diff --git a/ajax.php b/ajax.php index 1841be1c..8d6265c7 100644 --- a/ajax.php +++ b/ajax.php @@ -194,4 +194,49 @@ if(isset($_GET['ticket_query_views'])){ $response['message'] = ""; } echo json_encode($response); +} + +/* + * Generates public/guest links for sharing logins/docs + */ +if(isset($_GET['share_generate_link'])){ + $client_id = intval($_GET['client_id']); + $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type']))); + $item_id = intval($_GET['id']); + $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note']))); + $item_view_limit = intval($_GET['views']); + $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires']))); + $item_key = keygen(); + + if($item_type == "Login"){ + $login = mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1"); + $row = mysqli_fetch_array($login); + + $login_password_cleartext = decryptLoginEntry($row['login_password']); + $login_encryption_key = keygen(); + $iv = keygen(); + $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv); + + $item_encrypted_credential = $iv . $ciphertext; + } + else{ + $item_encrypted_credential = ''; + } + + // Insert entry into DB + $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'"); + $share_id = $mysqli->insert_id; + + // Return URL + if($item_type == "Login"){ + $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key"; + } + else{ + $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key"; + } + echo json_encode($url); + + // Logging + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - Item ID: $item_id', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); + } \ No newline at end of file diff --git a/client_routes.php b/client_routes.php index 0a2e87a2..c3c4d505 100644 --- a/client_routes.php +++ b/client_routes.php @@ -102,6 +102,11 @@ if(isset($_GET['tab'])){ elseif($_GET['tab'] == "logs"){ include("client_logs.php"); } + elseif($_GET['tab'] == "shared-items"){ + if($session_user_role > 1){ + include("client_shared_items.php"); + } + } } else{ include("client_overview.php"); diff --git a/client_shared_items.php b/client_shared_items.php new file mode 100644 index 00000000..ee1c5fa6 --- /dev/null +++ b/client_shared_items.php @@ -0,0 +1,152 @@ + $sb, 'o' => $o))); + +$sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS * FROM shared_items + WHERE item_client_id = $client_id + AND item_active = '1' + AND item_views != item_view_limit + AND item_expire_at > NOW() + AND (item_note LIKE '%$q%') ORDER BY $sb $o LIMIT $record_from, $record_to"); + +$num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); + +?> + +
+
+

Shared Items (Links)

+
+
+
+ + +
+ +
+
+ +
+ +
+
+
+ +
+
+
+
+ + "> + + + + + + + + + + + + + + + + + + + + + + + +
Item NameItem TypeShare NoteViewsExpiresAction
+ +
+ +
+ Deactivate +
+
+ +
+
+ +
+
\ No newline at end of file diff --git a/client_side_nav.php b/client_side_nav.php index e77b0fc4..5c422a1d 100644 --- a/client_side_nav.php +++ b/client_side_nav.php @@ -299,6 +299,13 @@
  • MORE
    • +
  • + "> + +

    Shared Links

    +     +
    • +
  • "> diff --git a/cron.php b/cron.php index 0b30aa70..e0e4b93f 100644 --- a/cron.php +++ b/cron.php @@ -48,7 +48,7 @@ while($row = mysqli_fetch_array($sql_companies)){ if($config_backup_enable == 1){ // DATABASE BACKUP - // This needs to be set to the full file sytem path or else when cron runs php it will break cron.php and cron will not run properly + // This needs to be set to the full file system path or else when cron runs php it will break cron.php and cron will not run properly //$backup_dir = "backups/"; $backup_dir = "$config_backup_path/"; @@ -265,6 +265,12 @@ while($row = mysqli_fetch_array($sql_companies)){ // Clean-up ticket views table used for collision detection mysqli_query($mysqli, "TRUNCATE TABLE ticket_views"); + // Clean-up shared items that have been used + mysqli_query($mysqli, "DELETE FROM shared_items WHERE item_views = item_view_limit"); + + // Clean-up shared items that have expired + mysqli_query($mysqli, "DELETE FROM shared_items WHERE item_expire_at < NOW()"); + // PAST DUE INVOICE Notifications //$invoiceAlertArray = [$config_invoice_overdue_reminders]; $invoiceAlertArray = [30,60,90,120,150,180,210,240,270,300,330,360,390,420,450,480,510,540,570,590,620]; diff --git a/post.php b/post.php index a9d6be73..13582954 100644 --- a/post.php +++ b/post.php @@ -1483,6 +1483,7 @@ if(isset($_GET['delete_client'])){ mysqli_query($mysqli,"DELETE FROM vendors WHERE vendor_client_id = $client_id"); mysqli_query($mysqli,"DELETE FROM client_tags WHERE client_id = $client_id"); mysqli_query($mysqli,"DELETE FROM scheduled_tickets WHERE scheduled_ticket_client_id = $client_id"); + mysqli_query($mysqli,"DELETE FROM shared_items WHERE item_client_id = $client_id"); $sql = mysqli_query($mysqli,"SELECT recurring_id FROM recurring WHERE recurring_client_id = $client_id"); while($row = mysqli_fetch_array($sql)){ @@ -1543,48 +1544,6 @@ if(isset($_GET['delete_client'])){ header("Location: " . $_SERVER["HTTP_REFERER"]); } -if(isset($_GET['share_generate_link'])){ - $client_id = intval($_GET['client_id']); - $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type']))); - $item_id = intval($_GET['id']); - $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note']))); - $item_view_limit = intval($_GET['views']); - $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires']))); - $item_key = keygen(); - - if($item_type == "Login"){ - $login = mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1"); - $row = mysqli_fetch_array($login); - - $login_password_cleartext = decryptLoginEntry($row['login_password']); - $login_encryption_key = keygen(); - $iv = keygen(); - $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv); - - $item_encrypted_credential = $iv . $ciphertext; - } - else{ - $item_encrypted_credential = ''; - } - - // Insert entry into DB - $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'"); - $share_id = $mysqli->insert_id; - - // Return URL - if($item_type == "Login"){ - $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key"; - } - else{ - $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key"; - } - echo json_encode($url); - - // Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - Item ID: $item_id', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); - -} - if(isset($_POST['add_calendar'])){ $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); @@ -7078,6 +7037,33 @@ if (isset($_POST['rename_document_tag'])) { } +if(isset($_GET['deactivate_shared_item'])){ + if($session_user_role != 3){ + $_SESSION['alert_type'] = "danger"; + $_SESSION['alert_message'] = "You are not permitted to do that!"; + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit(); + } + + $item_id = intval($_GET['deactivate_shared_item']); + + // Get details of the shared link + $sql = mysqli_query($mysqli, "SELECT item_type, item_related_id, item_client_id FROM shared_items WHERE item_id = '$item_id'"); + $row = mysqli_fetch_array($sql); + $item_type = $row['item_type']; + $item_related_id = $row['item_related_id']; + $item_client_id = $row['item_client_id']; + + // Deactivate item id + mysqli_query($mysqli, "UPDATE shared_items SET item_active = '0' WHERE item_id = '$item_id'"); + + // Logging + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Delete', log_description = '$session_name deactivated shared $item_type link. Item ID: $item_related_id. Share ID $item_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = '$item_client_id', log_user_id = $session_user_id, company_id = $session_company_id"); + + $_SESSION['alert_message'] = "Link deactivated"; + header("Location: " . $_SERVER["HTTP_REFERER"]); +} + if(isset($_GET['force_recurring'])){ $recurring_id = intval($_GET['force_recurring']); diff --git a/share_modal.php b/share_modal.php index e7fb6f05..893283bd 100644 --- a/share_modal.php +++ b/share_modal.php @@ -15,13 +15,13 @@ // Check values are provided if(item_views && item_expires && item_note){ - // Send a GET request to post.php as post.php?share_generate_link=true.... + // Send a GET request to ajax.php as ajax.php?share_generate_link=true.... jQuery.get( - "post.php", + "ajax.php", {share_generate_link: 'true', client_id: client_id, type: item_type, id: item_ref_id, note: item_note ,views: item_views, expires: item_expires}, function(data){ - // If we get a response from post.php, parse it as JSON + // If we get a response from ajax.php, parse it as JSON const response = JSON.parse(data); document.getElementById("share_link_header").hidden = false; @@ -44,13 +44,13 @@

    Get Share URL

    -