Tidying

- Move more things to new permissions system - Deduplicate assets post logic into model - Swap out some "SELECT *" queries when only a couple of rows are actually needed
2024-10-08 23:08:05 +01:00
parent e90200aebe
commit 987cd59764
25 changed files with 188 additions and 220 deletions
@@ -60,7 +60,7 @@ $decryptPW = randomString(160);
                                    <select class="form-control select2" name="client" required>
                                        <option value="0"> ALL CLIENTS </option>
                                        <?php
-                                        $sql = mysqli_query($mysqli, "SELECT * FROM clients ORDER BY client_name ASC");
+                                        $sql = mysqli_query($mysqli, "SELECT client_id, client_name FROM clients WHERE client_archived_at IS NULL ORDER BY client_name ASC");
                                        while ($row = mysqli_fetch_array($sql)) {
                                            $client_id = intval($row['client_id']);
                                            $client_name = nullable_htmlentities($row['client_name']); ?>
@@ -177,7 +177,7 @@ $document_client_visible = intval($row['document_client_visible']);
                </button>
            </h6>
            <?php
-            $sql_contacts = mysqli_query($mysqli, "SELECT * FROM contacts, contact_documents
+            $sql_contacts = mysqli_query($mysqli, "SELECT contacts.contact_id, contact_name FROM contacts, contact_documents
                WHERE contacts.contact_id = contact_documents.contact_id 
                AND contact_documents.document_id = $document_id
                ORDER BY contact_name ASC"
@@ -208,7 +208,7 @@ $document_client_visible = intval($row['document_client_visible']);
                </button>
            </h6>
            <?php
-            $sql_assets = mysqli_query($mysqli, "SELECT * FROM assets, asset_documents
+            $sql_assets = mysqli_query($mysqli, "SELECT assets.asset_id, asset_name FROM assets, asset_documents
                WHERE assets.asset_id = asset_documents.asset_id
                AND asset_documents.document_id = $document_id
                ORDER BY asset_name ASC"
@@ -239,7 +239,7 @@ $document_client_visible = intval($row['document_client_visible']);
                </button>
            </h6>
            <?php
-            $sql_software = mysqli_query($mysqli, "SELECT * FROM software, software_documents
+            $sql_software = mysqli_query($mysqli, "SELECT software.software_id, software_name FROM software, software_documents
                WHERE software.software_id = software_documents.software_id 
                AND software_documents.document_id = $document_id
                ORDER BY software_name ASC"
@@ -270,7 +270,7 @@ $document_client_visible = intval($row['document_client_visible']);
                </button>
            </h6>
            <?php
-            $sql_vendors = mysqli_query($mysqli, "SELECT * FROM vendors, vendor_documents
+            $sql_vendors = mysqli_query($mysqli, "SELECT vendors.vendor_id, vendor_name FROM vendors, vendor_documents
                WHERE vendors.vendor_id = vendor_documents.vendor_id 
                AND vendor_documents.document_id = $document_id
                ORDER BY vendor_name ASC"
@@ -28,7 +28,7 @@
                                    $exclude_condition = "";  // No condition if there are no displayed vendors
                                }
-                                $sql_software_select = mysqli_query($mysqli, "SELECT * FROM software
+                                $sql_software_select = mysqli_query($mysqli, "SELECT software_id, software_name FROM software
                                    WHERE software_client_id = $client_id 
                                    AND software_archived_at IS NULL
                                    $exclude_condition
@@ -28,7 +28,7 @@
                                    $exclude_condition = "";  // No condition if there are no displayed vendors
                                }
-                                $sql_vendors_select = mysqli_query($mysqli, "SELECT * FROM vendors 
+                                $sql_vendors_select = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors 
                                    WHERE vendor_client_id = $client_id 
                                    AND vendor_archived_at IS NULL
                                    $exclude_condition
@@ -28,7 +28,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
        <div class="card-header py-2">
            <h3 class="card-title mt-2"><i class="fa fa-fw fa-stream mr-2"></i>Services</h3>
            <div class="card-tools">
                <?php if (lookupUserPermission("module_services") >= 2) { ?>
                    <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addServiceModal"><i class="fas fa-plus mr-2"></i>New Service</button>
                <?php } ?>
            </div>
        </div>
@@ -121,9 +123,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editServiceModal<?php echo $service_id; ?>">
                                            <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                        </a>
-                                        <?php if ($session_user_role == 3) { ?>
+                                        <?php if (lookupUserPermission("module_credential") >= 3) { ?>
                                            <div class="dropdown-divider"></div>
-                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_service=<?php echo $service_id; ?>">
+                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_service=<?php echo $service_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token']; ?>">
                                                <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                            </a>
                                        <?php } ?>
@@ -10,48 +10,7 @@ if (isset($_POST['add_asset'])) {
    validateCSRFToken($_POST['csrf_token']);
-    $client_id = intval($_POST['client_id']);
+    require_once 'asset_model.php';
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
    $type = sanitizeInput($_POST['type']);
    $make = sanitizeInput($_POST['make']);
    $model = sanitizeInput($_POST['model']);
    $serial = sanitizeInput($_POST['serial']);
    $os = sanitizeInput($_POST['os']);
    $ip = sanitizeInput($_POST['ip']);
    if($_POST['dhcp'] == 1){
        $ip = 'DHCP';
    }
    $ipv6 = sanitizeInput($_POST['ipv6']);
    $nat_ip = sanitizeInput($_POST['nat_ip']);
    $mac = sanitizeInput($_POST['mac']);
    $uri = sanitizeInput($_POST['uri']);
    $uri_2 = sanitizeInput($_POST['uri_2']);
    $status = sanitizeInput($_POST['status']);
    $location = intval($_POST['location']);
    $physical_location = sanitizeInput($_POST['physical_location']);
    $vendor = intval($_POST['vendor']);
    $contact = intval($_POST['contact']);
    $network = intval($_POST['network']);
    $purchase_date = sanitizeInput($_POST['purchase_date']);
    if (empty($purchase_date)) {
        $purchase_date = "NULL";
    } else {
        $purchase_date = "'" . $purchase_date . "'";
    }
    $warranty_expire = sanitizeInput($_POST['warranty_expire']);
    if (empty($warranty_expire)) {
        $warranty_expire = "NULL";
    } else {
        $warranty_expire = "'" . $warranty_expire . "'";
    }
    $install_date = sanitizeInput($_POST['install_date']);
    if (empty($install_date)) {
        $install_date = "NULL";
    } else {
        $install_date = "'" . $install_date . "'";
    }
    $notes = sanitizeInput($_POST['notes']);
    $alert_extended = "";
@@ -111,49 +70,8 @@ if (isset($_POST['edit_asset'])) {
    validateCSRFToken($_POST['csrf_token']);
    require_once 'asset_model.php';
    $asset_id = intval($_POST['asset_id']);
    $client_id = intval($_POST['client_id']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
    $type = sanitizeInput($_POST['type']);
    $make = sanitizeInput($_POST['make']);
    $model = sanitizeInput($_POST['model']);
    $serial = sanitizeInput($_POST['serial']);
    $os = sanitizeInput($_POST['os']);
    $ip = sanitizeInput($_POST['ip']);
    if($_POST['dhcp'] == 1){
        $ip = 'DHCP';
    }
    $ipv6 = sanitizeInput($_POST['ipv6']);
    $nat_ip = sanitizeInput($_POST['nat_ip']);
    $mac = sanitizeInput($_POST['mac']);
    $uri = sanitizeInput($_POST['uri']);
    $uri_2 = sanitizeInput($_POST['uri_2']);
    $status = sanitizeInput($_POST['status']);
    $location = intval($_POST['location']);
    $physical_location = sanitizeInput($_POST['physical_location']);
    $vendor = intval($_POST['vendor']);
    $contact = intval($_POST['contact']);
    $network = intval($_POST['network']);
    $purchase_date = sanitizeInput($_POST['purchase_date']);
    if (empty($purchase_date)) {
        $purchase_date = "NULL";
    } else {
        $purchase_date = "'" . $purchase_date . "'";
    }
    $warranty_expire = sanitizeInput($_POST['warranty_expire']);
    if (empty($warranty_expire)) {
        $warranty_expire = "NULL";
    } else {
        $warranty_expire = "'" . $warranty_expire . "'";
    }
    $install_date = sanitizeInput($_POST['install_date']);
    if (empty($install_date)) {
        $install_date = "NULL";
    } else {
        $install_date = "'" . $install_date . "'";
    }
    $notes = sanitizeInput($_POST['notes']);
    // Get Existing Photo
    $sql = mysqli_query($mysqli,"SELECT asset_photo FROM assets WHERE asset_id = $asset_id");
@@ -734,7 +652,10 @@ if (isset($_POST['add_asset_interface'])) {
    validateCSRFToken($_POST['csrf_token']);
    // Interface info
    $interface_id = intval($_POST['interface_id']);
    $asset_id = intval($_POST['asset_id']);
    require_once 'asset_interface_model.php';
    // Get Asset Name and Client ID for logging and alert message
    $sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
@@ -742,17 +663,6 @@ if (isset($_POST['add_asset_interface'])) {
    $asset_name = sanitizeInput($row['asset_name']);
    $client_id = intval($row['asset_client_id']);
    $name = sanitizeInput($_POST['name']);
    $mac = sanitizeInput($_POST['mac']);
    $ip = sanitizeInput($_POST['ip']);
    if($_POST['dhcp'] == 1){
        $ip = 'DHCP';
    }
    $ipv6 = sanitizeInput($_POST['ipv6']);
    $port = sanitizeInput($_POST['port']);
    $network = intval($_POST['network']);
    $notes = sanitizeInput($_POST['notes']);
    mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = '$name', interface_mac = '$mac', interface_ip = '$ip', interface_ipv6 = '$ipv6', interface_port = '$port', interface_notes = '$notes', interface_network_id = $network, interface_asset_id = $asset_id");
    $interface_id = mysqli_insert_id($mysqli);
@@ -772,7 +682,9 @@ if (isset($_POST['edit_asset_interface'])) {
    validateCSRFToken($_POST['csrf_token']);
    // Interface info
    $interface_id = intval($_POST['interface_id']);
    require_once 'asset_interface_model.php';
    // Get Asset Name and Client ID for logging and alert message
    $sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id, asset_id FROM asset_interfaces LEFT JOIN assets ON asset_id = interface_asset_id WHERE interface_id = $interface_id");
@@ -781,17 +693,6 @@ if (isset($_POST['edit_asset_interface'])) {
    $asset_name = sanitizeInput($row['asset_name']);
    $client_id = intval($row['asset_client_id']);
    $name = sanitizeInput($_POST['name']);
    $mac = sanitizeInput($_POST['mac']);
    $ip = sanitizeInput($_POST['ip']);
    if($_POST['dhcp'] == 1){
        $ip = 'DHCP';
    }
    $ipv6 = sanitizeInput($_POST['ipv6']);
    $port = sanitizeInput($_POST['port']);
    $network = intval($_POST['network']);
    $notes = sanitizeInput($_POST['notes']);
    mysqli_query($mysqli,"UPDATE asset_interfaces SET interface_name = '$name', interface_mac = '$mac', interface_ip = '$ip', interface_ipv6 = '$ipv6', interface_port = '$port', interface_notes = '$notes', interface_network_id = $network WHERE interface_id = $interface_id");
    //Logging
@@ -0,0 +1,11 @@
 <?php
 $name = sanitizeInput($_POST['name']);
 $mac = sanitizeInput($_POST['mac']);
 $ip = sanitizeInput($_POST['ip']);
 if ($_POST['dhcp'] == 1){
    $ip = 'DHCP';
 }
 $ipv6 = sanitizeInput($_POST['ipv6']);
 $port = sanitizeInput($_POST['port']);
 $network = intval($_POST['network']);
 $notes = sanitizeInput($_POST['notes']);
@@ -0,0 +1,43 @@
 <?php
 $name = sanitizeInput($_POST['name']);
 $description = sanitizeInput($_POST['description']);
 $type = sanitizeInput($_POST['type']);
 $make = sanitizeInput($_POST['make']);
 $model = sanitizeInput($_POST['model']);
 $serial = sanitizeInput($_POST['serial']);
 $os = sanitizeInput($_POST['os']);
 $ip = sanitizeInput($_POST['ip']);
 if ($_POST['dhcp'] == 1) {
    $ip = 'DHCP';
 }
 $ipv6 = sanitizeInput($_POST['ipv6']);
 $nat_ip = sanitizeInput($_POST['nat_ip']);
 $mac = sanitizeInput($_POST['mac']);
 $uri = sanitizeInput($_POST['uri']);
 $uri_2 = sanitizeInput($_POST['uri_2']);
 $status = sanitizeInput($_POST['status']);
 $location = intval($_POST['location']);
 $physical_location = sanitizeInput($_POST['physical_location']);
 $vendor = intval($_POST['vendor']);
 $contact = intval($_POST['contact']);
 $network = intval($_POST['network']);
 $purchase_date = sanitizeInput($_POST['purchase_date']);
 if (empty($purchase_date)) {
    $purchase_date = "NULL";
 } else {
    $purchase_date = "'" . $purchase_date . "'";
 }
 $warranty_expire = sanitizeInput($_POST['warranty_expire']);
 if (empty($warranty_expire)) {
    $warranty_expire = "NULL";
 } else {
    $warranty_expire = "'" . $warranty_expire . "'";
 }
 $install_date = sanitizeInput($_POST['install_date']);
 if (empty($install_date)) {
    $install_date = "NULL";
 } else {
    $install_date = "'" . $install_date . "'";
 }
 $notes = sanitizeInput($_POST['notes']);
 $client_id = intval($_POST['client_id']);
@@ -158,7 +158,7 @@ if (isset($_POST['export_client_certificates_csv'])) {
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -159,7 +159,7 @@ if (isset($_GET['archive_client'])) {
    $client_id = intval($_GET['archive_client']);
    // Get Client Name
-    $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli, "SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = sanitizeInput($row['client_name']);
@@ -6,7 +6,7 @@
 if (isset($_POST['add_contact'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    require_once 'post/user/contact_model.php';
@@ -67,7 +67,7 @@ if (isset($_POST['add_contact'])) {
 if (isset($_POST['edit_contact'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    require_once 'post/user/contact_model.php';
@@ -184,7 +184,7 @@ if (isset($_POST['edit_contact'])) {
 if (isset($_POST['bulk_assign_contact_location'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    $location_id = intval($_POST['bulk_location_id']);
@@ -223,7 +223,7 @@ if (isset($_POST['bulk_assign_contact_location'])) {
 if (isset($_POST['bulk_edit_contact_phone'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    $phone = preg_replace("/[^0-9]/", '', $_POST['bulk_phone']);
@@ -257,7 +257,7 @@ if (isset($_POST['bulk_edit_contact_phone'])) {
 if (isset($_POST['bulk_edit_contact_department'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    $department = sanitizeInput($_POST['bulk_department']);
@@ -291,7 +291,7 @@ if (isset($_POST['bulk_edit_contact_department'])) {
 if (isset($_POST['bulk_edit_contact_role'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    $contact_important = intval($_POST['bulk_contact_important']);
    $contact_billing = intval($_POST['bulk_contact_billing']);
@@ -329,7 +329,7 @@ if (isset($_POST['bulk_edit_contact_role'])) {
 if (isset($_POST['bulk_assign_contact_tags'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    // Get Selected Contacts Count
    $count = count($_POST['contact_ids']);
@@ -373,7 +373,9 @@ if (isset($_POST['bulk_assign_contact_tags'])) {
 }
 if (isset($_POST['bulk_archive_contacts'])) {
-    validateAdminRole();
+
    enforceUserPermission('module_client', 2);
    //validateCSRFToken($_POST['csrf_token']);
    $count = 0; // Default 0
@@ -416,7 +418,8 @@ if (isset($_POST['bulk_archive_contacts'])) {
 }
 if (isset($_POST['bulk_unarchive_contacts'])) {
-    validateAdminRole();
+
    enforceUserPermission('module_client', 2);
    //validateCSRFToken($_POST['csrf_token']);
    $count = 0; // Default 0
@@ -455,7 +458,8 @@ if (isset($_POST['bulk_unarchive_contacts'])) {
 }
 if (isset($_POST['bulk_delete_contacts'])) {
-    validateAdminRole();
+
    enforceUserPermission('module_client', 3);
    validateCSRFToken($_POST['csrf_token']);
    $count = 0; // Default 0
@@ -500,7 +504,7 @@ if (isset($_POST['bulk_delete_contacts'])) {
 if (isset($_GET['anonymize_contact'])) {
-    validateAdminRole();
+    enforceUserPermission('module_client', 3);
    $contact_id = intval($_GET['anonymize_contact']);
@@ -595,7 +599,7 @@ if (isset($_GET['anonymize_contact'])) {
 if (isset($_GET['archive_contact'])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    $contact_id = intval($_GET['archive_contact']);
@@ -641,7 +645,7 @@ if (isset($_GET['unarchive_contact'])) {
 }
 if (isset($_GET['delete_contact'])) {
-    validateAdminRole();
+    enforceUserPermission('module_client', 3);
    $contact_id = intval($_GET['delete_contact']);
@@ -671,10 +675,13 @@ if (isset($_GET['delete_contact'])) {
 }
 if (isset($_POST['export_client_contacts_csv'])) {
    enforceUserPermission('module_client');
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -721,7 +728,7 @@ if (isset($_POST['export_client_contacts_csv'])) {
 if (isset($_POST["import_client_contacts_csv"])) {
-    validateTechRole();
+    enforceUserPermission('module_client', 2);
    $client_id = intval($_POST['client_id']);
    $file_name = $_FILES["file"]["tmp_name"];
@@ -6,16 +6,9 @@
 if (isset($_POST['add_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
-    $client_id = intval($_POST['client_id']);
+    require_once 'document_model.php';
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
    $content = mysqli_real_escape_string($mysqli,$_POST['content']);
    $content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
    // Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
    $folder = intval($_POST['folder']);
    // Document add query
    $add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_template = 0, document_folder_id = $folder, document_created_by = $session_user_id, document_client_id = $client_id");
@@ -36,7 +29,7 @@ if (isset($_POST['add_document'])) {
 if (isset($_POST['add_document_from_template'])) {
    // ROLE Check
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    // GET POST Data
    $client_id = intval($_POST['client_id']);
@@ -73,18 +66,12 @@ if (isset($_POST['add_document_from_template'])) {
 if (isset($_POST['edit_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    require_once 'document_model.php';
    $document_id = intval($_POST['document_id']);
    $document_created_by = intval($_POST['created_by']);
    $document_parent = intval($_POST['document_parent']);
    $client_id = intval($_POST['client_id']);
    $name = sanitizeInput($_POST['name']);
    $description = sanitizeInput($_POST['description']);
    $content = mysqli_real_escape_string($mysqli,$_POST['content']);
    $content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
    // Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
    $folder = intval($_POST['folder']);
    // Document add query
    mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_template = 0, document_folder_id = $folder, document_created_by = $document_created_by, document_updated_by = $session_user_id, document_client_id = $client_id");
@@ -127,7 +114,7 @@ if (isset($_POST['edit_document'])) {
 if (isset($_POST['move_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $document_id = intval($_POST['document_id']);
    $client_id = intval($_POST['client_id']);
@@ -148,7 +135,7 @@ if (isset($_POST['move_document'])) {
 if (isset($_POST['rename_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $document_id = intval($_POST['document_id']);
    $client_id = intval($_POST['client_id']);
@@ -169,7 +156,7 @@ if (isset($_POST['rename_document'])) {
 if (isset($_POST['bulk_move_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $folder_id = intval($_POST['bulk_folder_id']);
@@ -207,7 +194,7 @@ if (isset($_POST['bulk_move_document'])) {
 if (isset($_POST['link_file_to_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $document_id = intval($_POST['document_id']);
@@ -227,7 +214,8 @@ if (isset($_POST['link_file_to_document'])) {
 if (isset($_GET['unlink_file_from_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $file_id = intval($_GET['file_id']);
    $document_id = intval($_GET['document_id']);
@@ -244,7 +232,7 @@ if (isset($_GET['unlink_file_from_document'])) {
 if (isset($_POST['link_vendor_to_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $document_id = intval($_POST['document_id']);
@@ -264,7 +252,8 @@ if (isset($_POST['link_vendor_to_document'])) {
 if (isset($_GET['unlink_vendor_from_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $vendor_id = intval($_GET['vendor_id']);
    $document_id = intval($_GET['document_id']);
@@ -281,7 +270,7 @@ if (isset($_GET['unlink_vendor_from_document'])) {
 if (isset($_POST['link_contact_to_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $document_id = intval($_POST['document_id']);
@@ -301,7 +290,8 @@ if (isset($_POST['link_contact_to_document'])) {
 if (isset($_GET['unlink_contact_from_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $contact_id = intval($_GET['contact_id']);
    $document_id = intval($_GET['document_id']);
@@ -318,7 +308,7 @@ if (isset($_GET['unlink_contact_from_document'])) {
 if (isset($_POST['link_asset_to_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $document_id = intval($_POST['document_id']);
@@ -338,7 +328,8 @@ if (isset($_POST['link_asset_to_document'])) {
 if (isset($_GET['unlink_asset_from_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $asset_id = intval($_GET['asset_id']);
    $document_id = intval($_GET['document_id']);
@@ -355,7 +346,7 @@ if (isset($_GET['unlink_asset_from_document'])) {
 if (isset($_POST['link_software_to_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $document_id = intval($_POST['document_id']);
@@ -375,7 +366,8 @@ if (isset($_POST['link_software_to_document'])) {
 if (isset($_GET['unlink_software_from_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $software_id = intval($_GET['software_id']);
    $document_id = intval($_GET['document_id']);
@@ -392,7 +384,7 @@ if (isset($_GET['unlink_software_from_document'])) {
 if (isset($_POST['edit_document_template'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $document_id = intval($_POST['document_id']);
    $name = sanitizeInput($_POST['name']);
@@ -415,7 +407,8 @@ if (isset($_POST['edit_document_template'])) {
 }
 if (isset($_POST['document_visible'])) {
-    validateTechRole();
+
    enforceUserPermission('module_support', 2);
    $document_id = intval($_POST['document_id']);
    $document_visible = intval($_POST['document_visible']);
@@ -433,7 +426,7 @@ if (isset($_POST['document_visible'])) {
 if (isset($_GET['archive_document'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $document_id = intval($_GET['archive_document']);
@@ -476,7 +469,7 @@ if (isset($_GET['archive_document'])) {
 if (isset($_GET['delete_document_version'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    $document_id = intval($_GET['delete_document_version']);
@@ -518,7 +511,7 @@ if (isset($_GET['delete_document_version'])) {
 if (isset($_GET['delete_document'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    $document_id = intval($_GET['delete_document']);
@@ -0,0 +1,8 @@
 <?php
 $client_id = intval($_POST['client_id']);
 $name = sanitizeInput($_POST['name']);
 $folder = intval($_POST['folder']);
 $description = sanitizeInput($_POST['description']);
 $content = mysqli_real_escape_string($mysqli,$_POST['content']);
 $content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
 // Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
@@ -6,18 +6,11 @@
 if (isset($_POST['add_domain'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
-    $client_id = intval($_POST['client_id']);
+    require_once 'domain_model.php';
    $name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
    $description = sanitizeInput($_POST['description']);
    $registrar = intval($_POST['registrar']);
    $dnshost = intval($_POST['dnshost']);
    $webhost = intval($_POST['webhost']);
    $mailhost = intval($_POST['mailhost']);
    $extended_log_description = '';
-    $expire = sanitizeInput($_POST['expire']);
+    $client_id = intval($_POST['client_id']);
    $notes = sanitizeInput($_POST['notes']);
    // Set/check/lookup expiry date
    if (strtotime($expire)) {
@@ -68,17 +61,11 @@ if (isset($_POST['add_domain'])) {
 if (isset($_POST['edit_domain'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    require_once 'domain_model.php';
    $domain_id = intval($_POST['domain_id']);
-    $name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
+
    $description = sanitizeInput($_POST['description']);
    $registrar = intval($_POST['registrar']);
    $dnshost = intval($_POST['dnshost']);
    $webhost = intval($_POST['webhost']);
    $mailhost = intval($_POST['mailhost']);
    $expire = sanitizeInput($_POST['expire']);
    $notes = sanitizeInput($_POST['notes']);
 //    if (empty($expire) || (new DateTime($expire)) < (new DateTime())) {
 //        // Update domain expiry date
@@ -120,6 +107,9 @@ if (isset($_POST['edit_domain'])) {
 }
 if (isset($_GET['archive_domain'])) {
    enforceUserPermission('module_support', 2);
    $domain_id = intval($_GET['archive_domain']);
    //Get domain Name
@@ -141,6 +131,8 @@ if (isset($_GET['archive_domain'])) {
 if(isset($_GET['unarchive_domain'])){
    enforceUserPermission('module_support', 2);
    $domain_id = intval($_GET['unarchive_domain']);
    // Get Name and Client ID for logging and alert message
@@ -161,7 +153,7 @@ if(isset($_GET['unarchive_domain'])){
 if (isset($_GET['delete_domain'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    $domain_id = intval($_GET['delete_domain']);
@@ -184,7 +176,7 @@ if (isset($_GET['delete_domain'])) {
 }
 if (isset($_POST['bulk_archive_domains'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    validateCSRFToken($_POST['csrf_token']);
    $count = 0; // Default 0
@@ -222,7 +214,7 @@ if (isset($_POST['bulk_archive_domains'])) {
 }
 if (isset($_POST['bulk_unarchive_domains'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    validateCSRFToken($_POST['csrf_token']);
    $count = 0; // Default 0
@@ -261,7 +253,7 @@ if (isset($_POST['bulk_unarchive_domains'])) {
 }
 if (isset($_POST['bulk_delete_domains'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    validateCSRFToken($_POST['csrf_token']);
    $count = 0; // Default 0
@@ -292,12 +284,12 @@ if (isset($_POST['bulk_delete_domains'])) {
 if (isset($_POST['export_client_domains_csv'])) {
-    validateTechRole();
+    enforceUserPermission('module_support');
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -0,0 +1,10 @@
 <?php
 $name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
 $description = sanitizeInput($_POST['description']);
 $registrar = intval($_POST['registrar']);
 $dnshost = intval($_POST['dnshost']);
 $webhost = intval($_POST['webhost']);
 $mailhost = intval($_POST['mailhost']);
 $expire = sanitizeInput($_POST['expire']);
 $notes = sanitizeInput($_POST['notes']);
@@ -8,7 +8,6 @@ if (isset($_POST['add_expense'])) {
    require_once 'post/user/expense_model.php';
    mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference'");
    $expense_id = mysqli_insert_id($mysqli);
@@ -1227,7 +1227,7 @@ if (isset($_POST['export_client_invoices_csv'])) {
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -1319,7 +1319,7 @@ if (isset($_POST['export_client_recurring_csv'])) {
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -1360,7 +1360,7 @@ if (isset($_POST['export_client_payments_csv'])) {
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -6,7 +6,7 @@
 if (isset($_POST['add_network'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    require_once 'post/user/network_model.php';
@@ -25,10 +25,9 @@ if (isset($_POST['add_network'])) {
 if (isset($_POST['edit_network'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $network_id = intval($_POST['network_id']);
    require_once 'post/user/network_model.php';
    mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id");
@@ -44,7 +43,7 @@ if (isset($_POST['edit_network'])) {
 if (isset($_GET['archive_network'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $network_id = intval($_GET['archive_network']);
@@ -67,7 +66,7 @@ if (isset($_GET['archive_network'])) {
 }
 if (isset($_GET['delete_network'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    $network_id = intval($_GET['delete_network']);
@@ -90,7 +89,7 @@ if (isset($_GET['delete_network'])) {
 }
 if (isset($_POST['bulk_delete_networks'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    validateCSRFToken($_POST['csrf_token']);
    $count = 0; // Default 0
@@ -121,12 +120,12 @@ if (isset($_POST['bulk_delete_networks'])) {
 if (isset($_POST['export_client_networks_csv'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -464,7 +464,7 @@ if(isset($_POST['export_client_quotes_csv'])){
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -6,7 +6,7 @@
 if (isset($_POST['add_service'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $service_name = sanitizeInput($_POST['name']);
@@ -108,7 +108,7 @@ if (isset($_POST['add_service'])) {
 if (isset($_POST['edit_service'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $service_id = intval($_POST['service_id']);
@@ -212,7 +212,8 @@ if (isset($_POST['edit_service'])) {
 if (isset($_GET['delete_service'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    validateCSRFToken($_GET['csrf_token']);
    $service_id = intval($_GET['delete_service']);
@@ -7,6 +7,8 @@
 if (isset($_POST['add_software_from_template'])) {
    enforceUserPermission('module_support', 2);
    // GET POST Data
    $client_id = intval($_POST['client_id']);
    $software_template_id = intval($_POST['software_template_id']);
@@ -37,7 +39,7 @@ if (isset($_POST['add_software_from_template'])) {
 if (isset($_POST['add_software'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $client_id = intval($_POST['client_id']);
    $name = sanitizeInput($_POST['name']);
@@ -95,7 +97,7 @@ if (isset($_POST['add_software'])) {
 if (isset($_POST['edit_software'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $software_id = intval($_POST['software_id']);
    $client_id = intval($_POST['client_id']);
@@ -153,7 +155,7 @@ if (isset($_POST['edit_software'])) {
 if (isset($_GET['archive_software'])) {
-    validateTechRole();
+    enforceUserPermission('module_support', 2);
    $software_id = intval($_GET['archive_software']);
@@ -181,7 +183,7 @@ if (isset($_GET['archive_software'])) {
 if (isset($_GET['delete_software'])) {
-    validateAdminRole();
+    enforceUserPermission('module_support', 3);
    $software_id = intval($_GET['delete_software']);
@@ -209,12 +211,12 @@ if (isset($_GET['delete_software'])) {
 if (isset($_POST['export_client_software_csv'])) {
-    validateTechRole();
+    enforceUserPermission('module_support');
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -109,7 +109,7 @@ if (isset($_POST['export_client_trips_csv'])) {
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -283,7 +283,7 @@ if (isset($_POST['export_client_vendors_csv'])) {
    $client_id = intval($_POST['client_id']);
    //get records from database
-    $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
+    $sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
    $row = mysqli_fetch_array($sql);
    $client_name = $row['client_name'];
@@ -18,7 +18,7 @@
                        <select class="form-control select2" name="assign_to">
                            <option value="0">Not Assigned</option>
                            <?php
-                            $sql_users_select = mysqli_query($mysqli, "SELECT * FROM users 
+                            $sql_users_select = mysqli_query($mysqli, "SELECT users.user_id, user_name FROM users 
                                LEFT JOIN user_settings on users.user_id = user_settings.user_id
                                WHERE user_role > 1
                                AND user_status = 1
@@ -83,7 +83,7 @@
                                            <select class="form-control select2" name="category">
                                                <option value="">- Ticket Category -</option>
                                                <?php
-                                                $sql_categories = mysqli_query($mysqli, "SELECT * FROM categories WHERE category_type = 'Ticket' AND categories.category_archived_at IS NULL");
+                                                $sql_categories = mysqli_query($mysqli, "SELECT category_id, category_name FROM categories WHERE category_type = 'Ticket' AND category_archived_at IS NULL");
                                                while ($row = mysqli_fetch_array($sql_categories)) {
                                                    $category_id = intval($row['category_id']);
                                                    $category_name = nullable_htmlentities($row['category_name']);