Rights and security audit

contacts.php

@@ -14,30 +14,33 @@
 		exit;
 	}
 
+	$formfix="";
 	if(isset($_REQUEST['contactid']) && ($_REQUEST['contactid']>0)) {
-		$contact->ContactID = $_REQUEST['contactid'];
-		$contact->GetContactByID( $facDB );
+		$contact->ContactID=(isset($_POST['contactid']) ? $_POST['contactid'] : $_GET['contactid']);
+		$contact->GetContactByID($facDB);
+
+		$formfix="?contactid=$contact->ContactID";
 	}
 
-	if(isset($_REQUEST['action']) && (($_REQUEST['action']=='Create') || ($_REQUEST['action']=='Update'))){
-		$contact->ContactID = $_REQUEST['contactid'];
-		$contact->UserID = $_REQUEST['UserID'];
-		$contact->LastName = $_REQUEST['lastname'];
-		$contact->FirstName = $_REQUEST['firstname'];
-		$contact->Phone1 = $_REQUEST['phone1'];
-		$contact->Phone2 = $_REQUEST['phone2'];
-		$contact->Phone3 = $_REQUEST['phone3'];
-		$contact->Email = $_REQUEST['email'];
+	if(isset($_POST['action']) && (($_POST['action']=='Create') || ($_POST['action']=='Update'))){
+		$contact->ContactID=$_POST['contactid'];
+		$contact->UserID=$_POST['UserID'];
+		$contact->LastName=$_POST['lastname'];
+		$contact->FirstName=$_POST['firstname'];
+		$contact->Phone1=$_POST['phone1'];
+		$contact->Phone2=$_POST['phone2'];
+		$contact->Phone3=$_POST['phone3'];
+		$contact->Email=$_POST['email'];
 
-		if($_REQUEST['action'] == 'Create'){
+		if($_POST['action'] == 'Create'){
 			if($contact->LastName != null && $contact->LastName != ''){
   				$contact->CreateContact($facDB);
 			}
 		}else{
-			$contact->UpdateContact( $facDB );
+			$contact->UpdateContact($facDB);
 		}
 	}
-	$contactList = $contact->GetContactList( $facDB );
+	$contactList=$contact->GetContactList($facDB);
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html>
@@ -61,18 +64,16 @@
 <h2><?php print $config->ParameterArray['OrgName']; ?></h2>
 <h3>Data Center Contact Detail</h3>
 <div class="center"><div>
-<form action="<?php print $_SERVER['PHP_SELF']; ?>" method="POST">
+<form action="<?php print $_SERVER['PHP_SELF'].$formfix; ?>" method="POST">
 <div class="table">
 <div>
    <div><label for="contactid">Contact</label></div>
    <div><input type="hidden" name="action" value="query"><select name="contactid" id="contactid" onChange="form.submit()">
    <option value=0>New Contact</option>
 <?php
 	foreach($contactList as $contactRow ) {
-		//print "<option value=\"$contactRow->ContactID\" selected>$contactRow->LastName, $contactRow->FirstName</option>";
-		print "<option value=\"$contactRow->ContactID\"";
-		if($contact->ContactID == $contactRow->ContactID){print ' selected="selected"';}
-		print ">$contactRow->LastName, $contactRow->FirstName</option>";
+		if($contact->ContactID == $contactRow->ContactID){$selected=' selected="selected"';}else{$selected='';}
+		print "<option value=\"$contactRow->ContactID\"$selected>$contactRow->LastName, $contactRow->FirstName</option>";
 	}
 ?>
 	</select></div>

customers.inc.php

@@ -207,23 +207,23 @@ function AssignContacts( $MemberList, $db ) {
 
     if ( is_array( $MemberList ) ) {
       foreach( $MemberList as $ContactID ) {
-  			$insertSQL = "insert into fac_DeptContacts set DeptID=\"" . intval($this->DeptID) . "\", ContactID=\"" . $ContactID . "\"";
+  			$insertSQL = "insert into fac_DeptContacts set DeptID=\"" . intval($this->DeptID) . "\", ContactID=\"" . intval($ContactID) . "\"";
 
   			mysql_query( $insertSQL, $db );
   		}
   	}
 	}
 
-	function GetDepartmentByContact( $VUnetID, $db ) {
-	 $searchSQL = "select a.* from fac_Department a, fac_DeptContacts b, fac_Contact c where a.DeptID=b.DeptID and b.ContactID=c.ContactID and c.UserID=\"" . $VUnetID . "\"";
+	function GetDepartmentByContact($UserID,$db){
+		$searchSQL="select a.* from fac_Department a, fac_DeptContacts b, fac_Contact c where a.DeptID=b.DeptID and b.ContactID=c.ContactID and c.UserID=\"".addslashes($UserID)."\"";
 
-   // If someone is assigned to more than one department, just return the first hit
-   if ( $result = mysql_query( $searchSQL, $db ) ) {
-	   $deptRow = mysql_fetch_array( $result );
-
-	   $this->DeptID = $deptRow["DeptID"];
-	   $this->GetDeptByID( $db );
-	  }
+		// If someone is assigned to more than one department, just return the first hit
+		if($result=mysql_query($searchSQL,$db)){
+			$deptRow=mysql_fetch_array($result);
+				   
+			$this->DeptID=$deptRow["DeptID"];
+			$this->GetDeptByID($db);
+		}
 	}
 }
 

departments.php

@@ -1,9 +1,9 @@
 <?php
-	require_once( 'db.inc.php' );
-	require_once( 'facilities.inc.php' );
+	require_once('db.inc.php');
+	require_once('facilities.inc.php');
 
-	$dept = new Department();
-	$user = new User();
+	$dept=new Department();
+	$user=new User();
 
 	$user->UserID=$_SERVER['REMOTE_USER'];
 	$user->GetUserRights($facDB);
@@ -15,28 +15,25 @@
 	}
 
 	if(isset($_REQUEST['deptid'])&&($_REQUEST['deptid']>0)){
-		$dept->DeptID = $_REQUEST['deptid'];
+		$dept->DeptID=(isset($_POST['deptid']) ? $_POST['deptid'] : $_GET['deptid']);
 		$dept->GetDeptByID( $facDB );
 	}
 
-	if(isset($_REQUEST['action'])&& (($_REQUEST['action']=='Create') || ($_REQUEST['action']=='Update'))){
-		$dept->DeptID = $_REQUEST['deptid'];
-		$dept->Name = $_REQUEST['name'];
-		$dept->ExecSponsor = $_REQUEST['execsponsor'];
-		$dept->SDM = $_REQUEST['sdm'];
-		$dept->Classification = $_REQUEST['classification'];
-		$dept->DeptColor = $_REQUEST['deptcolor'];
+	if(isset($_POST['action'])&& (($_POST['action']=='Create') || ($_POST['action']=='Update'))){
+		$dept->DeptID=$_POST['deptid'];
+		$dept->Name=$_POST['name'];
+		$dept->ExecSponsor=$_POST['execsponsor'];
+		$dept->SDM=$_POST['sdm'];
+		$dept->Classification=$_POST['classification'];
+		$dept->DeptColor=$_POST['deptcolor'];
 
-		if($_REQUEST['action']=='Create'){
-			// This data check should be moved up so that someone can't update a department to have an empty name either. Will leave as is until we have a delete department option.
-			if($dept->Name != '' && $dept->Name != null){
-				$dept->CreateDepartment($facDB);
-			}
+		if($_REQUEST['action']=='Create' && ($dept->Name != '' && $dept->Name != null)){
+			$dept->CreateDepartment($facDB);
 		}else{
 			$dept->UpdateDepartment($facDB);
 		}
 	}
-	$deptList = $dept->GetDepartmentList( $facDB );
+	$deptList=$dept->GetDepartmentList($facDB);
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html>
@@ -93,11 +90,8 @@ function showgroup(obj){
    <option value=0>New Department</option>
 <?php
 	foreach($deptList as $deptRow){
-		echo "<option value=\"$deptRow->DeptID\"";
-		if($dept->DeptID == $deptRow->DeptID){
-			echo ' selected';
-		}
-		echo ">$deptRow->Name</option>\n";
+		if($dept->DeptID == $deptRow->DeptID){$selected=" selected";}else{$selected="";}
+		print "   <option value=\"$deptRow->DeptID\"$selected>$deptRow->Name</option>\n";
 	}
 ?>
 	</select></div>
@@ -123,9 +117,8 @@ function showgroup(obj){
    <div><select name="classification" id="deptclass">
 <?php
   foreach($config->ParameterArray['ClassList'] as $className){
-	  echo "<option value=\"$className\"";
-	  if($dept->Classification==$className){echo ' selected';}
-      echo ">$className</option>";
+	  if($dept->Classification==$className){$selected=" selected";}else{$selected="";}
+	  print "   <option value=\"$className\"$selected>$className</option>\n";
   }
 ?>
     </select>
@@ -135,10 +128,7 @@ function showgroup(obj){
     <input type="submit" name="action" value="Create">
 <?php
 	if($dept->DeptID > 0){
-		echo '<input type="submit" name="action" value="Update">';
-		echo "<input type=\"button\" onClick=\"showgroup($dept->DeptID)\" value=\"Assign Contacts\">";
-//		print "<input type=\"button\" onClick=\"self.frames['groupadmin'].location.href='dept_groups.php?deptid=$dept->DeptID'\" value=\"Assign Contacts\">";
-//		print "<input type=\"button\" onClick=\"window.open('dept_groups.php?deptid=$dept->DeptID', 'popup')\" value=\"Assign Contacts\">";
+		print "<input type=\"submit\" name=\"action\" value=\"Update\">\n<input type=\"button\" onClick=\"showgroup($dept->DeptID)\" value=\"Assign Contacts\">";
 	}
 ?>
 </div>

dept_groups.php

@@ -7,9 +7,9 @@
 	$user=new User();
 
 	$user->UserID=$_SERVER['REMOTE_USER'];
-	$user->GetUserRights( $facDB );
+	$user->GetUserRights($facDB);
 
-	if(!$user->ReadAccess){
+	if(!$user->ContactAdmin){
 		// No soup for you.
 		header('Location: '.redirect());
 		exit;
@@ -20,17 +20,13 @@
 		echo "How'd you get here without a referral?";
 		exit;
 	}
-	$dept->DeptID=$_REQUEST['deptid'];
+	$dept->DeptID=(isset($_POST['deptid']) ? $_POST['deptid'] : $_GET['deptid']);
 	$dept->GetDeptByID($facDB);
 
 	// Update if form was submitted and action is set
-	if(isset($_REQUEST['action'])){
-		$action=$_REQUEST['action'];
-
-		if($action=="Submit"){
-			$grpMembers=$_REQUEST['chosen'];
-			$dept->AssignContacts($grpMembers,$facDB);
-		}
+	if(isset($_POST['action']) && $_POST['action']=="Submit"){
+		$grpMembers=$_POST['chosen'];
+		$dept->AssignContacts($grpMembers,$facDB);
 	}
 
 	$deptList=$contact->GetContactsForDepartment($dept->DeptID,$facDB);

escalations.php

@@ -13,26 +13,32 @@
 	}
 
 	$esc=new Escalations();
-
-	if(isset($_REQUEST["escalationid"]) && $_REQUEST["escalationid"] >0){
-		$esc->EscalationID = $_REQUEST["escalationid"];
-		$esc->GetEscalation($facDB);
-	}
-
 	$status="";
-	if(isset($_REQUEST["action"])&&(($_REQUEST["action"]=="Create")||($_REQUEST["action"]=="Update"))){
-		$esc->EscalationID = $_REQUEST["escalationid"];
-		$esc->Details = $_REQUEST["details"];
 
-		if($_REQUEST["action"] == "Create"){
-		  if($esc->Details != null && $esc->Details != "")
-  			$esc->CreateEscalation($facDB);
-		}else{
-			$status="Updated";
-			$esc->UpdateEscalation($facDB);
+	if(isset($_REQUEST['escalationid'])){
+		$esc->EscalationID=$_REQUEST['escalationid'];
+		if(isset($_POST['action'])){
+			if($_POST['details']!=null && $_POST['details']!=''){
+				switch($_POST['action']){
+					case 'Create':
+						$esc->Details=$_POST['details'];
+						$esc->CreateEscalation($facDB);
+						break;
+					case 'Update':
+						$esc->Details=$_POST['details'];
+						$status='Updated';
+						$esc->UpdateEscalation($facDB);
+						break;
+					case 'Delete':
+						$esc->DeleteEscalation($facDB);
+						header('Location: '.redirect("escalations.php"));
+						exit;
+				}
+			}
 		}
+		$esc->GetEscalation($facDB);
 	}
-	$escList = $esc->GetEscalationList( $facDB );
+	$escList=$esc->GetEscalationList($facDB);
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html>
@@ -65,11 +71,8 @@
    <option value=0>New Escalation Rule</option>
 <?php
 	foreach( $escList as $escRow ) {
-		echo "<option value=\"$escRow->EscalationID\"";
-		if($esc->EscalationID == $escRow->EscalationID){
-			echo " selected";
-		}
-		echo ">$escRow->Details</option>\n";
+		if($esc->EscalationID == $escRow->EscalationID){$selected=" selected";}else{$selected="";}
+		print "<option value=\"$escRow->EscalationID\"$selected>$escRow->Details</option>\n";
 	}
 ?>
 	</select></div>
@@ -79,10 +82,12 @@
    <div><input type="text" name="details" id="details" size="80" value="<?php echo $esc->Details; ?>"></div>
 </div>
 <div class="caption">
-   <input type="submit" name="action" value="Create">
 <?php
 	if($esc->EscalationID >0){
-		echo '   <input type="submit" name="action" value="Update">';
+		echo '   <input type="submit" name="action" value="Update">
+	 <input type="submit" name="action" value="Delete">';
+	}else{
+		echo '   <input type="submit" name="action" value="Create">';
 	}
 ?>
 </div>

power_connection.php

@@ -6,7 +6,8 @@
 	$user->UserID = $_SERVER['REMOTE_USER'];
 	$user->GetUserRights( $facDB );
 
-	if(!isset($_REQUEST['pdu']) && !isset($_REQUEST['conn']) && !$user->SiteAdmin){
+	// There is no need to access this screen if you don't have at least write rights.
+	if(!isset($_REQUEST['pdu']) && !isset($_REQUEST['conn']) && !$user->WriteAccess){
 		// No soup for you.
 		header('Location: '.redirect());
 		exit;
@@ -94,9 +95,10 @@
   <div><input type="text" name="inputnum" id="inputnum" value="<?php echo $connection->DeviceConnNumber; ?>"></div>
 </div>
 <div class="caption">
+  <input name="action" type="submit" value="Save">
 <?php
 	if($user->SiteAdmin){
-		echo '	<input name="action" type="submit" value="Save"><input name="action" type="submit" value="Delete">';
+		echo '	<input name="action" type="submit" value="Delete">';
 	}
 ?>
 	<button type="reset" onclick="document.location.href='pduinfo.php?pduid=<?php echo $connection->PDUID; ?>'; return false;">Cancel</button>