Refactor user permission handling to utilize hierarchy levels across user credential retrieval and role management. Update permission checks in user_roles.php and enhance session management in index.php for improved security and consistency.

api/v0/get/user_credentials.php

@@ -14,7 +14,6 @@ $stmt->execute([$userkey, $userkey]);
 $user_data = $stmt->fetch();
 //Define User data
 $partnerhierarchy = $user_data['partnerhierarchy'];
-$permission = userRights($user_data['view']);
 $profile= getUserPermissions($pdo, $user_data['id']);
 $username = $user_data['username'];
 $useremail = $user_data['email'];
@@ -22,6 +21,7 @@ $servicekey = $user_data['service'];
 $partner = json_decode($partnerhierarchy);  
 $language = $user_data['language'];
 $clientsecret = $user_data['userkey'];
+$permission = getHierarchyLevel($partner); //upgrade from userrights(view)
 
 //Update Lastlogin
 $logindate = date('Y-m-d H:i:s');

api/v1/get/user_credentials.php

@@ -16,7 +16,6 @@ if ($stmt->rowCount() == 1) {
     $user_data = $stmt->fetch();
     //Define User data
     $partnerhierarchy = $user_data['partnerhierarchy'];
-    $permission = userRights($user_data['view']);
     $profile= getUserPermissions($pdo, $user_data['id']);
     $username = $user_data['username'];
     $useremail = $user_data['email'];
@@ -24,6 +23,7 @@ if ($stmt->rowCount() == 1) {
     $language = $user_data['language'];
     $partner = json_decode($partnerhierarchy);  
     $clientsecret = $user_data['userkey'];
+    $permission = getHierarchyLevel($partner); //upgrade from userrights(view)
 
     //Update Lastlogin
     $logindate = date('Y-m-d H:i:s');

api/v2/get/user_credentials.php

@@ -18,7 +18,6 @@ if ($stmt->rowCount() == 1) {
     $user_data = $stmt->fetch();
     //Define User data
     $partnerhierarchy = $user_data['partnerhierarchy'];
-    $permission = userRights($user_data['view']);
     $profile= getUserPermissions($pdo, $user_data['id']); //getProfile($user_data['settings'],$permission);
     $username = $user_data['username'];
     $useremail = $user_data['email'];
@@ -26,6 +25,7 @@ if ($stmt->rowCount() == 1) {
     $language = $user_data['language'];
     $partner = json_decode($partnerhierarchy);  
     $clientsecret = $user_data['userkey'];
+    $permission = getHierarchyLevel($partner); //upgrade from userrights(view)
 
     //Update Lastlogin
     $logindate = date('Y-m-d H:i:s');

api/v2/post/user_roles.php

@@ -55,7 +55,7 @@ $clause_insert = substr($clause_insert, 2);
 $input_insert = substr($input_insert, 1);
 
 //QUERY AND VERIFY ALLOWED
-if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U') === 1){
+if ($command == 'update' && isAllowed('user_roles',$profile,$permission,'U') === 1){
     $sql = 'UPDATE user_roles SET '.$clause.' WHERE rowID = ?';
     $execute_input[] = $id;
     $stmt = $pdo->prepare($sql);
@@ -82,7 +82,7 @@ if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U
         }
     }
 }
-elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permission,'C') === 1){
+elseif ($command == 'insert' && isAllowed('user_roles',$profile,$permission,'C') === 1){
     $sql = 'INSERT INTO user_roles ('.$clause_insert.') VALUES ('.$input_insert.')';
     $stmt = $pdo->prepare($sql);
     $stmt->execute($execute_input);
@@ -106,7 +106,7 @@ elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permissio
         }
     }
 }
-elseif ($command == 'delete' && isAllowed('user_role_manage',$profile,$permission,'D') === 1){
+elseif ($command == 'delete' && isAllowed('user_roles',$profile,$permission,'D') === 1){
     //Delete role permissions first (foreign key constraint)
     $stmt = $pdo->prepare('DELETE FROM role_access_permissions WHERE role_id = ?');
     $stmt->execute([$id]);

assets/functions.php

@@ -1726,6 +1726,7 @@ function getProfile($profile, $permission){
     $always_allowed = [
         'com_log' => 'CRU',
         'application' => 'CRU',
+        'user_roles' => 'R',
         'user_role_assignments' => 'R',
         'user_permissions' => 'R',
         'products_software' => 'R',

equipment.php

@@ -461,7 +461,7 @@ $shipto_id = explode("-",$partner_data->shipto) ?? '';
 $partner_users_id = ($shipto_id[0] != '')? $shipto_id[0] : (($soldto_id[0] != '')? $soldto_id[0] : 1);
 
 $view_communication = '';
-if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1){
+if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1)){
     $view_communication = ' <a href="index.php?page=communications&partnerid='.$partner_users_id.'" class="btn">'.$button_partner_assigned_communication.'</a>';
 }
 

index.php

@@ -29,7 +29,7 @@ include_once dirname(__FILE__).'/settings/countries.php';
 //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 //GET USER PERMISSION ASSIGNED
 //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-if (!isset($_SESSION['authorization']['id'])){
+if (!isset($_SESSION['authorization']['id']) && isset($_SESSION['authorization']['userkey'])){
 
     $api_url = '/v2/user_permissions/userkey='.$_SESSION['authorization']['userkey'];
     $responses = ioServer($api_url,'');
@@ -37,8 +37,15 @@ if (!isset($_SESSION['authorization']['id'])){
     if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;}
 
     //STORE DATA IN SESSION
-    foreach($responses as $key => $value){
-        $_SESSION['authorization'][$key] = $value;
+    if (is_array($responses) && !isset($responses['error'])) {
+        foreach($responses as $key => $value){
+            $_SESSION['authorization'][$key] = $value;
+        }
+    } else {
+        // API call failed or returned error - redirect to login
+        session_destroy();
+        header('location: login.php');
+        die();
     }
 }