From cab2cc923add92585b6e6f7e898ea08ae301ba44 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 2 Apr 2022 15:37:17 +0100
Subject: [PATCH 1/3] Improve share features: default modal to 1, cleanup expired/used links
---
ajax.php | 45 +++++++++++++++++++++++++++++++++++++++++++++
cron.php | 8 +++++++-
post.php | 43 +------------------------------------------
share_modal.php | 10 +++++-----
4 files changed, 58 insertions(+), 48 deletions(-)
diff --git a/ajax.php b/ajax.php
index 1841be1c..8d6265c7 100644
--- a/ajax.php
+++ b/ajax.php
@@ -194,4 +194,49 @@ if(isset($_GET['ticket_query_views'])){
 $response['message'] = "";
 }
 echo json_encode($response);
+}
+
+/*
+ * Generates public/guest links for sharing logins/docs
+ */
+if(isset($_GET['share_generate_link'])){
+ $client_id = intval($_GET['client_id']);
+ $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type'])));
+ $item_id = intval($_GET['id']);
+ $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note'])));
+ $item_view_limit = intval($_GET['views']);
+ $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
+ $item_key = keygen();
+
+ if($item_type == "Login"){
+ $login = mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
+ $row = mysqli_fetch_array($login);
+
+ $login_password_cleartext = decryptLoginEntry($row['login_password']);
+ $login_encryption_key = keygen();
+ $iv = keygen();
+ $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
+
+ $item_encrypted_credential = $iv . 
$ciphertext;
+ }
+ else{
+ $item_encrypted_credential = '';
+ }
+
+ // Insert entry into DB
+ $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
+ $share_id = $mysqli->insert_id;
+
+ // Return URL
+ if($item_type == "Login"){
+ $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key";
+ }
+ else{
+ $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
+ }
+ echo json_encode($url);
+
+ // Logging
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - Item ID: $item_id', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id");
+ }
\ No newline at end of file
diff --git a/cron.php b/cron.php
index 0b30aa70..e0e4b93f 100644
--- a/cron.php
+++ b/cron.php
@@ -48,7 +48,7 @@ while($row = mysqli_fetch_array($sql_companies)){
 if($config_backup_enable == 1){
 // DATABASE BACKUP
- // This needs to be set to the full file sytem path or else when cron runs php it will break cron.php and cron will not run properly
+ // This needs to be set to the full file system path or else when cron runs php it will break cron.php and cron will not run properly
 //$backup_dir = "backups/";
 $backup_dir = "$config_backup_path/";
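Review bot: The new `share_generate_link` handler (complete within this hunk) takes `client_id` and `id` straight from `$_GET` and the SELECT only checks `login_client_id = '$client_id'`, never that the client belongs to `$session_company_id`, so unless an include above ajax.php enforces tenancy, any authenticated user can mint a guest URL — with the `ek` decryption key in it — for any login row by guessing ids; scope the lookup to the session's company before decrypting. The query result is also not checked: on an unknown id `mysqli_fetch_array` returns `false`, `$row['login_password']` evaluates to `null`, `decryptLoginEntry(null)` is called and a `shared_items` row is still inserted; guard with `if(!$row){ http_response_code(404); exit(); }` before the decrypt. `keygen()` is reused as both the AES-128-CBC key and the IV, and `openssl_encrypt` returns `false` if the IV is not exactly 16 bytes, in which case `$item_encrypted_credential` silently becomes just the IV — worth asserting `strlen($iv) === openssl_cipher_iv_length('aes-128-cbc')` and checking the return value. Finally `$item_expires` is escaped but never validated as a date before being written to `item_expire_at`, so a malformed value's expiry behaviour is left to MySQL's coercion rules.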
@@ -265,6 +265,12 @@ while($row = mysqli_fetch_array($sql_companies)){
 // Clean-up ticket views table used for collision detection
 mysqli_query($mysqli, "TRUNCATE TABLE ticket_views");
+ // Clean-up shared items that have been used
+ mysqli_query($mysqli, "DELETE FROM shared_items WHERE item_views = item_view_limit");
+
+ // Clean-up shared items that have expired
+ mysqli_query($mysqli, "DELETE FROM shared_items WHERE item_expire_at < NOW()");
+
 // PAST DUE INVOICE Notifications
 //$invoiceAlertArray = [$config_invoice_overdue_reminders];
 $invoiceAlertArray = [30,60,90,120,150,180,210,240,270,300,330,360,390,420,450,480,510,540,570,590,620];
diff --git a/post.php b/post.php
index 9e563c69..8b25dc1e 100644
--- a/post.php
+++ b/post.php
@@ -1456,6 +1456,7 @@ if(isset($_GET['delete_client'])){
 mysqli_query($mysqli,"DELETE FROM vendors WHERE vendor_client_id = $client_id");
 mysqli_query($mysqli,"DELETE FROM client_tags WHERE client_id = $client_id");
 mysqli_query($mysqli,"DELETE FROM scheduled_tickets WHERE scheduled_ticket_client_id = $client_id");
+ mysqli_query($mysqli,"DELETE FROM shared_items WHERE item_client_id = $client_id");
 $sql = mysqli_query($mysqli,"SELECT recurring_id FROM recurring WHERE recurring_client_id = $client_id");
 while($row = mysqli_fetch_array($sql)){
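Review bot: The used-link cleanup uses strict equality, `DELETE FROM shared_items WHERE item_views = item_view_limit`, so a row whose view counter overshoots the limit (two guest views landing before the counter is checked) or whose limit is 0 or negative (ajax.php stores `intval($_GET['views'])` unvalidated) is never reclaimed; `WHERE item_views >= item_view_limit` is the safer predicate. Both DELETEs also only run when cron fires, so a link stays usable from `item_expire_at` until the next cron run unless guest_view_item.php re-checks expiry and view count at view time — that check is not visible here and should be confirmed. The statements sit inside the per-company `while` loop (its start is outside the hunk) and are not scoped to the company, so they execute once per company per run; harmless, but they belong outside the loop.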
@@ -1516,48 +1517,6 @@ if(isset($_GET['delete_client'])){
 header("Location: " . $_SERVER["HTTP_REFERER"]);
 }
-if(isset($_GET['share_generate_link'])){
- $client_id = intval($_GET['client_id']);
- $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type'])));
- $item_id = intval($_GET['id']);
- $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note'])));
- $item_view_limit = intval($_GET['views']);
- $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
- $item_key = keygen();
-
- if($item_type == "Login"){
- $login = mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
- $row = mysqli_fetch_array($login);
-
- $login_password_cleartext = decryptLoginEntry($row['login_password']);
- $login_encryption_key = keygen();
- $iv = keygen();
- $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
-
- $item_encrypted_credential = $iv . 
$ciphertext;
- }
- else{
- $item_encrypted_credential = '';
- }
-
- // Insert entry into DB
- $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
- $share_id = $mysqli->insert_id;
-
- // Return URL
- if($item_type == "Login"){
- $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key";
- }
- else{
- $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
- }
- echo json_encode($url);
-
- // Logging
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - Item ID: $item_id', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id");
-
-}
-
 if(isset($_POST['add_calendar'])){
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
diff --git a/share_modal.php b/share_modal.php
index e7fb6f05..893283bd 100644
--- a/share_modal.php
+++ b/share_modal.php
@@ -15,13 +15,13 @@ // Check values are provided
 if(item_views && item_expires && item_note){
- // Send a GET request to post.php as post.php?share_generate_link=true....
+ // Send a GET request to ajax.php as ajax.php?share_generate_link=true....
 jQuery.get(
- "post.php",
+ "ajax.php",
 {share_generate_link: 'true', client_id: client_id, type: item_type, id: item_ref_id, note: item_note ,views: item_views, expires: item_expires},
 function(data){
- // If we get a response from post.php, parse it as JSON
+ // If we get a response from ajax.php, parse it as JSON
 const response = JSON.parse(data);
 document.getElementById("share_link_header").hidden = false;
@@ -44,13 +44,13 @@
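Review bot: The success callback still does `const response = JSON.parse(data);` with no try/catch and the `jQuery.get(` call has no `.fail()` handler, so if ajax.php emits anything before its `echo json_encode($url)` (a PHP warning from a bad id or a wrong-length IV, or an HTML login redirect) the parse throws and the modal silently shows nothing; `jQuery.getJSON(...).fail(function(){ /* show error */ })` would surface that. This request creates a share row and decrypts a stored password server-side, yet it is a GET whose parameters carry no CSRF token — the new ajax.php endpoint should be confirmed to validate one, or the call moved to POST with a token. The `if(item_views && ...)` block and the callback both close outside this hunk.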