From 40789eff32e663a402991f7b9b20022512943c18 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 1 Jan 2023 13:40:18 +0000 Subject: [PATCH 1/9] Deduplicate sql payment years query --- dashboard_financial.php | 3 - dashboard_technical.php | 898 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 898 insertions(+), 3 deletions(-) create mode 100644 dashboard_technical.php diff --git a/dashboard_financial.php b/dashboard_financial.php index 696eab02..941970b9 100644 --- a/dashboard_financial.php +++ b/dashboard_financial.php @@ -27,9 +27,6 @@ if(isset($_GET['year'])){ //GET unique years from expenses, payments and revenues $sql_payment_years = mysqli_query($mysqli,"SELECT YEAR(expense_date) AS all_years FROM expenses WHERE company_id = $session_company_id UNION DISTINCT SELECT YEAR(payment_date) FROM payments WHERE company_id = $session_company_id UNION DISTINCT SELECT YEAR(revenue_date) FROM revenues WHERE company_id = $session_company_id ORDER BY all_years DESC"); - -//GET unique years from expenses, payments and revenues -$sql_payment_years = mysqli_query($mysqli,"SELECT YEAR(expense_date) AS all_years FROM expenses WHERE company_id = $session_company_id UNION DISTINCT SELECT YEAR(payment_date) FROM payments WHERE company_id = $session_company_id UNION DISTINCT SELECT YEAR(revenue_date) FROM revenues WHERE company_id = $session_company_id ORDER BY all_years DESC"); //Define var so it doesnt throw errors in logs $largest_income_month = 0; diff --git a/dashboard_technical.php b/dashboard_technical.php new file mode 100644 index 00000000..94f81745 --- /dev/null +++ b/dashboard_technical.php 
@@ -0,0 +1,898 @@ + + + 0 AND company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_total_revenues); +$total_revenues = $row['total_revenues']; + +$total_income = $total_payments_to_invoices + $total_revenues; + +//Get Total expenses and do not grab transfer expenses as these have a vendor of 0 +$sql_total_expenses = mysqli_query($mysqli,"SELECT SUM(expense_amount) AS total_expenses FROM expenses WHERE expense_vendor_id > 0 AND YEAR(expense_date) = $year AND company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_total_expenses); +$total_expenses = $row['total_expenses']; + +//Total up all the Invoices that are not draft or cancelled +$sql_invoice_totals = mysqli_query($mysqli,"SELECT SUM(invoice_amount) AS invoice_totals FROM invoices WHERE invoice_status NOT LIKE 'Draft' AND invoice_status NOT LIKE 'Cancelled' AND YEAR(invoice_date) = $year AND company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_invoice_totals); +$invoice_totals = $row['invoice_totals']; + +//Quaeries from Receivables +$sql_total_payments_to_invoices_all_years = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments_to_invoices_all_years FROM payments WHERE company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_total_payments_to_invoices_all_years); +$total_payments_to_invoices_all_years = $row['total_payments_to_invoices_all_years']; + +$sql_invoice_totals_all_years = mysqli_query($mysqli,"SELECT SUM(invoice_amount) AS invoice_totals_all_years FROM invoices WHERE invoice_status NOT LIKE 'Draft' AND invoice_status NOT LIKE 'Cancelled' AND company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_invoice_totals_all_years); +$invoice_totals_all_years = $row['invoice_totals_all_years']; + +$receivables = $invoice_totals_all_years - $total_payments_to_invoices_all_years; + +$profit = $total_income - $total_expenses; + +$sql_accounts = mysqli_query($mysqli,"SELECT * FROM accounts WHERE company_id = $session_company_id"); + 
+$sql_latest_invoice_payments = mysqli_query($mysqli,"SELECT * FROM payments, invoices, clients + WHERE payment_invoice_id = invoice_id + AND invoice_client_id = client_id + AND clients.company_id = $session_company_id + ORDER BY payment_id DESC LIMIT 5" +); + +$sql_latest_expenses = mysqli_query($mysqli,"SELECT * FROM expenses, vendors, categories + WHERE expense_vendor_id = vendor_id + AND expense_category_id = category_id + AND expenses.company_id = $session_company_id + ORDER BY expense_id DESC LIMIT 5" +); + +//Get Monthly Recurring Total +$sql_recurring_monthly_total = mysqli_query($mysqli,"SELECT SUM(recurring_amount) AS recurring_monthly_total FROM recurring WHERE recurring_status = 1 AND recurring_frequency = 'month' AND company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_recurring_monthly_total); +$recurring_monthly_total = $row['recurring_monthly_total']; + +//Get Yearly Recurring Total +$sql_recurring_yearly_total = mysqli_query($mysqli,"SELECT SUM(recurring_amount) AS recurring_yearly_total FROM recurring WHERE recurring_status = 1 AND recurring_frequency = 'year' AND company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_recurring_yearly_total); +$recurring_yearly_total = $row['recurring_yearly_total']; + +//Get Total Miles Driven +$sql_miles_driven = mysqli_query($mysqli,"SELECT SUM(trip_miles) AS total_miles FROM trips WHERE YEAR(trip_date) = $year AND company_id = $session_company_id"); +$row = mysqli_fetch_array($sql_miles_driven); +$total_miles = $row['total_miles']; + +//Get Total Clients added +$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('client_id') AS clients_added FROM clients WHERE YEAR(client_created_at) = $year AND company_id = $session_company_id")); +$clients_added = $row['clients_added']; + +//Get Total Vendors added +$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('vendor_id') AS vendors_added FROM vendors WHERE YEAR(vendor_created_at) = $year AND vendor_client_id = 0 AND 
company_id = $session_company_id")); +$vendors_added = $row['vendors_added']; + +?> + +
+ +
+ + +
+ + + + + + +
+ +
+
+

+

Profit

+
+
+ +
+
+
+ + +
+ +
+
+

+

Monthly Recurring

+
+
+ +
+
+
+ + +
+ +
+
+

+

Yearly Recurring

+
+
+ +
+
+
+ + + + + + + + + + + +
+
+
+

Cash Flow

+
+ + + + +
+
+
+ +
+
+
+ +
+
+
+

Trip Flow

+
+ + + + +
+
+
+ +
+
+
+ +
+
+
+

Income By Category

+
+ +
+
+
+ +
+
+
+ +
+
+
+

Expenses By Category

+
+ +
+
+
+ +
+
+
+ +
+
+
+

Expenses By Vendor

+
+ +
+
+
+ +
+
+
+ +
+
+
+

Account Balance

+
+ +
+
+
+ + + + + + + + + + + +
+
+
+
+
+
+
+

Latest Income

+
+ +
+
+
+ + + + + + + + + + + + + + + + + + + +
DateCustomerInvoiceAmount
+
+
+
+
+
+
+

Latest Expenses

+
+ +
+
+
+ + + + + + + + + + + + + + + + + + + +
DateVendorCategoryAmount
+
+
+
+
+ + + \ No newline at end of file From 4ec88257d7707c5a0aecba8f2da2c23d47df1d33 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 1 Jan 2023 13:40:54 +0000 Subject: [PATCH 2/9] Add basic outline for technical dashboard --- dashboard_technical.php | 908 ++-------------------------------------- 1 file changed, 46 insertions(+), 862 deletions(-) diff --git a/dashboard_technical.php b/dashboard_technical.php index 94f81745..f1cc5e80 100644 --- a/dashboard_technical.php +++ b/dashboard_technical.php 
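Review bot: `$year` is interpolated straight into the SQL of the total-expenses, invoice-totals, miles-driven, clients-added and vendors-added queries, and the rendered hunk does not show where it is assigned (the opening lines of the new file came through stripped); dashboard_financial.php, of which this file looks like a verbatim copy, takes it from `$_GET['year']` per that hunk's `if(isset($_GET['year'])){` context, so it should be coerced before use, `$year = intval($_GET['year']);`, or bound through a prepared statement. Each `mysqli_query()` result is also handed to `mysqli_fetch_array()`/`mysqli_fetch_assoc()` unchecked, so a failed query surfaces as a TypeError under PHP 8 rather than as a handled error. Separately, the commit subject only describes the dedup in dashboard_financial.php; an 898-line new file belongs in its own commit so the copy can be reviewed on its own.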
@@ -2,897 +2,81 @@ 0 AND company_id = $session_company_id"); -$row = mysqli_fetch_array($sql_total_revenues); -$total_revenues = $row['total_revenues']; - -$total_income = $total_payments_to_invoices + $total_revenues; - -//Get Total expenses and do not grab transfer expenses as these have a vendor of 0 -$sql_total_expenses = mysqli_query($mysqli,"SELECT SUM(expense_amount) AS total_expenses FROM expenses WHERE expense_vendor_id > 0 AND YEAR(expense_date) = $year AND company_id = $session_company_id"); -$row = mysqli_fetch_array($sql_total_expenses); -$total_expenses = $row['total_expenses']; - -//Total up all the Invoices that are not draft or cancelled -$sql_invoice_totals = mysqli_query($mysqli,"SELECT SUM(invoice_amount) AS invoice_totals FROM invoices WHERE invoice_status NOT LIKE 'Draft' AND invoice_status NOT LIKE 'Cancelled' AND YEAR(invoice_date) = $year AND company_id = $session_company_id"); -$row = mysqli_fetch_array($sql_invoice_totals); -$invoice_totals = $row['invoice_totals']; - -//Quaeries from Receivables -$sql_total_payments_to_invoices_all_years = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments_to_invoices_all_years FROM payments WHERE company_id = $session_company_id"); -$row = mysqli_fetch_array($sql_total_payments_to_invoices_all_years); -$total_payments_to_invoices_all_years = $row['total_payments_to_invoices_all_years']; - -$sql_invoice_totals_all_years = mysqli_query($mysqli,"SELECT SUM(invoice_amount) AS invoice_totals_all_years FROM invoices WHERE invoice_status NOT LIKE 'Draft' AND invoice_status NOT LIKE 'Cancelled' AND company_id = $session_company_id"); -$row = mysqli_fetch_array($sql_invoice_totals_all_years); -$invoice_totals_all_years = $row['invoice_totals_all_years']; - -$receivables = $invoice_totals_all_years - $total_payments_to_invoices_all_years; - -$profit = $total_income - $total_expenses; - -$sql_accounts = mysqli_query($mysqli,"SELECT * FROM accounts WHERE company_id = $session_company_id"); - 
-$sql_latest_invoice_payments = mysqli_query($mysqli,"SELECT * FROM payments, invoices, clients - WHERE payment_invoice_id = invoice_id - AND invoice_client_id = client_id - AND clients.company_id = $session_company_id - ORDER BY payment_id DESC LIMIT 5" -); - -$sql_latest_expenses = mysqli_query($mysqli,"SELECT * FROM expenses, vendors, categories - WHERE expense_vendor_id = vendor_id - AND expense_category_id = category_id - AND expenses.company_id = $session_company_id - ORDER BY expense_id DESC LIMIT 5" -); +// Ticket count +$sql_tickets = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS active_tickets FROM tickets WHERE ticket_status != 'Closed'")); +$active_tickets = $sql_tickets['active_tickets']; //Get Monthly Recurring Total $sql_recurring_monthly_total = mysqli_query($mysqli,"SELECT SUM(recurring_amount) AS recurring_monthly_total FROM recurring WHERE recurring_status = 1 AND recurring_frequency = 'month' AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql_recurring_monthly_total); $recurring_monthly_total = $row['recurring_monthly_total']; -//Get Yearly Recurring Total -$sql_recurring_yearly_total = mysqli_query($mysqli,"SELECT SUM(recurring_amount) AS recurring_yearly_total FROM recurring WHERE recurring_status = 1 AND recurring_frequency = 'year' AND company_id = $session_company_id"); -$row = mysqli_fetch_array($sql_recurring_yearly_total); -$recurring_yearly_total = $row['recurring_yearly_total']; - -//Get Total Miles Driven -$sql_miles_driven = mysqli_query($mysqli,"SELECT SUM(trip_miles) AS total_miles FROM trips WHERE YEAR(trip_date) = $year AND company_id = $session_company_id"); -$row = mysqli_fetch_array($sql_miles_driven); -$total_miles = $row['total_miles']; - -//Get Total Clients added -$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('client_id') AS clients_added FROM clients WHERE YEAR(client_created_at) = $year AND company_id = $session_company_id")); -$clients_added = 
$row['clients_added']; - -//Get Total Vendors added -$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('vendor_id') AS vendors_added FROM vendors WHERE YEAR(vendor_created_at) = $year AND vendor_client_id = 0 AND company_id = $session_company_id")); -$vendors_added = $row['vendors_added']; ?>
- +
- - - - - -
- -
-
-

-

Profit

-
-
- -
+ -
- + -
- -
-
-

-

Monthly Recurring

-
-
- -
+ -
- + -
- -
-
-

-

Yearly Recurring

-
-
- -
-
-
- - - - - - - - - - - -
-
-
-

Cash Flow

-
- - - - -
-
-
- -
-
-
- -
-
-
-

Trip Flow

-
- - - - -
-
-
- -
-
-
- -
-
-
-

Income By Category

-
- -
-
-
- -
-
-
- -
-
-
-

Expenses By Category

-
- -
-
-
- -
-
-
- -
-
-
-

Expenses By Vendor

-
- -
-
-
- -
-
-
- -
-
-
-

Account Balance

-
- -
-
-
- - - - - - - - - - - -
-
-
-
-
-
-
-

Latest Income

-
- -
-
-
- - - - - - - - - - - - - - - - - - - -
DateCustomerInvoiceAmount
-
-
-
-
-
-
-

Latest Expenses

-
- -
-
-
- - - - - - - - - - - - - - - - - - - -
DateVendorCategoryAmount
-
-
-
- - \ No newline at end of file + \ No newline at end of file From 07986954f55b2d3727217a3e932b8ddeab75394d Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 1 Jan 2023 13:41:29 +0000 Subject: [PATCH 3/9] Redirect/show techs to technical dashboard on login/navbar --- login.php | 153 +++++++++++++---------- side_nav.php | 341 +++++++++++++++++++++++++++------------------------ 2 files changed, 263 insertions(+), 231 deletions(-) diff --git a/login.php b/login.php index 522d63af..88a5c64b 100644 --- a/login.php +++ b/login.php @@ -17,7 +17,7 @@ ini_set("session.cookie_httponly", True); // Tell client to only send cookie(s) over HTTPS if($config_https_only){ - ini_set("session.cookie_secure", True); + ini_set("session.cookie_secure", True); } // Handle POST login request 
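Review bot: The new active-tickets query `SELECT COUNT(ticket_id) AS active_tickets FROM tickets WHERE ticket_status != 'Closed'` has no `company_id = $session_company_id` predicate, while every other query kept in this file, including the recurring-monthly-total query directly below it, is scoped to the session's company; assuming `tickets` carries a `company_id` column like the other tables, the count will include every company's tickets. Proposed: `... WHERE ticket_status != 'Closed' AND company_id = $session_company_id`. The variable name `$sql_tickets` also holds the fetched row rather than a result set, unlike the `$sql_*`/`$row` pairing used everywhere else in the file; `$row = mysqli_fetch_assoc(...)` would keep the convention.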
@@ -28,22 +28,22 @@ if(isset($_POST['login'])){ // Check recent failed login attempts for this IP (more than 10 failed logins in 5 mins) $row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 5 MINUTE)")); - + $failed_login_count = $row['failed_login_count']; // Login brute force check if($failed_login_count >= 10){ - // Logging - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'"); + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'"); - // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company) - if($failed_login_count == 10){ - mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'"); - } + // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company) + if($failed_login_count == 10){ + mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'"); + } - // Inform user - $response = '
IP Lockout - Please try again later.
'; + // Inform user + $response = '
IP Lockout - Please try again later.
'; } // Passed login brute force check @@ -74,24 +74,34 @@ if(isset($_POST['login'])){ $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password); generateUserSessionKey($site_encryption_master_key); - // Setup extension + // Setup extension if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) { - // Extension cookie - // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS. - setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']); + // Extension cookie + // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS. + setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']); - // Set PHP session in DB so we can access the session encryption data (above) - $user_php_session = session_id(); - mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'"); + // Set PHP session in DB so we can access the session encryption data (above) + $user_php_session = session_id(); + mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'"); } } if (empty($token)) { + // Full Login successful + $_SESSION['logged'] = TRUE; mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $user_id"); - header("Location: dashboard_financial.php"); + // Show start page/dashboard depending on role + if ($row['user_role'] == 2) { + header("Location: dashboard_technical.php"); + } else { + header("Location: dashboard_financial.php"); + } + } else { + // Prompt for MFA + $token_field = "
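Review bot: Neither `header("Location: dashboard_technical.php")` nor the `dashboard_financial.php` branch is followed by `exit;`, so after the redirect header is sent the script keeps running into the login-page markup below (the enclosing `if(isset($_POST['login']))` block continues outside the hunk); the same role dispatch is duplicated verbatim in the `@@ -104,10 +114,17 @@` hunk for the MFA path. A single line serves both, `header("Location: " . ($row['user_role'] == 2 ? "dashboard_technical.php" : "dashboard_financial.php")); exit;`, or better, compute the target page once before the token check. The bare `2` should be a named constant saying which role it is, and `(int)$row['user_role'] === 2` avoids the loose comparison on the DB string. Since `$_SESSION['logged'] = TRUE;` is now set at this point, this is also where `session_regenerate_id(true)` belongs if the login flow does not already call it elsewhere.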
@@ -104,10 +114,17 @@ if(isset($_POST['login'])){ require_once("rfc6238.php"); if (TokenAuth6238::verify($token, $current_code)) { + // Full login (with MFA) successful $_SESSION['logged'] = TRUE; mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login 2FA', log_action = 'Success', log_description = '$user_name successfully logged in using 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); - //header("Location: $config_start_page"); - header("Location: dashboard_financial.php"); + + // Show start page/dashboard depending on role + if ($row['user_role'] == 2) { + header("Location: dashboard_technical.php"); + } else { + header("Location: dashboard_financial.php"); + } + } else { mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = '2FA Failed', log_description = '$user_name failed 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); @@ -138,60 +155,60 @@ if(isset($_POST['login'])){ - - - <?php echo $config_app_name; ?> | Login - - - - - - - - - - + + + <?php echo $config_app_name; ?> | Login + + + + + + + + + +