AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #545 from wrongecho/tidy 

Code Style Tidying
This commit is contained in:
Johnny 2023-01-01 15:56:34 -05:00 committed by GitHub
parent 94d8ec5360 dd00f48e5b
commit 3fd62cd16e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
43 changed files with 1552 additions and 1561 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

362
ajax.php
View File

@ -6,161 +6,159 @@
* Always returns data in JSON format, unless otherwise specified * Always returns data in JSON format, unless otherwise specified
*/ */
include("config.php"); require_once("config.php");
include("functions.php"); require_once("functions.php");
include("check_login.php"); require_once("check_login.php");
require_once("rfc6238.php"); require_once("rfc6238.php");
/* /*
* Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key) * Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key)
*/ */
if(isset($_GET['certificate_fetch_parse_json_details'])){ if (isset($_GET['certificate_fetch_parse_json_details'])) {
// PHP doesn't appreciate attempting SSL sockets to non-existent domains // PHP doesn't appreciate attempting SSL sockets to non-existent domains
if(empty($_GET['domain'])){ if (empty($_GET['domain'])) {
exit(); exit();
} }
$domain = $_GET['domain']; $domain = $_GET['domain'];
// FQDNs in database shouldn't have a URL scheme, adding one // FQDNs in database shouldn't have a URL scheme, adding one
$domain = "https://".$domain; $domain = "https://".$domain;
// Parse host and port // Parse host and port
$url = parse_url($domain, PHP_URL_HOST); $url = parse_url($domain, PHP_URL_HOST);
$port = parse_url($domain, PHP_URL_PORT); $port = parse_url($domain, PHP_URL_PORT);
// Default port // Default port
if(!$port){ if (!$port) {
$port = "443"; $port = "443";
} }
// Get certificate (using verify peer false to allow for self-signed certs) // Get certificate (using verify peer false to allow for self-signed certs)
$socket = "ssl://$url:$port"; $socket = "ssl://$url:$port";
$get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE, "verify_peer" => FALSE,))); $get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE, "verify_peer" => FALSE,)));
$read = stream_socket_client($socket, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get); $read = stream_socket_client($socket, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get);
$cert = stream_context_get_params($read); $cert = stream_context_get_params($read);
$cert_public_key_obj = openssl_x509_parse($cert['options']['ssl']['peer_certificate']); $cert_public_key_obj = openssl_x509_parse($cert['options']['ssl']['peer_certificate']);
openssl_x509_export($cert['options']['ssl']['peer_certificate'], $export); openssl_x509_export($cert['options']['ssl']['peer_certificate'], $export);
// Process data // Process data
if($cert_public_key_obj){ if ($cert_public_key_obj) {
$response['success'] = "TRUE"; $response['success'] = "TRUE";
$response['expire'] = date('Y-m-d', $cert_public_key_obj['validTo_time_t']); $response['expire'] = date('Y-m-d', $cert_public_key_obj['validTo_time_t']);
$response['issued_by'] = strip_tags($cert_public_key_obj['issuer']['O']); $response['issued_by'] = strip_tags($cert_public_key_obj['issuer']['O']);
$response['public_key'] = $export; //nl2br $response['public_key'] = $export; //nl2br
} } else {
else{ $response['success'] = "FALSE";
$response['success'] = "FALSE"; }
}
echo json_encode($response); echo json_encode($response);
} }
/* /*
* Looks up info for a given certificate ID from the database, used to dynamically populate modal fields * Looks up info for a given certificate ID from the database, used to dynamically populate modal fields
*/ */
if(isset($_GET['certificate_get_json_details'])){ if (isset($_GET['certificate_get_json_details'])) {
validateTechRole(); validateTechRole();
$certificate_id = intval($_GET['certificate_id']); $certificate_id = intval($_GET['certificate_id']);
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
// Individual certificate lookup // Individual certificate lookup
$cert_sql = mysqli_query($mysqli,"SELECT * FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id"); $cert_sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id");
while($row = mysqli_fetch_array($cert_sql)){ while ($row = mysqli_fetch_array($cert_sql)) {
$response['certificate'][] = $row; $response['certificate'][] = $row;
} }
// Get all domains for this client that could be linked to this certificate // Get all domains for this client that could be linked to this certificate
$domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = '$client_id' AND company_id = '$session_company_id'"); $domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = '$client_id' AND company_id = '$session_company_id'");
while($row = mysqli_fetch_array($domains_sql)){ while ($row = mysqli_fetch_array($domains_sql)) {
$response['domains'][] = $row; $response['domains'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
/* /*
* Looks up info for a given domain ID from the database, used to dynamically populate modal fields * Looks up info for a given domain ID from the database, used to dynamically populate modal fields
*/ */
if(isset($_GET['domain_get_json_details'])){ if (isset($_GET['domain_get_json_details'])) {
validateTechRole(); validateTechRole();
$domain_id = intval($_GET['domain_id']); $domain_id = intval($_GET['domain_id']);
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
// Individual domain lookup // Individual domain lookup
$cert_sql = mysqli_query($mysqli,"SELECT * FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id"); $cert_sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id");
while($row = mysqli_fetch_array($cert_sql)){ while ($row = mysqli_fetch_array($cert_sql)) {
$response['domain'][] = $row; $response['domain'][] = $row;
} }
// Get all registrars/webhosts (vendors) for this client that could be linked to this domain // Get all registrars/webhosts (vendors) for this client that could be linked to this domain
$vendor_sql = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors WHERE vendor_client_id = $client_id"); $vendor_sql = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors WHERE vendor_client_id = $client_id");
while($row = mysqli_fetch_array($vendor_sql)){ while ($row = mysqli_fetch_array($vendor_sql)) {
$response['vendors'][] = $row; $response['vendors'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
/* /*
* Looks up info on the ticket number provided, used to populate the ticket merge modal * Looks up info on the ticket number provided, used to populate the ticket merge modal
*/ */
if(isset($_GET['merge_ticket_get_json_details'])){ if (isset($_GET['merge_ticket_get_json_details'])) {
validateTechRole(); validateTechRole();
$merge_into_ticket_number = intval($_GET['merge_into_ticket_number']); $merge_into_ticket_number = intval($_GET['merge_into_ticket_number']);
$sql = mysqli_query($mysqli,"SELECT * FROM tickets $sql = mysqli_query($mysqli, "SELECT * FROM tickets
LEFT JOIN clients ON ticket_client_id = client_id LEFT JOIN clients ON ticket_client_id = client_id
LEFT JOIN contacts ON ticket_contact_id = contact_id LEFT JOIN contacts ON ticket_contact_id = contact_id
WHERE ticket_number = '$merge_into_ticket_number' AND tickets.company_id = '$session_company_id'"); WHERE ticket_number = '$merge_into_ticket_number' AND tickets.company_id = '$session_company_id'");
if(mysqli_num_rows($sql) == 0){ if (mysqli_num_rows($sql) == 0) {
//Do nothing. //Do nothing.
} } else {
else { //Return ticket, client and contact details for the given ticket number
//Return ticket, client and contact details for the given ticket number $response = mysqli_fetch_array($sql);
$response = mysqli_fetch_array($sql); echo json_encode($response);
echo json_encode($response); }
}
} }
/* /*
* Looks up info for a given network ID from the database, used to dynamically populate modal fields * Looks up info for a given network ID from the database, used to dynamically populate modal fields
*/ */
if(isset($_GET['network_get_json_details'])){ if (isset($_GET['network_get_json_details'])) {
validateTechRole(); validateTechRole();
$network_id = intval($_GET['network_id']); $network_id = intval($_GET['network_id']);
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
// Individual network lookup // Individual network lookup
$network_sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_id = $network_id AND network_client_id = $client_id"); $network_sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = $network_id AND network_client_id = $client_id");
while($row = mysqli_fetch_array($network_sql)){ while ($row = mysqli_fetch_array($network_sql)) {
$response['network'][] = $row; $response['network'][] = $row;
} }
// Lookup all client locations, as networks can be associated with any client location // Lookup all client locations, as networks can be associated with any client location
$locations_sql = mysqli_query($mysqli, "SELECT location_id, location_name FROM locations $locations_sql = mysqli_query($mysqli, "SELECT location_id, location_name FROM locations
WHERE location_client_id = '$client_id' AND company_id = '$session_company_id'" WHERE location_client_id = '$client_id' AND company_id = '$session_company_id'"
); );
while($row = mysqli_fetch_array($locations_sql)){ while ($row = mysqli_fetch_array($locations_sql)) {
$response['locations'][] = $row; $response['locations'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
if(isset($_POST['client_set_notes'])){ if (isset($_POST['client_set_notes'])) {
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes']))); $notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes'])));
// Update notes // Update notes
mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'"); mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'");
// Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id");
} }
@ -169,10 +167,10 @@ if(isset($_POST['client_set_notes'])){
* Called upon loading a ticket, and every 2 mins thereafter * Called upon loading a ticket, and every 2 mins thereafter
* Is used in conjunction with ticket_query_views to show who is currently viewing a ticket * Is used in conjunction with ticket_query_views to show who is currently viewing a ticket
*/ */
if(isset($_GET['ticket_add_view'])){ if (isset($_GET['ticket_add_view'])) {
$ticket_id = intval($_GET['ticket_id']); $ticket_id = intval($_GET['ticket_id']);
mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = '$ticket_id', view_user_id = '$session_user_id', view_timestamp = NOW()"); mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = '$ticket_id', view_user_id = '$session_user_id', view_timestamp = NOW()");
} }
/* /*
@ -180,112 +178,112 @@ if(isset($_GET['ticket_add_view'])){
* Returns formatted text of the agents currently viewing a ticket * Returns formatted text of the agents currently viewing a ticket
* Called upon loading a ticket, and every 2 mins thereafter * Called upon loading a ticket, and every 2 mins thereafter
*/ */
if(isset($_GET['ticket_query_views'])){ if (isset($_GET['ticket_query_views'])) {
$ticket_id = intval($_GET['ticket_id']); $ticket_id = intval($_GET['ticket_id']);
$query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = '$ticket_id' AND view_user_id != '$session_user_id' AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)"); $query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = '$ticket_id' AND view_user_id != '$session_user_id' AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)");
while($row = mysqli_fetch_array($query)){ while ($row = mysqli_fetch_array($query)) {
$users[] = $row['user_name']; $users[] = $row['user_name'];
}
if(!empty($users)){
$users = array_unique($users);
if(count($users) > 1){
// Multiple viewers
$response['message'] = implode(", ", $users) . " are viewing this ticket.";
} }
else{
// Single viewer if (!empty($users)) {
$response['message'] = implode("", $users) . " is viewing this ticket."; $users = array_unique($users);
if (count($users) > 1) {
// Multiple viewers
$response['message'] = implode(", ", $users) . " are viewing this ticket.";
} else {
// Single viewer
$response['message'] = implode("", $users) . " is viewing this ticket.";
}
} else {
// No viewers
$response['message'] = "";
} }
}
else{ echo json_encode($response);
// No viewers
$response['message'] = "";
}
echo json_encode($response);
} }
/* /*
* Generates public/guest links for sharing logins/docs * Generates public/guest links for sharing logins/docs
*/ */
if(isset($_GET['share_generate_link'])){ if (isset($_GET['share_generate_link'])) {
validateTechRole(); validateTechRole();
$item_encrypted_credential = ''; // Default empty $item_encrypted_credential = ''; // Default empty
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type']))); $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type'])));
$item_id = intval($_GET['id']); $item_id = intval($_GET['id']);
$item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note']))); $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note'])));
$item_view_limit = intval($_GET['views']); $item_view_limit = intval($_GET['views']);
$item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires']))); $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
$item_key = bin2hex(random_bytes(78)); $item_key = bin2hex(random_bytes(78));
if($item_type == "Document"){ if ($item_type == "Document") {
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1")); $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1"));
$item_name = $row['document_name']; $item_name = $row['document_name'];
} }
if($item_type == "File"){ if ($item_type == "File") {
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1")); $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1"));
$item_name = $row['file_name']; $item_name = $row['file_name'];
} }
if($item_type == "Login"){ if ($item_type == "Login") {
$login = mysqli_query($mysqli, "SELECT login_name, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1"); $login = mysqli_query($mysqli, "SELECT login_name, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
$row = mysqli_fetch_array($login); $row = mysqli_fetch_array($login);
$item_name = $row['login_name']; $item_name = $row['login_name'];
// Decrypt & re-encrypt password for sharing // Decrypt & re-encrypt password for sharing
$login_password_cleartext = decryptLoginEntry($row['login_password']); $login_password_cleartext = decryptLoginEntry($row['login_password']);
$login_encryption_key = bin2hex(random_bytes(8)); $login_encryption_key = bin2hex(random_bytes(8));
$iv = bin2hex(random_bytes(8)); $iv = bin2hex(random_bytes(8));
$ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv); $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
$item_encrypted_credential = $iv . $ciphertext; $item_encrypted_credential = $iv . $ciphertext;
} }
// Insert entry into DB // Insert entry into DB
$sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'"); $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
$share_id = $mysqli->insert_id; $share_id = $mysqli->insert_id;
// Return URL // Return URL
if($item_type == "Login"){ if ($item_type == "Login") {
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key"; $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key";
} }
else{ else {
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key"; $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
} }
echo json_encode($url); echo json_encode($url);
// Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
} }
/* /*
* Looks up info for a given scheduled ticket ID from the database, used to dynamically populate modal edit fields * Looks up info for a given scheduled ticket ID from the database, used to dynamically populate modal edit fields
*/ */
if(isset($_GET['scheduled_ticket_get_json_details'])){ if (isset($_GET['scheduled_ticket_get_json_details'])) {
validateTechRole(); validateTechRole();
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$ticket_id = intval($_GET['ticket_id']); $ticket_id = intval($_GET['ticket_id']);
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets $ticket_sql = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets
WHERE scheduled_ticket_id = $ticket_id WHERE scheduled_ticket_id = $ticket_id
AND scheduled_ticket_client_id = $client_id LIMIT 1"); AND scheduled_ticket_client_id = $client_id LIMIT 1");
while($row = mysqli_fetch_array($ticket_sql)){ while ($row = mysqli_fetch_array($ticket_sql)) {
$response['ticket'][] = $row; $response['ticket'][] = $row;
} }
$asset_sql = mysqli_query($mysqli, "SELECT asset_id, asset_name FROM assets WHERE asset_client_id = $client_id AND asset_archived_at IS NULL"); $asset_sql = mysqli_query($mysqli, "SELECT asset_id, asset_name FROM assets WHERE asset_client_id = $client_id AND asset_archived_at IS NULL");
while($row = mysqli_fetch_array($asset_sql)){ while ($row = mysqli_fetch_array($asset_sql)) {
$response['assets'][] = $row; $response['assets'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
@ -293,8 +291,8 @@ if(isset($_GET['scheduled_ticket_get_json_details'])){
* Dynamic TOTP for client login page * Dynamic TOTP for client login page
* When provided with a TOTP secret, returns a 6-digit code * When provided with a TOTP secret, returns a 6-digit code
*/ */
if(isset($_GET['get_totp_token'])){ if (isset($_GET['get_totp_token'])) {
$otp = TokenAuth6238::getTokenCode($_GET['totp_secret']); $otp = TokenAuth6238::getTokenCode($_GET['totp_secret']);
echo json_encode($otp); echo json_encode($otp);
} }

154
api/v1/assets/create.php
View File

@ -1,107 +1,107 @@
<?php <?php
require('../validate_api_key.php');
require('../require_post_method.php'); require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse info // Parse info
// Variable assignment - assigning blank if a value is not provided // Variable assignment - assigning blank if a value is not provided
if(isset($_POST['asset_name'])){ if (isset($_POST['asset_name'])) {
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_name'])));
} else{ } else {
$name = ''; $name = '';
} }
if(isset($_POST['asset_type'])){ if (isset($_POST['asset_type'])) {
$type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_type']))); $type = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_type'])));
} else{ } else {
$type = ''; $type = '';
} }
if(isset($_POST['asset_make'])){ if (isset($_POST['asset_make'])) {
$make = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_make']))); $make = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_make'])));
} else{ } else {
$make = ''; $make = '';
} }
if(isset($_POST['asset_model'])){ if (isset($_POST['asset_model'])) {
$model = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_model']))); $model = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_model'])));
} else{ } else {
$model = ''; $model = '';
} }
if(isset($_POST['asset_serial'])){ if (isset($_POST['asset_serial'])) {
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_serial']))); $serial = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_serial'])));
} else{ } else {
$serial = ''; $serial = '';
} }
if(isset($_POST['asset_os'])){ if (isset($_POST['asset_os'])) {
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os']))); $os = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_os'])));
} else{ } else {
$os = ''; $os = '';
} }
if(isset($_POST['asset_ip'])){ if (isset($_POST['asset_ip'])) {
$aip = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_ip']))); $aip = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_ip'])));
} else{ } else {
$aip = ''; $aip = '';
} }
if(isset($_POST['asset_mac'])){ if (isset($_POST['asset_mac'])) {
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_mac']))); $mac = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_mac'])));
} else{ } else {
$mac = ''; $mac = '';
} }
if(isset($_POST['asset_purchase_date'])){ if (isset($_POST['asset_purchase_date'])) {
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_purchase_date']))); $purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_purchase_date'])));
} else{ } else {
$purchase_date = "0000-00-00"; $purchase_date = "0000-00-00";
} }
if(isset($_POST['asset_warranty_expire'])){ if (isset($_POST['asset_warranty_expire'])) {
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_warranty_expire']))); $warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_warranty_expire'])));
} else{ } else {
$warranty_expire = "0000-00-00"; $warranty_expire = "0000-00-00";
} }
if(isset($_POST['asset_install_date'])){ if (isset($_POST['asset_install_date'])) {
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_install_date']))); $install_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_install_date'])));
} else{ } else {
$install_date = "0000-00-00"; $install_date = "0000-00-00";
} }
if(isset($_POST['asset_notes'])){ if (isset($_POST['asset_notes'])) {
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_notes']))); $notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_notes'])));
} else{ } else {
$notes = ''; $notes = '';
} }
if(isset($_POST['asset_vendor_id'])){ if (isset($_POST['asset_vendor_id'])) {
$vendor = intval($_POST['asset_vendor_id']); $vendor = intval($_POST['asset_vendor_id']);
} else{ } else {
$vendor = '0'; $vendor = '0';
} }
if(isset($_POST['asset_location_id'])){ if (isset($_POST['asset_location_id'])) {
$location = intval($_POST['asset_location_id']); $location = intval($_POST['asset_location_id']);
} else{ } else {
$location = '0'; $location = '0';
} }
if(isset($_POST['asset_contact_id'])){ if (isset($_POST['asset_contact_id'])) {
$contact = intval($_POST['asset_contact_id']); $contact = intval($_POST['asset_contact_id']);
} else{ } else {
$contact = '0'; $contact = '0';
} }
if(isset($_POST['asset_network_id'])){ if (isset($_POST['asset_network_id'])) {
$network = intval($_POST['asset_network_id']); $network = intval($_POST['asset_network_id']);
} else{ } else {
$network = '0'; $network = '0';
} }
// Default // Default
$insert_id = FALSE; $insert_id = false;
if(!empty($name) && !empty($client_id)){ if (!empty($name) && !empty($client_id)) {
// Insert into Database // Insert into Database
$insert_sql = mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_created_at = NOW(), asset_network_id = $network, asset_client_id = $client_id, company_id = '$company_id'"); $insert_sql = mysqli_query($mysqli, "INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_created_at = NOW(), asset_network_id = $network, asset_client_id = $client_id, company_id = '$company_id'");
if($insert_sql){ if ($insert_sql) {
$insert_id = mysqli_insert_id($mysqli); $insert_id = mysqli_insert_id($mysqli);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
} }
} }
// Output // Output
include('../create_output.php'); require_once('../create_output.php');

28
api/v1/assets/delete.php
View File

@ -1,28 +1,28 @@
<?php <?php
require('../validate_api_key.php'); require_once('../validate_api_key.php');
require('../require_post_method.php'); require_once('../require_post_method.php');
// Parse ID // Parse ID
$asset_id = intval($_POST['asset_id']); $asset_id = intval($_POST['asset_id']);
// Default // Default
$delete_count = FALSE; $delete_count = false;
if(!empty($asset_id)){ if (!empty($asset_id)) {
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
$asset_name = $row['asset_name']; $asset_name = $row['asset_name'];
$delete_sql = mysqli_query($mysqli, "DELETE FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"); $delete_sql = mysqli_query($mysqli, "DELETE FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
// Check delete & get affected rows // Check delete & get affected rows
if($delete_sql && !empty($asset_name)){ if ($delete_sql && !empty($asset_name)) {
$delete_count = mysqli_affected_rows($mysqli); $delete_count = mysqli_affected_rows($mysqli);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Deleted', log_description = '$asset_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Deleted', log_description = '$asset_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
} }
} }
// Output // Output
include('../delete_output.php'); require_once('../delete_output.php');

40
api/v1/assets/read.php
View File

@ -1,42 +1,42 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Asset via ID (single) // Asset via ID (single)
if(isset($_GET['asset_id'])){ if (isset($_GET['asset_id'])) {
$id = intval($_GET['asset_id']); $id = intval($_GET['asset_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// Asset query via type // Asset query via type
elseif(isset($_GET['asset_type'])){ elseif (isset($_GET['asset_type'])) {
$type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type'])); $type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type']));
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
} }
// Asset query via name // Asset query via name
elseif(isset($_GET['asset_name'])){ elseif (isset($_GET['asset_name'])) {
$name = mysqli_real_escape_string($mysqli,$_GET['asset_name']); $name = mysqli_real_escape_string($mysqli, $_GET['asset_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
} }
// Asset query via serial // Asset query via serial
elseif(isset($_GET['asset_serial'])){ elseif (isset($_GET['asset_serial'])) {
$serial = mysqli_real_escape_string($mysqli,$_GET['asset_serial']); $serial = mysqli_real_escape_string($mysqli, $_GET['asset_serial']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
} }
// Asset query via client ID // Asset query via client ID
elseif(isset($_GET['client_id']) && $client_id == "%"){ elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
} }
// All assets // All assets
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

200
api/v1/assets/update.php
View File

@ -1,116 +1,116 @@
<?php <?php
require('../validate_api_key.php');
require('../require_post_method.php'); require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse ID // Parse ID
$asset_id = intval($_POST['asset_id']); $asset_id = intval($_POST['asset_id']);
// Default // Default
$update_count = FALSE; $update_count = false;
if(!empty($asset_id)){ if (!empty($asset_id)) {
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$asset_id' AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$asset_id' AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
// Variable assignment - assigning the current database value if a value is not provided // Variable assignment - assigning the current database value if a value is not provided
if(isset($_POST['asset_name'])){ if (isset($_POST['asset_name'])) {
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_name'])));
} else{ } else {
$name = $row['asset_name']; $name = $row['asset_name'];
} }
if(isset($_POST['asset_type'])){ if (isset($_POST['asset_type'])) {
$type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_type']))); $type = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_type'])));
} else{ } else {
$type = $row['asset_type']; $type = $row['asset_type'];
} }
if(isset($_POST['asset_make'])){ if (isset($_POST['asset_make'])) {
$make = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_make']))); $make = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_make'])));
} else{ } else {
$make = $row['asset_make']; $make = $row['asset_make'];
} }
if(isset($_POST['asset_model'])){ if (isset($_POST['asset_model'])) {
$model = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_model']))); $model = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_model'])));
} else{ } else {
$model = $row['asset_model']; $model = $row['asset_model'];
} }
if(isset($_POST['asset_serial'])){ if (isset($_POST['asset_serial'])) {
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_serial']))); $serial = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_serial'])));
} else{ } else {
$serial = $row['asset_serial']; $serial = $row['asset_serial'];
} }
if(isset($_POST['asset_os'])){ if (isset($_POST['asset_os'])) {
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os']))); $os = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_os'])));
} else{ } else {
$os = $row['asset_os']; $os = $row['asset_os'];
} }
if(isset($_POST['asset_os'])){ if (isset($_POST['asset_os'])) {
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os']))); $os = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_os'])));
} else{ } else {
$os = $row['asset_os']; $os = $row['asset_os'];
} }
if(isset($_POST['asset_ip'])){ if (isset($_POST['asset_ip'])) {
$aip = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_ip']))); $aip = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_ip'])));
} else{ } else {
$aip = $row['asset_ip']; $aip = $row['asset_ip'];
} }
if(isset($_POST['asset_mac'])){ if (isset($_POST['asset_mac'])) {
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_mac']))); $mac = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_mac'])));
} else{ } else {
$mac = $row['asset_mac']; $mac = $row['asset_mac'];
} }
if(isset($_POST['asset_purchase_date'])){ if (isset($_POST['asset_purchase_date'])) {
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_purchase_date']))); $purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_purchase_date'])));
} else{ } else {
$purchase_date = $row['asset_purchase_date']; $purchase_date = $row['asset_purchase_date'];
} }
if(isset($_POST['asset_warranty_expire'])){ if (isset($_POST['asset_warranty_expire'])) {
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_warranty_expire']))); $warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_warranty_expire'])));
} else{ } else {
$warranty_expire = $row['asset_warranty_expire']; $warranty_expire = $row['asset_warranty_expire'];
} }
if(isset($_POST['asset_install_date'])){ if (isset($_POST['asset_install_date'])) {
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_install_date']))); $install_date = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_install_date'])));
} else{ } else {
$install_date = $row['asset_install_date']; $install_date = $row['asset_install_date'];
} }
if(isset($_POST['asset_notes'])){ if (isset($_POST['asset_notes'])) {
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_notes']))); $notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['asset_notes'])));
} else{ } else {
$notes = $row['asset_notes']; $notes = $row['asset_notes'];
} }
if(isset($_POST['asset_vendor_id'])){ if (isset($_POST['asset_vendor_id'])) {
$vendor = intval($_POST['asset_vendor_id']); $vendor = intval($_POST['asset_vendor_id']);
} else{ } else {
$vendor = $row['asset_vendor_id']; $vendor = $row['asset_vendor_id'];
} }
if(isset($_POST['asset_location_id'])){ if (isset($_POST['asset_location_id'])) {
$location = intval($_POST['asset_location_id']); $location = intval($_POST['asset_location_id']);
} else{ } else {
$location = $row['asset_location_id']; $location = $row['asset_location_id'];
} }
if(isset($_POST['asset_contact_id'])){ if (isset($_POST['asset_contact_id'])) {
$contact = intval($_POST['asset_contact_id']); $contact = intval($_POST['asset_contact_id']);
} else{ } else {
$contact = $row['asset_contact_id']; $contact = $row['asset_contact_id'];
} }
if(isset($_POST['asset_network_id'])){ if (isset($_POST['asset_network_id'])) {
$network = intval($_POST['asset_network_id']); $network = intval($_POST['asset_network_id']);
} else{ } else {
$network = $row['asset_network_id']; $network = $row['asset_network_id'];
} }
$update_sql = mysqli_query($mysqli,"UPDATE assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_updated_at = NOW(), asset_network_id = $network WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"); $update_sql = mysqli_query($mysqli, "UPDATE assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_updated_at = NOW(), asset_network_id = $network WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
// Check insert & get insert ID // Check insert & get insert ID
if($update_sql){ if ($update_sql) {
$update_count = mysqli_affected_rows($mysqli); $update_count = mysqli_affected_rows($mysqli);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated asset $name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated asset $name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
} }
} }
// Output // Output
include('../update_output.php'); require_once('../update_output.php');

28
api/v1/certificates/read.php
View File

@ -1,30 +1,30 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific certificate via ID (single) // Specific certificate via ID (single)
if(isset($_GET['certificate_id'])){ if (isset($_GET['certificate_id'])) {
$id = intval($_GET['certificate_id']); $id = intval($_GET['certificate_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// Certificate by name // Certificate by name
elseif(isset($_GET['certificate_name'])){ elseif (isset($_GET['certificate_name'])) {
$name = mysqli_real_escape_string($mysqli,$_GET['certificate_name']); $name = mysqli_real_escape_string($mysqli, $_GET['certificate_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
} }
// Certificate via client ID (if allowed) // Certificate via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){ elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
} }
// All certificates // All certificates
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

22
api/v1/clients/read.php
View File

@ -1,24 +1,24 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific client via ID (single) // Specific client via ID (single)
if(isset($_GET['client_id'])){ if (isset($_GET['client_id'])) {
$id = intval($_GET['client_id']); $id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$id' AND client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$id' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// Specific client via name (single) // Specific client via name (single)
elseif(isset($_GET['client_name'])){ elseif (isset($_GET['client_name'])) {
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['client_name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['client_name'])));
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_name = '$name' AND client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_name = '$name' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// All clients // All clients
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY client_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY client_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

12
api/v1/contacts/contact_model.php
View File

@ -1,13 +1,13 @@
<?php <?php
define('number_regex', '/[^0-9]/'); define('number_regex', '/[^0-9]/');
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_name'])));
$title = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_title']))); $title = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_title'])));
$department = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_department']))); $department = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_department'])));
$phone = preg_replace(number_regex, '', $_POST['contact_phone']); $phone = preg_replace(number_regex, '', $_POST['contact_phone']);
$extension = preg_replace(number_regex, '', $_POST['contact_extension']); $extension = preg_replace(number_regex, '', $_POST['contact_extension']);
$mobile = preg_replace(number_regex, '', $_POST['contact_mobile']); $mobile = preg_replace(number_regex, '', $_POST['contact_mobile']);
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_email']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_email'])));
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_notes']))); $notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_notes'])));
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_auth_method']))); $auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['contact_auth_method'])));
$location_id = intval($_POST['contact_location_id']); $location_id = intval($_POST['contact_location_id']);

36
api/v1/contacts/create.php
View File

@ -1,34 +1,34 @@
<?php <?php
require('../validate_api_key.php');
require('../require_post_method.php'); require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse Info // Parse Info
include('contact_model.php'); require_once('contact_model.php');
// Default // Default
$insert_id = FALSE; $insert_id = FALSE;
if(!empty($name) && !empty($email) && !empty($client_id)){ if (!empty($name) && !empty($email) && !empty($client_id)) {
// Check contact with $email doesn't already exist // Check contact with $email doesn't already exist
$email_duplication_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id = '$client_id'"); $email_duplication_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id = '$client_id'");
if(mysqli_num_rows($email_duplication_sql) == 0){ if (mysqli_num_rows($email_duplication_sql) == 0) {
// Insert contact // Insert contact
$insert_sql = mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_created_at = NOW(), contact_department = '$department', contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id"); $insert_sql = mysqli_query($mysqli, "INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_created_at = NOW(), contact_department = '$department', contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id");
// Check insert & get insert ID
if ($insert_sql) {
$insert_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
}
// Check insert & get insert ID
if($insert_sql){
$insert_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
} }
}
} }
// Output // Output
include('../create_output.php'); require_once('../create_output.php');

26
api/v1/contacts/delete.php
View File

@ -1,7 +1,7 @@
<?php <?php
require('../validate_api_key.php');
require('../require_post_method.php'); require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse ID // Parse ID
$contact_id = intval($_POST['contact_id']); $contact_id = intval($_POST['contact_id']);
@ -9,20 +9,20 @@ $contact_id = intval($_POST['contact_id']);
// Default // Default
$delete_count = FALSE; $delete_count = FALSE;
if(!empty($contact_id)){ if (!empty($contact_id)) {
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
$contact_name = $row['contact_name']; $contact_name = $row['contact_name'];
$delete_sql = mysqli_query($mysqli, "DELETE FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1"); $delete_sql = mysqli_query($mysqli, "DELETE FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
// Check delete & get affected rows // Check delete & get affected rows
if($delete_sql && !empty($contact_name)){ if ($delete_sql && !empty($contact_name)) {
$delete_count = mysqli_affected_rows($mysqli); $delete_count = mysqli_affected_rows($mysqli);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Deleted', log_description = '$contact_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Deleted', log_description = '$contact_name via API ($api_key_name)', log_ip = '$ip', log_client_id = $client_id, company_id = $company_id");
} }
} }
// Output // Output
include('../delete_output.php'); require_once('../delete_output.php');

14
api/v1/contacts/read.php
View File

@ -1,24 +1,24 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific contact via ID (single) // Specific contact via ID (single)
if(isset($_GET['contact_id'])){ if (isset($_GET['contact_id'])) {
$id = intval($_GET['contact_id']); $id = intval($_GET['contact_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// Specific contact via email (single) // Specific contact via email (single)
elseif(isset($_GET['contact_email'])){ elseif (isset($_GET['contact_email'])) {
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['contact_email']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['contact_email'])));
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// All contacts // All contacts
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

26
api/v1/contacts/update.php
View File

@ -1,28 +1,28 @@
<?php <?php
require('../validate_api_key.php');
require('../require_post_method.php'); require_once('../validate_api_key.php');
require_once('../require_post_method.php');
// Parse Info // Parse Info
$contact_id = intval($_POST['contact_id']); $contact_id = intval($_POST['contact_id']);
include('contact_model.php'); require_once('contact_model.php');
// Default // Default
$update_count = FALSE; $update_count = FALSE;
if(!empty($name) && !empty($email)){ if (!empty($name) && !empty($email)) {
$update_sql = mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_updated_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id WHERE contact_id = $contact_id LIMIT 1"); $update_sql = mysqli_query($mysqli, "UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_updated_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id WHERE contact_id = $contact_id LIMIT 1");
// Check insert & get insert ID // Check insert & get insert ID
if($update_sql){ if ($update_sql) {
$update_count = mysqli_affected_rows($mysqli); $update_count = mysqli_affected_rows($mysqli);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
} }
} }
// Output // Output
include('../update_output.php'); require_once('../update_output.php');

20
api/v1/create_output.php
View File

@ -7,19 +7,19 @@
*/ */
// Check if the insert query was successful // Check if the insert query was successful
if(isset($insert_id) && is_numeric($insert_id)){ if (isset($insert_id) && is_numeric($insert_id)) {
// Insert successful // Insert successful
$return_arr['success'] = "True"; $return_arr['success'] = "True";
$return_arr['count'] = '1'; $return_arr['count'] = '1';
$return_arr['data'][] = [ $return_arr['data'][] = [
'insert_id' => $insert_id 'insert_id' => $insert_id
]; ];
} }
// Query returned false: something went wrong, or it was declined due to required variables missing // Query returned false: something went wrong, or it was declined due to required variables missing
else{ else {
$return_arr['success'] = "False"; $return_arr['success'] = "False";
$return_arr['message'] = "Auth success but insert query failed, ensure ALL required variables are provided (and aren't duplicates where applicable) and database schema is up-to-date. Turn on error logging and look for 'undefined index'."; $return_arr['message'] = "Auth success but insert query failed, ensure ALL required variables are provided (and aren't duplicates where applicable) and database schema is up-to-date. Turn on error logging and look for 'undefined index'.";
} }
echo json_encode($return_arr); echo json_encode($return_arr);

14
api/v1/delete_output.php
View File

@ -7,16 +7,16 @@
*/ */
// Check if delete query was successful // Check if delete query was successful
if(isset($delete_count) && is_numeric($delete_count) && $delete_count > 0){ if (isset($delete_count) && is_numeric($delete_count) && $delete_count > 0) {
// Delete was successful // Delete was successful
$return_arr['success'] = "True"; $return_arr['success'] = "True";
$return_arr['count'] = $delete_count; $return_arr['count'] = $delete_count;
} }
// Delete query returned false: something went wrong, or it was declined due to required variables missing // Delete query returned false: something went wrong, or it was declined due to required variables missing
else{ else {
$return_arr['success'] = "False"; $return_arr['success'] = "False";
$return_arr['message'] = "Auth success but delete query failed. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: asset/client/company ID mismatch."; $return_arr['message'] = "Auth success but delete query failed. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: asset/client/company ID mismatch.";
} }
echo json_encode($return_arr); echo json_encode($return_arr);

28
api/v1/domains/read.php
View File

@ -1,30 +1,30 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific domain via ID (single) // Specific domain via ID (single)
if(isset($_GET['domain_id'])){ if (isset($_GET['domain_id'])) {
$id = intval($_GET['domain_id']); $id = intval($_GET['domain_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// Domain by name // Domain by name
elseif(isset($_GET['domain_name'])){ elseif (isset($_GET['domain_name'])) {
$name = mysqli_real_escape_string($mysqli,$_GET['domain_name']); $name = mysqli_real_escape_string($mysqli, $_GET['domain_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
} }
// Domain via client ID (if allowed) // Domain via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){ elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
} }
// All domains // All domains
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

28
api/v1/networks/read.php
View File

@ -1,30 +1,30 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific network via ID (single) // Specific network via ID (single)
if(isset($_GET['network_id'])){ if (isset($_GET['network_id'])) {
$id = intval($_GET['network_id']); $id = intval($_GET['network_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = '$id' AND network_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = '$id' AND network_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// Network by name // Network by name
elseif(isset($_GET['network_name'])){ elseif (isset($_GET['network_name'])) {
$name = mysqli_real_escape_string($mysqli,$_GET['network_name']); $name = mysqli_real_escape_string($mysqli, $_GET['network_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
} }
// Network via client ID (if allowed) // Network via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){ elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
} }
// All networks // All networks
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

28
api/v1/read_output.php
View File

@ -6,21 +6,21 @@
* Returns success & data messages * Returns success & data messages
*/ */
if($sql && mysqli_num_rows($sql) > 0){ if ($sql && mysqli_num_rows($sql) > 0) {
$return_arr['success'] = "True"; $return_arr['success'] = "True";
$return_arr['count'] = mysqli_num_rows($sql); $return_arr['count'] = mysqli_num_rows($sql);
$row = array(); $row = array();
while($row = mysqli_fetch_array($sql)){ while ($row = mysqli_fetch_array($sql)) {
$return_arr['data'][] = $row; $return_arr['data'][] = $row;
} }
echo json_encode($return_arr); echo json_encode($return_arr);
exit(); exit();
} }
else{ else {
$return_arr['success'] = "False"; $return_arr['success'] = "False";
$return_arr['message'] = "No resource (for this client and company) with the specified parameter(s)."; $return_arr['message'] = "No resource (for this client and company) with the specified parameter(s).";
echo json_encode($return_arr); echo json_encode($return_arr);
exit(); exit();
} }

16
api/v1/require_get_method.php
View File

@ -1,13 +1,13 @@
<?php <?php
if($_SERVER['REQUEST_METHOD'] !== "GET"){ if ($_SERVER['REQUEST_METHOD'] !== "GET") {
header("HTTP/1.1 405 Method Not Allowed"); header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False"; $return_arr['success'] = "False";
$return_arr['message'] = "Can only send GET requests to this endpoint."; $return_arr['message'] = "Can only send GET requests to this endpoint.";
echo json_encode($return_arr); echo json_encode($return_arr);
exit(); exit();
} }
// Wildcard client ID for most SELECT queries // Wildcard client ID for most SELECT queries
if($client_id == 0){ if ($client_id == 0) {
$client_id = "%"; $client_id = "%";
} }

16
api/v1/require_post_method.php
View File

@ -1,14 +1,14 @@
<?php <?php
if($_SERVER['REQUEST_METHOD'] !== "POST"){ if ($_SERVER['REQUEST_METHOD'] !== "POST") {
header("HTTP/1.1 405 Method Not Allowed"); header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False"; $return_arr['success'] = "False";
$return_arr['message'] = "Can only send POST requests to this endpoint."; $return_arr['message'] = "Can only send POST requests to this endpoint.";
echo json_encode($return_arr); echo json_encode($return_arr);
exit(); exit();
} }
// Client ID must be specific for INSERT/UPDATE/DELETE queries // Client ID must be specific for INSERT/UPDATE/DELETE queries
// If this API key allows any client, set $client_id to the one specified, else leave it // If this API key allows any client, set $client_id to the one specified, else leave it
if($client_id == 0){ if ($client_id == 0) {
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
} }

40
api/v1/software/read.php
View File

@ -1,42 +1,42 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific software via ID (single) // Specific software via ID (single)
if(isset($_GET['software_id'])){ if (isset($_GET['software_id'])) {
$id = intval($_GET['software_id']); $id = intval($_GET['software_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND software_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND software_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// Specific software via License ID // Specific software via License ID
if(isset($_GET['software_license'])){ if (isset($_GET['software_license'])) {
$license = mysqli_real_escape_string($mysqli,$_GET['software_license']); $license = mysqli_real_escape_string($mysqli, $_GET['software_license']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license_type = '$license' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license_type = '$license' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
} }
// Software by name // Software by name
elseif(isset($_GET['software_name'])){ elseif (isset($_GET['software_name'])) {
$name = mysqli_real_escape_string($mysqli,$_GET['software_name']); $name = mysqli_real_escape_string($mysqli, $_GET['software_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
} }
// Software via type // Software via type
elseif(isset($_GET['software_type'])){ elseif (isset($_GET['software_type'])) {
$type = intval($_GET['software_type']); $type = intval($_GET['software_type']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
} }
// Software via client ID (if allowed) // Software via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){ elseif (isset($_GET['client_id']) && $client_id == "%") {
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
} }
// All software(s) // All software(s)
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

16
api/v1/tickets/read.php
View File

@ -1,18 +1,18 @@
<?php <?php
require('../validate_api_key.php');
require('../require_get_method.php'); require_once('../validate_api_key.php');
require_once('../require_get_method.php');
// Specific ticket via ID (single) // Specific ticket via ID (single)
if(isset($_GET['ticket_id'])){ if (isset($_GET['ticket_id'])) {
$id = intval($_GET['ticket_id']); $id = intval($_GET['ticket_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id' AND company_id = '$company_id'"); $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id' AND company_id = '$company_id'");
} }
// All tickets // All tickets
else{ else {
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");
} }
// Output // Output
include("../read_output.php"); require_once("../read_output.php");

14
api/v1/update_output.php
View File

@ -7,16 +7,16 @@
*/ */
// Check if the insert query was successful // Check if the insert query was successful
if(isset($update_count) && is_numeric($update_count) && $update_count > 0){ if (isset($update_count) && is_numeric($update_count) && $update_count > 0) {
// Insert successful // Insert successful
$return_arr['success'] = "True"; $return_arr['success'] = "True";
$return_arr['count'] = $update_count; $return_arr['count'] = $update_count;
} }
// Query returned false: something went wrong, or it was declined due to required variables missing // Query returned false: something went wrong, or it was declined due to required variables missing
else{ else {
$return_arr['success'] = "False"; $return_arr['success'] = "False";
$return_arr['message'] = "Auth success but update query failed/returned no results. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: non-existent module ID (contact ID/ticket ID/etc)"; $return_arr['message'] = "Auth success but update query failed/returned no results. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: non-existent module ID (contact ID/ticket ID/etc)";
} }
echo json_encode($return_arr); echo json_encode($return_arr);

116
api/v1/validate_api_key.php
View File

@ -7,8 +7,8 @@
*/ */
// Includes // Includes
include( __DIR__ . '../../../functions.php'); require_once( __DIR__ . '../../../functions.php');
include(__DIR__ . "../../../config.php"); require_once(__DIR__ . "../../../config.php");
// JSON header // JSON header
header('Content-Type: application/json'); header('Content-Type: application/json');
@ -17,9 +17,9 @@ header('Content-Type: application/json');
$_POST = json_decode(file_get_contents('php://input'), true); $_POST = json_decode(file_get_contents('php://input'), true);
// Get user IP // Get user IP
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); $ip = strip_tags(mysqli_real_escape_string($mysqli, get_ip()));
// Get user agent // Get user agent
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); $user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
// Setup return array // Setup return array
$return_arr = array(); $return_arr = array();
@ -43,75 +43,75 @@ DEFINE("WORDING_UNAUTHORIZED", "HTTP/1.1 401 Unauthorized");
*/ */
// Decline methods other than GET/POST // Decline methods other than GET/POST
if($_SERVER['REQUEST_METHOD'] !== "GET" && $_SERVER['REQUEST_METHOD'] !== "POST"){ if ($_SERVER['REQUEST_METHOD'] !== "GET" && $_SERVER['REQUEST_METHOD'] !== "POST") {
header("HTTP/1.1 405 Method Not Allowed"); header("HTTP/1.1 405 Method Not Allowed");
var_dump($_SERVER['REQUEST_METHOD']); var_dump($_SERVER['REQUEST_METHOD']);
exit(); exit();
} }
// Check API key is provided // Check API key is provided
if(!isset($_GET['api_key']) && !isset($_POST['api_key'])){ if (!isset($_GET['api_key']) && !isset($_POST['api_key'])) {
header(WORDING_UNAUTHORIZED); header(WORDING_UNAUTHORIZED);
exit(); exit();
} }
// Set API key variable // Set API key variable
if(isset($_GET['api_key'])){ if (isset($_GET['api_key'])) {
$api_key = $_GET['api_key']; $api_key = $_GET['api_key'];
} }
if(isset($_POST['api_key'])){ if (isset($_POST['api_key'])) {
$api_key = $_POST['api_key']; $api_key = $_POST['api_key'];
} }
// Validate API key // Validate API key
if(isset($api_key)){ if (isset($api_key)) {
$api_key = mysqli_real_escape_string($mysqli,$api_key); $api_key = mysqli_real_escape_string($mysqli, $api_key);
$sql = mysqli_query($mysqli,"SELECT * FROM api_keys WHERE api_key_secret = '$api_key' AND api_key_expire > NOW() LIMIT 1"); $sql = mysqli_query($mysqli, "SELECT * FROM api_keys WHERE api_key_secret = '$api_key' AND api_key_expire > NOW() LIMIT 1");
// Failed // Failed
if(mysqli_num_rows($sql) !== 1){ if (mysqli_num_rows($sql) !== 1) {
// Invalid Key // Invalid Key
header(WORDING_UNAUTHORIZED); header(WORDING_UNAUTHORIZED);
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired Key', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired Key', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$return_arr['success'] = "False"; $return_arr['success'] = "False";
$return_arr['message'] = "API Key authentication failure or expired."; $return_arr['message'] = "API Key authentication failure or expired.";
header(WORDING_UNAUTHORIZED); header(WORDING_UNAUTHORIZED);
echo json_encode($return_arr); echo json_encode($return_arr);
exit(); exit();
}
// Success
else{
// Set client ID, company ID & key name
$row = mysqli_fetch_array($sql);
$api_key_name = $row['api_key_name'];
$client_id = $row['api_key_client_id'];
$company_id = $row['company_id'];
// Set limit & offset for queries
if(isset($_GET['limit'])){
$limit = intval($_GET['limit']);
}
elseif(isset($_POST['limit'])){
$limit = intval($_POST['limit']);
}
else{
$limit = 50;
} }
if(isset($_GET['offset'])){ // Success
$offset = intval($_GET['offset']); else {
}
elseif(isset($_POST['offset'])){
$offset = intval($_POST['offset']);
}
else{
$offset = 0;
}
} // Set client ID, company ID & key name
$row = mysqli_fetch_array($sql);
$api_key_name = $row['api_key_name'];
$client_id = $row['api_key_client_id'];
$company_id = $row['company_id'];
// Set limit & offset for queries
if (isset($_GET['limit'])) {
$limit = intval($_GET['limit']);
}
elseif (isset($_POST['limit'])) {
$limit = intval($_POST['limit']);
}
else {
$limit = 50;
}
if (isset($_GET['offset'])) {
$offset = intval($_GET['offset']);
}
elseif (isset($_POST['offset'])) {
$offset = intval($_POST['offset']);
}
else {
$offset = 0;
}
}
} }

49
get_credential.php
View File

@ -18,17 +18,16 @@
// Headers to allow extensions access (CORS) // Headers to allow extensions access (CORS)
$chrome_id = "chrome-extension://afgpakhonllnmnomchjhidealcpmnegc"; $chrome_id = "chrome-extension://afgpakhonllnmnomchjhidealcpmnegc";
//$firefox_id = "moz-extension://857479e9-3992-4e99-9a5e-b514d2ad0a82"; // Firefox rejected the extension. They are still using manifest v2 so will just focus on Chrome/Edge with v3 for now until Mozilla catches up
if (isset($_SERVER['HTTP_ORIGIN'])) { if (isset($_SERVER['HTTP_ORIGIN'])) {
if($_SERVER['HTTP_ORIGIN'] == $chrome_id){ if ($_SERVER['HTTP_ORIGIN'] == $chrome_id) {
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header('Access-Control-Allow-Credentials: true'); header('Access-Control-Allow-Credentials: true');
} }
} }
include("config.php"); include_once("config.php");
include("functions.php"); include_once("functions.php");
// IP & User Agent for logging // IP & User Agent for logging
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
@ -41,13 +40,13 @@ DEFINE("WORDING_BAD_EXT_COOKIE_KEY", "ITFlow - You are not logged into ITFlow, d
// Check user is logged in & has extension access // Check user is logged in & has extension access
// We're not using the PHP session as we don't want to potentially expose the session cookie with SameSite None // We're not using the PHP session as we don't want to potentially expose the session cookie with SameSite None
if(!isset($_COOKIE['user_extension_key'])){ if (!isset($_COOKIE['user_extension_key'])) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
@ -56,13 +55,13 @@ if(!isset($_COOKIE['user_extension_key'])){
$user_extension_key = $_COOKIE['user_extension_key']; $user_extension_key = $_COOKIE['user_extension_key'];
// Check the key isn't empty, less than 17 characters or the word "disabled". // Check the key isn't empty, less than 17 characters or the word "disabled".
if(empty($user_extension_key) || strlen($user_extension_key) < 16 || strtolower($user_extension_key) == "disabled"){ if (empty($user_extension_key) || strlen($user_extension_key) < 16 || strtolower($user_extension_key) == "disabled") {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
@ -74,25 +73,25 @@ $auth_user = mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings
$row = mysqli_fetch_array($auth_user); $row = mysqli_fetch_array($auth_user);
// Check SQL query state // Check SQL query state
if(mysqli_num_rows($auth_user) < 1 || !$auth_user){ if (mysqli_num_rows($auth_user) < 1 || !$auth_user) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
// Sanity check // Sanity check
if(hash('sha256', $row['user_extension_key']) !== hash('sha256', $_COOKIE['user_extension_key'])){ if (hash('sha256', $row['user_extension_key']) !== hash('sha256', $_COOKIE['user_extension_key'])) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
@ -110,28 +109,28 @@ $session_company_id = $row['user_default_company'];
$session_user_role = $row['user_role']; $session_user_role = $row['user_role'];
// Check user access level is correct (not an accountant) // Check user access level is correct (not an accountant)
if($session_user_role < 1){ if ($session_user_role < 1) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_ROLECHECK_FAILED; $data['message'] = WORDING_ROLECHECK_FAILED;
echo(json_encode($data)); echo json_encode($data);
//Logging //Logging
$user_name = mysqli_real_escape_string($mysqli, $session_name); $user_name = mysqli_real_escape_string($mysqli, $session_name);
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = '$user_name not authorised to use extension', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $session_user_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = '$user_name not authorised to use extension', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $session_user_id");
exit(); exit();
} }
// Lets go! // Lets go!
if(isset($_GET['host'])){ if (isset($_GET['host'])) {
if(!empty($_GET['host'])){ if (!empty($_GET['host'])) {
$url = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['host']))); $url = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['host'])));
$sql_logins = mysqli_query($mysqli, "SELECT * FROM logins WHERE (login_uri = '$url' AND company_id = '$session_company_id') LIMIT 1"); $sql_logins = mysqli_query($mysqli, "SELECT * FROM logins WHERE (login_uri = '$url' AND company_id = '$session_company_id') LIMIT 1");
if(mysqli_num_rows($sql_logins) > 0){ if (mysqli_num_rows($sql_logins) > 0) {
$row = mysqli_fetch_array($sql_logins); $row = mysqli_fetch_array($sql_logins);
$data['found'] = "TRUE"; $data['found'] = "TRUE";
$data['username'] = htmlentities($row['login_username']); $data['username'] = htmlentities($row['login_username']);

28
portal/check_login.php
View File

@ -5,27 +5,27 @@
* Checks if the client is logged in or not * Checks if the client is logged in or not
*/ */
if(!isset($_SESSION)){ if (!isset($_SESSION)) {
// HTTP Only cookies // HTTP Only cookies
ini_set("session.cookie_httponly", True); ini_set("session.cookie_httponly", True);
if($config_https_only){ if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True); ini_set("session.cookie_secure", True);
} }
session_start(); session_start();
} }
if(!$_SESSION['client_logged_in']){ if (!$_SESSION['client_logged_in']) {
header("Location: login.php"); header("Location: login.php");
die; die;
} }
// SESSION FINGERPRINT // SESSION FINGERPRINT
$session_ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); $session_ip = strip_tags(mysqli_real_escape_string($mysqli, get_ip()));
$session_os = strip_tags(mysqli_real_escape_string($mysqli,get_os())); $session_os = strip_tags(mysqli_real_escape_string($mysqli, get_os()));
// Get user agent // Get user agent
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); $session_user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
// Get info from session // Get info from session
$session_client_id = $_SESSION['client_id']; $session_client_id = $_SESSION['client_id'];

26
portal/inc_portal.php
View File

@ -4,19 +4,19 @@
* Includes for all pages (except login) * Includes for all pages (except login)
*/ */
include('../config.php'); require_once('../config.php');
include('../functions.php'); require_once('../functions.php');
include('check_login.php'); require_once('check_login.php');
include('portal_functions.php'); require_once('portal_functions.php');
if(!isset($_SESSION)){ if (!isset($_SESSION)) {
// HTTP Only cookies // HTTP Only cookies
ini_set("session.cookie_httponly", True); ini_set("session.cookie_httponly", True);
if($config_https_only){ if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True); ini_set("session.cookie_secure", True);
} }
session_start(); session_start();
} }
include("portal_header.php"); require_once("portal_header.php");

146
portal/index.php
View File

@ -8,18 +8,18 @@ require_once("inc_portal.php");
// Ticket status from GET // Ticket status from GET
if (!isset($_GET['status'])) { if (!isset($_GET['status'])) {
// If nothing is set, assume we only want to see open tickets // If nothing is set, assume we only want to see open tickets
$status = 'Open'; $status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'"; $ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Open') { } elseif (isset($_GET['status']) && ($_GET['status']) == 'Open') {
$status = 'Open'; $status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'"; $ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Closed') { } elseif (isset($_GET['status']) && ($_GET['status']) == 'Closed') {
$status = 'Closed'; $status = 'Closed';
$ticket_status_snippet = "ticket_status = 'Closed'"; $ticket_status_snippet = "ticket_status = 'Closed'";
} else { } else {
$status = '%'; $status = '%';
$ticket_status_snippet = "ticket_status LIKE '%'"; $ticket_status_snippet = "ticket_status LIKE '%'";
} }
$contact_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_contact_id = '$session_contact_id' AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC"); $contact_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_contact_id = '$session_contact_id' AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC");
@ -41,39 +41,39 @@ $total_tickets = $row['total_tickets'];
?> ?>
<table> <table>
<tr> <tr>
<th class="text-center"> <th class="text-center">
<?php if(!empty($session_contact_photo)){ ?> <?php if (!empty($session_contact_photo)) { ?>
<img src="<?php echo "../uploads/clients/$session_company_id/$session_client_id/$session_contact_photo"; ?>" alt="..." class=" img-size-50 img-circle"> <img src="<?php echo "../uploads/clients/$session_company_id/$session_client_id/$session_contact_photo"; ?>" alt="..." class=" img-size-50 img-circle">
<?php }else{ ?> <?php } else { ?>
<span class="fa-stack fa-2x rounded-left"> <span class="fa-stack fa-2x rounded-left">
<i class="fa fa-circle fa-stack-2x text-secondary"></i> <i class="fa fa-circle fa-stack-2x text-secondary"></i>
<span class="fa fa-stack-1x text-white"><?php echo $session_contact_initials; ?></span> <span class="fa fa-stack-1x text-white"><?php echo $session_contact_initials; ?></span>
</span> </span>
<br> <br>
<?php } ?>
<div class="text-dark"><?php echo $session_contact_name; ?></div>
<div><?php echo $session_contact_title; ?></div>
</th>
<th>
<div class="">
<h4 class="">Welcome, <b><?php echo $session_contact_name ?></b>!</h4>
<hr>
</div>
</th>
</tr>
</table>
<br> <?php } ?>
<div class="text-dark"><?php echo $session_contact_name; ?></div>
<div><?php echo $session_contact_title; ?></div>
</th>
<th>
<div class="">
<h4 class="">Welcome, <b><?php echo $session_contact_name ?></b>!</h4>
<hr>
</div>
</th>
</tr>
</table>
<div class="row"> <br>
<div class="col-10"> <div class="row">
<div class="card">
<div class="col-10">
<div class="card">
<span class="border border-secondary"> <span class="border border-secondary">
<table class="table"> <table class="table">
<thead class="thead-dark"> <thead class="thead-dark">
@ -86,46 +86,46 @@ $total_tickets = $row['total_tickets'];
<tbody> <tbody>
<?php <?php
while($ticket = mysqli_fetch_array($contact_tickets)){ while ($ticket = mysqli_fetch_array($contact_tickets)) {
echo "<tr>"; echo "<tr>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_number]</a></td>"; echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_number]</a></td>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>"; echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
echo "<td>$ticket[ticket_status]</td>"; echo "<td>$ticket[ticket_status]</td>";
echo "</tr>"; echo "</tr>";
} }
?> ?>
</tbody> </tbody>
</table> </table>
</span> </span>
</div>
</div>
<div class="col-2">
<div class="card">
<a href="ticket_add.php" class="btn btn-primary">New ticket</a>
</div>
<hr>
<a href="?status=Open">
<div class="card text-white bg-danger mb-3" style="max-width: 18rem;">
<div class="card-header">My Open tickets | <b><?php echo $total_tickets_open ?></b></div>
</div>
</a>
<a href="?status=Closed">
<div class="card text-white bg-success mb-3" style="max-width: 18rem;">
<div class="card-header">Resolved tickets | <b><?php echo $total_tickets_closed ?></b></div>
</div>
</a>
<a href="?status=%">
<div class="card text-white bg-secondary mb-3" style="max-width: 18rem;">
<div class="card-header">All my tickets | <b><?php echo $total_tickets ?></b></div>
</div>
</a>
</div>
</div> </div>
</div>
<div class="col-2">
<div class="card">
<a href="ticket_add.php" class="btn btn-primary">New ticket</a>
</div>
<hr>
<a href="?status=Open">
<div class="card text-white bg-danger mb-3" style="max-width: 18rem;">
<div class="card-header">My Open tickets | <b><?php echo $total_tickets_open ?></b></div>
</div>
</a>
<a href="?status=Closed"> <?php require_once("portal_footer.php"); ?>
<div class="card text-white bg-success mb-3" style="max-width: 18rem;">
<div class="card-header">Resolved tickets | <b><?php echo $total_tickets_closed ?></b></div>
</div>
</a>
<a href="?status=%">
<div class="card text-white bg-secondary mb-3" style="max-width: 18rem;">
<div class="card-header">All my tickets | <b><?php echo $total_tickets ?></b></div>
</div>
</a>
</div>
</div>
<?php include("portal_footer.php"); ?>

206
portal/login.php
View File

@ -9,20 +9,20 @@ require_once('../config.php');
require_once('../functions.php'); require_once('../functions.php');
require_once ('../get_settings.php'); require_once ('../get_settings.php');
if(!isset($_SESSION)){ if (!isset($_SESSION)) {
// HTTP Only cookies // HTTP Only cookies
ini_set("session.cookie_httponly", True); ini_set("session.cookie_httponly", True);
if($config_https_only){ if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True); ini_set("session.cookie_secure", True);
} }
session_start(); session_start();
} }
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); $user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$sql_settings = mysqli_query($mysqli,"SELECT config_azure_client_id FROM settings WHERE company_id = '1'"); $sql_settings = mysqli_query($mysqli, "SELECT config_azure_client_id FROM settings WHERE company_id = '1'");
$settings = mysqli_fetch_array($sql_settings); $settings = mysqli_fetch_array($sql_settings);
$client_id = $settings['config_azure_client_id']; $client_id = $settings['config_azure_client_id'];
@ -30,119 +30,119 @@ $company_sql = mysqli_query($mysqli, "SELECT company_name FROM companies WHERE c
$company_results = mysqli_fetch_array($company_sql); $company_results = mysqli_fetch_array($company_sql);
$company_name = $company_results['company_name']; $company_name = $company_results['company_name'];
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])){ if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email'])); $email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$password = $_POST['password']; $password = $_POST['password'];
if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
$_SESSION['login_message'] = 'Invalid e-mail';
}
else{
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' LIMIT 1");
$row = mysqli_fetch_array($sql);
if($row['contact_auth_method'] == 'local'){
if(password_verify($password, $row['contact_password_hash'])){
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "local";
header("Location: index.php");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $row[contact_email] successfully logged in locally', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
}
else{
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$_SESSION['login_message'] = 'Invalid e-mail';
} }
else{ else {
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()"); $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' LIMIT 1");
$_SESSION['login_message'] = 'Incorrect username or password.'; $row = mysqli_fetch_array($sql);
if ($row['contact_auth_method'] == 'local') {
if (password_verify($password, $row['contact_password_hash'])) {
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "local";
header("Location: index.php");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $row[contact_email] successfully logged in locally', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
}
else {
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
}
else {
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
} }
}
} }
?> ?>
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $company_name; ?> | Client Portal Login</title> <title><?php echo $company_name; ?> | Client Portal Login</title>
<!-- Tell the browser to be responsive to screen width --> <!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex"> <meta name="robots" content="noindex">
<!-- Font Awesome --> <!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css"> <link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Theme style --> <!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css"> <link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Google Font: Source Sans Pro --> <!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet"> <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
</head> </head>
<body class="hold-transition login-page"> <body class="hold-transition login-page">
<div class="login-box"> <div class="login-box">
<div class="login-logo"><b><?=$company_name?></b> <br>Client Portal Login</h2></div> <div class="login-logo"><b><?=$company_name?></b> <br>Client Portal Login</h2></div>
<div class="card"> <div class="card">
<div class="card-body login-card-body"> <div class="card-body login-card-body">
<p class="login-box-msg text-danger"> <p class="login-box-msg text-danger">
<?php <?php
if(!empty($_SESSION['login_message'])){ if (!empty($_SESSION['login_message'])) {
echo $_SESSION['login_message']; echo $_SESSION['login_message'];
unset($_SESSION['login_message']); unset($_SESSION['login_message']);
} }
?> ?>
</p> </p>
<form method="post"> <form method="post">
<div class="input-group mb-3"> <div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Client Email" name="email" required autofocus> <input type="text" class="form-control" placeholder="Client Email" name="email" required autofocus>
<div class="input-group-append"> <div class="input-group-append">
<div class="input-group-text"> <div class="input-group-text">
<span class="fas fa-envelope"></span> <span class="fas fa-envelope"></span>
</div> </div>
</div> </div>
</div>
<div class="input-group mb-3">
<input type="password" class="form-control" placeholder="Client Password" name="password" required>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-lock"></span>
</div>
</div>
</div>
<button type="submit" class="btn btn-success btn-block mb-3" name="login">Login</button>
<?php
if (!empty($config_smtp_host)) { ?>
<a href="login_reset.php">Forgotten password?</a>
<?php } ?>
</form>
<?php
if (!empty($client_id)) { ?>
<hr>
<div class="col text-center">
<button type="button" class="btn btn-secondary" onclick="location.href = 'login_microsoft.php';">Login with Microsoft Azure AD</button>
</div>
<?php } ?>
</div> </div>
<div class="input-group mb-3"> <!-- /.login-card-body -->
<input type="password" class="form-control" placeholder="Client Password" name="password" required>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-lock"></span>
</div>
</div>
</div>
<button type="submit" class="btn btn-success btn-block mb-3" name="login">Login</button>
<?php
if (!empty($config_smtp_host)) { ?>
<a href="login_reset.php">Forgotten password?</a>
<?php } ?>
</form>
<?php
if(!empty($client_id)){ ?>
<hr>
<div class="col text-center">
<button type="button" class="btn btn-secondary" onclick="location.href = 'login_microsoft.php';">Login with Microsoft Azure AD</button>
</div>
<?php } ?>
</div> </div>
<!-- /.login-card-body --> <!-- /.div.card -->
</div>
<!-- /.div.card -->
</div> </div>
<!-- /.login-box --> <!-- /.login-box -->
@ -158,7 +158,7 @@ if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])){
<!-- Prevents resubmit on refresh or back --> <!-- Prevents resubmit on refresh or back -->
<script> <script>
if(window.history.replaceState){ if (window.history.replaceState) {
window.history.replaceState(null,null,window.location.href); window.history.replaceState(null,null,window.location.href);
} }
</script> </script>

167
portal/login_microsoft.php
View File

@ -4,20 +4,20 @@
* OAuth Login via Microsoft IDP * OAuth Login via Microsoft IDP
*/ */
include('../config.php'); require_once('../config.php');
include('../functions.php'); require_once('../functions.php');
if(!isset($_SESSION)){ if (!isset($_SESSION)) {
// HTTP Only cookies // HTTP Only cookies
ini_set("session.cookie_httponly", True); ini_set("session.cookie_httponly", true);
if($config_https_only){ if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True); ini_set("session.cookie_secure", true);
} }
session_start(); session_start();
} }
$sql_settings = mysqli_query($mysqli,"SELECT config_azure_client_id, config_azure_client_secret FROM settings WHERE company_id = '1'"); $sql_settings = mysqli_query($mysqli, "SELECT config_azure_client_id, config_azure_client_secret FROM settings WHERE company_id = '1'");
$settings = mysqli_fetch_array($sql_settings); $settings = mysqli_fetch_array($sql_settings);
$client_id = $settings['config_azure_client_id']; $client_id = $settings['config_azure_client_id'];
@ -31,96 +31,93 @@ $token_grant_url = "https://login.microsoftonline.com/organizations/oauth2/v2.0/
// Initial Login Request, via Microsoft // Initial Login Request, via Microsoft
// Returns a authorization code if login was successful // Returns a authorization code if login was successful
if ($_SERVER['REQUEST_METHOD'] == "GET"){ if ($_SERVER['REQUEST_METHOD'] == "GET") {
$params = array ( $params = array (
'client_id' => $client_id, 'client_id' => $client_id,
'redirect_uri' => $redirect_uri, 'redirect_uri' => $redirect_uri,
'response_type' => 'code', 'response_type' => 'code',
'response_mode' =>'form_post', 'response_mode' =>'form_post',
'scope' => 'https://graph.microsoft.com/User.Read', 'scope' => 'https://graph.microsoft.com/User.Read',
'state' => session_id()); 'state' => session_id());
header ('Location: '.$auth_code_url.'?'.http_build_query ($params)); header('Location: '.$auth_code_url.'?'.http_build_query($params));
} }
// Login was successful, Microsoft has returned us a authorization code via POST // Login was successful, Microsoft has returned us a authorization code via POST
// Request an access token using authorization code (& client secret) (server side) // Request an access token using authorization code (& client secret) (server side)
if (isset($_POST['code']) && $_POST['state'] == session_id()){ if (isset($_POST['code']) && $_POST['state'] == session_id()) {
$params = array ( $params = array (
'client_id' =>$client_id, 'client_id' =>$client_id,
'code' => $_POST['code'], 'code' => $_POST['code'],
'redirect_uri' => $redirect_uri, 'redirect_uri' => $redirect_uri,
'grant_type' => 'authorization_code', 'grant_type' => 'authorization_code',
'client_secret' => $client_secret 'client_secret' => $client_secret
); );
// Send request via CURL (server side) so user cannot see the client secret
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$token_grant_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
http_build_query($params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$access_token_response = json_decode(curl_exec($ch),1);
// Check if we have an access token
// If we do, send a request to Microsoft Graph API to get user info
if (isset($access_token_response['access_token'])){
// Send request via CURL (server side) so user cannot see the client secret
$ch = curl_init(); $ch = curl_init();
curl_setopt ($ch, CURLOPT_HTTPHEADER, array ('Authorization: Bearer '.$access_token_response['access_token'], curl_setopt($ch, CURLOPT_URL, $token_grant_url);
'Content-type: application/json')); curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/"); curl_setopt($ch, CURLOPT_POSTFIELDS,
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); http_build_query($params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP #curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$msgraph_response = json_decode (curl_exec ($ch), 1); $access_token_response = json_decode(curl_exec($ch), 1);
if (isset($msgraph_response['error'])){ // Check if we have an access token
// Something went wrong verifying the token/using the Graph API - quit // If we do, send a request to Microsoft Graph API to get user info
echo "Error with MS Graph API. Details:"; if (isset($access_token_response['access_token'])) {
var_dump ($msgraph_response['error']);
exit(); $ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array ('Authorization: Bearer '.$access_token_response['access_token'],
'Content-type: application/json'));
curl_setopt($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$msgraph_response = json_decode(curl_exec($ch), 1);
if (isset($msgraph_response['error'])) {
// Something went wrong verifying the token/using the Graph API - quit
echo "Error with MS Graph API. Details:";
var_dump($msgraph_response['error']);
exit();
} elseif (isset($msgraph_response['id'])) {
$upn = mysqli_real_escape_string($mysqli, $msgraph_response["userPrincipalName"]);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$upn' LIMIT 1");
$row = mysqli_fetch_array($sql);
if ($row['contact_auth_method'] == 'azure') {
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "azure";
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $upn successfully logged in via Azure', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
header("Location: index.php");
} else {
$_SESSION['login_message'] = 'Something went wrong with login. Ensure you are setup for SSO.';
header("Location: index.php");
}
}
header('Location: index.php');
} else {
echo "Error getting access_token";
} }
elseif(isset($msgraph_response['id'])){
$upn = mysqli_real_escape_string($mysqli, $msgraph_response["userPrincipalName"]);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$upn' LIMIT 1");
$row = mysqli_fetch_array($sql);
if($row['contact_auth_method'] == 'azure'){
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "azure";
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $upn successfully logged in via Azure', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
header("Location: index.php");
}
else{
$_SESSION['login_message'] = 'Something went wrong with login. Ensure you are setup for SSO.';
header("Location: index.php");
}
}
header ('Location: index.php');
}
else{
echo "Error getting access_token";
}
} }
// If the user is just sat on the page, redirect them to login to try again // If the user is just sat on the page, redirect them to login to try again
if(empty($_GET)){ if (empty($_GET)) {
echo "<script> setTimeout(function(){ window.location = \"login.php\"; },1000);</script>"; echo "<script> setTimeout(function() { window.location = \"login.php\"; },1000);</script>";
} }

365
portal/login_reset.php
View File

@ -7,25 +7,25 @@
$session_company_id = 1; $session_company_id = 1;
require_once('../config.php'); require_once('../config.php');
require_once('../functions.php'); require_once('../functions.php');
require_once ('../get_settings.php'); require_once('../get_settings.php');
if (empty($config_smtp_host)) { if (empty($config_smtp_host)) {
header("Location: login.php"); header("Location: login.php");
exit(); exit();
} }
if(!isset($_SESSION)){ if (!isset($_SESSION)) {
// HTTP Only cookies // HTTP Only cookies
ini_set("session.cookie_httponly", True); ini_set("session.cookie_httponly", true);
if($config_https_only){ if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True); ini_set("session.cookie_secure", true);
} }
session_start(); session_start();
} }
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); $user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$company_sql = mysqli_query($mysqli, "SELECT company_name FROM companies WHERE company_id = '1'"); $company_sql = mysqli_query($mysqli, "SELECT company_name FROM companies WHERE company_id = '1'");
$company_results = mysqli_fetch_array($company_sql); $company_results = mysqli_fetch_array($company_sql);
@ -35,107 +35,106 @@ DEFINE("WORDING_ERROR", "Something went wrong! Your link may have expired. Pleas
if ($_SERVER['REQUEST_METHOD'] == "POST") { if ($_SERVER['REQUEST_METHOD'] == "POST") {
/*
* Send password reset email
*/
if(isset($_POST['password_reset_email_request'])){
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$sql = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_client_id, company_id FROM contacts WHERE contact_email = '$email' AND contact_auth_method = 'local' LIMIT 1");
$row = mysqli_fetch_assoc($sql);
$id = $row['contact_id'];
$name = $row['contact_name'];
$client = $row['contact_client_id'];
$company = $row['company_id'];
if ($row['contact_email'] == $email) {
$token = key32gen();
$url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client";
mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send reset email
$subject = "Password reset for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Someone (probably you) has requested a new password for your account on $company_name's ITFlow Client Portal. <br><br><b>Please <a href='$url'>click here</a> to reset your password.</b> <br><br>Alternatively, copy and paste this URL into your browser: $url<br><br><i>If you didn't request this change, you can safely ignore this email.</i><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
//End Mail IF
} else {
sleep(rand(2, 4)); // Mimic the e-mail send delay even if email is invalid to help prevent user enumeration
}
$_SESSION['login_message'] = "If your account exists, a reset link is on it's way!";
/* /*
* Do password reset * Send password reset email
*/ */
} if (isset($_POST['password_reset_email_request'])) {
elseif(isset($_POST['password_reset_set_password'])){
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$sql = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_client_id, company_id FROM contacts WHERE contact_email = '$email' AND contact_auth_method = 'local' LIMIT 1");
$row = mysqli_fetch_assoc($sql);
$id = $row['contact_id'];
$name = $row['contact_name'];
$client = $row['contact_client_id'];
$company = $row['company_id'];
if ($row['contact_email'] == $email) {
$token = key32gen();
$url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client";
mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send reset email
$subject = "Password reset for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Someone (probably you) has requested a new password for your account on $company_name's ITFlow Client Portal. <br><br><b>Please <a href='$url'>click here</a> to reset your password.</b> <br><br>Alternatively, copy and paste this URL into your browser: $url<br><br><i>If you didn't request this change, you can safely ignore this email.</i><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
//End Mail IF
} else {
sleep(rand(2, 4)); // Mimic the e-mail send delay even if email is invalid to help prevent user enumeration
}
$_SESSION['login_message'] = "If your account exists, a reset link is on it's way!";
/*
* Do password reset
*/
} elseif (isset($_POST['password_reset_set_password'])) {
if (!isset($_POST['new_password']) || !isset($_POST['email']) || !isset($_POST['token']) || !isset($_POST['client'])) {
$_SESSION['login_message'] = WORDING_ERROR;
}
$token = strip_tags(mysqli_real_escape_string($mysqli, $_POST['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_POST['client'])));
// Query user
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
$contact_id = $contact_row['contact_id'];
$name = $contact_row['contact_name'];
$company = $contact_row['company_id'];
// Ensure the token is correct
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) {
// Set password, invalidate token, logging
$password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send confirmation email
$subject = "Password reset confirmation for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Your password for your account on $company_name's ITFlow Client Portal was successfully reset. You should be all set! <br><br><b>If you didn't reset your password, please get in touch ASAP.</b><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
// Redirect to login page
$_SESSION['login_message'] = "Password reset successfully!";
header("Location: login.php");
exit();
} else {
$_SESSION['login_message'] = WORDING_ERROR;
}
if(!isset($_POST['new_password']) || !isset($_POST['email']) || !isset($_POST['token']) || !isset($_POST['client'])) {
$_SESSION['login_message'] = WORDING_ERROR;
} }
$token = strip_tags(mysqli_real_escape_string($mysqli, $_POST['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_POST['client'])));
// Query user
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
$contact_id = $contact_row['contact_id'];
$name = $contact_row['contact_name'];
$company = $contact_row['company_id'];
// Ensure the token is correct
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) {
// Set password, invalidate token, logging
$password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send confirmation email
$subject = "Password reset confirmation for $company_name ITFlow Portal";
$body = "Hello, $name<br><br>Your password for your account on $company_name's ITFlow Client Portal was successfully reset. You should be all set! <br><br><b>If you didn't reset your password, please get in touch ASAP.</b><br><br>~<br>$company_name<br>Support Department<br>$config_mail_from_email";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$email, $name,
$subject, $body);
// Error handling
if ($mail !== true) {
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
// Redirect to login page
$_SESSION['login_message'] = "Password reset successfully!";
header("Location: login.php");
exit();
} else {
$_SESSION['login_message'] = WORDING_ERROR;
}
}
} }
@ -143,110 +142,110 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $company_name; ?> | Password Reset</title> <title><?php echo $company_name; ?> | Password Reset</title>
<!-- Tell the browser to be responsive to screen width --> <!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex"> <meta name="robots" content="noindex">
<!-- Font Awesome --> <!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css"> <link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Theme style --> <!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css"> <link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Google Font: Source Sans Pro --> <!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet"> <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
</head> </head>
<body class="hold-transition login-page"> <body class="hold-transition login-page">
<div class="login-box"> <div class="login-box">
<div class="login-logo"><b><?=$company_name?></b> <br>Password Reset</h2></div> <div class="login-logo"><b><?=$company_name?></b> <br>Password Reset</h2></div>
<div class="card"> <div class="card">
<div class="card-body login-card-body"> <div class="card-body login-card-body">
<form method="post"> <form method="post">
<?php <?php
/* /*
* Password reset form * Password reset form
*/ */
if (isset($_GET['token']) && isset($_GET['email']) && isset($_GET['client'])) { if (isset($_GET['token']) && isset($_GET['email']) && isset($_GET['client'])) {
$token = strip_tags(mysqli_real_escape_string($mysqli, $_GET['token'])); $token = strip_tags(mysqli_real_escape_string($mysqli, $_GET['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_GET['email'])); $email = strip_tags(mysqli_real_escape_string($mysqli, $_GET['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_GET['client']))); $client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_GET['client'])));
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client LIMIT 1"); $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client LIMIT 1");
$contact_row = mysqli_fetch_array($sql); $contact_row = mysqli_fetch_array($sql);
// Sanity check // Sanity check
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) { ?> if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) { ?>
<div class="input-group mb-3"> <div class="input-group mb-3">
<input type="password" class="form-control" placeholder="New Password" name="new_password" required minlength="8"> <input type="password" class="form-control" placeholder="New Password" name="new_password" required minlength="8">
<div class="input-group-append"> <div class="input-group-append">
<div class="input-group-text"> <div class="input-group-text">
<span class="fas fa-lock"></span> <span class="fas fa-lock"></span>
</div> </div>
</div> </div>
</div> </div>
<input type="hidden" name="token" value="<?=$token?>"> <input type="hidden" name="token" value="<?=$token?>">
<input type="hidden" name="email" value="<?=$email?>"> <input type="hidden" name="email" value="<?=$email?>">
<input type="hidden" name="client" value="<?=$client?>"> <input type="hidden" name="client" value="<?=$client?>">
<button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_set_password">Reset password</button> <button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_set_password">Reset password</button>
<?php } else { <?php } else {
$_SESSION['login_message'] = WORDING_ERROR; $_SESSION['login_message'] = WORDING_ERROR;
} }
/* /*
* Else: Just show the form to request a reset token email * Else: Just show the form to request a reset token email
*/ */
} else { ?> } else { ?>
<div class="input-group mb-3"> <div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Registered Client Email" name="email" required autofocus> <input type="text" class="form-control" placeholder="Registered Client Email" name="email" required autofocus>
<div class="input-group-append"> <div class="input-group-append">
<div class="input-group-text"> <div class="input-group-text">
<span class="fas fa-envelope"></span> <span class="fas fa-envelope"></span>
</div> </div>
</div> </div>
</div> </div>
<button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_email_request">Reset my password</button> <button type="submit" class="btn btn-success btn-block mb-3" name="password_reset_email_request">Reset my password</button>
<?php } <?php }
?> ?>
</form> </form>
<p class="login-box-msg text-danger"> <p class="login-box-msg text-danger">
<?php <?php
// Show feedback from session // Show feedback from session
if(!empty($_SESSION['login_message'])){ if (!empty($_SESSION['login_message'])) {
echo $_SESSION['login_message']; echo $_SESSION['login_message'];
unset($_SESSION['login_message']); unset($_SESSION['login_message']);
} }
?> ?>
</p> </p>
<a href="login.php">Back to login</a> <a href="login.php">Back to login</a>
</div>
<!-- /.login-card-body -->
</div> </div>
<!-- /.login-card-body --> <!-- /.div.card -->
</div>
<!-- /.div.card -->
</div> </div>
<!-- /.login-box --> <!-- /.login-box -->
@ -262,10 +261,10 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
<!-- Prevents resubmit on refresh or back --> <!-- Prevents resubmit on refresh or back -->
<script> <script>
if(window.history.replaceState){ if (window.history.replaceState) {
window.history.replaceState(null,null,window.location.href); window.history.replaceState(null,null,window.location.href);
} }
</script> </script>
</body> </body>
</html> </html>

44
portal/portal_functions.php
View File

@ -7,32 +7,32 @@
/* /*
* Verifies a contact has access to a particular ticket ID, and that the ticket is in the correct state (open/closed) to perform an action * Verifies a contact has access to a particular ticket ID, and that the ticket is in the correct state (open/closed) to perform an action
*/ */
function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state){ function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state) {
// Access the global variables // Access the global variables
global $mysqli, $session_contact_id, $session_client_primary_contact_id, $session_client_id; global $mysqli, $session_contact_id, $session_client_primary_contact_id, $session_client_id;
// Setup // Setup
if($expected_ticket_state == "Closed"){ if ($expected_ticket_state == "Closed") {
// Closed tickets // Closed tickets
$ticket_state_snippet = "ticket_status = 'Closed'"; $ticket_state_snippet = "ticket_status = 'Closed'";
} }
else{ else {
// Open (working/hold) tickets // Open (working/hold) tickets
$ticket_state_snippet = "ticket_status != 'Closed'"; $ticket_state_snippet = "ticket_status != 'Closed'";
} }
// Verify the contact has access to the provided ticket ID // Verify the contact has access to the provided ticket ID
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND $ticket_state_snippet AND ticket_client_id = '$session_client_id' LIMIT 1"); $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND $ticket_state_snippet AND ticket_client_id = '$session_client_id' LIMIT 1");
$row = mysqli_fetch_array($sql); $row = mysqli_fetch_array($sql);
$ticket_id = $row['ticket_id']; $ticket_id = $row['ticket_id'];
if(intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id)) { if (intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id)) {
// Client is ticket owner, or primary contact // Client is ticket owner, or primary contact
return TRUE; return TRUE;
} }
// Client is NOT ticket owner or primary contact // Client is NOT ticket owner or primary contact
return FALSE; return FALSE;
} }

88
portal/portal_header.php
View File

@ -8,61 +8,61 @@
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<title><?php echo $config_app_name; ?> | Client Portal - Tickets</title> <title><?php echo $config_app_name; ?> | Client Portal - Tickets</title>
<!-- Tell the browser to be responsive to screen width --> <!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex"> <meta name="robots" content="noindex">
<!-- Font Awesome --> <!-- Font Awesome -->
<link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css"> <link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
<!-- Theme style --> <!-- Theme style -->
<link rel="stylesheet" href="../dist/css/adminlte.min.css"> <link rel="stylesheet" href="../dist/css/adminlte.min.css">
<!-- Google Font: Source Sans Pro --> <!-- Google Font: Source Sans Pro -->
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet"> <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">
</head> </head>
<!-- Navbar --> <!-- Navbar -->
<nav class="navbar navbar-expand-lg navbar-dark bg-dark"> <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<div class="container"> <div class="container">
<a class="navbar-brand" href="index.php"><?php echo $config_app_name ?></a> <a class="navbar-brand" href="index.php"><?php echo $config_app_name ?></a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span> <span class="navbar-toggler-icon"></span>
</button> </button>
<div class="collapse navbar-collapse" id="navbarSupportedContent"> <div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav mr-auto"> <ul class="navbar-nav mr-auto">
<li class="nav-item <?php if(basename($_SERVER['PHP_SELF']) == "index.php") {echo "active";} ?>"> <li class="nav-item <?php if (basename($_SERVER['PHP_SELF']) == "index.php") {echo "active";} ?>">
<a class="nav-link" href="index.php">Home</a> <a class="nav-link" href="index.php">Home</a>
</li> </li>
<?php if($session_contact_id == $session_client_primary_contact_id) { ?> <?php if ($session_contact_id == $session_client_primary_contact_id) { ?>
<li class="nav-item"> <li class="nav-item">
<a class="nav-link" href="ticket_view_all.php">All Tickets</a> <a class="nav-link" href="ticket_view_all.php">All Tickets</a>
</li> </li>
<?php } ?> <?php } ?>
<li class="nav-item"> <li class="nav-item">
<a class="nav-link" href="ticket_add.php">New Ticket</a> <a class="nav-link" href="ticket_add.php">New Ticket</a>
</li> </li>
</ul> </ul>
<ul class="nav navbar-nav pull-right"> <ul class="nav navbar-nav pull-right">
<li class="nav-item dropdown"> <li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<?php echo $session_contact_name ?> <?php echo $session_contact_name ?>
</a> </a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown"> <div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="profile.php">Profile</a> <a class="dropdown-item" href="profile.php">Profile</a>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item" href="portal_post.php?logout">Logout</a> <a class="dropdown-item" href="portal_post.php?logout">Logout</a>
</div> </div>
</li> </li>
</ul> </ul>
</div>
</div> </div>
</div>
</nav> </nav>
<br> <br>

257
portal/portal_post.php
View File

@ -6,156 +6,151 @@
require_once("inc_portal.php"); require_once("inc_portal.php");
if(isset($_POST['add_ticket'])){ if (isset($_POST['add_ticket'])) {
// Get ticket prefix/number // Get ticket prefix/number
$sql_settings = mysqli_query($mysqli,"SELECT * FROM settings WHERE company_id = $session_company_id"); $sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = $session_company_id");
$row = mysqli_fetch_array($sql_settings); $row = mysqli_fetch_array($sql_settings);
$config_ticket_prefix = $row['config_ticket_prefix']; $config_ticket_prefix = $row['config_ticket_prefix'];
$config_ticket_next_number = $row['config_ticket_next_number']; $config_ticket_next_number = $row['config_ticket_next_number'];
// HTML Purifier // HTML Purifier
require("../plugins/htmlpurifier/HTMLPurifier.standalone.php"); require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault(); $purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config); $purifier = new HTMLPurifier($purifier_config);
$client_id = $session_client_id; $client_id = $session_client_id;
$contact = $session_contact_id; $contact = $session_contact_id;
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']))); $subject = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['subject'])));
$details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['details']))))); $details = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['details'])))));
// Ensure priority is low/med/high (as can be user defined) // Ensure priority is low/med/high (as can be user defined)
if($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High"){ if ($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High") {
$priority = "Low"; $priority = "Low";
} } else {
else{ $priority = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['priority'])));
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority'])));
}
// Get the next Ticket Number and add 1 for the new ticket number
$ticket_number = $config_ticket_next_number;
$new_config_ticket_next_number = $config_ticket_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id");
mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
$id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");
header("Location: ticket.php?id=" . $id);
}
if(isset($_POST['add_ticket_comment'])){
// HTML Purifier
require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
$ticket_id = intval($_POST['ticket_id']);
// Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
// In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
// So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
$comment = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
// After stripping bad HTML, check the comment isn't just empty
if(empty($comment)){
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
// Verify the contact has access to the provided ticket ID
if(verifyContactTicketAccess($ticket_id, "Open")) {
// Add the comment
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
// Update Ticket Last Response Field & set ticket to open as client has replied
mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
}
if(isset($_POST['add_ticket_feedback'])){
$ticket_id = intval($_POST['ticket_id']);
$feedback = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['add_ticket_feedback'])));
// Verify the contact has access to the provided ticket ID
if(verifyContactTicketAccess($ticket_id, "Closed")) {
// Add feedback
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
// Notify on bad feedback
if($feedback == "Bad"){
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
} }
// Redirect // Get the next Ticket Number and add 1 for the new ticket number
header("Location: " . $_SERVER["HTTP_REFERER"]); $ticket_number = $config_ticket_next_number;
} $new_config_ticket_next_number = $config_ticket_next_number + 1;
else { mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id");
// The client does not have access to this ticket
header("Location: portal_post.php?logout"); mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
exit(); $id = mysqli_insert_id($mysqli);
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");
header("Location: ticket.php?id=" . $id);
} }
if(isset($_GET['close_ticket'])){ if (isset($_POST['add_ticket_comment'])) {
$ticket_id = intval($_GET['close_ticket']); // HTML Purifier
require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
// Verify the contact has access to the provided ticket ID $ticket_id = intval($_POST['ticket_id']);
if(verifyContactTicketAccess($ticket_id, "Open")) {
// Close ticket // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'"); // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
// So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
$comment = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
// Add reply // After stripping bad HTML, check the comment isn't just empty
mysqli_query($mysqli,"INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id"); if (empty($comment)) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
//Logging // Verify the contact has access to the provided ticket ID
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id"); if (verifyContactTicketAccess($ticket_id, "Open")) {
header("Location: ticket.php?id=" . $ticket_id); // Add the comment
} mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
else {
// The client does not have access to this ticket // Update Ticket Last Response Field & set ticket to open as client has replied
// This is only a GET request, might just be a mistake mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
header("Location: index.php");
exit(); // Redirect
} header("Location: " . $_SERVER["HTTP_REFERER"]);
} else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
} }
if(isset($_GET['logout'])){ if (isset($_POST['add_ticket_feedback'])) {
setcookie("PHPSESSID", '', time() - 3600, "/"); $ticket_id = intval($_POST['ticket_id']);
unset($_COOKIE['PHPSESSID']); $feedback = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['add_ticket_feedback'])));
session_unset(); // Verify the contact has access to the provided ticket ID
session_destroy(); if (verifyContactTicketAccess($ticket_id, "Closed")) {
// Add feedback
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
// Notify on bad feedback
if ($feedback == "Bad") {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
}
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
} else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
header('Location: login.php');
} }
if(isset($_POST['edit_profile'])){ if (isset($_GET['close_ticket'])) {
$new_password = $_POST['new_password']; $ticket_id = intval($_GET['close_ticket']);
if(!empty($new_password)){
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
//Logging // Verify the contact has access to the provided ticket ID
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $session_client_id, company_id = $session_company_id"); if (verifyContactTicketAccess($ticket_id, "Open")) {
}
header('Location: index.php'); // Close ticket
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id");
header("Location: ticket.php?id=" . $ticket_id);
} else {
// The client does not have access to this ticket - send them home
header("Location: index.php");
exit();
}
}
if (isset($_GET['logout'])) {
setcookie("PHPSESSID", '', time() - 3600, "/");
unset($_COOKIE['PHPSESSID']);
session_unset();
session_destroy();
header('Location: login.php');
}
if (isset($_POST['edit_profile'])) {
$new_password = $_POST['new_password'];
if (!empty($new_password)) {
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $session_client_id, company_id = $session_company_id");
}
header('Location: index.php');
} }

40
portal/profile.php
View File

@ -12,30 +12,30 @@ require('inc_portal.php');
<p>Name: <?php echo $session_contact_name ?></p> <p>Name: <?php echo $session_contact_name ?></p>
<p>Email: <?php echo $session_contact_email ?></p> <p>Email: <?php echo $session_contact_email ?></p>
<p>Client: <?php echo $session_client_name ?></p> <p>Client: <?php echo $session_client_name ?></p>
<p>Client Primary Contact: <?php if($session_client_primary_contact_id == $session_contact_id) {echo "Yes"; } else {echo "No";} ?></p> <p>Client Primary Contact: <?php if ($session_client_primary_contact_id == $session_contact_id) {echo "Yes"; } else {echo "No";} ?></p>
<p>Login via: <?php echo $_SESSION['login_method'] ?> </p> <p>Login via: <?php echo $_SESSION['login_method'] ?> </p>
<!-- // Show option to change password if auth provider is local --> <!-- // Show option to change password if auth provider is local -->
<?php if($_SESSION['login_method'] == 'local'): ?> <?php if ($_SESSION['login_method'] == 'local'): ?>
<hr> <hr>
<div class="col-md-6"> <div class="col-md-6">
<h4>Password</h4> <h4>Password</h4>
<form action="portal_post.php" method="post" autocomplete="off"> <form action="portal_post.php" method="post" autocomplete="off">
<div class="form-group"> <div class="form-group">
<label>New Password</label> <label>New Password</label>
<div class="input-group"> <div class="input-group">
<div class="input-group-prepend"> <div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span> <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
</div> </div>
<input type="password" class="form-control" minlength="6" required data-toggle="password" name="new_password" placeholder="Leave blank for no change" autocomplete="new-password"> <input type="password" class="form-control" minlength="6" required data-toggle="password" name="new_password" placeholder="Leave blank for no change" autocomplete="new-password">
</div> </div>
</div> </div>
<button type="submit" name="edit_profile" class="btn btn-primary mt-3"><i class="fa fa-fw fa-check"></i> Save password</button> <button type="submit" name="edit_profile" class="btn btn-primary mt-3"><i class="fa fa-fw fa-check"></i> Save password</button>
</form> </form>
</div> </div>
<?php endif ?> <?php endif ?>
<?php <?php
include('portal_footer.php'); require_once('portal_footer.php');

239
portal/ticket.php
View File

@ -6,160 +6,157 @@
require_once("inc_portal.php"); require_once("inc_portal.php");
if(isset($_GET['id']) && intval($_GET['id'])) { if (isset($_GET['id']) && intval($_GET['id'])) {
$ticket_id = intval($_GET['id']); $ticket_id = intval($_GET['id']);
if($session_contact_id == $session_client_primary_contact_id){ if ($session_contact_id == $session_client_primary_contact_id) {
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'"); $ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'");
} } else {
else{ $ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'");
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'"); }
}
$ticket = mysqli_fetch_array($ticket_sql); $ticket = mysqli_fetch_array($ticket_sql);
if ($ticket) { if ($ticket) {
?> ?>
<nav class="navbar navbar-dark bg-dark"> <nav class="navbar navbar-dark bg-dark">
<i class="fas fa-fw fa-ticket-alt text-secondary"></i> <a class="navbar-brand">Ticket <?php echo $ticket['ticket_prefix'], $ticket['ticket_number'] ?></a> <i class="fas fa-fw fa-ticket-alt text-secondary"></i> <a class="navbar-brand">Ticket <?php echo $ticket['ticket_prefix'], $ticket['ticket_number'] ?></a>
<span class="navbar-text"> <span class="navbar-text">
<?php <?php
if($ticket['ticket_status'] !== "Closed"){ ?> if ($ticket['ticket_status'] !== "Closed") { ?>
<button class="btn btn-sm btn-outline-success my-2 my-sm-0 form-inline my-2 my-lg-0" type="submit"><a href="portal_post.php?close_ticket=<?php echo $ticket_id; ?>"><i class="fas fa-fw fa-check text-secondary text-success"></i> Close ticket</a></button> <button class="btn btn-sm btn-outline-success my-2 my-sm-0 form-inline my-2 my-lg-0" type="submit"><a href="portal_post.php?close_ticket=<?php echo $ticket_id; ?>"><i class="fas fa-fw fa-check text-secondary text-success"></i> Close ticket</a></button>
<?php } ?> <?php } ?>
</span> </span>
</nav>
<div class="card"> </nav>
<div class="card-header">
<h3 class="card-title"><b>Subject:</b> <?php echo $ticket['ticket_subject'] ?></h3>
</div>
<div class="card-body">
<p>
<b>State:</b> <?php echo $ticket['ticket_status'] ?>
<br>
<b>Priority:</b> <?php echo $ticket['ticket_priority'] ?>
</p>
<b>Issue:</b> <?php echo $ticket['ticket_details'] ?>
</div>
</div>
<div class="card">
<!-- Either show the reply comments box, ticket smiley feedback, or thanks for feedback --> <div class="card-header">
<h3 class="card-title"><b>Subject:</b> <?php echo $ticket['ticket_subject'] ?></h3>
</div>
<div class="card-body">
<p>
<b>State:</b> <?php echo $ticket['ticket_status'] ?>
<br>
<b>Priority:</b> <?php echo $ticket['ticket_priority'] ?>
</p>
<b>Issue:</b> <?php echo $ticket['ticket_details'] ?>
</div>
</div>
<?php if($ticket['ticket_status'] !== "Closed") { ?>
<div class="form-group">
<form action="portal_post.php" method="post">
<div class="form-group">
<textarea class="form-control" name="comment" placeholder="Add comments.."></textarea>
</div>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary" name="add_ticket_comment">Save reply</button>
</form>
</div>
<?php }
elseif(empty($ticket['ticket_feedback'])) { ?> <!-- Either show the reply comments box, ticket smiley feedback, or thanks for feedback -->
<h4>Rate your ticket</h4> <?php if ($ticket['ticket_status'] !== "Closed") { ?>
<div class="form-group">
<form action="portal_post.php" method="post">
<div class="form-group">
<textarea class="form-control" name="comment" placeholder="Add comments.."></textarea>
</div>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary" name="add_ticket_comment">Save reply</button>
</form>
</div>
<?php }
<form action="portal_post.php" method="post"> elseif (empty($ticket['ticket_feedback'])) { ?>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary btn-lg" name="add_ticket_feedback" value="Good" onclick="this.form.submit()"> <h4>Rate your ticket</h4>
<span class="fa fa-smile" aria-hidden="true"></span> Good
</button>
<button type="submit" class="btn btn-danger btn-lg" name="add_ticket_feedback" value="Bad" onclick="this.form.submit()"> <form action="portal_post.php" method="post">
<span class="fa fa-frown" aria-hidden="true"></span> Bad <input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
</button>
</form>
<?php } <button type="submit" class="btn btn-primary btn-lg" name="add_ticket_feedback" value="Good" onclick="this.form.submit()">
<span class="fa fa-smile" aria-hidden="true"></span> Good
</button>
else{ ?> <button type="submit" class="btn btn-danger btn-lg" name="add_ticket_feedback" value="Bad" onclick="this.form.submit()">
<span class="fa fa-frown" aria-hidden="true"></span> Bad
</button>
</form>
<h4>Rated <?php echo $ticket['ticket_feedback'] ?> -- Thanks for your feedback!</h4> <?php }
<?php } ?> else { ?>
<!-- End comments/feedback --> <h4>Rated <?php echo $ticket['ticket_feedback'] ?> -- Thanks for your feedback!</h4>
<hr><br> <?php } ?>
<?php <!-- End comments/feedback -->
$sql = mysqli_query($mysqli,"SELECT * FROM ticket_replies LEFT JOIN users ON ticket_reply_by = user_id LEFT JOIN contacts ON ticket_reply_by = contact_id WHERE ticket_reply_ticket_id = $ticket_id AND ticket_reply_archived_at IS NULL AND ticket_reply_type != 'Internal' ORDER BY ticket_reply_id DESC");
while($row = mysqli_fetch_array($sql)){ <hr><br>
$ticket_reply_id = $row['ticket_reply_id'];
$ticket_reply = $row['ticket_reply'];
$ticket_reply_created_at = $row['ticket_reply_created_at'];
$ticket_reply_updated_at = $row['ticket_reply_updated_at'];
$ticket_reply_by = $row['ticket_reply_by'];
$ticket_reply_type = $row['ticket_reply_type'];
if($ticket_reply_type == "Client"){ <?php
$ticket_reply_by_display = $row['contact_name']; $sql = mysqli_query($mysqli, "SELECT * FROM ticket_replies LEFT JOIN users ON ticket_reply_by = user_id LEFT JOIN contacts ON ticket_reply_by = contact_id WHERE ticket_reply_ticket_id = $ticket_id AND ticket_reply_archived_at IS NULL AND ticket_reply_type != 'Internal' ORDER BY ticket_reply_id DESC");
$user_initials = initials($row['contact_name']);
$user_avatar = $row['contact_photo'];
$avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
}
else{
$ticket_reply_by_display = $row['user_name'];
$user_id = $row['user_id'];
$user_avatar = $row['user_avatar'];
$user_initials = initials($row['user_name']);
$avatar_link = "../uploads/users/$user_id/$user_avatar";
}
?>
<div class="card card-outline <?php if($ticket_reply_type == 'Client') {echo "card-warning"; } else{ echo "card-info"; } ?> mb-3"> while ($row = mysqli_fetch_array($sql)) {
<div class="card-header"> $ticket_reply_id = $row['ticket_reply_id'];
<h3 class="card-title"> $ticket_reply = $row['ticket_reply'];
<div class="media"> $ticket_reply_created_at = $row['ticket_reply_created_at'];
<?php if(!empty($user_avatar)){ ?> $ticket_reply_updated_at = $row['ticket_reply_updated_at'];
<img src="<?php echo $avatar_link ?>" alt="User Avatar" class="img-size-50 mr-3 img-circle"> $ticket_reply_by = $row['ticket_reply_by'];
<?php }else{ ?> $ticket_reply_type = $row['ticket_reply_type'];
<span class="fa-stack fa-2x">
if ($ticket_reply_type == "Client") {
$ticket_reply_by_display = $row['contact_name'];
$user_initials = initials($row['contact_name']);
$user_avatar = $row['contact_photo'];
$avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
} else {
$ticket_reply_by_display = $row['user_name'];
$user_id = $row['user_id'];
$user_avatar = $row['user_avatar'];
$user_initials = initials($row['user_name']);
$avatar_link = "../uploads/users/$user_id/$user_avatar";
}
?>
<div class="card card-outline <?php if ($ticket_reply_type == 'Client') { echo "card-warning"; } else { echo "card-info"; } ?> mb-3">
<div class="card-header">
<h3 class="card-title">
<div class="media">
<?php if (!empty($user_avatar)) { ?>
<img src="<?php echo $avatar_link ?>" alt="User Avatar" class="img-size-50 mr-3 img-circle">
<?php } else { ?>
<span class="fa-stack fa-2x">
<i class="fa fa-circle fa-stack-2x text-secondary"></i> <i class="fa fa-circle fa-stack-2x text-secondary"></i>
<span class="fa fa-stack-1x text-white"><?php echo $user_initials; ?></span> <span class="fa fa-stack-1x text-white"><?php echo $user_initials; ?></span>
</span> </span>
<?php <?php
} }
?> ?>
<div class="media-body"> <div class="media-body">
<?php echo $ticket_reply_by_display; ?> <?php echo $ticket_reply_by_display; ?>
<br> <br>
<small class="text-muted"><?php echo $ticket_reply_created_at; ?> <?php if(!empty($ticket_reply_updated_at)){ echo "(edited: $ticket_reply_updated_at)"; } ?></small> <small class="text-muted"><?php echo $ticket_reply_created_at; ?> <?php if (!empty($ticket_reply_updated_at)) { echo "(edited: $ticket_reply_updated_at)"; } ?></small>
</div> </div>
</div>
</h3>
</div>
<div class="card-body">
<?php echo $ticket_reply; ?>
</div>
</div> </div>
</h3>
</div>
<div class="card-body"> <?php
<?php echo $ticket_reply; ?>
</div>
</div>
<?php }
?>
<?php
} else {
echo "Ticket ID not found!";
} }
?> } else {
header("Location: index.php");
<?php
}
else{
echo "Ticket ID not found!";
}
}
else{
header("Location: index.php");
} }
require_once("portal_footer.php"); require_once("portal_footer.php");

72
portal/ticket_add.php
View File

@ -7,44 +7,44 @@
require('inc_portal.php'); require('inc_portal.php');
?> ?>
<h2>Raise a new ticket</h2> <h2>Raise a new ticket</h2>
<div class="col-8"> <div class="col-8">
<form action="portal_post.php" method="post"> <form action="portal_post.php" method="post">
<div class="form-group"> <div class="form-group">
<label>Subject <strong class="text-danger">*</strong></label> <label>Subject <strong class="text-danger">*</strong></label>
<div class="input-group"> <div class="input-group">
<div class="input-group-prepend"> <div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-tag"></i></span> <span class="input-group-text"><i class="fa fa-fw fa-tag"></i></span>
</div> </div>
<input type="text" class="form-control" name="subject" placeholder="Subject" required> <input type="text" class="form-control" name="subject" placeholder="Subject" required>
</div> </div>
</div>
<div class="form-group">
<label>Priority <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-thermometer-half"></i></span>
</div>
<select class="form-control select2" name="priority" required>
<option>Low</option>
<option>Medium</option>
<option>High</option>
</select>
</div>
</div>
<div class="form-group">
<label>Details <strong class="text-danger">*</strong></label>
<textarea class="form-control" rows="4" name="details" required></textarea>
</div>
<button class="btn btn-primary" name="add_ticket">Raise ticket</button>
</form>
</div> </div>
<div class="form-group">
<label>Priority <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-thermometer-half"></i></span>
</div>
<select class="form-control select2" name="priority" required>
<option>Low</option>
<option>Medium</option>
<option>High</option>
</select>
</div>
</div>
<div class="form-group">
<label>Details <strong class="text-danger">*</strong></label>
<textarea class="form-control" rows="4" name="details" required></textarea>
</div>
<button class="btn btn-primary" name="add_ticket">Raise ticket</button>
</form>
</div>
<?php <?php
include('portal_footer.php'); require_once('portal_footer.php');

96
portal/ticket_view_all.php
View File

@ -6,67 +6,67 @@
require('inc_portal.php'); require('inc_portal.php');
if($session_contact_id !== $session_client_primary_contact_id){ if ($session_contact_id !== $session_client_primary_contact_id) {
header("Location: portal_post.php?logout"); header("Location: portal_post.php?logout");
exit(); exit();
} }
// Ticket status from GET // Ticket status from GET
if (!isset($_GET['status'])) { if (!isset($_GET['status'])) {
// If nothing is set, assume we only want to see open tickets // If nothing is set, assume we only want to see open tickets
$status = 'Open'; $status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'"; $ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Open') { } elseif (isset($_GET['status']) && ($_GET['status']) == 'Open') {
$status = 'Open'; $status = 'Open';
$ticket_status_snippet = "ticket_status != 'Closed'"; $ticket_status_snippet = "ticket_status != 'Closed'";
} elseif (isset($_GET['status']) && ($_GET['status']) == 'Closed') { } elseif (isset($_GET['status']) && ($_GET['status']) == 'Closed') {
$status = 'Closed'; $status = 'Closed';
$ticket_status_snippet = "ticket_status = 'Closed'"; $ticket_status_snippet = "ticket_status = 'Closed'";
} else { } else {
$status = '%'; $status = '%';
$ticket_status_snippet = "ticket_status LIKE '%'"; $ticket_status_snippet = "ticket_status LIKE '%'";
} }
$all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC"); $all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC");
?> ?>
<h2>All tickets</h2> <h2>All tickets</h2>
<div class="col-md-2"> <div class="col-md-2">
<div class="form-group"> <div class="form-group">
<form method="get"> <form method="get">
<label>Ticket Status</label> <label>Ticket Status</label>
<select class="form-control" name="status" onchange="this.form.submit()"> <select class="form-control" name="status" onchange="this.form.submit()">
<option value="%" <?php if($status == "%"){echo "selected";}?> >Any</option> <option value="%" <?php if ($status == "%") {echo "selected";}?> >Any</option>
<option value="Open" <?php if($status == "Open"){echo "selected";}?> >Open</option> <option value="Open" <?php if ($status == "Open") {echo "selected";}?> >Open</option>
<option value="Closed" <?php if($status == "Closed"){echo "selected";}?> >Closed</option> <option value="Closed" <?php if ($status == "Closed") {echo "selected";}?> >Closed</option>
</select> </select>
</form> </form>
</div>
</div> </div>
</div> <table class="table">
<table class="table"> <thead>
<thead> <tr>
<tr> <th scope="col">#</th>
<th scope="col">#</th> <th scope="col">Subject</th>
<th scope="col">Subject</th> <th scope="col">Contact</th>
<th scope="col">Contact</th> <th scope="col">Status</th>
<th scope="col">Status</th> </tr>
</tr> </thead>
</thead> <tbody>
<tbody>
<?php <?php
while($ticket = mysqli_fetch_array($all_tickets)){ while ($ticket = mysqli_fetch_array($all_tickets)) {
echo "<tr>"; echo "<tr>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_id]</a></td>"; echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_id]</a></td>";
echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>"; echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
echo "<td>$ticket[contact_name]</td>"; echo "<td>$ticket[contact_name]</td>";
echo "<td>$ticket[ticket_status]</td>"; echo "<td>$ticket[ticket_status]</td>";
echo "</tr>"; echo "</tr>";
} }
?> ?>
</tbody> </tbody>
</table> </table>
</div> </div>
<?php <?php
include('portal_footer.php'); require_once('portal_footer.php');

1
uploads/clients/index.php
View File

@ -0,0 +1 @@

1
uploads/expenses/index.php
View File

@ -0,0 +1 @@

1
uploads/index.php
View File

@ -0,0 +1 @@

1
uploads/settings/index.php
View File

@ -0,0 +1 @@

1
uploads/tmp/index.php
View File

@ -0,0 +1 @@

1
uploads/users/index.php
View File

@ -0,0 +1 @@