AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-02-28 19:04:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor POST handling.

Browse Source 
- Split into admin and user handlers, each admin page gets its own file now
- Enforce role access once for admin POST requests
- Automatically load POST logic for admin-based requests based on the referring page, otherwise automatically load all user request logic
- Add support for using custom POST handlers
This commit is contained in:
Marcus Hill
2024-09-29 19:02:28 +01:00
parent 635b1f903a
commit 6363d265ca
127 changed files with 1888 additions and 1901 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
post/admin/admin_api.php Normal file
View File

@@ -0,0 +1,82 @@
<?php
/*
* ITFlow - GET/POST request handler for API settings
*/
if (isset($_POST['add_api_key'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$expire = sanitizeInput($_POST['expire']);
$client = intval($_POST['client']);
$secret = sanitizeInput($_POST['key']); // API Key
// Credential decryption password
$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$apikey_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password']));
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_decrypt_hash = '$apikey_specific_encryption_ciphertext', api_key_expire = '$expire', api_key_client_id = $client");
$api_key_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Create', log_description = '$session_name created API Key $name set to expire on $expire', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client, log_user_id = $session_user_id, log_entity_id = $api_key_id");
$_SESSION['alert_message'] = "API Key <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_api_key'])) {
validateCSRFToken($_GET['csrf_token']);
$api_key_id = intval($_GET['delete_api_key']);
// Get API Key Name
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT * FROM api_keys WHERE api_key_id = $api_key_id"));
$name = sanitizeInput($row['api_key_name']);
mysqli_query($mysqli,"DELETE FROM api_keys WHERE api_key_id = $api_key_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API Key', log_action = 'Delete', log_description = '$session_name deleted API key $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $api_key_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "API Key <strong>$name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_api_keys'])) {
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$api_key_ids = $_POST['api_key_ids']; // Get array of API key IDs to be deleted
if (!empty($api_key_ids)) {
// Cycle through array and delete each scheduled ticket
foreach ($api_key_ids as $api_key_id) {
$api_key_id = intval($api_key_id);
mysqli_query($mysqli, "DELETE FROM api_keys WHERE api_key_id = $api_key_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API Key', log_action = 'Delete', log_description = '$session_name deleted API key (bulk)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $api_key_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API Key', log_action = 'Delete', log_description = '$session_name bulk deleted $count keys', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count keys(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

116
post/admin/admin_backup.php Normal file
View File

@@ -0,0 +1,116 @@
<?php
/*
* ITFlow - GET/POST request handler for DB / master key backup
*/
if (isset($_GET['download_database'])) {
validateCSRFToken($_GET['csrf_token']);
// Get All Table Names From the Database
$tables = array();
$sql = "SHOW TABLES";
$result = mysqli_query($mysqli, $sql);
while ($row = mysqli_fetch_row($result)) {
$tables[] = $row[0];
}
$sqlScript = "";
foreach ($tables as $table) {
// Prepare SQLscript for creating table structure
$query = "SHOW CREATE TABLE $table";
$result = mysqli_query($mysqli, $query);
$row = mysqli_fetch_row($result);
$sqlScript .= "\n\n" . $row[1] . ";\n\n";
$query = "SELECT * FROM $table";
$result = mysqli_query($mysqli, $query);
$columnCount = mysqli_num_fields($result);
// Prepare SQLscript for dumping data for each table
for ($i = 0; $i < $columnCount; $i ++) {
while ($row = mysqli_fetch_row($result)) {
$sqlScript .= "INSERT INTO $table VALUES(";
for ($j = 0; $j < $columnCount; $j ++) {
if (isset($row[$j])) {
$sqlScript .= '"' . $row[$j] . '"';
} else {
$sqlScript .= '""';
}
if ($j < ($columnCount - 1)) {
$sqlScript .= ',';
}
}
$sqlScript .= ");\n";
}
}
$sqlScript .= "\n";
}
if (!empty($sqlScript)) {
$company_name = $session_company_name;
// Save the SQL script to a backup file
$backup_file_name = date('Y-m-d') . '_ITFlow_backup.sql';
$fileHandler = fopen($backup_file_name, 'w+');
$number_of_lines = fwrite($fileHandler, $sqlScript);
fclose($fileHandler);
// Download the SQL backup file to the browser
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($backup_file_name));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($backup_file_name));
ob_clean();
flush();
readfile($backup_file_name);
exec('rm ' . $backup_file_name);
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Database', log_action = 'Download', log_description = '$session_name downloaded the database', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Database downloaded";
}
if (isset($_POST['backup_master_key'])) {
validateCSRFToken($_POST['csrf_token']);
$password = $_POST['password'];
$sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $session_user_id");
$userRow = mysqli_fetch_array($sql);
if (password_verify($password, $userRow['user_password'])) {
$site_encryption_master_key = decryptUserSpecificKey($userRow['user_specific_encryption_ciphertext'], $password);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Master Key', log_action = 'Download', log_description = '$session_name retrieved the master encryption key', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Settings', notification = '$session_name retrieved the master encryption key'");
echo "==============================";
echo "<br>Master encryption key:<br>";
echo "<b>$site_encryption_master_key</b>";
echo "<br>==============================";
} else {
//Log the failure
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Master Key', log_action = 'Download', log_description = '$session_name attempted to retrieve the master encryption key (failure)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Incorrect password.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}

53
post/admin/admin_bulk_mail.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
/*
* ITFlow - GET/POST request handler for bulk email
*/
if (isset($_POST['send_bulk_mail_now'])) {
if ($_POST['contact_ids']) {
$mail_from = sanitizeInput($_POST['mail_from']);
$mail_from_name = sanitizeInput($_POST['mail_from_name']);
$subject = sanitizeInput($_POST['subject']);
$body = mysqli_escape_string($mysqli, $_POST['body']);
$queued_at = sanitizeInput($_POST['queued_at']);
// Add Emails
foreach($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
$sql = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$client_id = intval($row['contact_client_id']);
// Queue Mail
$data[] = [
'from' => $mail_from,
'from_name' => $mail_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body,
'queued_at' => $queued_at
];
}
addToMailQueue($mysqli, $data);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Bulk Mail', log_action = 'Send', log_description = '$session_name sent bulk email', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "You Sent Bulk Mail";
} else {
$_SESSION['alert_message'] = "NO Bulk Mail SENT";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

80
post/admin/admin_category.php Normal file
View File

@@ -0,0 +1,80 @@
<?php
/*
* ITFlow - GET/POST request handler for categories ('category')
*/
if (isset($_POST['add_category'])) {
require_once 'post/admin/admin_category_model.php';
mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Category', log_action = 'Create', log_description = '$name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Category added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_category'])) {
require_once 'post/admin/admin_category_model.php';
$category_id = intval($_POST['category_id']);
mysqli_query($mysqli,"UPDATE categories SET category_name = '$name', category_type = '$type', category_color = '$color' WHERE category_id = $category_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Category', log_action = 'Modify', log_description = '$name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Category modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_category'])) {
$category_id = intval($_GET['archive_category']);
mysqli_query($mysqli,"UPDATE categories SET category_archived_at = NOW() WHERE category_id = $category_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Category', log_action = 'Archive', log_description = '$category_id'");
$_SESSION['alert_message'] = "Category Archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_category'])) {
$category_id = intval($_GET['unarchive_category']);
mysqli_query($mysqli,"UPDATE categories SET category_archived_at = NULL WHERE category_id = $category_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Category', log_action = 'Unarchive', log_description = '$category_id'");
$_SESSION['alert_message'] = "Category Unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_category'])) {
$category_id = intval($_GET['delete_category']);
mysqli_query($mysqli,"DELETE FROM categories WHERE category_id = $category_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Category', log_action = 'Delete', log_description = '$category_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Category deleted";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

4
post/admin/admin_category_model.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
$name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']);
$color = sanitizeInput($_POST['color']);

54
post/admin/admin_custom_field.php Normal file
View File

@@ -0,0 +1,54 @@
<?php
/*
* ITFlow - GET/POST request handler for custom fields
*/
if(isset($_POST['create_custom_field'])){
require_once 'post/admin/admin_custom_field_model.php';
$table = sanitizeInput($_POST['table']);
mysqli_query($mysqli,"INSERT INTO custom_fields SET custom_field_table = '$table', custom_field_label = '$label', custom_field_type = '$type'");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Custom Field', log_action = 'Create', log_description = '$label', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Custom field created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['edit_custom_field'])){
require_once 'post/admin/admin_custom_field_model.php';
$custom_field_id = intval($_POST['custom_field_id']);
mysqli_query($mysqli,"UPDATE custom_fields SET custom_field_label = '$label', custom_field_type = '$type' WHERE custom_field_id = $custom_field_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Custom Field', log_action = 'Edit', log_description = '$label', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "You edited the custom field";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['delete_custom_field'])){
$custom_field_id = intval($_GET['delete_custom_field']);
mysqli_query($mysqli,"DELETE FROM custom_fields WHERE custom_field_id = $custom_field_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Custom Fields', log_action = 'Delete', log_description = '$custom_field_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "You deleted custom field";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

3
post/admin/admin_custom_field_model.php Normal file
View File

@@ -0,0 +1,3 @@
<?php
$label = sanitizeInput($_POST['label']);
$type = sanitizeInput($_POST['type']);

61
post/admin/admin_custom_link.php Normal file
View File

@@ -0,0 +1,61 @@
<?php
/*
* ITFlow - GET/POST request handler for showing custom links on navbars
*/
if (isset($_POST['add_custom_link'])) {
$name = sanitizeInput($_POST['name']);
$uri = sanitizeInput($_POST['uri']);
$new_tab = intval($_POST['new_tab']);
$icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));
$order = intval($_POST['order']);
$location = intval($_POST['location']);
mysqli_query($mysqli,"INSERT INTO custom_links SET custom_link_name = '$name', custom_link_uri = '$uri', custom_link_new_tab = $new_tab, custom_link_icon = '$icon', custom_link_order = $order, custom_link_location = $location");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Custom Link', log_action = 'Create', log_description = '$session_name created custom link $name --> $uri', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Custom link successfully created!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_custom_link'])) {
$custom_link_id = intval($_POST['custom_link_id']);
$name = sanitizeInput($_POST['name']);
$uri = sanitizeInput($_POST['uri']);
$new_tab = intval($_POST['new_tab']);
$icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));
$order = intval($_POST['order']);
$location = intval($_POST['location']);
mysqli_query($mysqli,"UPDATE custom_links SET custom_link_name = '$name', custom_link_uri = '$uri', custom_link_new_tab = $new_tab, custom_link_icon = '$icon', custom_link_order = $order, custom_link_location = $location WHERE custom_link_id = $custom_link_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Custom Link', log_action = 'Modify', log_description = '$session_name edited the custom link $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Custom Link modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_custom_link'])) {
$custom_link_id = intval($_GET['delete_custom_link']);
mysqli_query($mysqli,"DELETE FROM custom_links WHERE custom_link_id = $custom_link_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Custom Link', log_action = 'Delete', log_description = '$session_name deleted a custom link', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Cusatom Link deleted!";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

28
post/admin/admin_document_template.php Normal file
View File

@@ -0,0 +1,28 @@
<?php
// Doc Templates
// Import shared code from user-side docs as we reuse functions
require_once 'post/user/document.php';
if (isset($_POST['add_document_template'])) {
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
// Document add query
$add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_template = 1, document_folder_id = 0, document_created_by = $session_user_id, document_client_id = 0");
$document_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document Template', log_action = 'Create', log_description = '$session_name created document template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $document_id");
$_SESSION['alert_message'] = "Document template <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

88
post/admin/admin_mail_queue.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
if (isset($_GET['send_failed_mail'])) {
$email_id = intval($_GET['send_failed_mail']);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 0, email_attempts = 3 WHERE email_id = $email_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Email', log_action = 'Send', log_description = '$session_name attempted to force send email queue id: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $email_id");
$_SESSION['alert_message'] = "Email Force Sent, give it a minute to resend";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['cancel_mail'])) {
$email_id = intval($_GET['cancel_mail']);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 2, email_attempts = 99, email_failed_at = NOW() WHERE email_id = $email_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Email', log_action = 'Cancel', log_description = '$session_name canceled send email queue id: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $email_id");
$_SESSION['alert_message'] = "Email cancelled and marked as failed.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_cancel_emails'])) {
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$email_ids = $_POST['email_ids']; // Get array of email IDs to be cancelled
if (!empty($email_ids)) {
// Cycle through array and mark each email as failed
foreach ($email_ids as $email_id) {
$email_id = intval($email_id);
mysqli_query($mysqli,"UPDATE email_queue SET email_status = 2, email_attempts = 99, email_failed_at = NOW() WHERE email_id = $email_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Email', log_action = 'Cancel', log_description = '$session_name bulk cancelled $count emails from the mail Queue', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Cancelled $count email(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_emails'])) {
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$email_ids = $_POST['email_ids']; // Get array of email IDs to be deleted
if (!empty($email_ids)) {
// Cycle through array and delete each email
foreach ($email_ids as $email_id) {
$email_id = intval($email_id);
mysqli_query($mysqli,"DELETE FROM email_queue WHERE email_id = $email_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Email', log_action = 'Delete', log_description = '$session_name bulk deleted $count emails from the mail Queue', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = "Deleted $count email(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

107
post/admin/admin_project_template.php Normal file
View File

@@ -0,0 +1,107 @@
<?php
if (isset($_POST['add_project_template'])) {
validateTechRole();
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
mysqli_query($mysqli, "INSERT INTO project_templates SET project_template_name = '$name', project_template_description = '$description'");
$project_template_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project Template', log_action = 'Create', log_description = '$session_name created project template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $project_template_id");
$_SESSION['alert_message'] = "You created Project Template <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_project_template'])) {
validateTechRole();
$project_template_id = intval($_POST['project_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
mysqli_query($mysqli, "UPDATE project_templates SET project_template_name = '$name', project_template_description = '$description' WHERE project_template_id = $project_template_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project Template', log_action = 'Edit', log_description = '$session_name edited Project template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $project_template_id");
$_SESSION['alert_message'] = "You edited Project Template <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_template_order'])) {
validateTechRole();
$ticket_template_id = intval($_POST['ticket_template_id']);
$project_template_id = intval($_POST['project_template_id']);
$order = intval($_POST['order']);
mysqli_query($mysqli, "UPDATE project_template_ticket_templates SET ticket_template_order = $order WHERE ticket_template_id = $ticket_template_id AND project_template_id = $project_template_id");
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_ticket_template_to_project_template'])) {
validateTechRole();
$project_template_id = intval($_POST['project_template_id']);
$ticket_template_id = intval($_POST['ticket_template_id']);
$order = intval($_POST['order']);
mysqli_query($mysqli, "INSERT INTO project_template_ticket_templates SET project_template_id = $project_template_id, ticket_template_id = $ticket_template_id, ticket_template_order = $order");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project Template', log_action = 'Edit', log_description = '$session_name added a ticket template to project template', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $project_template_id");
$_SESSION['alert_message'] = "You added a ticket template to the project template";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['remove_ticket_template_from_project_template'])) {
validateTechRole();
$ticket_template_id = intval($_POST['ticket_template_id']);
$project_template_id = intval($_POST['project_template_id']);
mysqli_query($mysqli, "DELETE FROM project_template_ticket_templates WHERE project_template_id = $project_template_id AND ticket_template_id = $ticket_template_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project Template', log_action = 'Edit', log_description = '$session_name removed a ticket template from a project template', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $project_template_id");
$_SESSION['alert_message'] = "You removed ticket template from the project template";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_project_template'])) {
validateTechRole();
$project_template_id = intval($_GET['delete_project_template']);
// Get project template name
$sql = mysqli_query($mysqli, "SELECT * FROM project_templates WHERE project_template_id = $project_template_id");
$row = mysqli_fetch_array($sql);
$project_template_name = sanitizeInput($row['project_template_name']);
mysqli_query($mysqli, "DELETE FROM project_templates WHERE project_template_id = $project_template_id");
// Remove Associated Ticket Templates
mysqli_query($mysqli, "DELETE FROM project_template_ticket_templates WHERE project_template_id = $project_template_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project Template', log_action = 'Delete', log_description = '$session_name deleted ticket template $project_template_name and its associated ticket templates and its tasks', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $project_template_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You Deleted Project Template <strong>$project_template_name</strong> and its associated ticket templates and tasks";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

56
post/admin/admin_role.php Normal file
View File

@@ -0,0 +1,56 @@
<?php
/*
* ITFlow - GET/POST request handler for roles
*/
if (isset($_POST['add_role'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['role_name']);
$description = sanitizeInput($_POST['role_description']);
$admin = intval($_POST['role_is_admin']);
mysqli_query($mysqli, "INSERT INTO user_roles SET user_role_name = '$name', user_role_description = '$description', user_role_is_admin = $admin");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Role', log_action = 'Create', log_description = '$session_name created the $name role', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Role $name created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_role'])) {
validateCSRFToken($_POST['csrf_token']);
// Update role metadata
$role_id = sanitizeInput($_POST['role_id']);
$name = sanitizeInput($_POST['role_name']);
$description = sanitizeInput($_POST['role_description']);
$admin = intval($_POST['role_is_admin']);
mysqli_query($mysqli, "UPDATE user_roles SET user_role_name = '$name', user_role_description = '$description', user_role_is_admin = $admin WHERE user_role_id = $role_id");
// Update role access levels
mysqli_query($mysqli, "DELETE FROM user_role_permissions WHERE user_role_id = $role_id");
foreach ($_POST as $key => $value) {
if (str_contains($key, '##module_')){
$module_id = intval(explode('##', $key)[0]);
$access_level = intval($value);
if ($access_level > 0) {
echo $key . ' with id ' . $module_id . " : ". $access_level . "\n";
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = $role_id, module_id = $module_id, user_role_permission_level = $access_level");
}
}
}
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Role', log_action = 'Modify', log_description = '$session_name updated the $name role', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Role $name updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

55
post/admin/admin_settings_company.php Normal file
View File

@@ -0,0 +1,55 @@
<?php
if (isset($_POST['edit_company'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$address = sanitizeInput($_POST['address']);
$city = sanitizeInput($_POST['city']);
$state = sanitizeInput($_POST['state']);
$zip = sanitizeInput($_POST['zip']);
$country = sanitizeInput($_POST['country']);
$phone = preg_replace("/[^0-9]/", '',$_POST['phone']);
$email = sanitizeInput($_POST['email']);
$website = sanitizeInput($_POST['website']);
$sql = mysqli_query($mysqli,"SELECT company_logo FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['company_logo']);
// Check to see if a file is attached
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/settings/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
// Delete old file
unlink("uploads/settings/$existing_file_name");
// Set Logo
mysqli_query($mysqli,"UPDATE companies SET company_logo = '$new_file_name' WHERE company_id = 1");
$_SESSION['alert_message'] = 'File successfully uploaded.';
}else{
$_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
}
}
mysqli_query($mysqli,"UPDATE companies SET company_name = '$name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone = '$phone', company_email = '$email', company_website = '$website' WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Company', log_action = 'Modify', log_description = '$session_name modified company $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Company <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

27
post/admin/admin_settings_default.php Normal file
View File

@@ -0,0 +1,27 @@
<?php
if (isset($_POST['edit_default_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$start_page = sanitizeInput($_POST['start_page']);
$expense_account = intval($_POST['expense_account']);
$payment_account = intval($_POST['payment_account']);
$payment_method = sanitizeInput($_POST['payment_method']);
$expense_payment_method = sanitizeInput($_POST['expense_payment_method']);
$transfer_from_account = intval($_POST['transfer_from_account']);
$transfer_to_account = intval($_POST['transfer_to_account']);
$calendar = intval($_POST['calendar']);
$net_terms = intval($_POST['net_terms']);
$hourly_rate = floatval($_POST['hourly_rate']);
$phone_mask = intval($_POST['phone_mask']);
mysqli_query($mysqli,"UPDATE settings SET config_start_page = '$start_page', config_default_expense_account = $expense_account, config_default_payment_account = $payment_account, config_default_payment_method = '$payment_method', config_default_expense_payment_method = '$expense_payment_method', config_default_transfer_from_account = $transfer_from_account, config_default_transfer_to_account = $transfer_to_account, config_default_calendar = $calendar, config_default_net_terms = $net_terms, config_default_hourly_rate = $hourly_rate, config_phone_mask = $phone_mask WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified default settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Default settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

19
post/admin/admin_settings_integration.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
if (isset($_POST['edit_integrations_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$azure_client_id = sanitizeInput($_POST['azure_client_id']);
$azure_client_secret = sanitizeInput($_POST['azure_client_secret']);
mysqli_query($mysqli,"UPDATE settings SET config_azure_client_id = '$azure_client_id', config_azure_client_secret = '$azure_client_secret' WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified integrations settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Integrations Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

25
post/admin/admin_settings_invoice.php Normal file
View File

@@ -0,0 +1,25 @@
<?php
if (isset($_POST['edit_invoice_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_invoice_prefix = sanitizeInput($_POST['config_invoice_prefix']);
$config_invoice_next_number = intval($_POST['config_invoice_next_number']);
$config_invoice_footer = sanitizeInput($_POST['config_invoice_footer']);
$config_invoice_late_fee_enable = intval($_POST['config_invoice_late_fee_enable']);
$config_invoice_late_fee_percent = floatval($_POST['config_invoice_late_fee_percent']);
$config_recurring_prefix = sanitizeInput($_POST['config_recurring_prefix']);
$config_recurring_next_number = intval($_POST['config_recurring_next_number']);
mysqli_query($mysqli,"UPDATE settings SET config_invoice_prefix = '$config_invoice_prefix', config_invoice_next_number = $config_invoice_next_number, config_invoice_footer = '$config_invoice_footer', config_invoice_late_fee_enable = $config_invoice_late_fee_enable, config_invoice_late_fee_percent = $config_invoice_late_fee_percent, config_recurring_prefix = '$config_recurring_prefix', config_recurring_next_number = $config_recurring_next_number WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Edit', log_description = '$session_name edited invoice settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Invoice Settings edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

22
post/admin/admin_settings_localization.php Normal file
View File

@@ -0,0 +1,22 @@
<?php
if (isset($_POST['edit_localization'])) {
validateCSRFToken($_POST['csrf_token']);
$locale = sanitizeInput($_POST['locale']);
$currency_code = sanitizeInput($_POST['currency_code']);
$timezone = sanitizeInput($_POST['timezone']);
mysqli_query($mysqli,"UPDATE companies SET company_locale = '$locale', company_currency = '$currency_code' WHERE company_id = 1");
mysqli_query($mysqli,"UPDATE settings SET config_timezone = '$timezone' WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Company', log_action = 'Edit', log_description = '$session_name edited company localization settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Company localization updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

157
post/admin/admin_settings_mail.php Normal file
View File

@@ -0,0 +1,157 @@
<?php
if (isset($_POST['edit_mail_smtp_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_smtp_host = sanitizeInput($_POST['config_smtp_host']);
$config_smtp_port = intval($_POST['config_smtp_port']);
$config_smtp_encryption = sanitizeInput($_POST['config_smtp_encryption']);
$config_smtp_username = sanitizeInput($_POST['config_smtp_username']);
$config_smtp_password = sanitizeInput($_POST['config_smtp_password']);
mysqli_query($mysqli,"UPDATE settings SET config_smtp_host = '$config_smtp_host', config_smtp_port = $config_smtp_port, config_smtp_encryption = '$config_smtp_encryption', config_smtp_username = '$config_smtp_username', config_smtp_password = '$config_smtp_password' WHERE company_id = 1");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified SMTP mail settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "SMTP Mail Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_mail_imap_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_imap_host = sanitizeInput($_POST['config_imap_host']);
$config_imap_username = sanitizeInput($_POST['config_imap_username']);
$config_imap_password = sanitizeInput($_POST['config_imap_password']);
$config_imap_port = intval($_POST['config_imap_port']);
$config_imap_encryption = sanitizeInput($_POST['config_imap_encryption']);
mysqli_query($mysqli,"UPDATE settings SET config_imap_host = '$config_imap_host', config_imap_port = $config_imap_port, config_imap_encryption = '$config_imap_encryption', config_imap_username = '$config_imap_username', config_imap_password = '$config_imap_password' WHERE company_id = 1");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified IMAP mail settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "IMAP Mail Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_mail_from_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_mail_from_email = sanitizeInput(filter_var($_POST['config_mail_from_email'], FILTER_VALIDATE_EMAIL));
$config_mail_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_mail_from_name']));
$config_invoice_from_email = sanitizeInput(filter_var($_POST['config_invoice_from_email'], FILTER_VALIDATE_EMAIL));
$config_invoice_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_invoice_from_name']));
$config_quote_from_email = sanitizeInput(filter_var($_POST['config_quote_from_email'], FILTER_VALIDATE_EMAIL));
$config_quote_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_quote_from_name']));
$config_ticket_from_email = sanitizeInput(filter_var($_POST['config_ticket_from_email'], FILTER_VALIDATE_EMAIL));
$config_ticket_from_name = sanitizeInput(preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['config_ticket_from_name']));
mysqli_query($mysqli,"UPDATE settings SET config_mail_from_email = '$config_mail_from_email', config_mail_from_name = '$config_mail_from_name', config_invoice_from_email = '$config_invoice_from_email', config_invoice_from_name = '$config_invoice_from_name', config_quote_from_email = '$config_quote_from_email', config_quote_from_name = '$config_quote_from_name', config_ticket_from_email = '$config_ticket_from_email', config_ticket_from_name = '$config_ticket_from_name' WHERE company_id = 1");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified Mail From settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Mail From Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['test_email_smtp'])) {
validateCSRFToken($_POST['csrf_token']);
$test_email = intval($_POST['test_email']);
if($test_email == 1) {
$email_from = sanitizeInput($config_mail_from_email);
$email_from_name = sanitizeInput($config_mail_from_name);
} elseif ($test_email == 2) {
$email_from = sanitizeInput($config_invoice_from_email);
$email_from_name = sanitizeInput($config_invoice_from_name);
} elseif ($test_email == 3) {
$email_from = sanitizeInput($config_quote_from_email);
$email_from_name = sanitizeInput($config_quote_from_name);
} else {
$email_from = sanitizeInput($config_ticket_from_email);
$email_from_name = sanitizeInput($config_ticket_from_name);
}
$email_to = sanitizeInput($_POST['email_to']);
$subject = "Test email from ITFlow";
$body = "This is a test email from ITFlow. If you are reading this, it worked!";
$data = [
[
'from' => $email_from,
'from_name' => $email_from_name,
'recipient' => $email_to,
'recipient_name' => 'Chap',
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($mysqli, $data);
if ($mail === true) {
$_SESSION['alert_message'] = "Test email queued successfully! <a class='text-bold text-light' href='admin_mail_queue.php'>Check Admin > Mail queue</a>";
} else {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Failed to add test mail to queue";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
// Test IMAP
// Autoload Composer dependencies
// require_once __DIR__ . '/../plugins/php-imap/vendor/autoload.php';
// Webklex PHP-IMAP
//use Webklex\PHPIMAP\ClientManager;
if (isset($_POST['test_email_imap'])) {
/*
validateCSRFToken($_POST['csrf_token']);
try {
// Initialize the client manager and create the client
$clientManager = new ClientManager();
$client = $clientManager->make([
'host' => $config_imap_host,
'port' => $config_imap_port,
'encryption' => $config_imap_encryption,
'validate_cert' => true,
'username' => $config_imap_username,
'password' => $config_imap_password,
'protocol' => 'imap'
]);
// Connect to the IMAP server
$client->connect();
$_SESSION['alert_message'] = "Connected successfully";
} catch (Exception $e) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Test IMAP connection failed: " . $e->getMessage();
}
*/
$_SESSION['alert_message'] = "Test is Work In Progress";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

27
post/admin/admin_settings_module.php Normal file
View File

@@ -0,0 +1,27 @@
<?php
if (isset($_POST['edit_module_settings'])) {
$config_module_enable_itdoc = intval($_POST['config_module_enable_itdoc']);
$config_module_enable_ticketing = intval($_POST['config_module_enable_ticketing']);
$config_module_enable_accounting = intval($_POST['config_module_enable_accounting']);
$config_client_portal_enable = intval($_POST['config_client_portal_enable']);
$config_whitelabel_key = $_POST['config_whitelabel_key'];
mysqli_query($mysqli,"UPDATE settings SET config_module_enable_itdoc = $config_module_enable_itdoc, config_module_enable_ticketing = $config_module_enable_ticketing, config_module_enable_accounting = $config_module_enable_accounting, config_client_portal_enable = $config_client_portal_enable WHERE company_id = 1");
// Validate white label key
if (!empty($config_whitelabel_key && validateWhitelabelKey($config_whitelabel_key))) {
mysqli_query($mysqli, "UPDATE settings SET config_whitelabel_enabled = 1, config_whitelabel_key = '$config_whitelabel_key' WHERE company_id = 1");
} else {
mysqli_query($mysqli, "UPDATE settings SET config_whitelabel_enabled = 0, config_whitelabel_key = '' WHERE company_id = 1");
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified module settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Module Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

38
post/admin/admin_settings_notification.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
if (isset($_POST['edit_notification_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_enable_cron = intval($_POST['config_enable_cron']);
$config_cron_key = sanitizeInput($_POST['config_cron_key']);
$config_enable_alert_domain_expire = intval($_POST['config_enable_alert_domain_expire']);
$config_send_invoice_reminders = intval($_POST['config_send_invoice_reminders']);
$config_recurring_auto_send_invoice = intval($_POST['config_recurring_auto_send_invoice']);
$config_ticket_client_general_notifications = intval($_POST['config_ticket_client_general_notifications']);
mysqli_query($mysqli,"UPDATE settings SET config_send_invoice_reminders = $config_send_invoice_reminders, config_recurring_auto_send_invoice = $config_recurring_auto_send_invoice, config_enable_cron = $config_enable_cron, config_enable_alert_domain_expire = $config_enable_alert_domain_expire, config_ticket_client_general_notifications = $config_ticket_client_general_notifications WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified notification settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Notification Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['generate_cron_key'])) {
$key = randomString(32);
mysqli_query($mysqli,"UPDATE settings SET config_cron_key = '$key' WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name regenerated cron key', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Cron key regenerated!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

24
post/admin/admin_settings_online_payment.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
if (isset($_POST['edit_online_payment_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_stripe_enable = intval($_POST['config_stripe_enable']);
$config_stripe_publishable = sanitizeInput($_POST['config_stripe_publishable']);
$config_stripe_secret = sanitizeInput($_POST['config_stripe_secret']);
$config_stripe_account = intval($_POST['config_stripe_account']);
$config_stripe_expense_vendor = intval($_POST['config_stripe_expense_vendor']);
$config_stripe_expense_category = intval($_POST['config_stripe_expense_category']);
$config_stripe_percentage_fee = floatval($_POST['config_stripe_percentage_fee']) / 100;
$config_stripe_flat_fee = floatval($_POST['config_stripe_flat_fee']);
mysqli_query($mysqli,"UPDATE settings SET config_stripe_enable = $config_stripe_enable, config_stripe_publishable = '$config_stripe_publishable', config_stripe_secret = '$config_stripe_secret', config_stripe_account = $config_stripe_account, config_stripe_expense_vendor = $config_stripe_expense_vendor, config_stripe_expense_category = $config_stripe_expense_category, config_stripe_percentage_fee = $config_stripe_percentage_fee, config_stripe_flat_fee = $config_stripe_flat_fee WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified online payment settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Online Payment Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

19
post/admin/admin_settings_project.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
if (isset($_POST['edit_project_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_project_prefix = sanitizeInput($_POST['config_project_prefix']);
$config_project_next_number = intval($_POST['config_project_next_number']);
mysqli_query($mysqli,"UPDATE settings SET config_project_prefix = '$config_project_prefix', config_project_next_number = $config_project_next_number WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified project settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Project Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

20
post/admin/admin_settings_quote.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
if (isset($_POST['edit_quote_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_quote_prefix = sanitizeInput($_POST['config_quote_prefix']);
$config_quote_next_number = intval($_POST['config_quote_next_number']);
$config_quote_footer = sanitizeInput($_POST['config_quote_footer']);
mysqli_query($mysqli,"UPDATE settings SET config_quote_prefix = '$config_quote_prefix', config_quote_next_number = $config_quote_next_number, config_quote_footer = '$config_quote_footer' WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified quote settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

21
post/admin/admin_settings_security.php Normal file
View File

@@ -0,0 +1,21 @@
<?php
if (isset($_POST['edit_security_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_login_message = sanitizeInput($_POST['config_login_message']);
$config_login_key_required = intval($_POST['config_login_key_required']);
$config_login_key_secret = sanitizeInput($_POST['config_login_key_secret']);
$config_login_remember_me_expire = intval($_POST['config_login_remember_me_expire']);
$config_log_retention = intval($_POST['config_log_retention']);
mysqli_query($mysqli,"UPDATE settings SET config_login_message = '$config_login_message', config_login_key_required = '$config_login_key_required', config_login_key_secret = '$config_login_key_secret', config_login_remember_me_expire = $config_login_remember_me_expire, config_log_retention = $config_log_retention WHERE company_id = 1");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified login key settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Login key settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

18
post/admin/admin_settings_telemetry.php Normal file
View File

@@ -0,0 +1,18 @@
<?php
if (isset($_POST['edit_telemetry_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_telemetry = intval($_POST['config_telemetry']);
mysqli_query($mysqli,"UPDATE settings SET config_telemetry = $config_telemetry WHERE company_id = 1");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified telemetry settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Telemetry Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

55
post/admin/admin_settings_theme.php Normal file
View File

@@ -0,0 +1,55 @@
<?php
if (isset($_POST['edit_theme_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$theme = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['theme']));
mysqli_query($mysqli,"UPDATE settings SET config_theme = '$theme' WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified theme settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Changed theme to <strong>$theme</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_favicon_settings'])) {
validateCSRFToken($_POST['csrf_token']);
// Check to see if a file is attached
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('ico'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// Delete old file
if(file_exists("uploads/favicon.ico")) {
unlink("uploads/favicon.ico");
}
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/";
//Force File Name
$new_file_name = "favicon.ico";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
$_SESSION['alert_message'] = 'File successfully uploaded.';
}else{
$_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name updated the favicon', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "You updated the favicon";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

22
post/admin/admin_settings_ticket.php Normal file
View File

@@ -0,0 +1,22 @@
<?php
if (isset($_POST['edit_ticket_settings'])) {
$config_ticket_prefix = sanitizeInput($_POST['config_ticket_prefix']);
$config_ticket_next_number = intval($_POST['config_ticket_next_number']);
$config_ticket_email_parse = intval($_POST['config_ticket_email_parse']);
$config_ticket_email_parse_unknown_senders = intval($_POST['config_ticket_email_parse_unknown_senders']);
$config_ticket_default_billable = intval($_POST['config_ticket_default_billable']);
$config_ticket_autoclose_hours = intval($_POST['config_ticket_autoclose_hours']);
$config_ticket_new_ticket_notification_email = sanitizeInput($_POST['config_ticket_new_ticket_notification_email']);
mysqli_query($mysqli,"UPDATE settings SET config_ticket_prefix = '$config_ticket_prefix', config_ticket_next_number = $config_ticket_next_number, config_ticket_email_parse = $config_ticket_email_parse, config_ticket_email_parse_unknown_senders = $config_ticket_email_parse_unknown_senders, config_ticket_autoclose_hours = $config_ticket_autoclose_hours, config_ticket_new_ticket_notification_email = '$config_ticket_new_ticket_notification_email', config_ticket_default_billable = $config_ticket_default_billable WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified ticket settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Ticket Settings updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

48
post/admin/admin_software_template.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
// Software/License Templates
// Import shared code from software-side tickets as we reuse functions
require_once 'post/user/software.php';
if (isset($_POST['add_software_template'])) {
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_license_type = '$license_type', software_notes = '$notes', software_template = 1, software_client_id = 0");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software Template', log_action = 'Create', log_description = '$session_user_name created software template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Software template created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_software_template'])) {
$software_id = intval($_POST['software_id']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_license_type = '$license_type', software_notes = '$notes' WHERE software_id = $software_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software Teplate', log_action = 'Modify', log_description = '$session_name modified software template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Software template updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

53
post/admin/admin_tag.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
/*
* ITFlow - GET/POST request handler for tagging
*/
if (isset($_POST['add_tag'])) {
require_once 'post/admin/admin_tag_model.php';
mysqli_query($mysqli,"INSERT INTO tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon'");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Tag', log_action = 'Create', log_description = '$name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Tag added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_tag'])) {
require_once 'post/admin/admin_tag_model.php';
$tag_id = intval($_POST['tag_id']);
mysqli_query($mysqli,"UPDATE tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon' WHERE tag_id = $tag_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Tag', log_action = 'Modify', log_description = '$name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Tag modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_tag'])) {
$tag_id = intval($_GET['delete_tag']);
mysqli_query($mysqli,"DELETE FROM tags WHERE tag_id = $tag_id");
mysqli_query($mysqli,"DELETE FROM client_tags WHERE tag_id = $tag_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Tag', log_action = 'Delete', log_description = '$tag_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Tag deleted";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

5
post/admin/admin_tag_model.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$name = sanitizeInput($_POST['name']);
$type = intval($_POST['type']);
$color = sanitizeInput($_POST['color']);
$icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));

70
post/admin/admin_tax.php Normal file
View File

@@ -0,0 +1,70 @@
<?php
/*
* ITFlow - GET/POST request handler for tax
*/
if (isset($_POST['add_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
mysqli_query($mysqli,"INSERT INTO taxes SET tax_name = '$name', tax_percent = $percent");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Tax', log_action = 'Create', log_description = '$name - $percent', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Tax added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_tax'])) {
validateCSRFToken($_POST['csrf_token']);
$tax_id = intval($_POST['tax_id']);
$name = sanitizeInput($_POST['name']);
$percent = floatval($_POST['percent']);
mysqli_query($mysqli,"UPDATE taxes SET tax_name = '$name', tax_percent = $percent WHERE tax_id = $tax_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Tax', log_action = 'Modify', log_description = '$name - $percent', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Tax modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_tax'])) {
validateCSRFToken($_GET['csrf_token']);
$tax_id = intval($_GET['archive_tax']);
mysqli_query($mysqli,"UPDATE taxes SET tax_archived_at = NOW() WHERE tax_id = $tax_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Tax', log_action = 'Archive', log_description = '$tax_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent'");
$_SESSION['alert_message'] = "Tax Archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_tax'])) {
$tax_id = intval($_GET['delete_tax']);
mysqli_query($mysqli,"DELETE FROM taxes WHERE tax_id = $tax_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Tax', log_action = 'Delete', log_description = '$tax_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Tax deleted";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

57
post/admin/admin_ticket_status.php Normal file
View File

@@ -0,0 +1,57 @@
<?php
if (isset($_POST['add_ticket_status'])) {
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
mysqli_query($mysqli, "INSERT INTO ticket_statuses SET ticket_status_name = '$name', ticket_status_color = '$color'");
$ticket_status_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket Status', log_action = 'Create', log_description = '$session_name created ticket status $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_status_id");
$_SESSION['alert_message'] = "You created Ticket Status <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_status'])) {
$ticket_status_id = intval($_POST['ticket_status_id']);
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
$status = intval($_POST['status']);
mysqli_query($mysqli, "UPDATE ticket_statuses SET ticket_status_name = '$name', ticket_status_color = '$color', ticket_status_active = $status WHERE ticket_status_id = $ticket_status_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket Status', log_action = 'Edit', log_description = '$session_name edited ticket status $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_status_id");
$_SESSION['alert_message'] = "You edited Ticket Status <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_ticket_status'])) {
$ticket_status_id = intval($_GET['delete_ticket_status']);
// Get ticket status name for logging and notification
$sql = mysqli_query($mysqli, "SELECT * FROM ticket_statuses WHERE ticket_status_id = $ticket_status_id");
$row = mysqli_fetch_array($sql);
$ticket_status_name = sanitizeInput($row['ticket_status_name']);
mysqli_query($mysqli, "DELETE FROM ticket_statuses WHERE ticket_status_id = $ticket_status_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket Status', log_action = 'Delete', log_description = '$session_name deleted ticket_status $ticket_status_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_status_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You Deleted Ticket Status <strong>$ticket_status_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

131
post/admin/admin_ticket_template.php Normal file
View File

@@ -0,0 +1,131 @@
<?php
// Ticket Templates
// Import shared code from user-side tickets/tasks as we reuse functions
require_once 'post/user/ticket.php';
require_once 'post/user/task.php';
if (isset($_POST['add_ticket_template'])) {
validateTechRole();
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$subject = sanitizeInput($_POST['subject']);
$details = mysqli_real_escape_string($mysqli, $_POST['details']);
$project_template_id = intval($_POST['project_template']);
mysqli_query($mysqli, "INSERT INTO ticket_templates SET ticket_template_name = '$name', ticket_template_description = '$description', ticket_template_subject = '$subject', ticket_template_details = '$details'");
$ticket_template_id = mysqli_insert_id($mysqli);
if($project_template_id) {
mysqli_query($mysqli, "INSERT INTO project_template_ticket_templates SET project_template_id = $project_template_id, ticket_template_id = $ticket_template_id");
}
// Add Tasks to ticket template
if (!empty($_POST['tasks'])) {
foreach($_POST['tasks'] as $task) {
$task_template_name = sanitizeInput($task);
if (!empty($task_template_name)) {
mysqli_query($mysqli,"INSERT INTO task_templates SET task_template_name = '$task_template_name', task_template_ticket_template_id = $ticket_template_id");
}
}
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket Template', log_action = 'Create', log_description = '$session_name created ticket template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_template_id");
$_SESSION['alert_message'] = "You created Ticket Template <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_template'])) {
validateTechRole();
$ticket_template_id = intval($_POST['ticket_template_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$subject = sanitizeInput($_POST['subject']);
$details = mysqli_real_escape_string($mysqli, $_POST['details']);
mysqli_query($mysqli, "UPDATE ticket_templates SET ticket_template_name = '$name', ticket_template_description = '$description', ticket_template_subject = '$subject', ticket_template_details = '$details' WHERE ticket_template_id = $ticket_template_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket Template', log_action = 'Edit', log_description = '$session_name edited ticket template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_template_id");
$_SESSION['alert_message'] = "You edited Ticket Template <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_ticket_template'])) {
validateTechRole();
$ticket_template_id = intval($_GET['delete_ticket_template']);
// Get ticket template name
$sql = mysqli_query($mysqli, "SELECT * FROM ticket_templates WHERE ticket_template_id = $ticket_template_id");
$row = mysqli_fetch_array($sql);
$ticket_template_name = sanitizeInput($row['ticket_template_name']);
mysqli_query($mysqli, "DELETE FROM ticket_templates WHERE ticket_template_id = $ticket_template_id");
// Delete Associated Tasks
mysqli_query($mysqli, "DELETE FROM task_templates WHERE task_template_ticket_template_id = $ticket_template_id");
// Remove from Associated Project Templates
mysqli_query($mysqli, "DELETE FROM project_template_ticket_templates WHERE ticket_template_id = $ticket_template_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket Template', log_action = 'Delete', log_description = '$session_name deleted ticket template $ticket_template_name and its tasks', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_template_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You Deleted Ticket Template <strong>$ticket_template_name</strong> and its associated tasks";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_ticket_template_task'])) {
validateTechRole();
$ticket_template_id = intval($_POST['ticket_template_id']);
$task_name = sanitizeInput($_POST['task_name']);
mysqli_query($mysqli, "INSERT INTO task_templates SET task_template_name = '$task_name', task_template_ticket_template_id = $ticket_template_id");
$task_template_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task Template', log_action = 'Create', log_description = '$session_name created task template $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $ticket_template_id");
$_SESSION['alert_message'] = "You created Task Template <strong>$task_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_task_template'])) {
validateTechRole();
$task_template_id = intval($_GET['delete_task_template']);
// Get task template name
$sql = mysqli_query($mysqli, "SELECT * FROM task_templates WHERE task_template_id = $task_template_id");
$row = mysqli_fetch_array($sql);
$task_template_name = sanitizeInput($row['task_template_name']);
mysqli_query($mysqli, "DELETE FROM task_templates WHERE task_template_id = $task_template_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task Template', log_action = 'Delete', log_description = '$session_name deleted task template $task_template_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $task_template_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You Deleted Task Template <strong>$task_template_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

377
post/admin/admin_user.php Normal file
View File

@@ -0,0 +1,377 @@
<?php
/*
* ITFlow - GET/POST request handler for user (agent) management
*/
if (isset($_POST['add_user'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'post/admin/admin_user_model.php';
$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password']));
mysqli_query($mysqli, "INSERT INTO users SET user_name = '$name', user_email = '$email', user_password = '$password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext'");
$user_id = mysqli_insert_id($mysqli);
// Add Client Access Permissions if set
if (!empty($_POST['clients'])) {
foreach($_POST['clients'] as $client_id) {
$client_id = intval($client_id);
mysqli_query($mysqli,"INSERT INTO user_permissions SET user_id = $user_id, client_id = $client_id");
}
}
if (!file_exists("uploads/users/$user_id/")) {
mkdir("uploads/users/$user_id");
}
// Check for and process image/photo
$extended_alert_description = '';
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/users/$user_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
// Set Avatar
mysqli_query($mysqli, "UPDATE users SET user_avatar = '$new_file_name' WHERE user_id = $user_id");
$extended_alert_description = '. File successfully uploaded.';
} else {
$_SESSION['alert_type'] = "error";
$extended_alert_description = '. Error uploading photo. Check upload directory is writable/correct file type/size';
}
}
// Create Settings
mysqli_query($mysqli, "INSERT INTO user_settings SET user_id = $user_id, user_role = $role, user_config_force_mfa = $force_mfa");
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = sanitizeInput($row['company_name']);
// Sanitize Config vars from get_settings.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_ticket_from_email = sanitizeInput($config_ticket_from_email);
$config_login_key_secret = mysqli_real_escape_string($mysqli, $config_login_key_secret);
$config_base_url = sanitizeInput($config_base_url);
// Send user e-mail, if specified
if (isset($_POST['send_email']) && !empty($config_smtp_host) && filter_var($email, FILTER_VALIDATE_EMAIL)) {
$password = mysqli_real_escape_string($mysqli, $_POST['password']);
$subject = "Your new $company_name ITFlow account";
$body = "Hello $name,<br><br>An ITFlow account has been setup for you. Please change your password upon login. <br><br>Username: $email <br>Password: $password<br>Login URL: https://$config_base_url/login.php?key=$config_login_key_secret<br><br>--<br>$company_name - Support<br>$config_ticket_from_email";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $email,
'recipient_name' => $name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($mysqli, $data);
if ($mail !== true) {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email'");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
}
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Create', log_description = '$session_name created user $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
$_SESSION['alert_message'] = "User <strong>$name</strong> created" . $extended_alert_description;
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_user'])) {
validateCSRFToken($_POST['csrf_token']);
require_once 'post/admin/admin_user_model.php';
$user_id = intval($_POST['user_id']);
$new_password = trim($_POST['new_password']);
// Update Client Access
mysqli_query($mysqli,"DELETE FROM user_permissions WHERE user_id = $user_id");
if (!empty($_POST['clients'])) {
foreach($_POST['clients'] as $client_id) {
$client_id = intval($client_id);
mysqli_query($mysqli,"INSERT INTO user_permissions SET user_id = $user_id, client_id = $client_id");
}
}
// Get current Avatar
$sql = mysqli_query($mysqli, "SELECT user_avatar FROM users WHERE user_id = $user_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['user_avatar']);
$extended_log_description = '';
if (!empty($_POST['2fa'])) {
$two_fa = $_POST['2fa'];
}
if (!file_exists("uploads/users/$user_id/")) {
mkdir("uploads/users/$user_id");
}
// Check for and process image/photo
$extended_alert_description = '';
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/users/$user_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
// Delete old file
unlink("uploads/users/$user_id/$existing_file_name");
// Set Avatar
mysqli_query($mysqli, "UPDATE users SET user_avatar = '$new_file_name' WHERE user_id = $user_id");
$extended_alert_description = '. File successfully uploaded.';
} else {
$_SESSION['alert_type'] = "error";
$extended_alert_description = '. Error uploading photo. Check upload directory is writable/correct file type/size';
}
}
mysqli_query($mysqli, "UPDATE users SET user_name = '$name', user_email = '$email' WHERE user_id = $user_id");
if (!empty($new_password)) {
$new_password = password_hash($new_password, PASSWORD_DEFAULT);
$user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['new_password']));
mysqli_query($mysqli, "UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $user_id");
//Extended Logging
$extended_log_description .= ", password changed";
}
if (!empty($two_fa) && $two_fa == 'disable') {
mysqli_query($mysqli, "UPDATE users SET user_token = '' WHERE user_id = '$user_id'");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name disabled 2FA for $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
}
//Update User Settings
mysqli_query($mysqli, "UPDATE user_settings SET user_role = $role, user_config_force_mfa = $force_mfa WHERE user_id = $user_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name modified user $name $extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
$_SESSION['alert_message'] = "User <strong>$name</strong> updated" . $extended_alert_description;
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['activate_user'])) {
validateCSRFToken($_GET['csrf_token']);
$user_id = intval($_GET['activate_user']);
// Get User Name
$sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id");
$row = mysqli_fetch_array($sql);
$user_name = sanitizeInput($row['user_name']);
mysqli_query($mysqli, "UPDATE users SET user_status = 1 WHERE user_id = $user_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name activated user $user_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
$_SESSION['alert_message'] = "User <strong>$user_name</strong> activated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['disable_user'])) {
validateCSRFToken($_GET['csrf_token']);
$user_id = intval($_GET['disable_user']);
// Get User Name
$sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id");
$row = mysqli_fetch_array($sql);
$user_name = sanitizeInput($row['user_name']);
mysqli_query($mysqli, "UPDATE users SET user_status = 0 WHERE user_id = $user_id");
// Un-assign tickets
mysqli_query($mysqli, "UPDATE tickets SET ticket_assigned_to = 0 WHERE ticket_assigned_to = $user_id AND ticket_closed_at IS NULL");
mysqli_query($mysqli, "UPDATE scheduled_tickets SET scheduled_ticket_assigned_to = 0 WHERE scheduled_ticket_assigned_to = $user_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name disabled user $user_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "User <strong>$user_name</strong> disabled";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['revoke_remember_me'])) {
validateCSRFToken($_GET['csrf_token']);
$user_id = intval($_GET['revoke_remember_me']);
// Get User Name
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id"));
$user_name = sanitizeInput($row['user_name']);
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $user_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name revoked all remember me tokens for user $user_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "User <strong>$user_name</strong> remember me tokens revoked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_user'])) {
validateCSRFToken($_GET['csrf_token']);
// Variables from GET
$user_id = intval($_GET['archive_user']);
$password = password_hash(randomString(), PASSWORD_DEFAULT);
// Get user details
$sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $user_id");
$row = mysqli_fetch_array($sql);
$name = sanitizeInput($row['user_name']);
// Archive user query
mysqli_query($mysqli, "UPDATE users SET user_name = '$name (archived)', user_password = '$password', user_status = 0, user_specific_encryption_ciphertext = '', user_archived_at = NOW() WHERE user_id = $user_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Archive', log_description = '$session_name archived user $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "User <strong>$name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_users_csv'])) {
//get records from database
$sql = mysqli_query($mysqli, "SELECT * FROM users ORDER BY user_name ASC");
if ($sql->num_rows > 0) {
$delimiter = ", ";
$filename = $session_company_name . "-Users-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Email', 'Role', 'Status', 'Creation Date');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$user_status = intval($row['user_status']);
if ($user_status == 2) {
$user_status_display = "Invited";
} elseif ($user_status == 1) {
$user_status_display = "Active";
} else{
$user_status_display = "Disabled";
}
$user_role = $row['user_role'];
if ($user_role == 3) {
$user_role_display = "Administrator";
} elseif ($user_role == 2) {
$user_role_display = "Technician";
} else {
$user_role_display = "Accountant";
}
$lineData = array($row['user_name'], $row['user_email'], $user_role_display, $user_status_display, $row['user_created_at']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
exit;
}
if (isset($_POST['ir_reset_user_password'])) {
// Incident response: allow mass reset of agent passwords
validateCSRFToken($_POST['csrf_token']);
// Confirm logged-in user password, for security
$admin_password = $_POST['admin_password'];
$sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $session_user_id");
$userRow = mysqli_fetch_array($sql);
if (!password_verify($admin_password, $userRow['user_password'])) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Incorrect password.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
// Get agents/users, other than the current user
$sql_users = mysqli_query($mysqli, "SELECT * FROM users WHERE (user_archived_at IS NULL AND user_id != $session_user_id)");
// Reset passwords
while ($row = mysqli_fetch_array($sql_users)) {
$user_id = intval($row['user_id']);
$user_email = sanitizeInput($row['user_email']);
$new_password = randomString();
$user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($new_password));
echo $user_email . " -- " . $new_password; // Show
$new_password = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $user_id");
echo "<br><br>";
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name reset ALL user passwords', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
exit; // Stay on the plain text password page
}

5
post/admin/admin_user_model.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$name = sanitizeInput($_POST['name']);
$email = sanitizeInput($_POST['email']);
$role = intval($_POST['role']);
$force_mfa = intval($_POST['force_mfa']);

116
post/admin/admin_vendor_template.php Normal file
View File

@@ -0,0 +1,116 @@
<?php
// Vendor Templates
// Import shared code from user-side vendor management as we reuse functions
require_once 'post/user/vendor.php';
if (isset($_POST['add_vendor_template'])) {
require_once 'post/user/vendor_model.php';
mysqli_query($mysqli,"INSERT INTO vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code', vendor_account_number = '$account_number', vendor_notes = '$notes', vendor_template = 1, vendor_client_id = 0");
$vendor_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor Template', log_action = 'Create', log_description = '$session_name created vendor template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Vendor template <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_vendor_template'])) {
require_once 'post/user/vendor_model.php';
$vendor_id = intval($_POST['vendor_id']);
$vendor_template_id = intval($_POST['vendor_template_id']);
if ($_POST['global_update_vendor_name'] == 1) {
$sql_global_update_vendor_name = ", vendor_name = '$name'";
} else {
$sql_global_update_vendor_name = "";
}
if ($_POST['global_update_vendor_description'] == 1) {
$sql_global_update_vendor_description = ", vendor_description = '$description'";
} else {
$sql_global_update_vendor_description = "";
}
if ($_POST['global_update_vendor_account_number'] == 1) {
$sql_global_update_vendor_account_number = ", vendor_account_number = '$account_number'";
} else {
$sql_global_update_vendor_account_number = "";
}
if ($_POST['global_update_vendor_contact_name'] == 1) {
$sql_global_update_vendor_contact_name = ", vendor_contact_name = '$contact_name'";
} else {
$sql_global_update_vendor_contact_name = "";
}
if ($_POST['global_update_vendor_phone'] == 1) {
$sql_global_update_vendor_phone = ", vendor_phone = '$phone', vendor_extension = '$extension'";
} else {
$sql_global_update_vendor_phone = "";
}
if ($_POST['global_update_vendor_hours'] == 1) {
$sql_global_update_vendor_hours = ", vendor_hours = '$hours'";
} else {
$sql_global_update_vendor_hours = "";
}
if ($_POST['global_update_vendor_email'] == 1) {
$sql_global_update_vendor_email = ", vendor_email = '$email'";
} else {
$sql_global_update_vendor_email = "";
}
if ($_POST['global_update_vendor_website'] == 1) {
$sql_global_update_vendor_website = ", vendor_website = '$website'";
} else {
$sql_global_update_vendor_website = "";
}
if ($_POST['global_update_vendor_sla'] == 1) {
$sql_global_update_vendor_sla = ", vendor_sla = '$sla'";
} else {
$sql_global_update_vendor_sla = "";
}
if ($_POST['global_update_vendor_code'] == 1) {
$sql_global_update_vendor_code = ", vendor_code = '$code'";
} else {
$sql_global_update_vendor_code = "";
}
if ($_POST['global_update_vendor_notes'] == 1) {
$sql_global_update_vendor_notes = ", vendor_notes = '$notes'";
} else {
$sql_global_update_vendor_notes = "";
}
// Update just the template
mysqli_query($mysqli,"UPDATE vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code', vendor_account_number = '$account_number', vendor_notes = '$notes' WHERE vendor_id = $vendor_id");
if ($_POST['update_base_vendors'] == 1) {
// Update client related vendors if anything is checked
$sql = "$sql_global_update_vendor_name $sql_global_update_vendor_description $sql_global_update_vendor_account_number $sql_global_update_vendor_contact_name $sql_global_update_vendor_phone $sql_global_update_vendor_hours $sql_global_update_vendor_email $sql_global_update_vendor_website $sql_global_update_vendor_sla $sql_global_update_vendor_code $sql_global_update_vendor_notes";
// Remove the first comma to prevent MySQL error
$sql = preg_replace('/,/', '', $sql, 1);
mysqli_query($mysqli,"UPDATE vendors SET $sql WHERE vendor_template_id = $vendor_id");
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor Template', log_action = 'Modify', log_description = '$session_name modified vendor template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Vendor template <strong>$name</strong> modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

26
post/admin/edit_ai_settings.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
if (isset($_POST['edit_ai_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$provider = sanitizeInput($_POST['provider']);
if($provider){
$ai_enable = 1;
} else {
$ai_enable = 0;
}
$model = sanitizeInput($_POST['model']);
$url = sanitizeInput($_POST['url']);
$api_key = sanitizeInput($_POST['api_key']);
mysqli_query($mysqli,"UPDATE settings SET config_ai_enable = $ai_enable, config_ai_provider = '$provider', config_ai_model = '$model', config_ai_url = '$url', config_ai_api_key = '$api_key' WHERE company_id = 1");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Edit', log_description = '$session_name edited AI settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "You updated the AI Settings";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}