Überarbeitete Version der 1. Version. Es bestehen noch grosse Feher in einzelnen Skripten.

2026-04-18 23:45:17 +02:00
parent a51fd9dbeb
commit 3731183654
85 changed files with 2965 additions and 3371 deletions
--- a/www/intern/wk-leitung/rechnungen.php
+++ b/www/intern/wk-leitung/rechnungen.php
@@ -7,13 +7,19 @@ ini_set('display_startup_errors', 1);
 // dependencies to versions compatible with your PHP runtime.
 error_reporting(E_ALL & ~E_DEPRECATED & ~E_USER_DEPRECATED);

+
 if (!isset($baseDir)) {
    $baseDir = $_SERVER['DOCUMENT_ROOT'];
 }

-if (session_status() !== PHP_SESSION_ACTIVE) {
-    session_start();
-}
+require_once $baseDir . '/../scripts/session_functions.php';
+
+ini_wkvs_session(true);
+
+$csrf_token = $_SESSION['csrf_token'] ?? '';
+
+$access_granted_wkl = check_user_permission('wk_leitung', true) ?? false;
+
 ?>
 <!DOCTYPE html>
 <html lang="de">
@@ -44,7 +50,6 @@ if (session_status() !== PHP_SESSION_ACTIVE) {
 </head>
 <body>
    <?php
-    $access_granted_wkl = $_SESSION['access_granted_wk_leitung'] ?? false;

    if ( ! $access_granted_wkl ) :

@@ -59,7 +64,7 @@ if (session_status() !== PHP_SESSION_ACTIVE) {

    require $baseDir . '/../scripts/db/db-functions.php';
    require $baseDir . '/../scripts/db/db-tables.php';
-    require $baseDir . '/../scripts/csrf_functions.php';
+


    $type = 'wkl';
@@ -320,7 +325,7 @@ if (session_status() !== PHP_SESSION_ACTIVE) {
                                            </label>
                                        </td>
                                        <td>
-                                            <?php if (file_exists($baseDir . "/../test-wkvs/rechnungen/" . intval($row['order_id']) . ".pdf")) : ?>
+                                            <?php if (file_exists($baseDir . "/../private-files/rechnungen/" . intval($row['order_id']) . ".pdf")) : ?>
                                            <a href="/intern/wk-leitung/rechnungen_viewer?order_id=<?= intval($row['order_id']) ?>" target="_blank">
                                                <?= intval($row['order_id']) ?>
                                            </a>
@@ -375,6 +380,7 @@ if (session_status() !== PHP_SESSION_ACTIVE) {
 <?php endif; ?>

 <script>
+const csrf_token = "<?= $csrf_token ?>";
 const $input = $('#scorNumber');
 const $rawInput = $('#scorNumberRaw');

@@ -414,6 +420,7 @@ $('#submitScorNumber').on('click', function(e) {
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        body: new URLSearchParams({
+            csrf_token,
            scor: SCOR
        })
    })
@@ -456,6 +463,8 @@ $('.bulkSelectSubmit').on('click', function (e) {
                params.append('ids[]', id);
            });

+            params.append('csrf_token', csrf_token);
+

            fetch('/intern/scripts/rechnungen/ajax_delete_order.php', {
                method: 'POST',