webui: Disabled editing device notes for non-admin users (#5341)

2024-10-07 16:52:45 +00:00 · 2017-01-08 13:05:37 +00:00
parent 1e655c4e03
commit 36e1cc82f6
2 changed files with 29 additions and 11 deletions
--- a/html/includes/forms/update-notes.inc.php
+++ b/html/includes/forms/update-notes.inc.php
@@ -17,16 +17,20 @@ $message   = 'unknown error';
 $device_id = mres($_POST['device_id']);
 $notes = $_POST['notes'];

-if (isset($notes) && (dbUpdate(array('notes' => $notes), 'devices', 'device_id = ?', array($device_id)))) {
+if (is_admin() === false) {
+    $message = 'Only admin accounts can update notes';
+} elseif (isset($notes) && (dbUpdate(array('notes' => $notes), 'devices', 'device_id = ?', array($device_id)))) {
    $status  = 'ok';
    $message = 'Updated';
 } else {
    $status  = 'error';
    $message = 'ERROR: Could not update';
 }
-die(json_encode(array(
-    'status'       => $status,
-    'message'      => $message,
-    'notes'        => $notes,
-    'device_id'    => $device_id
-)));
+echo _json_encode(
+    array(
+        'status'       => $status,
+        'message'      => $message,
+        'notes'        => $notes,
+        'device_id'    => $device_id,
+    )
+);
--- a/html/pages/device/notes.inc.php
+++ b/html/pages/device/notes.inc.php
@@ -13,6 +13,12 @@
 $data = dbFetchRow("SELECT `notes` FROM `devices` WHERE device_id = ?", array(
    $device['device_id']
 ));
+
+$disabled = '';
+if (is_admin() === false) {
+    $disabled = 'disabled';
+}
+
 ?>

 <form class="form-horizontal" action="" method="post">
@@ -20,14 +26,14 @@ $data = dbFetchRow("SELECT `notes` FROM `devices` WHERE device_id = ?", array(
    <hr>
    <div class="form-group">
        <div class="col-sm-12">
-            <textarea class="form-control" rows="6" name="notes" id="device-notes"><?php echo htmlentities($data['notes']); ?></textarea>
+            <textarea class="form-control" rows="6" name="notes" id="device-notes" <?php echo $disabled; ?>><?php echo htmlentities($data['notes']); ?></textarea>
        </div>
    </div>
    <div class="row">
        <div class="col-md-1 col-md-offset-5">
            <?php
            echo '
-                <button type="submit" name="btn-update-notes" id="btn-update-notes" class="btn btn-default" data-device_id="' . $device['device_id'] . '"><i class="fa fa-check"></i> Save</button>
+                <button type="submit" name="btn-update-notes" id="btn-update-notes" class="btn btn-default ' . $disabled . '" data-device_id="' . $device['device_id'] . '"><i class="fa fa-check"></i> Save</button>
            ';
            ?>
        </div>
@@ -43,9 +49,13 @@ $("[name='btn-update-notes']").on('click', function(event) {
        type: 'POST',
        url: 'ajax_form.php',
        data: { type: "update-notes", notes: notes, device_id: device_id},
-        dataType: "html",
+        dataType: "json",
        success: function(data){
-            toastr.success('Saved');
+            if (data.status == "error") {
+                toastr.error(data.message);
+            } else {
+                toastr.success('Saved');
+            }
        },
        error:function(){
            toastr.error('Error');
@@ -53,3 +63,7 @@ $("[name='btn-update-notes']").on('click', function(event) {
    });
 });
 </script>
+
+<?php
+unset($disabled);
+?>