission,'D') === 1 || $owner_equipment === 1)){ //delete equipment $stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.''); $stmt->execute([ $id ]); diff --git a/api/v2/get/application.php b/api/v2/get/application.php index dd01c42..7fefbc5 100644 --- a/api/v2/get/application.php +++ b/api/v2/get/application.php 
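Review bot: Renaming the scope key from `equipment_manage` to `equipment` changes which stored grants unlock these branches, and nothing in this series migrates `role_access_permissions` rows keyed on the old name or reviews existing U/C/D grants on `equipment`, which now double as management rights; the page-side checks in equipment_manage.php and equipments.php are renamed the same way, so stale rows simply stop matching. The update and delete statements carry the hierarchy `$whereclause`, but the insert branch has no equivalent: if `$clause_insert` is built from the request body (the builder sits above this hunk), a caller with C on `equipment` can create rows under any salesid/soldto. Validate the inserted partner fields against the caller's hierarchy before the INSERT, or populate them from the session rather than the request.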
@@ -179,9 +179,9 @@ switch ($action) { case 'geolocation': if ($whereclause == ''){ - $whereclause = 'WHERE geolocation is not null OR geolocation != "["",""]"'; + $whereclause = 'WHERE geolocation is not null AND geolocation != \'["",""]\''; } else { - $whereclause .= ' AND geolocation is not null OR geolocation != "["",""]'; + $whereclause .= ' AND geolocation is not null AND geolocation != \'["",""]\''; } $sql = 'SELECT distinct(geolocation) FROM equipment e '.$whereclause.''; diff --git a/api/v2/post/equipments.php b/api/v2/post/equipments.php index 9057ddb..bca84a5 100644 --- a/api/v2/post/equipments.php +++ b/api/v2/post/equipments.php 
@@ -224,18 +224,18 @@ $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma $input_insert = substr($input_insert, 1); //Clean clause - remove first comma //QUERY AND VERIFY ALLOWED -if ($command == 'update' && (isAllowed('equipment_manage',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){ +if ($command == 'update' && (isAllowed('equipment',$profile,$permission,'U') === 1 || isAllowed('equipments_mass_update',$profile,$permission,'U') === 1 || $owner_equipment === 1)){ $sql = 'UPDATE equipment SET '.$clause.' WHERE rowID = ? '.$whereclause.''; $execute_input[] = $id; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); } -elseif ($command == 'insert' && isAllowed('equipment_manage',$profile,$permission,'C') === 1){ +elseif ($command == 'insert' && isAllowed('equipment',$profile,$permission,'C') === 1){ $sql = 'INSERT INTO equipment ('.$clause_insert.') VALUES ('.$input_insert.')'; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); } -elseif ($command == 'delete' && (isAllowed('equipment_manage',$profile,$permission,'D') === 1 || $owner_equipment === 1)){ +elseif ($command == 'delete' && (isAllowed('equipment',$profile,$permission,'D') === 1 || $owner_equipment === 1)){ //delete equipment $stmt = $pdo->prepare('DELETE FROM equipment WHERE rowID = ? '.$whereclause.''); $stmt->execute([ $id ]); diff --git a/api/v2/post/user_role_assignments.php b/api/v2/post/user_role_assignments.php index 06977a0..851ea02 100644 --- a/api/v2/post/user_role_assignments.php +++ b/api/v2/post/user_role_assignments.php 
@@ -48,11 +48,11 @@ if (isset($post_content['batch_update']) && isset($post_content['user_id']) && i if ($existing){ //Reactivate existing assignment $stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 1, assigned_by = ?, assigned_at = ?, updatedby = ?, updated = ? WHERE rowID = ?'); - $stmt->execute([$username, $date, $username, $date, $existing['rowID']]); + $stmt->execute([$username, $date, $username, $date, $$username]); } else { //Create new assignment $stmt = $pdo->prepare('INSERT INTO user_role_assignments (user_id, role_id, is_active, assigned_by, assigned_at, created, createdby) VALUES (?, ?, 1, ?, ?, ?, ?)'); - $stmt->execute([$user_id, $role_id, $username, $date, $date, $userkey]); + $stmt->execute([$user_id, $role_id, $username, $date, $date, $username]); } } } diff --git a/api/v2/post/users.php b/api/v2/post/users.php index 175e8f3..c8c1bc2 100644 --- a/api/v2/post/users.php +++ b/api/v2/post/users.php @@ -266,10 +266,17 @@ elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1 $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); + // Get the new user ID + $new_user_id = $pdo->lastInsertId(); + //STEP 2- Send to user $mail_location = (file_exists($_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php') ? $_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php' : './assets/mail/email_template_new.php'); include_once $mail_location; send_mail($post_content['email'],$subject,$message,'',''); + + // Return the new user ID + $result = json_encode(['id' => (int)$new_user_id], JSON_UNESCAPED_UNICODE); + echo $result; } else { //------------------------------------------ //JSON_ENCODE diff --git a/equipment_manage.php b/equipment_manage.php index c077f6e..8e8f031 100644 --- a/equipment_manage.php +++ b/equipment_manage.php 
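Review bot: In the reactivation branch `$stmt->execute([$username, $date, $username, $date, $$username]);` binds the variable-variable `$$username` — the contents of a variable named after the caller's username, almost certainly undefined — as the `rowID`, replacing the correct `$existing['rowID']`; the UPDATE then matches no row and the assignment is silently left inactive, which is worse than the `$userkey` mix-up this commit set out to fix. Restore `$stmt->execute([$username, $date, $username, $date, $existing['rowID']]);`. Asserting `$stmt->rowCount() === 1` after the UPDATE would have caught this.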
@@ -7,7 +7,7 @@ if (debug && debug_id == $_SESSION['authorization']['id']){ error_reporting(E_ALL); } -$page = 'equipment_manage'; +$page = 'equipment'; $page_edit = 'equipment_manage_edit'; //Check if allowed if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 0){ diff --git a/equipments.php b/equipments.php index 31af2bf..cc999d6 100644 --- a/equipments.php +++ b/equipments.php @@ -22,7 +22,7 @@ if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authori exit; } //PAGE Security -$page_manage = 'equipment_manage'; +$page_manage = 'equipment'; $update_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U'); $delete_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D'); $create_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C'); diff --git a/index.php b/index.php index 34fe8be..7792cb9 100644 --- a/index.php +++ b/index.php @@ -37,14 +37,14 @@ if (!isset($_SESSION['authorization']['id']) && isset($_SESSION['authorization'] if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;} //STORE DATA IN SESSION - if (is_array($responses) && !isset($responses['error'])) { + if (is_array($responses) && !isset($responses['error_code'])) { foreach($responses as $key => $value){ $_SESSION['authorization'][$key] = $value; } } else { - // API call failed or returned error - redirect to login + // API call failed or returned error - redirect to login with error message session_destroy(); - header('location: login.php'); + header('location: login.php?error=session_expired'); die(); } } diff --git a/login.php b/login.php index db5d90b..64c0d34 100644 --- a/login.php +++ b/login.php 
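Review bot: Switching the sentinel from `error` to `error_code` keeps the check negative: any well-formed JSON array lacking that one key is copied into `$_SESSION['authorization']` as trusted data, and the previous commit guessed a different key name, which suggests the API's error shape is not pinned down. Test for what the page actually needs, e.g. `if (is_array($responses) && isset($responses['id'], $responses['partnerhierarchy'])) {`, so an unexpected payload takes the redirect branch. The `session_destroy()` on the failure path still does not clear `$_SESSION` or expire the cookie before redirecting.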
@@ -53,6 +53,11 @@ $username = $password = ''; $username_err = $password_err = ''; $retry = 0; +// Check for error parameter from redirects +if (isset($_GET['error']) && $_GET['error'] === 'session_expired') { + $password_err = $password_err_2 ?? 'Session expired or invalid. Please login again.'; +} + // Process submitted form data if ($_SERVER['REQUEST_METHOD'] === 'POST') { From 2427d40273f583300905039d84779959bbf1b3a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”> Date: Fri, 30 Jan 2026 10:56:34 +0100 Subject: [PATCH 5/5] Update salesid and soldto inclusion based on hierarchy level visibility in mass update form --- equipments_mass_update.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/equipments_mass_update.php b/equipments_mass_update.php index 146818b..565043e 100644 --- a/equipments_mass_update.php +++ b/equipments_mass_update.php @@ -68,8 +68,18 @@ if ($update_allowed === 1){ $output_excel[$val]['productname'] = ${$responses->productname} ?? $responses->productname; $output_excel[$val]['order_ref'] = $_POST['order_ref']; $output_excel[$val]['status'] = $_POST['status']; - $output_excel[$val]['salesid'] = $_POST['salesid']; - $output_excel[$val]['soldto'] = $_POST['soldto']; + + // Only include salesid/soldto if form fields were visible (hierarchy 0-1) + $hierarchyLevel = getHierarchyLevel(json_decode($_SESSION['authorization']['partnerhierarchy'])); + if ($hierarchyLevel == 0 || $hierarchyLevel == 1) { + if (isset($_POST['salesid'])) { + $output_excel[$val]['salesid'] = $_POST['salesid']; + } + if (isset($_POST['soldto'])) { + $output_excel[$val]['soldto'] = $_POST['soldto']; + } + } + if (!empty($_POST['shipto']) || $_POST['shipto'] !=''){ $output_excel[$val]['shipto'] = $_POST['shipto']; }
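Review bot: `$hierarchyLevel = getHierarchyLevel(json_decode($_SESSION['authorization']['partnerhierarchy']));` is evaluated inside the per-row loop that fills `$output_excel[$val]`; the level cannot change between rows, so compute it once before the loop and reuse it. The guard now enforces server-side what patch 2 only hid in the form, which is the right place; `shipto` on the following context line is still taken from the request for every level, so whether a level 2+ user may point equipment at another partner's shipto depends on validation elsewhere — please confirm. The enclosing `if ($update_allowed === 1){` block and the loop begin outside this hunk.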