From 0e062081cb0a21740698379428932634f2c01b06 Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Mon, 8 May 2023 10:50:53 +0100
Subject: [PATCH 1/2] Client Portal

- Allow primary + accounting/billing contacts to see quotes
- Allow primary + technical contacts to see docs
---
 portal/document.php      |  78 +++++++++++++++++++++++++++
 portal/documents.php     |  85 +++++++++++++++++++++++++++++
 portal/portal_header.php |   8 +++
 portal/quotes.php        | 112 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 283 insertions(+)
 create mode 100644 portal/document.php
 create mode 100644 portal/documents.php
 create mode 100644 portal/quotes.php

diff --git a/portal/document.php b/portal/document.php
new file mode 100644
index 00000000..56ab981e
--- /dev/null
+++ b/portal/document.php
@@ -0,0 +1,78 @@
+<?php
+/*
+ * Client Portal
+ * Docs for PTC / technical contacts
+ */
+
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
+require_once("inc_portal.php");
+
+if ($session_contact_id !== $session_client_primary_contact_id && !$session_contact_is_technical_contact) {
+    header("Location: portal_post.php?logout");
+    exit();
+}
+
+//Initialize the HTML Purifier to prevent XSS
+require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
+
+// Check for a document ID
+if (!isset($_GET['id']) && !intval($_GET['id'])) {
+    header("Location: documents.php");
+    exit();
+}
+
+$document_id = intval($_GET['id']);
+$sql_document = mysqli_query($mysqli, "SELECT document_id, document_name, document_content FROM documents WHERE document_id = $document_id AND document_client_id = $session_client_id AND document_template = 0 LIMIT 1");
+
+$row = mysqli_fetch_array($sql_document);
+
+$document_id = intval($row['document_id']);
+$document_name = htmlentities($row['document_name']);
+$document_content = $purifier->purify($row['document_content']);
+
+?>
+
+    <div class="row">
+        <div class="col-md-1 text-center">
+            <?php if (!empty($session_contact_photo)) { ?>
+                <img src="<?php echo "../uploads/clients/$session_client_id/$session_contact_photo"; ?>" alt="..." height="50" width="50" class="img-circle img-responsive">
+            <?php } else { ?>
+                <span class="fa-stack fa-2x rounded-left">
+                <i class="fa fa-circle fa-stack-2x text-secondary"></i>
+                <span class="fa fa-stack-1x text-white"><?php echo $session_contact_initials; ?></span>
+            </span>
+            <?php } ?>
+        </div>
+
+        <div class="col-md-11 p-0">
+            <h4>Welcome, <strong><?php echo $session_contact_name ?></strong>!</h4>
+            <hr>
+        </div>
+
+    </div>
+
+    <br>
+
+    <div class="row">
+
+        <div class="col-md-10">
+
+            <div class="card">
+                <div class="card-body">
+                    <h3><?php echo $document_name; ?></h3>
+                    <?php echo $document_content; ?>
+                </div>
+            </div>
+
+        </div>
+
+    </div>
+
+
+<?php
+require_once("portal_footer.php");
diff --git a/portal/documents.php b/portal/documents.php
new file mode 100644
index 00000000..54066f3b
--- /dev/null
+++ b/portal/documents.php
@@ -0,0 +1,85 @@
+<?php
+/*
+ * Client Portal
+ * Docs for PTC / technical contacts
+ */
+
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
+require_once("inc_portal.php");
+
+if ($session_contact_id !== $session_client_primary_contact_id && !$session_contact_is_technical_contact) {
+    header("Location: portal_post.php?logout");
+    exit();
+}
+
+$documents_sql = mysqli_query($mysqli, "SELECT document_id, document_name, document_created_at, folder_name FROM documents LEFT JOIN folders ON document_folder_id = folder_id WHERE document_client_id = $session_client_id AND document_template = 0 ORDER BY folder_id, document_name DESC");
+?>
+
+    <div class="row">
+        <div class="col-md-1 text-center">
+            <?php if (!empty($session_contact_photo)) { ?>
+                <img src="<?php echo "../uploads/clients/$session_client_id/$session_contact_photo"; ?>" alt="..." height="50" width="50" class="img-circle img-responsive">
+            <?php } else { ?>
+                <span class="fa-stack fa-2x rounded-left">
+                <i class="fa fa-circle fa-stack-2x text-secondary"></i>
+                <span class="fa fa-stack-1x text-white"><?php echo $session_contact_initials; ?></span>
+            </span>
+            <?php } ?>
+        </div>
+
+        <div class="col-md-11 p-0">
+            <h4>Welcome, <strong><?php echo $session_contact_name ?></strong>!</h4>
+            <hr>
+        </div>
+
+    </div>
+
+    <br>
+
+    <div class="row">
+
+        <div class="col-md-10">
+
+            <table class="table tabled-bordered border border-dark">
+                <thead class="thead-dark">
+                <tr>
+                    <th>Name</th>
+                    <th>Created</th>
+                </tr>
+                </thead>
+                <tbody>
+
+                <?php
+                while ($row = mysqli_fetch_array($documents_sql)) {
+                    $document_id = intval($row['document_id']);
+                    $folder_name = htmlentities($row['folder_name']);
+                    $document_name = htmlentities($row['document_name']);
+                    $document_created_at = htmlentities($row['document_created_at']);
+
+                    ?>
+
+                    <tr>
+                        <td><a href="document.php?id=<?php echo $document_id?>">
+                                <?php
+                                if (!empty($folder_name)) {
+                                    echo "$folder_name / ";
+                                }
+                                echo $document_name;
+                                ?>
+                            </a>
+                        </td>
+                        <td><?php echo $document_created_at; ?></td>
+                    </tr>
+                <?php } ?>
+
+                </tbody>
+            </table>
+
+        </div>
+
+    </div>
+
+
+<?php
+require_once("portal_footer.php");
diff --git a/portal/portal_header.php b/portal/portal_header.php
index 185f81e2..3f2376b0 100644
--- a/portal/portal_header.php
+++ b/portal/portal_header.php
@@ -51,6 +51,14 @@ header("X-Frame-Options: DENY"); // Legacy
                     <li class="nav-item">
                         <a class="nav-link <?php if (basename($_SERVER['PHP_SELF']) == "invoices.php") {echo "active";} ?>" href="invoices.php">Invoices</a>
                     </li>
+                    <li class="nav-item">
+                        <a class="nav-link <?php if (basename($_SERVER['PHP_SELF']) == "quotes.php") {echo "active";} ?>" href="quotes.php">Quotes</a>
+                    </li>
+                <?php } ?>
+                <?php if ($session_contact_id == $session_client_primary_contact_id || $session_contact_is_technical_contact) { ?>
+                    <li class="nav-item">
+                        <a class="nav-link <?php if (basename($_SERVER['PHP_SELF']) == "documents.php") {echo "active";} ?>" href="documents.php">Documents</a>
+                    </li>
                 <?php } ?>
             </ul>
 
diff --git a/portal/quotes.php b/portal/quotes.php
new file mode 100644
index 00000000..61db7b36
--- /dev/null
+++ b/portal/quotes.php
@@ -0,0 +1,112 @@
+<?php
+/*
+ * Client Portal
+ * Quotes for PTC / billing contacts
+ */
+
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
+require_once("inc_portal.php");
+
+if ($session_contact_id !== $session_client_primary_contact_id && !$session_contact_is_billing_contact) {
+    header("Location: portal_post.php?logout");
+    exit();
+}
+
+$quotes_sql = mysqli_query($mysqli, "SELECT * FROM quotes WHERE quote_client_id = $session_client_id AND quote_status != 'Draft' ORDER BY quote_date DESC");
+?>
+
+    <div class="row">
+        <div class="col-md-1 text-center">
+            <?php if (!empty($session_contact_photo)) { ?>
+                <img src="<?php echo "../uploads/clients/$session_client_id/$session_contact_photo"; ?>" alt="..." height="50" width="50" class="img-circle img-responsive">
+            <?php } else { ?>
+                <span class="fa-stack fa-2x rounded-left">
+                <i class="fa fa-circle fa-stack-2x text-secondary"></i>
+                <span class="fa fa-stack-1x text-white"><?php echo $session_contact_initials; ?></span>
+            </span>
+            <?php } ?>
+        </div>
+
+        <div class="col-md-11 p-0">
+            <h4>Welcome, <strong><?php echo $session_contact_name ?></strong>!</h4>
+            <hr>
+        </div>
+
+    </div>
+
+    <br>
+
+    <div class="row">
+
+        <div class="col-md-10">
+
+            <table class="table tabled-bordered border border-dark">
+                <thead class="thead-dark">
+                <tr>
+                    <th>#</th>
+                    <th>Scope</th>
+                    <th>Amount</th>
+                    <th>Date</th>
+                    <th>Status</th>
+                </tr>
+                </thead>
+                <tbody>
+
+                <?php
+                while ($row = mysqli_fetch_array($quotes_sql)) {
+                    $quote_id = intval($row['quote_id']);
+                    $quote_prefix = htmlentities($row['quote_prefix']);
+                    $quote_number = intval($row['quote_number']);
+                    $quote_scope = htmlentities($row['quote_scope']);
+                    $quote_status = htmlentities($row['quote_status']);
+                    $quote_date = htmlentities($row['quote_date']);
+                    $quote_amount = floatval($row['quote_amount']);
+                    $quote_url_key = htmlentities($row['quote_url_key']);
+
+                    if (empty($quote_scope)) {
+                        $quote_scope_display = "-";
+                    } else {
+                        $quote_scope_display = $quote_scope;
+                    }
+
+                    if ($quote_status == "Sent") {
+                        $quote_badge_color = "warning text-white";
+                    } elseif ($quote_status == "Viewed") {
+                        $quote_badge_color = "primary";
+                    } elseif ($quote_status == "Accepted") {
+                        $quote_badge_color = "success";
+                    } elseif ($quote_status == "Declined") {
+                        $quote_badge_color = "danger";
+                    } elseif ($quote_status == "Invoiced") {
+                        $quote_badge_color = "info";
+                    } else {
+                        $quote_badge_color = "secondary";
+                    }
+
+                    ?>
+
+                    <tr>
+                        <td><a target="_blank" href="\\<?php echo $config_base_url ?>/guest_view_quote.php?quote_id=<?php echo "$quote_id&url_key=$quote_url_key"?>"> <?php echo "$quote_prefix$quote_number"; ?></a></td>
+                        <td><?php echo $quote_scope_display; ?></td>
+                        <td><?php echo numfmt_format_currency($currency_format, $quote_amount, $session_company_currency); ?></td>
+                        <td><?php echo $quote_date; ?></td>
+                        <td>
+                            <span class="p-2 badge badge-<?php echo $quote_badge_color; ?>">
+                                <?php echo $quote_status; ?>
+                            </span>
+                        </td>
+
+                    </tr>
+                <?php } ?>
+
+                </tbody>
+            </table>
+
+        </div>
+
+    </div>
+
+
+<?php
+require_once("portal_footer.php");

From db6b88edd3714dc49e0d03dd443b432f475229bd Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Mon, 8 May 2023 10:54:40 +0100
Subject: [PATCH 2/2] Codesmell

---
 portal/document.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/portal/document.php b/portal/document.php
index 56ab981e..519b0bf1 100644
--- a/portal/document.php
+++ b/portal/document.php
@@ -14,7 +14,7 @@ if ($session_contact_id !== $session_client_primary_contact_id && !$session_cont
 }
 
 //Initialize the HTML Purifier to prevent XSS
-require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
+require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
 $purifier_config = HTMLPurifier_Config::createDefault();
 $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
 $purifier = new HTMLPurifier($purifier_config);