AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-02-28 02:44:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Moved admin_ to /admin, user_ to user report_ to /reports each have their own post includes modals directories created seperate headers and footer. Also did the same for xcustom, more work to me done

Browse Source
This commit is contained in:
johnnyq
2025-07-28 13:32:28 -04:00
parent 4906e06bf1
commit 0494bfc1cf
178 changed files with 247 additions and 882 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
admin/post/ai_model.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
/*
* ITFlow - GET/POST request handler for AI Models ('ai_model')
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ai_model'])) {
validateCSRFToken($_POST['csrf_token']);
$provider_id = intval($_POST['provider']);
$model = sanitizeInput($_POST['model']);
$prompt = sanitizeInput($_POST['prompt']);
$use_case = sanitizeInput($_POST['use_case']);
mysqli_query($mysqli,"INSERT INTO ai_models SET ai_model_name = '$model', ai_model_prompt = '$prompt', ai_model_use_case = '$use_case', ai_model_ai_provider_id = $provider_id");
$ai_model_id = mysqli_insert_id($mysqli);
// Logging
logAction("AI Model", "Create", "$session_name created AI Model $model");
$_SESSION['alert_message'] = "AI Model <strong>$model</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ai_model'])) {
validateCSRFToken($_POST['csrf_token']);
$model_id = intval($_POST['model_id']);
$model = sanitizeInput($_POST['model']);
$prompt = sanitizeInput($_POST['prompt']);
$use_case = sanitizeInput($_POST['use_case']);
mysqli_query($mysqli,"UPDATE ai_models SET ai_model_name = '$model', ai_model_prompt = '$prompt', ai_model_use_case = '$use_case' WHERE ai_model_id = $model_id");
// Logging
logAction("AI Model", "Edit", "$session_name edited AI Model $model");
$_SESSION['alert_message'] = "AI Model <strong>$model</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_ai_model'])) {
validateCSRFToken($_GET['csrf_token']);
$model_id = intval($_GET['delete_ai_model']);
$sql = mysqli_query($mysqli,"SELECT ai_model_name FROM ai_models WHERE ai_model_id = $model_id");
$row = mysqli_fetch_array($sql);
$model_name = sanitizeInput($row['ai_model_name']);
mysqli_query($mysqli,"DELETE FROM ai_models WHERE ai_model_id = $model_id");
// Logging
logAction("AI Model", "Delete", "$session_name deleted AI Model $model_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "AI Model <strong>$model_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

72
admin/post/ai_provider.php Normal file
View File

@@ -0,0 +1,72 @@
<?php
/*
* ITFlow - GET/POST request handler for AI Providers ('ai_provider')
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ai_provider'])) {
validateCSRFToken($_POST['csrf_token']);
$provider = sanitizeInput($_POST['provider']);
$url = sanitizeInput($_POST['url']);
$model = sanitizeInput($_POST['model']);
$api_key = sanitizeInput($_POST['api_key']);
mysqli_query($mysqli,"INSERT INTO ai_providers SET ai_provider_name = '$provider', ai_provider_api_url = '$url', ai_provider_api_key = '$api_key'");
$ai_provider_id = mysqli_insert_id($mysqli);
// Logging
logAction("AI Provider", "Create", "$session_name created AI Provider $provider");
$_SESSION['alert_message'] = "AI Model <strong>$provider</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ai_provider'])) {
validateCSRFToken($_POST['csrf_token']);
$provider_id = intval($_POST['provider_id']);
$provider = sanitizeInput($_POST['provider']);
$url = sanitizeInput($_POST['url']);
$api_key = sanitizeInput($_POST['api_key']);
mysqli_query($mysqli,"UPDATE ai_providers SET ai_provider_name = '$provider', ai_provider_api_url = '$url', ai_provider_api_key = '$api_key' WHERE ai_provider_id = $provider_id");
// Logging
logAction("AI Provider", "Edit", "$session_name edited AI Provider $provider");
$_SESSION['alert_message'] = "AI Model <strong>$provider</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_ai_provider'])) {
validateCSRFToken($_GET['csrf_token']);
$provider_id = intval($_GET['delete_ai_provider']);
$sql = mysqli_query($mysqli,"SELECT ai_provider_name FROM ai_providers WHERE ai_provider_id = $provider_id");
$row = mysqli_fetch_array($sql);
$provider_name = sanitizeInput($row['ai_provider_name']);
mysqli_query($mysqli,"DELETE FROM ai_providers WHERE ai_provider_id = $provider_id");
// Logging
logAction("AI Provider", "Delete", "$session_name deleted AI Provider $provider_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "AI Provider <strong>$provider_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

92
admin/post/api.php Normal file
View File

@@ -0,0 +1,92 @@
<?php
/*
* ITFlow - GET/POST request handler for API settings
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_api_key'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$expire = sanitizeInput($_POST['expire']);
$client_id = intval($_POST['client']);
$secret = sanitizeInput($_POST['key']); // API Key
// Credential decryption password
$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$apikey_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password']));
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_decrypt_hash = '$apikey_specific_encryption_ciphertext', api_key_expire = '$expire', api_key_client_id = $client_id");
$api_key_id = mysqli_insert_id($mysqli);
// Logging
logAction("API Key", "Create", "$session_name created API key $name set to expire on $expire", $client_id, $api_key_id);
$_SESSION['alert_message'] = "API Key <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_api_key'])) {
validateCSRFToken($_GET['csrf_token']);
$api_key_id = intval($_GET['delete_api_key']);
// Get API Key Name
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT api_key_name, api_key_client_id FROM api_keys WHERE api_key_id = $api_key_id"));
$api_key_name = sanitizeInput($row['api_key_name']);
$client_id = intval($row['api_key_client_id']);
mysqli_query($mysqli,"DELETE FROM api_keys WHERE api_key_id = $api_key_id");
// Logging
logAction("API Key", "Delete", "$session_name deleted API key $name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "API Key <strong>$name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_api_keys'])) {
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['api_key_ids'])) {
$count = count($_POST['api_key_ids']);
// Cycle through array and delete each record
foreach ($_POST['api_key_ids'] as $api_key_id) {
$api_key_id = intval($api_key_id);
// Get API Key Name
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT api_key_name, api_key_client_id FROM api_keys WHERE api_key_id = $api_key_id"));
$api_key_name = sanitizeInput($row['api_key_name']);
$client_id = intval($row['api_key_client_id']);
mysqli_query($mysqli, "DELETE FROM api_keys WHERE api_key_id = $api_key_id");
// Logging
logAction("API Key", "Delete", "$session_name deleted API key $name", $client_id);
}
// Logging
logAction("API Key", "Bulk Delete", "$session_name deleted $count API key(s)");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> API keys(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

216
admin/post/backup.php Normal file
View File

@@ -0,0 +1,216 @@
<?php
/*
* ITFlow - GET/POST request handler for DB / master key backup
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
require_once "includes/app_version.php";
if (isset($_GET['download_backup'])) {
validateCSRFToken($_GET['csrf_token']);
$timestamp = date('YmdHis');
$baseName = "itflow_$timestamp";
// === 0. Scoped cleanup ===
$cleanupFiles = [];
$registerTempFileForCleanup = function ($file) use (&$cleanupFiles) {
$cleanupFiles[] = $file;
};
register_shutdown_function(function () use (&$cleanupFiles) {
foreach ($cleanupFiles as $file) {
if (is_file($file)) {
@unlink($file);
}
}
});
// === 1. Local helper function: zipFolder
$zipFolder = function ($folderPath, $zipFilePath) {
$zip = new ZipArchive();
if ($zip->open($zipFilePath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
error_log("Failed to open zip file: $zipFilePath");
http_response_code(500);
exit("Internal Server Error: Cannot open zip archive.");
}
$folderPath = realpath($folderPath);
if (!$folderPath) {
error_log("Invalid folder path: $folderPath");
http_response_code(500);
exit("Internal Server Error: Invalid folder path.");
}
$files = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($folderPath),
RecursiveIteratorIterator::LEAVES_ONLY
);
foreach ($files as $file) {
if (!$file->isDir()) {
$filePath = $file->getRealPath();
$relativePath = substr($filePath, strlen($folderPath) + 1);
$zip->addFile($filePath, $relativePath);
}
}
$zip->close();
};
// === 2. Create all temp files
$sqlFile = tempnam(sys_get_temp_dir(), $baseName . "_sql_");
$uploadsZip = tempnam(sys_get_temp_dir(), $baseName . "_uploads_");
$versionFile = tempnam(sys_get_temp_dir(), $baseName . "_version_");
$finalZip = tempnam(sys_get_temp_dir(), $baseName . "_backup_");
foreach ([$sqlFile, $uploadsZip, $versionFile, $finalZip] as $f) {
$registerTempFileForCleanup($f);
chmod($f, 0600);
}
// === 3. Generate SQL Dump
$sqlContent = "-- UTF-8 + Foreign Key Safe Dump\n";
$sqlContent .= "SET NAMES 'utf8mb4';\n";
$sqlContent .= "SET foreign_key_checks = 0;\n\n";
$tables = [];
$res = $mysqli->query("SHOW TABLES");
if (!$res) {
error_log("MySQL Error: " . $mysqli->error);
exit("Error retrieving tables.");
}
while ($row = $res->fetch_row()) {
$tables[] = $row[0];
}
foreach ($tables as $table) {
$createRes = $mysqli->query("SHOW CREATE TABLE `$table`");
if (!$createRes) {
error_log("MySQL Error: " . $mysqli->error);
continue;
}
$createRow = $createRes->fetch_assoc();
$createSQL = array_values($createRow)[1];
$sqlContent .= "\n-- ----------------------------\n";
$sqlContent .= "-- Table structure for `$table`\n";
$sqlContent .= "-- ----------------------------\n";
$sqlContent .= "DROP TABLE IF EXISTS `$table`;\n";
$sqlContent .= $createSQL . ";\n\n";
$dataRes = $mysqli->query("SELECT * FROM `$table`");
if ($dataRes && $dataRes->num_rows > 0) {
$sqlContent .= "-- Dumping data for table `$table`\n";
while ($row = $dataRes->fetch_assoc()) {
$columns = array_map(fn($col) => '`' . $mysqli->real_escape_string($col) . '`', array_keys($row));
$values = array_map(function ($val) use ($mysqli) {
return is_null($val) ? "NULL" : "'" . $mysqli->real_escape_string($val) . "'";
}, array_values($row));
$sqlContent .= "INSERT INTO `$table` (" . implode(", ", $columns) . ") VALUES (" . implode(", ", $values) . ");\n";
}
$sqlContent .= "\n";
}
}
$sqlContent .= "SET foreign_key_checks = 1;\n";
file_put_contents($sqlFile, $sqlContent);
// === 4. Zip the uploads folder
$zipFolder("uploads", $uploadsZip);
// === 5. Create version.txt
$commitHash = trim(shell_exec('git log -1 --format=%H')) ?: 'N/A';
$gitBranch = trim(shell_exec('git rev-parse --abbrev-ref HEAD')) ?: 'N/A';
$versionContent = "ITFlow Backup Metadata\n";
$versionContent .= "-----------------------------\n";
$versionContent .= "Generated: " . date('Y-m-d H:i:s') . "\n";
$versionContent .= "Backup File: " . basename($finalZip) . "\n";
$versionContent .= "Generated By: $session_name\n";
$versionContent .= "Host: " . gethostname() . "\n";
$versionContent .= "Git Branch: $gitBranch\n";
$versionContent .= "Git Commit: $commitHash\n";
$versionContent .= "ITFlow Version: " . (defined('APP_VERSION') ? APP_VERSION : 'Unknown') . "\n";
$versionContent .= "Database Version: " . (defined('CURRENT_DATABASE_VERSION') ? CURRENT_DATABASE_VERSION : 'Unknown') . "\n";
$versionContent .= "Checksum (SHA256): \n";
file_put_contents($versionFile, $versionContent);
// === 6. Build final ZIP
$final = new ZipArchive();
if ($final->open($finalZip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
error_log("Failed to create final zip: $finalZip");
http_response_code(500);
exit("Internal Server Error: Unable to create backup archive.");
}
$final->addFile($sqlFile, "db.sql");
$final->addFile($uploadsZip, "uploads.zip");
$final->addFile($versionFile, "version.txt");
$final->close();
chmod($finalZip, 0600);
$checksum = hash_file('sha256', $finalZip);
file_put_contents($versionFile, $versionContent . "$checksum\n");
// === 7. Serve final ZIP
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . basename($finalZip) . '"');
header('Content-Length: ' . filesize($finalZip));
header('Pragma: public');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Content-Transfer-Encoding: binary');
flush();
$fp = fopen($finalZip, 'rb');
fpassthru($fp);
fclose($fp);
logAction("System", "Backup Download", "$session_name downloaded full backup.");
$_SESSION['alert_message'] = "Full backup downloaded.";
exit;
}
if (isset($_POST['backup_master_key'])) {
validateCSRFToken($_POST['csrf_token']);
$password = $_POST['password'];
$sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $session_user_id");
$row = mysqli_fetch_array($sql);
if (password_verify($password, $row['user_password'])) {
$site_encryption_master_key = decryptUserSpecificKey($row['user_specific_encryption_ciphertext'], $password);
// Logging
logAction("Master Key", "Download", "$session_name retrieved the master encryption key");
// App Notify
appNotify("Master Key", "$session_name retrieved the master encryption key");
echo "==============================";
echo "<br>Master encryption key:<br>";
echo "<b>$site_encryption_master_key</b>";
echo "<br>==============================";
} else {
// Log the failure
logAction("Master Key", "Download", "$session_name attempted to retrieve the master encryption key but failed");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Incorrect password.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}

106
admin/post/category.php Normal file
View File

@@ -0,0 +1,106 @@
<?php
/*
* ITFlow - GET/POST request handler for categories ('category')
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_category'])) {
require_once 'post/admin/admin_category_model.php';
mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");
$category_id = mysqli_insert_id($mysqli);
// Logging
logAction("Category", "Create", "$session_name created category $type $name", 0, $category_id);
$_SESSION['alert_message'] = "Category $type <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_category'])) {
require_once 'post/admin/admin_category_model.php';
$category_id = intval($_POST['category_id']);
mysqli_query($mysqli,"UPDATE categories SET category_name = '$name', category_type = '$type', category_color = '$color' WHERE category_id = $category_id");
// Logging
logAction("Category", "Edit", "$session_name edited category $type $name", 0, $category_id);
$_SESSION['alert_message'] = "Category $type <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_category'])) {
$category_id = intval($_GET['archive_category']);
// Get Category Name and Type for logging
$sql = mysqli_query($mysqli,"SELECT category_name, category_type FROM categories WHERE category_id = $category_id");
$row = mysqli_fetch_array($sql);
$category_name = sanitizeInput($row['category_name']);
$category_type = sanitizeInput($row['category_type']);
mysqli_query($mysqli,"UPDATE categories SET category_archived_at = NOW() WHERE category_id = $category_id");
// Logging
logAction("Category", "Archive", "$session_name archived category $category_type $category_name", 0, $category_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Category $category_type <strong>$category_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_category'])) {
$category_id = intval($_GET['unarchive_category']);
// Get Category Name and Type for logging
$sql = mysqli_query($mysqli,"SELECT category_name, category_type FROM categories WHERE category_id = $category_id");
$row = mysqli_fetch_array($sql);
$category_name = sanitizeInput($row['category_name']);
$category_type = sanitizeInput($row['category_type']);
mysqli_query($mysqli,"UPDATE categories SET category_archived_at = NULL WHERE category_id = $category_id");
// Logging
logAction("Category", "Unarchive", "$session_name unarchived category $category_type $category_name", 0, $category_id);
$_SESSION['alert_message'] = "Category $category_type <strong>$category_name</strong> unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_category'])) {
$category_id = intval($_GET['delete_category']);
// Get Category Name and Type for logging
$sql = mysqli_query($mysqli,"SELECT category_name, category_type FROM categories WHERE category_id = $category_id");
$row = mysqli_fetch_array($sql);
$category_name = sanitizeInput($row['category_name']);
$category_type = sanitizeInput($row['category_type']);
mysqli_query($mysqli,"DELETE FROM categories WHERE category_id = $category_id");
// Logging
logAction("Category", "Delete", "$session_name deleted category $category_type $category_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Category $category_type <strong>$category_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

6
admin/post/category_model.php Normal file
View File

@@ -0,0 +1,6 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']);
$color = sanitizeInput($_POST['color']);

63
admin/post/custom_field.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
/*
* ITFlow - GET/POST request handler for custom fields
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if(isset($_POST['create_custom_field'])){
require_once 'post/admin/admin_custom_field_model.php';
$table = sanitizeInput($_POST['table']);
mysqli_query($mysqli,"INSERT INTO custom_fields SET custom_field_table = '$table', custom_field_label = '$label', custom_field_type = '$type'");
$custom_field_id = mysqli_insert_id($mysqli);
// Logging
logAction("Custom Field", "Create", "$session_name created custom field $label", 0, $custom_field_id);
$_SESSION['alert_message'] = "Custom field <strong>$label</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['edit_custom_field'])){
require_once 'post/admin/admin_custom_field_model.php';
$custom_field_id = intval($_POST['custom_field_id']);
mysqli_query($mysqli,"UPDATE custom_fields SET custom_field_label = '$label', custom_field_type = '$type' WHERE custom_field_id = $custom_field_id");
// Logging
logAction("Custom Field", "Edit", "$session_name edited custom field $label", 0, $custom_field_id);
$_SESSION['alert_message'] = "Custom field <strong>$label</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['delete_custom_field'])){
$custom_field_id = intval($_GET['delete_custom_field']);
// Get Custom Field Label for logging
$sql = mysqli_query($mysqli,"SELECT custom_field_label FROM custom_fields WHERE custom_field_id = $custom_field_id");
$row = mysqli_fetch_array($sql);
$custom_field_label = sanitizeInput($row['custom_field_label']);
mysqli_query($mysqli,"DELETE FROM custom_fields WHERE custom_field_id = $custom_field_id");
// Logging
logAction("Custom Field", "Delete", "$session_name deleted custom field $label");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Custom field <strong>$label</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

5
admin/post/custom_field_model.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$label = sanitizeInput($_POST['label']);
$type = sanitizeInput($_POST['type']);

71
admin/post/custom_link.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
/*
* ITFlow - GET/POST request handler for showing custom links on navbars
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_custom_link'])) {
$name = sanitizeInput($_POST['name']);
$uri = sanitizeInput($_POST['uri']);
$new_tab = intval($_POST['new_tab'] ?? 0);
$icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));
$order = intval($_POST['order'] ?? 0);
$location = intval($_POST['location']);
mysqli_query($mysqli,"INSERT INTO custom_links SET custom_link_name = '$name', custom_link_uri = '$uri', custom_link_new_tab = $new_tab, custom_link_icon = '$icon', custom_link_order = $order, custom_link_location = $location");
$custom_link_id = mysqli_insert_id($mysqli);
// Logging
logAction("Custom Link", "Create", "$session_name created custom link $name -> $uri", 0, $custom_link_id);
$_SESSION['alert_message'] = "Custom link <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_custom_link'])) {
$custom_link_id = intval($_POST['custom_link_id']);
$name = sanitizeInput($_POST['name']);
$uri = sanitizeInput($_POST['uri']);
$new_tab = intval($_POST['new_tab'] ?? 0);
$icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));
$order = intval($_POST['order'] ?? 0);
$location = intval($_POST['location']);
mysqli_query($mysqli,"UPDATE custom_links SET custom_link_name = '$name', custom_link_uri = '$uri', custom_link_new_tab = $new_tab, custom_link_icon = '$icon', custom_link_order = $order, custom_link_location = $location WHERE custom_link_id = $custom_link_id");
// Logging
logAction("Custom Link", "Edit", "$session_name edited custom link $name -> $uri", 0, $custom_link_id);
$_SESSION['alert_message'] = "Custom Link <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_custom_link'])) {
$custom_link_id = intval($_GET['delete_custom_link']);
// Get Custom Link name and uri for logging
$sql = mysqli_query($mysqli,"SELECT custom_link_name, custom_link_uri FROM custom_links WHERE custom_link_id = $custom_link_id");
$row = mysqli_fetch_array($sql);
$custom_link_name = sanitizeInput($row['custom_link_name']);
$custom_link_uri = sanitizeInput($row['custom_link_uri']);
mysqli_query($mysqli,"DELETE FROM custom_links WHERE custom_link_id = $custom_link_id");
// Logging
logAction("Custom Link", "Delete", "$session_name deleted custom link $custom_link_name -> $custom_link_uri");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Custom Link <strong>$name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

65
admin/post/document_template.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
// Doc Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_document_template'])) {
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
// Document create query
mysqli_query($mysqli,"INSERT INTO document_templates SET document_template_name = '$name', document_template_description = '$description', document_template_content = '$content', document_template_created_by = $session_user_id");
$document_template_id = mysqli_insert_id($mysqli);
// Logging
logAction("Document Template", "Create", "$session_name created document template $name", 0, $document_template_id);
$_SESSION['alert_message'] = "Document template <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_document_template'])) {
$document_template_id = intval($_POST['document_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
// Document edit query
mysqli_query($mysqli,"UPDATE document_templates SET document_template_name = '$name', document_template_description = '$description', document_template_content = '$content', document_template_updated_by = $session_user_id WHERE document_template_id = $document_template_id");
// Logging
logAction("Document Template", "Edit", "$session_name edited document template $name", 0, $document_template_id);
$_SESSION['alert_message'] = "Document Template <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_document_template'])) {
$document_template_id = intval($_GET['delete_document_template']);
// Get Document Template Name for logging
$sql = mysqli_query($mysqli,"SELECT document_template_name FROM document_templates WHERE document_template_id = $document_template_id");
$row = mysqli_fetch_array($sql);
$document_template_name = sanitizeInput($row['document_template_name']);
mysqli_query($mysqli,"DELETE FROM document_templates WHERE document_template_id = $document_template_id");
//Logging
logAction("Document Template", "Delete", "$session_name deleted document template $document_template_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Document Template <strong>$document_template_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

21
admin/post/identity_provider.php Normal file
View File

@@ -0,0 +1,21 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_identity_provider'])) {
validateCSRFToken($_POST['csrf_token']);
$azure_client_id = sanitizeInput($_POST['azure_client_id']);
$azure_client_secret = sanitizeInput($_POST['azure_client_secret']);
mysqli_query($mysqli,"UPDATE settings SET config_azure_client_id = '$azure_client_id', config_azure_client_secret = '$azure_client_secret' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited identity provider settings");
$_SESSION['alert_message'] = "Identity Provider Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

93
admin/post/mail_queue.php Normal file
View File

@@ -0,0 +1,93 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['send_failed_mail'])) {
$email_id = intval($_GET['send_failed_mail']);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 0, email_attempts = 3 WHERE email_id = $email_id");
// Logging
logAction("Email", "Send", "$session_name attempted to force send email id: $email_id in the mail queue", 0, $email_id);
$_SESSION['alert_message'] = "Email Force Sent, give it a minute to resend";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['cancel_mail'])) {
$email_id = intval($_GET['cancel_mail']);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 2, email_attempts = 99, email_failed_at = NOW() WHERE email_id = $email_id");
// Logging
logAction("Email", "Send", "$session_name canceled send email id: $email_id in the mail queue", 0, $email_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Email cancelled and marked as failed.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_cancel_emails'])) {
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['email_ids'])) {
$count = count($_POST['email_ids']);
// Cycle through array and mark each email as failed
foreach ($_POST['email_ids'] as $email_id) {
$email_id = intval($email_id);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 2, email_attempts = 99, email_failed_at = NOW() WHERE email_id = $email_id");
// Logging
logAction("Email", "Cancel", "$session_name cancelled email id: $email_id in the mail queue", 0, $email_id);
}
// Logging
logAction("Email", "Bulk Cancel", "$session_name cancelled $count email(s) in the mail queue");
$_SESSION['alert_message'] = "Cancelled <strong>$count</strong> email(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_emails'])) {
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['email_ids'])) {
$count = count($_POST['email_ids']);
// Cycle through array and delete each email
foreach ($_POST['email_ids'] as $email_id) {
$email_id = intval($email_id);
mysqli_query($mysqli,"DELETE FROM email_queue WHERE email_id = $email_id");
// Logging
logAction("Email", "Delete", "$session_name deleted email id: $email_id from the mail queue");
}
// Logging
logAction("Email", "Bulk Delete", "$session_name deleted $count email(s) from the mail queue");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> email(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

64
admin/post/payment_method.php Normal file
View File

@@ -0,0 +1,64 @@
<?php
/*
* ITFlow - GET/POST request handler for AI Providers ('ai_providers')
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_payment_method'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
mysqli_query($mysqli,"INSERT INTO payment_methods SET payment_method_name = '$name', payment_method_description = '$description'");
// Logging
logAction("Payment Method", "Create", "$session_name created Payment Method $name");
$_SESSION['alert_message'] = "Payment Method <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_payment_method'])) {
validateCSRFToken($_POST['csrf_token']);
$payment_method_id = intval($_POST['payment_method_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
mysqli_query($mysqli,"UPDATE payment_methods SET payment_method_name = '$name', payment_method_description = '$description' WHERE payment_method_id = $payment_method_id");
// Logging
logAction("Payment Method", "Edit", "$session_name edited Payment Method $name");
$_SESSION['alert_message'] = "Payment Method <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_payment_method'])) {
$payment_method_id = intval($_GET['delete_payment_method']);
$sql = mysqli_query($mysqli,"SELECT payment_method_name FROM payment_methods WHERE payment_method_id = $payment_method_id");
$row = mysqli_fetch_array($sql);
$payment_method_name = sanitizeInput($row['payment_method_name']);
mysqli_query($mysqli,"DELETE FROM payment_methods WHERE payment_method_id = $payment_method_id");
// Logging
logAction("Payment Method", "Delete", "$session_name deleted Payment Method $payment_method_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Payment Method <strong>$payment_method_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

106
admin/post/payment_provider.php Normal file
View File

@@ -0,0 +1,106 @@
<?php
/*
* ITFlow - GET/POST request handler for AI Providers ('ai_providers')
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_payment_provider'])) {
validateCSRFToken($_POST['csrf_token']);
$provider = sanitizeInput($_POST['provider']);
$public_key = sanitizeInput($_POST['public_key']);
$private_key = sanitizeInput($_POST['private_key']);
$threshold = floatval($_POST['threshold']);
$enable_expense = intval($_POST['enable_expense'] ?? 0);
$percentage_fee = floatval($_POST['percentage_fee']) / 100;
$flat_fee = floatval($_POST['flat_fee']);
// Check for Stripe Account if not create it
$sql_account = mysqli_query($mysqli,"SELECT account_id FROM accounts WHERE account_name = '$provider' AND account_archived_at IS NULL LIMIT 1");
if (mysqli_num_rows($sql_account) == 0) {
$account_id = mysqli_insert_id($mysqli);
} else {
$row = mysqli_fetch_array($sql_account);
$account_id = intval($row['account_id']);
}
if ($enable_expense) {
// Category
$sql_category = mysqli_query($mysqli,"SELECT category_id FROM categories WHERE category_name = 'Payment Processing' AND category_type = 'Expense' AND category_archived_at IS NULL LIMIT 1");
if (mysqli_num_rows($sql_category) == 0) {
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Processing Fee', category_type = 'Payment Processing', category_color = 'gray'");
$category_id = mysqli_insert_id($mysqli);
} else {
$row = mysqli_fetch_array($sql_category);
$category_id = intval($row['category_id']);
}
//Vendor
$sql_vendor = mysqli_query($mysqli,"SELECT vendor_id FROM vendors WHERE vendor_name = '$provider' AND vendor_client_id = 0 AND vendor_archived_at IS NULL LIMIT 1");
if (mysqli_num_rows($sql_vendor) == 0) {
mysqli_query($mysqli,"INSERT INTO vendors SET vendor_name = '$provider', vendor_descripion = 'Payment Processor Provider', vendor_client_id = 0");
$vendor_id = mysqli_insert_id($mysqli);
} else {
$row = mysqli_fetch_array($sql_vendor);
$vendor_id = intval($row['vendor_id']);
}
}
mysqli_query($mysqli,"INSERT INTO payment_providers SET payment_provider_name = '$provider', payment_provider_public_key = '$public_key', payment_provider_private_key = '$private_key', payment_provider_account = $account_id, payment_provider_expense_vendor = $vendor_id, payment_provider_expense_category = $category_id, payment_provider_expense_percentage_fee = $percentage_fee, payment_provider_expense_flat_fee = $flat_fee");
$provider_id = mysqli_insert_id($mysqli);
// Logging
logAction("Payment Provider", "Create", "$session_name created AI Provider $provider");
$_SESSION['alert_message'] = "AI Model <strong>$provider</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_payment_provider'])) {
validateCSRFToken($_POST['csrf_token']);
$provider_id = intval($_POST['provider_id']);
$description = sanitizeInput($_POST['description']);
$public_key = sanitizeInput($_POST['public_key']);
$private_key = sanitizeInput($_POST['private_key']);
$threshold = floatval($_POST['threshold']);
$enable_expense = intval($_POST['enable_expense'] ?? 0);
$percentage_fee = floatval($_POST['percentage_fee']) / 100;
$flat_fee = floatval($_POST['flat_fee']);
mysqli_query($mysqli,"UPDATE payment_providers SET payment_provider_public_key = '$public_key', payment_provider_private_key = '$private_key', payment_provider_expense_percentage_fee = $percentage_fee, payment_provider_expense_flat_fee = $flat_fee WHERE payment_provider_id = $provider_id");
// Logging
logAction("Payment Provider", "Edit", "$session_name edited Payment Provider $provider");
$_SESSION['alert_message'] = "Payment Provider <strong>$provider</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_payment_provider'])) {
$provider_id = intval($_GET['delete_payment_provider']);
$sql = mysqli_query($mysqli,"SELECT payment_provider_name FROM payment_providers WHERE payment_provider_id = $provider_id");
$row = mysqli_fetch_array($sql);
$provider_name = sanitizeInput($row['payment_provider_name']);
mysqli_query($mysqli,"DELETE FROM payment_providers WHERE payment_provider_id = $provider_id");
// Logging
logAction("Payment Provider", "Delete", "$session_name deleted Payment Provider $provider_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Payment Provider <strong>$provider_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

104
admin/post/project_template.php Normal file
View File

@@ -0,0 +1,104 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_project_template'])) {
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
mysqli_query($mysqli, "INSERT INTO project_templates SET project_template_name = '$name', project_template_description = '$description'");
$project_template_id = mysqli_insert_id($mysqli);
// Logging
logAction("Project Template", "Create", "$session_name created project template $name", 0, $project_template_id);
$_SESSION['alert_message'] = "Project Template <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_project_template'])) {
$project_template_id = intval($_POST['project_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
mysqli_query($mysqli, "UPDATE project_templates SET project_template_name = '$name', project_template_description = '$description' WHERE project_template_id = $project_template_id");
// Logging
logAction("Project Template", "Edit", "$session_name edited project template $name", 0, $project_template_id);
$_SESSION['alert_message'] = "Project Template <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_template_order'])) {
$ticket_template_id = intval($_POST['ticket_template_id']);
$project_template_id = intval($_POST['project_template_id']);
$order = intval($_POST['order']);
mysqli_query($mysqli, "UPDATE project_template_ticket_templates SET ticket_template_order = $order WHERE ticket_template_id = $ticket_template_id AND project_template_id = $project_template_id");
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_ticket_template_to_project_template'])) {
$project_template_id = intval($_POST['project_template_id']);
$ticket_template_id = intval($_POST['ticket_template_id']);
$order = intval($_POST['order']);
mysqli_query($mysqli, "INSERT INTO project_template_ticket_templates SET project_template_id = $project_template_id, ticket_template_id = $ticket_template_id, ticket_template_order = $order");
// Logging
logAction("Project Template", "Edit", "$session_name added ticket template to project_template", 0, $project_template_id);
$_SESSION['alert_message'] = "Ticket template added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['remove_ticket_template_from_project_template'])) {
validateTechRole();
$ticket_template_id = intval($_POST['ticket_template_id']);
$project_template_id = intval($_POST['project_template_id']);
mysqli_query($mysqli, "DELETE FROM project_template_ticket_templates WHERE project_template_id = $project_template_id AND ticket_template_id = $ticket_template_id");
// Logging
logAction("Project Template", "Edit", "$session_name removed ticket template from project template", 0, $project_template_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Ticket template removed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_project_template'])) {
$project_template_id = intval($_GET['delete_project_template']);
// Get project template name
$sql = mysqli_query($mysqli, "SELECT * FROM project_templates WHERE project_template_id = $project_template_id");
$row = mysqli_fetch_array($sql);
$project_template_name = sanitizeInput($row['project_template_name']);
mysqli_query($mysqli, "DELETE FROM project_templates WHERE project_template_id = $project_template_id");
// Remove Associated Ticket Templates
mysqli_query($mysqli, "DELETE FROM project_template_ticket_templates WHERE project_template_id = $project_template_id");
// Logging
logAction("Project Template", "Delete", "$session_name deleted project template $project_template_name and its associated ticket templates and tasks");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Project Template <strong>$project_template_name</strong> and its associated ticket templates and tasks deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

68
admin/post/saved_payment_method.php Normal file
View File

@@ -0,0 +1,68 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['delete_saved_payment'])) {
validateCSRFToken($_GET['csrf_token']);
$saved_payment_id = intval($_GET['delete_saved_payment']);
$sql = mysqli_query($mysqli, "
SELECT
client_saved_payment_methods.saved_payment_id,
client_saved_payment_methods.saved_payment_client_id,
client_saved_payment_methods.saved_payment_provider_id,
client_saved_payment_methods.saved_payment_provider_method,
client_saved_payment_methods.saved_payment_description,
client_payment_provider.payment_provider_client,
payment_providers.payment_provider_name,
payment_providers.payment_provider_private_key
FROM client_saved_payment_methods
LEFT JOIN client_payment_provider
ON client_payment_provider.client_id = client_saved_payment_methods.saved_payment_client_id
AND client_payment_provider.payment_provider_id = client_saved_payment_methods.saved_payment_provider_id
LEFT JOIN payment_providers
ON payment_providers.payment_provider_id = client_saved_payment_methods.saved_payment_provider_id
WHERE client_saved_payment_methods.saved_payment_id = $saved_payment_id"
);
$row = mysqli_fetch_array($sql);
$client_id = intval($row['saved_payment_client_id']);
$provider_id = intval($row['saved_payment_provider_id']);
$payment_provider_name = nullable_htmlentities($row['payment_provider_name']);
$saved_payment_description = nullable_htmlentities($row['saved_payment_description']);
$provider_client = nullable_htmlentities($row['payment_provider_client']);
$payment_method = $row['saved_payment_provider_method'];
$private_key = $row['payment_provider_private_key'];
// Seperate logic for each Payment Provider
if ($payment_provider_name == 'Stripe') {
try {
// Initialize stripe
require_once 'plugins/stripe-php/init.php';
$stripe = new \Stripe\StripeClient($private_key);
// Detach PM
$stripe->paymentMethods->detach($payment_method, []);
} catch (Exception $e) {
$error = $e->getMessage();
error_log("Stripe payment error - encountered exception when removing payment method info for $payment_method: $error");
logApp("Stripe", "error", "Exception removing payment method for $payment_method: $error");
}
}
// Remove payment method from ITFlow
mysqli_query($mysqli, "DELETE FROM client_saved_payment_methods WHERE saved_payment_id = $saved_payment_id");
// SQL Cascade delete will Remove All Associated Auto Payment Methods on recurring invoices in the recurring payments table.
// Logging & Redirect
logAction("Payment Provider", "Update", "$session_name deleted saved payment method $saved_payment_description (PM: $payment_method)", $client_id);
$_SESSION['alert_message'] = "Payment method <strong>$saved_payment_description</strong> removed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

28
admin/post/settings_ai.php Normal file
View File

@@ -0,0 +1,28 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_ai_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$provider = sanitizeInput($_POST['provider']);
if($provider){
$ai_enable = 1;
} else {
$ai_enable = 0;
}
$model = sanitizeInput($_POST['model']);
$url = sanitizeInput($_POST['url']);
$api_key = sanitizeInput($_POST['api_key']);
mysqli_query($mysqli,"UPDATE settings SET config_ai_enable = $ai_enable, config_ai_provider = '$provider', config_ai_model = '$model', config_ai_url = '$url', config_ai_api_key = '$api_key' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited AI settings");
$_SESSION['alert_message'] = "AI Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

74
admin/post/settings_company.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_company'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$address = sanitizeInput($_POST['address']);
$city = sanitizeInput($_POST['city']);
$state = sanitizeInput($_POST['state']);
$zip = sanitizeInput($_POST['zip']);
$country = sanitizeInput($_POST['country']);
$phone_country_code = preg_replace("/[^0-9]/", '',$_POST['phone_country_code']);
$phone = preg_replace("/[^0-9]/", '',$_POST['phone']);
$email = sanitizeInput($_POST['email']);
$website = sanitizeInput($_POST['website']);
$tax_id = sanitizeInput($_POST['tax_id']);
$sql = mysqli_query($mysqli,"SELECT company_logo FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['company_logo']);
// Company logo
if (isset($_FILES['file']['tmp_name'])) {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/settings/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
// Delete old file
unlink("uploads/settings/$existing_file_name");
// Set Logo
mysqli_query($mysqli,"UPDATE companies SET company_logo = '$new_file_name' WHERE company_id = 1");
}
}
mysqli_query($mysqli,"UPDATE companies SET company_name = '$name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone_country_code = '$phone_country_code', company_phone = '$phone', company_email = '$email', company_website = '$website', company_tax_id = '$tax_id' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited company details");
$_SESSION['alert_message'] = "Company <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['remove_company_logo'])) {
$sql = mysqli_query($mysqli,"SELECT company_logo FROM companies");
$row = mysqli_fetch_array($sql);
$company_logo = $row['company_logo']; // FileSystem Operation Logo is already sanitized
unlink("uploads/settings/$company_logo");
mysqli_query($mysqli,"UPDATE companies SET company_logo = NULL WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name deleted company logo");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Removed company logo";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

28
admin/post/settings_default.php Normal file
View File

@@ -0,0 +1,28 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_default_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$start_page = sanitizeInput($_POST['start_page']);
$expense_account = intval($_POST['expense_account']);
$payment_account = intval($_POST['payment_account']);
$payment_method = sanitizeInput($_POST['payment_method']);
$expense_payment_method = sanitizeInput($_POST['expense_payment_method']);
$transfer_from_account = intval($_POST['transfer_from_account']);
$transfer_to_account = intval($_POST['transfer_to_account']);
$calendar = intval($_POST['calendar']);
$net_terms = intval($_POST['net_terms']);
$hourly_rate = floatval($_POST['hourly_rate']);
mysqli_query($mysqli,"UPDATE settings SET config_start_page = '$start_page', config_default_expense_account = $expense_account, config_default_payment_account = $payment_account, config_default_payment_method = '$payment_method', config_default_expense_payment_method = '$expense_payment_method', config_default_transfer_from_account = $transfer_from_account, config_default_transfer_to_account = $transfer_to_account, config_default_calendar = $calendar, config_default_net_terms = $net_terms, config_default_hourly_rate = $hourly_rate WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited default settings");
$_SESSION['alert_message'] = "Default settings edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

31
admin/post/settings_invoice.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_invoice_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_invoice_prefix = sanitizeInput($_POST['config_invoice_prefix']);
$config_invoice_next_number = intval($_POST['config_invoice_next_number']);
$config_invoice_footer = sanitizeInput($_POST['config_invoice_footer']);
$config_invoice_show_tax_id = intval($_POST['config_invoice_show_tax_id'] ?? 0);
$config_invoice_late_fee_enable = intval($_POST['config_invoice_late_fee_enable'] ?? 0);
$config_invoice_late_fee_percent = floatval($_POST['config_invoice_late_fee_percent']);
$config_recurring_invoice_prefix = sanitizeInput($_POST['config_recurring_invoice_prefix']);
$config_recurring_invoice_next_number = intval($_POST['config_recurring_invoice_next_number']);
$config_invoice_paid_notification_email = '';
if (filter_var($_POST['config_invoice_paid_notification_email'], FILTER_VALIDATE_EMAIL)) {
$config_invoice_paid_notification_email = sanitizeInput($_POST['config_invoice_paid_notification_email']);
}
mysqli_query($mysqli,"UPDATE settings SET config_invoice_prefix = '$config_invoice_prefix', config_invoice_next_number = $config_invoice_next_number, config_invoice_footer = '$config_invoice_footer', config_invoice_show_tax_id = $config_invoice_show_tax_id, config_invoice_late_fee_enable = $config_invoice_late_fee_enable, config_invoice_late_fee_percent = $config_invoice_late_fee_percent, config_invoice_paid_notification_email = '$config_invoice_paid_notification_email', config_recurring_invoice_prefix = '$config_recurring_invoice_prefix', config_recurring_invoice_next_number = $config_recurring_invoice_next_number WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited invoice settings");
$_SESSION['alert_message'] = "Invoice Settings edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

24
admin/post/settings_localization.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_localization'])) {
validateCSRFToken($_POST['csrf_token']);
$locale = sanitizeInput($_POST['locale']);
$currency_code = sanitizeInput($_POST['currency_code']);
$timezone = sanitizeInput($_POST['timezone']);
mysqli_query($mysqli,"UPDATE companies SET company_locale = '$locale', company_currency = '$currency_code' WHERE company_id = 1");
mysqli_query($mysqli,"UPDATE settings SET config_timezone = '$timezone' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited localization settings");
$_SESSION['alert_message'] = "Company localization updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

143
admin/post/settings_mail.php Normal file
View File

@@ -0,0 +1,143 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_mail_smtp_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_smtp_host = sanitizeInput($_POST['config_smtp_host']);
$config_smtp_port = intval($_POST['config_smtp_port']);
$config_smtp_encryption = sanitizeInput($_POST['config_smtp_encryption']);
$config_smtp_username = sanitizeInput($_POST['config_smtp_username']);
$config_smtp_password = sanitizeInput($_POST['config_smtp_password']);
mysqli_query($mysqli,"UPDATE settings SET config_smtp_host = '$config_smtp_host', config_smtp_port = $config_smtp_port, config_smtp_encryption = '$config_smtp_encryption', config_smtp_username = '$config_smtp_username', config_smtp_password = '$config_smtp_password' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited SMTP mail settings");
$_SESSION['alert_message'] = "SMTP Mail Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_mail_imap_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_imap_host = sanitizeInput($_POST['config_imap_host']);
$config_imap_username = sanitizeInput($_POST['config_imap_username']);
$config_imap_password = sanitizeInput($_POST['config_imap_password']);
$config_imap_port = intval($_POST['config_imap_port']);
$config_imap_encryption = sanitizeInput($_POST['config_imap_encryption']);
mysqli_query($mysqli,"UPDATE settings SET config_imap_host = '$config_imap_host', config_imap_port = $config_imap_port, config_imap_encryption = '$config_imap_encryption', config_imap_username = '$config_imap_username', config_imap_password = '$config_imap_password' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited IMAP mail settings");
$_SESSION['alert_message'] = "IMAP Mail Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_mail_from_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_mail_from_email = sanitizeInput(filter_var($_POST['config_mail_from_email'], FILTER_VALIDATE_EMAIL));
$config_mail_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_mail_from_name']));
$config_invoice_from_email = sanitizeInput(filter_var($_POST['config_invoice_from_email'], FILTER_VALIDATE_EMAIL));
$config_invoice_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_invoice_from_name']));
$config_quote_from_email = sanitizeInput(filter_var($_POST['config_quote_from_email'], FILTER_VALIDATE_EMAIL));
$config_quote_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_quote_from_name']));
$config_ticket_from_email = sanitizeInput(filter_var($_POST['config_ticket_from_email'], FILTER_VALIDATE_EMAIL));
$config_ticket_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_ticket_from_name']));
mysqli_query($mysqli,"UPDATE settings SET config_mail_from_email = '$config_mail_from_email', config_mail_from_name = '$config_mail_from_name', config_invoice_from_email = '$config_invoice_from_email', config_invoice_from_name = '$config_invoice_from_name', config_quote_from_email = '$config_quote_from_email', config_quote_from_name = '$config_quote_from_name', config_ticket_from_email = '$config_ticket_from_email', config_ticket_from_name = '$config_ticket_from_name' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited mail from settings");
$_SESSION['alert_message'] = "Mail From Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['test_email_smtp'])) {
validateCSRFToken($_POST['csrf_token']);
$test_email = intval($_POST['test_email']);
if($test_email == 1) {
$email_from = sanitizeInput($config_mail_from_email);
$email_from_name = sanitizeInput($config_mail_from_name);
} elseif ($test_email == 2) {
$email_from = sanitizeInput($config_invoice_from_email);
$email_from_name = sanitizeInput($config_invoice_from_name);
} elseif ($test_email == 3) {
$email_from = sanitizeInput($config_quote_from_email);
$email_from_name = sanitizeInput($config_quote_from_name);
} else {
$email_from = sanitizeInput($config_ticket_from_email);
$email_from_name = sanitizeInput($config_ticket_from_name);
}
$email_to = sanitizeInput($_POST['email_to']);
$subject = "Test email from ITFlow";
$body = "This is a test email from ITFlow. If you are reading this, it worked!";
$data = [
[
'from' => $email_from,
'from_name' => $email_from_name,
'recipient' => $email_to,
'recipient_name' => 'Chap',
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($data);
if ($mail === true) {
$_SESSION['alert_message'] = "Test email queued! <a class='text-bold text-light' href='admin_mail_queue.php'>Check Admin > Mail queue</a>";
} else {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Failed to add test mail to queue";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['test_email_imap'])) {
validateCSRFToken($_POST['csrf_token']);
// Setup your IMAP connection parameters
$hostname = "{" . $config_imap_host . ":" . $config_imap_port . "/" . $config_imap_encryption . "/novalidate-cert}INBOX";
$username = $config_imap_username;
$password = $config_imap_password;
try {
$inbox = @imap_open($hostname, $username, $password);
if ($inbox) {
imap_close($inbox);
$_SESSION['alert_message'] = "Connected successfully";
} else {
throw new Exception(imap_last_error());
}
} catch (Exception $e) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Test IMAP connection failed: " . $e->getMessage();
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

29
admin/post/settings_module.php Normal file
View File

@@ -0,0 +1,29 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_module_settings'])) {
$config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc'] ?? 0);
$config_module_enable_ticketing = intval($_POST['config_module_enable_ticketing'] ?? 0);
$config_module_enable_accounting = intval($_POST['config_module_enable_accounting'] ?? 0);
$config_client_portal_enable = intval($_POST['config_client_portal_enable'] ?? 0);
$config_whitelabel_key = sanitizeInput($_POST['config_whitelabel_key']);
mysqli_query($mysqli,"UPDATE settings SET config_module_enable_itdoc = $config_module_enable_itdoc, config_module_enable_ticketing = $config_module_enable_ticketing, config_module_enable_accounting = $config_module_enable_accounting, config_client_portal_enable = $config_client_portal_enable WHERE company_id = 1");
// Validate white label key
if (!empty($config_whitelabel_key && validateWhitelabelKey($config_whitelabel_key))) {
mysqli_query($mysqli, "UPDATE settings SET config_whitelabel_enabled = 1, config_whitelabel_key = '$config_whitelabel_key' WHERE company_id = 1");
} else {
mysqli_query($mysqli, "UPDATE settings SET config_whitelabel_enabled = 0, config_whitelabel_key = '' WHERE company_id = 1");
}
// Logging
logAction("Settings", "Edit", "$session_name edited module settings");
$_SESSION['alert_message'] = "Module Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

24
admin/post/settings_notification.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_notification_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_enable_cron = intval($_POST['config_enable_cron'] ?? 0);
$config_enable_alert_domain_expire = intval($_POST['config_enable_alert_domain_expire'] ?? 0);
$config_send_invoice_reminders = intval($_POST['config_send_invoice_reminders'] ?? 0);
$config_recurring_auto_send_invoice = intval($_POST['config_recurring_auto_send_invoice'] ?? 0);
$config_ticket_client_general_notifications = intval($_POST['config_ticket_client_general_notifications'] ?? 0);
mysqli_query($mysqli,"UPDATE settings SET config_send_invoice_reminders = $config_send_invoice_reminders, config_recurring_auto_send_invoice = $config_recurring_auto_send_invoice, config_enable_cron = $config_enable_cron, config_enable_alert_domain_expire = $config_enable_alert_domain_expire, config_ticket_client_general_notifications = $config_ticket_client_general_notifications WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited notification settings");
$_SESSION['alert_message'] = "Notification Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

31
admin/post/settings_online_payment.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_online_payment_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_stripe_enable = intval($_POST['config_stripe_enable'] ?? 0);
$config_stripe_publishable = sanitizeInput($_POST['config_stripe_publishable']);
$config_stripe_secret = sanitizeInput($_POST['config_stripe_secret']);
$config_stripe_account = intval($_POST['config_stripe_account']);
$config_stripe_expense_vendor = intval($_POST['config_stripe_expense_vendor']);
$config_stripe_expense_category = intval($_POST['config_stripe_expense_category']);
$config_stripe_percentage_fee = floatval($_POST['config_stripe_percentage_fee']) / 100;
$config_stripe_flat_fee = floatval($_POST['config_stripe_flat_fee']);
mysqli_query($mysqli,"UPDATE settings SET config_stripe_enable = $config_stripe_enable, config_stripe_publishable = '$config_stripe_publishable', config_stripe_secret = '$config_stripe_secret', config_stripe_account = $config_stripe_account, config_stripe_expense_vendor = $config_stripe_expense_vendor, config_stripe_expense_category = $config_stripe_expense_category, config_stripe_percentage_fee = $config_stripe_percentage_fee, config_stripe_flat_fee = $config_stripe_flat_fee WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited online payment settings");
if ($config_stripe_enable && $config_stripe_account == 0) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Stripe payment account must be specified!";
} else {
$_SESSION['alert_message'] = "Online Payment Settings updated";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

70
admin/post/settings_online_payment_clients.php Normal file
View File

@@ -0,0 +1,70 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['stripe_remove_pm'])) {
validateCSRFToken($_GET['csrf_token']);
if (!$config_stripe_enable) {
$_SESSION['alert_message'] = "Stripe not enabled";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$client_id = intval($_GET['client_id']);
$payment_method = sanitizeInput($_GET['pm']);
try {
// Initialize stripe
require_once 'plugins/stripe-php/init.php';
$stripe = new \Stripe\StripeClient($config_stripe_secret);
// Detach PM
$stripe->paymentMethods->detach($payment_method, []);
} catch (Exception $e) {
$error = $e->getMessage();
error_log("Stripe payment error - encountered exception when removing payment method info for $payment_method: $error");
logApp("Stripe", "error", "Exception removing payment method for $payment_method: $error");
}
// Remove payment method from ITFlow
mysqli_query($mysqli, "UPDATE client_stripe SET stripe_pm = NULL WHERE client_id = $client_id LIMIT 1");
// Remove Auto Pay on recurring invoices that are stripe
$sql_recurring_invoices = mysqli_query($mysqli, "SELECT recurring_invoice_id FROM recurring_invoices WHERE recurring_invoice_client_id = $client_id");
while ($row = mysqli_fetch_array($sql_recurring_invoices)) {
$recurring_invoice_id = intval($row['recurring_invoice_id']);
mysqli_query($mysqli, "DELETE FROM recurring_payments WHERE recurring_payment_method = 'Stripe' AND recurring_payment_recurring_invoice_id = $recurring_invoice_id");
}
// Logging & Redirect
logAction("Stripe", "Update", "$session_name deleted saved Stripe payment method (PM: $payment_method)", $client_id);
$_SESSION['alert_message'] = "Payment method removed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['stripe_reset_customer'])) {
validateCSRFToken($_GET['csrf_token']);
$client_id = intval($_GET['client_id']);
// Delete the customer id and payment method id stored in ITFlow, allowing the client to set these up again
mysqli_query($mysqli, "DELETE FROM client_stripe WHERE client_id = $client_id");
// Remove Auto Pay on recurring invoices that are stripe
$sql_recurring_invoices = mysqli_query($mysqli, "SELECT recurring_invoice_id FROM recurring_invoices WHERE recurring_invoice_client_id = $client_id");
while ($row = mysqli_fetch_array($sql_recurring_invoices)) {
$recurring_invoice_id = intval($row['recurring_invoice_id']);
mysqli_query($mysqli, "DELETE FROM recurring_payments WHERE recurring_payment_method = 'Stripe' AND recurring_payment_recurring_invoice_id = $recurring_invoice_id");
}
// Logging
logAction("Stripe", "Delete", "$session_name reset Stripe settings for client", $client_id);
$_SESSION['alert_message'] = "Reset client Stripe settings";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

21
admin/post/settings_project.php Normal file
View File

@@ -0,0 +1,21 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_project_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_project_prefix = sanitizeInput($_POST['config_project_prefix']);
$config_project_next_number = intval($_POST['config_project_next_number']);
mysqli_query($mysqli,"UPDATE settings SET config_project_prefix = '$config_project_prefix', config_project_next_number = $config_project_next_number WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited project settings");
$_SESSION['alert_message'] = "Project Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

26
admin/post/settings_quote.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_quote_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_quote_prefix = sanitizeInput($_POST['config_quote_prefix']);
$config_quote_next_number = intval($_POST['config_quote_next_number']);
$config_quote_footer = sanitizeInput($_POST['config_quote_footer']);
$config_quote_notification_email = '';
if (filter_var($_POST['config_quote_notification_email'], FILTER_VALIDATE_EMAIL)) {
$config_quote_notification_email = sanitizeInput($_POST['config_quote_notification_email']);
}
mysqli_query($mysqli,"UPDATE settings SET config_quote_prefix = '$config_quote_prefix', config_quote_next_number = $config_quote_next_number, config_quote_footer = '$config_quote_footer', config_quote_notification_email = '$config_quote_notification_email' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited Quote settings");
$_SESSION['alert_message'] = "Quote Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

28
admin/post/settings_security.php Normal file
View File

@@ -0,0 +1,28 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_security_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_login_message = sanitizeInput($_POST['config_login_message']);
$config_login_key_required = intval($_POST['config_login_key_required'] ?? 0);
$config_login_key_secret = sanitizeInput($_POST['config_login_key_secret']);
$config_login_remember_me_expire = intval($_POST['config_login_remember_me_expire']);
$config_log_retention = intval($_POST['config_log_retention']);
// Disallow turning on login key without a secret
if (empty($config_login_key_secret)) {
$config_login_key_required = 0;
}
mysqli_query($mysqli,"UPDATE settings SET config_login_message = '$config_login_message', config_login_key_required = '$config_login_key_required', config_login_key_secret = '$config_login_key_secret', config_login_remember_me_expire = $config_login_remember_me_expire, config_log_retention = $config_log_retention WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited security settings");
$_SESSION['alert_message'] = "Security settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

20
admin/post/settings_telemetry.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_telemetry_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_telemetry = intval($_POST['config_telemetry']);
mysqli_query($mysqli,"UPDATE settings SET config_telemetry = $config_telemetry WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited telemetry settings");
$_SESSION['alert_message'] = "Telemetry Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

54
admin/post/settings_theme.php Normal file
View File

@@ -0,0 +1,54 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_theme_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$dark_mode = intval($_POST['dark_mode'] ?? 0);
$theme = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['edit_theme_settings']));
mysqli_query($mysqli,"UPDATE settings SET config_theme = '$theme', config_theme_dark = $dark_mode WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited theme settings $dark_mode");
$_SESSION['alert_message'] = "Changed theme to <strong>$theme</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_favicon_settings'])) {
validateCSRFToken($_POST['csrf_token']);
// Check to see if a file is attached
if (isset($_FILES['file']['tmp_name'])) {
if ($new_file_name = checkFileUpload($_FILES['file'], array('ico'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// Delete old file
if(file_exists("uploads/favicon.ico")) {
unlink("uploads/favicon.ico");
}
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/";
//Force File Name
$new_file_name = "favicon.ico";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
}
}
// Logging
logAction("Settings", "Edit", "$session_name changed the favicon");
$_SESSION['alert_message'] = "Favicon Updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

31
admin/post/settings_ticket.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_ticket_settings'])) {
$config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);
$config_ticket_next_number = intval($_POST['config_ticket_next_number']);
$config_ticket_email_parse = intval($_POST['config_ticket_email_parse'] ?? 0);
$config_ticket_email_parse_unknown_senders = intval($_POST['config_ticket_email_parse_unknown_senders'] ?? 0);
$config_ticket_default_billable = intval($_POST['config_ticket_default_billable'] ?? 0);
$config_ticket_autoclose_hours = intval($_POST['config_ticket_autoclose_hours']);
$config_ticket_new_ticket_notification_email = '';
if (filter_var($_POST['config_ticket_new_ticket_notification_email'], FILTER_VALIDATE_EMAIL)) {
$config_ticket_new_ticket_notification_email = sanitizeInput($_POST['config_ticket_new_ticket_notification_email']);
}
$config_ticket_default_view = intval($_POST['config_ticket_default_view']);
$config_ticket_moving_columns = intval($_POST['config_ticket_moving_columns']);
$config_ticket_ordering = intval($_POST['config_ticket_ordering']);
$config_ticket_timer_autostart = intval($_POST['config_ticket_timer_autostart']);
mysqli_query($mysqli,"UPDATE settings SET config_ticket_prefix = '$config_ticket_prefix', config_ticket_next_number = $config_ticket_next_number, config_ticket_email_parse = $config_ticket_email_parse, config_ticket_email_parse_unknown_senders = $config_ticket_email_parse_unknown_senders, config_ticket_autoclose_hours = $config_ticket_autoclose_hours, config_ticket_new_ticket_notification_email = '$config_ticket_new_ticket_notification_email', config_ticket_default_billable = $config_ticket_default_billable, config_ticket_default_view = $config_ticket_default_view, config_ticket_moving_columns = $config_ticket_moving_columns, config_ticket_ordering = $config_ticket_ordering, config_ticket_timer_autostart = $config_ticket_timer_autostart WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name edited ticket settings");
$_SESSION['alert_message'] = "Ticket Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

69
admin/post/software_template.php Normal file
View File

@@ -0,0 +1,69 @@
<?php
// Software/License Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_software_template'])) {
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO software_templates SET software_template_name = '$name', software_template_version = '$version', software_template_description = '$description', software_template_type = '$type', software_template_license_type = '$license_type', software_template_notes = '$notes'");
$software_template_id = mysqli_insert_id($mysqli);
// Logging
logAction("Software Template", "Create", "$session_name created software template $name", 0, $software_template_id);
$_SESSION['alert_message'] = "Software template <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_software_template'])) {
$software_template_id = intval($_POST['software_template_id']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE software_templates SET software_template_name = '$name', software_template_version = '$version', software_template_description = '$description', software_template_type = '$type', software_template_license_type = '$license_type', software_template_notes = '$notes' WHERE software_template_id = $software_template_id");
// Logging
logAction("Software Template", "Edit", "$session_name edited software template $name", 0, $software_template_id);
$_SESSION['alert_message'] = "Software template <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_software_template'])) {
$software_template_id = intval($_GET['delete_software_template']);
// Get Software Template Name for logging and alert message
$sql = mysqli_query($mysqli,"SELECT software_template_name FROM software_templates WHERE software_template_id = $software_template_id");
$row = mysqli_fetch_array($sql);
$software_template_name = sanitizeInput($row['software_template_name']);
mysqli_query($mysqli,"DELETE FROM software_templates WHERE software_template_id = $software_template_id");
//Logging
logAction("Software Template", "Delete", "$session_name deleted software template $software_template_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Software Template <strong>$software_template_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

61
admin/post/tag.php Normal file
View File

@@ -0,0 +1,61 @@
<?php
/*
* ITFlow - GET/POST request handler for tagging
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tag'])) {
require_once 'post/admin/admin_tag_model.php';
mysqli_query($mysqli,"INSERT INTO tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon'");
$tag_id = mysqli_insert_id($mysqli);
// Logging
logAction("Tag", "Create", "$session_name created tag $name", 0, $tag_id);
$_SESSION['alert_message'] = "Tag <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_tag'])) {
require_once 'post/admin/admin_tag_model.php';
$tag_id = intval($_POST['tag_id']);
mysqli_query($mysqli,"UPDATE tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon' WHERE tag_id = $tag_id");
// Logging
logAction("Tag", "Edit", "$session_name edited tag $name", 0, $tag_id);
$_SESSION['alert_message'] = "Tag <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_tag'])) {
$tag_id = intval($_GET['delete_tag']);
// Get Tag Name for logging
$sql = mysqli_query($mysqli,"SELECT tag_name FROM tags WHERE tag_id = $tag_id");
$row = mysqli_fetch_array($sql);
$tag_name = sanitizeInput($row['tag_name']);
mysqli_query($mysqli,"DELETE FROM tags WHERE tag_id = $tag_id");
// Logging
logAction("Tag", "Delete", "$session_name deleted tag $tag_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Tag <strong>$tag_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

7
admin/post/tag_model.php Normal file
View File

@@ -0,0 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = intval($_POST['type']);
$color = sanitizeInput($_POST['color']);
$icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));

85
admin/post/tax.php Normal file
View File

@@ -0,0 +1,85 @@
<?php
/*
* ITFlow - GET/POST request handler for tax
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
mysqli_query($mysqli,"INSERT INTO taxes SET tax_name = '$name', tax_percent = $percent");
$tax_id = mysqli_insert_id($mysqli);
// Logging
logAction("Tax", "Create", "$session_name created tax $name - $percent%", 0, $tax_id);
$_SESSION['alert_message'] = "Tax <strong>$name</strong> ($percent%) created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$tax_id = intval($_POST['tax_id']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
mysqli_query($mysqli,"UPDATE taxes SET tax_name = '$name', tax_percent = $percent WHERE tax_id = $tax_id");
// Logging
logAction("Tax", "Edit", "$session_name edited tax $name - $percent%", 0, $tax_id);
$_SESSION['alert_message'] = "Tax <strong>$name</strong> ($percent%) edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_tax'])) {
validateCSRFToken($_GET['csrf_token']);
$tax_id = intval($_GET['archive_tax']);
// Get Tax Name for logging
$sql = mysqli_query($mysqli,"SELECT tax_name FROM taxes WHERE tax_id = $tax_id");
$row = mysqli_fetch_array($sql);
$tax_name = sanitizeInput($row['tax_name']);
mysqli_query($mysqli,"UPDATE taxes SET tax_archived_at = NOW() WHERE tax_id = $tax_id");
// Logging
logAction("Tax", "Archive", "$session_name archived tax $tax_name", 0, $tax_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Tax <strong>$tax_name</strong> Archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_tax'])) {
$tax_id = intval($_GET['delete_tax']);
// Get Tax Name for logging
$sql = mysqli_query($mysqli,"SELECT tax_name FROM taxs WHERE tax_id = $tax_id");
$row = mysqli_fetch_array($sql);
$tax_name = sanitizeInput($row['tax_name']);
mysqli_query($mysqli,"DELETE FROM taxes WHERE tax_id = $tax_id");
// Logging
logAction("Tax", "Delete", "$session_name deleted tax $tax_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Tax <strong>$tax_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

66
admin/post/ticket_status.php Normal file
View File

@@ -0,0 +1,66 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_ticket_status'])) {
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
mysqli_query($mysqli, "INSERT INTO ticket_statuses SET ticket_status_name = '$name', ticket_status_color = '$color'");
$ticket_status_id = mysqli_insert_id($mysqli);
// Logging
logAction("Ticket Status", "Create", "$session_name created custom ticket status $name", 0, $ticket_status_id);
$_SESSION['alert_message'] = "Custom Ticket Status <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_status'])) {
$ticket_status_id = intval($_POST['ticket_status_id']);
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
$order = intval($_POST['order']);
$status = intval($_POST['status']);
mysqli_query($mysqli, "UPDATE ticket_statuses SET ticket_status_name = '$name', ticket_status_color = '$color', ticket_status_order = $order, ticket_status_active = $status WHERE ticket_status_id = $ticket_status_id");
// Logging
logAction("Ticket Status", "Edit", "$session_name edited custom ticket status $name", 0, $ticket_status_id);
$_SESSION['alert_message'] = "Custom Ticket Status <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_ticket_status'])) {
validateCSRFToken($_GET['csrf_token']);
$ticket_status_id = intval($_GET['delete_ticket_status']);
if ($ticket_status_id <= 5) {
exit("Can't delete built-in statuses");
}
// Get ticket status name for logging and notification
$sql = mysqli_query($mysqli, "SELECT * FROM ticket_statuses WHERE ticket_status_id = $ticket_status_id");
$row = mysqli_fetch_array($sql);
$ticket_status_name = sanitizeInput($row['ticket_status_name']);
mysqli_query($mysqli, "DELETE FROM ticket_statuses WHERE ticket_status_id = $ticket_status_id");
// Logging
logAction("Ticket Status", "Delete", "$session_name deleted custom ticket status $ticket_status_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Custom Ticket Status <strong>$ticket_status_name</strong> Deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

119
admin/post/ticket_template.php Normal file
View File

@@ -0,0 +1,119 @@
<?php
// Ticket Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side tickets/tasks as we reuse functions
require_once 'post/user/ticket.php';
require_once 'post/user/task.php';
if (isset($_POST['add_ticket_template'])) {
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$subject = sanitizeInput($_POST['subject']);
$details = mysqli_real_escape_string($mysqli, $_POST['details']);
$project_template_id = intval($_POST['project_template']);
mysqli_query($mysqli, "INSERT INTO ticket_templates SET ticket_template_name = '$name', ticket_template_description = '$description', ticket_template_subject = '$subject', ticket_template_details = '$details'");
$ticket_template_id = mysqli_insert_id($mysqli);
if($project_template_id) {
mysqli_query($mysqli, "INSERT INTO project_template_ticket_templates SET project_template_id = $project_template_id, ticket_template_id = $ticket_template_id");
}
// Logging
logAction("Ticket Template", "Create", "$session_name created ticket template $name", 0, $ticket_template_id);
$_SESSION['alert_message'] = "Ticket Template <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_template'])) {
$ticket_template_id = intval($_POST['ticket_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$subject = sanitizeInput($_POST['subject']);
$details = mysqli_real_escape_string($mysqli, $_POST['details']);
mysqli_query($mysqli, "UPDATE ticket_templates SET ticket_template_name = '$name', ticket_template_description = '$description', ticket_template_subject = '$subject', ticket_template_details = '$details' WHERE ticket_template_id = $ticket_template_id");
// Logging
logAction("Ticket Template", "Edit", "$session_name edited ticket template $name", 0, $ticket_template_id);
$_SESSION['alert_message'] = "Ticket Template <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_ticket_template'])) {
$ticket_template_id = intval($_GET['delete_ticket_template']);
// Get ticket template name
$sql = mysqli_query($mysqli, "SELECT * FROM ticket_templates WHERE ticket_template_id = $ticket_template_id");
$row = mysqli_fetch_array($sql);
$ticket_template_name = sanitizeInput($row['ticket_template_name']);
mysqli_query($mysqli, "DELETE FROM ticket_templates WHERE ticket_template_id = $ticket_template_id");
// Delete Associated Tasks
mysqli_query($mysqli, "DELETE FROM task_templates WHERE task_template_ticket_template_id = $ticket_template_id");
// Remove from Associated Project Templates
mysqli_query($mysqli, "DELETE FROM project_template_ticket_templates WHERE ticket_template_id = $ticket_template_id");
// Logging
logAction("Ticket Template", "Delete", "$session_name deleted ticket template $ticket_template_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Ticket Template <strong>$ticket_template_name</strong> and its associated tasks deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_ticket_template_task'])) {
$ticket_template_id = intval($_POST['ticket_template_id']);
$task_name = sanitizeInput($_POST['task_name']);
mysqli_query($mysqli, "INSERT INTO task_templates SET task_template_name = '$task_name', task_template_ticket_template_id = $ticket_template_id");
$task_template_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task Template', log_action = 'Create', log_description = '$session_name created task template $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_template_id");
// Logging
logAction("Ticket Template", "Edit", "$session_name added task $task_name to ticket template", 0, $ticket_template_id);
$_SESSION['alert_message'] = "Added Task <strong>$task_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_task_template'])) {
$task_template_id = intval($_GET['delete_task_template']);
// Get task template name
$sql = mysqli_query($mysqli, "SELECT * FROM task_templates WHERE task_template_id = $task_template_id");
$row = mysqli_fetch_array($sql);
$task_template_name = sanitizeInput($row['task_template_name']);
mysqli_query($mysqli, "DELETE FROM task_templates WHERE task_template_id = $task_template_id");
// Logging
logAction("Ticket Template", "Edit", "$session_name deleted task $task_template_name from ticket template");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Task <strong>$task_template_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

304
admin/post/update.php Normal file
View File

@@ -0,0 +1,304 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_GET['update'])) {
validateAdminRole(); // Old function
//git fetch downloads the latest from remote without trying to merge or rebase anything. Then the git reset resets the master branch to what you just fetched. The --hard option changes all the files in your working tree to match the files in origin/master
if (isset($_GET['force_update']) == 1) {
exec("git fetch --all");
exec("git reset --hard origin/master");
} else {
exec("git pull");
}
//header("Location: post.php?update_db");
// Send Telemetry if enabled during update
if ($config_telemetry > 0 OR $config_telemetry = 2) {
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = sanitizeInput($row['company_name']);
$website = sanitizeInput($row['company_website']);
$city = sanitizeInput($row['company_city']);
$state = sanitizeInput($row['company_state']);
$country = sanitizeInput($row['company_country']);
$currency = sanitizeInput($row['company_currency']);
$current_version = exec("git rev-parse HEAD");
// Client Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('client_id') AS num FROM clients"));
$client_count = $row['num'];
// Ticket Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('recurring_id') AS num FROM tickets"));
$ticket_count = $row['num'];
// Recurring Ticket Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('recurring_ticket_id') AS num FROM recurring_tickets"));
$recurring_ticket_count = $row['num'];
// Calendar Event Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('event_id') AS num FROM calendar_events"));
$calendar_event_count = $row['num'];
// Quote Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('quote_id') AS num FROM quotes"));
$quote_count = $row['num'];
// Invoice Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('invoice_id') AS num FROM invoices"));
$invoice_count = $row['num'];
// Revenue Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('revenue_id') AS num FROM revenues"));
$revenue_count = $row['num'];
// Recurring Invoice Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('recurring_invoice_id') AS num FROM recurring_invoices"));
$recurring_invoice_count = $row['num'];
// Account Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('account_id') AS num FROM accounts"));
$account_count = $row['num'];
// Tax Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('tax_id') AS num FROM taxes"));
$tax_count = $row['num'];
// Product Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('product_id') AS num FROM products"));
$product_count = $row['num'];
// Payment Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('payment_id') AS num FROM payments WHERE payment_invoice_id > 0"));
$payment_count = $row['num'];
// Company Vendor Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('vendor_id') AS num FROM vendors WHERE vendor_client_id = 0"));
$company_vendor_count = $row['num'];
// Expense Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('expense_id') AS num FROM expenses WHERE expense_vendor_id > 0"));
$expense_count = $row['num'];
// Trip Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('trip_id') AS num FROM trips"));
$trip_count = $row['num'];
// Transfer Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('transfer_id') AS num FROM transfers"));
$transfer_count = $row['num'];
// Contact Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('contact_id') AS num FROM contacts"));
$contact_count = $row['num'];
// Location Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('location_id') AS num FROM locations"));
$location_count = $row['num'];
// Asset Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('asset_id') AS num FROM assets"));
$asset_count = $row['num'];
// Software Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('software_id') AS num FROM software"));
$software_count = $row['num'];
// Software Template Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('software_template_id') AS num FROM software_templates"));
$software_template_count = $row['num'];
// Password Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('credential_id') AS num FROM credentials"));
$credential_count = $row['num'];
// Network Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('network_id') AS num FROM networks"));
$network_count = $row['num'];
// Certificate Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('certificate_id') AS num FROM certificates"));
$certificate_count = $row['num'];
// Domain Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('domain_id') AS num FROM domains"));
$domain_count = $row['num'];
// Service Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('service_id') AS num FROM services"));
$service_count = $row['num'];
// Client Vendor Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('vendor_id') AS num FROM vendors WHERE vendor_client_id > 0"));
$client_vendor_count = $row['num'];
// Vendor Template Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('vendor_template_id') AS num FROM vendor_templates"));
$vendor_template_count = $row['num'];
// File Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('file_id') AS num FROM files"));
$file_count = $row['num'];
// Document Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('document_id') AS num FROM documents"));
$document_count = $row['num'];
// Document Template Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('document_template_id') AS num FROM document_templates"));
$document_template_count = $row['num'];
// Shared Item Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('item_id') AS num FROM shared_items"));
$shared_item_count = $row['num'];
// Company Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('company_id') AS num FROM companies"));
$company_count = $row['num'];
// User Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('user_id') AS num FROM users"));
$user_count = $row['num'];
// Category Expense Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('category_id') AS num FROM categories WHERE category_type = 'Expense'"));
$category_expense_count = $row['num'];
// Category Income Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('category_id') AS num FROM categories WHERE category_type = 'Income'"));
$category_income_count = $row['num'];
// Category Referral Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('category_id') AS num FROM categories WHERE category_type = 'Referral'"));
$category_referral_count = $row['num'];
// Category Payment Method Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('category_id') AS num FROM categories WHERE category_type = 'Payment Method'"));
$category_payment_method_count = $row['num'];
// Tag Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('tag_id') AS num FROM tags"));
$tag_count = $row['num'];
// API Key Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('api_key_id') AS num FROM api_keys"));
$api_key_count = $row['num'];
// Log Count
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('log_id') AS num FROM logs"));
$log_count = $row['num'];
$postdata = http_build_query(
array(
'installation_id' => "$installation_id",
'version' => "$current_version",
'company_name' => "$company_name",
'website' => "$website",
'city' => "$city",
'state' => "$state",
'country' => "$country",
'currency' => "$currency",
'comments' => "$comments",
'client_count' => $client_count,
'ticket_count' => $ticket_count,
'recurring_ticket_count' => $recurring_ticket_count,
'calendar_event_count' => $calendar_event_count,
'quote_count' => $quote_count,
'invoice_count' => $invoice_count,
'revenue_count' => $revenue_count,
'recurring_invoice_count' => $recurring_invoice_count,
'account_count' => $account_count,
'tax_count' => $tax_count,
'product_count' => $product_count,
'payment_count' => $payment_count,
'company_vendor_count' => $company_vendor_count,
'expense_count' => $expense_count,
'trip_count' => $trip_count,
'transfer_count' => $transfer_count,
'contact_count' => $contact_count,
'location_count' => $location_count,
'asset_count' => $asset_count,
'software_count' => $software_count,
'software_template_count' => $software_template_count,
'credential_count' => $credential_count,
'network_count' => $network_count,
'certificate_count' => $certificate_count,
'domain_count' => $domain_count,
'service_count' => $service_count,
'client_vendor_count' => $client_vendor_count,
'vendor_template_count' => $vendor_template_count,
'file_count' => $file_count,
'document_count' => $document_count,
'document_template_count' => $document_template_count,
'shared_item_count' => $shared_item_count,
'company_count' => $company_count,
'user_count' => $user_count,
'category_expense_count' => $category_expense_count,
'category_income_count' => $category_income_count,
'category_referral_count' => $category_referral_count,
'category_payment_method_count' => $category_payment_method_count,
'tag_count' => $tag_count,
'api_key_count' => $api_key_count,
'log_count' => $log_count,
'config_theme' => "$config_theme",
'config_enable_cron' => $config_enable_cron,
'config_ticket_email_parse' => $config_ticket_email_parse,
'config_module_enable_itdoc' => $config_module_enable_itdoc,
'config_module_enable_ticketing' => $config_module_enable_ticketing,
'config_module_enable_accounting' => $config_module_enable_accounting,
'config_telemetry' => $config_telemetry,
'collection_method' => 4
)
);
$opts = array('http' =>
array(
'method' => 'POST',
'header' => 'Content-type: application/x-www-form-urlencoded',
'content' => $postdata
)
);
$context = stream_context_create($opts);
$result = file_get_contents('https://telemetry.itflow.org', false, $context);
}
// Logging
logAction("App", "Update", "$session_name ran updates");
$_SESSION['alert_message'] = "Update successful";
sleep(1);
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['update_db'])) {
//validateAdminRole(); // Old function
// Get the current version
require_once ('includes/database_version.php');
// Perform upgrades, if required
require_once ('database_updates.php');
// Logging
logAction("Database", "Update", "$session_name updated the database structure");
$_SESSION['alert_message'] = "Database structure update successful";
sleep(1);
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

2
admin/post/user_model.php
View File

@@ -1,5 +1,7 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$email = sanitizeInput($_POST['email']);
$role = intval($_POST['role']);

4
admin/post/user.php → admin/post/users.php
View File

@@ -4,9 +4,7 @@
* ITFlow - GET/POST request handler for user (agent) management
*/
require_once "../../config.php";
require_once "../../functions.php";
require_once "../../includes/check_login.php";
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_user'])) {

162
admin/post/vendor_template.php Normal file
View File

@@ -0,0 +1,162 @@
<?php
// Vendor Templates
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Import shared code from user-side vendor management as we reuse functions
require_once 'post/user/vendor.php';
if (isset($_POST['add_vendor_template'])) {
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$account_number = sanitizeInput($_POST['account_number']);
$contact_name = sanitizeInput($_POST['contact_name']);
$phone_country_code = preg_replace("/[^0-9]/", '', $_POST['phone_country_code']);
$phone = preg_replace("/[^0-9]/", '', $_POST['phone']);
$extension = preg_replace("/[^0-9]/", '', $_POST['extension']);
$email = sanitizeInput($_POST['email']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
$hours = sanitizeInput($_POST['hours']);
$sla = sanitizeInput($_POST['sla']);
$code = sanitizeInput($_POST['code']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO vendor_templates SET vendor_template_name = '$name', vendor_template_description = '$description', vendor_template_contact_name = '$contact_name', vendor_template_phone = '$phone', vendor_template_extension = '$extension', vendor_template_email = '$email', vendor_template_website = '$website', vendor_template_hours = '$hours', vendor_template_sla = '$sla', vendor_template_code = '$code', vendor_template_account_number = '$account_number', vendor_template_notes = '$notes'");
$vendor_template_id = mysqli_insert_id($mysqli);
// Logging
logAction("Vendor Template", "Create", "$session_name created vendor template $name", 0, $vendor_template_id);
$_SESSION['alert_message'] = "Vendor template <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_vendor_template'])) {
$vendor_template_id = intval($_POST['vendor_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$account_number = sanitizeInput($_POST['account_number']);
$contact_name = sanitizeInput($_POST['contact_name']);
$phone_country_code = preg_replace("/[^0-9]/", '', $_POST['phone_country_code']);
$phone = preg_replace("/[^0-9]/", '', $_POST['phone']);
$extension = preg_replace("/[^0-9]/", '', $_POST['extension']);
$email = sanitizeInput($_POST['email']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
$hours = sanitizeInput($_POST['hours']);
$sla = sanitizeInput($_POST['sla']);
$code = sanitizeInput($_POST['code']);
$notes = sanitizeInput($_POST['notes']);
if ($_POST['global_update_vendor_name'] == 1) {
$sql_global_update_vendor_name = ", vendor_name = '$name'";
} else {
$sql_global_update_vendor_name = "";
}
if ($_POST['global_update_vendor_description'] == 1) {
$sql_global_update_vendor_description = ", vendor_description = '$description'";
} else {
$sql_global_update_vendor_description = "";
}
if ($_POST['global_update_vendor_account_number'] == 1) {
$sql_global_update_vendor_account_number = ", vendor_account_number = '$account_number'";
} else {
$sql_global_update_vendor_account_number = "";
}
if ($_POST['global_update_vendor_contact_name'] == 1) {
$sql_global_update_vendor_contact_name = ", vendor_contact_name = '$contact_name'";
} else {
$sql_global_update_vendor_contact_name = "";
}
if ($_POST['global_update_vendor_phone'] == 1) {
$sql_global_update_vendor_phone = ", vendor_phone_country_code = '$phone_country_code', vendor_phone = '$phone', vendor_extension = '$extension'";
} else {
$sql_global_update_vendor_phone = "";
}
if ($_POST['global_update_vendor_hours'] == 1) {
$sql_global_update_vendor_hours = ", vendor_hours = '$hours'";
} else {
$sql_global_update_vendor_hours = "";
}
if ($_POST['global_update_vendor_email'] == 1) {
$sql_global_update_vendor_email = ", vendor_email = '$email'";
} else {
$sql_global_update_vendor_email = "";
}
if ($_POST['global_update_vendor_website'] == 1) {
$sql_global_update_vendor_website = ", vendor_website = '$website'";
} else {
$sql_global_update_vendor_website = "";
}
if ($_POST['global_update_vendor_sla'] == 1) {
$sql_global_update_vendor_sla = ", vendor_sla = '$sla'";
} else {
$sql_global_update_vendor_sla = "";
}
if ($_POST['global_update_vendor_code'] == 1) {
$sql_global_update_vendor_code = ", vendor_code = '$code'";
} else {
$sql_global_update_vendor_code = "";
}
if ($_POST['global_update_vendor_notes'] == 1) {
$sql_global_update_vendor_notes = ", vendor_notes = '$notes'";
} else {
$sql_global_update_vendor_notes = "";
}
// Update just the template
mysqli_query($mysqli,"UPDATE vendor_templates SET vendor_template_name = '$name', vendor_template_description = '$description', vendor_template_contact_name = '$contact_name', vendor_template_phone_country_code = '$phone_country_code', vendor_template_phone = '$phone', vendor_template_extension = '$extension', vendor_template_email = '$email', vendor_template_website = '$website', vendor_template_hours = '$hours', vendor_template_sla = '$sla', vendor_template_code = '$code', vendor_template_account_number = '$account_number', vendor_template_notes = '$notes' WHERE vendor_template_id = $vendor_template_id");
if ($_POST['update_base_vendors'] == 1) {
// Update client related vendors if anything is checked
$sql = "$sql_global_update_vendor_name $sql_global_update_vendor_description $sql_global_update_vendor_account_number $sql_global_update_vendor_contact_name $sql_global_update_vendor_phone $sql_global_update_vendor_hours $sql_global_update_vendor_email $sql_global_update_vendor_website $sql_global_update_vendor_sla $sql_global_update_vendor_code $sql_global_update_vendor_notes";
// Remove the first comma to prevent MySQL error
$sql = preg_replace('/,/', '', $sql, 1);
mysqli_query($mysqli,"UPDATE vendors SET $sql WHERE vendor_template_id = $vendor_template_id");
}
// Logging
logAction("Vendor Template", "Edit", "$session_name edited vendor template $name", 0, $vendor_template_id);
$_SESSION['alert_message'] = "Vendor template <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_vendor_template'])) {
$vendor_template_id = intval($_GET['delete_vendor_template']);
//Get Vendor Template Name
$sql = mysqli_query($mysqli,"SELECT vendor_template_name FROM vendor_templates WHERE vendor_template_id = $vendor_template_id");
$row = mysqli_fetch_array($sql);
$vendor_template_name = sanitizeInput($row['vendor_template_name']);
// If its a template reset all vendors based off this template to no template base
mysqli_query($mysqli,"UPDATE vendors SET vendor_template_id = 0 WHERE vendor_template_id = $vendor_template_id");
mysqli_query($mysqli,"DELETE FROM vendor_templates WHERE vendor_template_id = $vendor_template_id");
// Logging
logAction("Vendor Template", "Delete", "$session_name deleted vendor template $vendor_template_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Vendor Template <strong>$vendor_template_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}