AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix Document Update API

This commit is contained in:
johnnyq 2026-01-17 13:17:17 -05:00
parent 3ed2582a9b
commit 0a658d7cab
1 changed files with 98 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
api/v1/documents/update.php
View File

@ -1,41 +1,121 @@
<?php
require_once '../validate_api_key.php';
require_once '../require_post_method.php';
// Parse ID
$document_id = intval($_POST['document_id']);
$document_id = intval($_POST['document_id'] ?? 0);
// Default
$update_count = false;
if (!empty($document_id)) {
$document_row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM documents WHERE document_id = '$document_id' AND document_client_id = $client_id LIMIT 1"));
// Variable assignment from POST - assigning the current database value if a value is not provided
require_once 'document_model.php';
$processed_content = mysqli_escape_string(
// 1) Load the current document (scoped to this client)
$sql_original_document = mysqli_query(
$mysqli,
saveBase64Images(
$content,
"SELECT * FROM documents
WHERE document_client_id = $client_id
AND document_id = $document_id
LIMIT 1"
);
if ($sql_original_document && mysqli_num_rows($sql_original_document) === 1) {
$row = mysqli_fetch_assoc($sql_original_document);
// Pull original fields for versioning
$original_document_name = sanitizeInput($row['document_name']);
$original_document_description = sanitizeInput($row['document_description']);
$original_document_content = mysqli_real_escape_string($mysqli, $row['document_content']);
$original_document_created_by = intval($row['document_created_by']);
$original_document_updated_by = intval($row['document_updated_by']);
$original_document_created_at = sanitizeInput($row['document_created_at']);
$original_document_updated_at = sanitizeInput($row['document_updated_at']);
// Determine who/when created the version (same logic as app)
if (!empty($original_document_updated_at)) {
$document_version_created_at = $original_document_updated_at;
} else {
$document_version_created_at = $original_document_created_at;
}
if (!empty($original_document_updated_by)) {
$document_version_created_by = $original_document_updated_by;
} else {
$document_version_created_by = $original_document_created_by;
}
// 2) Save the current version into document_versions
mysqli_query(
$mysqli,
"INSERT INTO document_versions SET
document_version_name = '$original_document_name',
document_version_description = '$original_document_description',
document_version_content = '$original_document_content',
document_version_created_by = $document_version_created_by,
document_version_created_at = '$document_version_created_at',
document_version_document_id = $document_id"
);
$document_version_id = mysqli_insert_id($mysqli);
// 3) Variable assignment from POST (uses trigger you already have)
// This should set: $name, $description, $content (raw html), $folder, etc.
require_once 'document_model.php';
// Process NEW HTML content: save base64 images to /uploads/documents/<document_id>/
// In-app uses $_POST['content'] as raw; in API you likely map to $content in document_model.php
$raw_post_content = $content;
$processed_html = saveBase64Images(
$raw_post_content,
$_SERVER['DOCUMENT_ROOT'] . "/uploads/documents/",
"uploads/documents/",
$document_id
)
);
);
$update_insert_sql = mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_description = '$description', document_content = '$processed_content', document_content_raw = '$content_raw', document_folder_id = $folder, document_updated_by = 0, document_client_id = $client_id");
// Escape for DB
$content_db = mysqli_real_escape_string($mysqli, $processed_html);
// Logging
logAction("Document", "Edit", "$name via API ($api_key_name)", $client_id, $document_id);
logAction("API", "Success", "Edited document $name via API ($api_key_name)", $client_id);
// Rebuild content_raw for full-text search (same technique as app)
$content_raw = sanitizeInput($name . " " . str_replace("<", " <", $processed_html));
$content_raw = mysqli_real_escape_string($mysqli, $content_raw);
// Override update count to 1 for API to report a success (as we inserted a document, not "updated" an existing row)
$update_count = 1;
// Escape name/description too (document_model.php may already sanitize; do DB escaping here regardless)
$name_db = mysqli_real_escape_string($mysqli, $name);
$description_db = mysqli_real_escape_string($mysqli, $description);
$folder_id = intval($folder);
// 4) Update the document (IMPORTANT: proper WHERE + scope to client)
mysqli_query(
$mysqli,
"UPDATE documents SET
document_name = '$name_db',
document_description = '$description_db',
document_content = '$content_db',
document_content_raw = '$content_raw',
document_folder_id = $folder_id,
document_updated_by = 0
WHERE document_id = $document_id
AND document_client_id = $client_id
LIMIT 1"
);
// For API: treat success as "updated row" OR "query ran but values unchanged"
if (mysqli_errno($mysqli) === 0) {
$update_count = 1;
}
// Logging
logAction("Document", "Edit", "$name_db via API ($api_key_name), previous version kept", $client_id, $document_version_id);
logAction("API", "Success", "Edited document $name_db via API ($api_key_name)", $client_id);
} else {
// Not found (or not this client's doc)
$update_count = false;
logAction("API", "Error", "Document update failed (not found or unauthorized) via API ($api_key_name)", $client_id);
}
}
// Output