diff --git a/api/v0/get/user_credentials.php b/api/v0/get/user_credentials.php
index 6168639..09e202c 100644
--- a/api/v0/get/user_credentials.php
+++ b/api/v0/get/user_credentials.php
@@ -14,7 +14,6 @@ $stmt->execute([$userkey, $userkey]);
 $user_data = $stmt->fetch();
 //Define User data
 $partnerhierarchy = $user_data['partnerhierarchy'];
-$permission = userRights($user_data['view']);
 $profile= getUserPermissions($pdo, $user_data['id']);
 $username = $user_data['username'];
 $useremail = $user_data['email'];
@@ -22,6 +21,7 @@ $servicekey = $user_data['service'];
 $partner = json_decode($partnerhierarchy);
 $language = $user_data['language'];
 $clientsecret = $user_data['userkey'];
+$permission = getHierarchyLevel($partner); //upgrade from userrights(view)
 //Update Lastlogin
 $logindate = date('Y-m-d H:i:s');
diff --git a/api/v1/get/user_credentials.php b/api/v1/get/user_credentials.php
index f7fa705..082436e 100644
--- a/api/v1/get/user_credentials.php
+++ b/api/v1/get/user_credentials.php
@@ -16,7 +16,6 @@ if ($stmt->rowCount() == 1) {
 $user_data = $stmt->fetch();
 //Define User data
 $partnerhierarchy = $user_data['partnerhierarchy'];
- $permission = userRights($user_data['view']);
 $profile= getUserPermissions($pdo, $user_data['id']);
 $username = $user_data['username'];
 $useremail = $user_data['email'];
@@ -24,6 +23,7 @@ if ($stmt->rowCount() == 1) {
 $language = $user_data['language'];
 $partner = json_decode($partnerhierarchy);
 $clientsecret = $user_data['userkey'];
+ $permission = getHierarchyLevel($partner); //upgrade from userrights(view)
 //Update Lastlogin
 $logindate = date('Y-m-d H:i:s');
diff --git a/api/v2/get/user_credentials.php b/api/v2/get/user_credentials.php
index d6ccdba..5301ac4 100644
--- a/api/v2/get/user_credentials.php
+++ b/api/v2/get/user_credentials.php
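Review bot: The new `$permission = getHierarchyLevel($partner);` line makes the decoded `partnerhierarchy` column the source of the caller's privilege level, but `$partner` comes from a bare `json_decode($partnerhierarchy)` two lines above, which yields `null` on an empty or malformed value, so whatever getHierarchyLevel returns for `null` now decides authorization; getHierarchyLevel is not in the diff, so I cannot tell whether it fails closed. A guard on the new line such as `$permission = ($partner === null) ? <least-privileged level> : getHierarchyLevel($partner);` (using whatever value this codebase treats as the lowest level) would pin that down, and the trailing `//upgrade from userrights(view)` comment should say what the level is now derived from rather than what it replaced, e.g. `// permission level is derived from the partner hierarchy (replaces the legacy view column)`. The same line is added to the v1 and v2 copies of this file, so any fix here has to be applied to all three or, better, factored into one shared helper.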
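Review bot: Deriving `$permission` from `$partner` turns the `partnerhierarchy` column into an authorization input, and nothing in this hunk or elsewhere in the diff shows who is allowed to write that column; if any profile or partner-management endpoint lets a user or partner admin edit their own hierarchy JSON, that user can now pick their own permission level, which the old `view` column presumably did not allow. Before merging I would confirm the column is written only by privileged code paths and record that next to the assignment, e.g. `// SECURITY: partnerhierarchy is an authz input - must only be writable by admin paths`. The enclosing `if ($stmt->rowCount() == 1)` block starts and ends outside the hunk.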
@@ -18,7 +18,6 @@ if ($stmt->rowCount() == 1) {
 $user_data = $stmt->fetch();
 //Define User data
 $partnerhierarchy = $user_data['partnerhierarchy'];
- $permission = userRights($user_data['view']);
 $profile= getUserPermissions($pdo, $user_data['id']); //getProfile($user_data['settings'],$permission);
 $username = $user_data['username'];
 $useremail = $user_data['email'];
@@ -26,6 +25,7 @@ if ($stmt->rowCount() == 1) {
 $language = $user_data['language'];
 $partner = json_decode($partnerhierarchy);
 $clientsecret = $user_data['userkey'];
+ $permission = getHierarchyLevel($partner); //upgrade from userrights(view)
 //Update Lastlogin
 $logindate = date('Y-m-d H:i:s');
diff --git a/api/v2/post/user_roles.php b/api/v2/post/user_roles.php
index da38722..035dff2 100644
--- a/api/v2/post/user_roles.php
+++ b/api/v2/post/user_roles.php
@@ -55,7 +55,7 @@ $clause_insert = substr($clause_insert, 2);
 $input_insert = substr($input_insert, 1);
 //QUERY AND VERIFY ALLOWED
-if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U') === 1){
+if ($command == 'update' && isAllowed('user_roles',$profile,$permission,'U') === 1){
 $sql = 'UPDATE user_roles SET '.$clause.' WHERE rowID = ?';
 $execute_input[] = $id;
 $stmt = $pdo->prepare($sql);
@@ -82,7 +82,7 @@ if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U
 }
 }
 }
-elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permission,'C') === 1){
+elseif ($command == 'insert' && isAllowed('user_roles',$profile,$permission,'C') === 1){
 $sql = 'INSERT INTO user_roles ('.$clause_insert.') VALUES ('.$input_insert.')';
 $stmt = $pdo->prepare($sql);
 $stmt->execute($execute_input);
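Review bot: Renaming the isAllowed resource key from `'user_role_manage'` to `'user_roles'` on the update branch changes which stored grants authorize role management, and nothing in the diff migrates existing `role_access_permissions` rows: a role that today carries `user_role_manage` with U loses the ability to update roles, and a role that already carries `user_roles` with U for some other purpose, if that key was already in use, silently gains it. The same rename is applied to the insert and delete branches further down, so a data migration or a one-time mapping of the old key should ship with this commit, and a comment on the branch such as `// authz key renamed from user_role_manage; existing grants must be migrated` would record why. isAllowed itself is not shown, so whether the new `'user_roles' => 'R'` default added in functions.php can interact with the C/U/D checks here is something to confirm; the `$clause`-built UPDATE is pre-existing context and the if/elseif chain continues past the hunk.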
@@ -106,7 +106,7 @@ elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permissio
 }
 }
 }
-elseif ($command == 'delete' && isAllowed('user_role_manage',$profile,$permission,'D') === 1){
+elseif ($command == 'delete' && isAllowed('user_roles',$profile,$permission,'D') === 1){
 //Delete role permissions first (foreign key constraint)
 $stmt = $pdo->prepare('DELETE FROM role_access_permissions WHERE role_id = ?');
 $stmt->execute([$id]);
diff --git a/assets/functions.php b/assets/functions.php
index 897e2c8..7fb0d5b 100644
--- a/assets/functions.php
+++ b/assets/functions.php
@@ -1726,6 +1726,7 @@ function getProfile($profile, $permission){
 $always_allowed = [
 'com_log' => 'CRU',
 'application' => 'CRU',
+ 'user_roles' => 'R',
 'user_role_assignments' => 'R',
 'user_permissions' => 'R',
 'products_software' => 'R',
diff --git a/equipment.php b/equipment.php
index 99faeb1..126dc18 100644
--- a/equipment.php
+++ b/equipment.php
@@ -461,7 +461,7 @@ $shipto_id = explode("-",$partner_data->shipto) ?? '';
 $partner_users_id = ($shipto_id[0] != '')? $shipto_id[0] : (($soldto_id[0] != '')? $soldto_id[0] : 1);
 $view_communication = '';
-if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1){
+if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1)){
 $view_communication = ' '.$button_partner_assigned_communication.'';
 }
diff --git a/index.php b/index.php
index 0a7f799..34fe8be 100644
--- a/index.php
+++ b/index.php
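Review bot: Adding `'user_roles' => 'R'` to `$always_allowed` in getProfile grants read access on the role resource to every profile that passes through this function, not only to the ones administering roles; what that read exposes depends on the `user_roles` GET handler, which is not in the diff, but if it returns the role-to-permission mapping it lets any authenticated user enumerate which roles hold `user_roles` C/U/D and other sensitive rights, which is useful reconnaissance for privilege escalation. A one-line comment naming the intended consumer would make the grant auditable, e.g. `'user_roles' => 'R', // needed so every user can resolve role names for user_role_assignments`, and the handler should be checked to return only id and name for non-admin callers. getProfile's body continues past the hunk.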
@@ -29,16 +29,23 @@ include_once dirname(__FILE__).'/settings/countries.php';
 //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 //GET USER PERMISSION ASSIGNED
 //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-if (!isset($_SESSION['authorization']['id'])){
+if (!isset($_SESSION['authorization']['id']) && isset($_SESSION['authorization']['userkey'])){
 $api_url = '/v2/user_permissions/userkey='.$_SESSION['authorization']['userkey'];
 $responses = ioServer($api_url,'');
 //Decode Payload
 if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;}
-
+
 //STORE DATA IN SESSION
- foreach($responses as $key => $value){
- $_SESSION['authorization'][$key] = $value;
+ if (is_array($responses) && !isset($responses['error'])) {
+ foreach($responses as $key => $value){
+ $_SESSION['authorization'][$key] = $value;
+ }
+ } else {
+ // API call failed or returned error - redirect to login
+ session_destroy();
+ header('location: login.php');
+ die();
 }
 }
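Review bot: The added `&& isset($_SESSION['authorization']['userkey'])` on the outer `if` means a session that has neither `id` nor `userkey` now skips the whole block and the page continues with no authorization data loaded, while the new `else` branch only destroys the session and redirects when the API call fails; unless a check outside the hunk covers that state, the fail-closed behaviour this commit introduces is missing for the case it is most needed in. I would keep the outer condition on `id` alone and route the missing-userkey case through the same destroy-and-redirect path as the API failure, as sketched below. Two smaller points on the new lines: the redirect-and-`die()` sequence is now needed in two places, so a small local helper would keep them identical, and `!isset($responses['error'])` assumes the API's error envelope uses exactly that key, which nothing in the diff shows.
```php
if (!isset($_SESSION['authorization']['id'])){
    if (!isset($_SESSION['authorization']['userkey'])) {
        // No credential to resolve permissions with: fail closed
        session_destroy();
        header('location: login.php');
        die();
    }
    $api_url = '/v2/user_permissions/userkey='.$_SESSION['authorization']['userkey'];
    // … unchanged: ioServer call, JSON decode, store-or-redirect …
}
```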