From 4d90327c792c2585ce482362ad4e866b9a23e427 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Wed, 21 Jun 2023 12:09:32 -0400
Subject: [PATCH] Created Mail Queue Logs / Viewer in settings, enabled manual
 send invoice to use the new queue system, now it logs the Email ID so you can
 reference it in the Queue to see if it sent, also do not send mail to blank
 billing contact emails

---
 cron_mail_queue.php     |  12 ++-
 post.php                |  60 +++++++--------
 settings_mail_queue.php | 162 ++++++++++++++++++++++++++++++++++++++++
 settings_side_nav.php   |   7 ++
 4 files changed, 206 insertions(+), 35 deletions(-)
 create mode 100644 settings_mail_queue.php

diff --git a/cron_mail_queue.php b/cron_mail_queue.php
index b084aae3..60005dac 100644
--- a/cron_mail_queue.php
+++ b/cron_mail_queue.php
@@ -3,6 +3,12 @@
 require_once("config.php");
 require_once("functions.php");
 
+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
 $sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = 1");
 
 $row = mysqli_fetch_array($sql_settings);
@@ -42,10 +48,11 @@ if (mysqli_num_rows($sql_queue) > 0) {
         $email_recipient = nullable_htmlentities($row['email_recipient']);
         $email_recipient_name = nullable_htmlentities($row['email_recipient_name']);
         $email_subject = nullable_htmlentities($row['email_subject']);
-        $email_content = nullable_htmlentities($row['email_content']);
+        $email_content = $purifier->purify($row['email_content']);
         $email_queued_at = nullable_htmlentities($row['email_queued_at']);
         $email_sent_at = nullable_htmlentities($row['email_sent_at']);
 
+        // Sanitized Input
         $email_recipient_logging = sanitizeInput($row['email_recipient']);
         $email_subject_logging = sanitizeInput($row['email_subject']);
 
@@ -97,12 +104,13 @@ if (mysqli_num_rows($sql_failed_queue) > 0) {
         $email_recipient = nullable_htmlentities($row['email_recipient']);
         $email_recipient_name = nullable_htmlentities($row['email_recipient_name']);
         $email_subject = nullable_htmlentities($row['email_subject']);
-        $email_content = nullable_htmlentities($row['email_content']);
+        $email_content = $purifier->purify($row['email_content']);
         $email_queued_at = nullable_htmlentities($row['email_queued_at']);
         $email_sent_at = nullable_htmlentities($row['email_sent_at']);
         // Increment the attempts
         $email_attempts = intval($row['email_attempts']) + 1;
 
+        // Sanitized Input
         $email_recipient_logging = sanitizeInput($row['email_recipient']);
         $email_subject_logging = sanitizeInput($row['email_subject']);
 
diff --git a/post.php b/post.php
index 8d921b32..348b5202 100644
--- a/post.php
+++ b/post.php
@@ -4058,6 +4058,7 @@ if(isset($_GET['email_invoice'])){
     $client_id = $row['client_id'];
     $client_name = $row['client_name'];
     $contact_name = $row['contact_name'];
+    $contact_name_escaped = sanitizeInput($row['contact_name']);
     $contact_email = $row['contact_email'];
     $contact_email_escaped = sanitizeInput($row['contact_email']);
     $contact_phone = formatPhoneNumber($row['contact_phone']);
@@ -4081,7 +4082,7 @@ if(isset($_GET['email_invoice'])){
 
     $sql_payments = mysqli_query($mysqli,"SELECT * FROM payments, accounts WHERE payment_account_id = account_id AND payment_invoice_id = $invoice_id ORDER BY payment_id DESC");
 
-    //Add up all the payments for the invoice and get the total amount paid to the invoice
+    // Add up all the payments for the invoice and get the total amount paid to the invoice
     $sql_amount_paid = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS amount_paid FROM payments WHERE payment_invoice_id = $invoice_id");
     $row = mysqli_fetch_array($sql_amount_paid);
     $amount_paid = floatval($row['amount_paid']);
@@ -4089,58 +4090,51 @@ if(isset($_GET['email_invoice'])){
     $balance = $invoice_amount - $amount_paid;
 
     if ($invoice_status == 'Paid') {
-        $subject = "Invoice $invoice_prefix$invoice_number Copy";
-        $body    = "Hello $contact_name,<br><br>Please click on the link below to see your invoice marked <b>paid</b>.<br><br><a href='https://$config_base_url/guest_view_invoice.php?invoice_id=$invoice_id&url_key=$invoice_url_key'>Invoice Link</a><br><br><br>~<br>$company_name<br>Billing Department<br>$config_invoice_from_email<br>$company_phone";
+        $subject = sanitizeInput("Invoice $invoice_prefix$invoice_number Copy");
+        $body    = mysqli_real_escape_string($mysqli, "Hello $contact_name,<br><br>Please click on the link below to see your invoice marked <b>paid</b>.<br><br><a href='https://$config_base_url/guest_view_invoice.php?invoice_id=$invoice_id&url_key=$invoice_url_key'>Invoice Link</a><br><br><br>~<br>$company_name<br>Billing Department<br>$config_invoice_from_email<br>$company_phone");
     } else {
-        $subject = "Invoice $invoice_prefix$invoice_number";
-        $body    = "Hello $contact_name,<br><br>Please view the details of the invoice below.<br><br>Invoice: $invoice_prefix$invoice_number<br>Issue Date: $invoice_date<br>Total: " . numfmt_format_currency($currency_format, $invoice_amount, $invoice_currency_code) . "<br>Balance Due: " . numfmt_format_currency($currency_format, $balance, $invoice_currency_code) . "<br>Due Date: $invoice_due<br><br><br>To view your invoice click <a href='https://$config_base_url/guest_view_invoice.php?invoice_id=$invoice_id&url_key=$invoice_url_key'>here</a><br><br><br>~<br>$company_name<br>Billing Department<br>$config_invoice_from_email<br>$company_phone";
+        $subject = sanitizeInput("Invoice $invoice_prefix$invoice_number");
+        $body    = mysqli_real_escape_string($mysqli, "Hello $contact_name,<br><br>Please view the details of the invoice below.<br><br>Invoice: $invoice_prefix$invoice_number<br>Issue Date: $invoice_date<br>Total: " . numfmt_format_currency($currency_format, $invoice_amount, $invoice_currency_code) . "<br>Balance Due: " . numfmt_format_currency($currency_format, $balance, $invoice_currency_code) . "<br>Due Date: $invoice_due<br><br><br>To view your invoice click <a href='https://$config_base_url/guest_view_invoice.php?invoice_id=$invoice_id&url_key=$invoice_url_key'>here</a><br><br><br>~<br>$company_name<br>Billing Department<br>$config_invoice_from_email<br>$company_phone");
     }
 
-    $mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
-        $config_invoice_from_email, $config_invoice_from_name,
-        $contact_email, $contact_name,
-        $subject, $body);
+    // Queue Mail
+    mysqli_query($mysqli, "INSERT INTO email_queue SET email_recipient = '$contact_email_escaped', email_recipient_name = '$contact_name_escaped', email_from = '$config_invoice_from_email', email_from_name = '$config_invoice_from_name', email_subject = '$subject', email_content = '$body'");
 
-    if ($mail === true) {
-        $_SESSION['alert_message'] = "Invoice has been sent";
-        mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Emailed invoice', history_invoice_id = $invoice_id");
+    // Get Email ID for reference
+    $email_id = mysqli_insert_id($mysqli);
 
-        //Don't change the status to sent if the status is anything but draft
-        if($invoice_status == 'Draft'){
-            mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent' WHERE invoice_id = $invoice_id");
-        }
+    $_SESSION['alert_message'] = "Invoice has been sent to the mail queue";
+    mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Queued', history_description = 'Invoice sent to the mail queue ID: $email_id', history_invoice_id = $invoice_id");
 
-        //Logging
-        mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Invoice', log_action = 'Email', log_description = 'Invoice $invoice_prefix$invoice_number emailed to $contact_email_escaped', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $invoice_id");
-
-    } else {
-        $_SESSION['alert_type'] = "error";
-        $_SESSION['alert_message'] = "Invoice Failed to send ";
-        mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Email Invoice Failed', history_invoice_id = $invoice_id");
-
-        mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $contact_email_escaped', notification_client_id = $client_id,");
-        mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $contact_email_escaped regarding $subject. $mail', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $invoice_id");
+    // Don't change the status to sent if the status is anything but draft
+    if($invoice_status == 'Draft'){
+        mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent' WHERE invoice_id = $invoice_id");
     }
 
+    // Logging
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Invoice', log_action = 'Email Queue', log_description = 'Invoice $invoice_prefix$invoice_number queued to $contact_email_escaped Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $invoice_id");
+
     // Send copies of the invoice to any additional billing contacts
     $sql_billing_contacts = mysqli_query(
         $mysqli,
         "SELECT contact_name, contact_email FROM contacts
         WHERE contact_billing = 1
         AND contact_email != '$contact_email_escaped'
+        AND contact_email != ''
         AND contact_client_id = $client_id"
     );
     while ($billing_contact = mysqli_fetch_array($sql_billing_contacts)) {
-        $billing_contact_name = $billing_contact['contact_name'];
-        $billing_contact_email = $billing_contact['contact_email'];
+        $billing_contact_name = sanitizeInput($billing_contact['contact_name']);
+        $billing_contact_email = sanitizeInput($billing_contact['contact_email']);
+
+        // Queue Mail
+        mysqli_query($mysqli, "INSERT INTO email_queue SET email_recipient = '$billing_contact_email', email_recipient_name = '$billing_contact_name', email_from = '$config_invoice_from_email', email_from_name = '$config_invoice_from_name', email_subject = '$subject', email_content = '$body'");
+
+        // Get Email ID for reference
+        $email_id = mysqli_insert_id($mysqli);
 
-        sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
-            $config_invoice_from_email, $config_invoice_from_name,
-            $billing_contact_email, $billing_contact_name,
-            $subject, $body);
     }
 
-
     header("Location: " . $_SERVER["HTTP_REFERER"]);
 
 }
diff --git a/settings_mail_queue.php b/settings_mail_queue.php
new file mode 100644
index 00000000..3e329b46
--- /dev/null
+++ b/settings_mail_queue.php
@@ -0,0 +1,162 @@
+<?php
+
+// Default Column Sortby Filter
+$sb = "email_id";
+$o = "DESC";
+
+require_once("inc_all_settings.php");
+
+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
+//Rebuild URL
+$url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, 'o' => $o)));
+
+$sql = mysqli_query(
+    $mysqli,
+    "SELECT SQL_CALC_FOUND_ROWS * FROM email_queue
+    WHERE (email_from LIKE '%$q%' OR email_from_name LIKE '%$q%' OR email_recipient LIKE '%$q%' OR email_recipient_name LIKE '%$q%' OR email_subject LIKE '%$q%')
+    AND DATE(email_queued_at) BETWEEN '$dtf' AND '$dtt'
+    ORDER BY $sb $o LIMIT $record_from, $record_to"
+);
+
+$num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
+
+?>
+
+    <div class="card card-dark">
+        <div class="card-header py-3">
+            <h3 class="card-title"><i class="fas fa-fw fa-envelope-open mr-2"></i>Email Queue</h3>
+        </div>
+        <div class="card-body">
+            <form class="mb-4" autocomplete="off">
+                <div class="row">
+                    <div class="col-sm-4">
+                        <div class="input-group">
+                            <input type="search" class="form-control" name="q" value="<?php if (isset($q)) { echo stripslashes(nullable_htmlentities($q)); } ?>" placeholder="Search mail queue">
+                            <div class="input-group-append">
+                                <button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
+                                <button class="btn btn-primary"><i class="fa fa-search"></i></button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+                <div class="collapse mt-3 <?php if (!empty($_GET['dtf'])) { echo "show"; } ?>" id="advancedFilter">
+                    <div class="row">
+                        <div class="col-md-2">
+                            <div class="form-group">
+                                <label>Canned Date</label>
+                                <select class="form-control select2" name="canned_date">
+                                    <option <?php if ($_GET['canned_date'] == "custom") { echo "selected"; } ?> value="">Custom</option>
+                                    <option <?php if ($_GET['canned_date'] == "today") { echo "selected"; } ?> value="today">Today</option>
+                                    <option <?php if ($_GET['canned_date'] == "yesterday") { echo "selected"; } ?> value="yesterday">Yesterday</option>
+                                    <option <?php if ($_GET['canned_date'] == "thisweek") { echo "selected"; } ?> value="thisweek">This Week</option>
+                                    <option <?php if ($_GET['canned_date'] == "lastweek") { echo "selected"; } ?> value="lastweek">Last Week</option>
+                                    <option <?php if ($_GET['canned_date'] == "thismonth") { echo "selected"; } ?> value="thismonth">This Month</option>
+                                    <option <?php if ($_GET['canned_date'] == "lastmonth") { echo "selected"; } ?> value="lastmonth">Last Month</option>
+                                    <option <?php if ($_GET['canned_date'] == "thisyear") { echo "selected"; } ?> value="thisyear">This Year</option>
+                                    <option <?php if ($_GET['canned_date'] == "lastyear") { echo "selected"; } ?> value="lastyear">Last Year</option>
+                                </select>
+                            </div>
+                        </div>
+                        <div class="col-md-2">
+                            <div class="form-group">
+                                <label>Date From</label>
+                                <input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo nullable_htmlentities($dtf); ?>">
+                            </div>
+                        </div>
+                        <div class="col-md-2">
+                            <div class="form-group">
+                                <label>Date To</label>
+                                <input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo nullable_htmlentities($dtt); ?>">
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </form>
+            <hr>
+            <div class="table-responsive-sm">
+                <table class="table table-sm table-striped table-borderless table-hover">
+                    <thead class="text-dark <?php if ($num_rows[0] == 0) { echo "d-none"; } ?>">
+                    <tr>
+                        <th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=email_queued_at&o=<?php echo $disp; ?>">Queued</a></th>
+                        <th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=email_from&o=<?php echo $disp; ?>">From</a></th>
+                        <th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=email_recipient&o=<?php echo $disp; ?>">To</a></th>
+                        <th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=email_subject&o=<?php echo $disp; ?>">Subject</a></th>
+                        <th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=email_status&o=<?php echo $disp; ?>">Status</a></th>
+                        <th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=email_attempts&o=<?php echo $disp; ?>">Attempts</a></th>
+                        <th>Action</th>
+                    </tr>
+                    </thead>
+                    <tbody>
+                    <?php
+
+                    while ($row = mysqli_fetch_array($sql)) {
+                        $email_id = intval($row['email_id']);
+                        $email_from = nullable_htmlentities($row['email_from']);
+                        $email_from_name = nullable_htmlentities($row['email_from_name']);
+                        $email_recipient = nullable_htmlentities($row['email_recipient']);
+                        $email_recipient_name = nullable_htmlentities($row['email_recipient_name']);
+                        $email_subject = nullable_htmlentities($row['email_subject']);
+                        $email_content = $purifier->purify($row['email_content']);
+                        $email_attempts = intval($row['email_attempts']);
+                        $email_queued_at = nullable_htmlentities($row['email_queued_at']);
+                        $email_failed_at = nullable_htmlentities($row['email_failed_at']);
+                        $email_sent_at = nullable_htmlentities($row['email_sent_at']);
+                        $email_status = intval($row['email_status']);
+                        if($email_status == 0){
+                            $email_status_display = "<div class='text-primary'>Queued</div>";
+                        }elseif($email_status == 1){
+                            $email_status_display = "<div class='text-warning'>Sending</div>";
+                        }elseif($email_status_display == 2){
+                            $email_status_display = "<div class='text-danger'>Failed</div><small class='text-secondary'>$email_failed_at</small>";
+                        }else{
+                            $email_status_display = "<div class='text-success'>Sent</div><small class='text-secondary'>$email_sent_at</small>";
+                        }
+
+                        ?>
+
+                        <tr>
+                            <td><?php echo $email_queued_at; ?></td>
+                            <td><?php echo "$email_from<br><small class='text-secondary'>$email_from_name</small>"?></td>
+                            <td><?php echo "$email_recipient<br><small class='text-secondary'>$email_recipient_name</small>"?></td>
+                            <td><?php echo $email_subject; ?></td>
+                            <td><?php echo $email_status_display; ?></td>
+                            <td><?php echo $email_attempts; ?></td>
+                            <td>
+                                <button class="btn btn-sm btn-secondary" data-toggle="modal" data-target="#viewEmailModal<?php echo $email_id; ?>"><i class="fas fa-fw fa-eye"></i></button>
+                            </td>
+                        </tr>
+
+                        <div class="modal" id="viewEmailModal<?php echo $email_id; ?>" tabindex="-1">
+                            <div class="modal-dialog modal-xl ">
+                                <div class="modal-content bg-dark">
+                                    <div class="modal-header">
+                                        <h5 class="modal-title"><i class="fa fa-fw fa-envelope mr-2"></i><?php echo $email_subject; ?></h5>
+                                        <button type="button" class="close text-white" data-dismiss="modal">
+                                            <span>&times;</span>
+                                        </button>
+                                    </div>
+                                    <div class="modal-body bg-white">
+                                        <?php echo $email_content; ?>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+
+                        <?php
+                    }
+                    ?>
+
+                    </tbody>
+                </table>
+            </div>
+            <?php require_once("pagination.php"); ?>
+        </div>
+    </div>
+
+<?php
+require_once("footer.php");
diff --git a/settings_side_nav.php b/settings_side_nav.php
index e83828ba..4db1f868 100644
--- a/settings_side_nav.php
+++ b/settings_side_nav.php
@@ -211,6 +211,13 @@
           </a>
         </li>
 
+        <li class="nav-item">
+          <a href="settings_mail_queue.php" class="nav-link <?php if (basename($_SERVER["PHP_SELF"]) == "settings_mail_queue.php") { echo "active"; } ?>">
+            <i class="nav-icon far fa-envelope-open"></i>
+            <p>Mail Queue</p>
+          </a>
+        </li>
+
         <li class="nav-item">
           <a href="logs.php" class="nav-link <?php if (basename($_SERVER["PHP_SELF"]) == "logs.php") { echo "active"; } ?>">
             <i class="nav-icon far fa-eye"></i>