From 6aa06b438916e1e5cff90b45674b0e29e0460062 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 15 Apr 2022 11:42:50 +0100 Subject: [PATCH 1/9] Add full text index & search for document contents (related to #440) --- client_documents.php | 17 +++++++++++++---- database_updates.php | 29 ++++++++++++++++++++++++----- database_version.php | 2 +- db.sql | 6 ++++++ global_search.php | 2 +- pagination_head.php | 2 +- post.php | 8 ++++++-- 7 files changed, 52 insertions(+), 14 deletions(-) diff --git a/client_documents.php b/client_documents.php index 7a3f797e..ef5f703c 100644 --- a/client_documents.php +++ b/client_documents.php @@ -1,12 +1,13 @@ $sb, 'o' => $o))); @@ -26,15 +35,15 @@ $sql_no_tag = "SELECT SQL_CALC_FOUND_ROWS * FROM documents WHERE document_client_id = $client_id AND documents.company_id = $session_company_id AND document_template = 0 - AND (document_name LIKE '%$q%' OR document_content LIKE '%$q%') + $query_snippet ORDER BY $sb $o LIMIT $record_from, $record_to"; $sql_with_tag = "SELECT SQL_CALC_FOUND_ROWS * FROM documents LEFT JOIN documents_tagged ON documents.document_id = documents_tagged.document_id WHERE document_client_id = $client_id - AND document_template = 0 AND documents.company_id = $session_company_id - AND (document_name LIKE '%$q%' OR document_content LIKE '%$q%') + AND document_template = 0 + $query_snippet AND documents_tagged.tag_id LIKE '%$tag%' ORDER BY $sb $o LIMIT $record_from, $record_to"; diff --git a/database_updates.php b/database_updates.php index 7321ac76..5137685c 100644 --- a/database_updates.php +++ b/database_updates.php 
@@ -19,24 +19,43 @@ if(LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION){ if(CURRENT_DATABASE_VERSION == '0.0.1'){ // Insert queries here required to update to DB version 0.0.2 - // mysqli_query($mysqli, "ALTER TABLE ....."); + mysqli_query($mysqli, "ALTER TABLE `settings` ADD `config_module_enable_itdoc` TINYINT(1) DEFAULT 1 AFTER `config_backup_path`"); mysqli_query($mysqli, "ALTER TABLE `settings` ADD `config_module_enable_ticketing` TINYINT(1) DEFAULT 1 AFTER `config_module_enable_itdoc`"); mysqli_query($mysqli, "ALTER TABLE `settings` ADD `config_module_enable_accounting` TINYINT(1) DEFAULT 1 AFTER `config_module_enable_ticketing`"); - // Then, update the database to the next sequential version - //mysqli_query($mysqli, "UPDATE settings SET config_current_database_version = '0.0.2' WHERE company_id = '1'"); - + // Update the database to the next sequential version mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '0.0.2'"); } if(CURRENT_DATABASE_VERSION == '0.0.2'){ // Insert queries here required to update to DB version 0.0.3 + + // Add document content raw column & index + mysqli_query($mysqli, "ALTER TABLE `documents` ADD `document_content_raw` LONGTEXT NOT NULL AFTER `document_content`, ADD FULLTEXT `document_content_raw` (`document_content_raw`)"); + + // Populate content raw column with existing document data + $documents_sql = mysqli_query($mysqli, "SELECT * FROM `documents`"); + while($row = mysqli_fetch_array($documents_sql)){ + $id = $row['document_id']; + $name = $row['document_name']; + $content = $row['document_content']; + $content_raw = trim(mysqli_real_escape_string($mysqli, strip_tags($name . " " . 
str_replace("<", " <", $content)))); + + mysqli_query($mysqli, "UPDATE `documents` SET `document_content_raw` = '$content_raw' WHERE `document_id` = '$id'"); + } + + // Then, update the database to the next sequential version + mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '0.0.3'"); + } + + if(CURRENT_DATABASE_VERSION == '0.0.3'){ + // Insert queries here required to update to DB version 0.0.4 // mysqli_query($mysqli, "ALTER TABLE ....."); // Then, update the database to the next sequential version - //mysqli_query($mysqli, "UPDATE settings SET config_current_database_version = '0.0.3' WHERE company_id = '1'"); + //mysqli_query($mysqli, "UPDATE settings SET config_current_database_version = '0.0.3'"); } diff --git a/database_version.php b/database_version.php index f0f59d6c..e0581015 100644 --- a/database_version.php +++ b/database_version.php @@ -5,4 +5,4 @@ * It is used in conjunction with database_updates.php */ -DEFINE("LATEST_DATABASE_VERSION", "0.0.2"); \ No newline at end of file +DEFINE("LATEST_DATABASE_VERSION", "0.0.3"); \ No newline at end of file diff --git a/db.sql b/db.sql index 6c02b03b..1dcd54af 100644 --- a/db.sql +++ b/db.sql @@ -397,6 +397,7 @@ CREATE TABLE `documents` ( `document_id` int(11) NOT NULL AUTO_INCREMENT, `document_name` varchar(200) NOT NULL, `document_content` longtext NOT NULL, + `document_content_raw` longtext NOT NULL, `document_created_at` datetime NOT NULL, `document_updated_at` datetime DEFAULT NULL, `document_archived_at` datetime DEFAULT NULL, @@ -409,6 +410,11 @@ CREATE TABLE `documents` ( ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; /*!40101 SET character_set_client = @saved_cs_client */; +-- +-- Indexes for table `documents` +-- +ALTER TABLE `documents` ADD FULLTEXT KEY `document_content_raw` (`document_content_raw`); + -- -- Table structure for table `documents_tagged` -- diff --git a/global_search.php b/global_search.php index 259173cf..4d012d43 100644 --- a/global_search.php 
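Review bot: The bump to `config_current_database_version = '0.0.3'` at the end of the new 0.0.2 block runs unconditionally, so if the `ALTER TABLE ... ADD FULLTEXT` fails (insufficient privilege, or a MySQL build without InnoDB FULLTEXT) the schema is marked upgraded without the column and every later document INSERT/UPDATE that references `document_content_raw` will fail. Capture the result and gate the backfill and the version update on it: `$alter = mysqli_query($mysqli, "ALTER TABLE ...");` followed by `if($alter){ ... }` around the loop and the version UPDATE. The backfill itself is fine — `$content_raw` is escaped and `$id` comes from the table's integer key. Separately, the template block added for 0.0.3 → 0.0.4 still reads `config_current_database_version = '0.0.3'` in its commented-out line; it should say `'0.0.4'` so the next migration does not copy the wrong version. The enclosing `if(LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION)` starts above the hunk.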
+++ b/global_search.php @@ -15,7 +15,7 @@ if(isset($_GET['query'])){ $sql_contacts = mysqli_query($mysqli,"SELECT * FROM contacts LEFT JOIN clients ON client_id = contact_client_id LEFT JOIN departments ON contact_department_id = department_id WHERE (contact_name LIKE '%$query%' OR contact_title LIKE '%$query%' OR contact_email LIKE '%$query%' OR contact_phone LIKE '%$phone_query%' OR contact_mobile LIKE '%$phone_query%') AND contacts.company_id = $session_company_id ORDER BY contact_id DESC LIMIT 5"); $sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE (vendor_name LIKE '%$query%' OR vendor_phone LIKE '%$phone_query%') AND company_id = $session_company_id ORDER BY vendor_id DESC LIMIT 5"); $sql_products = mysqli_query($mysqli,"SELECT * FROM products WHERE product_name LIKE '%$query%' AND company_id = $session_company_id ORDER BY product_id DESC LIMIT 5"); - $sql_documents = mysqli_query($mysqli, "SELECT * FROM documents LEFT JOIN clients on document_client_id = clients.client_id WHERE document_name LIKE '%$query%' AND documents.company_id = $session_company_id ORDER BY document_id DESC LIMIT 5"); + $sql_documents = mysqli_query($mysqli, "SELECT * FROM documents LEFT JOIN clients on document_client_id = clients.client_id WHERE MATCH(document_content_raw) AGAINST ('$query') AND documents.company_id = $session_company_id ORDER BY document_id DESC LIMIT 5"); $sql_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN clients on tickets.ticket_client_id = clients.client_id WHERE (ticket_subject LIKE '%$query%' OR ticket_number = '$query') AND tickets.company_id = $session_company_id ORDER BY ticket_id DESC LIMIT 5"); $sql_logins = mysqli_query($mysqli,"SELECT * FROM logins WHERE (login_name LIKE '%$query%' OR login_username LIKE '%$query%') AND company_id = $session_company_id ORDER BY login_id DESC LIMIT 5"); diff --git a/pagination_head.php b/pagination_head.php index ac4a8bfd..742f1689 100644 --- a/pagination_head.php +++ b/pagination_head.php 
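Review bot: The new `MATCH(document_content_raw) AGAINST ('$query')` replaces the `document_name LIKE '%$query%'` match rather than adding to it, and natural-language FULLTEXT skips tokens shorter than `innodb_ft_min_token_size` (3 by default) and stopwords, so a short query such as a two-letter acronym or product code that matched a document title before now returns nothing. Keep the title match as a fallback: `WHERE (MATCH(document_content_raw) AGAINST ('$query') OR document_name LIKE '%$query%') AND documents.company_id = $session_company_id`. `$query` is interpolated into the statement exactly as in the sibling queries; this is only safe if it was passed through `mysqli_real_escape_string` above the hunk, which is not visible here. Natural-language mode treats boolean operators as plain text, so the change does not widen the SQL surface beyond that escaping.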
@@ -34,7 +34,7 @@ if(isset($_GET['o'])){ // Search if(isset($_GET['q'])){ - $q = mysqli_real_escape_string($mysqli,$_GET['q']); + $q = mysqli_real_escape_string($mysqli,trim($_GET['q'])); }else{ $q = ""; } \ No newline at end of file diff --git a/post.php b/post.php index 0432295e..9d9d6b58 100644 --- a/post.php +++ b/post.php @@ -6927,11 +6927,13 @@ if(isset($_POST['add_document'])){ $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $tags_ids = $_POST['tags_ids']; $content = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['content'])))); + $content_raw = trim(mysqli_real_escape_string($mysqli, strip_tags($_POST['name'] . " " . str_replace("<", " <", $_POST['content'])))); + // Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching. $template = intval($_POST['template']); $folder = intval($_POST['folder']); // Document add query - $add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_content = '$content', document_created_at = NOW(), document_template = $template, document_folder_id = $folder, document_client_id = $client_id, company_id = $session_company_id"); + $add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_content = '$content', document_content_raw = '$content_raw', document_created_at = NOW(), document_template = $template, document_folder_id = $folder, document_client_id = $client_id, company_id = $session_company_id"); $document_id = $mysqli->insert_id; // Logging 
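Review bot: `$content_raw` is derived from the raw `$_POST['content']`, while the stored `$content` first goes through `html_entity_decode` and `$purifier->purify()`, so the search index can contain text HTMLPurifier strips from the document (the body of a removed `<script>` or `<style>` element, for example) and keeps entities such as `&amp;` undecoded; a search can therefore match a document whose saved content does not contain the term, or miss one that does. Build the index from the same purified text the row stores: `$content_raw = trim(mysqli_real_escape_string($mysqli, strip_tags($_POST['name'] . " " . str_replace("<", " <", $purifier->purify(html_entity_decode($_POST['content']))))));`. The value is escaped before interpolation, so the INSERT itself is not the concern here. The `add_document` handler starts above the hunk.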
@@ -6970,11 +6972,13 @@ if(isset($_POST['edit_document'])){ $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $tags_ids = $_POST['tags_ids']; $content = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['content'])))); + $content_raw = trim(mysqli_real_escape_string($mysqli, strip_tags($_POST['name'] . " " . str_replace("<", " <", $_POST['content'])))); + // Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching. $template = intval($_POST['template']); $folder = intval($_POST['folder']); // Document edit query - mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_content = '$content', document_updated_at = NOW(), document_template = $template, document_folder_id = $folder WHERE document_id = $document_id AND company_id = $session_company_id"); + mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_content = '$content', document_content_raw = '$content_raw', document_updated_at = NOW(), document_template = $template, document_folder_id = $folder WHERE document_id = $document_id AND company_id = $session_company_id"); //Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Note', log_action = 'Modify', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, log_user_id = $session_user_id"); From ac42cb82a843a8571051e9251b71b3ae1f860664 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 15 Apr 2022 12:00:41 +0100 Subject: [PATCH 2/9] Fix closed by being in caps --- ticket.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ticket.php b/ticket.php index d7152550..656bd826 100644 --- a/ticket.php +++ b/ticket.php @@ -440,7 +440,7 @@ if(isset($_GET['ticket_id'])){ $row = mysqli_fetch_array($sql_closed_by); $ticket_closed_by_display = $row['user_name']; ?> -
Closed by:
+
Closed by:
Feedback:
@@ -599,7 +599,7 @@ if(isset($_GET['ticket_id'])){ include("ticket_edit_modal.php"); include("ticket_merge_modal.php"); include("ticket_invoice_add_modal.php"); - include("ticket_invoice_existing_add_modal.php"); + //include("ticket_invoice_existing_add_modal.php"); ?> Date: Fri, 15 Apr 2022 12:02:13 +0100 Subject: [PATCH 3/9] Redirect to ticket after creation --- post.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/post.php b/post.php index 9d9d6b58..06ad46d3 100644 --- a/post.php +++ b/post.php @@ -5975,13 +5975,14 @@ if(isset($_POST['add_ticket'])){ mysqli_query($mysqli,"UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_asset_id = $asset_id, ticket_created_at = NOW(), ticket_created_by = $session_user_id, ticket_assigned_to = $assigned_to, ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id"); + $id = mysqli_insert_id($mysqli); //Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = '$session_name created ticket $subject', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id, log_user_id = $session_user_id"); $_SESSION['alert_message'] = "Ticket created"; - - header("Location: " . $_SERVER["HTTP_REFERER"]); + + header("Location: ticket.php?ticket_id=" . $id); } From 779153e099d5389d5fa71a9c6660c77a6ef4d89d Mon Sep 17 00:00:00 2001 
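Review bot: `$id = mysqli_insert_id($mysqli)` is read without checking that the preceding INSERT succeeded; on failure it is `0`, yet the handler still records the "Ticket created" alert and redirects to `ticket.php?ticket_id=0`. Capture the query result and bail out with a danger alert when it is false or `$id` is `0`, e.g. `$insert = mysqli_query($mysqli, "INSERT INTO tickets ...");` then `if(!$insert){ $_SESSION['alert_type'] = "danger"; $_SESSION['alert_message'] = "Ticket could not be created"; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); }`. Redirecting to a fixed path instead of `HTTP_REFERER` is an improvement, since the Referer header is client-supplied. The `add_ticket` handler starts above the hunk.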
From: Marcus Hill Date: Fri, 15 Apr 2022 12:03:52 +0100 Subject: [PATCH 4/9] Adjust scheduled ticket behaviour in cron to account for cron being run at 1 AM rather than 11 PM. This is also better for daylight saving --- cron.php | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/cron.php b/cron.php index 3a3dd061..03ebb6f0 100644 --- a/cron.php +++ b/cron.php @@ -201,13 +201,12 @@ while($row = mysqli_fetch_array($sql_companies)){ // Scheduled tickets - // Get date now, and calculate tomorrow's date (presuming this is being run at 11 PM) - $now = new DateTime(); - $tomorrow = date_add($now, date_interval_create_from_date_string('1 day')); - $tomorrow_text = $tomorrow->format('Y-m-d'); + // Get date for search + $today = new DateTime(); + $today_text = $today->format('Y-m-d'); - // Get scheduled tickets for tomorrow - $sql_scheduled_tickets = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets WHERE scheduled_ticket_next_run = '$tomorrow_text'"); + // Get scheduled tickets for today + $sql_scheduled_tickets = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets WHERE scheduled_ticket_next_run = '$today_text'"); if(mysqli_num_rows($sql_scheduled_tickets) > 0){ while($row = mysqli_fetch_array($sql_scheduled_tickets)){ 
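Review bot: Matching `scheduled_ticket_next_run = '$today_text'` with equality means a scheduled ticket whose run date passes while cron does not execute (host down, or a missed day during this 11 PM → 1 AM move) is never created, and because `scheduled_ticket_next_run` is only advanced for matched rows it stays in the past and never fires again. Use `scheduled_ticket_next_run <= '$today_text'` so a missed run is picked up on the next execution. `$today` is built with `new DateTime()` and the server's default timezone, so the date boundary follows whatever `date.timezone` is configured; worth noting in the comment if that is intentional. The enclosing `while` over companies starts above the hunk.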
@@ -237,23 +236,23 @@ while($row = mysqli_fetch_array($sql_companies)){ if($frequency == "weekly"){ // Note: We seemingly have to initialize a new datetime for each loop to avoid stacking the dates $now = new DateTime(); - $next_run = date_add($now, date_interval_create_from_date_string('1 week 1 day')); + $next_run = date_add($now, date_interval_create_from_date_string('1 week')); } elseif($frequency == "monthly"){ $now = new DateTime(); - $next_run = date_add($now, date_interval_create_from_date_string('1 month 1 day')); + $next_run = date_add($now, date_interval_create_from_date_string('1 month')); } elseif($frequency == "quarterly"){ $now = new DateTime(); - $next_run = date_add($now, date_interval_create_from_date_string('3 months 1 day')); + $next_run = date_add($now, date_interval_create_from_date_string('3 months')); } elseif($frequency == "biannually"){ $now = new DateTime(); - $next_run = date_add($now, date_interval_create_from_date_string('6 months 1 day')); + $next_run = date_add($now, date_interval_create_from_date_string('6 months')); } elseif($frequency == "annually"){ $now = new DateTime(); - $next_run = date_add($now, date_interval_create_from_date_string('12 months 1 day')); + $next_run = date_add($now, date_interval_create_from_date_string('12 months')); } // Update the run date From fca1627c3319a3e664ef0c269b1b9dfb30795731 Mon Sep 17 00:00:00 2001 
From: Marcus Hill Date: Fri, 15 Apr 2022 13:29:27 +0100 Subject: [PATCH 5/9] Remove delete user post.php code. Deleting users means we'll lose all tickets/replies which isn't great. Correct user archive behaviour so when users are archived they can no longer login. Need to add ability for quick disable/enable of user accounts, as using archive as permanent. Refactor "You are not permitted to do that!" wording into a constant instead. --- ajax.php | 12 +- api/v1/require_post_method.php | 8 ++ campaigns.php | 4 +- check_login.php | 161 ++++++++++----------- client_contact_edit_modal.php | 2 +- client_side_nav.php | 2 +- clients.php | 4 +- login.php | 12 +- post.php | 248 ++++++++++++++++----------------- users.php | 4 +- 10 files changed, 225 insertions(+), 232 deletions(-) create mode 100644 api/v1/require_post_method.php diff --git a/ajax.php b/ajax.php index ff0f1cd9..d5e212c2 100644 --- a/ajax.php +++ b/ajax.php @@ -60,7 +60,7 @@ if(isset($_GET['certificate_fetch_parse_json_details'])){ if(isset($_GET['certificate_get_json_details'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -89,7 +89,7 @@ if(isset($_GET['certificate_get_json_details'])){ if(isset($_GET['domain_get_json_details'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -118,7 +118,7 @@ if(isset($_GET['domain_get_json_details'])){ if(isset($_GET['merge_ticket_get_json_details'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -146,7 +146,7 @@ if(isset($_GET['merge_ticket_get_json_details'])){ if(isset($_GET['network_get_json_details'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -230,7 +230,7 @@ if(isset($_GET['ticket_query_views'])){ if(isset($_GET['share_generate_link'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -282,7 +282,7 @@ if(isset($_GET['share_generate_link'])){ if(isset($_GET['scheduled_ticket_get_json_details'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } diff --git a/api/v1/require_post_method.php b/api/v1/require_post_method.php new file mode 100644 index 00000000..10f500e7 --- /dev/null +++ b/api/v1/require_post_method.php @@ -0,0 +1,8 @@ + \ No newline at end of file diff --git a/client_contact_edit_modal.php b/client_contact_edit_modal.php index 88b7f951..fb0a446f 100644 --- a/client_contact_edit_modal.php +++ b/client_contact_edit_modal.php @@ -185,7 +185,7 @@
- "> + contact_photo"> diff --git a/client_side_nav.php b/client_side_nav.php index 269471fb..10699e48 100644 --- a/client_side_nav.php +++ b/client_side_nav.php @@ -228,7 +228,7 @@ - 2 AND $config_module_enable_accounting == 1){ ?> + 2 && $config_module_enable_accounting == 1){ ?> diff --git a/clients.php b/clients.php index 562fc091..f0ada755 100644 --- a/clients.php +++ b/clients.php @@ -167,7 +167,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); Name Address Contact - Billing + Billing Action @@ -310,7 +310,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); - + Balance
diff --git a/login.php b/login.php index eeaabc52..38599ab5 100644 --- a/login.php +++ b/login.php @@ -8,17 +8,13 @@ if(!file_exists('config.php')){ include("config.php"); include("functions.php"); -//SESSION FINGERPRINT +// SESSION FINGERPRINT $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); -//$os = strip_tags(mysqli_real_escape_string($mysqli,get_os())); -//$browser = strip_tags(mysqli_real_escape_string($mysqli,get_web_browser())); -//$device = strip_tags(mysqli_real_escape_string($mysqli,get_device())); +$os = strip_tags(mysqli_real_escape_string($mysqli,get_os())); -//$user_agent = "$os - $browser"; -// Get user agent +// User agent $user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); - // HTTP Only cookies ini_set("session.cookie_httponly", True); @@ -59,7 +55,7 @@ if(isset($_POST['login'])){ if(isset($_POST['current_code'])){ $current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code'])); } - $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email'"); + $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email' AND user_archived_at IS NULL"); $row = mysqli_fetch_array($sql); if (password_verify($password, $row['user_password'])) { diff --git a/post.php b/post.php index 06ad46d3..32252a76 100644 --- a/post.php +++ b/post.php @@ -53,7 +53,7 @@ if(isset($_POST['add_user'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
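Review bot: Adding `AND user_archived_at IS NULL` to the lookup stops archived accounts from authenticating, but it only takes effect at the next login: an archived user's existing session keeps working until it expires, so the archive action also needs to revoke live sessions (check_login.php is in this patch's diffstat, but its hunk is not visible here, so that may already be covered). A side effect of the filter is that an archived email now takes the same path as an unknown one: `$row` is `false`, `$row['user_password']` is null, and `password_verify` returns quickly compared to a real bcrypt check, a timing difference that can distinguish valid active emails from the rest; verifying against a fixed dummy hash when `$row` is empty closes that gap. `$os` is now assigned but not used in this hunk.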
@@ -135,7 +135,7 @@ if(isset($_POST['edit_user'])){ if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -231,6 +231,13 @@ if(isset($_POST['edit_user'])){ if(isset($_POST['edit_profile'])){ + if($session_user_role != 3 && $_POST['user_id'] !== $session_user_id){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $user_id = intval($_POST['user_id']); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']))); @@ -330,6 +337,13 @@ if(isset($_POST['edit_profile'])){ if(isset($_POST['edit_user_companies'])){ + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + $user_id = intval($_POST['user_id']); mysqli_query($mysqli,"DELETE FROM user_companies WHERE user_id = $user_id"); 
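Review bot: The new guard on `edit_profile`, `$_POST['user_id'] !== $session_user_id`, compares the request string with strict inequality against the session value; if `$session_user_id` is an integer the condition is always true and every non-admin is blocked from editing their own profile, and if it is a string any leading zero or whitespace in the POST value also causes a false rejection. Normalise both sides before comparing: `if($session_user_role != 3 && intval($_POST['user_id']) !== intval($session_user_id)){`. The same comparison already exists in `edit_user` above and should be fixed the same way. The session value's type is not visible in this hunk.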
@@ -356,67 +370,39 @@ if(isset($_GET['archive_user'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } + // Variables from GET $user_id = intval($_GET['archive_user']); + $password = password_hash(key32gen(), PASSWORD_DEFAULT); - mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $user_id"); - - //Logging - //Get User Name + // Get user details $sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_id = $user_id"); $row = mysqli_fetch_array($sql); $name = $row['user_name']; + + // Archive user query + mysqli_query($mysqli,"UPDATE users SET user_name = '$name (archived)', user_password = '$password', user_specific_encryption_ciphertext = '', user_archived_at = NOW() WHERE user_id = $user_id"); + + // Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User', log_action = 'Archive', log_description = '$session_name archived user $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "$name archived"; + $_SESSION['alert_message'] = "User $name archived"; header("Location: users.php"); } -if(isset($_GET['delete_user'])){ - - if($session_user_role != 3){ - $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; - header("Location: " . 
$_SERVER["HTTP_REFERER"]); - exit(); - } - - $user_id = intval($_GET['delete_user']); - - mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $user_id"); - mysqli_query($mysqli,"DELETE FROM user_settings WHERE user_id = $user_id"); - mysqli_query($mysqli,"DELETE FROM logs WHERE log_user_id = $user_id"); - mysqli_query($mysqli,"DELETE FROM tickets WHERE ticket_created_by = $user_id"); - mysqli_query($mysqli,"DELETE FROM tickets WHERE ticket_closed_by = $user_id"); - mysqli_query($mysqli,"DELETE FROM ticket_replies WHERE ticket_reply_by = $user_id"); - mysqli_query($mysqli,"DELETE FROM user_companies WHERE user_id = $user_id"); - - //Logging - //Get User Name - $sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_id = $user_id"); - $row = mysqli_fetch_array($sql); - $name = $row['user_name']; - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User', log_action = 'Delete', log_description = '$session_name deleted user $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); - - $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "User $name deleted"; - - header("Location: " . $_SERVER["HTTP_REFERER"]); - -} // API Key if(isset($_POST['add_api_key'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -443,7 +429,7 @@ if(isset($_POST['edit_api_key'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
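Review bot: The new UPDATE interpolates `$name`, read back from the `users` table, directly into `user_name = '$name (archived)'`, and the log INSERT below reuses it: the stored name is the unescaped original, so a name containing a quote breaks the statement, and a name set earlier by another admin can carry SQL into this query (second-order injection). Escape it at the point of reuse, `$name = mysqli_real_escape_string($mysqli, $row['user_name']);`, before building either statement. Rotating the password to a random hash and clearing `user_specific_encryption_ciphertext` is irreversible, which matches the commit message, but it does not terminate the user's active sessions, so the account stays usable until its session expires unless that is handled elsewhere. The action is still triggered by a GET parameter with no CSRF token and `$user_id` is not scoped to the caller's company; both predate this hunk.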
@@ -467,7 +453,7 @@ if(isset($_GET['delete_api_key'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -495,7 +481,7 @@ if(isset($_POST['add_company'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -601,7 +587,7 @@ if(isset($_POST['edit_company'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -704,7 +690,7 @@ if(isset($_GET['delete_company'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -798,7 +784,7 @@ if(isset($_POST['edit_general_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -820,7 +806,7 @@ if(isset($_POST['edit_mail_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -874,7 +860,7 @@ if(isset($_POST['test_email'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -918,7 +904,7 @@ if(isset($_POST['edit_invoice_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -947,7 +933,7 @@ if(isset($_POST['edit_quote_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -973,7 +959,7 @@ if(isset($_POST['edit_ticket_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -998,7 +984,7 @@ if(isset($_POST['edit_default_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1026,7 +1012,7 @@ if(isset($_POST['edit_alert_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -1051,7 +1037,7 @@ if(isset($_POST['edit_online_payment_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1074,7 +1060,7 @@ if(isset($_POST['edit_integrations_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1100,7 +1086,7 @@ if(isset($_POST['edit_backup_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1123,7 +1109,7 @@ if(isset($_POST['edit_module_settings'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1175,7 +1161,7 @@ if(isset($_GET['download_database'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1260,7 +1246,7 @@ if(isset($_POST['backup_master_key'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -1297,7 +1283,7 @@ if(isset($_GET['update'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1325,7 +1311,7 @@ if(isset($_GET['update_db'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1348,7 +1334,7 @@ if(isset($_POST['add_client'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1430,7 +1416,7 @@ if(isset($_POST['edit_client'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -1469,7 +1455,7 @@ if(isset($_GET['delete_client'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4193,7 +4179,7 @@ if(isset($_POST['add_contact'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -4280,7 +4266,7 @@ if(isset($_POST['edit_contact'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4376,7 +4362,7 @@ if(isset($_GET['archive_contact'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4398,7 +4384,7 @@ if(isset($_GET['delete_contact'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4462,7 +4448,7 @@ if(isset($_POST['add_location'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4548,7 +4534,7 @@ if(isset($_POST['edit_location'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4638,7 +4624,7 @@ if(isset($_GET['delete_location'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -4703,7 +4689,7 @@ if(isset($_POST['add_department'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4716,7 +4702,7 @@ if(isset($_POST['add_department'])){ $contact_id = mysqli_insert_id($mysqli); //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Department', log_action = 'Create', log_description = '$department_name', log_created_at = NOW(), company_id = $session_company_id, log_client_id = $client_id, log_user_id = $session_user_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Department', log_action = 'Create', log_description = '$department_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id, log_client_id = $client_id, log_user_id = $session_user_id"); $_SESSION['alert_message'] .= "Department added"; @@ -4728,7 +4714,7 @@ if(isset($_POST['edit_department'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
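Review bot: The new `log_ip = '$session_ip', log_user_agent = '$session_user_agent'` fields in the add_department logging hunk are interpolated straight into the INSERT, and the User-Agent header is attacker-controlled, so this is only safe if `$session_user_agent` (and `$session_ip`, should it ever be taken from a forwarded-for header) is run through `mysqli_real_escape_string()` at the point where the session variables are populated; that code is not in this chunk, so please confirm it. The same interpolation is added in the edit_department and archive_department hunks, and again in the add_ticket and add_scheduled_ticket hunks further down. A prepared statement for the logs INSERT would remove the need for every caller to escape correctly, and a short comment next to where these session values are set, e.g. `// escaped for direct use in SQL by post.php logging`, would make the contract visible.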
@@ -4740,7 +4726,7 @@ if(isset($_POST['edit_department'])){ mysqli_query($mysqli,"UPDATE departments SET department_name = '$department_name', department_updated_at = NOW() WHERE department_id = $department_id AND company_id = $session_company_id"); //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Department', log_action = 'Modify', log_description = '$department_name', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Department', log_action = 'Modify', log_description = '$department_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id"); $_SESSION['alert_message'] .= "Department updated"; @@ -4752,7 +4738,7 @@ if(isset($_GET['archive_department'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4762,7 +4748,7 @@ if(isset($_GET['archive_department'])){ mysqli_query($mysqli,"UPDATE departments SET department_archived_at = NOW() WHERE department_id = $department_id"); //logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Department', log_action = 'Archive', log_description = '$department_id', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Department', log_action = 'Archive', log_description = '$department_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); $_SESSION['alert_message'] = "Department Archived!"; 
@@ -4774,7 +4760,7 @@ if(isset($_GET['delete_department'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4796,7 +4782,7 @@ if(isset($_POST['add_asset'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4852,7 +4838,7 @@ if(isset($_POST['edit_asset'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4915,7 +4901,7 @@ if(isset($_GET['delete_asset'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -4937,7 +4923,7 @@ if(isset($_POST["import_client_assets_csv"])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5074,7 +5060,7 @@ if(isset($_GET['export_client_assets_csv'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -5123,7 +5109,7 @@ if(isset($_POST['add_software'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5187,7 +5173,7 @@ if(isset($_POST['edit_software'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5258,7 +5244,7 @@ if(isset($_GET['delete_software'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5284,7 +5270,7 @@ if(isset($_GET['export_client_software_csv'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5333,7 +5319,7 @@ if(isset($_POST['add_login'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5365,7 +5351,7 @@ if(isset($_POST['edit_login'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -5397,7 +5383,7 @@ if(isset($_GET['delete_login'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5419,7 +5405,7 @@ if(isset($_GET['export_client_logins_csv'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5469,7 +5455,7 @@ if(isset($_POST['add_network'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5497,7 +5483,7 @@ if(isset($_POST['edit_network'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5524,7 +5510,7 @@ if(isset($_POST['edit_network'])){ if(isset($_GET['delete_network'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5546,7 +5532,7 @@ if(isset($_GET['export_client_networks_csv'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -5595,7 +5581,7 @@ if(isset($_POST['add_certificate'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5637,7 +5623,7 @@ if(isset($_POST['edit_certificate'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5679,7 +5665,7 @@ if(isset($_GET['delete_certificate'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5701,7 +5687,7 @@ if(isset($_GET['export_client_certificates_csv'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5750,7 +5736,7 @@ if(isset($_POST['add_domain'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5827,7 +5813,7 @@ if(isset($_POST['edit_domain'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -5872,7 +5858,7 @@ if(isset($_GET['delete_domain'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5894,7 +5880,7 @@ if(isset($_GET['export_client_domains_csv'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5944,7 +5930,7 @@ if(isset($_POST['add_ticket'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -5978,7 +5964,7 @@ if(isset($_POST['add_ticket'])){ $id = mysqli_insert_id($mysqli); //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = '$session_name created ticket $subject', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id, log_user_id = $session_user_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = '$session_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id, log_user_id = $session_user_id"); $_SESSION['alert_message'] = "Ticket created"; @@ -5990,7 +5976,7 @@ if(isset($_POST['add_scheduled_ticket'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -6020,7 +6006,7 @@ if(isset($_POST['add_scheduled_ticket'])){ mysqli_query($mysqli, "INSERT INTO scheduled_tickets SET scheduled_ticket_subject = '$subject', scheduled_ticket_details = '$details', scheduled_ticket_priority = '$priority', scheduled_ticket_frequency = '$frequency', scheduled_ticket_start_date = '$start_date', scheduled_ticket_next_run = '$start_date', scheduled_ticket_created_at = NOW(), scheduled_ticket_created_by = '$session_user_id', scheduled_ticket_client_id = '$client_id', scheduled_ticket_contact_id = '$contact', scheduled_ticket_asset_id = '$asset_id', company_id = '$session_company_id'"); //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Created scheduled ticket for $subject - $frequency', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id, log_user_id = $session_user_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Created scheduled ticket for $subject - $frequency', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id, log_user_id = $session_user_id"); $_SESSION['alert_message'] = "Scheduled ticket created."; @@ -6032,7 +6018,7 @@ if(isset($_POST['edit_scheduled_ticket'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6068,7 +6054,7 @@ if(isset($_GET['delete_scheduled_ticket'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -6090,7 +6076,7 @@ if(isset($_POST['edit_ticket'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6125,7 +6111,7 @@ if(isset($_POST['assign_ticket'])){ // Role check if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6176,7 +6162,7 @@ if(isset($_GET['delete_ticket'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6198,7 +6184,7 @@ if(isset($_POST['add_ticket_reply'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6292,7 +6278,7 @@ if(isset($_POST['edit_ticket_reply'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6321,7 +6307,7 @@ if(isset($_GET['archive_ticket_reply'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -6343,7 +6329,7 @@ if(isset($_POST['merge_ticket'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6401,7 +6387,7 @@ if(isset($_GET['close_ticket'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6520,7 +6506,7 @@ if(isset($_GET['export_client_tickets_csv'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6569,7 +6555,7 @@ if(isset($_POST['add_service'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6676,7 +6662,7 @@ if(isset($_POST['edit_service'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6785,7 +6771,7 @@ if(isset($_GET['delete_service'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -6883,7 +6869,7 @@ if(isset($_GET['delete_file'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6913,7 +6899,7 @@ if(isset($_POST['add_document'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -6958,7 +6944,7 @@ if(isset($_POST['edit_document'])){ if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -7005,7 +6991,7 @@ if(isset($_GET['delete_document'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -7030,7 +7016,7 @@ if (isset($_POST['add_document_tag'])) { if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -7048,7 +7034,7 @@ if (isset($_POST['delete_document_tag'])) { if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } 
@@ -7069,7 +7055,7 @@ if (isset($_POST['rename_document_tag'])) { if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -7088,7 +7074,7 @@ if (isset($_POST['rename_document_tag'])) { if(isset($_GET['deactivate_shared_item'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } @@ -7521,7 +7507,7 @@ if(isset($_GET['export_client_pdf'])){ if($session_user_role != 3){ $_SESSION['alert_type'] = "danger"; - $_SESSION['alert_message'] = "You are not permitted to do that!"; + $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED; header("Location: " . $_SERVER["HTTP_REFERER"]); exit(); } diff --git a/users.php b/users.php index 51dd8f84..cd60c733 100644 --- a/users.php +++ b/users.php @@ -12,6 +12,7 @@ $sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings WHERE users.user_id = user_settings.user_id AND (user_name LIKE '%$q%' OR user_email LIKE '%$q%') + AND user_archived_at IS NULL ORDER BY $sb $o LIMIT $record_from, $record_to"); $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); @@ -119,7 +120,7 @@ Company Access - Archive + Archive @@ -129,6 +130,7 @@ include("user_edit_modal.php"); include("user_companies_modal.php"); + include("user_archive_modal.php"); } From bdd00c843db360378d1b909530026d996c8adbf5 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 15 Apr 2022 17:00:47 +0100 Subject: [PATCH 6/9] Change wording to reflect that the module is just "hidden", not necessarily disabled. --- settings-modules.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/settings-modules.php b/settings-modules.php index e893f5b2..0c1cf904 100644 --- a/settings-modules.php +++ b/settings-modules.php @@ -9,17 +9,17 @@
value="1" id="customSwitch1"> - +
value="1" id="customSwitch2"> - +
value="1" id="customSwitch3"> - +

From e55622827dd2ee36661b0c05204f6a8b3c50d75f Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 15 Apr 2022 17:43:06 +0100 Subject: [PATCH 7/9] Add support for client-specific API keys Refactoring API. Added a contact update endpoint. Small misc changes. --- api/v1/assets/asset_model.php | 27 ++++++++++++++++ api/v1/assets/create.php | 52 ++++++------------------------ api/v1/assets/read.php | 24 +++++++------- api/v1/certificates/read.php | 18 +++++------ api/v1/contacts/contact_model.php | 11 +++++++ api/v1/contacts/create.php | 51 +++++++++++++---------------- api/v1/contacts/read.php | 6 ++-- api/v1/contacts/update.php | 28 ++++++++++++++++ api/v1/create_output.php | 4 +-- api/v1/domains/read.php | 18 +++++------ api/v1/networks/read.php | 18 +++++------ api/v1/read_output.php | 2 +- api/v1/require_get_method.php | 5 +++ api/v1/require_post_method.php | 7 ++++ api/v1/software/read.php | 26 +++++++-------- api/v1/tickets/read.php | 4 +-- api/v1/update_output.php | 23 ++++++++++++++ api/v1/validate_api_key.php | 5 +-- api_key_add_modal.php | 53 ++++++++++++++++++++++++++++--- api_key_edit_modal.php | 43 ------------------------- client_contact_details_modal.php | 2 +- database_updates.php | 3 ++ db.sql | 1 + post.php | 6 ++-- settings-api.php | 27 ++++++++++------ user_archive_modal.php | 16 ++++++++++ 26 files changed, 286 insertions(+), 194 deletions(-) create mode 100644 api/v1/assets/asset_model.php create mode 100644 api/v1/contacts/contact_model.php create mode 100644 api/v1/contacts/update.php create mode 100644 api/v1/update_output.php delete mode 100644 api_key_edit_modal.php create mode 100644 user_archive_modal.php diff --git a/api/v1/assets/asset_model.php b/api/v1/assets/asset_model.php new file mode 100644 index 00000000..feb177ba --- /dev/null +++ b/api/v1/assets/asset_model.php 
@@ -0,0 +1,27 @@ +insert_id; + $insert_id = mysqli_insert_id($mysqli); //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id"); - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id"); } } -else{ - $insert_id = FALSE; -} // Output include('../create_output.php'); \ No newline at end of file diff --git a/api/v1/assets/read.php b/api/v1/assets/read.php index 419ecfb1..5102f32b 100644 --- a/api/v1/assets/read.php +++ b/api/v1/assets/read.php 
@@ -5,37 +5,37 @@ require('../require_get_method.php'); // Asset via ID (single) if(isset($_GET['asset_id'])){ - $id = intval($_GET['asset_id']); - $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND company_id = '$company_id'"); + $id = intval($_GET['asset_id']); + $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id'"); } // Asset query via type elseif(isset($_GET['asset_type'])){ - $type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type'])); - $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); + $type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type'])); + $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); } // Asset query via name elseif(isset($_GET['asset_name'])){ - $name = mysqli_real_escape_string($mysqli,$_GET['asset_name']); - $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); + $name = mysqli_real_escape_string($mysqli,$_GET['asset_name']); + $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); } // Asset query via serial elseif(isset($_GET['asset_serial'])){ - $serial = mysqli_real_escape_string($mysqli,$_GET['asset_serial']); - $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); + $serial = mysqli_real_escape_string($mysqli,$_GET['asset_serial']); + $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE 
asset_serial = '$serial' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); } // Asset query via client ID -elseif(isset($_GET['asset_client_id'])){ - $client = intval($_GET['asset_client_id']); - $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id = '$client' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); +elseif(isset($_GET['client_id']) && $client_id == "%"){ + $client_id = intval($_GET['client_id']); + $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); } // All assets else{ - $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); + $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); } // Output diff --git a/api/v1/certificates/read.php b/api/v1/certificates/read.php index f07ef6bc..25b9b343 100644 --- a/api/v1/certificates/read.php +++ b/api/v1/certificates/read.php 
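Review bot: The client-override branch `elseif(isset($_GET['client_id']) && $client_id == "%")` makes an authorization decision with a loose comparison; if `$client_id` from the key lookup is ever the integer 0 or an empty value rather than the literal string, PHP 7's `0 == "%"` evaluates true and a client-scoped key could read another client's assets by supplying `?client_id=`. Use `elseif(isset($_GET['client_id']) && $client_id === "%"){` and confirm that validate_api_key.php (not in this chunk) sets `$client_id` to the string `"%"` only for unrestricted keys. The same pattern is in the api/v1/certificates/read.php hunk that follows. The `asset_client_id LIKE '$client_id'` scoping also relies on the key's client id never containing `%` or `_`; a comment above the branch chain stating that `$client_id` is either the literal `%` or an integer from the API key would make that assumption explicit.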
@@ -5,25 +5,25 @@ require('../require_get_method.php');
 // Specific certificate via ID (single)
 if(isset($_GET['certificate_id'])){
- $id = intval($_GET['certificate_id']);
- $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND company_id = '$company_id'");
+ $id = intval($_GET['certificate_id']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id'");
 }
 // Certificate by name
 elseif(isset($_GET['certificate_name'])){
- $name = mysqli_real_escape_string($mysqli,$_GET['certificate_name']);
- $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
+ $name = mysqli_real_escape_string($mysqli,$_GET['certificate_name']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
 }
-// Certificate via client ID
-elseif(isset($_GET['certificate_client_id'])){
- $client = intval($_GET['certificate_client_id']);
- $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
+// Certificate via client ID (if allowed)
+elseif(isset($_GET['client_id']) && $client_id == "%"){
+ $client_id = intval($_GET['client_id']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
 }
 // All certificates
 else{
- $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
+ $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
 }
 // Output
diff --git a/api/v1/contacts/contact_model.php b/api/v1/contacts/contact_model.php
new file mode 100644
index 00000000..fb35f365
--- /dev/null
+++ b/api/v1/contacts/contact_model.php
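Review bot: The new client-ID branch writes `certificate_client_id = '$client_id'` while the other three queries in this hunk, and the matching branch in the assets and software hunks, use `LIKE '$client_id'`; the result is the same here because `$client_id` has just been replaced by `intval($_GET['client_id'])` and can no longer be `"%"`, but the mixed forms make the reader check each query for whether the wildcard can reach it. Settle on one form for the series, and equality is the right one wherever the value is known to be an integer.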
@@ -0,0 +1,11 @@ +insert_id; +// Default +$insert_id = FALSE; + +if(!empty($name) && !empty($email) && !empty($client_id)){ + + // Check contact with $email doesn't already exist + $email_duplication_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id = '$client_id'"); + + if(mysqli_num_rows($email_duplication_sql) == 0){ + + // Insert contact + $insert_sql = mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_created_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id"); + + // Check insert & get insert ID + if($insert_sql){ + $insert_id = mysqli_insert_id($mysqli); + //Logging + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id"); + } - //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id"); - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id"); } } -else{ - $insert_id = FALSE; -} // Output include('../create_output.php'); \ No newline at end of 
file diff --git a/api/v1/contacts/read.php b/api/v1/contacts/read.php index 72bf3314..2de010b5 100644 --- a/api/v1/contacts/read.php +++ b/api/v1/contacts/read.php @@ -6,18 +6,18 @@ require('../require_get_method.php'); // Specific contact via ID (single) if(isset($_GET['contact_id'])){ $id = intval($_GET['contact_id']); - $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND company_id = '$company_id'"); + $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'"); } // Specific contact via email (single) elseif(isset($_GET['contact_email'])){ $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['contact_email']))); - $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND company_id = '$company_id'"); + $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'"); } // All contacts else{ - $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset"); + $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset"); } // Output diff --git a/api/v1/contacts/update.php b/api/v1/contacts/update.php new file mode 100644 index 00000000..bf5c3152 --- /dev/null +++ b/api/v1/contacts/update.php @@ -0,0 +1,28 @@ + 0){ } else{ $return_arr['success'] = "False"; - $return_arr['message'] = "No resource (for this company) with the specified parameter(s)."; + $return_arr['message'] = "No resource (for this client and company) with the specified parameter(s)."; echo json_encode($return_arr); exit(); } \ No newline at end of file diff --git a/api/v1/require_get_method.php b/api/v1/require_get_method.php index a6391c9f..4667bed7 100644 
--- a/api/v1/require_get_method.php
+++ b/api/v1/require_get_method.php
@@ -5,4 +5,9 @@ if($_SERVER['REQUEST_METHOD'] !== "GET"){
 $return_arr['message'] = "Can only send GET requests to this endpoint.";
 echo json_encode($return_arr);
 exit();
+}
+
+// Wildcard client ID for most SELECT queries
+if($client_id == 0){
+ $client_id = "%";
 }
\ No newline at end of file
diff --git a/api/v1/require_post_method.php b/api/v1/require_post_method.php
index 10f500e7..cb13d64b 100644
--- a/api/v1/require_post_method.php
+++ b/api/v1/require_post_method.php
@@ -5,4 +5,11 @@ if($_SERVER['REQUEST_METHOD'] !== "POST"){
 $return_arr['message'] = "Can only send POST requests to this endpoint.";
 echo json_encode($return_arr);
 exit();
+}
+
+// Client ID must be specific for INSERT/UPDATE/DELETE queries
+// If this API key allows any client, set $client_id to the one specified, else leave it
+if($client_id == 0){
+ //
+ $client_id = intval($_POST['client_id']);
 }
\ No newline at end of file
diff --git a/api/v1/software/read.php b/api/v1/software/read.php
index 52b16404..df229a48 100644
--- a/api/v1/software/read.php
+++ b/api/v1/software/read.php
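Review bot: `if($client_id == 0)` is a loose comparison on the value that validate_api_key.php copies straight from the API key row; with `==`, `null` (and, before PHP 8, any non-numeric string) also equals `0`, so a key whose `api_key_client_id` is NULL or malformed is promoted to the `"%"` wildcard that every read.php then interpolates into SQL. Casting first, `if(intval($client_id) === 0)`, makes the wildcard decision explicit and guarantees the non-wildcard value reaching a query is a plain integer. The comment could also spell out the convention it relies on: `// A key with api_key_client_id = 0 may read across all of the company's clients; read.php files substitute "%" into a LIKE predicate`.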
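Review bot: `$client_id = intval($_POST['client_id'])` accepts whatever client id the caller supplies without checking that the client belongs to `$company_id`, so an all-clients key for one company can attach a record to a client id from another — the contacts create hunk above writes `contact_client_id = $client_id, company_id = $company_id` with no further check. Before accepting it, look the id up against the clients table for the authenticated company (assuming it is keyed by client and company id like the tables queried here) and reject the request when no row matches. `$_POST['client_id']` is also read without `isset`, which raises an undefined-index notice when the field is omitted, and the bare `//` inside the block should either say something or go. The lookup is a few lines, sketched below.
```php
if($client_id == 0){
    $client_id = intval($_POST['client_id'] ?? 0);
    // Reject ids that are missing or not a client of the authenticated company
    $client_sql = mysqli_query($mysqli, "SELECT client_id FROM clients WHERE client_id = $client_id AND company_id = $company_id");
    if($client_id == 0 || mysqli_num_rows($client_sql) == 0){
        $return_arr['success'] = "False";
        $return_arr['message'] = "client_id missing or not part of this company.";
        echo json_encode($return_arr);
        exit();
    }
}
```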
@@ -5,37 +5,37 @@ require('../require_get_method.php');
 // Specific software via ID (single)
 if(isset($_GET['software_id'])){
- $id = intval($_GET['software_id']);
- $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND company_id = '$company_id'");
+ $id = intval($_GET['software_id']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND software_client_id LIKE '$client_id' AND company_id = '$company_id'");
 }
 // Specific software via License ID
 if(isset($_GET['software_license'])){
- $license = mysqli_real_escape_string($mysqli,$_GET['software_license']);
- $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license = '$license' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
+ $license = mysqli_real_escape_string($mysqli,$_GET['software_license']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license_type = '$license' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 }
 // Software by name
 elseif(isset($_GET['software_name'])){
- $name = mysqli_real_escape_string($mysqli,$_GET['software_name']);
- $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
+ $name = mysqli_real_escape_string($mysqli,$_GET['software_name']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 }
 // Software via type
 elseif(isset($_GET['software_type'])){
- $type = intval($_GET['software_type']);
- $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
+ $type = intval($_GET['software_type']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 }
-// Software via client ID
-elseif(isset($_GET['software_client_id'])){
- $client = intval($_GET['software_client_id']);
- $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id = '$client' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
+// Software via client ID (if allowed)
+elseif(isset($_GET['client_id']) && $client_id == "%"){
+ $client_id = intval($_GET['client_id']);
+ $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 }
 // All software(s)
 else{
- $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
+ $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 }
 // Output
diff --git a/api/v1/tickets/read.php b/api/v1/tickets/read.php
index 74ccfa0e..4fa7247a 100644
--- a/api/v1/tickets/read.php
+++ b/api/v1/tickets/read.php
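Review bot: The rewritten software_name branch still ends with `ORDER BY asset_id`, which is a column of the assets table, not `software`; unless `software` also carries an `asset_id` column (nothing here suggests it does) that query errors out and the branch returns nothing, while every sibling branch orders by `software_id`, so this line should read `... ORDER BY software_id LIMIT $limit OFFSET $offset`. The license branch also changes the column from `software_license` to `software_license_type` while the request parameter stays `software_license`, and the later "Fix License Var" patch on this page moves client_contact_details_modal.php from `software_license_type` back to `software_license`, so the real column name should be confirmed before both land. That same branch is an `if` rather than `elseif` (a context line here), so a request carrying both `software_id` and `software_license` runs two queries and the second result silently wins.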
@@ -6,12 +6,12 @@ require('../require_get_method.php'); // Specific ticket via ID (single) if(isset($_GET['ticket_id'])){ $id = intval($_GET['ticket_id']); - $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND company_id = '$company_id'"); + $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id' AND company_id = '$company_id'"); } // All tickets else{ - $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset"); + $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset"); } // Output diff --git a/api/v1/update_output.php b/api/v1/update_output.php new file mode 100644 index 00000000..9c7802f0 --- /dev/null +++ b/api/v1/update_output.php @@ -0,0 +1,23 @@ + 0){ + // Insert successful + $return_arr['success'] = "True"; + $return_arr['count'] = $update_id; +} + +// Query returned false: something went wrong, or it was declined due to required variables missing +else{ + $return_arr['success'] = "False"; + $return_arr['message'] = "Auth success but update query failed/returned no results. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: non-existent module (contact/ticket/etc) id"; +} + +echo json_encode($return_arr); +exit(); \ No newline at end of file diff --git a/api/v1/validate_api_key.php b/api/v1/validate_api_key.php index 46ec587b..a026e42b 100644 --- a/api/v1/validate_api_key.php +++ b/api/v1/validate_api_key.php 
@@ -86,10 +86,11 @@ if(isset($api_key)){ // Success else{ - // Set company ID & key name + // Set client ID, company ID & key name $row = mysqli_fetch_array($sql); - $company_id = $row['company_id']; $api_key_name = $row['api_key_name']; + $client_id = $row['api_key_client_id']; + $company_id = $row['company_id']; // Set limit & offset for queries if(isset($_GET['limit'])){ diff --git a/api_key_add_modal.php b/api_key_add_modal.php index e72ecc7f..a06dc3aa 100644 --- a/api_key_add_modal.php +++ b/api_key_add_modal.php @@ -1,3 +1,6 @@ + \ No newline at end of file From 945288dfbd279193cae0922354b144e7138bcf3c Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 15 Apr 2022 17:54:23 +0100 Subject: [PATCH 8/9] Replace center with css text align --- user_archive_modal.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user_archive_modal.php b/user_archive_modal.php index fc405ede..cdf34f95 100644 --- a/user_archive_modal.php +++ b/user_archive_modal.php @@ -2,14 +2,14 @@ From 633ce5d3421ab64620002497b5304391bea1a870 Mon Sep 17 00:00:00 2001 From: Johnny Date: Fri, 15 Apr 2022 15:37:37 -0400 Subject: [PATCH 9/9] Fix License Var --- client_contact_details_modal.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client_contact_details_modal.php b/client_contact_details_modal.php index 55d0a78a..895f4d99 100644 --- a/client_contact_details_modal.php +++ b/client_contact_details_modal.php @@ -85,7 +85,7 @@ $software_id = $row['software_id']; $software_name = $row['software_name']; $software_type = $row['software_type']; - $software_license = $row['software_license_type']; + $software_license = $row['software_license']; $software_notes = $row['software_notes']; ?> @@ -105,4 +105,4 @@ - \ No newline at end of file +
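Review bot: `$client_id = $row['api_key_client_id']` is used afterwards both in the `$client_id == 0` decisions of require_get_method.php and require_post_method.php and interpolated unescaped into every read.php query, so cast it on assignment, `$client_id = intval($row['api_key_client_id']);`, which pins the wildcard check and rules out a non-numeric value reaching SQL even if the column type is ever changed. The comment `// Set client ID, company ID & key name` would help readers if it also said that 0 means the key is not restricted to a single client, since that convention is what the require_*_method.php files build on. The enclosing `else` block continues outside the hunk.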