Initialized migrating modals into entity folders and modals out of ajax and start working on moving admin items to new admin directory

2026-02-28 02:44:53 +00:00 · 2025-07-27 21:24:14 -04:00
parent 699546f531
commit 4906e06bf1
37 changed files with 2046 additions and 37 deletions
--- a/admin/post/role.php
+++ b/admin/post/role.php
@@ -0,0 +1,89 @@
+<?php
+
+/*
+ * ITFlow - GET/POST request handler for roles
+ */
+
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
+if (isset($_POST['add_role'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    $name = sanitizeInput($_POST['role_name']);
+    $description = sanitizeInput($_POST['role_description']);
+    $admin = intval($_POST['role_is_admin']);
+
+    mysqli_query($mysqli, "INSERT INTO user_roles SET role_name = '$name', role_description = '$description', role_is_admin = $admin");
+
+    $role_id = mysqli_insert_id($mysqli);
+
+    // Logging
+    logAction("User Role", "Create", "$session_name created user role $name", 0, $role_id);
+
+    $_SESSION['alert_message'] = "User Role <strong$name</strong> created";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
+if (isset($_POST['edit_role'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    // Update role metadata
+    $role_id = sanitizeInput($_POST['role_id']);
+    $name = sanitizeInput($_POST['role_name']);
+    $description = sanitizeInput($_POST['role_description']);
+    $admin = intval($_POST['role_is_admin']);
+    
+    mysqli_query($mysqli, "UPDATE user_roles SET role_name = '$name', role_description = '$description', role_is_admin = $admin WHERE role_id = $role_id");
+
+    // Update role access levels
+    mysqli_query($mysqli, "DELETE FROM user_role_permissions WHERE user_role_id = $role_id");
+    foreach ($_POST as $key => $value) {
+        if (str_contains($key, '##module_')){
+            $module_id = intval(explode('##', $key)[0]);
+            $access_level = intval($value);
+
+            if ($access_level > 0) {
+                mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = $role_id, module_id = $module_id, user_role_permission_level = $access_level");
+            }
+        }
+
+    }
+
+    // Logging
+    logAction("User Role", "Edit", "$session_name edited user role $name", 0, $role_id);
+
+    $_SESSION['alert_message'] = "User Role <strong>$name</strong> edited";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+}
+
+if (isset($_GET['archive_role'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
+    $role_id = intval($_GET['archive_role']);
+
+    // Check role isn't in use
+    $sql_role_user_count = mysqli_query($mysqli, "SELECT COUNT(user_id) FROM users WHERE user_role_id = $role_id AND user_archived_at IS NULL");
+    $role_user_count = mysqli_fetch_row($sql_role_user_count)[0];
+    if ($role_user_count != 0) {
+        $_SESSION['alert_type'] = "error";
+        $_SESSION['alert_message'] = "Role must not in use to archive it";
+        header("Location: " . $_SERVER["HTTP_REFERER"]);
+        exit();
+    }
+
+    mysqli_query($mysqli, "UPDATE user_roles SET role_archived_at = NOW() WHERE role_id = $role_id");
+
+    // Logging
+    $role_details = mysqli_fetch_array(mysqli_query($mysqli, "SELECT role_name FROM user_roles WHERE role_id = $role_id LIMIT 1"));
+    $role_name = sanitizeInput($role_details['role_name']);
+    logAction("User Role", "Archive", "$session_name archived user role $role_name", 0, $role_id);
+
+    $_SESSION['alert_message'] = "User Role archived";
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+}
--- a/admin/post/user.php
+++ b/admin/post/user.php
@@ -0,0 +1,373 @@
+<?php
+
+/*
+ * ITFlow - GET/POST request handler for user (agent) management
+ */
+
+require_once "../../config.php";
+require_once "../../functions.php";
+require_once "../../includes/check_login.php";
+
+if (isset($_POST['add_user'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    require_once 'user_model.php';
+
+    $password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
+    $user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password']));
+
+    mysqli_query($mysqli, "INSERT INTO users SET user_name = '$name', user_email = '$email', user_password = '$password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext', user_role_id = $role");
+
+    $user_id = mysqli_insert_id($mysqli);
+
+    // Add Client Access Permissions if set
+    if (isset($_POST['clients'])) {
+        foreach($_POST['clients'] as $client_id) {
+            $client_id = intval($client_id);
+            mysqli_query($mysqli,"INSERT INTO user_client_permissions SET user_id = $user_id, client_id = $client_id");
+        }
+    }
+
+    if (!file_exists("uploads/users/$user_id/")) {
+        mkdir("uploads/users/$user_id");
+    }
+
+    // Check for and process image/photo
+    $extended_alert_description = '';
+    if (isset($_FILES['file']['tmp_name'])) {
+        if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp'))) {
+
+            $file_tmp_path = $_FILES['file']['tmp_name'];
+
+            // directory in which the uploaded file will be moved
+            $upload_file_dir = "../uploads/users/$user_id/";
+            $dest_path = $upload_file_dir . $new_file_name;
+            move_uploaded_file($file_tmp_path, $dest_path);
+
+            // Set Avatar
+            mysqli_query($mysqli, "UPDATE users SET user_avatar = '$new_file_name' WHERE user_id = $user_id");
+            $extended_alert_description = '. File successfully uploaded.';
+        }
+    }
+
+    // Create Settings
+    mysqli_query($mysqli, "INSERT INTO user_settings SET user_id = $user_id, user_config_force_mfa = $force_mfa");
+
+    $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
+    $row = mysqli_fetch_array($sql);
+    $company_name = sanitizeInput($row['company_name']);
+
+    // Sanitize Config vars from get_settings.php
+    $config_mail_from_name = sanitizeInput($config_mail_from_name);
+    $config_mail_from_email = sanitizeInput($config_mail_from_email);
+    $config_ticket_from_email = sanitizeInput($config_ticket_from_email);
+    $config_login_key_secret = mysqli_real_escape_string($mysqli, $config_login_key_secret);
+    $config_base_url = sanitizeInput($config_base_url);
+
+    // Send user e-mail, if specified
+    if (isset($_POST['send_email']) && !empty($config_smtp_host) && filter_var($email, FILTER_VALIDATE_EMAIL)) {
+
+        $password = mysqli_real_escape_string($mysqli, $_POST['password']);
+
+        $subject = "Your new $company_name ITFlow account";
+        $body = "Hello $name,<br><br>An ITFlow account has been setup for you. Please change your password upon login. <br><br>Username: $email <br>Password: $password<br>Login URL: https://$config_base_url/login.php?key=$config_login_key_secret<br><br>--<br>$company_name - Support<br>$config_ticket_from_email";
+
+        $data = [
+            [
+                'from' => $config_mail_from_email,
+                'from_name' => $config_mail_from_name,
+                'recipient' => $email,
+                'recipient_name' => $name,
+                'subject' => $subject,
+                'body' => $body
+            ]
+        ];
+        $mail = addToMailQueue($data);
+
+        if ($mail !== true) {
+            mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email'");
+            mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', log_ip = '$session_ip', log_user_agent = '$session_user_agent',  log_user_id = $session_user_id, log_entity_id = $user_id");
+        }
+
+    }
+
+    // Logging
+    logAction("User", "Create", "$session_name created user $name", 0, $user_id);
+
+    $_SESSION['alert_message'] = "User <strong>$name</strong> created" . $extended_alert_description;
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
+if (isset($_POST['edit_user'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    require_once 'post/admin/admin_user_model.php';
+
+    $user_id = intval($_POST['user_id']);
+    $new_password = trim($_POST['new_password']);
+
+    // Update Client Access
+    mysqli_query($mysqli,"DELETE FROM user_client_permissions WHERE user_id = $user_id");
+    if (isset($_POST['clients'])) {
+        foreach($_POST['clients'] as $client_id) {
+            $client_id = intval($client_id);
+            mysqli_query($mysqli,"INSERT INTO user_client_permissions SET user_id = $user_id, client_id = $client_id");
+        }
+    }
+
+    // Get current Avatar
+    $sql = mysqli_query($mysqli, "SELECT user_avatar FROM users WHERE user_id = $user_id");
+    $row = mysqli_fetch_array($sql);
+    $existing_file_name = sanitizeInput($row['user_avatar']);
+
+    $extended_log_description = '';
+    if (!empty($_POST['2fa'])) {
+        $two_fa = $_POST['2fa'];
+    }
+
+    if (!file_exists("uploads/users/$user_id/")) {
+        mkdir("uploads/users/$user_id");
+    }
+
+    // Check for and process image/photo
+    $extended_alert_description = '';
+    if (isset($_FILES['file']['tmp_name'])) {
+        if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp'))) {
+
+            $file_tmp_path = $_FILES['file']['tmp_name'];
+
+            // directory in which the uploaded file will be moved
+            $upload_file_dir = "uploads/users/$user_id/";
+            $dest_path = $upload_file_dir . $new_file_name;
+            move_uploaded_file($file_tmp_path, $dest_path);
+
+            // Delete old file
+            unlink("../uploads/users/$user_id/$existing_file_name");
+
+            // Set Avatar
+            mysqli_query($mysqli, "UPDATE users SET user_avatar = '$new_file_name' WHERE user_id = $user_id");
+            $extended_alert_description = '. File successfully uploaded.';
+        
+        }
+    }
+
+    mysqli_query($mysqli, "UPDATE users SET user_name = '$name', user_email = '$email', user_role_id = $role WHERE user_id = $user_id");
+
+    if (!empty($new_password)) {
+        $new_password = password_hash($new_password, PASSWORD_DEFAULT);
+        $user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['new_password']));
+        mysqli_query($mysqli, "UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $user_id");
+        //Extended Logging
+        $extended_log_description .= ", password changed";
+    }
+
+    if (!empty($two_fa) && $two_fa == 'disable') {
+        mysqli_query($mysqli, "UPDATE users SET user_token = '' WHERE user_id = '$user_id'");
+        mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name disabled 2FA for $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
+    }
+
+    //Update User Settings
+    mysqli_query($mysqli, "UPDATE user_settings SET user_config_force_mfa = $force_mfa WHERE user_id = $user_id");
+
+    // Logging
+    logAction("User", "Edit", "$session_name edited user $name", 0, $user_id);
+
+    $_SESSION['alert_message'] = "User <strong>$name</strong> updated" . $extended_alert_description;
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
+if (isset($_GET['activate_user'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
+    $user_id = intval($_GET['activate_user']);
+
+    // Get User Name
+    $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id");
+    $row = mysqli_fetch_array($sql);
+    $user_name = sanitizeInput($row['user_name']);
+
+    mysqli_query($mysqli, "UPDATE users SET user_status = 1 WHERE user_id = $user_id");
+
+    // Logging
+    logAction("User", "Activate", "$session_name activated user $user_name", 0, $user_id);
+
+    $_SESSION['alert_message'] = "User <strong>$user_name</strong> activated";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
+if (isset($_GET['disable_user'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
+    $user_id = intval($_GET['disable_user']);
+
+    // Get User Name
+    $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id");
+    $row = mysqli_fetch_array($sql);
+    $user_name = sanitizeInput($row['user_name']);
+
+    mysqli_query($mysqli, "UPDATE users SET user_status = 0 WHERE user_id = $user_id");
+
+    // Un-assign tickets
+    mysqli_query($mysqli, "UPDATE tickets SET ticket_assigned_to = 0 WHERE ticket_assigned_to = $user_id AND ticket_closed_at IS NULL");
+    mysqli_query($mysqli, "UPDATE recurring_tickets SET recurring_ticket_assigned_to = 0 WHERE recurring_ticket_assigned_to = $user_id");
+
+    // Logging
+    logAction("User", "Disable", "$session_name disabled user $name", 0, $user_id);
+
+    $_SESSION['alert_type'] = "error";
+    $_SESSION['alert_message'] = "User <strong>$user_name</strong> disabled";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
+if (isset($_GET['revoke_remember_me'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
+    $user_id = intval($_GET['revoke_remember_me']);
+
+    // Get User Name
+    $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id"));
+    $user_name = sanitizeInput($row['user_name']);
+
+    mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $user_id");
+
+    // Logging
+    logAction("User", "Edit", "$session_name revoked all remember me tokens for user $user_name", 0, $user_id);
+
+    $_SESSION['alert_type'] = "error";
+    $_SESSION['alert_message'] = "User <strong>$user_name</strong> remember me tokens revoked";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
+if (isset($_GET['archive_user'])) {
+
+    validateCSRFToken($_GET['csrf_token']);
+
+    // Variables from GET
+    $user_id = intval($_GET['archive_user']);
+    $password = password_hash(randomString(), PASSWORD_DEFAULT);
+
+    // Get user details
+    $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id");
+    $row = mysqli_fetch_array($sql);
+    $name = sanitizeInput($row['user_name']);
+
+    // Archive user query
+    mysqli_query($mysqli, "UPDATE users SET user_name = '$name (archived)', user_password = '$password', user_status = 0, user_specific_encryption_ciphertext = '', user_archived_at = NOW() WHERE user_id = $user_id");
+
+    // Logging
+    logAction("User", "Archive", "$session_name archived user $name", 0, $user_id);
+
+    $_SESSION['alert_type'] = "error";
+    $_SESSION['alert_message'] = "User <strong>$name</strong> archived";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
+if (isset($_POST['export_users_csv'])) {
+
+    //get records from database
+    $sql = mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_roles ON user_role_id = role_id ORDER BY user_name ASC");
+
+    $count = mysqli_num_rows($sql);
+
+    if ($count > 0) {
+        $delimiter = ",";
+        $filename = "Users-" . date('Y-m-d') . ".csv";
+
+        //create a file pointer
+        $f = fopen('php://memory', 'w');
+
+        //set column headers
+        $fields = array('Name', 'Email', 'Role', 'Status', 'Creation Date');
+        fputcsv($f, $fields, $delimiter);
+
+        //output each row of the data, format line as csv and write to file pointer
+        while($row = $sql->fetch_assoc()) {
+
+            $user_status = intval($row['user_status']);
+            if ($user_status == 2) {
+                $user_status_display = "Invited";
+            } elseif ($user_status == 1) {
+                $user_status_display = "Active";
+            } else{
+                $user_status_display = "Disabled";
+            }
+
+            $lineData = array($row['user_name'], $row['user_email'], $row['role_name'], $user_status_display, $row['user_created_at']);
+            fputcsv($f, $lineData, $delimiter);
+        }
+
+        //move back to beginning of file
+        fseek($f, 0);
+
+        //set headers to download file rather than displayed
+        header('Content-Type: text/csv');
+        header('Content-Disposition: attachment; filename="' . $filename . '";');
+
+        //output all remaining data on a file pointer
+        fpassthru($f);
+
+        // Logging
+        logAction("User", "Export", "$session_name exported $count user(s) to a CSV file");
+    }
+    exit;
+
+}
+
+if (isset($_POST['ir_reset_user_password'])) {
+
+    // Incident response: allow mass reset of agent passwords
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    // Confirm logged-in user password, for security
+    $admin_password = $_POST['admin_password'];
+    $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $session_user_id");
+    $userRow = mysqli_fetch_array($sql);
+    if (!password_verify($admin_password, $userRow['user_password'])) {
+        $_SESSION['alert_type'] = "error";
+        $_SESSION['alert_message'] = "Incorrect password.";
+        header("Location: " . $_SERVER["HTTP_REFERER"]);
+        exit;
+    }
+
+    // Get agents/users, other than the current user
+    $sql_users = mysqli_query($mysqli, "SELECT * FROM users WHERE (user_archived_at IS NULL AND user_id != $session_user_id)");
+
+    // Reset passwords
+    while ($row = mysqli_fetch_array($sql_users)) {
+        $user_id = intval($row['user_id']);
+        $user_email = sanitizeInput($row['user_email']);
+        $new_password = randomString();
+        $user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($new_password));
+
+        echo $user_email . " -- " . $new_password; // Show
+        $new_password = password_hash($new_password, PASSWORD_DEFAULT);
+
+        mysqli_query($mysqli, "UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $user_id");
+
+        echo "<br><br>";
+    }
+
+    // Logging
+    logAction("User", "Edit", "$session_name reset ALL user passwords");
+
+    exit; // Stay on the plain text password page
+
+}
--- a/admin/post/user_model.php
+++ b/admin/post/user_model.php
@@ -0,0 +1,6 @@
+<?php
+
+$name = sanitizeInput($_POST['name']);
+$email = sanitizeInput($_POST['email']);
+$role = intval($_POST['role']);
+$force_mfa = intval($_POST['force_mfa'] ?? 0);