Add file & login sharing functionality & ip/ua view tracking

client_files.php

@@ -45,7 +45,9 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_
               <div class="card-footer bg-dark text-white p-1">
                 <center>
                   <a href="<?php echo "uploads/clients/$session_company_id/$client_id/$file_reference_name"; ?>" download="<?php echo $file_name; ?>" class="text-white float-left ml-1"><i class="fa fa-cloud-download-alt"></i></a>
-                  <small><?php echo $file_name; ?></small>
+                  <a href="#" data-toggle="modal" data-target="#shareModal" onclick="populateShareModal(<?php echo "$client_id, 'File', $file_id"; ?>)" class="text-white float-left ml-1"><i class="fa fa-share"></i></a>
+
+                    <small><?php echo $file_name; ?></small>
 
                   <a href="post.php?delete_file=<?php echo $file_id; ?>" class="text-white float-right mr-1"><i class="fa fa-times"></i></a>
                 </center>
@@ -90,6 +92,7 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_
             <td><a href="<?php echo "uploads/clients/$session_company_id/$client_id/$file_reference_name"; ?>" target="_blank" class="text-secondary"><i class="fa fa-fw fa-2x fa-<?php echo $file_icon; ?> mr-3"></i> <?php echo basename($file_name); ?></a></td>
             <td>
               <a href="<?php echo "uploads/clients/$session_company_id/$client_id/$file_reference_name"; ?>" download="<?php echo $file_name; ?>" class="text-secondary float-left ml-1"><i class="fa fa-cloud-download-alt"></i></a>
+              <a href="#" data-toggle="modal" data-target="#shareModal" onclick="populateShareModal(<?php echo "$client_id, 'File', $file_id"; ?>)" class="text-secondary float-left ml-1"><i class="fa fa-share"></i></a>
               <a href="post.php?delete_file=<?php echo $file_id; ?>" class="text-secondary float-right mr-1"><i class="fa fa-times"></i></a>
             </td>
           </tr>
@@ -101,4 +104,7 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_
   </div>
 </div>
 
-<?php include("client_file_add_modal.php"); ?>
+<?php
+include("client_file_add_modal.php");
+include("share_modal.php");
+?>

client_logins.php

@@ -146,7 +146,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 </button>
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editLoginModal<?php echo $login_id; ?>">Edit</a>
-                  <div class="dropdown-divider"></div>
+                  <a class="dropdown-item" href="#" data-toggle="modal" data-target="#shareModal" onclick="populateShareModal(<?php echo "$client_id, 'Login', $login_id"; ?>)">Share</a>
+                    <div class="dropdown-divider"></div>
                   <a class="dropdown-item text-danger" href="post.php?delete_login=<?php echo $login_id; ?>">Delete</a>
                 </div>
               </div> 
@@ -167,4 +168,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
   </div>
 </div>
 
-<?php include("client_login_add_modal.php"); ?>
+<?php
+include("client_login_add_modal.php");
+include("share_modal.php");
+?>

guest_download_file.php

@@ -1,6 +1,10 @@
 <?php
+// Not including the guest header as we don't want any HTML output
 include("config.php");
 include("functions.php");
+$ip = trim(strip_tags(mysqli_real_escape_string($mysqli,get_ip())));
+$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
+
 if(isset($_GET['id']) AND isset($_GET['key'])){
     $item_id = intval($_GET['id']);
     $item_key = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['key'])));
@@ -53,12 +57,12 @@ if(isset($_GET['id']) AND isset($_GET['key'])){
     header('Content-Disposition: attachment; filename=download.' .$file_ext);
     readfile($file_path);
 
-
-    // Update file view count & logging
+    // Update file view count
     $new_item_views = $item_views + 1;
     mysqli_query($mysqli, "UPDATE shared_items SET item_views = '$new_item_views' WHERE item_id = '$item_id'");
 
-
+    // Logging
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'View', log_description = 'Downloaded shared file via link - Item ID: $item_id', log_client_id = '$client_id', log_created_at = NOW(), log_ip = '$ip', log_user_agent = '$user_agent', company_id = '1'");
 
 
 }

guest_header.php

@@ -3,6 +3,9 @@
   include("config.php");
   include("functions.php");
 
+$ip = trim(strip_tags(mysqli_real_escape_string($mysqli,get_ip())));
+$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
+
 ?>
 
 <!DOCTYPE html>

guest_view_item.php

@@ -47,10 +47,10 @@ $item_note = $row['item_note'];
 $item_views = intval($row['item_views']);
 $item_created = $row['item_created_at'];
 $item_expire = $row['item_expire_at'];
-$item_client_id = $row['item_client_id'];
+$client_id = $row['item_client_id'];
 
 if($item_type == "Document"){
-    $doc_sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_id = '$item_related_id' AND document_client_id = '$item_client_id' LIMIT 1");
+    $doc_sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_id = '$item_related_id' AND document_client_id = '$client_id' LIMIT 1");
     $doc_row = mysqli_fetch_array($doc_sql);
 
     if(mysqli_num_rows($doc_sql) !== 1 OR !$doc_row){
@@ -73,13 +73,12 @@ if($item_type == "Document"){
     $new_item_views = $item_views + 1;
     mysqli_query($mysqli, "UPDATE shared_items SET item_views = '$new_item_views' WHERE item_id = '$item_id'");
 
-    // Logging // TODO: Need to add IP, etc.
-    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Viewed', log_description = 'Viewed shared $item_type link - Item ID: $item_id', log_client_id = '$item_client_id', log_created_at = NOW(), company_id = '1'");
-
+    // Logging
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'View', log_description = 'Viewed shared $item_type via link - Item ID: $item_id', log_client_id = '$client_id', log_created_at = NOW(), log_ip = '$ip', log_user_agent = '$user_agent', company_id = '1'");
 
 }
 elseif($item_type == "File"){
-    $file_sql = mysqli_query($mysqli, "SELECT * FROM files WHERE file_id = '$item_related_id' AND file_client_id = '$item_client_id' LIMIT 1");
+    $file_sql = mysqli_query($mysqli, "SELECT * FROM files WHERE file_id = '$item_related_id' AND file_client_id = '$client_id' LIMIT 1");
     $file_row = mysqli_fetch_array($file_sql);
 
     if(mysqli_num_rows($file_sql) !== 1 OR !$file_row){
@@ -101,7 +100,7 @@ elseif($item_type == "File"){
 elseif($item_type == "Login"){
     $encryption_key = $_GET['ek'];
 
-    $login_sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$item_related_id' AND login_client_id = '$item_client_id' LIMIT 1");
+    $login_sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$item_related_id' AND login_client_id = '$client_id' LIMIT 1");
     $login_row = mysqli_fetch_array($login_sql);
     if(mysqli_num_rows($login_sql) !== 1 OR !$login_row){
         echo "<div class=\"alert alert-danger\" role=\"alert\">Error retrieving login.</div>";
@@ -130,6 +129,12 @@ elseif($item_type == "Login"){
     echo "<p>OTP: $login_otp</p>";
     echo "<p>Notes: $login_notes</p>";
 
+    // Update login view count
+    $new_item_views = $item_views + 1;
+    mysqli_query($mysqli, "UPDATE shared_items SET item_views = '$new_item_views' WHERE item_id = '$item_id'");
+
+    // Logging
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'View', log_description = 'Viewed shared $item_type via link - Item ID: $item_id', log_client_id = '$client_id', log_created_at = NOW(), log_ip = '$ip', log_user_agent = '$user_agent', company_id = '1'");
 
 }
 

post.php

@@ -1308,12 +1308,32 @@ if(isset($_GET['share_generate_link'])){
     $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
     $item_key = keygen();
 
+    if($item_type == "Login"){
+        $login = mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
+        $row = mysqli_fetch_array($login);
+
+        $login_password_cleartext = decryptLoginEntry($row['login_password']);
+        $login_encryption_key = keygen();
+        $iv = keygen();
+        $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
+
+        $item_encrypted_credential = $iv . $ciphertext;
+    }
+    else{
+        $item_encrypted_credential = '';
+    }
+
     // Insert entry into DB
-    $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_note = '$item_note', item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
+    $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
     $share_id = $mysqli->insert_id;
 
     // Return URL
-    $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
+    if($item_type == "Login"){
+        $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key";
+    }
+    else{
+        $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
+    }
     echo json_encode($url);
 
     // Logging

share_modal.php

@@ -62,6 +62,7 @@
                     </div>
                     <button class="form-control" onclick="event.preventDefault(); generateShareLink()">Share</button>
                 </form>
+                <p><i>Note: Login passwords are shared "as is" and will not update</i></p>
 
                 <hr>