AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #545 from wrongecho/tidy 

Code Style Tidying
This commit is contained in:
Johnny 2023-01-01 15:56:34 -05:00 committed by GitHub
parent 94d8ec5360 dd00f48e5b
commit 3fd62cd16e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
43 changed files with 1552 additions and 1561 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

362
ajax.php
View File

@ -6,161 +6,159 @@
* Always returns data in JSON format, unless otherwise specified
*/
include("config.php");
include("functions.php");
include("check_login.php");
require_once("config.php");
require_once("functions.php");
require_once("check_login.php");
require_once("rfc6238.php");
/*
* Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key)
*/
if(isset($_GET['certificate_fetch_parse_json_details'])){
// PHP doesn't appreciate attempting SSL sockets to non-existent domains
if(empty($_GET['domain'])){
exit();
}
$domain = $_GET['domain'];
if (isset($_GET['certificate_fetch_parse_json_details'])) {
// PHP doesn't appreciate attempting SSL sockets to non-existent domains
if (empty($_GET['domain'])) {
exit();
}
$domain = $_GET['domain'];
// FQDNs in database shouldn't have a URL scheme, adding one
$domain = "https://".$domain;
// FQDNs in database shouldn't have a URL scheme, adding one
$domain = "https://".$domain;
// Parse host and port
$url = parse_url($domain, PHP_URL_HOST);
$port = parse_url($domain, PHP_URL_PORT);
// Default port
if(!$port){
$port = "443";
}
// Parse host and port
$url = parse_url($domain, PHP_URL_HOST);
$port = parse_url($domain, PHP_URL_PORT);
// Default port
if (!$port) {
$port = "443";
}
// Get certificate (using verify peer false to allow for self-signed certs)
$socket = "ssl://$url:$port";
$get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE, "verify_peer" => FALSE,)));
$read = stream_socket_client($socket, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get);
$cert = stream_context_get_params($read);
$cert_public_key_obj = openssl_x509_parse($cert['options']['ssl']['peer_certificate']);
openssl_x509_export($cert['options']['ssl']['peer_certificate'], $export);
// Get certificate (using verify peer false to allow for self-signed certs)
$socket = "ssl://$url:$port";
$get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE, "verify_peer" => FALSE,)));
$read = stream_socket_client($socket, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get);
$cert = stream_context_get_params($read);
$cert_public_key_obj = openssl_x509_parse($cert['options']['ssl']['peer_certificate']);
openssl_x509_export($cert['options']['ssl']['peer_certificate'], $export);
// Process data
if($cert_public_key_obj){
$response['success'] = "TRUE";
$response['expire'] = date('Y-m-d', $cert_public_key_obj['validTo_time_t']);
$response['issued_by'] = strip_tags($cert_public_key_obj['issuer']['O']);
$response['public_key'] = $export; //nl2br
}
else{
$response['success'] = "FALSE";
}
// Process data
if ($cert_public_key_obj) {
$response['success'] = "TRUE";
$response['expire'] = date('Y-m-d', $cert_public_key_obj['validTo_time_t']);
$response['issued_by'] = strip_tags($cert_public_key_obj['issuer']['O']);
$response['public_key'] = $export; //nl2br
} else {
$response['success'] = "FALSE";
}
echo json_encode($response);
echo json_encode($response);
}
/*
* Looks up info for a given certificate ID from the database, used to dynamically populate modal fields
*/
if(isset($_GET['certificate_get_json_details'])){
validateTechRole();
if (isset($_GET['certificate_get_json_details'])) {
validateTechRole();
$certificate_id = intval($_GET['certificate_id']);
$client_id = intval($_GET['client_id']);
$certificate_id = intval($_GET['certificate_id']);
$client_id = intval($_GET['client_id']);
// Individual certificate lookup
$cert_sql = mysqli_query($mysqli,"SELECT * FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id");
while($row = mysqli_fetch_array($cert_sql)){
$response['certificate'][] = $row;
}
// Individual certificate lookup
$cert_sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id");
while ($row = mysqli_fetch_array($cert_sql)) {
$response['certificate'][] = $row;
}
// Get all domains for this client that could be linked to this certificate
$domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = '$client_id' AND company_id = '$session_company_id'");
while($row = mysqli_fetch_array($domains_sql)){
$response['domains'][] = $row;
}
// Get all domains for this client that could be linked to this certificate
$domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = '$client_id' AND company_id = '$session_company_id'");
while ($row = mysqli_fetch_array($domains_sql)) {
$response['domains'][] = $row;
}
echo json_encode($response);
echo json_encode($response);
}
/*
* Looks up info for a given domain ID from the database, used to dynamically populate modal fields
*/
if(isset($_GET['domain_get_json_details'])){
validateTechRole();
if (isset($_GET['domain_get_json_details'])) {
validateTechRole();
$domain_id = intval($_GET['domain_id']);
$client_id = intval($_GET['client_id']);
$domain_id = intval($_GET['domain_id']);
$client_id = intval($_GET['client_id']);
// Individual domain lookup
$cert_sql = mysqli_query($mysqli,"SELECT * FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id");
while($row = mysqli_fetch_array($cert_sql)){
$response['domain'][] = $row;
}
// Individual domain lookup
$cert_sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id");
while ($row = mysqli_fetch_array($cert_sql)) {
$response['domain'][] = $row;
}
// Get all registrars/webhosts (vendors) for this client that could be linked to this domain
$vendor_sql = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors WHERE vendor_client_id = $client_id");
while($row = mysqli_fetch_array($vendor_sql)){
$response['vendors'][] = $row;
}
// Get all registrars/webhosts (vendors) for this client that could be linked to this domain
$vendor_sql = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors WHERE vendor_client_id = $client_id");
while ($row = mysqli_fetch_array($vendor_sql)) {
$response['vendors'][] = $row;
}
echo json_encode($response);
echo json_encode($response);
}
/*
* Looks up info on the ticket number provided, used to populate the ticket merge modal
*/
if(isset($_GET['merge_ticket_get_json_details'])){
validateTechRole();
if (isset($_GET['merge_ticket_get_json_details'])) {
validateTechRole();
$merge_into_ticket_number = intval($_GET['merge_into_ticket_number']);
$merge_into_ticket_number = intval($_GET['merge_into_ticket_number']);
$sql = mysqli_query($mysqli,"SELECT * FROM tickets
$sql = mysqli_query($mysqli, "SELECT * FROM tickets
LEFT JOIN clients ON ticket_client_id = client_id
LEFT JOIN contacts ON ticket_contact_id = contact_id
WHERE ticket_number = '$merge_into_ticket_number' AND tickets.company_id = '$session_company_id'");
if(mysqli_num_rows($sql) == 0){
//Do nothing.
}
else {
//Return ticket, client and contact details for the given ticket number
$response = mysqli_fetch_array($sql);
echo json_encode($response);
}
if (mysqli_num_rows($sql) == 0) {
//Do nothing.
} else {
//Return ticket, client and contact details for the given ticket number
$response = mysqli_fetch_array($sql);
echo json_encode($response);
}
}
/*
* Looks up info for a given network ID from the database, used to dynamically populate modal fields
*/
if(isset($_GET['network_get_json_details'])){
validateTechRole();
if (isset($_GET['network_get_json_details'])) {
validateTechRole();
$network_id = intval($_GET['network_id']);
$client_id = intval($_GET['client_id']);
$network_id = intval($_GET['network_id']);
$client_id = intval($_GET['client_id']);
// Individual network lookup
$network_sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_id = $network_id AND network_client_id = $client_id");
while($row = mysqli_fetch_array($network_sql)){
$response['network'][] = $row;
}
// Individual network lookup
$network_sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = $network_id AND network_client_id = $client_id");
while ($row = mysqli_fetch_array($network_sql)) {
$response['network'][] = $row;
}
// Lookup all client locations, as networks can be associated with any client location
$locations_sql = mysqli_query($mysqli, "SELECT location_id, location_name FROM locations
// Lookup all client locations, as networks can be associated with any client location
$locations_sql = mysqli_query($mysqli, "SELECT location_id, location_name FROM locations
WHERE location_client_id = '$client_id' AND company_id = '$session_company_id'"
);
while($row = mysqli_fetch_array($locations_sql)){
$response['locations'][] = $row;
}
);
while ($row = mysqli_fetch_array($locations_sql)) {
$response['locations'][] = $row;
}
echo json_encode($response);
echo json_encode($response);
}
if(isset($_POST['client_set_notes'])){
$client_id = intval($_POST['client_id']);
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes'])));
if (isset($_POST['client_set_notes'])) {
$client_id = intval($_POST['client_id']);
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes'])));
// Update notes
mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'");
// Update notes
mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id");
}
@ -169,10 +167,10 @@ if(isset($_POST['client_set_notes'])){
* Called upon loading a ticket, and every 2 mins thereafter
* Is used in conjunction with ticket_query_views to show who is currently viewing a ticket
*/
if(isset($_GET['ticket_add_view'])){
$ticket_id = intval($_GET['ticket_id']);
if (isset($_GET['ticket_add_view'])) {
$ticket_id = intval($_GET['ticket_id']);
mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = '$ticket_id', view_user_id = '$session_user_id', view_timestamp = NOW()");
mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = '$ticket_id', view_user_id = '$session_user_id', view_timestamp = NOW()");
}
/*
@ -180,112 +178,112 @@ if(isset($_GET['ticket_add_view'])){
* Returns formatted text of the agents currently viewing a ticket
* Called upon loading a ticket, and every 2 mins thereafter
*/
if(isset($_GET['ticket_query_views'])){
$ticket_id = intval($_GET['ticket_id']);
if (isset($_GET['ticket_query_views'])) {
$ticket_id = intval($_GET['ticket_id']);
$query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = '$ticket_id' AND view_user_id != '$session_user_id' AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)");
while($row = mysqli_fetch_array($query)){
$users[] = $row['user_name'];
}
if(!empty($users)){
$users = array_unique($users);
if(count($users) > 1){
// Multiple viewers
$response['message'] = implode(", ", $users) . " are viewing this ticket.";
$query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = '$ticket_id' AND view_user_id != '$session_user_id' AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)");
while ($row = mysqli_fetch_array($query)) {
$users[] = $row['user_name'];
}
else{
// Single viewer
$response['message'] = implode("", $users) . " is viewing this ticket.";
if (!empty($users)) {
$users = array_unique($users);
if (count($users) > 1) {
// Multiple viewers
$response['message'] = implode(", ", $users) . " are viewing this ticket.";
} else {
// Single viewer
$response['message'] = implode("", $users) . " is viewing this ticket.";
}
} else {
// No viewers
$response['message'] = "";
}
}
else{
// No viewers
$response['message'] = "";
}
echo json_encode($response);
echo json_encode($response);
}
/*
* Generates public/guest links for sharing logins/docs
*/
if(isset($_GET['share_generate_link'])){
validateTechRole();
if (isset($_GET['share_generate_link'])) {
validateTechRole();
$item_encrypted_credential = ''; // Default empty
$item_encrypted_credential = ''; // Default empty
$client_id = intval($_GET['client_id']);
$item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type'])));
$item_id = intval($_GET['id']);
$item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note'])));
$item_view_limit = intval($_GET['views']);
$item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
$item_key = bin2hex(random_bytes(78));
$client_id = intval($_GET['client_id']);
$item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type'])));
$item_id = intval($_GET['id']);
$item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note'])));
$item_view_limit = intval($_GET['views']);
$item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
$item_key = bin2hex(random_bytes(78));
if($item_type == "Document"){
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1"));
$item_name = $row['document_name'];
}
if ($item_type == "Document") {
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1"));
$item_name = $row['document_name'];
}
if($item_type == "File"){
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1"));
$item_name = $row['file_name'];
}
if ($item_type == "File") {
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1"));
$item_name = $row['file_name'];
}
if($item_type == "Login"){
$login = mysqli_query($mysqli, "SELECT login_name, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
$row = mysqli_fetch_array($login);
if ($item_type == "Login") {
$login = mysqli_query($mysqli, "SELECT login_name, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
$row = mysqli_fetch_array($login);
$item_name = $row['login_name'];
$item_name = $row['login_name'];
// Decrypt & re-encrypt password for sharing
$login_password_cleartext = decryptLoginEntry($row['login_password']);
$login_encryption_key = bin2hex(random_bytes(8));
$iv = bin2hex(random_bytes(8));
$ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
// Decrypt & re-encrypt password for sharing
$login_password_cleartext = decryptLoginEntry($row['login_password']);
$login_encryption_key = bin2hex(random_bytes(8));
$iv = bin2hex(random_bytes(8));
$ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
$item_encrypted_credential = $iv . $ciphertext;
}
$item_encrypted_credential = $iv . $ciphertext;
}
// Insert entry into DB
$sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
$share_id = $mysqli->insert_id;
// Insert entry into DB
$sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
$share_id = $mysqli->insert_id;
// Return URL
if($item_type == "Login"){
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key";
}
else{
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
}
echo json_encode($url);
// Return URL
if ($item_type == "Login") {
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key";
}
else {
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
}
echo json_encode($url);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
}
/*
* Looks up info for a given scheduled ticket ID from the database, used to dynamically populate modal edit fields
*/
if(isset($_GET['scheduled_ticket_get_json_details'])){
validateTechRole();
if (isset($_GET['scheduled_ticket_get_json_details'])) {
validateTechRole();
$client_id = intval($_GET['client_id']);
$ticket_id = intval($_GET['ticket_id']);
$client_id = intval($_GET['client_id']);
$ticket_id = intval($_GET['ticket_id']);
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets
WHERE scheduled_ticket_id = $ticket_id
AND scheduled_ticket_client_id = $client_id LIMIT 1");
while($row = mysqli_fetch_array($ticket_sql)){
$response['ticket'][] = $row;
}
while ($row = mysqli_fetch_array($ticket_sql)) {
$response['ticket'][] = $row;
}
$asset_sql = mysqli_query($mysqli, "SELECT asset_id, asset_name FROM assets WHERE asset_client_id = $client_id AND asset_archived_at IS NULL");
while($row = mysqli_fetch_array($asset_sql)){
$response['assets'][] = $row;
}
$asset_sql = mysqli_query($mysqli, "SELECT asset_id, asset_name FROM assets WHERE asset_client_id = $client_id AND asset_archived_at IS NULL");
while ($row = mysqli_fetch_array($asset_sql)) {
$response['assets'][] = $row;
}
echo json_encode($response);
echo json_encode($response);
}
@ -293,8 +291,8 @@ if(isset($_GET['scheduled_ticket_get_json_details'])){
* Dynamic TOTP for client login page
* When provided with a TOTP secret, returns a 6-digit code
*/
if(isset($_GET['get_totp_token'])){
$otp = TokenAuth6238::getTokenCode($_GET['totp_secret']);
if (isset($_GET['get_totp_token'])) {
$otp = TokenAuth6238::getTokenCode($_GET['totp_secret']);
echo json_encode($otp);
echo json_encode($otp);
}

154
api/v1/assets/create.php
View File

@ -1,107 +1,107 @@
<?php
require('../validate_api_key.php');
require('../require_post_method.php');
require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse info
// Variable assignment - assigning blank if a value is not provided
if(isset($_POST['asset_name'])){
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_name'])));
} else{
$name = '';
if (isset($_POST['asset_name'])) {
$name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_name'])));
} else {
$name = '';
}
if(isset($_POST['asset_type'])){
$type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_type'])));
} else{
$type = '';
if (isset($_POST['asset_type'])) {
$type = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_type'])));
} else {
$type = '';
}
if(isset($_POST['asset_make'])){
$make = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_make'])));
} else{
$make = '';
if (isset($_POST['asset_make'])) {
$make = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_make'])));
} else {
$make = '';
}
if(isset($_POST['asset_model'])){
$model = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_model'])));
} else{
$model = '';
if (isset($_POST['asset_model'])) {
$model = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_model'])));
} else {
$model = '';
}
if(isset($_POST['asset_serial'])){
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_serial'])));
} else{
$serial = '';
if (isset($_POST['asset_serial'])) {
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_serial'])));
} else {
$serial = '';
}
if(isset($_POST['asset_os'])){
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os'])));
} else{
$os = '';
if (isset($_POST['asset_os'])) {
$os = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_os'])));
} else {
$os = '';
}
if(isset($_POST['asset_ip'])){
$aip = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_ip'])));
} else{
$aip = '';
if (isset($_POST['asset_ip'])) {
$aip = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_ip'])));
} else {
$aip = '';
}
if(isset($_POST['asset_mac'])){
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_mac'])));
} else{
$mac = '';
if (isset($_POST['asset_mac'])) {
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_mac'])));
} else {
$mac = '';
}
if(isset($_POST['asset_purchase_date'])){
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_purchase_date'])));
} else{
$purchase_date = "0000-00-00";
if (isset($_POST['asset_purchase_date'])) {
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_purchase_date'])));
} else {
$purchase_date = "0000-00-00";
}
if(isset($_POST['asset_warranty_expire'])){
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_warranty_expire'])));
} else{
$warranty_expire = "0000-00-00";
if (isset($_POST['asset_warranty_expire'])) {
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_warranty_expire'])));
} else {
$warranty_expire = "0000-00-00";
}
if(isset($_POST['asset_install_date'])){
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_install_date'])));
} else{
$install_date = "0000-00-00";
if (isset($_POST['asset_install_date'])) {
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_install_date'])));
} else {
$install_date = "0000-00-00";
}
if(isset($_POST['asset_notes'])){
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_notes'])));
} else{
$notes = '';
if (isset($_POST['asset_notes'])) {
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_notes'])));
} else {
$notes = '';
}
if(isset($_POST['asset_vendor_id'])){
$vendor = intval($_POST['asset_vendor_id']);
} else{
$vendor = '0';
if (isset($_POST['asset_vendor_id'])) {
$vendor = intval($_POST['asset_vendor_id']);
} else {
$vendor = '0';
}
if(isset($_POST['asset_location_id'])){
$location = intval($_POST['asset_location_id']);
} else{
$location = '0';
if (isset($_POST['asset_location_id'])) {
$location = intval($_POST['asset_location_id']);
} else {
$location = '0';
}
if(isset($_POST['asset_contact_id'])){
$contact = intval($_POST['asset_contact_id']);
} else{
$contact = '0';
if (isset($_POST['asset_contact_id'])) {
$contact = intval($_POST['asset_contact_id']);
} else {
$contact = '0';
}
if(isset($_POST['asset_network_id'])){
$network = intval($_POST['asset_network_id']);
} else{
$network = '0';
if (isset($_POST['asset_network_id'])) {
$network = intval($_POST['asset_network_id']);
} else {
$network = '0';
}
// Default
$insert_id = FALSE;
$insert_id = false;
if(!empty($name) && !empty($client_id)){
// Insert into Database
$insert_sql = mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_created_at = NOW(), asset_network_id = $network, asset_client_id = $client_id, company_id = '$company_id'");
if (!empty($name) && !empty($client_id)) {
// Insert into Database
$insert_sql = mysqli_query($mysqli, "INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_created_at = NOW(), asset_network_id = $network, asset_client_id = $client_id, company_id = '$company_id'");
if($insert_sql){
$insert_id = mysqli_insert_id($mysqli);
if ($insert_sql) {
$insert_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
}
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
}
}
// Output
include('../create_output.php');
require_once('../create_output.php');

28
api/v1/assets/delete.php
View File

@ -1,28 +1,28 @@
<?php
require('../validate_api_key.php');
require_once('../validate_api_key.php');
require('../require_post_method.php');
require_once('../require_post_method.php');
// Parse ID
$asset_id = intval($_POST['asset_id']);
// Default
$delete_count = FALSE;
$delete_count = false;
if(!empty($asset_id)){
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
$asset_name = $row['asset_name'];
if (!empty($asset_id)) {
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
$asset_name = $row['asset_name'];
$delete_sql = mysqli_query($mysqli, "DELETE FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
$delete_sql = mysqli_query($mysqli, "DELETE FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
// Check delete & get affected rows
if($delete_sql && !empty($asset_name)){
$delete_count = mysqli_affected_rows($mysqli);
// Check delete & get affected rows
if ($delete_sql && !empty($asset_name)) {
$delete_count = mysqli_affected_rows($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Deleted', log_description = '$asset_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
}
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Deleted', log_description = '$asset_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
}
}
// Output
include('../delete_output.php');
require_once('../delete_output.php');

40
api/v1/assets/read.php
View File

@ -1,42 +1,42 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Asset via ID (single)
if(isset($_GET['asset_id'])){
$id = intval($_GET['asset_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id'");
if (isset($_GET['asset_id'])) {
$id = intval($_GET['asset_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Asset query via type
elseif(isset($_GET['asset_type'])){
$type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type']));
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['asset_type'])) {
$type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type']));
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Asset query via name
elseif(isset($_GET['asset_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['asset_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['asset_name'])) {
$name = mysqli_real_escape_string($mysqli, $_GET['asset_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Asset query via serial
elseif(isset($_GET['asset_serial'])){
$serial = mysqli_real_escape_string($mysqli,$_GET['asset_serial']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['asset_serial'])) {
$serial = mysqli_real_escape_string($mysqli, $_GET['asset_serial']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Asset query via client ID
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// All assets
else{
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
else {
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

200
api/v1/assets/update.php
View File

@ -1,116 +1,116 @@
<?php
require('../validate_api_key.php');
require('../require_post_method.php');
require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse ID
$asset_id = intval($_POST['asset_id']);
// Default
$update_count = FALSE;
$update_count = false;
if(!empty($asset_id)){
if (!empty($asset_id)) {
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$asset_id' AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$asset_id' AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
// Variable assignment - assigning the current database value if a value is not provided
if(isset($_POST['asset_name'])){
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_name'])));
} else{
$name = $row['asset_name'];
}
if(isset($_POST['asset_type'])){
$type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_type'])));
} else{
$type = $row['asset_type'];
}
if(isset($_POST['asset_make'])){
$make = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_make'])));
} else{
$make = $row['asset_make'];
}
if(isset($_POST['asset_model'])){
$model = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_model'])));
} else{
$model = $row['asset_model'];
}
if(isset($_POST['asset_serial'])){
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_serial'])));
} else{
$serial = $row['asset_serial'];
}
if(isset($_POST['asset_os'])){
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os'])));
} else{
$os = $row['asset_os'];
}
if(isset($_POST['asset_os'])){
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os'])));
} else{
$os = $row['asset_os'];
}
if(isset($_POST['asset_ip'])){
$aip = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_ip'])));
} else{
$aip = $row['asset_ip'];
}
if(isset($_POST['asset_mac'])){
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_mac'])));
} else{
$mac = $row['asset_mac'];
}
if(isset($_POST['asset_purchase_date'])){
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_purchase_date'])));
} else{
$purchase_date = $row['asset_purchase_date'];
}
if(isset($_POST['asset_warranty_expire'])){
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_warranty_expire'])));
} else{
$warranty_expire = $row['asset_warranty_expire'];
}
if(isset($_POST['asset_install_date'])){
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_install_date'])));
} else{
$install_date = $row['asset_install_date'];
}
if(isset($_POST['asset_notes'])){
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_notes'])));
} else{
$notes = $row['asset_notes'];
}
if(isset($_POST['asset_vendor_id'])){
$vendor = intval($_POST['asset_vendor_id']);
} else{
$vendor = $row['asset_vendor_id'];
}
if(isset($_POST['asset_location_id'])){
$location = intval($_POST['asset_location_id']);
} else{
$location = $row['asset_location_id'];
}
if(isset($_POST['asset_contact_id'])){
$contact = intval($_POST['asset_contact_id']);
} else{
$contact = $row['asset_contact_id'];
}
if(isset($_POST['asset_network_id'])){
$network = intval($_POST['asset_network_id']);
} else{
$network = $row['asset_network_id'];
}
// Variable assignment - assigning the current database value if a value is not provided
if (isset($_POST['asset_name'])) {
$name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_name'])));
} else {
$name = $row['asset_name'];
}
if (isset($_POST['asset_type'])) {
$type = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_type'])));
} else {
$type = $row['asset_type'];
}
if (isset($_POST['asset_make'])) {
$make = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_make'])));
} else {
$make = $row['asset_make'];
}
if (isset($_POST['asset_model'])) {
$model = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_model'])));
} else {
$model = $row['asset_model'];
}
if (isset($_POST['asset_serial'])) {
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_serial'])));
} else {
$serial = $row['asset_serial'];
}
if (isset($_POST['asset_os'])) {
$os = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_os'])));
} else {
$os = $row['asset_os'];
}
if (isset($_POST['asset_os'])) {
$os = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_os'])));
} else {
$os = $row['asset_os'];
}
if (isset($_POST['asset_ip'])) {
$aip = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_ip'])));
} else {
$aip = $row['asset_ip'];
}
if (isset($_POST['asset_mac'])) {
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_mac'])));
} else {
$mac = $row['asset_mac'];
}
if (isset($_POST['asset_purchase_date'])) {
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_purchase_date'])));
} else {
$purchase_date = $row['asset_purchase_date'];
}
if (isset($_POST['asset_warranty_expire'])) {
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_warranty_expire'])));
} else {
$warranty_expire = $row['asset_warranty_expire'];
}
if (isset($_POST['asset_install_date'])) {
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_install_date'])));
} else {
$install_date = $row['asset_install_date'];
}
if (isset($_POST['asset_notes'])) {
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_notes'])));
} else {
$notes = $row['asset_notes'];
}
if (isset($_POST['asset_vendor_id'])) {
$vendor = intval($_POST['asset_vendor_id']);
} else {
$vendor = $row['asset_vendor_id'];
}
if (isset($_POST['asset_location_id'])) {
$location = intval($_POST['asset_location_id']);
} else {
$location = $row['asset_location_id'];
}
if (isset($_POST['asset_contact_id'])) {
$contact = intval($_POST['asset_contact_id']);
} else {
$contact = $row['asset_contact_id'];
}
if (isset($_POST['asset_network_id'])) {
$network = intval($_POST['asset_network_id']);
} else {
$network = $row['asset_network_id'];
}
$update_sql = mysqli_query($mysqli,"UPDATE assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_updated_at = NOW(), asset_network_id = $network WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
$update_sql = mysqli_query($mysqli, "UPDATE assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_updated_at = NOW(), asset_network_id = $network WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
// Check insert & get insert ID
if($update_sql){
$update_count = mysqli_affected_rows($mysqli);
// Check insert & get insert ID
if ($update_sql) {
$update_count = mysqli_affected_rows($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated asset $name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
}
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated asset $name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
}
}
// Output
include('../update_output.php');
require_once('../update_output.php');

28
api/v1/certificates/read.php
View File

@ -1,30 +1,30 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific certificate via ID (single)
if(isset($_GET['certificate_id'])){
$id = intval($_GET['certificate_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id'");
if (isset($_GET['certificate_id'])) {
$id = intval($_GET['certificate_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Certificate by name
elseif(isset($_GET['certificate_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['certificate_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['certificate_name'])) {
$name = mysqli_real_escape_string($mysqli, $_GET['certificate_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
}
// Certificate via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
}
// All certificates
else{
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
else {
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

22
api/v1/clients/read.php
View File

@ -1,24 +1,24 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific client via ID (single)
if(isset($_GET['client_id'])){
$id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$id' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
if (isset($_GET['client_id'])) {
$id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$id' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Specific client via name (single)
elseif(isset($_GET['client_name'])){
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['client_name'])));
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_name = '$name' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
elseif (isset($_GET['client_name'])) {
$name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['client_name'])));
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_name = '$name' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// All clients
else{
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY client_id LIMIT $limit OFFSET $offset");
else {
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY client_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

12
api/v1/contacts/contact_model.php
View File

@ -1,13 +1,13 @@
<?php
define('number_regex', '/[^0-9]/');
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_name'])));
$title = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_title'])));
$department = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_department'])));
$name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_name'])));
$title = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_title'])));
$department = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_department'])));
$phone = preg_replace(number_regex, '', $_POST['contact_phone']);
$extension = preg_replace(number_regex, '', $_POST['contact_extension']);
$mobile = preg_replace(number_regex, '', $_POST['contact_mobile']);
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_email'])));
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_notes'])));
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_auth_method'])));
$email = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_email'])));
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_notes'])));
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_auth_method'])));
$location_id = intval($_POST['contact_location_id']);

36
api/v1/contacts/create.php
View File

@ -1,34 +1,34 @@
<?php
require('../validate_api_key.php');
require('../require_post_method.php');
require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse Info
include('contact_model.php');
require_once('contact_model.php');
// Default
$insert_id = FALSE;
if(!empty($name) && !empty($email) && !empty($client_id)){
if (!empty($name) && !empty($email) && !empty($client_id)) {
// Check contact with $email doesn't already exist
$email_duplication_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id = '$client_id'");
// Check contact with $email doesn't already exist
$email_duplication_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id = '$client_id'");
if(mysqli_num_rows($email_duplication_sql) == 0){
if (mysqli_num_rows($email_duplication_sql) == 0) {
// Insert contact
$insert_sql = mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_created_at = NOW(), contact_department = '$department', contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id");
// Insert contact
$insert_sql = mysqli_query($mysqli, "INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_created_at = NOW(), contact_department = '$department', contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id");
// Check insert & get insert ID
if ($insert_sql) {
$insert_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
}
// Check insert & get insert ID
if($insert_sql){
$insert_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
}
}
}
// Output
include('../create_output.php');
require_once('../create_output.php');

26
api/v1/contacts/delete.php
View File

@ -1,7 +1,7 @@
<?php
require('../validate_api_key.php');
require('../require_post_method.php');
require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse ID
$contact_id = intval($_POST['contact_id']);
@ -9,20 +9,20 @@ $contact_id = intval($_POST['contact_id']);
// Default
$delete_count = FALSE;
if(!empty($contact_id)){
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
$contact_name = $row['contact_name'];
if (!empty($contact_id)) {
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
$contact_name = $row['contact_name'];
$delete_sql = mysqli_query($mysqli, "DELETE FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
$delete_sql = mysqli_query($mysqli, "DELETE FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
// Check delete & get affected rows
if($delete_sql && !empty($contact_name)){
$delete_count = mysqli_affected_rows($mysqli);
// Check delete & get affected rows
if ($delete_sql && !empty($contact_name)) {
$delete_count = mysqli_affected_rows($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Deleted', log_description = '$contact_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
}
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Deleted', log_description = '$contact_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
}
}
// Output
include('../delete_output.php');
require_once('../delete_output.php');

14
api/v1/contacts/read.php
View File

@ -1,24 +1,24 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific contact via ID (single)
if(isset($_GET['contact_id'])){
if (isset($_GET['contact_id'])) {
$id = intval($_GET['contact_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Specific contact via email (single)
elseif(isset($_GET['contact_email'])){
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['contact_email'])));
elseif (isset($_GET['contact_email'])) {
$email = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['contact_email'])));
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// All contacts
else{
else {
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

26
api/v1/contacts/update.php
View File

@ -1,28 +1,28 @@
<?php
require('../validate_api_key.php');
require('../require_post_method.php');
require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse Info
$contact_id = intval($_POST['contact_id']);
include('contact_model.php');
require_once('contact_model.php');
// Default
$update_count = FALSE;
if(!empty($name) && !empty($email)){
if (!empty($name) && !empty($email)) {
$update_sql = mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_updated_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id WHERE contact_id = $contact_id LIMIT 1");
$update_sql = mysqli_query($mysqli, "UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_updated_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id WHERE contact_id = $contact_id LIMIT 1");
// Check insert & get insert ID
if($update_sql){
$update_count = mysqli_affected_rows($mysqli);
// Check insert & get insert ID
if ($update_sql) {
$update_count = mysqli_affected_rows($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
}
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
}
}
// Output
include('../update_output.php');
require_once('../update_output.php');

20
api/v1/create_output.php
View File

@ -7,19 +7,19 @@
*/
// Check if the insert query was successful
if(isset($insert_id) && is_numeric($insert_id)){
// Insert successful
$return_arr['success'] = "True";
$return_arr['count'] = '1';
$return_arr['data'][] = [
'insert_id' => $insert_id
];
if (isset($insert_id) && is_numeric($insert_id)) {
// Insert successful
$return_arr['success'] = "True";
$return_arr['count'] = '1';
$return_arr['data'][] = [
'insert_id' => $insert_id
];
}
// Query returned false: something went wrong, or it was declined due to required variables missing
else{
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but insert query failed, ensure ALL required variables are provided (and aren't duplicates where applicable) and database schema is up-to-date. Turn on error logging and look for 'undefined index'.";
else {
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but insert query failed, ensure ALL required variables are provided (and aren't duplicates where applicable) and database schema is up-to-date. Turn on error logging and look for 'undefined index'.";
}
echo json_encode($return_arr);

14
api/v1/delete_output.php
View File

@ -7,16 +7,16 @@
*/
// Check if delete query was successful
if(isset($delete_count) && is_numeric($delete_count) && $delete_count > 0){
// Delete was successful
$return_arr['success'] = "True";
$return_arr['count'] = $delete_count;
if (isset($delete_count) && is_numeric($delete_count) && $delete_count > 0) {
// Delete was successful
$return_arr['success'] = "True";
$return_arr['count'] = $delete_count;
}
// Delete query returned false: something went wrong, or it was declined due to required variables missing
else{
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but delete query failed. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: asset/client/company ID mismatch.";
else {
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but delete query failed. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: asset/client/company ID mismatch.";
}
echo json_encode($return_arr);

28
api/v1/domains/read.php
View File

@ -1,30 +1,30 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific domain via ID (single)
if(isset($_GET['domain_id'])){
$id = intval($_GET['domain_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id'");
if (isset($_GET['domain_id'])) {
$id = intval($_GET['domain_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Domain by name
elseif(isset($_GET['domain_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['domain_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['domain_name'])) {
$name = mysqli_real_escape_string($mysqli, $_GET['domain_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Domain via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
}
// All domains
else{
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
else {
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

28
api/v1/networks/read.php
View File

@ -1,30 +1,30 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific network via ID (single)
if(isset($_GET['network_id'])){
$id = intval($_GET['network_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = '$id' AND network_client_id LIKE '$client_id' AND company_id = '$company_id'");
if (isset($_GET['network_id'])) {
$id = intval($_GET['network_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = '$id' AND network_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Network by name
elseif(isset($_GET['network_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['network_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['network_name'])) {
$name = mysqli_real_escape_string($mysqli, $_GET['network_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
}
// Network via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
}
// All networks
else{
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
else {
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

28
api/v1/read_output.php
View File

@ -6,21 +6,21 @@
* Returns success & data messages
*/
if($sql && mysqli_num_rows($sql) > 0){
$return_arr['success'] = "True";
$return_arr['count'] = mysqli_num_rows($sql);
if ($sql && mysqli_num_rows($sql) > 0) {
$return_arr['success'] = "True";
$return_arr['count'] = mysqli_num_rows($sql);
$row = array();
while($row = mysqli_fetch_array($sql)){
$return_arr['data'][] = $row;
}
$row = array();
while ($row = mysqli_fetch_array($sql)) {
$return_arr['data'][] = $row;
}
echo json_encode($return_arr);
exit();
echo json_encode($return_arr);
exit();
}
else{
$return_arr['success'] = "False";
$return_arr['message'] = "No resource (for this client and company) with the specified parameter(s).";
echo json_encode($return_arr);
exit();
else {
$return_arr['success'] = "False";
$return_arr['message'] = "No resource (for this client and company) with the specified parameter(s).";
echo json_encode($return_arr);
exit();
}

16
api/v1/require_get_method.php
View File

@ -1,13 +1,13 @@
<?php
if($_SERVER['REQUEST_METHOD'] !== "GET"){
header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False";
$return_arr['message'] = "Can only send GET requests to this endpoint.";
echo json_encode($return_arr);
exit();
if ($_SERVER['REQUEST_METHOD'] !== "GET") {
header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False";
$return_arr['message'] = "Can only send GET requests to this endpoint.";
echo json_encode($return_arr);
exit();
}
// Wildcard client ID for most SELECT queries
if($client_id == 0){
$client_id = "%";
if ($client_id == 0) {
$client_id = "%";
}

16
api/v1/require_post_method.php
View File

@ -1,14 +1,14 @@
<?php
if($_SERVER['REQUEST_METHOD'] !== "POST"){
header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False";
$return_arr['message'] = "Can only send POST requests to this endpoint.";
echo json_encode($return_arr);
exit();
if ($_SERVER['REQUEST_METHOD'] !== "POST") {
header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False";
$return_arr['message'] = "Can only send POST requests to this endpoint.";
echo json_encode($return_arr);
exit();
}
// Client ID must be specific for INSERT/UPDATE/DELETE queries
// If this API key allows any client, set $client_id to the one specified, else leave it
if($client_id == 0){
$client_id = intval($_POST['client_id']);
if ($client_id == 0) {
$client_id = intval($_POST['client_id']);
}

40
api/v1/software/read.php
View File

@ -1,42 +1,42 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific software via ID (single)
if(isset($_GET['software_id'])){
$id = intval($_GET['software_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND software_client_id LIKE '$client_id' AND company_id = '$company_id'");
if (isset($_GET['software_id'])) {
$id = intval($_GET['software_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND software_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Specific software via License ID
if(isset($_GET['software_license'])){
$license = mysqli_real_escape_string($mysqli,$_GET['software_license']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license_type = '$license' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
if (isset($_GET['software_license'])) {
$license = mysqli_real_escape_string($mysqli, $_GET['software_license']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license_type = '$license' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// Software by name
elseif(isset($_GET['software_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['software_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['software_name'])) {
$name = mysqli_real_escape_string($mysqli, $_GET['software_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Software via type
elseif(isset($_GET['software_type'])){
$type = intval($_GET['software_type']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['software_type'])) {
$type = intval($_GET['software_type']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// Software via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// All software(s)
else{
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
else {
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

16
api/v1/tickets/read.php
View File

@ -1,18 +1,18 @@
<?php
require('../validate_api_key.php');
require('../require_get_method.php');
require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific ticket via ID (single)
if(isset($_GET['ticket_id'])){
$id = intval($_GET['ticket_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id' AND company_id = '$company_id'");
if (isset($_GET['ticket_id'])) {
$id = intval($_GET['ticket_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// All tickets
else{
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");
else {
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");
}
// Output
include("../read_output.php");
require_once("../read_output.php");

14
api/v1/update_output.php
View File

@ -7,16 +7,16 @@
*/
// Check if the insert query was successful
if(isset($update_count) && is_numeric($update_count) && $update_count > 0){
// Insert successful
$return_arr['success'] = "True";
$return_arr['count'] = $update_count;
if (isset($update_count) && is_numeric($update_count) && $update_count > 0) {
// Insert successful
$return_arr['success'] = "True";
$return_arr['count'] = $update_count;
}
// Query returned false: something went wrong, or it was declined due to required variables missing
else{
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but update query failed/returned no results. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: non-existent module ID (contact ID/ticket ID/etc)";
else {
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but update query failed/returned no results. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: non-existent module ID (contact ID/ticket ID/etc)";
}
echo json_encode($return_arr);

116
api/v1/validate_api_key.php
View File

@ -7,8 +7,8 @@
*/
// Includes
include( __DIR__ . '../../../functions.php');
include(__DIR__ . "../../../config.php");
require_once( __DIR__ . '../../../functions.php');
require_once(__DIR__ . "../../../config.php");
// JSON header
header('Content-Type: application/json');
@ -17,9 +17,9 @@ header('Content-Type: application/json');
$_POST = json_decode(file_get_contents('php://input'), true);
// Get user IP
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$ip = strip_tags(mysqli_real_escape_string($mysqli, get_ip()));
// Get user agent
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
// Setup return array
$return_arr = array();
@ -43,75 +43,75 @@ DEFINE("WORDING_UNAUTHORIZED", "HTTP/1.1 401 Unauthorized");
*/
// Decline methods other than GET/POST
if($_SERVER['REQUEST_METHOD'] !== "GET" && $_SERVER['REQUEST_METHOD'] !== "POST"){
header("HTTP/1.1 405 Method Not Allowed");
var_dump($_SERVER['REQUEST_METHOD']);
exit();
if ($_SERVER['REQUEST_METHOD'] !== "GET" && $_SERVER['REQUEST_METHOD'] !== "POST") {
header("HTTP/1.1 405 Method Not Allowed");
var_dump($_SERVER['REQUEST_METHOD']);
exit();
}
// Check API key is provided
if(!isset($_GET['api_key']) && !isset($_POST['api_key'])){
header(WORDING_UNAUTHORIZED);
exit();
if (!isset($_GET['api_key']) && !isset($_POST['api_key'])) {
header(WORDING_UNAUTHORIZED);
exit();
}
// Set API key variable
if(isset($_GET['api_key'])){
$api_key = $_GET['api_key'];
if (isset($_GET['api_key'])) {
$api_key = $_GET['api_key'];
}
if(isset($_POST['api_key'])){
$api_key = $_POST['api_key'];
if (isset($_POST['api_key'])) {
$api_key = $_POST['api_key'];
}
// Validate API key
if(isset($api_key)){
$api_key = mysqli_real_escape_string($mysqli,$api_key);
if (isset($api_key)) {
$api_key = mysqli_real_escape_string($mysqli, $api_key);
$sql = mysqli_query($mysqli,"SELECT * FROM api_keys WHERE api_key_secret = '$api_key' AND api_key_expire > NOW() LIMIT 1");
$sql = mysqli_query($mysqli, "SELECT * FROM api_keys WHERE api_key_secret = '$api_key' AND api_key_expire > NOW() LIMIT 1");
// Failed
if(mysqli_num_rows($sql) !== 1){
// Invalid Key
header(WORDING_UNAUTHORIZED);
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired Key', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
// Failed
if (mysqli_num_rows($sql) !== 1) {
// Invalid Key
header(WORDING_UNAUTHORIZED);
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired Key', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$return_arr['success'] = "False";
$return_arr['message'] = "API Key authentication failure or expired.";
$return_arr['success'] = "False";
$return_arr['message'] = "API Key authentication failure or expired.";
header(WORDING_UNAUTHORIZED);
echo json_encode($return_arr);
exit();
}
// Success
else{
// Set client ID, company ID & key name
$row = mysqli_fetch_array($sql);
$api_key_name = $row['api_key_name'];
$client_id = $row['api_key_client_id'];
$company_id = $row['company_id'];
// Set limit & offset for queries
if(isset($_GET['limit'])){
$limit = intval($_GET['limit']);
}
elseif(isset($_POST['limit'])){
$limit = intval($_POST['limit']);
}
else{
$limit = 50;
header(WORDING_UNAUTHORIZED);
echo json_encode($return_arr);
exit();
}
if(isset($_GET['offset'])){
$offset = intval($_GET['offset']);
}
elseif(isset($_POST['offset'])){
$offset = intval($_POST['offset']);
}
else{
$offset = 0;
}
// Success
else {
}
// Set client ID, company ID & key name
$row = mysqli_fetch_array($sql);
$api_key_name = $row['api_key_name'];
$client_id = $row['api_key_client_id'];
$company_id = $row['company_id'];
// Set limit & offset for queries
if (isset($_GET['limit'])) {
$limit = intval($_GET['limit']);
}
elseif (isset($_POST['limit'])) {
$limit = intval($_POST['limit']);
}
else {
$limit = 50;
}
if (isset($_GET['offset'])) {
$offset = intval($_GET['offset']);
}
elseif (isset($_POST['offset'])) {
$offset = intval($_POST['offset']);
}
else {
$offset = 0;
}
}
}

49
get_credential.php
View File

@ -18,17 +18,16 @@
// Headers to allow extensions access (CORS)
$chrome_id = "chrome-extension://afgpakhonllnmnomchjhidealcpmnegc";
//$firefox_id = "moz-extension://857479e9-3992-4e99-9a5e-b514d2ad0a82"; // Firefox rejected the extension. They are still using manifest v2 so will just focus on Chrome/Edge with v3 for now until Mozilla catches up
if (isset($_SERVER['HTTP_ORIGIN'])) {
if($_SERVER['HTTP_ORIGIN'] == $chrome_id){
if ($_SERVER['HTTP_ORIGIN'] == $chrome_id) {
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header('Access-Control-Allow-Credentials: true');
}
}
include("config.php");
include("functions.php");
include_once("config.php");
include_once("functions.php");
// IP & User Agent for logging
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
@ -41,13 +40,13 @@ DEFINE("WORDING_BAD_EXT_COOKIE_KEY", "ITFlow - You are not logged into ITFlow, d
// Check user is logged in & has extension access
// We're not using the PHP session as we don't want to potentially expose the session cookie with SameSite None
if(!isset($_COOKIE['user_extension_key'])){
if (!isset($_COOKIE['user_extension_key'])) {
$data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data));
echo json_encode($data);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit();
}
@ -56,13 +55,13 @@ if(!isset($_COOKIE['user_extension_key'])){
$user_extension_key = $_COOKIE['user_extension_key'];
// Check the key isn't empty, less than 17 characters or the word "disabled".
if(empty($user_extension_key) || strlen($user_extension_key) < 16 || strtolower($user_extension_key) == "disabled"){
if (empty($user_extension_key) || strlen($user_extension_key) < 16 || strtolower($user_extension_key) == "disabled") {
$data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data));
echo json_encode($data);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit();
}
@ -74,25 +73,25 @@ $auth_user = mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings
$row = mysqli_fetch_array($auth_user);
// Check SQL query state
if(mysqli_num_rows($auth_user) < 1 || !$auth_user){
if (mysqli_num_rows($auth_user) < 1 || !$auth_user) {
$data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data));
echo json_encode($data);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit();
}
// Sanity check
if(hash('sha256', $row['user_extension_key']) !== hash('sha256', $_COOKIE['user_extension_key'])){
if (hash('sha256', $row['user_extension_key']) !== hash('sha256', $_COOKIE['user_extension_key'])) {
$data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data));
echo json_encode($data);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit();
}
@ -110,28 +109,28 @@ $session_company_id = $row['user_default_company'];
$session_user_role = $row['user_role'];
// Check user access level is correct (not an accountant)
if($session_user_role < 1){
if ($session_user_role < 1) {
$data['found'] = "FALSE";
$data['message'] = WORDING_ROLECHECK_FAILED;
echo(json_encode($data));
echo json_encode($data);
//Logging
$user_name = mysqli_real_escape_string($mysqli, $session_name);
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = '$user_name not authorised to use extension', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $session_user_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = '$user_name not authorised to use extension', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $session_user_id");
exit();
}
// Lets go!
if(isset($_GET['host'])){
if (isset($_GET['host'])) {
if(!empty($_GET['host'])){
$url = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['host'])));
if (!empty($_GET['host'])) {
$url = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['host'])));
$sql_logins = mysqli_query($mysqli, "SELECT * FROM logins WHERE (login_uri = '$url' AND company_id = '$session_company_id') LIMIT 1");
if(mysqli_num_rows($sql_logins) > 0){
if (mysqli_num_rows($sql_logins) > 0) {
$row = mysqli_fetch_array($sql_logins);
$data['found'] = "TRUE";
$data['username'] = htmlentities($row['login_username']);

28
portal/check_login.php
View File

@ -5,27 +5,27 @@
* Checks if the client is logged in or not
*/
if(!isset($_SESSION)){
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if($config_https_only){
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
if (!isset($_SESSION)) {
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
}
if(!$_SESSION['client_logged_in']){
header("Location: login.php");
die;
if (!$_SESSION['client_logged_in']) {
header("Location: login.php");
die;
}
// SESSION FINGERPRINT
$session_ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$session_os = strip_tags(mysqli_real_escape_string($mysqli,get_os()));
$session_ip = strip_tags(mysqli_real_escape_string($mysqli, get_ip()));
$session_os = strip_tags(mysqli_real_escape_string($mysqli, get_os()));
// Get user agent
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
// Get info from session
$session_client_id = $_SESSION['client_id'];

26
portal/inc_portal.php
View File

@ -4,19 +4,19 @@
* Includes for all pages (except login)
*/
include('../config.php');
include('../functions.php');
include('check_login.php');
include('portal_functions.php');
require_once('../config.php');
require_once('../functions.php');
require_once('check_login.php');
require_once('portal_functions.php');
if(!isset($_SESSION)){
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if($config_https_only){
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
if (!isset($_SESSION)) {
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
}
include("portal_header.php");
require_once("portal_header.php");

146
portal/index.php
View File

@ -8,18 +8,18 @@ require_once("inc_portal.php");
// Ticket status from GET
if (!isset($_GET['status'])) {
// If nothing is set, assume we only want to see open tickets
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
// If nothing is set, assume we only want to see open tickets
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Open') {
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Closed') {
$status = 'Closed';
$ticket_status_snippet = "ticket_status = 'Closed'";
$status = 'Closed';
$ticket_status_snippet = "ticket_status = 'Closed'";
} else {
$status = '%';
$ticket_status_snippet = "ticket_status LIKE '%'";
$status = '%';
$ticket_status_snippet = "ticket_status LIKE '%'";
}
$contact_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_contact_id = '$session_contact_id' AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC");
@ -41,39 +41,39 @@ $total_tickets = $row['total_tickets'];
?>
<table>
<tr>
<th class="text-center">
<?php if(!empty($session_contact_photo)){ ?>
<img src="<?php echo "../uploads/clients/$session_company_id/$session_client_id/$session_contact_photo"; ?>" alt="..." class=" img-size-50 img-circle">
<?php }else{ ?>
<span class="fa-stack fa-2x rounded-left">
<table>
<tr>
<th class="text-center">
<?php if (!empty($session_contact_photo)) { ?>
<img src="<?php echo "../uploads/clients/$session_company_id/$session_client_id/$session_contact_photo"; ?>" alt="..." class=" img-size-50 img-circle">
<?php } else { ?>
<span class="fa-stack fa-2x rounded-left">
<i class="fa fa-circle fa-stack-2x text-secondary"></i>
<span class="fa fa-stack-1x text-white"><?php echo $session_contact_initials; ?></span>
</span>
<br>
<?php } ?>
<div class="text-dark"><?php echo $session_contact_name; ?></div>
<div><?php echo $session_contact_title; ?></div>
</th>
<th>
<div class="">
<h4 class="">Welcome, <b><?php echo $session_contact_name ?></b>!</h4>
<hr>
</div>
</th>
</tr>
</table>
<br>
<br>
<?php } ?>
<div class="text-dark"><?php echo $session_contact_name; ?></div>
<div><?php echo $session_contact_title; ?></div>
</th>
<th>
<div class="">
<h4 class="">Welcome, <b><?php echo $session_contact_name ?></b>!</h4>
<hr>
</div>
</th>
</tr>
</table>
<div class="row">
<div class="col-10">
<div class="card">
<br>
<div class="row">
<div class="col-10">
<div class="card">
<span class="border border-secondary">
<table class="table">
<thead class="thead-dark">
@ -86,46 +86,46 @@ $total_tickets = $row['total_tickets'];
<tbody>
<?php
while($ticket = mysqli_fetch_array($contact_tickets)){
echo "<tr>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_number]</a></td>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
echo "<td>$ticket[ticket_status]</td>";
echo "</tr>";
while ($ticket = mysqli_fetch_array($contact_tickets)) {
echo "<tr>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_number]</a></td>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
echo "<td>$ticket[ticket_status]</td>";
echo "</tr>";
}
?>
</tbody>
</table>
</span>
</div>
</div>
<div class="col-2">
<div class="card">
<a href="ticket_add.php" class="btn btn-primary">New ticket</a>
</div>
<hr>
<a href="?status=Open">
<div class="card text-white bg-danger mb-3" style="max-width: 18rem;">
<div class="card-header">My Open tickets | <b><?php echo $total_tickets_open ?></b></div>
</div>
</a>
<a href="?status=Closed">
<div class="card text-white bg-success mb-3" style="max-width: 18rem;">
<div class="card-header">Resolved tickets | <b><?php echo $total_tickets_closed ?></b></div>
</div>
</a>
<a href="?status=%">
<div class="card text-white bg-secondary mb-3" style="max-width: 18rem;">
<div class="card-header">All my tickets | <b><?php echo $total_tickets ?></b></div>
</div>
</a>
</div>
</div>
</div>
<div class="col-2">
<div class="card">
<a href="ticket_add.php" class="btn btn-primary">New ticket</a>
</div>
<hr>
<a href="?status=Open">
<div class="card text-white bg-danger mb-3" style="max-width: 18rem;">
<div class="card-header">My Open tickets | <b><?php echo $total_tickets_open ?></b></div>
</div>
</a>
<a href="?status=Closed">
<div class="card text-white bg-success mb-3" style="max-width: 18rem;">
<div class="card-header">Resolved tickets | <b><?php echo $total_tickets_closed ?></b></div>
</div>
</a>
<a href="?status=%">
<div class="card text-white bg-secondary mb-3" style="max-width: 18rem;">
<div class="card-header">All my tickets | <b><?php echo $total_tickets ?></b></div>
</div>
</a>
</div>
</div>
<?php include("portal_footer.php"); ?>
<?php require_once("portal_footer.php"); ?>

206
portal/login.php
View File

@ -9,20 +9,20 @@ require_once('../config.php');
require_once('../functions.php');
require_once ('../get_settings.php');
if(!isset($_SESSION)){
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if($config_https_only){
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
if (!isset($_SESSION)) {
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
}
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$sql_settings = mysqli_query($mysqli,"SELECT config_azure_client_id FROM settings WHERE company_id = '1'");
$sql_settings = mysqli_query($mysqli, "SELECT config_azure_client_id FROM settings WHERE company_id = '1'");
$settings = mysqli_fetch_array($sql_settings);
$client_id = $settings['config_azure_client_id'];
@ -30,119 +30,119 @@ $company_sql = mysqli_query($mysqli, "SELECT company_name FROM companies WHERE c
$company_results = mysqli_fetch_array($company_sql);
$company_name = $company_results['company_name'];
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])){
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$password = $_POST['password'];
if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
$_SESSION['login_message'] = 'Invalid e-mail';
}
else{
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' LIMIT 1");
$row = mysqli_fetch_array($sql);
if($row['contact_auth_method'] == 'local'){
if(password_verify($password, $row['contact_password_hash'])){
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "local";
header("Location: index.php");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $row[contact_email] successfully logged in locally', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
}
else{
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$password = $_POST['password'];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$_SESSION['login_message'] = 'Invalid e-mail';
}
else{
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$_SESSION['login_message'] = 'Incorrect username or password.';
else {
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' LIMIT 1");
$row = mysqli_fetch_array($sql);
if ($row['contact_auth_method'] == 'local') {
if (password_verify($password, $row['contact_password_hash'])) {
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "local";
header("Location: index.php");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $row[contact_email] successfully logged in locally', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
}
else {
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
}
else {
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $company_name; ?> | Client Portal Login</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $company_name; ?> | Client Portal Login</title>
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex">
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex">
<!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
<!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
</head>
<body class="hold-transition login-page">
<div class="login-box">
<div class="login-logo"><b><?=$company_name?></b> <br>Client Portal Login</h2></div>
<div class="card">
<div class="card-body login-card-body">
<p class="login-box-msg text-danger">
<?php
if(!empty($_SESSION['login_message'])){
echo $_SESSION['login_message'];
unset($_SESSION['login_message']);
}
?>
</p>
<form method="post">
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Client Email" name="email" required autofocus>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-envelope"></span>
</div>
</div>
<div class="login-logo"><b><?=$company_name?></b> <br>Client Portal Login</h2></div>
<div class="card">
<div class="card-body login-card-body">
<p class="login-box-msg text-danger">
<?php
if (!empty($_SESSION['login_message'])) {
echo $_SESSION['login_message'];
unset($_SESSION['login_message']);
}
?>
</p>
<form method="post">
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Client Email" name="email" required autofocus>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-envelope"></span>
</div>
</div>
</div>
<div class="input-group mb-3">
<input type="password" class="form-control" placeholder="Client Password" name="password" required>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-lock"></span>
</div>
</div>
</div>
<button type="submit" class="btn btn-success btn-block mb-3" name="login">Login</button>
<?php
if (!empty($config_smtp_host)) { ?>
<a href="login_reset.php">Forgotten password?</a>
<?php } ?>
</form>
<?php
if (!empty($client_id)) { ?>
<hr>
<div class="col text-center">
<button type="button" class="btn btn-secondary" onclick="location.href = 'login_microsoft.php';">Login with Microsoft Azure AD</button>
</div>
<?php } ?>
</div>
<div class="input-group mb-3">
<input type="password" class="form-control" placeholder="Client Password" name="password" required>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-lock"></span>
</div>
</div>
</div>
<button type="submit" class="btn btn-success btn-block mb-3" name="login">Login</button>
<?php
if (!empty($config_smtp_host)) { ?>
<a href="login_reset.php">Forgotten password?</a>
<?php } ?>
</form>
<?php
if(!empty($client_id)){ ?>
<hr>
<div class="col text-center">
<button type="button" class="btn btn-secondary" onclick="location.href = 'login_microsoft.php';">Login with Microsoft Azure AD</button>
</div>
<?php } ?>
<!-- /.login-card-body -->
</div>
<!-- /.login-card-body -->
</div>
<!-- /.div.card -->
<!-- /.div.card -->
</div>
<!-- /.login-box -->
@ -158,7 +158,7 @@ if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])){
<!-- Prevents resubmit on refresh or back -->
<script>
if(window.history.replaceState){
if (window.history.replaceState) {
window.history.replaceState(null,null,window.location.href);
}
</script>

167
portal/login_microsoft.php
View File

@ -4,20 +4,20 @@
* OAuth Login via Microsoft IDP
*/
include('../config.php');
include('../functions.php');
require_once('../config.php');
require_once('../functions.php');
if(!isset($_SESSION)){
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if($config_https_only){
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
if (!isset($_SESSION)) {
// HTTP Only cookies
ini_set("session.cookie_httponly", true);
if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", true);
}
session_start();
}
$sql_settings = mysqli_query($mysqli,"SELECT config_azure_client_id, config_azure_client_secret FROM settings WHERE company_id = '1'");
$sql_settings = mysqli_query($mysqli, "SELECT config_azure_client_id, config_azure_client_secret FROM settings WHERE company_id = '1'");
$settings = mysqli_fetch_array($sql_settings);
$client_id = $settings['config_azure_client_id'];
@ -31,96 +31,93 @@ $token_grant_url = "https://login.microsoftonline.com/organizations/oauth2/v2.0/
// Initial Login Request, via Microsoft
// Returns a authorization code if login was successful
if ($_SERVER['REQUEST_METHOD'] == "GET"){
if ($_SERVER['REQUEST_METHOD'] == "GET") {
$params = array (
'client_id' => $client_id,
'redirect_uri' => $redirect_uri,
'response_type' => 'code',
'response_mode' =>'form_post',
'scope' => 'https://graph.microsoft.com/User.Read',
'state' => session_id());
$params = array (
'client_id' => $client_id,
'redirect_uri' => $redirect_uri,
'response_type' => 'code',
'response_mode' =>'form_post',
'scope' => 'https://graph.microsoft.com/User.Read',
'state' => session_id());
header ('Location: '.$auth_code_url.'?'.http_build_query ($params));
header('Location: '.$auth_code_url.'?'.http_build_query($params));
}
// Login was successful, Microsoft has returned us a authorization code via POST
// Request an access token using authorization code (& client secret) (server side)
if (isset($_POST['code']) && $_POST['state'] == session_id()){
if (isset($_POST['code']) && $_POST['state'] == session_id()) {
$params = array (
'client_id' =>$client_id,
'code' => $_POST['code'],
'redirect_uri' => $redirect_uri,
'grant_type' => 'authorization_code',
'client_secret' => $client_secret
);
// Send request via CURL (server side) so user cannot see the client secret
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$token_grant_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
http_build_query($params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$access_token_response = json_decode(curl_exec($ch),1);
// Check if we have an access token
// If we do, send a request to Microsoft Graph API to get user info
if (isset($access_token_response['access_token'])){
$params = array (
'client_id' =>$client_id,
'code' => $_POST['code'],
'redirect_uri' => $redirect_uri,
'grant_type' => 'authorization_code',
'client_secret' => $client_secret
);
// Send request via CURL (server side) so user cannot see the client secret
$ch = curl_init();
curl_setopt ($ch, CURLOPT_HTTPHEADER, array ('Authorization: Bearer '.$access_token_response['access_token'],
'Content-type: application/json'));
curl_setopt ($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $token_grant_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
http_build_query($params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$msgraph_response = json_decode (curl_exec ($ch), 1);
$access_token_response = json_decode(curl_exec($ch), 1);
if (isset($msgraph_response['error'])){
// Something went wrong verifying the token/using the Graph API - quit
echo "Error with MS Graph API. Details:";
var_dump ($msgraph_response['error']);
exit();
// Check if we have an access token
// If we do, send a request to Microsoft Graph API to get user info
if (isset($access_token_response['access_token'])) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array ('Authorization: Bearer '.$access_token_response['access_token'],
'Content-type: application/json'));
curl_setopt($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$msgraph_response = json_decode(curl_exec($ch), 1);
if (isset($msgraph_response['error'])) {
// Something went wrong verifying the token/using the Graph API - quit
echo "Error with MS Graph API. Details:";
var_dump($msgraph_response['error']);
exit();
} elseif (isset($msgraph_response['id'])) {
$upn = mysqli_real_escape_string($mysqli, $msgraph_response["userPrincipalName"]);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$upn' LIMIT 1");
$row = mysqli_fetch_array($sql);
if ($row['contact_auth_method'] == 'azure') {
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "azure";
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $upn successfully logged in via Azure', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
header("Location: index.php");
} else {
$_SESSION['login_message'] = 'Something went wrong with login. Ensure you are setup for SSO.';
header("Location: index.php");
}
}
header('Location: index.php');
} else {
echo "Error getting access_token";
}
elseif(isset($msgraph_response['id'])){
$upn = mysqli_real_escape_string($mysqli, $msgraph_response["userPrincipalName"]);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$upn' LIMIT 1");
$row = mysqli_fetch_array($sql);
if($row['contact_auth_method'] == 'azure'){
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "azure";
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $upn successfully logged in via Azure', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
header("Location: index.php");
}
else{
$_SESSION['login_message'] = 'Something went wrong with login. Ensure you are setup for SSO.';
header("Location: index.php");
}
}
header ('Location: index.php');
}
else{
echo "Error getting access_token";
}
}
// If the user is just sat on the page, redirect them to login to try again
if(empty($_GET)){
echo "<script> setTimeout(function(){ window.location = \"login.php\"; },1000);</script>";
if (empty($_GET)) {
echo "<script> setTimeout(function() { window.location = \"login.php\"; },1000);</script>";
}

365
portal/login_reset.php
View File

@ -7,25 +7,25 @@
$session_company_id = 1;
require_once('../config.php');
require_once('../functions.php');
require_once ('../get_settings.php');
require_once('../get_settings.php');
if (empty($config_smtp_host)) {
header("Location: login.php");
exit();
header("Location: login.php");
exit();
}
if(!isset($_SESSION)){
// HTTP Only cookies
ini_set("session.cookie_httponly", True);
if($config_https_only){
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True);
}
session_start();
if (!isset($_SESSION)) {
// HTTP Only cookies
ini_set("session.cookie_httponly", true);
if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", true);
}
session_start();
}
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$company_sql = mysqli_query($mysqli, "SELECT company_name FROM companies WHERE company_id = '1'");
$company_results = mysqli_fetch_array($company_sql);
@ -35,107 +35,106 @@ DEFINE("WORDING_ERROR", "Something went wrong! Your link may have expired. Pleas
if ($_SERVER['REQUEST_METHOD'] == "POST") {
/*
* Send password reset email
*/
if(isset($_POST['password_reset_email_request'])){
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$sql = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_client_id, company_id FROM contacts WHERE contact_email = '$email' AND contact_auth_method = 'local' LIMIT 1");
$row = mysqli_fetch_assoc($sql);
$id = $row['contact_id'];
$name = $row['contact_name'];
$client = $row['contact_client_id'];
$company = $row['company_id'];
if ($row['contact_email'] == $email) {
$token = key32gen();
$url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client";
mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send reset email
$subject = "Password reset for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Someone (probably you) has requested a new password for your account on $company_name's ITFlow Client Portal. <br><br><b>Please <a href='$url'>click here</a> to reset your password.</b> <br><br>Alternatively, copy and paste this URL into your browser: $url<br><br><i>If you didn't request this change, you can safely ignore this email.</i><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
//End Mail IF
} else {
sleep(rand(2, 4)); // Mimic the e-mail send delay even if email is invalid to help prevent user enumeration
}
$_SESSION['login_message'] = "If your account exists, a reset link is on it's way!";
/*
* Do password reset
* Send password reset email
*/
}
elseif(isset($_POST['password_reset_set_password'])){
if (isset($_POST['password_reset_email_request'])) {
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$sql = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_client_id, company_id FROM contacts WHERE contact_email = '$email' AND contact_auth_method = 'local' LIMIT 1");
$row = mysqli_fetch_assoc($sql);
$id = $row['contact_id'];
$name = $row['contact_name'];
$client = $row['contact_client_id'];
$company = $row['company_id'];
if ($row['contact_email'] == $email) {
$token = key32gen();
$url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client";
mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send reset email
$subject = "Password reset for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Someone (probably you) has requested a new password for your account on $company_name's ITFlow Client Portal. <br><br><b>Please <a href='$url'>click here</a> to reset your password.</b> <br><br>Alternatively, copy and paste this URL into your browser: $url<br><br><i>If you didn't request this change, you can safely ignore this email.</i><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
//End Mail IF
} else {
sleep(rand(2, 4)); // Mimic the e-mail send delay even if email is invalid to help prevent user enumeration
}
$_SESSION['login_message'] = "If your account exists, a reset link is on it's way!";
/*
* Do password reset
*/
} elseif (isset($_POST['password_reset_set_password'])) {
if (!isset($_POST['new_password']) || !isset($_POST['email']) || !isset($_POST['token']) || !isset($_POST['client'])) {
$_SESSION['login_message'] = WORDING_ERROR;
}
$token = strip_tags(mysqli_real_escape_string($mysqli, $_POST['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_POST['client'])));
// Query user
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
$contact_id = $contact_row['contact_id'];
$name = $contact_row['contact_name'];
$company = $contact_row['company_id'];
// Ensure the token is correct
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) {
// Set password, invalidate token, logging
$password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send confirmation email
$subject = "Password reset confirmation for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Your password for your account on $company_name's ITFlow Client Portal was successfully reset. You should be all set! <br><br><b>If you didn't reset your password, please get in touch ASAP.</b><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
// Redirect to login page
$_SESSION['login_message'] = "Password reset successfully!";
header("Location: login.php");
exit();
} else {
$_SESSION['login_message'] = WORDING_ERROR;
}
if(!isset($_POST['new_password']) || !isset($_POST['email']) || !isset($_POST['token']) || !isset($_POST['client'])) {
$_SESSION['login_message'] = WORDING_ERROR;
}
$token = strip_tags(mysqli_real_escape_string($mysqli, $_POST['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_POST['client'])));
// Query user
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
$contact_id = $contact_row['contact_id'];
$name = $contact_row['contact_name'];
$company = $contact_row['company_id'];
// Ensure the token is correct
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) {
// Set password, invalidate token, logging
$password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send confirmation email
$subject = "Password reset confirmation for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Your password for your account on $company_name's ITFlow Client Portal was successfully reset. You should be all set! <br><br><b>If you didn't reset your password, please get in touch ASAP.</b><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
// Redirect to login page
$_SESSION['login_message'] = "Password reset successfully!";
header("Location: login.php");
exit();
} else {
$_SESSION['login_message'] = WORDING_ERROR;
}
}
}
@ -143,110 +142,110 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $company_name; ?> | Password Reset</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $company_name; ?> | Password Reset</title>
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex">
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex">
<!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
<!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
</head>
<body class="hold-transition login-page">
<div class="login-box">
<div class="login-logo"><b><?=$company_name?></b> <br>Password Reset</h2></div>
<div class="card">
<div class="card-body login-card-body">
<div class="login-logo"><b><?=$company_name?></b> <br>Password Reset</h2></div>
<div class="card">
<div class="card-body login-card-body">
<form method="post">
<form method="post">
<?php
/*
* Password reset form
*/
if (isset($_GET['token']) && isset($_GET['email']) && isset($_GET['client'])) {
<?php
/*
* Password reset form
*/
if (isset($_GET['token']) && isset($_GET['email']) && isset($_GET['client'])) {
$token = strip_tags(mysqli_real_escape_string($mysqli, $_GET['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_GET['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_GET['client'])));
$token = strip_tags(mysqli_real_escape_string($mysqli, $_GET['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_GET['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_GET['client'])));
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
// Sanity check
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) { ?>
// Sanity check
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) { ?>
<div class="input-group mb-3">
<input type="password" class="form-control" placeholder="New Password" name="new_password" required minlength="8">
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-lock"></span>
</div>
</div>
</div>
<div class="input-group mb-3">
<input type="password" class="form-control" placeholder="New Password" name="new_password" required minlength="8">
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-lock"></span>
</div>
</div>
</div>
<input type="hidden" name="token" value="<?=$token?>">
<input type="hidden" name="email" value="<?=$email?>">
<input type="hidden" name="client" value="<?=$client?>">
<input type="hidden" name="token" value="<?=$token?>">
<input type="hidden" name="email" value="<?=$email?>">
<input type="hidden" name="client" value="<?=$client?>">
<button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_set_password">Reset password</button>
<button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_set_password">Reset password</button>
<?php } else {
<?php } else {
$_SESSION['login_message'] = WORDING_ERROR;
$_SESSION['login_message'] = WORDING_ERROR;
}
}
/*
* Else: Just show the form to request a reset token email
*/
} else { ?>
/*
* Else: Just show the form to request a reset token email
*/
} else { ?>
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Registered Client Email" name="email" required autofocus>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-envelope"></span>
</div>
</div>
</div>
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Registered Client Email" name="email" required autofocus>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-envelope"></span>
</div>
</div>
</div>
<button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_email_request">Reset my password</button>
<button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_email_request">Reset my password</button>
<?php }
?>
<?php }
?>
</form>
</form>
<p class="login-box-msg text-danger">
<?php
// Show feedback from session
if(!empty($_SESSION['login_message'])){
echo $_SESSION['login_message'];
unset($_SESSION['login_message']);
}
?>
</p>
<p class="login-box-msg text-danger">
<?php
// Show feedback from session
if (!empty($_SESSION['login_message'])) {
echo $_SESSION['login_message'];
unset($_SESSION['login_message']);
}
?>
</p>
<a href="login.php">Back to login</a>
<a href="login.php">Back to login</a>
</div>
<!-- /.login-card-body -->
</div>
<!-- /.login-card-body -->
</div>
<!-- /.div.card -->
<!-- /.div.card -->
</div>
<!-- /.login-box -->
@ -262,10 +261,10 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
<!-- Prevents resubmit on refresh or back -->
<script>
if(window.history.replaceState){
if (window.history.replaceState) {
window.history.replaceState(null,null,window.location.href);
}
</script>
</body>
</html>
</html>

44
portal/portal_functions.php
View File

@ -7,32 +7,32 @@
/*
* Verifies a contact has access to a particular ticket ID, and that the ticket is in the correct state (open/closed) to perform an action
*/
function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state){
function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state) {
// Access the global variables
global $mysqli, $session_contact_id, $session_client_primary_contact_id, $session_client_id;
// Access the global variables
global $mysqli, $session_contact_id, $session_client_primary_contact_id, $session_client_id;
// Setup
if($expected_ticket_state == "Closed"){
// Closed tickets
$ticket_state_snippet = "ticket_status = 'Closed'";
}
else{
// Open (working/hold) tickets
$ticket_state_snippet = "ticket_status != 'Closed'";
}
// Setup
if ($expected_ticket_state == "Closed") {
// Closed tickets
$ticket_state_snippet = "ticket_status = 'Closed'";
}
else {
// Open (working/hold) tickets
$ticket_state_snippet = "ticket_status != 'Closed'";
}
// Verify the contact has access to the provided ticket ID
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND $ticket_state_snippet AND ticket_client_id = '$session_client_id' LIMIT 1");
$row = mysqli_fetch_array($sql);
$ticket_id = $row['ticket_id'];
// Verify the contact has access to the provided ticket ID
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND $ticket_state_snippet AND ticket_client_id = '$session_client_id' LIMIT 1");
$row = mysqli_fetch_array($sql);
$ticket_id = $row['ticket_id'];
if(intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id)) {
// Client is ticket owner, or primary contact
return TRUE;
}
if (intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id)) {
// Client is ticket owner, or primary contact
return TRUE;
}
// Client is NOT ticket owner or primary contact
return FALSE;
// Client is NOT ticket owner or primary contact
return FALSE;
}

88
portal/portal_header.php
View File

@ -8,61 +8,61 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $config_app_name; ?> | Client Portal - Tickets</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $config_app_name; ?> | Client Portal - Tickets</title>
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex">
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex">
<!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
<!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
</head>
<!-- Navbar -->
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<div class="container">
<a class="navbar-brand" href="index.php"><?php echo $config_app_name ?></a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="container">
<a class="navbar-brand" href="index.php"><?php echo $config_app_name ?></a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav mr-auto">
<li class="nav-item <?php if(basename($_SERVER['PHP_SELF']) == "index.php") {echo "active";} ?>">
<a class="nav-link" href="index.php">Home</a>
</li>
<?php if($session_contact_id == $session_client_primary_contact_id) { ?>
<li class="nav-item">
<a class="nav-link" href="ticket_view_all.php">All Tickets</a>
</li>
<?php } ?>
<li class="nav-item">
<a class="nav-link" href="ticket_add.php">New Ticket</a>
</li>
</ul>
<ul class="nav navbar-nav pull-right">
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<?php echo $session_contact_name ?>
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="profile.php">Profile</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item" href="portal_post.php?logout">Logout</a>
</div>
</li>
</ul>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav mr-auto">
<li class="nav-item <?php if (basename($_SERVER['PHP_SELF']) == "index.php") {echo "active";} ?>">
<a class="nav-link" href="index.php">Home</a>
</li>
<?php if ($session_contact_id == $session_client_primary_contact_id) { ?>
<li class="nav-item">
<a class="nav-link" href="ticket_view_all.php">All Tickets</a>
</li>
<?php } ?>
<li class="nav-item">
<a class="nav-link" href="ticket_add.php">New Ticket</a>
</li>
</ul>
<ul class="nav navbar-nav pull-right">
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<?php echo $session_contact_name ?>
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="profile.php">Profile</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item" href="portal_post.php?logout">Logout</a>
</div>
</li>
</ul>
</div>
</div>
</div>
</nav>
<br>

257
portal/portal_post.php
View File

@ -6,156 +6,151 @@
require_once("inc_portal.php");
if(isset($_POST['add_ticket'])){
if (isset($_POST['add_ticket'])) {
// Get ticket prefix/number
$sql_settings = mysqli_query($mysqli,"SELECT * FROM settings WHERE company_id = $session_company_id");
$row = mysqli_fetch_array($sql_settings);
$config_ticket_prefix = $row['config_ticket_prefix'];
$config_ticket_next_number = $row['config_ticket_next_number'];
// Get ticket prefix/number
$sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = $session_company_id");
$row = mysqli_fetch_array($sql_settings);
$config_ticket_prefix = $row['config_ticket_prefix'];
$config_ticket_next_number = $row['config_ticket_next_number'];
// HTML Purifier
require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
// HTML Purifier
require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
$client_id = $session_client_id;
$contact = $session_contact_id;
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject'])));
$details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['details'])))));
$client_id = $session_client_id;
$contact = $session_contact_id;
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['subject'])));
$details = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['details'])))));
// Ensure priority is low/med/high (as can be user defined)
if($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High"){
$priority = "Low";
}
else{
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority'])));
}
// Get the next Ticket Number and add 1 for the new ticket number
$ticket_number = $config_ticket_next_number;
$new_config_ticket_next_number = $config_ticket_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id");
mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
$id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");
header("Location: ticket.php?id=" . $id);
}
if(isset($_POST['add_ticket_comment'])){
// HTML Purifier
require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
$ticket_id = intval($_POST['ticket_id']);
// Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
// In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
// So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
$comment = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
// After stripping bad HTML, check the comment isn't just empty
if(empty($comment)){
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
// Verify the contact has access to the provided ticket ID
if(verifyContactTicketAccess($ticket_id, "Open")) {
// Add the comment
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
// Update Ticket Last Response Field & set ticket to open as client has replied
mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
}
if(isset($_POST['add_ticket_feedback'])){
$ticket_id = intval($_POST['ticket_id']);
$feedback = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['add_ticket_feedback'])));
// Verify the contact has access to the provided ticket ID
if(verifyContactTicketAccess($ticket_id, "Closed")) {
// Add feedback
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
// Notify on bad feedback
if($feedback == "Bad"){
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
// Ensure priority is low/med/high (as can be user defined)
if ($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High") {
$priority = "Low";
} else {
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['priority'])));
}
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
// Get the next Ticket Number and add 1 for the new ticket number
$ticket_number = $config_ticket_next_number;
$new_config_ticket_next_number = $config_ticket_next_number + 1;
mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id");
mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
$id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");
header("Location: ticket.php?id=" . $id);
}
if(isset($_GET['close_ticket'])){
$ticket_id = intval($_GET['close_ticket']);
if (isset($_POST['add_ticket_comment'])) {
// HTML Purifier
require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
// Verify the contact has access to the provided ticket ID
if(verifyContactTicketAccess($ticket_id, "Open")) {
$ticket_id = intval($_POST['ticket_id']);
// Close ticket
mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'");
// Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
// In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
// So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
$comment = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
// Add reply
mysqli_query($mysqli,"INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id");
// After stripping bad HTML, check the comment isn't just empty
if (empty($comment)) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id");
// Verify the contact has access to the provided ticket ID
if (verifyContactTicketAccess($ticket_id, "Open")) {
header("Location: ticket.php?id=" . $ticket_id);
}
else {
// The client does not have access to this ticket
// This is only a GET request, might just be a mistake
header("Location: index.php");
exit();
}
// Add the comment
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
// Update Ticket Last Response Field & set ticket to open as client has replied
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
} else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
}
if(isset($_GET['logout'])){
setcookie("PHPSESSID", '', time() - 3600, "/");
unset($_COOKIE['PHPSESSID']);
if (isset($_POST['add_ticket_feedback'])) {
$ticket_id = intval($_POST['ticket_id']);
$feedback = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['add_ticket_feedback'])));
session_unset();
session_destroy();
// Verify the contact has access to the provided ticket ID
if (verifyContactTicketAccess($ticket_id, "Closed")) {
// Add feedback
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
// Notify on bad feedback
if ($feedback == "Bad") {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
}
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
} else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
header('Location: login.php');
}
if(isset($_POST['edit_profile'])){
$new_password = $_POST['new_password'];
if(!empty($new_password)){
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
if (isset($_GET['close_ticket'])) {
$ticket_id = intval($_GET['close_ticket']);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $session_client_id, company_id = $session_company_id");
}
header('Location: index.php');
// Verify the contact has access to the provided ticket ID
if (verifyContactTicketAccess($ticket_id, "Open")) {
// Close ticket
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id");
header("Location: ticket.php?id=" . $ticket_id);
} else {
// The client does not have access to this ticket - send them home
header("Location: index.php");
exit();
}
}
if (isset($_GET['logout'])) {
setcookie("PHPSESSID", '', time() - 3600, "/");
unset($_COOKIE['PHPSESSID']);
session_unset();
session_destroy();
header('Location: login.php');
}
if (isset($_POST['edit_profile'])) {
$new_password = $_POST['new_password'];
if (!empty($new_password)) {
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $session_client_id, company_id = $session_company_id");
}
header('Location: index.php');
}

40
portal/profile.php
View File

@ -12,30 +12,30 @@ require('inc_portal.php');
<p>Name: <?php echo $session_contact_name ?></p>
<p>Email: <?php echo $session_contact_email ?></p>
<p>Client: <?php echo $session_client_name ?></p>
<p>Client Primary Contact: <?php if($session_client_primary_contact_id == $session_contact_id) {echo "Yes"; } else {echo "No";} ?></p>
<p>Client Primary Contact: <?php if ($session_client_primary_contact_id == $session_contact_id) {echo "Yes"; } else {echo "No";} ?></p>
<p>Login via: <?php echo $_SESSION['login_method'] ?> </p>
<!-- // Show option to change password if auth provider is local -->
<?php if($_SESSION['login_method'] == 'local'): ?>
<hr>
<div class="col-md-6">
<h4>Password</h4>
<form action="portal_post.php" method="post" autocomplete="off">
<div class="form-group">
<label>New Password</label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
</div>
<input type="password" class="form-control" minlength="6" required data-toggle="password" name="new_password" placeholder="Leave blank for no change" autocomplete="new-password">
</div>
</div>
<button type="submit" name="edit_profile" class="btn btn-primary mt-3"><i class="fa fa-fw fa-check"></i> Save password</button>
</form>
</div>
<!-- // Show option to change password if auth provider is local -->
<?php if ($_SESSION['login_method'] == 'local'): ?>
<hr>
<div class="col-md-6">
<h4>Password</h4>
<form action="portal_post.php" method="post" autocomplete="off">
<div class="form-group">
<label>New Password</label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
</div>
<input type="password" class="form-control" minlength="6" required data-toggle="password" name="new_password" placeholder="Leave blank for no change" autocomplete="new-password">
</div>
</div>
<button type="submit" name="edit_profile" class="btn btn-primary mt-3"><i class="fa fa-fw fa-check"></i> Save password</button>
</form>
</div>
<?php endif ?>
<?php
include('portal_footer.php');
require_once('portal_footer.php');

239
portal/ticket.php
View File

@ -6,160 +6,157 @@
require_once("inc_portal.php");
if(isset($_GET['id']) && intval($_GET['id'])) {
$ticket_id = intval($_GET['id']);
if (isset($_GET['id']) && intval($_GET['id'])) {
$ticket_id = intval($_GET['id']);
if($session_contact_id == $session_client_primary_contact_id){
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'");
}
else{
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'");
}
if ($session_contact_id == $session_client_primary_contact_id) {
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'");
} else {
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'");
}
$ticket = mysqli_fetch_array($ticket_sql);
$ticket = mysqli_fetch_array($ticket_sql);
if ($ticket) {
?>
<nav class="navbar navbar-dark bg-dark">
<i class="fas fa-fw fa-ticket-alt text-secondary"></i> <a class="navbar-brand">Ticket <?php echo $ticket['ticket_prefix'], $ticket['ticket_number'] ?></a>
<span class="navbar-text">
if ($ticket) {
?>
<nav class="navbar navbar-dark bg-dark">
<i class="fas fa-fw fa-ticket-alt text-secondary"></i> <a class="navbar-brand">Ticket <?php echo $ticket['ticket_prefix'], $ticket['ticket_number'] ?></a>
<span class="navbar-text">
<?php
if($ticket['ticket_status'] !== "Closed"){ ?>
<button class="btn btn-sm btn-outline-success my-2 my-sm-0 form-inline my-2 my-lg-0" type="submit"><a href="portal_post.php?close_ticket=<?php echo $ticket_id; ?>"><i class="fas fa-fw fa-check text-secondary text-success"></i> Close ticket</a></button>
<?php } ?>
if ($ticket['ticket_status'] !== "Closed") { ?>
<button class="btn btn-sm btn-outline-success my-2 my-sm-0 form-inline my-2 my-lg-0" type="submit"><a href="portal_post.php?close_ticket=<?php echo $ticket_id; ?>"><i class="fas fa-fw fa-check text-secondary text-success"></i> Close ticket</a></button>
<?php } ?>
</span>
</nav>
<div class="card">
<div class="card-header">
<h3 class="card-title"><b>Subject:</b> <?php echo $ticket['ticket_subject'] ?></h3>
</div>
<div class="card-body">
<p>
<b>State:</b> <?php echo $ticket['ticket_status'] ?>
<br>
<b>Priority:</b> <?php echo $ticket['ticket_priority'] ?>
</p>
<b>Issue:</b> <?php echo $ticket['ticket_details'] ?>
</div>
</div>
</nav>
<!-- Either show the reply comments box, ticket smiley feedback, or thanks for feedback -->
<div class="card">
<div class="card-header">
<h3 class="card-title"><b>Subject:</b> <?php echo $ticket['ticket_subject'] ?></h3>
</div>
<div class="card-body">
<p>
<b>State:</b> <?php echo $ticket['ticket_status'] ?>
<br>
<b>Priority:</b> <?php echo $ticket['ticket_priority'] ?>
</p>
<b>Issue:</b> <?php echo $ticket['ticket_details'] ?>
</div>
</div>
<?php if($ticket['ticket_status'] !== "Closed") { ?>
<div class="form-group">
<form action="portal_post.php" method="post">
<div class="form-group">
<textarea class="form-control" name="comment" placeholder="Add comments.."></textarea>
</div>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary" name="add_ticket_comment">Save reply</button>
</form>
</div>
<?php }
elseif(empty($ticket['ticket_feedback'])) { ?>
<!-- Either show the reply comments box, ticket smiley feedback, or thanks for feedback -->
<h4>Rate your ticket</h4>
<?php if ($ticket['ticket_status'] !== "Closed") { ?>
<div class="form-group">
<form action="portal_post.php" method="post">
<div class="form-group">
<textarea class="form-control" name="comment" placeholder="Add comments.."></textarea>
</div>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary" name="add_ticket_comment">Save reply</button>
</form>
</div>
<?php }
<form action="portal_post.php" method="post">
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
elseif (empty($ticket['ticket_feedback'])) { ?>
<button type="submit" class="btn btn-primary btn-lg" name="add_ticket_feedback" value="Good" onclick="this.form.submit()">
<span class="fa fa-smile" aria-hidden="true"></span> Good
</button>
<h4>Rate your ticket</h4>
<button type="submit" class="btn btn-danger btn-lg" name="add_ticket_feedback" value="Bad" onclick="this.form.submit()">
<span class="fa fa-frown" aria-hidden="true"></span> Bad
</button>
</form>
<form action="portal_post.php" method="post">
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<?php }
<button type="submit" class="btn btn-primary btn-lg" name="add_ticket_feedback" value="Good" onclick="this.form.submit()">
<span class="fa fa-smile" aria-hidden="true"></span> Good
</button>
else{ ?>
<button type="submit" class="btn btn-danger btn-lg" name="add_ticket_feedback" value="Bad" onclick="this.form.submit()">
<span class="fa fa-frown" aria-hidden="true"></span> Bad
</button>
</form>
<h4>Rated <?php echo $ticket['ticket_feedback'] ?> -- Thanks for your feedback!</h4>
<?php }
<?php } ?>
else { ?>
<!-- End comments/feedback -->
<h4>Rated <?php echo $ticket['ticket_feedback'] ?> -- Thanks for your feedback!</h4>
<hr><br>
<?php } ?>
<?php
$sql = mysqli_query($mysqli,"SELECT * FROM ticket_replies LEFT JOIN users ON ticket_reply_by = user_id LEFT JOIN contacts ON ticket_reply_by = contact_id WHERE ticket_reply_ticket_id = $ticket_id AND ticket_reply_archived_at IS NULL AND ticket_reply_type != 'Internal' ORDER BY ticket_reply_id DESC");
<!-- End comments/feedback -->
while($row = mysqli_fetch_array($sql)){
$ticket_reply_id = $row['ticket_reply_id'];
$ticket_reply = $row['ticket_reply'];
$ticket_reply_created_at = $row['ticket_reply_created_at'];
$ticket_reply_updated_at = $row['ticket_reply_updated_at'];
$ticket_reply_by = $row['ticket_reply_by'];
$ticket_reply_type = $row['ticket_reply_type'];
<hr><br>
if($ticket_reply_type == "Client"){
$ticket_reply_by_display = $row['contact_name'];
$user_initials = initials($row['contact_name']);
$user_avatar = $row['contact_photo'];
$avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
}
else{
$ticket_reply_by_display = $row['user_name'];
$user_id = $row['user_id'];
$user_avatar = $row['user_avatar'];
$user_initials = initials($row['user_name']);
$avatar_link = "../uploads/users/$user_id/$user_avatar";
}
?>
<?php
$sql = mysqli_query($mysqli, "SELECT * FROM ticket_replies LEFT JOIN users ON ticket_reply_by = user_id LEFT JOIN contacts ON ticket_reply_by = contact_id WHERE ticket_reply_ticket_id = $ticket_id AND ticket_reply_archived_at IS NULL AND ticket_reply_type != 'Internal' ORDER BY ticket_reply_id DESC");
<div class="card card-outline <?php if($ticket_reply_type == 'Client') {echo "card-warning"; } else{ echo "card-info"; } ?> mb-3">
<div class="card-header">
<h3 class="card-title">
<div class="media">
<?php if(!empty($user_avatar)){ ?>
<img src="<?php echo $avatar_link ?>" alt="User Avatar" class="img-size-50 mr-3 img-circle">
<?php }else{ ?>
<span class="fa-stack fa-2x">
while ($row = mysqli_fetch_array($sql)) {
$ticket_reply_id = $row['ticket_reply_id'];
$ticket_reply = $row['ticket_reply'];
$ticket_reply_created_at = $row['ticket_reply_created_at'];
$ticket_reply_updated_at = $row['ticket_reply_updated_at'];
$ticket_reply_by = $row['ticket_reply_by'];
$ticket_reply_type = $row['ticket_reply_type'];
if ($ticket_reply_type == "Client") {
$ticket_reply_by_display = $row['contact_name'];
$user_initials = initials($row['contact_name']);
$user_avatar = $row['contact_photo'];
$avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
} else {
$ticket_reply_by_display = $row['user_name'];
$user_id = $row['user_id'];
$user_avatar = $row['user_avatar'];
$user_initials = initials($row['user_name']);
$avatar_link = "../uploads/users/$user_id/$user_avatar";
}
?>
<div class="card card-outline <?php if ($ticket_reply_type == 'Client') { echo "card-warning"; } else { echo "card-info"; } ?> mb-3">
<div class="card-header">
<h3 class="card-title">
<div class="media">
<?php if (!empty($user_avatar)) { ?>
<img src="<?php echo $avatar_link ?>" alt="User Avatar" class="img-size-50 mr-3 img-circle">
<?php } else { ?>
<span class="fa-stack fa-2x">
<i class="fa fa-circle fa-stack-2x text-secondary"></i>
<span class="fa fa-stack-1x text-white"><?php echo $user_initials; ?></span>
</span>
<?php
}
?>
<?php
}
?>
<div class="media-body">
<?php echo $ticket_reply_by_display; ?>
<br>
<small class="text-muted"><?php echo $ticket_reply_created_at; ?> <?php if(!empty($ticket_reply_updated_at)){ echo "(edited: $ticket_reply_updated_at)"; } ?></small>
</div>
<div class="media-body">
<?php echo $ticket_reply_by_display; ?>
<br>
<small class="text-muted"><?php echo $ticket_reply_created_at; ?> <?php if (!empty($ticket_reply_updated_at)) { echo "(edited: $ticket_reply_updated_at)"; } ?></small>
</div>
</div>
</h3>
</div>
<div class="card-body">
<?php echo $ticket_reply; ?>
</div>
</div>
</h3>
</div>
<div class="card-body">
<?php echo $ticket_reply; ?>
</div>
</div>
<?php
<?php
}
?>
<?php
} else {
echo "Ticket ID not found!";
}
?>
<?php
}
else{
echo "Ticket ID not found!";
}
}
else{
header("Location: index.php");
} else {
header("Location: index.php");
}
require_once("portal_footer.php");

72
portal/ticket_add.php
View File

@ -7,44 +7,44 @@
require('inc_portal.php');
?>
<h2>Raise a new ticket</h2>
<h2>Raise a new ticket</h2>
<div class="col-8">
<form action="portal_post.php" method="post">
<div class="col-8">
<form action="portal_post.php" method="post">
<div class="form-group">
<label>Subject <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-tag"></i></span>
</div>
<input type="text" class="form-control" name="subject" placeholder="Subject" required>
</div>
<div class="form-group">
<label>Subject <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-tag"></i></span>
</div>
<input type="text" class="form-control" name="subject" placeholder="Subject" required>
</div>
</div>
<div class="form-group">
<label>Priority <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-thermometer-half"></i></span>
</div>
<select class="form-control select2" name="priority" required>
<option>Low</option>
<option>Medium</option>
<option>High</option>
</select>
</div>
</div>
<div class="form-group">
<label>Details <strong class="text-danger">*</strong></label>
<textarea class="form-control" rows="4" name="details" required></textarea>
</div>
<button class="btn btn-primary" name="add_ticket">Raise ticket</button>
</form>
</div>
<div class="form-group">
<label>Priority <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-thermometer-half"></i></span>
</div>
<select class="form-control select2" name="priority" required>
<option>Low</option>
<option>Medium</option>
<option>High</option>
</select>
</div>
</div>
<div class="form-group">
<label>Details <strong class="text-danger">*</strong></label>
<textarea class="form-control" rows="4" name="details" required></textarea>
</div>
<button class="btn btn-primary" name="add_ticket">Raise ticket</button>
</form>
</div>
<?php
include('portal_footer.php');
require_once('portal_footer.php');

96
portal/ticket_view_all.php
View File

@ -6,67 +6,67 @@
require('inc_portal.php');
if($session_contact_id !== $session_client_primary_contact_id){
header("Location: portal_post.php?logout");
exit();
if ($session_contact_id !== $session_client_primary_contact_id) {
header("Location: portal_post.php?logout");
exit();
}
// Ticket status from GET
if (!isset($_GET['status'])) {
// If nothing is set, assume we only want to see open tickets
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
// If nothing is set, assume we only want to see open tickets
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Open') {
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
$status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Closed') {
$status = 'Closed';
$ticket_status_snippet = "ticket_status = 'Closed'";
$status = 'Closed';
$ticket_status_snippet = "ticket_status = 'Closed'";
} else {
$status = '%';
$ticket_status_snippet = "ticket_status LIKE '%'";
$status = '%';
$ticket_status_snippet = "ticket_status LIKE '%'";
}
$all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC");
?>
<h2>All tickets</h2>
<div class="col-md-2">
<div class="form-group">
<form method="get">
<label>Ticket Status</label>
<select class="form-control" name="status" onchange="this.form.submit()">
<option value="%" <?php if($status == "%"){echo "selected";}?> >Any</option>
<option value="Open" <?php if($status == "Open"){echo "selected";}?> >Open</option>
<option value="Closed" <?php if($status == "Closed"){echo "selected";}?> >Closed</option>
</select>
</form>
<h2>All tickets</h2>
<div class="col-md-2">
<div class="form-group">
<form method="get">
<label>Ticket Status</label>
<select class="form-control" name="status" onchange="this.form.submit()">
<option value="%" <?php if ($status == "%") {echo "selected";}?> >Any</option>
<option value="Open" <?php if ($status == "Open") {echo "selected";}?> >Open</option>
<option value="Closed" <?php if ($status == "Closed") {echo "selected";}?> >Closed</option>
</select>
</form>
</div>
</div>
</div>
<table class="table">
<thead>
<tr>
<th scope="col">#</th>
<th scope="col">Subject</th>
<th scope="col">Contact</th>
<th scope="col">Status</th>
</tr>
</thead>
<tbody>
<table class="table">
<thead>
<tr>
<th scope="col">#</th>
<th scope="col">Subject</th>
<th scope="col">Contact</th>
<th scope="col">Status</th>
</tr>
</thead>
<tbody>
<?php
while($ticket = mysqli_fetch_array($all_tickets)){
echo "<tr>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_id]</a></td>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
echo "<td>$ticket[contact_name]</td>";
echo "<td>$ticket[ticket_status]</td>";
echo "</tr>";
}
?>
</tbody>
</table>
</div>
<?php
while ($ticket = mysqli_fetch_array($all_tickets)) {
echo "<tr>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_id]</a></td>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
echo "<td>$ticket[contact_name]</td>";
echo "<td>$ticket[ticket_status]</td>";
echo "</tr>";
}
?>
</tbody>
</table>
</div>
<?php
include('portal_footer.php');
require_once('portal_footer.php');

1
uploads/clients/index.php
View File

@ -0,0 +1 @@

1
uploads/expenses/index.php
View File

@ -0,0 +1 @@

1
uploads/index.php
View File

@ -0,0 +1 @@

1
uploads/settings/index.php
View File

@ -0,0 +1 @@

1
uploads/tmp/index.php
View File

@ -0,0 +1 @@

1
uploads/users/index.php
View File

@ -0,0 +1 @@