AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-02-28 02:44:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor POST handling.

Browse Source 
- Split into admin and user handlers, each admin page gets its own file now
- Enforce role access once for admin POST requests
- Automatically load POST logic for admin-based requests based on the referring page, otherwise automatically load all user request logic
- Add support for using custom POST handlers
This commit is contained in:
Marcus Hill
2024-09-29 19:02:28 +01:00
parent 635b1f903a
commit 6363d265ca
127 changed files with 1888 additions and 1901 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
post/user/account.php Normal file
View File

@@ -0,0 +1,73 @@
<?php
/*
* ITFlow - GET/POST request handler for account(s) (accounting related)
*/
if (isset($_POST['add_account'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$opening_balance = floatval($_POST['opening_balance']);
$currency_code = sanitizeInput($_POST['currency_code']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO accounts SET account_name = '$name', opening_balance = $opening_balance, account_currency_code = '$currency_code', account_notes = '$notes'");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Account', log_action = 'Create', log_description = '$name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Account added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_account'])) {
validateCSRFToken($_POST['csrf_token']);
$account_id = intval($_POST['account_id']);
$name = sanitizeInput($_POST['name']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_notes = '$notes' WHERE account_id = $account_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Account', log_action = 'Modify', log_description = '$name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Account modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_account'])) {
validateCSRFToken($_GET['csrf_token']);
$account_id = intval($_GET['archive_account']);
mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Account', log_action = 'Archive', log_description = '$account_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent'");
$_SESSION['alert_message'] = "Account Archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
// Not used anywhere?
if (isset($_GET['delete_account'])) {
$account_id = intval($_GET['delete_account']);
mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Account', log_action = 'Delete', log_description = '$account_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Account deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

815
post/user/asset.php Normal file
View File

@@ -0,0 +1,815 @@
<?php
/*
* ITFlow - GET/POST request handler for client assets
*/
if (isset($_POST['add_asset'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$make = sanitizeInput($_POST['make']);
$model = sanitizeInput($_POST['model']);
$serial = sanitizeInput($_POST['serial']);
$os = sanitizeInput($_POST['os']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$nat_ip = sanitizeInput($_POST['nat_ip']);
$mac = sanitizeInput($_POST['mac']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$status = sanitizeInput($_POST['status']);
$location = intval($_POST['location']);
$physical_location = sanitizeInput($_POST['physical_location']);
$vendor = intval($_POST['vendor']);
$contact = intval($_POST['contact']);
$network = intval($_POST['network']);
$purchase_date = sanitizeInput($_POST['purchase_date']);
if (empty($purchase_date)) {
$purchase_date = "NULL";
} else {
$purchase_date = "'" . $purchase_date . "'";
}
$warranty_expire = sanitizeInput($_POST['warranty_expire']);
if (empty($warranty_expire)) {
$warranty_expire = "NULL";
} else {
$warranty_expire = "'" . $warranty_expire . "'";
}
$install_date = sanitizeInput($_POST['install_date']);
if (empty($install_date)) {
$install_date = "NULL";
} else {
$install_date = "'" . $install_date . "'";
}
$notes = sanitizeInput($_POST['notes']);
$alert_extended = "";
mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_description = '$description', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_uri = '$uri', asset_uri_2 = '$uri_2', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_status = '$status', asset_purchase_date = $purchase_date, asset_warranty_expire = $warranty_expire, asset_install_date = $install_date, asset_physical_location = '$physical_location', asset_notes = '$notes', asset_client_id = $client_id");
$asset_id = mysqli_insert_id($mysqli);
// Add Photo
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE assets SET asset_photo = '$new_file_name' WHERE asset_id = $asset_id");
}
}
// Add Primary Interface
mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = 'Primary', interface_mac = '$mac', interface_ip = '$ip', interface_nat_ip = '$nat_ip', interface_ipv6 = '$ipv6', interface_port = 'eth0', interface_primary = 1, interface_network_id = $network, interface_asset_id = $asset_id");
if (!empty($_POST['username'])) {
$username = trim(mysqli_real_escape_string($mysqli, encryptLoginEntry($_POST['username'])));
$password = trim(mysqli_real_escape_string($mysqli, encryptLoginEntry($_POST['password'])));
mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_username = '$username', login_password = '$password', login_asset_id = $asset_id, login_client_id = $client_id");
$login_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Create', log_description = '$session_name created login credentials for asset $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$alert_extended = " along with login credentials";
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Create', log_description = '$session_name created asset $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_message'] = "Asset <strong>$name</strong> created $alert_extended";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_asset'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$asset_id = intval($_POST['asset_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$make = sanitizeInput($_POST['make']);
$model = sanitizeInput($_POST['model']);
$serial = sanitizeInput($_POST['serial']);
$os = sanitizeInput($_POST['os']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$nat_ip = sanitizeInput($_POST['nat_ip']);
$mac = sanitizeInput($_POST['mac']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$status = sanitizeInput($_POST['status']);
$location = intval($_POST['location']);
$physical_location = sanitizeInput($_POST['physical_location']);
$vendor = intval($_POST['vendor']);
$contact = intval($_POST['contact']);
$network = intval($_POST['network']);
$purchase_date = sanitizeInput($_POST['purchase_date']);
if (empty($purchase_date)) {
$purchase_date = "NULL";
} else {
$purchase_date = "'" . $purchase_date . "'";
}
$warranty_expire = sanitizeInput($_POST['warranty_expire']);
if (empty($warranty_expire)) {
$warranty_expire = "NULL";
} else {
$warranty_expire = "'" . $warranty_expire . "'";
}
$install_date = sanitizeInput($_POST['install_date']);
if (empty($install_date)) {
$install_date = "NULL";
} else {
$install_date = "'" . $install_date . "'";
}
$notes = sanitizeInput($_POST['notes']);
// Get Existing Photo
$sql = mysqli_query($mysqli,"SELECT asset_photo FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['asset_photo']);
mysqli_query($mysqli,"UPDATE assets SET asset_name = '$name', asset_description = '$description', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_uri = '$uri', asset_uri_2 = '$uri_2', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_status = '$status', asset_purchase_date = $purchase_date, asset_warranty_expire = $warranty_expire, asset_install_date = $install_date, asset_physical_location = '$physical_location', asset_notes = '$notes' WHERE asset_id = $asset_id");
$sql_interfaces = mysqli_query($mysqli, "SELECT * FROM asset_interfaces WHERE interface_asset_id = $asset_id AND interface_primary = 1");
if(mysqli_num_rows($sql_interfaces) == 0 ) {
// Add Primary Interface
mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = 'Primary', interface_mac = '$mac', interface_ip = '$ip', interface_nat_ip = '$nat_ip', interface_ipv6 = '$ipv6', interface_port = 'eth0', interface_primary = 1, interface_network_id = $network, interface_asset_id = $asset_id");
} else {
// Update Primary Interface
mysqli_query($mysqli,"UPDATE asset_interfaces SET interface_mac = '$mac', interface_ip = '$ip', interface_nat_ip = '$nat_ip', interface_ipv6 = '$ipv6', interface_network_id = $network WHERE interface_asset_id = $asset_id AND interface_primary = 1");
}
// Update Photo
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
// Set directory in which the uploaded file will be moved
$file_tmp_path = $_FILES['file']['tmp_name'];
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
//Delete old file
unlink("uploads/clients/$client_id/$existing_file_name");
mysqli_query($mysqli,"UPDATE assets SET asset_photo = '$new_file_name' WHERE asset_id = $asset_id");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Modify', log_description = '$session_name modified asset $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_message'] = "Asset <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['change_client_asset'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$current_asset_id = intval($_POST['current_asset_id']);
$new_client_id = intval($_POST['new_client_id']);
// Get Asset details and current client ID/Name for logging
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT asset_name, asset_notes, asset_client_id, client_name FROM assets LEFT JOIN clients ON client_id = asset_client_id WHERE asset_id = $current_asset_id"));
$asset_name = sanitizeInput($row['asset_name']);
$asset_notes = sanitizeInput($row['asset_notes']);
$current_client_id = intval($row['asset_client_id']);
$current_client_name = sanitizeInput($row['client_name']);
// Get new client name for logging
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $new_client_id"));
$new_client_name = sanitizeInput($row['client_name']);
// Create new asset
mysqli_query($mysqli, "
INSERT INTO assets (asset_type, asset_name, asset_description, asset_make, asset_model, asset_serial, asset_os, asset_status, asset_purchase_date, asset_warranty_expire, asset_install_date, asset_notes, asset_important)
SELECT asset_type, asset_name, asset_description, asset_make, asset_model, asset_serial, asset_os, asset_status, asset_purchase_date, asset_warranty_expire, asset_install_date, asset_notes, asset_important
FROM assets
WHERE asset_id = $current_asset_id
");
$new_asset_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli, "UPDATE assets SET asset_client_id = $new_client_id WHERE asset_id = $new_asset_id");
// Archive/log the current asset
$notes = $asset_notes . "\r\n\r\n---\r\n* " . date('Y-m-d H:i:s') . ": Transferred asset $asset_name (old asset ID: $current_asset_id) from $current_client_name to $new_client_name (new asset ID: $new_asset_id)";
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NOW() WHERE asset_id = $current_asset_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Archive', log_description = '$session_name archived asset $asset_name (via transfer)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $current_client_id, log_user_id = $session_user_id, log_entity_id = $current_asset_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Transfer', log_description = 'Transferred asset $asset_name (old asset ID: $current_asset_id) from $current_client_name to $new_client_name (new asset ID: $new_asset_id)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $current_client_id, log_user_id = $session_user_id, log_entity_id = $current_asset_id");
mysqli_query($mysqli, "UPDATE assets SET asset_notes = '$notes' WHERE asset_id = $current_asset_id");
// Log the new asset
$notes = $asset_notes . "\r\n\r\n---\r\n* " . date('Y-m-d H:i:s') . ": Transferred asset $asset_name (old asset ID: $current_asset_id) from $current_client_name to $new_client_name (new asset ID: $new_asset_id)";
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Create', log_description = '$session_name created asset $name (via transfer)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $new_client_id, log_user_id = $session_user_id, log_entity_id = $new_asset_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Transfer', log_description = 'Transferred asset $asset_name (old asset ID: $current_asset_id) from $current_client_name to $new_client_name (new asset ID: $new_asset_id)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $new_client_id, log_user_id = $session_user_id, log_entity_id = $new_asset_id");
mysqli_query($mysqli, "UPDATE assets SET asset_notes = '$notes' WHERE asset_id = $new_asset_id");
$_SESSION['alert_message'] = "Asset <strong>$name</strong> transferred";
header("Location: client_assets.php?client_id=$new_client_id&asset_id=$new_asset_id");
}
if (isset($_GET['archive_asset'])) {
validateCSRFToken($_GET['csrf_token']);
validateTechRole();
$asset_id = intval($_GET['archive_asset']);
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NOW() WHERE asset_id = $asset_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Archive', log_description = '$session_name archived asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_asset'])) {
validateCSRFToken($_GET['csrf_token']);
validateTechRole();
$asset_id = intval($_GET['unarchive_asset']);
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NULL WHERE asset_id = $asset_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Unarchive', log_description = '$session_name Unarchived asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> Unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_asset'])) {
validateCSRFToken($_GET['csrf_token']);
validateAdminRole();
$asset_id = intval($_GET['delete_asset']);
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"DELETE FROM assets WHERE asset_id = $asset_id");
// Delete Interfaces
mysqli_query($mysqli,"DELETE FROM asset_interfaces WHERE interface_asset_id = $asset_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Delete', log_description = '$session_name deleted asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_asset_location'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$location_id = intval($_POST['bulk_location_id']);
// Get Location name and client id for logging and Notification
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
// Get Selected Contacts Count
$asset_count = count($_POST['asset_ids']);
// Assign Location to Selected Contacts
if (!empty($_POST['asset_ids'])) {
foreach($_POST['asset_ids'] as $asset_id) {
$asset_id = intval($asset_id);
// Get Asset Details for Logging
$sql = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
mysqli_query($mysqli,"UPDATE assets SET asset_location_id = $location_id WHERE asset_id = $asset_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Modify', log_description = '$session_name assigned $asset_name to Location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You assigned <b>$asset_count</b> assets to location <b>$location_name</b>";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_asset_contact'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$contact_id = intval($_POST['bulk_contact_id']);
// Get Contact name and client id for logging and Notification
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
// Get Selected Contacts Count
$asset_count = count($_POST['asset_ids']);
// Assign Contact to Selected Assets
if (!empty($_POST['asset_ids'])) {
foreach($_POST['asset_ids'] as $asset_id) {
$asset_id = intval($asset_id);
// Get Asset Details for Logging
$sql = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
mysqli_query($mysqli,"UPDATE assets SET asset_contact_id = $contact_id WHERE asset_id = $asset_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Modify', log_description = '$session_name assigned $asset_name to contact $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
} // End Assign Contact Loop
$_SESSION['alert_message'] = "You assigned <b>$asset_count</b> assets to contact <b>$contact_name</b>";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_asset_status'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$status = sanitizeInput($_POST['bulk_status']);
// Get Selected Contacts Count
$asset_count = count($_POST['asset_ids']);
// Assign Contact to Selected Assets
if (!empty($_POST['asset_ids'])) {
foreach($_POST['asset_ids'] as $asset_id) {
$asset_id = intval($asset_id);
// Get Asset Details for Logging
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"UPDATE assets SET asset_status = '$status' WHERE asset_id = $asset_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Modify', log_description = '$session_name set status $status on $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
} // End Assign Contact Loop
$_SESSION['alert_message'] = "You set the status <b>$status</b> on <b>$asset_count</b> assets.";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_assets'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$count = 0; // Default 0
$asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
if (!empty($asset_ids)) {
// Cycle through array and delete each network
foreach ($asset_ids as $asset_id) {
$asset_id = intval($asset_id);
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NOW() WHERE asset_id = $asset_id");
// Individual Asset logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Archive', log_description = '$session_name archived asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Archive', log_description = '$session_name archived $count assets', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived $count asset(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_assets'])) {
validateCSRFToken($_POST['csrf_token']);
validateAdminRole();
$count = 0; // Default 0
$asset_ids = $_POST['asset_ids']; // Get array of asset IDs to be deleted
if (!empty($asset_ids)) {
// Cycle through array and delete each network
foreach ($asset_ids as $asset_id) {
$asset_id = intval($asset_id);
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"UPDATE assets SET asset_archived_at = NULL WHERE asset_id = $asset_id");
// Individual Asset logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Unarchive', log_description = '$session_name Unarchived asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Unarchive', log_description = '$session_name Unarchived $count assets', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Unarchived $count asset(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST["import_client_assets_csv"])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$client_id = intval($_POST['client_id']);
$file_name = $_FILES["file"]["tmp_name"];
$error = false;
//Check file is CSV
$file_extension = strtolower(end(explode('.',$_FILES['file']['name'])));
$allowed_file_extensions = array('csv');
if (in_array($file_extension,$allowed_file_extensions) === false) {
$error = true;
$_SESSION['alert_message'] = "Bad file extension";
}
//Check file isn't empty
elseif ($_FILES["file"]["size"] < 1) {
$error = true;
$_SESSION['alert_message'] = "Bad file size (empty?)";
}
//(Else)Check column count (name, desc, type, make, model, serial, os, assigned to, location)
$f = fopen($file_name, "r");
$f_columns = fgetcsv($f, 1000, ",");
if (!$error & count($f_columns) != 9) {
$error = true;
$_SESSION['alert_message'] = "Bad column count.";
}
//Else, parse the file
if (!$error) {
$file = fopen($file_name, "r");
fgetcsv($file, 1000, ","); // Skip first line
$row_count = 0;
$duplicate_count = 0;
while(($column = fgetcsv($file, 1000, ",")) !== false) {
// Default variables (if undefined)
$description = $type = $make = $model = $serial = $os = '';
$contact_id = $location_id = 0;
$duplicate_detect = 0;
if (isset($column[0])) {
$name = sanitizeInput($column[0]);
if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id = $client_id")) > 0) {
$duplicate_detect = 1;
}
}
if (!empty($column[1])) {
$description = sanitizeInput($column[1]);
}
if (!empty($column[2])) {
$type = sanitizeInput($column[2]);
}
if (!empty($column[3])) {
$make = sanitizeInput($column[3]);
}
if (!empty($column[4])) {
$model = sanitizeInput($column[4]);
}
if (!empty($column[5])) {
$serial = sanitizeInput($column[5]);
}
if (!empty($column[6])) {
$os = sanitizeInput($column[6]);
}
if (!empty($column[7])) {
$contact = sanitizeInput($column[7]);
if ($contact) {
$sql_contact = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_name = '$contact' AND contact_client_id = $client_id");
$row = mysqli_fetch_assoc($sql_contact);
$contact_id = intval($row['contact_id']);
}
}
if (!empty($column[8])) {
$location = sanitizeInput($column[8]);
if ($location) {
$sql_location = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_name = '$location' AND location_client_id = $client_id");
$row = mysqli_fetch_assoc($sql_location);
$location_id = intval($row['location_id']);
}
}
// Check if duplicate was detected
if ($duplicate_detect == 0) {
//Add
mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_description = '$description', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_contact_id = $contact_id, asset_location_id = $location_id, asset_client_id = $client_id");
$asset_id = mysqli_insert_id($mysqli);
// Add Primary Interface
mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = 'Primary', interface_port = 'eth0', interface_primary = 1, interface_asset_id = $asset_id");
$row_count = $row_count + 1;
} else {
$duplicate_count = $duplicate_count + 1;
}
}
fclose($file);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Import', log_description = '$session_name imported $row_count asset(s) via CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "$row_count Asset(s) added, $duplicate_count duplicate(s) detected";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//Check for any errors, if there are notify user and redirect
if ($error) {
$_SESSION['alert_type'] = "warning";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_GET['download_client_assets_csv_template'])) {
$client_id = intval($_GET['download_client_assets_csv_template']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Assets-Template.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Type', 'Make', 'Model', 'Serial', 'OS', 'Assigned To', 'Location');
fputcsv($f, $fields, $delimiter);
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
exit;
}
if (isset($_POST['export_client_assets_csv'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM assets LEFT JOIN contacts ON asset_contact_id = contact_id LEFT JOIN locations ON asset_location_id = location_id LEFT JOIN asset_interfaces ON interface_asset_id = asset_id AND interface_primary = 1 LEFT JOIN clients ON asset_client_id = client_id WHERE asset_client_id = $client_id AND asset_archived_at IS NULL ORDER BY asset_name ASC");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Assets-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Type', 'Make', 'Model', 'Serial Number', 'Operating System', 'Purchase Date', 'Warranty Expire', 'Install Date', 'Assigned To', 'Location', 'Notes');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_array($sql)) {
$lineData = array($row['asset_name'], $row['asset_description'], $row['asset_type'], $row['asset_make'], $row['asset_model'], $row['asset_serial'], $row['asset_os'], $row['asset_purchase_date'], $row['asset_warranty_expire'], $row['asset_install_date'], $row['contact_name'], $row['location_name'], $row['asset_notes']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Export', log_description = '$session_name exported $num_rows asset(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}
if (isset($_POST['add_asset_interface'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$asset_id = intval($_POST['asset_id']);
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
$name = sanitizeInput($_POST['name']);
$mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$port = sanitizeInput($_POST['port']);
$network = intval($_POST['network']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO asset_interfaces SET interface_name = '$name', interface_mac = '$mac', interface_ip = '$ip', interface_ipv6 = '$ipv6', interface_port = '$port', interface_notes = '$notes', interface_network_id = $network, interface_asset_id = $asset_id");
$interface_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Interface', log_action = 'Create', log_description = '$session_name created interface $name for asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_message'] = "Interface <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_asset_interface'])) {
validateCSRFToken($_POST['csrf_token']);
validateTechRole();
$interface_id = intval($_POST['interface_id']);
// Get Asset Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT asset_name, asset_client_id, asset_id FROM asset_interfaces LEFT JOIN assets ON asset_id = interface_asset_id WHERE interface_id = $interface_id");
$row = mysqli_fetch_array($sql);
$asset_id = intval($row['asset_id']);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
$name = sanitizeInput($_POST['name']);
$mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']);
if($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$port = sanitizeInput($_POST['port']);
$network = intval($_POST['network']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE asset_interfaces SET interface_name = '$name', interface_mac = '$mac', interface_ip = '$ip', interface_ipv6 = '$ipv6', interface_port = '$port', interface_notes = '$notes', interface_network_id = $network WHERE interface_id = $interface_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Interface', log_action = 'Create', log_description = '$session_name edited interface $name for asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_message'] = "Interface <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_asset_interface'])) {
validateCSRFToken($_GET['csrf_token']);
validateAdminRole();
$interface_id = intval($_GET['delete_asset_interface']);
$sql = mysqli_query($mysqli,"SELECT asset_name, interface_name, asset_client_id, asset_id FROM asset_interfaces LEFT JOIN assets ON asset_id = interface_asset_id WHERE interface_id = $interface_id");
$row = mysqli_fetch_array($sql);
$asset_id = intval($row['asset_id']);
$interface_name = sanitizeInput($row['interface_name']);
$asset_name = sanitizeInput($row['asset_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"DELETE FROM asset_interfaces WHERE interface_id = $interface_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Interface', log_action = 'Delete', log_description = '$session_name deleted interface $interface_name from asset $asset_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Interface <strong>$interface_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

52
post/user/budget.php Normal file
View File

@@ -0,0 +1,52 @@
<?php
/*
* ITFlow - GET/POST request handler for budget
*/
if (isset($_POST['save_budget'])) {
$budgets = $_POST['budget'];
$year = intval($_POST['year']);
foreach ($budgets as $category_id => $months) {
foreach ($months as $month => $amount) {
$amount = (int)$amount;
// Check if budget exists
$query = "SELECT * FROM budget WHERE budget_category_id = $category_id AND budget_month = $month AND budget_year = $year";
$result = mysqli_query($mysqli, $query);
if (mysqli_num_rows($result) > 0) {
// Update existing budget
$query = "UPDATE budget SET budget_amount = $amount WHERE budget_category_id = $category_id AND budget_month = $month AND budget_year = $year";
} else {
// Insert new budget
$query = "INSERT INTO budget SET budget_category_id = $category_id, budget_month = $month, budget_year = $year, budget_amount = $amount";
}
mysqli_query($mysqli, $query);
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Budget', log_action = 'Edit', log_description = '$session_name updated the budget for $year', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Budget Updated for $year";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
if (isset($_POST['delete_budget'])) {
$year = intval($_POST['year']);
mysqli_query($mysqli,"DELETE FROM budget WHERE budget_year = $year");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Budget', log_action = 'Delete', log_description = '$session_name deleted the budget for $year', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Budget deleted for $year";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

219
post/user/certificate.php Normal file
View File

@@ -0,0 +1,219 @@
<?php
/*
* ITFlow - GET/POST request handler for client SSL certificates
*/
if (isset($_POST['add_certificate'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$domain = sanitizeInput($_POST['domain']);
$issued_by = sanitizeInput($_POST['issued_by']);
$expire = sanitizeInput($_POST['expire']);
$public_key = sanitizeInput($_POST['public_key']);
$notes = sanitizeInput($_POST['notes']);
$domain_id = intval($_POST['domain_id']);
// Parse public key data for a manually provided public key
if (!empty($public_key) && (empty($expire) && empty($issued_by))) {
// Parse the public certificate key. If successful, set attributes from the certificate
$public_key_obj = openssl_x509_parse($_POST['public_key']);
if ($public_key_obj) {
$expire = date('Y-m-d', $public_key_obj['validTo_time_t']);
$issued_by = sanitizeInput($public_key_obj['issuer']['O']);
}
}
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
mysqli_query($mysqli,"INSERT INTO certificates SET certificate_name = '$name', certificate_description = '$description', certificate_domain = '$domain', certificate_issued_by = '$issued_by', certificate_expire = $expire, certificate_public_key = '$public_key', certificate_notes = '$notes', certificate_domain_id = $domain_id, certificate_client_id = $client_id");
$certificate_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Certificate', log_action = 'Create', log_description = '$session_name created certificate $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $certificate_id");
$_SESSION['alert_message'] = "Certificate <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_certificate'])) {
validateTechRole();
$certificate_id = intval($_POST['certificate_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$domain = sanitizeInput($_POST['domain']);
$issued_by = sanitizeInput($_POST['issued_by']);
$expire = sanitizeInput($_POST['expire']);
$public_key = sanitizeInput($_POST['public_key']);
$notes = sanitizeInput($_POST['notes']);
$domain_id = intval($_POST['domain_id']);
$client_id = intval($_POST['client_id']);
// Parse public key data for a manually provided public key
if (!empty($public_key) && (empty($expire) && empty($issued_by))) {
// Parse the public certificate key. If successful, set attributes from the certificate
$public_key_obj = openssl_x509_parse($_POST['public_key']);
if ($public_key_obj) {
$expire = date('Y-m-d', $public_key_obj['validTo_time_t']);
$issued_by = sanitizeInput($public_key_obj['issuer']['O']);
}
}
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
mysqli_query($mysqli,"UPDATE certificates SET certificate_name = '$name', certificate_description = '$description', certificate_domain = '$domain', certificate_issued_by = '$issued_by', certificate_expire = $expire, certificate_public_key = '$public_key', certificate_notes = '$notes', certificate_domain_id = '$domain_id' WHERE certificate_id = $certificate_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Certificate', log_action = 'Modify', log_description = '$session_name modified certificate $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $certificate_id");
$_SESSION['alert_message'] = "Certificate <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_certificate'])) {
validateTechRole();
$certificate_id = intval($_GET['archive_certificate']);
// Get Certificate Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT certificate_name, certificate_client_id FROM certificates WHERE certificate_id = $certificate_id");
$row = mysqli_fetch_array($sql);
$certificate_name = sanitizeInput($row['certificate_name']);
$client_id = intval($row['certificate_client_id']);
mysqli_query($mysqli,"UPDATE certificates SET certificate_archived_at = NOW() WHERE certificate_id = $certificate_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Certificate', log_action = 'Archive', log_description = '$session_name archived certificate $certificate_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $certificate_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Certificate <strong>$certificate_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_certificate'])) {
validateAdminRole();
$certificate_id = intval($_GET['delete_certificate']);
// Get Certificate Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT certificate_name, certificate_client_id FROM certificates WHERE certificate_id = $certificate_id");
$row = mysqli_fetch_array($sql);
$certificate_name = sanitizeInput($row['certificate_name']);
$client_id = intval($row['certificate_client_id']);
mysqli_query($mysqli,"DELETE FROM certificates WHERE certificate_id = $certificate_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Certificate', log_action = 'Delete', log_description = '$session_name deleted certificate $certificate_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $certificate_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Certificate <strong>$certificate_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_certificates'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$certificate_ids = $_POST['certificate_ids']; // Get array of cert IDs to be deleted
$client_id = intval($_POST['client_id']);
if (!empty($certificate_ids)) {
// Cycle through array and delete each certificate
foreach ($certificate_ids as $certificate_id) {
$certificate_id = intval($certificate_id);
mysqli_query($mysqli, "DELETE FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Certificate', log_action = 'Delete', log_description = '$session_name deleted a certificate (bulk)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $certificate_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Certificate', log_action = 'Delete', log_description = '$session_name bulk deleted $count certificates', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count certificate(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_certificates_csv'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM certificates WHERE certificate_client_id = $client_id ORDER BY certificate_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = $client_name . "-Certificates-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Domain', 'Issuer', 'Expiration Date');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['certificate_name'], $row['certificate_description'], $row['certificate_domain'], $row['certificate_issued_by'], $row['certificate_expire']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Certificate', log_action = 'Export', log_description = '$session_name exported $num_rows certificate(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}

1926
post/user/client.php Normal file
View File

File diff suppressed because it is too large Load Diff

12
post/user/client_model.php Normal file
View File

@@ -0,0 +1,12 @@
<?php
$name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
$referral = sanitizeInput($_POST['referral']);
$rate = floatval($_POST['rate']);
$currency_code = sanitizeInput($_POST['currency_code']);
$net_terms = intval($_POST['net_terms']);
$tax_id_number = sanitizeInput($_POST['tax_id_number']);
$abbreviation = sanitizeInput($_POST['abbreviation']);
$notes = sanitizeInput($_POST['notes']);
$lead = intval($_POST['lead']);

851
post/user/contact.php Normal file
View File

@@ -0,0 +1,851 @@
<?php
/*
* ITFlow - GET/POST request handler for client contacts
*/
if (isset($_POST['add_contact'])) {
validateTechRole();
require_once 'post/user/contact_model.php';
// Set password
if (!empty($_POST['contact_password'])) {
$password_hash = password_hash(trim($_POST['contact_password']), PASSWORD_DEFAULT);
} else {
// Set a random password
$password_hash = password_hash(randomString(), PASSWORD_DEFAULT);
}
mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_pin = '$pin', contact_notes = '$notes', contact_important = $contact_important, contact_billing = $contact_billing, contact_technical = $contact_technical, contact_auth_method = '$auth_method', contact_password_hash = '$password_hash', contact_department = '$department', contact_location_id = $location_id, contact_client_id = $client_id");
$contact_id = mysqli_insert_id($mysqli);
// Add Tags
if (isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO contact_tags SET contact_id = $contact_id, tag_id = $tag");
}
}
//Update Primary contact in clients if primary contact is checked
if ($contact_primary == 1) {
mysqli_query($mysqli,"UPDATE contacts SET contact_primary = 0 WHERE contact_client_id = $client_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_primary = 1, contact_important = 1 WHERE contact_id = $contact_id");
}
// Check for and process image/photo
if ($_FILES['file']['tmp_name']) {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE contacts SET contact_photo = '$new_file_name' WHERE contact_id = $contact_id");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Create', log_description = '$session_name created contact $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$_SESSION['alert_message'] = "Contact <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_contact'])) {
validateTechRole();
require_once 'post/user/contact_model.php';
$contact_id = intval($_POST['contact_id']);
$send_email = intval($_POST['send_email']);
// Get Exisiting Contact Photo
$sql = mysqli_query($mysqli,"SELECT contact_photo FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['contact_photo']);
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_pin = '$pin', contact_notes = '$notes', contact_important = $contact_important, contact_billing = $contact_billing, contact_technical = $contact_technical, contact_auth_method = '$auth_method', contact_department = '$department', contact_location_id = $location_id WHERE contact_id = $contact_id");
// Upload Photo
if ($_FILES['file']['tmp_name']) {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
// Set directory in which the uploaded file will be moved
$file_tmp_path = $_FILES['file']['tmp_name'];
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
//Delete old file
unlink("uploads/clients/$client_id/$existing_file_name");
mysqli_query($mysqli,"UPDATE contacts SET contact_photo = '$new_file_name' WHERE contact_id = $contact_id");
}
}
// Tags
// Delete existing tags
mysqli_query($mysqli, "DELETE FROM contact_tags WHERE contact_id = $contact_id");
// Add new tags
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO contact_tags SET contact_id = $contact_id, tag_id = $tag");
}
// Update Primary contact in clients if primary contact is checked
if ($contact_primary == 1) {
mysqli_query($mysqli,"UPDATE contacts SET contact_primary = 0 WHERE contact_client_id = $client_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_primary = 1, contact_important = 1 WHERE contact_id = $contact_id");
}
// Set password
if (!empty($_POST['contact_password'])) {
$password_hash = password_hash(trim($_POST['contact_password']), PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = $contact_id AND contact_client_id = $client_id");
}
// Send contact a welcome e-mail, if specified
if ($send_email && !empty($auth_method) && !empty($config_smtp_host)) {
// Sanitize Config vars from get_settings.php
$config_ticket_from_email = sanitizeInput($config_ticket_from_email);
$config_ticket_from_name = sanitizeInput($config_ticket_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_base_url = sanitizeInput($config_base_url);
// Get Company Phone Number
$sql = mysqli_query($mysqli,"SELECT company_name, company_phone FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = sanitizeInput($row['company_name']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
// Authentication info (azure, reset password, or tech-provided temporary password)
if ($auth_method == 'azure') {
$password_info = "Login with your Microsoft (Azure AD) account.";
} elseif (empty($_POST['contact_password'])) {
$password_info = "Request a password reset at https://$config_base_url/portal/login_reset.php";
} else {
$password_info = mysqli_real_escape_string($mysqli, $_POST['contact_password'] . " -- Please change on first login");
}
$subject = "Your new $company_name portal account";
$body = "Hello $name,<br><br>$company_name has created a support portal account for you. <br><br>Username: $email<br>Password: $password_info<br><br>Login URL: https://$config_base_url/portal/<br><br>--<br>$company_name - Support<br>$config_ticket_from_email<br>$company_phone";
// Queue Mail
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $email,
'recipient_name' => $name,
'subject' => $subject,
'body' => $body,
]
];
addToMailQueue($mysqli, $data);
// Get Email ID for reference
$email_id = mysqli_insert_id($mysqli);
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name modified contact $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$_SESSION['alert_message'] = "Contact <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_contact_location'])) {
validateTechRole();
$location_id = intval($_POST['bulk_location_id']);
// Get Location name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
// Get Selected Contacts Count
$contact_count = count($_POST['contact_ids']);
// Assign Location to Selected Contacts
if (!empty($_POST['contact_ids'])) {
foreach($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT contact_name FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
mysqli_query($mysqli,"UPDATE contacts SET contact_location_id = $location_id WHERE contact_id = $contact_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name assigned $contact_name to Location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You assigned <b>$contact_count</b> contacts to location <b>$location_name</b>";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_contact_phone'])) {
validateTechRole();
$phone = preg_replace("/[^0-9]/", '', $_POST['bulk_phone']);
// Get Selected Contacts Count
$contact_count = count($_POST['contact_ids']);
// Assign Location to Selected Contacts
if (!empty($_POST['contact_ids'])) {
foreach($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli,"UPDATE contacts SET contact_phone = '$phone' WHERE contact_id = $contact_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name set Phone Number to $phone for $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You set Phone Number <b>" . formatPhoneNumber($phone) . "</b> on $contact_count</b> contacts";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_contact_department'])) {
validateTechRole();
$department = sanitizeInput($_POST['bulk_department']);
// Get Selected Contacts Count
$contact_count = count($_POST['contact_ids']);
// Assign Location to Selected Contacts
if (!empty($_POST['contact_ids'])) {
foreach($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli,"UPDATE contacts SET contact_department = '$department' WHERE contact_id = $contact_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name set Department to $department for $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You set the Department to <b>$department</b> for <b>$contact_count</b> contacts";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_contact_role'])) {
validateTechRole();
$contact_important = intval($_POST['bulk_contact_important']);
$contact_billing = intval($_POST['bulk_contact_billing']);
$contact_technical = intval($_POST['bulk_contact_technical']);
// Get Selected Contacts Count
$contact_count = count($_POST['contact_ids']);
// Assign Location to Selected Contacts
if (!empty($_POST['contact_ids'])) {
foreach($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli,"UPDATE contacts SET contact_important = $contact_important, contact_billing = $contact_billing, contact_technical = $contact_technical WHERE contact_id = $contact_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name updated $contact_name role', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You updated roles for <b>$contact_count</b> contacts";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_contact_tags'])) {
validateTechRole();
// Get Selected Contacts Count
$count = count($_POST['contact_ids']);
// Assign Location to Selected Contacts
if (!empty($_POST['contact_ids'])) {
foreach($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM contact_tags WHERE contact_id = $contact_id");
}
// Add new tags
foreach($_POST['bulk_tags'] as $tag) {
$tag = intval($tag);
$sql = mysqli_query($mysqli,"SELECT * FROM contact_tags WHERE contact_id = $contact_id AND tag_id = $tag");
if (mysqli_num_rows($sql) == 0) {
mysqli_query($mysqli, "INSERT INTO contact_tags SET contact_id = $contact_id, tag_id = $tag");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name added tags to $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "Assigned tags for <b>$count</b> contacts";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_contacts'])) {
validateAdminRole();
//validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$contact_ids = $_POST['contact_ids']; // Get array of contact IDs to be deleted
if (!empty($contact_ids)) {
// Cycle through array and archive each contact
foreach ($contact_ids as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_primary FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$contact_primary = intval($row['contact_primary']);
$client_id = intval($row['contact_client_id']);
if($contact_primary == 0) {
mysqli_query($mysqli,"UPDATE contacts SET contact_important = 0, contact_billing = 0, contact_technical = 0, contact_auth_method = '', contact_password_hash = '', contact_archived_at = NOW() WHERE contact_id = $contact_id");
// Individual Contact logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Archive', log_description = '$session_name archived contact $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$count++;
}
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Archive', log_description = '$session_name archived $count contacts', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived $count contact(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_contacts'])) {
validateAdminRole();
//validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$contact_ids = $_POST['contact_ids']; // Get array of contact IDs
if (!empty($contact_ids)) {
// Cycle through array and unarchive each contact
foreach ($contact_ids as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
// Individual Contact logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Unarchive', log_description = '$session_name Unarchived contact $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Unarchive', log_description = '$session_name Unarchived $count contacts', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Unarchived $count contact(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_contacts'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$contact_ids = $_POST['contact_ids']; // Get array of IDs to be deleted
if (!empty($contact_ids)) {
// Cycle through array and delete each record
foreach ($contact_ids as $contact_id) {
$contact_id = intval($contact_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli, "DELETE FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id");
// Remove Relations
mysqli_query($mysqli, "DELETE FROM contact_tags WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_assets WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_documents WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_files WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_logins WHERE contact_id = $contact_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Delete', log_description = '$session_name deleted contact $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Delete', log_description = '$session_name bulk deleted $count contacts', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count contact(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['anonymize_contact'])) {
validateAdminRole();
$contact_id = intval($_GET['anonymize_contact']);
// Get contact & client info
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_email, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$contact_first_name = explode(" ", $contact_name)[0];
$contact_email = sanitizeInput($row['contact_email']);
$contact_phone = sanitizeInput($row['contact_phone']);
$info_to_redact = array($contact_name, $contact_first_name, $contact_email, $contact_phone);
$client_id = intval($row['contact_client_id']);
// Redact name with asterisks
mysqli_query($mysqli,"UPDATE contacts SET contact_name = '*****' WHERE contact_id = $contact_id");
// Remove all other contact information
// Doing redactions field by field to ensure that an error updating one field doesn't break the entire query
mysqli_query($mysqli,"UPDATE contacts SET contact_title = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_department = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_email = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_phone = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_extension = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_mobile = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_photo = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_pin = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_notes = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_auth_method = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_password_hash = '' WHERE contact_id = $contact_id");
mysqli_query($mysqli,"UPDATE contacts SET contact_location_id = '0' WHERE contact_id = $contact_id");
// Remove Billing, Technical, Important Roles
mysqli_query($mysqli,"UPDATE contacts SET contact_important = 0, contact_billing = 0, contact_technical = 0 WHERE contact_id = $contact_id");
// Redact audit logs
$log_sql = mysqli_query($mysqli, "SELECT * FROM logs WHERE log_client_id = $client_id");
while ($log = mysqli_fetch_array($log_sql)) {
$log_id = intval($log['log_id']);
$description = $log['log_description'];
$description = str_ireplace($info_to_redact, "*****", $description);
$description = sanitizeInput($description);
mysqli_query($mysqli,"UPDATE logs SET log_description = '$description' WHERE log_id = $log_id AND log_client_id = $client_id");
}
// Get all tickets this contact raised
$contact_tickets_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id = $client_id AND ticket_contact_id = $contact_id");
while ($ticket = mysqli_fetch_array($contact_tickets_sql)) {
$ticket_id = intval($ticket['ticket_id']);
// Redact contact name or email in the subject of all tickets they raised
$subject = $ticket['ticket_subject'];
$subject = str_ireplace($info_to_redact, "*****", $subject);
$subject = sanitizeInput($subject);
mysqli_query($mysqli,"UPDATE tickets SET ticket_subject = '$subject' WHERE ticket_id = $ticket_id");
// Redact contact name or email in the description of all tickets they raised
$details = $ticket['ticket_details'];
$details = str_ireplace($info_to_redact, "*****", $details);
$details = sanitizeInput($details);
mysqli_query($mysqli,"UPDATE tickets SET ticket_details = '$details' WHERE ticket_id = $ticket_id");
// Redact contact name or email in the replies of all tickets they raised
$ticket_replies_sql = mysqli_query($mysqli, "SELECT * FROM ticket_replies WHERE ticket_reply_ticket_id = $ticket_id");
while($ticket_reply = mysqli_fetch_array($ticket_replies_sql)) {
$ticket_reply_id = intval($ticket_reply['ticket_reply_id']);
$ticket_reply_details = $ticket_reply['ticket_reply'];
$ticket_reply_details = str_ireplace($info_to_redact, "*****", $ticket_reply_details);
$ticket_reply_details = sanitizeInput($ticket_reply_details);
mysqli_query($mysqli,"UPDATE ticket_replies SET ticket_reply = '$ticket_reply_details' WHERE ticket_reply_id = $ticket_reply_id");
}
}
// Archive contact
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NOW() WHERE contact_id = $contact_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Anonymize', log_description = '$session_name anonymized contact', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Contact $contact_name anonymized & archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_contact'])) {
validateTechRole();
$contact_id = intval($_GET['archive_contact']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli,"UPDATE contacts SET contact_important = 0, contact_billing = 0, contact_technical = 0, contact_auth_method = '', contact_password_hash = '', contact_archived_at = NOW() WHERE contact_id = $contact_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Archive', log_description = '$session_name archived contact $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_contact'])) {
validateAdminRole();
$contact_id = intval($_GET['unarchive_contact']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Unarchive', log_description = '$session_name unarchived contact $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> Unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_contact'])) {
validateAdminRole();
$contact_id = intval($_GET['delete_contact']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
mysqli_query($mysqli,"DELETE FROM contacts WHERE contact_id = $contact_id");
// Remove Relations
mysqli_query($mysqli, "DELETE FROM contact_tags WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_assets WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_documents WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_files WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_logins WHERE contact_id = $contact_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Delete', log_description = '$session_name deleted contact $contact_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $contact_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> deleted.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_contacts_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
//Contacts
$sql = mysqli_query($mysqli,"SELECT * FROM contacts LEFT JOIN locations ON location_id = contact_location_id WHERE contact_client_id = $client_id AND contact_archived_at IS NULL ORDER BY contact_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Contacts-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Title', 'Department', 'Email', 'Phone', 'Ext', 'Mobile', 'Location');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['contact_name'], $row['contact_title'], $row['contact_department'], $row['contact_email'], formatPhoneNumber($row['contact_phone']), $row['contact_extension'], formatPhoneNumber($row['contact_mobile']), $row['location_name']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Export', log_description = '$session_name exported $num_rows contact(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}
if (isset($_POST["import_client_contacts_csv"])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$file_name = $_FILES["file"]["tmp_name"];
$error = false;
//Check file is CSV
$file_extension = strtolower(end(explode('.',$_FILES['file']['name'])));
$allowed_file_extensions = array('csv');
if (in_array($file_extension,$allowed_file_extensions) === false) {
$error = true;
$_SESSION['alert_message'] = "Bad file extension";
}
//Check file isn't empty
elseif ($_FILES["file"]["size"] < 1) {
$error = true;
$_SESSION['alert_message'] = "Bad file size (empty?)";
}
//(Else)Check column count
$f = fopen($file_name, "r");
$f_columns = fgetcsv($f, 1000, ",");
if (!$error & count($f_columns) != 8) {
$error = true;
$_SESSION['alert_message'] = "Bad column count.";
}
//Else, parse the file
if (!$error) {
$file = fopen($file_name, "r");
fgetcsv($file, 1000, ","); // Skip first line
$row_count = 0;
$duplicate_count = 0;
while(($column = fgetcsv($file, 1000, ",")) !== false) {
$duplicate_detect = 0;
if (isset($column[0])) {
$name = sanitizeInput($column[0]);
if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_name = '$name' AND contact_client_id = $client_id")) > 0) {
$duplicate_detect = 1;
}
}
if (isset($column[1])) {
$title = sanitizeInput($column[1]);
}
if (isset($column[2])) {
$department = sanitizeInput($column[2]);
}
if (isset($column[3])) {
$email = sanitizeInput($column[3]);
}
if (isset($column[4])) {
$phone = preg_replace("/[^0-9]/", '',$column[4]);
}
if (isset($column[5])) {
$ext = preg_replace("/[^0-9]/", '',$column[5]);
}
if (isset($column[6])) {
$mobile = preg_replace("/[^0-9]/", '',$column[6]);
}
if (isset($column[7])) {
$location = sanitizeInput($column[7]);
$sql_location = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_name = '$location' AND location_client_id = $client_id");
$row = mysqli_fetch_assoc($sql_location);
$location_id = intval($row['location_id']);
}
// Potentially import the rest in the future?
// Check if duplicate was detected
if ($duplicate_detect == 0) {
//Add
mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_department = '$department', contact_email = '$email', contact_phone = '$phone', contact_extension = '$ext', contact_mobile = '$mobile', contact_location_id = $location_id, contact_client_id = $client_id");
$row_count = $row_count + 1;
}else{
$duplicate_count = $duplicate_count + 1;
}
}
fclose($file);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Import', log_description = '$session_name imported $row_count contact(s) via CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "$row_count Contact(s) added, $duplicate_count duplicate(s) detected";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//Check for any errors, if there are notify user and redirect
if ($error) {
$_SESSION['alert_type'] = "warning";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_GET['download_client_contacts_csv_template'])) {
$client_id = intval($_GET['download_client_contacts_csv_template']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Contacts-Template.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array(
'Full Name ',
'Job Title ',
'Department Name ',
'Email Address ',
'Office Phone ',
'Office Extension ',
'Mobile Phone ',
'Office Location '
);
fputcsv($f, $fields, $delimiter);
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
exit;
}

19
post/user/contact_model.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$title = sanitizeInput($_POST['title']);
$department = sanitizeInput($_POST['department']);
$phone = preg_replace("/[^0-9]/", '', $_POST['phone']);
$extension = preg_replace("/[^0-9]/", '', $_POST['extension']);
$mobile = preg_replace("/[^0-9]/", '', $_POST['mobile']);
$email = sanitizeInput($_POST['email']);
$notes = sanitizeInput($_POST['notes']);
$contact_primary = intval($_POST['contact_primary']);
$contact_important = intval($_POST['contact_important']);
$contact_billing = intval($_POST['contact_billing']);
$contact_technical = intval($_POST['contact_technical']);
$location_id = intval($_POST['location']);
$pin = sanitizeInput($_POST['pin']);
$auth_method = sanitizeInput($_POST['auth_method']);

418
post/user/credential.php Normal file
View File

@@ -0,0 +1,418 @@
<?php
/*
* ITFlow - GET/POST request handler for client credentials (formerly logins)
*/
if (isset($_POST['add_login'])) {
enforceUserPermission('module_credential', 2);
require_once 'post/login_model.php';
mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id, login_client_id = $client_id");
$login_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Create', log_description = '$session_name created login $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$_SESSION['alert_message'] = "Login <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_login'])) {
enforceUserPermission('module_credential', 2);
require_once 'post/login_model.php';
$login_id = intval($_POST['login_id']);
// Determine if the password has actually changed (salt is rotated on all updates, so have to dencrypt both and compare)
$current_password = decryptLoginEntry(mysqli_fetch_row(mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = $login_id"))[0]); // Get current login password
$new_password = decryptLoginEntry($password); // Get the new password being set (already encrypted by the login model)
if ($current_password !== $new_password) {
// The password has been changed - update the DB to track
mysqli_query($mysqli, "UPDATE logins SET login_password_changed_at = NOW() WHERE login_id = $login_id");
}
// Update the login entry with the new details
mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id WHERE login_id = $login_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Modify', log_description = '$session_name modified login $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$_SESSION['alert_message'] = "Login <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['archive_login'])){
enforceUserPermission('module_credential', 2);
$login_id = intval($_GET['archive_login']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NOW() WHERE login_id = $login_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Archive', log_description = '$session_name archived login $login_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Credential <strong>$login_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_login'])){
enforceUserPermission('module_credential', 2);
$login_id = intval($_GET['unarchive_login']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NULL WHERE login_id = $login_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Unarchive', log_description = '$session_name restored credential $login_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$_SESSION['alert_message'] = "Credential <strong>$login_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_login'])) {
enforceUserPermission('module_credential', 3);
$login_id = intval($_GET['delete_login']);
// Get Login Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
mysqli_query($mysqli,"DELETE FROM logins WHERE login_id = $login_id");
// Remove Relations
mysqli_query($mysqli,"DELETE FROM client_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM service_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM software_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM vendor_logins WHERE login_id = $login_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Delete', log_description = '$session_name deleted login $login_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$_SESSION['alert_message'] = "Login <strong>$login_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_logins'])) {
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$login_ids = $_POST['login_ids']; // Get array of IDs to be deleted
if (!empty($login_ids)) {
// Cycle through array and archive each record
foreach ($login_ids as $login_id) {
$login_id = intval($login_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NOW() WHERE login_id = $login_id");
// Individual Contact logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Archive', log_description = '$session_name archived login $login_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Archive', log_description = '$session_name archived $count logins', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived $count credential(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_logins'])) {
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$login_ids = $_POST['login_ids']; // Get array of IDs
if (!empty($login_ids)) {
// Cycle through array and unarchive
foreach ($login_ids as $login_id) {
$login_id = intval($login_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NULL WHERE login_id = $login_id");
// Individual logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Unarchive', log_description = '$session_name Unarchived login $logins_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Unarchive', log_description = '$session_name Unarchived $count logins', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Unarchived $count credential(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_logins'])) {
enforceUserPermission('module_credential', 3);
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$login_ids = $_POST['login_ids']; // Get array of IDs to be deleted
if (!empty($login_ids)) {
// Cycle through array and delete each record
foreach ($login_ids as $login_id) {
$login_id = intval($login_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
mysqli_query($mysqli, "DELETE FROM logins WHERE login_id = $login_id AND login_client_id = $client_id");
// Remove Relations
mysqli_query($mysqli,"DELETE FROM client_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM service_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM software_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM vendor_logins WHERE login_id = $login_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Delete', log_description = '$session_name deleted login $login_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $login_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Delete', log_description = '$session_name bulk deleted $count logins', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count credential(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_logins_csv'])) {
enforceUserPermission('module_credential');
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM logins LEFT JOIN clients ON client_id = login_client_id WHERE login_client_id = $client_id ORDER BY login_name ASC");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Credentials-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Username', 'Password', 'URI');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$login_username = decryptLoginEntry($row['login_username']);
$login_password = decryptLoginEntry($row['login_password']);
$lineData = array($row['login_name'], $row['login_description'], $login_username, $login_password, $row['login_uri']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Export', log_description = '$session_name exported $num_rows login(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}
if (isset($_POST["import_client_logins_csv"])) {
enforceUserPermission('module_credential', 2);
$client_id = intval($_POST['client_id']);
$file_name = $_FILES["file"]["tmp_name"];
$error = false;
//Check file is CSV
$file_extension = strtolower(end(explode('.',$_FILES['file']['name'])));
$allowed_file_extensions = array('csv');
if (in_array($file_extension,$allowed_file_extensions) === false){
$error = true;
$_SESSION['alert_message'] = "Bad file extension";
}
//Check file isn't empty
elseif ($_FILES["file"]["size"] < 1){
$error = true;
$_SESSION['alert_message'] = "Bad file size (empty?)";
}
//(Else)Check column count
$f = fopen($file_name, "r");
$f_columns = fgetcsv($f, 1000, ",");
if (!$error & count($f_columns) != 5) {
$error = true;
$_SESSION['alert_message'] = "Bad column count.";
}
//Else, parse the file
if (!$error){
$file = fopen($file_name, "r");
fgetcsv($file, 1000, ","); // Skip first line
$row_count = 0;
$duplicate_count = 0;
while(($column = fgetcsv($file, 1000, ",")) !== false){
$duplicate_detect = 0;
if (isset($column[0])) {
$name = sanitizeInput($column[0]);
if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM logins WHERE login_name = '$name' AND login_client_id = $client_id")) > 0){
$duplicate_detect = 1;
}
}
if (isset($column[1])) {
$description = sanitizeInput($column[1]);
}
if (isset($column[2])) {
$username = sanitizeInput(encryptLoginEntry($column[2]));
}
if (isset($column[3])) {
$password = sanitizeInput(encryptLoginEntry($column[3]));
}
if (isset($column[4])) {
$uri = sanitizeInput($column[4]);
}
// Check if duplicate was detected
if ($duplicate_detect == 0){
//Add
mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_username = '$username', login_password = '$password', login_client_id = $client_id");
$row_count = $row_count + 1;
}else{
$duplicate_count = $duplicate_count + 1;
}
}
fclose($file);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Credential', log_action = 'Import', log_description = '$session_name imported $row_count login(s) via csv file. $duplicate_count duplicate(s) detected and not imported', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "$row_count Login(s) imported, $duplicate_count duplicate(s) detected and not imported";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//Check for any errors, if there are notify user and redirect
if ($error) {
$_SESSION['alert_type'] = "warning";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_GET['download_client_logins_csv_template'])) {
$client_id = intval($_GET['download_client_logins_csv_template']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Logins-Template.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Username', 'Password', 'URI');
fputcsv($f, $fields, $delimiter);
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
exit;
}

16
post/user/credential_model.php Normal file
View File

@@ -0,0 +1,16 @@
<?php
// Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$username = encryptLoginEntry(trim($_POST['username']));
$password = encryptLoginEntry(trim($_POST['password']));
$otp_secret = sanitizeInput($_POST['otp_secret']);
$note = sanitizeInput($_POST['note']);
$important = intval($_POST['important']);
$contact_id = intval($_POST['contact']);
$vendor_id = intval($_POST['vendor']);
$asset_id = intval($_POST['asset']);
$software_id = intval($_POST['software']);

558
post/user/document.php Normal file
View File

@@ -0,0 +1,558 @@
<?php
/*
* ITFlow - GET/POST request handler for client documents
*/
if (isset($_POST['add_document'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
$folder = intval($_POST['folder']);
// Document add query
$add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_template = 0, document_folder_id = $folder, document_created_by = $session_user_id, document_client_id = $client_id");
$document_id = mysqli_insert_id($mysqli);
// Update field document_parent to be the same id as document ID as this is the only version of the document.
mysqli_query($mysqli,"UPDATE documents SET document_parent = $document_id WHERE document_id = $document_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Create', log_description = 'Created $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Document <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_document_from_template'])) {
// ROLE Check
validateTechRole();
// GET POST Data
$client_id = intval($_POST['client_id']);
$document_name = sanitizeInput($_POST['name']);
$document_description = sanitizeInput($_POST['description']);
$document_template_id = intval($_POST['document_template_id']);
$folder = intval($_POST['folder']);
//GET Document Info
$sql_document = mysqli_query($mysqli,"SELECT * FROM documents WHERE document_id = $document_template_id");
$row = mysqli_fetch_array($sql_document);
$document_template_name = sanitizeInput($row['document_name']);
$content = mysqli_real_escape_string($mysqli,$row['document_content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $row['document_content']));
// Document add query
mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$document_name', document_description = '$document_description', document_content = '$content', document_content_raw = '$content_raw', document_template = 0, document_folder_id = $folder, document_created_by = $session_user_id, document_client_id = $client_id");
$document_id = mysqli_insert_id($mysqli);
// Update field document_parent to be the same id as document ID as this is the only version of the document.
mysqli_query($mysqli,"UPDATE documents SET document_parent = $document_id WHERE document_id = $document_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Create', log_description = 'Document $document_name created from template $document_template_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $document_id");
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> created from template";
header("Location: client_document_details.php?client_id=$client_id&document_id=$document_id");
}
if (isset($_POST['edit_document'])) {
validateTechRole();
$document_id = intval($_POST['document_id']);
$document_created_by = intval($_POST['created_by']);
$document_parent = intval($_POST['document_parent']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
$folder = intval($_POST['folder']);
// Document add query
mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_template = 0, document_folder_id = $folder, document_created_by = $document_created_by, document_updated_by = $session_user_id, document_client_id = $client_id");
$new_document_id = mysqli_insert_id($mysqli);
// Update the parent ID of the new document to match its new document ID
mysqli_query($mysqli,"UPDATE documents SET document_parent = $new_document_id WHERE document_id = $new_document_id");
// Link all exisiting links with old document with new document
mysqli_query($mysqli,"UPDATE documents SET document_parent = $new_document_id, document_archived_at = NOW() WHERE document_parent = $document_id");
// Update Links to the new parent document
// document files
mysqli_query($mysqli,"UPDATE document_files SET document_id = $new_document_id WHERE document_id = $document_id");
// contact documents
mysqli_query($mysqli,"UPDATE contact_documents SET document_id = $new_document_id WHERE document_id = $document_id");
// asset documents
mysqli_query($mysqli,"UPDATE asset_documents SET document_id = $new_document_id WHERE document_id = $document_id");
// software documents
mysqli_query($mysqli,"UPDATE software_documents SET document_id = $new_document_id WHERE document_id = $document_id");
// vendor documents
mysqli_query($mysqli,"UPDATE vendor_documents SET document_id = $new_document_id WHERE document_id = $document_id");
// Service document
mysqli_query($mysqli,"UPDATE service_documents SET document_id = $new_document_id WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Edit', log_description = '$session_name Edited document $name previous version was kept', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $new_document_id");
$_SESSION['alert_message'] = "Document <strong>$name</strong> updated, previous version kept";
header("Location: client_document_details.php?client_id=$client_id&document_id=$new_document_id");
}
if (isset($_POST['move_document'])) {
validateTechRole();
$document_id = intval($_POST['document_id']);
$client_id = intval($_POST['client_id']);
$folder = intval($_POST['folder']);
// Document edit query
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = $folder WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Modify', log_description = '$session_name moved document', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $document_id");
$_SESSION['alert_message'] = "Document moved";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['rename_document'])) {
validateTechRole();
$document_id = intval($_POST['document_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
// Document edit query
mysqli_query($mysqli,"UPDATE documents SET document_name = '$name' WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Rename', log_description = '$session_name renamed document to $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $document_id");
$_SESSION['alert_message'] = "You renamed Document to <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_move_document'])) {
validateTechRole();
$folder_id = intval($_POST['bulk_folder_id']);
// Get folder name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT folder_name, folder_client_id FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql);
$folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
// Get Selected Document Count
$document_count = count($_POST['document_ids']);
// Move Documents to Folder Loop
if (!empty($_POST['document_ids'])) {
foreach($_POST['document_ids'] as $document_id) {
$document_id = intval($document_id);
// Get document name for logging
$sql = mysqli_query($mysqli,"SELECT document_name FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$document_name = sanitizeInput($row['document_name']);
// Document move query
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = $folder_id WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Move', log_description = '$session_name moved document $document_name to folder $folder_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $document_id");
}
}
$_SESSION['alert_message'] = "You moved <b>$document_count</b> documents to the folder <b>$folder_name</b>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_file_to_document'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
$file_id = intval($_POST['file_id']);
// Document add query
mysqli_query($mysqli,"INSERT INTO document_files SET file_id = $file_id, document_id = $document_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Link', log_description = 'Created Document File link', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "File linked with Document";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_file_from_document'])) {
validateTechRole();
$file_id = intval($_GET['file_id']);
$document_id = intval($_GET['document_id']);
mysqli_query($mysqli,"DELETE FROM document_files WHERE file_id = $file_id AND document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'unLink', log_description = 'Document File link removed', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "File has been unlinked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_vendor_to_document'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
$vendor_id = intval($_POST['vendor_id']);
// Document add query
mysqli_query($mysqli,"INSERT INTO vendor_documents SET vendor_id = $vendor_id, document_id = $document_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Link', log_description = 'Created Document Vendor link', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Vendor linked with Document";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_vendor_from_document'])) {
validateTechRole();
$vendor_id = intval($_GET['vendor_id']);
$document_id = intval($_GET['document_id']);
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE vendor_id = $vendor_id AND document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'unLink', log_description = 'Document Vendor link removed', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Vendor has been unlinked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_contact_to_document'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
$contact_id = intval($_POST['contact_id']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO contact_documents SET contact_id = $contact_id, document_id = $document_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Link', log_description = 'Created Document Contact link', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Contact linked with Document";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_contact_from_document'])) {
validateTechRole();
$contact_id = intval($_GET['contact_id']);
$document_id = intval($_GET['document_id']);
mysqli_query($mysqli,"DELETE FROM contact_documents WHERE contact_id = $contact_id AND document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'unLink', log_description = 'Document Contact link removed', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Contact has been unlinked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_asset_to_document'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
$asset_id = intval($_POST['asset_id']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO asset_documents SET asset_id = $asset_id, document_id = $document_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Link', log_description = 'Created Document Asset link', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Asset linked with Document";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_asset_from_document'])) {
validateTechRole();
$asset_id = intval($_GET['asset_id']);
$document_id = intval($_GET['document_id']);
mysqli_query($mysqli,"DELETE FROM asset_documents WHERE asset_id = $asset_id AND document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'unLink', log_description = 'Document Asset link removed', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Asset has been unlinked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_software_to_document'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
$software_id = intval($_POST['software_id']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO software_documents SET software_id = $software_id, document_id = $document_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Link', log_description = 'Created Document Software link', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Contact linked with Document";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_software_from_document'])) {
validateTechRole();
$software_id = intval($_GET['software_id']);
$document_id = intval($_GET['document_id']);
mysqli_query($mysqli,"DELETE FROM software_documents WHERE software_id = $software_id AND document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'unLink', log_description = 'Document Software link removed', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Software has been unlinked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_document_template'])) {
validateTechRole();
$document_id = intval($_POST['document_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.
// Document edit query
mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_updated_by = $session_user_id WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document Template', log_action = 'Modify', log_description = '$session_name modified document template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $document_id");
$_SESSION['alert_message'] = "Document Template <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['document_visible'])) {
validateTechRole();
$document_id = intval($_POST['document_id']);
$document_visible = intval($_POST['document_visible']);
mysqli_query($mysqli,"UPDATE documents SET document_client_visible = $document_visible WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Modify', log_description = '$session_name modified document visibility', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $document_id");
$_SESSION['alert_message'] = "Document visibility updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_document'])) {
validateTechRole();
$document_id = intval($_GET['archive_document']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NOW() WHERE document_id = $document_id");
// Remove Associations
// File Association
mysqli_query($mysqli,"DELETE FROM document_files WHERE document_id = $document_id");
// Contact Associations
mysqli_query($mysqli,"DELETE FROM contact_documents WHERE document_id = $document_id");
// Asset Associations
mysqli_query($mysqli,"DELETE FROM asset_documents WHERE document_id = $document_id");
// Software Associations
mysqli_query($mysqli,"DELETE FROM software_documents WHERE document_id = $document_id");
// Vendor Associations
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE document_id = $document_id");
// Service Associations
mysqli_query($mysqli,"DELETE FROM service_documents WHERE document_id = $document_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Archive', log_description = '$session_name archived document $document_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $document_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_document_version'])) {
validateAdminRole();
$document_id = intval($_GET['delete_document_version']);
// Get Document Parent ID
$sql = mysqli_query($mysqli,"SELECT document_parent, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['document_client_id']);
$document_parent = intval($row['document_parent']);
mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id");
// Remove Associations
// File Association
mysqli_query($mysqli,"DELETE FROM document_files WHERE document_id = $document_id");
// Contact Associations
mysqli_query($mysqli,"DELETE FROM contact_documents WHERE document_id = $document_id");
// Asset Associations
mysqli_query($mysqli,"DELETE FROM asset_documents WHERE document_id = $document_id");
// Software Associations
mysqli_query($mysqli,"DELETE FROM software_documents WHERE document_id = $document_id");
// Vendor Associations
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE document_id = $document_id");
// Service Associations
mysqli_query($mysqli,"DELETE FROM service_documents WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document Version', log_action = 'Delete', log_description = '$document_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Document version deleted";
header("Location: client_document_details.php?client_id=$client_id&document_id=$document_parent");
}
if (isset($_GET['delete_document'])) {
validateAdminRole();
$document_id = intval($_GET['delete_document']);
mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id");
// Delete all versions associated with the master document
mysqli_query($mysqli,"DELETE FROM documents WHERE document_parent = $document_id");
// Remove Associations
// File Association
mysqli_query($mysqli,"DELETE FROM document_files WHERE document_id = $document_id");
// Contact Associations
mysqli_query($mysqli,"DELETE FROM contact_documents WHERE document_id = $document_id");
// Asset Associations
mysqli_query($mysqli,"DELETE FROM asset_documents WHERE document_id = $document_id");
// Software Associations
mysqli_query($mysqli,"DELETE FROM software_documents WHERE document_id = $document_id");
// Vendor Associations
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE document_id = $document_id");
// Service Associations
mysqli_query($mysqli,"DELETE FROM service_documents WHERE document_id = $document_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Delete', log_description = '$document_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Document and versions deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

342
post/user/domain.php Normal file
View File

@@ -0,0 +1,342 @@
<?php
/*
* ITFlow - GET/POST request handler for client domains
*/
if (isset($_POST['add_domain'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar']);
$dnshost = intval($_POST['dnshost']);
$webhost = intval($_POST['webhost']);
$mailhost = intval($_POST['mailhost']);
$extended_log_description = '';
$expire = sanitizeInput($_POST['expire']);
$notes = sanitizeInput($_POST['notes']);
// Set/check/lookup expiry date
if (strtotime($expire)) {
$expire = "'" . $expire . "'";
}
else {
$expire = getDomainExpirationDate($name);
if (strtotime($expire)) {
$expire = "'" . $expire . "'";
} else {
$expire = 'NULL';
}
}
// NS, MX, A and WHOIS records/data
$records = getDomainRecords($name);
$a = sanitizeInput($records['a']);
$ns = sanitizeInput($records['ns']);
$mx = sanitizeInput($records['mx']);
$txt = sanitizeInput($records['txt']);
$whois = sanitizeInput($records['whois']);
// Add domain record
mysqli_query($mysqli,"INSERT INTO domains SET domain_name = '$name', domain_description = '$description', domain_registrar = $registrar, domain_webhost = $webhost, domain_dnshost = $dnshost, domain_mailhost = $mailhost, domain_expire = $expire, domain_ip = '$a', domain_name_servers = '$ns', domain_mail_servers = '$mx', domain_txt = '$txt', domain_raw_whois = '$whois', domain_notes = '$notes', domain_client_id = $client_id");
// Get inserted ID (for linking certificate, if exists)
$domain_id = mysqli_insert_id($mysqli);
// Get SSL cert for domain (if exists)
$certificate = getSSL($name);
if ($certificate['success'] == "TRUE") {
$expire = sanitizeInput($certificate['expire']);
$issued_by = sanitizeInput($certificate['issued_by']);
$public_key = sanitizeInput($certificate['public_key']);
mysqli_query($mysqli,"INSERT INTO certificates SET certificate_name = '$name', certificate_domain = '$name', certificate_issued_by = '$issued_by', certificate_expire = '$expire', certificate_public_key = '$public_key', certificate_domain_id = $domain_id, certificate_client_id = $client_id");
$extended_log_description = ', with associated SSL cert';
}
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Domain', log_action = 'Create', log_description = '$session_name created domain $name$extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $domain_id");
$_SESSION['alert_message'] = "Domain <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_domain'])) {
validateTechRole();
$domain_id = intval($_POST['domain_id']);
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar']);
$dnshost = intval($_POST['dnshost']);
$webhost = intval($_POST['webhost']);
$mailhost = intval($_POST['mailhost']);
$expire = sanitizeInput($_POST['expire']);
$notes = sanitizeInput($_POST['notes']);
// if (empty($expire) || (new DateTime($expire)) < (new DateTime())) {
// // Update domain expiry date
// $expire = getDomainExpirationDate($name);
// }
// Set/check/lookup expiry date
if (strtotime($expire) && (new DateTime($expire)) > (new DateTime())) {
$expire = "'" . $expire . "'";
}
else {
$expire = getDomainExpirationDate($name);
if (strtotime($expire)) {
$expire = "'" . $expire . "'";
} else {
$expire = 'NULL';
}
}
$client_id = intval($_POST['client_id']);
// Update NS, MX, A and WHOIS records/data
$records = getDomainRecords($name);
$a = sanitizeInput($records['a']);
$ns = sanitizeInput($records['ns']);
$mx = sanitizeInput($records['mx']);
$txt = sanitizeInput($records['txt']);
$whois = sanitizeInput($records['whois']);
mysqli_query($mysqli,"UPDATE domains SET domain_name = '$name', domain_description = '$description', domain_registrar = $registrar, domain_webhost = $webhost, domain_dnshost = $dnshost, domain_mailhost = $mailhost, domain_expire = $expire, domain_ip = '$a', domain_name_servers = '$ns', domain_mail_servers = '$mx', domain_txt = '$txt', domain_raw_whois = '$whois', domain_notes = '$notes' WHERE domain_id = $domain_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Domain', log_action = 'Modify', log_description = '$session_name modified domain $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $domain_id");
$_SESSION['alert_message'] = "Domain <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_domain'])) {
$domain_id = intval($_GET['archive_domain']);
//Get domain Name
$sql = mysqli_query($mysqli,"SELECT * FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NOW() WHERE domain_id = $domain_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Domain', log_action = 'Archive', log_description = '$session_name archived domain $domain_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Domain <strong>$domain_name archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_domain'])){
$domain_id = intval($_GET['unarchive_domain']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NULL WHERE domain_id = $domain_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'domain', log_action = 'Unarchive', log_description = '$session_name restored domain $domain_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $domain_id");
$_SESSION['alert_message'] = "Domain <strong>$domain_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_domain'])) {
validateAdminRole();
$domain_id = intval($_GET['delete_domain']);
// Get Domain Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"DELETE FROM domains WHERE domain_id = $domain_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Domain', log_action = 'Delete', log_description = '$session_name deleted domain $domain_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $domain_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Domain <strong>$domain_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_domains'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$domain_ids = $_POST['domain_ids']; // Get array of IDs to be deleted
if (!empty($domain_ids)) {
// Cycle through array and archive each record
foreach ($domain_ids as $domain_id) {
$domain_id = intval($domain_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NOW() WHERE domain_id = $domain_id");
// Individual Contact logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Domain', log_action = 'Archive', log_description = '$session_name archived domain $domain_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $domain_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Domain', log_action = 'Archive', log_description = '$session_name archived $count domains', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived $count domain(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_domains'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$domain_ids = $_POST['domain_ids']; // Get array of IDs
if (!empty($domain_ids)) {
// Cycle through array and unarchive
foreach ($domain_ids as $domain_id) {
$domain_id = intval($domain_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NULL WHERE domain_id = $domain_id");
// Individual logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Domain', log_action = 'Unarchive', log_description = '$session_name Unarchived domain $domains_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $domain_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Domain', log_action = 'Unarchive', log_description = '$session_name Unarchived $count domains', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Unarchived $count domain(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_domains'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$domain_ids = $_POST['domain_ids']; // Get array of domain IDs to be deleted
$client_id = intval($_POST['client_id']);
if (!empty($domain_ids)) {
// Cycle through array and delete each domain
foreach ($domain_ids as $domain_id) {
$domain_id = intval($domain_id);
mysqli_query($mysqli, "DELETE FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Domain', log_action = 'Delete', log_description = '$session_name deleted a domain (bulk)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $domain_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Domain', log_action = 'Delete', log_description = '$session_name bulk deleted $count domains', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count domain(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_domains_csv'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM domains WHERE domain_client_id = $client_id ORDER BY domain_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = $client_name . "-Domains-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Domain', 'Description', 'Registrar', 'Web Host', 'Expiration Date');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['domain_name'], $row['domain_description'], $row['domain_registrar'], $row['domain_webhost'], $row['domain_expire']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Domain', log_action = 'Export', log_description = '$session_name exported $num_rows domain(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}

203
post/user/event.php Normal file
View File

@@ -0,0 +1,203 @@
<?php
/*
* ITFlow - GET/POST request handler for calendar & events
*/
if (isset($_POST['add_calendar'])) {
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
mysqli_query($mysqli,"INSERT INTO calendars SET calendar_name = '$name', calendar_color = '$color'");
$calendar_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar', log_action = 'Create', log_description = '$session_name created calendar $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $calendar_id");
$_SESSION['alert_message'] = "Calendar <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_calendar'])) {
$calendar_id = intval($_POST['calendar_id']);
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
mysqli_query($mysqli,"UPDATE calendars SET calendar_name = '$name', calendar_color = '$color' WHERE calendar_id = $calendar_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar', log_action = 'Edit', log_description = '$session_name Edited calendar $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $calendar_id");
$_SESSION['alert_message'] = "Calendar <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_event'])) {
require_once 'post/user/event_model.php';
mysqli_query($mysqli,"INSERT INTO events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client");
$event_id = mysqli_insert_id($mysqli);
//Get Calendar Name
$sql = mysqli_query($mysqli,"SELECT * FROM calendars WHERE calendar_id = $calendar_id");
$row = mysqli_fetch_array($sql);
$calendar_name = sanitizeInput($row['calendar_name']);
//If email is checked
if ($email_event == 1) {
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
$row = mysqli_fetch_array($sql_client);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
$company_name = sanitizeInput($row['company_name']);
$company_country = sanitizeInput($row['company_country']);
$company_address = sanitizeInput($row['company_address']);
$company_city = sanitizeInput($row['company_city']);
$company_state = sanitizeInput($row['company_state']);
$company_zip = sanitizeInput($row['company_zip']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
$company_email = sanitizeInput($row['company_email']);
$company_website = sanitizeInput($row['company_website']);
$company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$subject = "New Calendar Event";
$body = "Hello $contact_name,<br><br>A calendar event has been scheduled:<br><br>Event Title: $title<br>Event Date: $start<br><br><br>--<br>$company_name<br>$company_phone";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($mysqli, $data);
// Logging for email (success/fail)
if ($mail === true) {
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Email', log_description = '$session_name emailed event $title to $contact_name from client $client_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client, log_user_id = $session_user_id, log_entity_id = $event_id");
} else {
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $contact_email'");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $contact_email regarding $subject. $mail', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
}
} // End mail IF
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Create', log_description = '$session_name created a calendar event titled $title in calendar $calendar_name', log_ip = '$session_ip', log_client_id = $client, log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $event_id");
$_SESSION['alert_message'] = "Event <strong>$title</strong> created in calendar <strong>$calendar_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_event'])) {
require_once 'post/user/event_model.php';
$event_id = intval($_POST['event_id']);
mysqli_query($mysqli,"UPDATE events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client WHERE event_id = $event_id");
//If email is checked
if ($email_event == 1) {
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
$row = mysqli_fetch_array($sql_client);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
$company_name = sanitizeInput($row['company_name']);
$company_country = sanitizeInput($row['company_country']);
$company_address = sanitizeInput($row['company_address']);
$company_city = sanitizeInput($row['company_city']);
$company_state = sanitizeInput($row['company_state']);
$company_zip = sanitizeInput($row['company_zip']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
$company_email = sanitizeInput($row['company_email']);
$company_website = sanitizeInput($row['company_website']);
$company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$subject = "Calendar Event Rescheduled";
$body = "Hello $contact_name,<br><br>A calendar event has been rescheduled:<br><br>Event Title: $title<br>Event Date: $start<br><br><br>--<br>$company_name<br>$company_phone";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($mysqli, $data);
// Logging for email (success/fail)
if ($mail === true) {
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar_Event', log_action = 'Email', log_description = '$session_name Emailed modified event $title to $client_name email $client_email', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
} else {
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $contact_email'");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $contact_email regarding $subject. $mail', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
}
} // End mail IF
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Modify', log_description = '$session_name modified calendar event $title', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client, log_user_id = $session_user_id, log_entity_id = $event_id");
$_SESSION['alert_message'] = "Calendar event titled <strong>$title</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_event'])) {
$event_id = intval($_GET['delete_event']);
// Get Event Title
$sql = mysqli_query($mysqli,"SELECT * FROM events WHERE event_id = $event_id");
$row = mysqli_fetch_array($sql);
$event_title = sanitizeInput($row['event_title']);
$client_id = intval($row['event_client_id']);
mysqli_query($mysqli,"DELETE FROM events WHERE event_id = $event_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Delete', log_description = '$session_name deleted calendar event titled $event_title', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Calendar event titled <strong>$event_title</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

10
post/user/event_model.php Normal file
View File

@@ -0,0 +1,10 @@
<?php
$calendar_id = intval($_POST['calendar']);
$title = sanitizeInput($_POST['title']);
$location = sanitizeInput($_POST['location']);
$description = sanitizeInput($_POST['description']);
$start = sanitizeInput($_POST['start']);
$end = sanitizeInput($_POST['end']);
$repeat = sanitizeInput($_POST['repeat']);
$client = intval($_POST['client']);
$email_event = intval($_POST['email_event']);

411
post/user/expense.php Normal file
View File

@@ -0,0 +1,411 @@
<?php
/*
* ITFlow - GET/POST request handler for expenses
*/
if (isset($_POST['add_expense'])) {
require_once 'post/user/expense_model.php';
mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference'");
$expense_id = mysqli_insert_id($mysqli);
// Check for and process attachment
$extended_alert_description = '';
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'pdf'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/expenses/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE expenses SET expense_receipt = '$new_file_name' WHERE expense_id = $expense_id");
$extended_alert_description = '. File successfully uploaded.';
} else {
$_SESSION['alert_type'] = "error";
$extended_alert_description = '. Error uploading file. Check upload directory is writable/correct file type/size';
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Create', log_description = '$description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Expense added" . $extended_alert_description;
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_expense'])) {
require_once 'post/user/expense_model.php';
$expense_id = intval($_POST['expense_id']);
// Get old receipt
$sql = mysqli_query($mysqli,"SELECT expense_receipt FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['expense_receipt']);
// Check for and process attachment
$extended_alert_description = '';
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'pdf'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/expenses/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
//Delete old file
unlink("uploads/expenses/$existing_file_name");
mysqli_query($mysqli,"UPDATE expenses SET expense_receipt = '$new_file_name' WHERE expense_id = $expense_id");
$extended_alert_description = '. File successfully uploaded.';
} else {
$_SESSION['alert_type'] = "error";
$extended_alert_description = '. Error uploading file. Check upload directory is writable/correct file type/size';
}
}
mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = $amount, expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference' WHERE expense_id = $expense_id");
$_SESSION['alert_message'] = "Expense modified" . $extended_alert_description;
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Modify', log_description = '$description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_expense'])) {
$expense_id = intval($_GET['delete_expense']);
$sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_receipt = sanitizeInput($row['expense_receipt']);
unlink("uploads/expenses/$expense_receipt");
mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Delete', log_description = '$expense_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Expense deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_expense_category'])) {
$category_id = intval($_POST['bulk_category_id']);
// Get Category name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT category_name FROM categories WHERE category_id = $category_id");
$row = mysqli_fetch_array($sql);
$category_name = sanitizeInput($row['category_name']);
// Get Selected Contacts Count
$expense_count = count($_POST['expense_ids']);
// Assign category to Selected Expenses
if (!empty($_POST['expense_ids'])) {
foreach($_POST['expense_ids'] as $expense_id) {
$expense_id = intval($expense_id);
// Get Expense Details for Logging
$sql = mysqli_query($mysqli,"SELECT expense_description, expense_client_id FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_description = sanitizeInput($row['expense_description']);
$client_id = intval($row['expense_client_id']);
mysqli_query($mysqli,"UPDATE expenses SET expense_category_id = $category_id WHERE expense_id = $expense_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Edit', log_description = '$session_name assigned $expense_description to expense category $category_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $expense_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You assigned expense category <b>$category_name</b> to <b>$expense_count</b> expenses";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_expense_account'])) {
$account_id = intval($_POST['bulk_account_id']);
// Get Account name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
$row = mysqli_fetch_array($sql);
$account_name = sanitizeInput($row['account_name']);
// Get Selected Contacts Count
$expense_count = count($_POST['expense_ids']);
// Assign category to Selected Expenses
if (!empty($_POST['expense_ids'])) {
foreach($_POST['expense_ids'] as $expense_id) {
$expense_id = intval($expense_id);
// Get Expense Details for Logging
$sql = mysqli_query($mysqli,"SELECT expense_description, expense_client_id FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_description = sanitizeInput($row['expense_description']);
$client_id = intval($row['expense_client_id']);
mysqli_query($mysqli,"UPDATE expenses SET expense_account_id = $account_id WHERE expense_id = $expense_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Edit', log_description = '$session_name assigned $expense_description to account $account_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $expense_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You assigned account <b>$account_name</b> to <b>$expense_count</b> expenses";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_expense_client'])) {
$client_id = intval($_POST['bulk_client_id']);
// Get Client name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = sanitizeInput($row['client_name']);
// Get Selected Contacts Count
$expense_count = count($_POST['expense_ids']);
// Assign category to Selected Expenses
if (!empty($_POST['expense_ids'])) {
foreach($_POST['expense_ids'] as $expense_id) {
$expense_id = intval($expense_id);
// Get Expense Details for Logging
$sql = mysqli_query($mysqli,"SELECT expense_description FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_description = sanitizeInput($row['expense_description']);
mysqli_query($mysqli,"UPDATE expenses SET expense_client_id = $client_id WHERE expense_id = $expense_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Edit', log_description = '$session_name assigned $expense_description to client $client_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $expense_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "You assigned Client <b>$client_name</b> to <b>$expense_count</b> expenses";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_expenses'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$expense_ids = $_POST['expense_ids']; // Get array of expense IDs to be deleted
$client_id = intval($_POST['client_id']);
if (!empty($expense_ids)) {
// Cycle through array and delete each expense
foreach ($expense_ids as $expense_id) {
$expense_id = intval($expense_id);
$sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_receipt = sanitizeInput($row['expense_receipt']);
unlink("uploads/expenses/$expense_receipt");
mysqli_query($mysqli, "DELETE FROM expenses WHERE expense_id = $expense_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Expense', log_action = 'Delete', log_description = '$session_name deleted a expense (bulk)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $expense_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Expense', log_action = 'Delete', log_description = '$session_name bulk deleted $count expenses', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted $count expense(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_expenses_csv'])) {
$date_from = sanitizeInput($_POST['date_from']);
$date_to = sanitizeInput($_POST['date_to']);
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$category = intval($_POST['category']);
if (!empty($date_from) && !empty($date_to)) {
$date_query = "AND DATE(expense_date) BETWEEN '$date_from' AND '$date_to'";
$file_name_date = "$date_from-to-$date_to";
}else{
$date_query = "";
$file_name_date = date('Y-m-d');
}
// Vendor Filter
if ($account) {
$account_query = "AND expense_account_id = $account";
} else {
$account_query = '';
}
// Vendor Filter
if ($vendor) {
$vendor_query = "AND expense_vendor_id = $vendor";
} else {
// Default - any
$vendor_query = '';
}
// Category Filter
if ($category) {
$category_query = "AND expense_category_id = $category";
} else {
// Default - any
$category_query = '';
}
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM expenses
LEFT JOIN categories ON expense_category_id = category_id
LEFT JOIN vendors ON expense_vendor_id = vendor_id
LEFT JOIN accounts ON expense_account_id = account_id
WHERE expense_vendor_id > 0
$date_query
$account_query
$vendor_query
$category_query
ORDER BY expense_date DESC
");
if (mysqli_num_rows($sql) > 0) {
$delimiter = ",";
$filename = "$session_company_name-Expenses-$file_name_date.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Date', 'Amount', 'Vendor', 'Description', 'Category', 'Account');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)) {
$lineData = array($row['expense_date'], $row['expense_amount'], $row['vendor_name'], $row['expense_description'], $row['category_name'], $row['account_name']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Export', log_description = '$session_name exported expenses to CSV File', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
exit;
}
if (isset($_POST['create_recurring_expense'])) {
$frequency = intval($_POST['frequency']);
$day = intval($_POST['day']);
$month = intval($_POST['month']);
$amount = floatval(str_replace(',', '', $_POST['amount']));
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$client = intval($_POST['client']);
$category = intval($_POST['category']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
$start_date = date('Y') . "-$month-$day";
mysqli_query($mysqli,"INSERT INTO recurring_expenses SET recurring_expense_frequency = $frequency, recurring_expense_day = $day, recurring_expense_month = $month, recurring_expense_next_date = '$start_date', recurring_expense_description = '$description', recurring_expense_reference = '$reference', recurring_expense_amount = $amount, recurring_expense_currency_code = '$session_company_currency', recurring_expense_vendor_id = $vendor, recurring_expense_client_id = $client, recurring_expense_category_id = $category, recurring_expense_account_id = $account");
$recurring_expense_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Recurring Expense', log_action = 'Create', log_description = '$description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Recurring Expense added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_recurring_expense'])) {
$recurring_expense_id = intval($_POST['recurring_expense_id']);
$frequency = intval($_POST['frequency']);
$day = intval($_POST['day']);
$month = intval($_POST['month']);
$amount = floatval(str_replace(',', '', $_POST['amount']));
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$client = intval($_POST['client']);
$category = intval($_POST['category']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
$start_date = date('Y') . "-$month-$day";
mysqli_query($mysqli,"UPDATE recurring_expenses SET recurring_expense_frequency = $frequency, recurring_expense_day = $day, recurring_expense_month = $month, recurring_expense_next_date = '$start_date', recurring_expense_description = '$description', recurring_expense_reference = '$reference', recurring_expense_amount = $amount, recurring_expense_currency_code = '$session_company_currency', recurring_expense_vendor_id = $vendor, recurring_expense_client_id = $client, recurring_expense_category_id = $category, recurring_expense_account_id = $account WHERE recurring_expense_id = $recurring_expense_id");
$recurring_expense_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Recurring Expense', log_action = 'Edit', log_description = '$description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Recurring Expense edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_recurring_expense'])) {
$recurring_expense_id = intval($_GET['delete_recurring_expense']);
mysqli_query($mysqli,"DELETE FROM recurring_expenses WHERE recurring_expense_id = $recurring_expense_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Recurring Expense', log_action = 'Delete', log_description = '$recurring_expense_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Recurring Expense deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

9
post/user/expense_model.php Normal file
View File

@@ -0,0 +1,9 @@
<?php
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$client = intval($_POST['client']);
$category = intval($_POST['category']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);

222
post/user/file.php Normal file
View File

@@ -0,0 +1,222 @@
<?php
/*
* ITFlow - GET/POST request handler for client files/uploads
*/
if (isset($_POST['upload_files'])) {
$client_id = intval($_POST['client_id']);
$folder_id = intval($_POST['folder_id']);
$description = sanitizeInput($_POST['description']);
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
for ($i = 0; $i < count($_FILES['file']['name']); $i++) {
// Extract file details for this iteration
$single_file = [
'name' => $_FILES['file']['name'][$i],
'type' => $_FILES['file']['type'][$i],
'tmp_name' => $_FILES['file']['tmp_name'][$i],
'error' => $_FILES['file']['error'][$i],
'size' => $_FILES['file']['size'][$i]
];
if ($file_reference_name = checkFileUpload($single_file, array('jpg', 'jpeg', 'gif', 'png', 'webp', 'pdf', 'txt', 'md', 'doc', 'docx', 'odt', 'csv', 'xls', 'xlsx', 'ods', 'pptx', 'odp', 'zip', 'tar', 'gz', 'xml', 'msg', 'json', 'wav', 'mp3', 'ogg', 'mov', 'mp4', 'av1', 'ovpn', 'cfg', 'ps1', 'vsdx', 'drawio', 'pfx', 'pages', 'numbers', 'unf'))) {
$file_tmp_path = $_FILES['file']['tmp_name'][$i];
$file_name = sanitizeInput($_FILES['file']['name'][$i]);
$extarr = explode('.', $_FILES['file']['name'][$i]);
$file_extension = sanitizeInput(strtolower(end($extarr)));
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $file_reference_name;
move_uploaded_file($file_tmp_path, $dest_path);
// Extract .ext from reference file name to be used to store SHA256 hash
$file_hash = strstr($file_reference_name, '.', true) ?: $file_reference_name;
mysqli_query($mysqli,"INSERT INTO files SET file_reference_name = '$file_reference_name', file_name = '$file_name', file_description = '$description', file_ext = '$file_extension', file_hash = '$file_hash', file_folder_id = $folder_id, file_client_id = $client_id");
//Logging
$file_id = intval(mysqli_insert_id($mysqli));
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'File', log_action = 'Upload', log_description = '$session_name uploaded $file_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $file_id");
} else {
$_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
}
}
// Redirect at the end, after processing all files
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['rename_file'])) {
validateTechRole();
$file_id = intval($_POST['file_id']);
$client_id = intval($_POST['client_id']);
$file_name = sanitizeInput($_POST['file_name']);
$file_description = sanitizeInput($_POST['file_description']);
// Folder edit query
mysqli_query($mysqli,"UPDATE files SET file_name = '$file_name' ,file_description = '$file_description' WHERE file_id = $file_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'File', log_action = 'Rename', log_description = '$session_name renamed file to $file_name $file_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $file_id");
$_SESSION['alert_message'] = "File <strong>$file_name</strong> renamed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['move_file'])) {
validateTechRole();
$file_id = intval($_POST['file_id']);
$client_id = intval($_POST['client_id']);
$folder_id = intval($_POST['folder_id']);
// Document edit query
mysqli_query($mysqli,"UPDATE files SET file_folder_id = $folder_id WHERE file_id = $file_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'File', log_action = 'Move', log_description = '$session_name moved file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $file_id");
$_SESSION['alert_message'] = "File moved";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_file'])) {
validateTechRole();
$file_id = intval($_GET['archive_file']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT file_name, file_client_id FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NOW() WHERE file_id = $file_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'File', log_action = 'Archive', log_description = '$session_name archived file $file_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $file_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "File <strong>$file_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['delete_file'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$file_id = intval($_POST['file_id']);
$sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql_file);
$client_id = intval($row['file_client_id']);
$file_name = sanitizeInput($row['file_name']);
$file_reference_name = sanitizeInput($row['file_reference_name']);
unlink("uploads/clients/$client_id/$file_reference_name");
mysqli_query($mysqli,"DELETE FROM files WHERE file_id = $file_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'File', log_action = 'Delete', log_description = '$file_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = '$client_id', log_user_id = $session_user_id, log_entity_id = $file_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "File <strong>$file_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_move_files'])) {
validateTechRole();
$folder_id = intval($_POST['bulk_folder_id']);
// Get folder name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT folder_name, folder_client_id FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql);
$folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
// Get Selected file Count
$file_count = count($_POST['file_ids']);
// Move Documents to Folder Loop
if (!empty($_POST['file_ids'])) {
foreach($_POST['file_ids'] as $file_id) {
$file_id = intval($file_id);
// Get file name for logging
$sql = mysqli_query($mysqli,"SELECT file_name FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$file_name = sanitizeInput($row['file_name']);
// file move query
mysqli_query($mysqli,"UPDATE files SET file_folder_id = $folder_id WHERE file_id = $file_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'File', log_action = 'Move', log_description = '$session_name moved file $file_name to folder $folder_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $file_id");
}
}
$_SESSION['alert_message'] = "You moved <b>$file_count</b> files to the folder <b>$folder_name</b>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_asset_to_file'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$file_id = intval($_POST['file_id']);
$asset_id = intval($_POST['asset_id']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO asset_files SET asset_id = $asset_id, file_id = $file_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'File', log_action = 'Link', log_description = 'Created File Asset link', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Asset linked with File";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_asset_from_file'])) {
validateTechRole();
$asset_id = intval($_GET['asset_id']);
$file_id = intval($_GET['file_id']);
mysqli_query($mysqli,"DELETE FROM asset_files WHERE asset_id = $asset_id AND file_id = $file_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'File', log_action = 'unLink', log_description = 'File Asset link removed', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Asset has been unlinked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

71
post/user/folder.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
/*
* ITFlow - GET/POST request handler for folders
*/
if (isset($_POST['create_folder'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$folder_location = intval($_POST['folder_location']);
$folder_name = sanitizeInput($_POST['folder_name']);
// Document folder add query
$add_folder = mysqli_query($mysqli,"INSERT INTO folders SET folder_name = '$folder_name', folder_location = $folder_location, folder_client_id = $client_id");
$folder_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Folder', log_action = 'Create', log_description = '$session_name created folder $folder_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $folder_id");
$_SESSION['alert_message'] = "Folder <strong>$folder_name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['rename_folder'])) {
validateTechRole();
$folder_id = intval($_POST['folder_id']);
$client_id = intval($_POST['client_id']);
$folder_name = sanitizeInput($_POST['folder_name']);
// Folder edit query
mysqli_query($mysqli,"UPDATE folders SET folder_name = '$folder_name' WHERE folder_id = $folder_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Folder', log_action = 'Modify', log_description = '$session_name renamed folder to $folder_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $folder_id");
$_SESSION['alert_message'] = "Folder <strong>$folder_name</strong> renamed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_folder'])) {
validateAdminRole();
$folder_id = intval($_GET['delete_folder']);
mysqli_query($mysqli,"DELETE FROM folders WHERE folder_id = $folder_id");
// Move files in deleted folder back to the root folder /
$sql_documents = mysqli_query($mysqli,"SELECT * FROM documents WHERE document_folder_id = $folder_id");
while($row = mysqli_fetch_array($sql_documents)) {
$document_id = intval($row['document_id']);
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = 0 WHERE document_id = $document_id");
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Folder', log_action = 'Delete', log_description = '$folder_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Folder deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

1500
post/user/invoice.php Normal file
View File

File diff suppressed because it is too large Load Diff

8
post/user/invoice_model.php Normal file
View File

@@ -0,0 +1,8 @@
<?php
$date = sanitizeInput($_POST['date']);
$category = intval($_POST['category']);
$scope = sanitizeInput($_POST['scope']);
$invoice_discount = floatval($_POST['invoice_discount']);
$recurring_discount = floatval($_POST['recurring_discount']);
$config_invoice_prefix = sanitizeInput($config_invoice_prefix);

544
post/user/location.php Normal file
View File

@@ -0,0 +1,544 @@
<?php
/*
* ITFlow - GET/POST request handler for client physical locations/sites
*/
if(isset($_POST['add_location'])){
validateTechRole();
require_once 'post/user/location_model.php';
if(!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
mysqli_query($mysqli,"INSERT INTO locations SET location_name = '$name', location_description = '$description', location_country = '$country', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone = '$phone', location_hours = '$hours', location_notes = '$notes', location_contact_id = $contact, location_client_id = $client_id");
$location_id = mysqli_insert_id($mysqli);
// Add Tags
if (isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO location_tags SET location_id = $location_id, tag_id = $tag");
}
}
// Update Primary location in clients if primary location is checked
if ($location_primary == 1) {
mysqli_query($mysqli,"UPDATE locations SET location_primary = 0 WHERE location_client_id = $client_id");
mysqli_query($mysqli,"UPDATE locations SET location_primary = 1 WHERE location_id = $location_id");
}
// Check to see if a file is attached
if($_FILES['file']['tmp_name'] != ''){
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE locations SET location_photo = '$new_file_name' WHERE location_id = $location_id");
$_SESSION['alert_message'] = 'File successfully uploaded.';
}else{
$_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Create', log_description = '$session_name created location $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$_SESSION['alert_message'] .= "Location <strong>$name</strong> created.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['edit_location'])){
validateTechRole();
require_once 'post/user/location_model.php';
$location_id = intval($_POST['location_id']);
// Get old location photo
$sql = mysqli_query($mysqli,"SELECT location_photo FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['location_photo']);
if(!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
mysqli_query($mysqli,"UPDATE locations SET location_name = '$name', location_description = '$description', location_country = '$country', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone = '$phone', location_hours = '$hours', location_notes = '$notes', location_contact_id = $contact WHERE location_id = $location_id");
// Update Primay location in clients if primary location is checked
if ($location_primary == 1) {
mysqli_query($mysqli,"UPDATE locations SET location_primary = 0 WHERE location_client_id = $client_id");
mysqli_query($mysqli,"UPDATE locations SET location_primary = 1 WHERE location_id = $location_id");
}
// Tags
// Delete existing tags
mysqli_query($mysqli, "DELETE FROM location_tags WHERE location_id = $location_id");
// Add new tags
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO location_tags SET location_id = $location_id, tag_id = $tag");
}
//Check to see if a file is attached
if($_FILES['file']['tmp_name'] != ''){
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
//Delete old file
unlink("uploads/clients/$client_id/$existing_file_name");
mysqli_query($mysqli,"UPDATE locations SET location_photo = '$new_file_name' WHERE location_id = $location_id");
$_SESSION['alert_message'] = 'File successfully uploaded.';
}else{
$_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Modify', log_description = '$session_name modified location $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$_SESSION['alert_message'] .= "Location <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['archive_location'])){
validateTechRole();
$location_id = intval($_GET['archive_location']);
// Get Location Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Archive', log_description = '$session_name archived location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Location <strong>$location_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_location'])){
validateTechRole();
$location_id = intval($_GET['unarchive_location']);
// Get Location Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Unarchive', log_description = '$session_name restored location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$_SESSION['alert_message'] = "Location <strong>$location_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['delete_location'])){
validateAdminRole();
$location_id = intval($_GET['delete_location']);
// Get Location Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"DELETE FROM locations WHERE location_id = $location_id");
// Tags
// Delete existing tags
mysqli_query($mysqli, "DELETE FROM location_tags WHERE location_id = $location_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Delete', log_description = '$session_name deleted location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Location <strong>$location_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_location_tags'])) {
validateTechRole();
// Get Selected Count
$count = count($_POST['location_ids']);
// Assign Tags to Selected
if (!empty($_POST['location_ids'])) {
foreach($_POST['location_ids'] as $location_id) {
$location_id = intval($location_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM location_tags WHERE location_id = $location_id");
}
// Add new tags
foreach($_POST['bulk_tags'] as $tag) {
$tag = intval($tag);
$sql = mysqli_query($mysqli,"SELECT * FROM location_tags WHERE location_id = $location_id AND tag_id = $tag");
if (mysqli_num_rows($sql) == 0) {
mysqli_query($mysqli, "INSERT INTO location_tags SET location_id = $location_id, tag_id = $tag");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Modify', log_description = '$session_name added tags to $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
} // End Assign Location Loop
$_SESSION['alert_message'] = "Assigned tags for <b>$count</b> locations";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_locations'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$location_ids = $_POST['location_ids']; // Get array of IDs to be deleted
if (!empty($location_ids)) {
// Cycle through array and archive each contact
foreach ($location_ids as $location_id) {
$location_id = intval($location_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id, location_primary FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$location_primary = intval($row['location_primary']);
$client_id = intval($row['location_client_id']);
if($location_primary == 0) {
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
// Individual Contact logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Archive', log_description = '$session_name archived location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$count++;
}
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Location', log_action = 'Archive', log_description = '$session_name archived $count locations', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived $count location(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_locations'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$location_ids = $_POST['location_ids']; // Get array of IDs
if (!empty($location_ids)) {
// Cycle through array and unarchive
foreach ($location_ids as $location_id) {
$location_id = intval($location_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
// Individual logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Unarchive', log_description = '$session_name Unarchived location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Location', log_action = 'Unarchive', log_description = '$session_name Unarchived $count locations', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Unarchived $count location(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_locations'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$location_ids = $_POST['location_ids']; // Get array of IDs to be deleted
if (!empty($location_ids)) {
// Cycle through array and delete each record
foreach ($location_ids as $location_id) {
$location_id = intval($location_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli, "DELETE FROM locations WHERE location_id = $location_id AND location_client_id = $client_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Location', log_action = 'Delete', log_description = '$session_name deleted location $location_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $location_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Location', log_action = 'Delete', log_description = '$session_name bulk deleted $count locations', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count location(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['export_client_locations_csv'])){
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = sanitizeInput($row['client_name']);
//Locations
$sql = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_client_id = $client_id AND location_archived_at IS NULL ORDER BY location_name ASC");
$num_rows = mysqli_num_rows($sql);
if($num_rows > 0) {
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Locations-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Address', 'City', 'State', 'Postal Code', 'Phone', 'Hours');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()){
$lineData = array($row['location_name'], $row['location_description'], $row['location_address'], $row['location_city'], $row['location_state'], $row['location_zip'], $row['location_phone'], $row['location_hours']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Export', log_description = '$session_name exported $num_rows location(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}
if(isset($_POST["import_client_locations_csv"])){
validateTechRole();
$client_id = intval($_POST['client_id']);
$file_name = $_FILES["file"]["tmp_name"];
$error = false;
//Check file is CSV
$file_extension = strtolower(end(explode('.',$_FILES['file']['name'])));
$allowed_file_extensions = array('csv');
if(in_array($file_extension,$allowed_file_extensions) === false){
$error = true;
$_SESSION['alert_message'] = "Bad file extension";
}
//Check file isn't empty
elseif($_FILES["file"]["size"] < 1){
$error = true;
$_SESSION['alert_message'] = "Bad file size (empty?)";
}
//(Else)Check column count
$f = fopen($file_name, "r");
$f_columns = fgetcsv($f, 1000, ",");
if(!$error & count($f_columns) != 8) {
$error = true;
$_SESSION['alert_message'] = "Bad column count.";
}
//Else, parse the file
if(!$error){
$file = fopen($file_name, "r");
fgetcsv($file, 1000, ","); // Skip first line
$row_count = 0;
$duplicate_count = 0;
while(($column = fgetcsv($file, 1000, ",")) !== false){
$duplicate_detect = 0;
if(isset($column[0])){
$name = sanitizeInput($column[0]);
if(mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM locations WHERE location_name = '$name' AND location_client_id = $client_id")) > 0){
$duplicate_detect = 1;
}
}
if(isset($column[1])){
$description = sanitizeInput($column[1]);
}
if(isset($column[2])){
$address = sanitizeInput($column[2]);
}
if(isset($column[3])){
$city = sanitizeInput($column[3]);
}
if(isset($column[4])){
$state = sanitizeInput($column[4]);
}
if(isset($column[5])){
$zip = sanitizeInput($column[5]);
}
if(isset($column[6])){
$phone = preg_replace("/[^0-9]/", '',$column[6]);
}
if(isset($column[7])){
$hours = sanitizeInput($column[7]);
}
// Check if duplicate was detected
if($duplicate_detect == 0){
//Add
mysqli_query($mysqli,"INSERT INTO locations SET location_name = '$name', location_description = '$description', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone = '$phone', location_hours = '$hours', location_client_id = $client_id");
$row_count = $row_count + 1;
}else{
$duplicate_count = $duplicate_count + 1;
}
}
fclose($file);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Location', log_action = 'Import', log_description = '$session_name imported $row_count location(s) via CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent' log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "$row_count Location(s) imported, $duplicate_count duplicate(s) detected and not imported";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//Check for any errors, if there are notify user and redirect
if($error) {
$_SESSION['alert_type'] = "warning";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if(isset($_GET['download_client_locations_csv_template'])){
$client_id = intval($_GET['download_client_locations_csv_template']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Locations-Template.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Address', 'City', 'State', 'Postal Code', 'Phone', 'Hours');
fputcsv($f, $fields, $delimiter);
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
exit;
}

14
post/user/location_model.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$country = sanitizeInput($_POST['country']);
$address = sanitizeInput($_POST['address']);
$city = sanitizeInput($_POST['city']);
$state = sanitizeInput($_POST['state']);
$zip = sanitizeInput($_POST['zip']);
$phone = preg_replace("/[^0-9]/", '',$_POST['phone']);
$hours = sanitizeInput($_POST['hours']);
$notes = sanitizeInput($_POST['notes']);
$contact = intval($_POST['contact']);
$location_primary = intval($_POST['location_primary']);

171
post/user/network.php Normal file
View File

@@ -0,0 +1,171 @@
<?php
/*
* ITFlow - GET/POST request handler for client networks
*/
if (isset($_POST['add_network'])) {
validateTechRole();
require_once 'post/user/login_model.php';
mysqli_query($mysqli,"INSERT INTO networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id, network_client_id = $client_id");
$network_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Network', log_action = 'Create', log_description = '$session name created network $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $network_id");
$_SESSION['alert_message'] = "Network <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_network'])) {
validateTechRole();
$network_id = intval($_POST['network_id']);
require_once 'post/user/login_model.php';
mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Network', log_action = 'Modify', log_description = '$session_name modified network $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $network_id");
$_SESSION['alert_message'] = "Network <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_network'])) {
validateTechRole();
$network_id = intval($_GET['archive_network']);
// Get Network Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT network_name, network_client_id FROM networks WHERE network_id = $network_id");
$row = mysqli_fetch_array($sql);
$network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']);
mysqli_query($mysqli,"UPDATE networks SET network_archived_at = NOW() WHERE network_id = $network_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Network', log_action = 'Archive', log_description = '$session_name archived network $network_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $network_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Network <strong>$network_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_network'])) {
validateAdminRole();
$network_id = intval($_GET['delete_network']);
// Get Network Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT network_name, network_client_id FROM networks WHERE network_id = $network_id");
$row = mysqli_fetch_array($sql);
$network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']);
mysqli_query($mysqli,"DELETE FROM networks WHERE network_id = $network_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Network', log_action = 'Delete', log_description = '$session_name deleted network $network_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $network_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Network <strong>$network_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_networks'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$network_ids = $_POST['network_ids']; // Get array of network IDs to be deleted
$client_id = intval($_POST['client_id']);
if (!empty($network_ids)) {
// Cycle through array and delete each network
foreach ($network_ids as $network_id) {
$network_id = intval($network_id);
mysqli_query($mysqli, "DELETE FROM networks WHERE network_id = $network_id AND network_client_id = $client_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Network', log_action = 'Delete', log_description = '$session_name deleted a network (bulk)', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $network_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Certificate', log_action = 'Network', log_description = '$session_name bulk deleted $count networks', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count network(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_networks_csv'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_client_id = $client_id ORDER BY network_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = $client_name . "-Networks-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'vLAN', 'IP/Network', 'Subnet Mask', 'Gateway', 'Primary DNS', 'Secondary DNS', 'DHCP Range');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['network_name'], $row['network_description'], $row['network_vlan'], $row['network'], $row['network_subnet'], $row['network_gateway'], $row['network_primary_dns'], $row['network_secondary_dns'], $row['network_dhcp_range']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Network', log_action = 'Export', log_description = '$session_name exported $num_rows network(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}

13
post/user/network_model.php Normal file
View File

@@ -0,0 +1,13 @@
<?php
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$vlan = intval($_POST['vlan']);
$network = sanitizeInput($_POST['network']);
$subnet = sanitizeInput($_POST['subnet']);
$gateway = sanitizeInput($_POST['gateway']);
$primary_dns = sanitizeInput($_POST['primary_dns']);
$secondary_dns = sanitizeInput($_POST['secondary_dns']);
$dhcp_range = sanitizeInput($_POST['dhcp_range']);
$notes = sanitizeInput($_POST['notes']);
$location_id = intval($_POST['location']);
$client_id = intval($_POST['client_id']);

298
post/user/product.php Normal file
View File

@@ -0,0 +1,298 @@
<?php
/*
* ITFlow - GET/POST request handler for products
*/
// Products
if (isset($_POST['add_product'])) {
require_once 'post/user/product_model.php';
mysqli_query($mysqli,"INSERT INTO products SET product_name = '$name', product_description = '$description', product_price = '$price', product_currency_code = '$session_company_currency', product_tax_id = $tax, product_category_id = $category");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Create', log_description = '$session_name created product $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Product <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_product'])) {
require_once 'post/user/product_model.php';
$product_id = intval($_POST['product_id']);
mysqli_query($mysqli,"UPDATE products SET product_name = '$name', product_description = '$description', product_price = '$price', product_tax_id = $tax, product_category_id = $category WHERE product_id = $product_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Modify', log_description = '$name', log_user_id = $session_user_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Modify', log_description = '$session_name modified product $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Product <strong>$name</strong> modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_product'])) {
validateTechRole();
$product_id = intval($_GET['archive_product']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NOW() WHERE product_id = $product_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Archive', log_description = '$session_name archived product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Product <strong>$product_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_product'])) {
validateTechRole();
$product_id = intval($_GET['unarchive_product']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Unarchive', log_description = '$session_name restored product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id");
$_SESSION['alert_message'] = "Product <strong>$product_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_product'])) {
$product_id = intval($_GET['delete_product']);
//Get Product Name
$sql = mysqli_query($mysqli,"SELECT * FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"DELETE FROM products WHERE product_id = $product_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Delete', log_description = '$session_name deleted product $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Product <strong>$product_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_product_category'])) {
$category_id = intval($_POST['bulk_category_id']);
// Get Category name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT category_name FROM categories WHERE category_id = $category_id");
$row = mysqli_fetch_array($sql);
$category_name = sanitizeInput($row['category_name']);
// Get Count
$count = count($_POST['product_ids']);
// Assign category to Selected Products
if (!empty($_POST['product_ids'])) {
foreach($_POST['product_ids'] as $product_id) {
$product_id = intval($product_id);
// Get Product Details for Logging
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_category_id = $category_id WHERE product_id = $product_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Edit', log_description = '$session_name assigned $product_name to income category $category_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id");
} // End Assign Product Loop
$_SESSION['alert_message'] = "You assigned product category <b>$category_name</b> to <b>$count</b> products";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_products'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$product_ids = $_POST['product_ids']; // Get array of IDs to be deleted
if (!empty($product_ids)) {
// Cycle through array and archive each record
foreach ($product_ids as $product_id) {
$product_id = intval($product_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NOW() WHERE product_id = $product_id");
// Individual Contact logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Archive', log_description = '$session_name archived product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Bulk Archive', log_description = '$session_name archived $count products', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived $count product(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_products'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$product_ids = $_POST['product_ids']; // Get array of IDs
if (!empty($product_ids)) {
// Cycle through array and unarchive
foreach ($product_ids as $product_id) {
$product_id = intval($product_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id");
// Individual logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Unarchive', log_description = '$session_name Unarchived product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Unarchive', log_description = '$session_name Unarchived $count products', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Unarchived $count product(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_products'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$product_ids = $_POST['product_ids']; // Get array of IDs to be deleted
if (!empty($product_ids)) {
// Cycle through array and delete each record
foreach ($product_ids as $product_id) {
$product_id = intval($product_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli, "DELETE FROM products WHERE product_id = $product_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Delete', log_description = '$session_name deleted product $product_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $product_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Product', log_action = 'Bulk Delete', log_description = '$session_name bulk deleted $count products', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count product(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
if (isset($_POST['export_products_csv'])) {
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM products
LEFT JOIN categories ON product_category_id = category_id
LEFT JOIN taxes ON product_tax_id = tax_id
WHERE product_archived_at IS NULL
ORDER BY product_name DESC
");
if (mysqli_num_rows($sql) > 0) {
$delimiter = ",";
$filename = "$session_company_name-Products.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Product', 'Description', 'Price', 'Currency', 'Category', 'Tax');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)) {
$lineData = array($row['product_name'], $row['product_description'], $row['product_price'], $row['product_currency_code'], $row['category_name'], $row['tax_name']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Product', log_action = 'Export', log_description = '$session_name exported products to CSV File', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
exit;
}

6
post/user/product_model.php Normal file
View File

@@ -0,0 +1,6 @@
<?php
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$price = floatval($_POST['price']);
$category = intval($_POST['category']);
$tax = intval($_POST['tax']);

306
post/user/profile.php Normal file
View File

@@ -0,0 +1,306 @@
<?php
/*
* ITFlow - GET/POST request handler for user profiles (tech/agent)
*/
if (isset($_POST['edit_your_user_details'])) {
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$email = sanitizeInput($_POST['email']);
$sql = mysqli_query($mysqli,"SELECT user_avatar FROM users WHERE user_id = $session_user_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['user_avatar']);
$logout = false;
$extended_log_description = '';
// Email notification when password or email is changed
$user_old_email_sql = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT user_email FROM users WHERE user_id = $session_user_id"));
$user_old_email = sanitizeInput($user_old_email_sql['user_email']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_app_name = sanitizeInput($config_app_name);
if (!empty($config_smtp_host) && ($user_old_email !== $email)) {
$details = "Your email address was changed. New email: $email.";
$subject = "$config_app_name account update confirmation for $name";
$body = "Hi $name, <br><br>Your $config_app_name account has been updated, details below: <br><br> <b>$details</b> <br><br> If you did not perform this change, contact your $config_app_name administrator immediately. <br><br>Thanks, <br>ITFlow<br>$session_company_name";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $user_old_email,
'recipient_name' => $name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($mysqli, $data);
}
// Check to see if a file is attached
if ($_FILES['avatar']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['avatar'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['avatar']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/users/$session_user_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
// Delete old file
unlink("uploads/users/$session_user_id/$existing_file_name");
// Set Avatar
mysqli_query($mysqli,"UPDATE users SET user_avatar = '$new_file_name' WHERE user_id = $session_user_id");
// Extended Logging
$extended_log_description .= ", avatar updated";
} else {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
}
}
mysqli_query($mysqli,"UPDATE users SET user_name = '$name', user_email = '$email' WHERE user_id = $session_user_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Details', log_action = 'Modify', log_description = '$session_name modified their details $extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "User details updated";
if ($logout) {
header('Location: post.php?logout');
}
else{
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_GET['clear_your_user_avatar'])) {
validateCSRFToken($_GET['csrf_token']);
mysqli_query($mysqli,"UPDATE users SET user_avatar = NULL WHERE user_id = $session_user_id");
$_SESSION['alert_message'] = "Avatar cleared";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_your_user_password'])) {
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
$new_password = trim($_POST['new_password']);
if (empty($new_password)) {
header('Location: user_security.php');
exit;
}
// Email notification when password or email is changed
$user_sql = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT user_name, user_email FROM users WHERE user_id = $session_user_id"));
$name = sanitizeInput($user_sql['user_name']);
$user_email = sanitizeInput($user_sql['user_email']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_app_name = sanitizeInput($config_app_name);
if (!empty($config_smtp_host)){
$details = "Your password was changed.";
$subject = "$config_app_name account update confirmation for $name";
$body = "Hi $name, <br><br>Your $config_app_name account has been updated, details below: <br><br> <b>$details</b> <br><br> If you did not perform this change, contact your $config_app_name administrator immediately. <br><br>Thanks, <br>$config_app_name";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $user_email,
'recipient_name' => $name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($mysqli, $data);
}
$new_password = password_hash($new_password, PASSWORD_DEFAULT);
$user_specific_encryption_ciphertext = encryptUserSpecificKey($_POST['new_password']);
mysqli_query($mysqli,"UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $session_user_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Preferences', log_action = 'Modify', log_description = '$session_name changed their password', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Your password was updated";
header('Location: post.php?logout');
}
if (isset($_POST['edit_your_user_preferences'])) {
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
$calendar_first_day = intval($_POST['calendar_first_day']);
// Calendar
if (isset($calendar_first_day)) {
mysqli_query($mysqli, "UPDATE user_settings SET user_config_calendar_first_day = $calendar_first_day WHERE user_id = $session_user_id");
}
// Enable extension access, only if it isn't already setup (user doesn't have cookie)
if (isset($_POST['extension']) && $_POST['extension'] == 'Yes') {
if (!isset($_COOKIE['user_extension_key'])) {
$extension_key = randomString(156);
mysqli_query($mysqli, "UPDATE users SET user_extension_key = '$extension_key' WHERE user_id = $session_user_id");
$extended_log_description .= "enabled browser extension access";
$logout = true;
}
}
// Disable extension access
if (!isset($_POST['extension'])) {
mysqli_query($mysqli, "UPDATE users SET user_extension_key = '' WHERE user_id = $session_user_id");
$extended_log_description .= "disabled browser extension access";
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Preferences', log_action = 'Modify', log_description = '$session_name $extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "User preferences updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['verify'])) {
require_once "rfc6238.php";
$currentcode = intval($_POST['code']); //code to validate, for example received from device
if (TokenAuth6238::verify($session_token, $currentcode)) {
$_SESSION['alert_message'] = "VALID!";
}else{
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "IN-VALID!";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['enable_2fa'])){
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
$token = sanitizeInput($_POST['token']);
mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
// Delete any existing 2FA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name enabled 2FA on their account', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Two-factor authentication enabled";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['disable_2fa'])){
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name disabled 2FA on their account', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_app_name = sanitizeInput($config_app_name);
// Email notification
if (!empty($config_smtp_host)) {
$subject = "$config_app_name account update confirmation for $session_name";
$body = "Hi $session_name, <br><br>Your $config_app_name account has been updated, details below: <br><br> <b>2FA was disabled.</b> <br><br> If you did not perform this change, contact your $config_app_name administrator immediately. <br><br>Thanks, <br>ITFlow<br>$session_company_name";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $session_email,
'recipient_name' => $session_name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($mysqli, $data);
}
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Two-factor authentication disabled";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['revoke_your_2fa_remember_tokens'])) {
// CSRF
validateCSRFToken($_POST['csrf_token']);
// Delete tokens
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name revoked all their remember-me tokens', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, log_entity_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Remember me tokens revoked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['logout'])) {
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Logout', log_action = 'Success', log_description = '$session_name logged out', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
mysqli_query($mysqli, "UPDATE users SET user_php_session = '' WHERE user_id = $session_user_id");
setcookie("PHPSESSID", '', time() - 3600, "/");
unset($_COOKIE['PHPSESSID']);
setcookie("user_encryption_session_key", '', time() - 3600, "/");
unset($_COOKIE['user_encryption_session_key']);
setcookie("user_extension_key", '', time() - 3600, "/");
unset($_COOKIE['user_extension_key']);
session_unset();
session_destroy();
header('Location: login.php?key=' . $config_login_key_secret);
}

177
post/user/project.php Normal file
View File

@@ -0,0 +1,177 @@
<?php
/*
* ITFlow - GET/POST request handler for tasks
*/
if (isset($_POST['add_project'])) {
validateTechRole();
$project_name = sanitizeInput($_POST['name']);
$project_description = sanitizeInput($_POST['description']);
$due_date = sanitizeInput($_POST['due_date']);
$project_manager = intval($_POST['project_manager']);
$client_id = intval($_POST['client_id']);
$project_template_id = intval($_POST['project_template_id']);
// Sanitize Project Prefix
$config_project_prefix = sanitizeInput($config_project_prefix);
// Get the next Project Number and add 1 for the new Project number
$project_number = $config_project_next_number;
$new_config_project_next_number = $config_project_next_number + 1;
mysqli_query($mysqli, "UPDATE settings SET config_project_next_number = $new_config_project_next_number WHERE company_id = 1");
mysqli_query($mysqli, "INSERT INTO projects SET project_prefix = '$config_project_prefix', project_number = $project_number, project_name = '$project_name', project_description = '$project_description', project_due = '$due_date', project_manager = $project_manager, project_client_id = $client_id");
$project_id = mysqli_insert_id($mysqli);
// If project template is selected add Ticket Templates and convert them to real tickets
if($project_template_id) {
// Get Associated Ticket Templates
$sql_ticket_templates = mysqli_query($mysqli, "SELECT * FROM ticket_templates, project_template_ticket_templates
WHERE ticket_templates.ticket_template_id = project_template_ticket_templates.ticket_template_id
AND project_template_ticket_templates.project_template_id = $project_template_id");
$ticket_template_count = mysqli_num_rows($sql_ticket_templates);
while ($row = mysqli_fetch_array($sql_ticket_templates)) {
$ticket_template_id = intval($row['ticket_template_id']);
$ticket_template_order = intval($row['ticket_template_order']);
$ticket_template_subject = sanitizeInput($row['ticket_template_subject']);
$ticket_template_details = mysqli_escape_string($mysqli, $row['ticket_template_details']);
// Get the next Ticket Number and add 1 for the new ticket number
$ticket_number = $config_ticket_next_number;
$new_config_ticket_next_number = $config_ticket_next_number + 1;
mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = 1");
mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$ticket_template_subject', ticket_details = '$ticket_template_details', ticket_priority = 'Low', ticket_status = 1, ticket_created_by = $session_user_id, ticket_client_id = $client_id, ticket_project_id = $project_id");
$config_ticket_next_number = $config_ticket_next_number + 1;
$ticket_id = mysqli_insert_id($mysqli);
// Task Templates for Ticket template and add the to the ticket
$sql_task_templates = mysqli_query($mysqli,
"SELECT * FROM task_templates WHERE task_template_ticket_template_id = $ticket_template_id");
$task_template_count = mysqli_num_rows($sql_task_templates);
while ($row = mysqli_fetch_array($sql_task_templates)) {
$task_template_id = intval($row['task_template_id']);
$task_template_order = intval($row['task_template_order']);
$task_template_name = sanitizeInput($row['task_template_name']);
mysqli_query($mysqli,"INSERT INTO tasks SET task_name = '$task_template_name', task_order = $task_template_order, task_ticket_id = $ticket_id");
} // End task Loop
} // End Ticket Loop
} // End If Project Template
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project', log_action = 'Create', log_description = '$session_name created project $project_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $project_id");
$_SESSION['alert_message'] = "You created Project <strong>$project_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_project'])) {
validateTechRole();
$project_id = intval($_POST['project_id']);
$project_name = sanitizeInput($_POST['name']);
$project_description = sanitizeInput($_POST['description']);
$due_date = sanitizeInput($_POST['due_date']);
$project_manager = intval($_POST['project_manager']);
$client_id = intval($_POST['client_id']);
mysqli_query($mysqli, "UPDATE projects SET project_name = '$project_name', project_description = '$project_description', project_due = '$due_date', project_manager = $project_manager WHERE project_id = $project_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project', log_action = 'Edit', log_description = '$session_name edited project $project_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $project_id");
$_SESSION['alert_message'] = "You edited Project <strong>$project_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['close_project'])) {
validateTechRole();
$project_id = intval($_GET['close_project']);
// Get Project Name and client id for logging
$sql = mysqli_query($mysqli, "SELECT * FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['project_client_id']);
$project_name = sanitizeInput($row['project_name']);
mysqli_query($mysqli, "UPDATE projects SET project_completed_at = NOW() WHERE project_id = $project_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project', log_action = 'Close', log_description = '$session_name closed project $project_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $project_id");
$_SESSION['alert_message'] = "You closed Project <strong>$project_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_project'])) {
validateTechRole();
$project_id = intval($_GET['delete_project']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['project_client_id']);
$project_name = sanitizeInput($row['project_name']);
mysqli_query($mysqli, "DELETE FROM projects WHERE project_id = $project_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Projects', log_action = 'Delete', log_description = '$session_name deleted project $project_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $project_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You Deleted Project <strong>$project_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_project_ticket'])) {
validateTechRole();
$project_id = intval($_POST['project_id']);
// Get Project Name
$sql = mysqli_query($mysqli, "SELECT * FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['project_client_id']);
$project_name = sanitizeInput($row['project_name']);
// Add Tickets
if (!empty($_POST['tickets'])) {
foreach ($_POST['tickets'] as $ticket) {
$ticket_id = intval($ticket);
// Get Ticket Info
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_project_id = $project_id");
$row = mysqli_fetch_array($sql);
$ticket_subject = sanitizeInput($row['ticket_subject']);
mysqli_query($mysqli, "UPDATE tickets SET ticket_project_id = $project_id WHERE ticket_id = $ticket_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Project', log_action = 'Edit', log_description = '$session_name added a ticket $ticket_subject to project $project_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $project_id");
}
}
$_SESSION['alert_message'] = "You added Tickets to <strong>$project_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

550
post/user/quote.php Normal file
View File

@@ -0,0 +1,550 @@
<?php
/*
* ITFlow - GET/POST request handler for quotes
*/
if (isset($_POST['add_quote'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/user/quote_model.php';
$client = intval($_POST['client']);
//Get the last Quote Number and add 1 for the new Quote number
$quote_number = $config_quote_next_number;
$new_config_quote_next_number = $config_quote_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_quote_next_number = $new_config_quote_next_number WHERE company_id = 1");
//Generate a unique URL key for clients to access
$quote_url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$scope', quote_date = '$date', quote_expire = '$expire', quote_currency_code = '$session_company_currency', quote_category_id = $category, quote_status = 'Draft', quote_url_key = '$quote_url_key', quote_client_id = $client");
$quote_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Draft', history_description = 'Quote created!', history_quote_id = $quote_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Create', log_description = '$quote_prefix$quote_number', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote added";
header("Location: quote.php?quote_id=$quote_id");
}
if (isset($_POST['add_quote_copy'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$client_id = intval($_POST['client']);
$date = sanitizeInput($_POST['date']);
$expire = sanitizeInput($_POST['expire']);
//Get the last Invoice Number and add 1 for the new invoice number
$quote_number = $config_quote_next_number;
$new_config_quote_next_number = $config_quote_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_quote_next_number = $new_config_quote_next_number WHERE company_id = 1");
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_discount_amount = floatval($row['quote_discount_amount']);
$quote_amount = floatval($row['quote_amount']);
$quote_currency_code = sanitizeInput($row['quote_currency_code']);
$quote_scope = sanitizeInput($row['quote_scope']);
$quote_note = sanitizeInput($row['quote_note']);
$category_id = intval($row['quote_category_id']);
//Generate a unique URL key for clients to access
$quote_url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$quote_scope', quote_date = '$date', quote_expire = '$expire', quote_category_id = $category_id, quote_status = 'Draft', quote_discount_amount = $quote_discount_amount, quote_amount = $quote_amount, quote_currency_code = '$quote_currency_code', quote_note = '$quote_note', quote_url_key = '$quote_url_key', quote_client_id = $client_id");
$new_quote_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Draft', history_description = 'Quote copied!', history_quote_id = $new_quote_id");
$sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql_items)) {
$item_id = intval($row['item_id']);
$item_name = sanitizeInput($row['item_name']);
$item_description = sanitizeInput($row['item_description']);
$item_quantity = floatval($row['item_quantity']);
$item_price = floatval($row['item_price']);
$item_subtotal = floatval($row['item_subtotal']);
$item_tax = floatval($row['item_tax']);
$item_total = floatval($row['item_total']);
$item_order = intval($row['item_order']);
$tax_id = intval($row['item_tax_id']);
mysqli_query($mysqli,"INSERT INTO invoice_items SET item_name = '$item_name', item_description = '$item_description', item_quantity = $item_quantity, item_price = $item_price, item_subtotal = $item_subtotal, item_tax = $item_tax, item_total = $item_total, item_order = $item_order, item_tax_id = $tax_id, item_quote_id = $new_quote_id");
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Create', log_description = 'Copied Quote', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote copied";
header("Location: quote.php?quote_id=$new_quote_id");
}
if (isset($_POST['add_quote_to_invoice'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$date = sanitizeInput($_POST['date']);
$client_net_terms = intval($_POST['client_net_terms']);
$invoice_number = $config_invoice_next_number;
$new_config_invoice_next_number = $config_invoice_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = 1");
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_discount_amount = floatval($row['quote_discount_amount']);
$quote_amount = floatval($row['quote_amount']);
$quote_currency_code = sanitizeInput($row['quote_currency_code']);
$quote_scope = sanitizeInput($row['quote_scope']);
$quote_note = sanitizeInput($row['quote_note']);
$client_id = intval($row['quote_client_id']);
$category_id = intval($row['quote_category_id']);
//Generate a unique URL key for clients to access
$url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$quote_scope', invoice_date = '$date', invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_category_id = $category_id, invoice_status = 'Draft', invoice_discount_amount = $quote_discount_amount, invoice_amount = $quote_amount, invoice_currency_code = '$quote_currency_code', invoice_note = '$quote_note', invoice_url_key = '$url_key', invoice_client_id = $client_id");
$new_invoice_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Draft', history_description = 'Quote copied to Invoice!', history_invoice_id = $new_invoice_id");
$sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql_items)) {
$item_id = intval($row['item_id']);
$item_name = sanitizeInput($row['item_name']);
$item_description = sanitizeInput($row['item_description']);
$item_quantity = floatval($row['item_quantity']);
$item_price = floatval($row['item_price']);
$item_subtotal = floatval($row['item_subtotal']);
$item_tax = floatval($row['item_tax']);
$item_total = floatval($row['item_total']);
$item_order = intval($row['item_order']);
$tax_id = intval($row['item_tax_id']);
mysqli_query($mysqli,"INSERT INTO invoice_items SET item_name = '$item_name', item_description = '$item_description', item_quantity = $item_quantity, item_price = $item_price, item_subtotal = $item_subtotal, item_tax = $item_tax, item_total = $item_total, item_order = $item_order, item_tax_id = $tax_id, item_invoice_id = $new_invoice_id");
}
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Invoiced' WHERE quote_id = $quote_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Create', log_description = 'Quote copied to Invoice', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote copied to Invoice";
header("Location: invoice.php?invoice_id=$new_invoice_id");
}
if (isset($_POST['add_quote_item'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$qty = floatval($_POST['qty']);
$price = floatval($_POST['price']);
$tax_id = intval($_POST['tax_id']);
$item_order = intval($_POST['item_order']);
$subtotal = $price * $qty;
if ($tax_id > 0) {
$sql = mysqli_query($mysqli,"SELECT * FROM taxes WHERE tax_id = $tax_id");
$row = mysqli_fetch_array($sql);
$tax_percent = floatval($row['tax_percent']);
$tax_amount = $subtotal * $tax_percent / 100;
}else{
$tax_amount = 0;
}
$total = $subtotal + $tax_amount;
mysqli_query($mysqli,"INSERT INTO invoice_items SET item_name = '$name', item_description = '$description', item_quantity = $qty, item_price = $price, item_subtotal = $subtotal, item_tax = $tax_amount, item_total = $total, item_tax_id = $tax_id, item_order = $item_order, item_quote_id = $quote_id");
//Get Discount
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_discount_amount = floatval($row['quote_discount_amount']);
//add up the total of all items
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
$quote_amount = 0;
while($row = mysqli_fetch_array($sql)) {
$item_total = floatval($row['item_total']);
$quote_amount = $quote_amount + $item_total;
}
$new_quote_amount = $quote_amount - $quote_discount_amount;
mysqli_query($mysqli,"UPDATE quotes SET quote_amount = $new_quote_amount WHERE quote_id = $quote_id");
$_SESSION['alert_message'] = "Item added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['quote_note'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$note = sanitizeInput($_POST['note']);
mysqli_query($mysqli,"UPDATE quotes SET quote_note = '$note' WHERE quote_id = $quote_id");
$_SESSION['alert_message'] = "Notes added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_quote'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/user/quote_model.php';
$quote_id = intval($_POST['quote_id']);
//Calculate the new quote amount
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
$quote_amount = 0;
while($row = mysqli_fetch_array($sql)) {
$item_total = floatval($row['item_total']);
$quote_amount = $quote_amount + $item_total;
}
$quote_amount = $quote_amount - $quote_discount;
mysqli_query($mysqli,"UPDATE quotes SET quote_scope = '$scope', quote_date = '$date', quote_expire = '$expire', quote_discount_amount = '$quote_discount', quote_amount = '$quote_amount', quote_category_id = $category WHERE quote_id = $quote_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Modify', log_description = '$quote_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_quote'])) {
enforceUserPermission('module_sales', 3);
$quote_id = intval($_GET['delete_quote']);
mysqli_query($mysqli,"DELETE FROM quotes WHERE quote_id = $quote_id");
//Delete Items Associated with the Quote
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql)) {;
$item_id = intval($row['item_id']);
mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id");
}
//Delete History Associated with the Quote
$sql = mysqli_query($mysqli,"SELECT * FROM history WHERE history_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql)) {;
$history_id = intval($row['history_id']);
mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id");
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Delete', log_description = '$quote_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quotes deleted";
if (isset($_GET['client_id'])) {
$client_id = intval($_GET['client_id']);
header("Location: client_quotes.php?client_id=$client_id");
} else {
header("Location: quotes.php");
}
}
if (isset($_GET['delete_quote_item'])) {
enforceUserPermission('module_sales', 2);
$item_id = intval($_GET['delete_quote_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
$row = mysqli_fetch_array($sql);
$quote_id = intval($row['item_quote_id']);
$item_subtotal = floatval($row['item_subtotal']);
$item_tax = floatval($row['item_tax']);
$item_total = floatval($row['item_total']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$new_quote_amount = floatval($row['quote_amount']) - $item_total;
mysqli_query($mysqli,"UPDATE quotes SET quote_amount = $new_quote_amount WHERE quote_id = $quote_id");
mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote Item', log_action = 'Delete', log_description = '$item_id from $quote_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Item deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['mark_quote_sent'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['mark_quote_sent']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Sent' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'QUOTE marked sent', history_quote_id = $quote_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Update', log_description = '$quote_id marked sent', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote marked sent";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['accept_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['accept_quote']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Accepted' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Accepted', history_description = 'Quote accepted!', history_quote_id = $quote_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Modify', log_description = 'Accepted Quote $quote_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote accepted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['decline_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['decline_quote']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Declined' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Cancelled', history_description = 'Quote declined!', history_quote_id = $quote_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Modify', log_description = 'Declined Quote $quote_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Quote declined";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['email_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['email_quote']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes
LEFT JOIN clients ON quote_client_id = client_id
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
WHERE quote_id = $quote_id"
);
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = intval($row['quote_number']);
$quote_scope = sanitizeInput($row['quote_scope']);
$quote_status = sanitizeInput($row['quote_status']);
$quote_date = sanitizeInput($row['quote_date']);
$quote_expire = sanitizeInput($row['quote_expire']);
$quote_amount = floatval($row['quote_amount']);
$quote_url_key = sanitizeInput($row['quote_url_key']);
$quote_currency_code = sanitizeInput($row['quote_currency_code']);
$client_id = intval($row['client_id']);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = sanitizeInput($row['company_name']);
$company_country = sanitizeInput($row['company_country']);
$company_address = sanitizeInput($row['company_address']);
$company_city = sanitizeInput($row['company_city']);
$company_state = sanitizeInput($row['company_state']);
$company_zip = sanitizeInput($row['company_zip']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
$company_email = sanitizeInput($row['company_email']);
$company_website = sanitizeInput($row['company_website']);
$company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config vars from get_settings.php
$config_quote_from_name = sanitizeInput($config_quote_from_name);
$config_quote_from_email = sanitizeInput($config_quote_from_email);
$config_base_url = sanitizeInput($config_base_url);
$subject = "Quote [$quote_scope]";
$body = "Hello $contact_name,<br><br>Thank you for your inquiry, we are pleased to provide you with the following estimate.<br><br><br>$quote_scope<br>Total Cost: " . numfmt_format_currency($currency_format, $quote_amount, $quote_currency_code) . "<br><br><br>View and accept your estimate online <a href=\'https://$config_base_url/guest_view_quote.php?quote_id=$quote_id&url_key=$quote_url_key\'>here</a><br><br><br>--<br>$company_name - Sales<br>$config_quote_from_email<br>$company_phone";
// Queue Mail
$data = [
[
'from' => $config_quote_from_email,
'from_name' => $config_quote_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body,
]
];
addToMailQueue($mysqli, $data);
// Logging
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Email Quote Queued', history_quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Email', log_description = '$session_name emailed Quote $quote_prefix$quote_number to $contact_email Email ID: ', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $quote_id");
$_SESSION['alert_message'] = "Quote has been queued successfully! <a class='text-bold text-light' href='admin_mail_queue.php'>Check Admin > Mail queue</a>";
//Don't change the status to sent if the status is anything but draft
if ($quote_status == 'Draft') {
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Sent' WHERE quote_id = $quote_id");
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['export_client_quotes_csv'])){
enforceUserPermission('module_sales');
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_client_id = $client_id ORDER BY quote_number ASC");
if($sql->num_rows > 0){
$delimiter = ",";
$filename = $client_name . "-Quotes-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Quote Number', 'Scope', 'Amount', 'Date', 'Status');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()){
$lineData = array($row['quote_prefix'] . $row['quote_number'], $row['quote_scope'], $row['quote_amount'], $row['quote_date'], $row['quote_status']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
exit;
}
if (isset($_POST['update_quote_item_order'])) {
enforceUserPermission('module_sales', 2);
if ($_POST['update_quote_item_order'] == 'up') {
$item_id = intval($_POST['item_id']);
$item_quote_id = intval($_POST['item_quote_id']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
$row = mysqli_fetch_array($sql);
$item_order = intval($row['item_order']);
$new_item_order = $item_order - 1;
//Check if new item order is used
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $item_quote_id AND item_order = $new_item_order");
//Redo the entire order of list
while ($row = mysqli_fetch_array($sql)) {
$item_id = intval($row['item_id']);
$item_order = intval($row['item_order']);
$new_item_order = $item_order + 1;
mysqli_query($mysqli,"UPDATE invoice_items SET item_order = $new_item_order WHERE item_id = $item_id");
}
mysqli_query($mysqli,"UPDATE invoice_items SET item_order = $item_order WHERE item_quote_id = $item_quote_id AND item_order = $new_item_order");
mysqli_query($mysqli,"UPDATE invoice_items SET item_order = $new_item_order WHERE item_id = $item_id");
$_SESSION['alert_message'] = "Item moved up";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if ($_POST['update_quote_item_order'] == 'down') {
$item_id = intval($_POST['item_id']);
$item_quote_id = intval($_POST['item_quote_id']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
$row = mysqli_fetch_array($sql);
$item_order = intval($row['item_order']);
$new_item_order = $item_order + 1;
mysqli_query($mysqli,"UPDATE invoice_items SET item_order = $item_order WHERE item_quote_id = $item_quote_id AND item_order = $new_item_order");
mysqli_query($mysqli,"UPDATE invoice_items SET item_order = $new_item_order WHERE item_id = $item_id");
$_SESSION['alert_message'] = "Item moved down";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}

8
post/user/quote_model.php Normal file
View File

@@ -0,0 +1,8 @@
<?php
$date = sanitizeInput($_POST['date']);
$expire = sanitizeInput($_POST['expire']);
$category = intval($_POST['category']);
$scope = sanitizeInput($_POST['scope']);
$quote_discount = floatval($_POST['quote_discount']);
$config_quote_prefix = sanitizeInput($config_quote_prefix);

259
post/user/rack.php Normal file
View File

@@ -0,0 +1,259 @@
<?php
/*
* ITFlow - GET/POST request handler for client racks
*/
if (isset($_POST['add_rack'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$model = sanitizeInput($_POST['model']);
$depth = sanitizeInput($_POST['depth']);
$units = intval($_POST['units']);
$physical_location = sanitizeInput($_POST['physical_location']);
$location = intval($_POST['location']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes', rack_client_id = $client_id");
$rack_id = mysqli_insert_id($mysqli);
// Add Photo
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE racks SET rack_photo = '$new_file_name' WHERE rack_id = $rack_id");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Rack', log_action = 'Create', log_description = '$session_name created rack $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $rack_id");
$_SESSION['alert_message'] = "Rack <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_rack'])) {
validateTechRole();
$rack_id = intval($_POST['rack_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$model = sanitizeInput($_POST['model']);
$depth = sanitizeInput($_POST['depth']);
$units = intval($_POST['units']);
$physical_location = sanitizeInput($_POST['physical_location']);
$location = intval($_POST['location']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes' WHERE rack_id = $rack_id");
// Add Photo
if ($_FILES['file']['tmp_name'] != '') {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE racks SET rack_photo = '$new_file_name' WHERE rack_id = $rack_id");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Rack', log_action = 'Edit', log_description = '$session_name edited rack $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $rack_id");
$_SESSION['alert_message'] = "Rack <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_rack'])) {
validateTechRole();
$rack_id = intval($_GET['archive_rack']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['asset_client_id']);
mysqli_query($mysqli,"UPDATE racks SET rack_archived_at = NOW() WHERE rack_id = $rack_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Rack', log_action = 'Archive', log_description = '$session_name archived rack $rack_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $rack_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Asset <strong>$rack_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_rack'])) {
validateTechRole();
$rack_id = intval($_GET['unarchive_rack']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']);
mysqli_query($mysqli,"UPDATE racks SET rack_archived_at = NULL WHERE rack_id = $rack_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Unarchive', log_description = '$session_name restored rack $rack_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $asset_id");
$_SESSION['alert_message'] = "Rack <strong>$rack_name</strong> Unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_rack'])) {
validateAdminRole();
$rack_id = intval($_GET['delete_rack']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id, rack_photo FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$rack_photo = sanitizeInput($row['rack_photo']);
$client_id = intval($row['rack_client_id']);
mysqli_query($mysqli,"DELETE FROM racks WHERE rack_id = $rack_id");
// Delete Photo if exists
if ($rack_photo) {
unlink("uploads/clients/$client_id/$rack_photo");
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Rack', log_action = 'Delete', log_description = '$session_name deleted rack $rack_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $rack_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Rack <strong>$rack_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_rack_unit'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$rack_id = intval($_POST['rack_id']);
$name = sanitizeInput($_POST['name']);
$unit_start = intval($_POST['unit_start']);
$unit_end = intval($_POST['unit_end']);
$asset = intval($_POST['asset']);
// Check if the unit range is already occupied
$check_sql = mysqli_query($mysqli, "SELECT * FROM rack_units WHERE unit_rack_id = $rack_id AND
((unit_start_number <= $unit_start AND unit_end_number >= $unit_start) OR
(unit_start_number <= $unit_end AND unit_end_number >= $unit_end) OR
($unit_start <= unit_start_number AND $unit_end >= unit_start_number))");
if (mysqli_num_rows($check_sql) > 0) {
// If there is an overlap, return an error message
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Units $unit_start to $unit_end are already in use by another device.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
// If no overlap, proceed with the insertion
mysqli_query($mysqli, "INSERT INTO rack_units SET unit_device = '$name', unit_asset_id = $asset, unit_start_number = $unit_start, unit_end_number = $unit_end, unit_rack_id = $rack_id");
$unit_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Rack Unit', log_action = 'Create', log_description = '$session_name added a unit the rack', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $rack_id");
$_SESSION['alert_message'] = "Device Added to Unit $unit_start - $unit_end to rack";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_rack_unit'])) {
validateTechRole();
$unit_id = intval($_POST['unit_id']);
$client_id = intval($_POST['client_id']);
$rack_id = intval($_POST['rack_id']);
$name = sanitizeInput($_POST['name']);
$unit_start = intval($_POST['unit_start']);
$unit_end = intval($_POST['unit_end']);
$asset = intval($_POST['asset']);
mysqli_query($mysqli,"UPDATE rack_units SET unit_device = '$name', unit_asset_id = $asset, unit_start_number = $unit_start, unit_end_number = $unit_end WHERE unit_id = $unit_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Rack Unit', log_action = 'Edit', log_description = '$session_name edited a unit on the rack', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $rack_id");
$_SESSION['alert_message'] = "Device edited on the rack";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['remove_rack_unit'])) {
validateTechRole();
$unit_id = intval($_GET['remove_rack_unit']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_id, rack_client_id FROM racks LEFT JOIN rack_units ON unit_rack_id = rack_id WHERE unit_id = $unit_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']);
$rack_id = intval($row['rack_id']);
mysqli_query($mysqli,"DELETE FROM rack_units WHERE unit_id = $unit_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Rack Unit', log_action = 'Delete', log_description = '$session_name removed device from rack', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $rack_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You removed device from the rack";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

65
post/user/revenue.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
/*
* ITFlow - GET/POST request handler for revenue
*/
if (isset($_POST['add_revenue'])) {
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$currency_code = sanitizeInput($_POST['currency_code']);
$account = intval($_POST['account']);
$category = intval($_POST['category']);
$payment_method = sanitizeInput($_POST['payment_method']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
mysqli_query($mysqli,"INSERT INTO revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_currency_code = '$currency_code', revenue_payment_method = '$payment_method', revenue_reference = '$reference', revenue_description = '$description', revenue_category_id = $category, revenue_account_id = $account");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Revenue', log_action = 'Create', log_description = '$date - $amount', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Revenue added!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_revenue'])) {
$revenue_id = intval($_POST['revenue_id']);
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$currency_code = sanitizeInput($_POST['currency_code']);
$account = intval($_POST['account']);
$category = intval($_POST['category']);
$payment_method = sanitizeInput($_POST['payment_method']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_currency_code = '$currency_code', revenue_payment_method = '$payment_method', revenue_reference = '$reference', revenue_description = '$description', revenue_category_id = $category, revenue_account_id = $account WHERE revenue_id = $revenue_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Revenue', log_action = 'Modify', log_description = '$revenue_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Revenue modified!";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_revenue'])) {
$revenue_id = intval($_GET['delete_revenue']);
mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Revenue', log_action = 'Delete', log_description = '$revenue_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Revenue deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

243
post/user/service.php Normal file
View File

@@ -0,0 +1,243 @@
<?php
/*
* ITFlow - GET/POST request handler for client service info
*/
if (isset($_POST['add_service'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$service_name = sanitizeInput($_POST['name']);
$service_description = sanitizeInput($_POST['description']);
$service_category = sanitizeInput($_POST['category']); //TODO: Needs integration with company categories
$service_importance = sanitizeInput($_POST['importance']);
$service_backup = sanitizeInput($_POST['backup']);
$service_notes = sanitizeInput($_POST['note']);
// Create Service
$service_sql = mysqli_query($mysqli, "INSERT INTO services SET service_name = '$service_name', service_description = '$service_description', service_category = '$service_category', service_importance = '$service_importance', service_backup = '$service_backup', service_notes = '$service_notes', service_client_id = $client_id");
// Create links to assets
if ($service_sql) {
$service_id = $mysqli->insert_id;
if (!empty($_POST['contacts'])) {
$service_contact_ids = $_POST['contacts'];
foreach($service_contact_ids as $contact_id) {
$contact_id = intval($contact_id);
if ($contact_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_contacts SET service_id = $service_id, contact_id = $contact_id");
}
}
}
if (!empty($_POST['vendors'])) {
$service_vendor_ids = $_POST['vendors'];
foreach($service_vendor_ids as $vendor_id) {
$vendor_id = intval($vendor_id);
if ($vendor_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_vendors SET service_id = $service_id, vendor_id = $vendor_id");
}
}
}
if (!empty($_POST['documents'])) {
$service_document_ids = $_POST['documents'];
foreach($service_document_ids as $document_id) {
$document_id = intval($document_id);
if ($document_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_documents SET service_id = $service_id, document_id = $document_id");
}
}
}
if (!empty($_POST['assets'])) {
$service_asset_ids = $_POST['assets'];
foreach($service_asset_ids as $asset_id) {
$asset_id = intval($asset_id);
if ($asset_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_assets SET service_id = $service_id, asset_id = $asset_id");
}
}
}
if (!empty($_POST['logins'])) {
$service_login_ids = $_POST['logins'];
foreach($service_login_ids as $login_id) {
$login_id = intval($login_id);
if ($login_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_logins SET service_id = $service_id, login_id = $login_id");
}
}
}
if (!empty($_POST['domains'])) {
$service_domain_ids = $_POST['domains'];
foreach($service_domain_ids as $domain_id) {
$domain_id = intval($domain_id);
if ($domain_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_domains SET service_id = $service_id, domain_id = $domain_id");
}
}
}
if (!empty($_POST['certificates'])) {
$service_cert_ids = $_POST['certificates'];
foreach($service_cert_ids as $cert_id) {
$cert_id = intval($cert_id);
if ($cert_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_certificates SET service_id = $service_id, certificate_id = $cert_id");
}
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Service', log_action = 'Create', log_description = '$session_name created service $service_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Service added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
else{
$_SESSION['alert_message'] = "Something went wrong (SQL)";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_POST['edit_service'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$service_id = intval($_POST['service_id']);
$service_name = sanitizeInput($_POST['name']);
$service_description = sanitizeInput($_POST['description']);
$service_category = sanitizeInput($_POST['category']); //TODO: Needs integration with company categories
$service_importance = sanitizeInput($_POST['importance']);
$service_backup = sanitizeInput($_POST['backup']);
$service_notes = sanitizeInput($_POST['note']);
// Update main service details
mysqli_query($mysqli, "UPDATE services SET service_name = '$service_name', service_description = '$service_description', service_category = '$service_category', service_importance = '$service_importance', service_backup = '$service_backup', service_notes = '$service_notes' WHERE service_id = $service_id");
// Unlink existing relations/assets
mysqli_query($mysqli, "DELETE FROM service_contacts WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_vendors WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_documents WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_assets WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_logins WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_domains WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_certificates WHERE service_id = $service_id");
// Relink
if (!empty($_POST['contacts'])) {
$service_contact_ids = $_POST['contacts'];
foreach($service_contact_ids as $contact_id) {
$contact_id = intval($contact_id);
if ($contact_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_contacts SET service_id = $service_id, contact_id = $contact_id");
}
}
}
if (!empty($_POST['vendors'])) {
$service_vendor_ids = $_POST['vendors'];
foreach($service_vendor_ids as $vendor_id) {
$vendor_id = intval($vendor_id);
if ($vendor_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_vendors SET service_id = $service_id, vendor_id = $vendor_id");
}
}
}
if (!empty($_POST['documents'])) {
$service_document_ids = $_POST['documents'];
foreach($service_document_ids as $document_id) {
$document_id = intval($document_id);
if ($document_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_documents SET service_id = $service_id, document_id = $document_id");
}
}
}
if (!empty($_POST['assets'])) {
$service_asset_ids = $_POST['assets'];
foreach($service_asset_ids as $asset_id) {
$asset_id = intval($asset_id);
if ($asset_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_assets SET service_id = $service_id, asset_id = $asset_id");
}
}
}
if (!empty($_POST['logins'])) {
$service_login_ids = $_POST['logins'];
foreach($service_login_ids as $login_id) {
$login_id = intval($login_id);
if ($login_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_logins SET service_id = $service_id, login_id = $login_id");
}
}
}
if (!empty($_POST['domains'])) {
$service_domain_ids = $_POST['domains'];
foreach($service_domain_ids as $domain_id) {
$domain_id = intval($domain_id);
if ($domain_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_domains SET service_id = $service_id, domain_id = $domain_id");
}
}
}
if (!empty($_POST['certificates'])) {
$service_cert_ids = $_POST['certificates'];
foreach($service_cert_ids as $cert_id) {
$cert_id = intval($cert_id);
if ($cert_id > 0) {
mysqli_query($mysqli, "INSERT INTO service_certificates SET service_id = $service_id, certificate_id = $cert_id");
}
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Service', log_action = 'Modify', log_description = '$session_name modified service $service_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Service updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_service'])) {
validateAdminRole();
$service_id = intval($_GET['delete_service']);
// Delete service
$delete_sql = mysqli_query($mysqli, "DELETE FROM services WHERE service_id = $service_id");
// Delete relations
// TODO: Convert this to a join delete
if ($delete_sql) {
mysqli_query($mysqli, "DELETE FROM service_contacts WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_vendors WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_documents WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_assets WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_logins WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_domains WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_certificates WHERE service_id = $service_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Service', log_action = 'Delete', log_description = '$session_name deleted service $service_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Service deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
} else {
$_SESSION['alert_message'] = "Something went wrong (SQL)";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}

284
post/user/software.php Normal file
View File

@@ -0,0 +1,284 @@
<?php
/*
* ITFlow - GET/POST request handler for client software & licenses
*/
if (isset($_POST['add_software_from_template'])) {
// GET POST Data
$client_id = intval($_POST['client_id']);
$software_template_id = intval($_POST['software_template_id']);
// GET Software Info
$sql_software = mysqli_query($mysqli,"SELECT * FROM software WHERE software_id = $software_template_id");
$row = mysqli_fetch_array($sql_software);
$name = sanitizeInput($row['software_name']);
$version = sanitizeInput($row['software_version']);
$description = sanitizeInput($row['software_description']);
$type = sanitizeInput($row['software_type']);
$license_type = sanitizeInput($row['software_license_type']);
$notes = sanitizeInput($row['software_notes']);
// Software add query
mysqli_query($mysqli,"INSERT INTO software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_license_type = '$license_type', software_notes = '$notes', software_client_id = $client_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software', log_action = 'Create', log_description = 'Software created from template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Software created from template";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_software'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
$key = sanitizeInput($_POST['key']);
$seats = intval($_POST['seats']);
$purchase = sanitizeInput($_POST['purchase']);
if (empty($purchase)) {
$purchase = "NULL";
} else {
$purchase = "'" . $purchase . "'";
}
$expire = sanitizeInput($_POST['expire']);
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_key = '$key', software_license_type = '$license_type', software_seats = $seats, software_purchase = $purchase, software_expire = $expire, software_notes = '$notes', software_client_id = $client_id");
$software_id = mysqli_insert_id($mysqli);
$alert_extended = "";
// Add Asset Licenses
if (!empty($_POST['assets'])) {
foreach($_POST['assets'] as $asset) {
$asset_id = intval($asset);
mysqli_query($mysqli,"INSERT INTO software_assets SET software_id = $software_id, asset_id = $asset_id");
}
}
// Add Contact Licenses
if (!empty($_POST['contacts'])) {
foreach($_POST['contacts'] as $contact) {
$contact = intval($contact);
mysqli_query($mysqli,"INSERT INTO software_contacts SET software_id = $software_id, contact_id = $contact");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software', log_action = 'Create', log_description = '$session_name created software $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $software_id");
$_SESSION['alert_message'] = "Software <strong>$name</strong> created $alert_extended";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_software'])) {
validateTechRole();
$software_id = intval($_POST['software_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
$key = sanitizeInput($_POST['key']);
$seats = intval($_POST['seats']);
$purchase = sanitizeInput($_POST['purchase']);
if (empty($purchase)) {
$purchase = "NULL";
} else {
$purchase = "'" . $purchase . "'";
}
$expire = sanitizeInput($_POST['expire']);
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_key = '$key', software_license_type = '$license_type', software_seats = $seats, software_purchase = $purchase, software_expire = $expire, software_notes = '$notes' WHERE software_id = $software_id");
// Update Asset Licenses
mysqli_query($mysqli,"DELETE FROM software_assets WHERE software_id = $software_id");
if (!empty($_POST['assets'])) {
foreach($_POST['assets'] as $asset) {
$asset = intval($asset);
mysqli_query($mysqli,"INSERT INTO software_assets SET software_id = $software_id, asset_id = $asset");
}
}
// Update Contact Licenses
mysqli_query($mysqli,"DELETE FROM software_contacts WHERE software_id = $software_id");
if (!empty($_POST['contacts'])) {
foreach($_POST['contacts'] as $contact) {
$contact = intval($contact);
mysqli_query($mysqli,"INSERT INTO software_contacts SET software_id = $software_id, contact_id = $contact");
}
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software', log_action = 'Modify', log_description = '$session_name modified software $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $software_id");
$_SESSION['alert_message'] = "Software <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_software'])) {
validateTechRole();
$software_id = intval($_GET['archive_software']);
// Get Software Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT software_name, software_client_id FROM software WHERE software_id = $software_id");
$row = mysqli_fetch_array($sql);
$software_name = sanitizeInput($row['software_name']);
$client_id = intval($row['software_client_id']);
mysqli_query($mysqli,"UPDATE software SET software_archived_at = NOW() WHERE software_id = $software_id");
// Remove Software Relations
mysqli_query($mysqli,"DELETE FROM software_contacts WHERE software_id = $software_id");
mysqli_query($mysqli,"DELETE FROM software_assets WHERE software_id = $software_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software', log_action = 'Archive', log_description = '$session_name archived software $software_name and removed all device/user license associations', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $software_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Software <strong>$software_name</strong> archived and removed all device/user license associations";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_software'])) {
validateAdminRole();
$software_id = intval($_GET['delete_software']);
// Get Software Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT software_name, software_client_id FROM software WHERE software_id = $software_id");
$row = mysqli_fetch_array($sql);
$software_name = sanitizeInput($row['software_name']);
$client_id = intval($row['software_client_id']);
mysqli_query($mysqli,"DELETE FROM software WHERE software_id = $software_id");
// Remove Software Relations
mysqli_query($mysqli,"DELETE FROM software_contacts WHERE software_id = $software_id");
mysqli_query($mysqli,"DELETE FROM software_assets WHERE software_id = $software_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software', log_action = 'Delete', log_description = '$session_name deleted software $software_name and removed all device/user license associations', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $software_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Software <strong>$software_name</strong> deleted and removed all device/user license associations";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_software_csv'])) {
validateTechRole();
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM software WHERE software_client_id = $client_id ORDER BY software_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = $client_name . "-Software-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Version', 'Description', 'Type', 'License Type', 'Seats', 'Key', 'Assets', 'Contacts', 'Purchased', 'Expires', 'Notes');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
// Generate asset & user license list for this software
// Asset licenses
$assigned_to_assets = '';
$asset_licenses_sql = mysqli_query($mysqli,"SELECT software_assets.asset_id, assets.asset_name
FROM software_assets
LEFT JOIN assets
ON software_assets.asset_id = assets.asset_id
WHERE software_id = $row[software_id]");
while($asset_row = mysqli_fetch_array($asset_licenses_sql)) {
$assigned_to_assets .= $asset_row['asset_name'] . ", ";
}
// Contact Licenses
$assigned_to_contacts = '';
$contact_licenses_sql = mysqli_query($mysqli,"SELECT software_contacts.contact_id, contacts.contact_name
FROM software_contacts
LEFT JOIN contacts
ON software_contacts.contact_id = contacts.contact_id
WHERE software_id = $row[software_id]");
while($contact_row = mysqli_fetch_array($contact_licenses_sql)) {
$assigned_to_contacts .= $contact_row['contact_name'] . ", ";
}
$lineData = array($row['software_name'], $row['software_version'], $row['software_description'], $row['software_type'], $row['software_license_type'], $row['software_seats'], $row['software_key'], $assigned_to_assets, $assigned_to_contacts, $row['software_purchase'], $row['software_expire'], $row['software_notes']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Software', log_action = 'Export', log_description = '$session_name exported $num_rows software license(s) to a CSV file', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}

140
post/user/task.php Normal file
View File

@@ -0,0 +1,140 @@
<?php
/*
* ITFlow - GET/POST request handler for tasks
*/
if (isset($_POST['add_task'])) {
validateTechRole();
$ticket_id = intval($_POST['ticket_id']);
$task_name = sanitizeInput($_POST['name']);
// Get Client ID from tickets using the ticket_id
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = $ticket_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
mysqli_query($mysqli, "INSERT INTO tasks SET task_name = '$task_name', task_ticket_id = $ticket_id");
$task_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task', log_action = 'Create', log_description = '$session_name created task $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $task_id");
$_SESSION['alert_message'] = "You created Task <strong>$task_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_task'])) {
validateTechRole();
$task_id = intval($_POST['task_id']);
$task_name = sanitizeInput($_POST['name']);
$task_order = intval($_POST['order']);
$is_ticket = intval($_POST['is_ticket']);
if($is_ticket == 1) {
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_name = '$task_name', task_order = $task_order WHERE task_id = $task_id");
} else {
$client_id = 0;
mysqli_query($mysqli, "UPDATE task_templates SET task_template_name = '$task_name', task_template_order = $task_order WHERE task_template_id = $task_id");
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task', log_action = 'Edit', log_description = '$session_name edited task $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $task_id");
$_SESSION['alert_message'] = "You edited Task <strong>$task_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_task'])) {
validateTechRole();
// CSRF Check
validateCSRFToken($_GET['csrf_token']);
$task_id = intval($_GET['delete_task']);
// Get Client ID, task name from tasks and tickets using the task_id
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
$task_name = sanitizeInput($row['task_name']);
mysqli_query($mysqli, "DELETE FROM tasks WHERE task_id = $task_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task', log_action = 'Delete', log_description = '$session_name deleted task $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $task_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You Deleted Task <strong>$task_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['complete_task'])) {
validateTechRole();
$task_id = intval($_GET['complete_task']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
$task_name = sanitizeInput($row['task_name']);
$ticket_id = intval($row['ticket_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NOW(), task_completed_by = $session_user_id WHERE task_id = $task_id");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Completed Task - $task_name', ticket_reply_time_worked = '00:05:00', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
$ticket_reply_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task', log_action = 'Edit', log_description = '$session_name completed task $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $task_id");
$_SESSION['alert_message'] = "You completed Task <strong>$task_name</strong> Great Job!<i class='far fa-4x fa-smile-wink ml-2'></i>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['undo_complete_task'])) {
validateTechRole();
$task_id = intval($_GET['undo_complete_task']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
$task_name = sanitizeInput($row['task_name']);
$ticket_id = intval($row['ticket_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NULL, task_completed_by = NULL WHERE task_id = $task_id");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Undo Completed Task - $task_name', ticket_reply_time_worked = '00:01:00', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
$ticket_reply_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task', log_action = 'Edit', log_description = '$session_name un-completed task $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $task_id");
$_SESSION['alert_message'] = "You marked Task <strong>$task_name</strong> as incomplete";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

2231
post/user/ticket.php Normal file
View File

File diff suppressed because it is too large Load Diff

23
post/user/ticket_recurring_model.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
$client_id = intval($_POST['client']);
$subject = sanitizeInput($_POST['subject']);
$priority = sanitizeInput($_POST['priority']);
$details = mysqli_real_escape_string($mysqli, $_POST['details']);
$frequency = sanitizeInput($_POST['frequency']);
$billable = intval($_POST['billable']);
$asset_id = "0";
if (isset($_POST['asset'])) {
$asset_id = intval($_POST['asset']);
}
$contact_id = "0";
if (isset($_POST['contact'])) {
$contact_id = intval($_POST['contact']);
}
$assigned_to = "0";
if (isset($_POST['assigned_to'])) {
$assigned_to = intval($_POST['assigned_to']);
}

74
post/user/transfer.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
/*
* ITFlow - GET/POST request handler for transfers (accounting)
*/
if (isset($_POST['add_transfer'])) {
require_once 'post/user/transfer_model.php';
mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_vendor_id = 0, expense_category_id = 0, expense_account_id = $account_from");
$expense_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_currency_code = '$session_company_currency', revenue_account_id = $account_to, revenue_category_id = 0");
$revenue_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO transfers SET transfer_expense_id = $expense_id, transfer_revenue_id = $revenue_id, transfer_method = '$transfer_method', transfer_notes = '$notes'");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Transfer', log_action = 'Create', log_description = '$date - $amount', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Transfer complete";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_transfer'])) {
require_once 'post/user/transfer_model.php';
$transfer_id = intval($_POST['transfer_id']);
$expense_id = intval($_POST['expense_id']);
$revenue_id = intval($_POST['revenue_id']);
mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = $amount, expense_account_id = $account_from WHERE expense_id = $expense_id");
mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_account_id = $account_to WHERE revenue_id = $revenue_id");
mysqli_query($mysqli,"UPDATE transfers SET transfer_method = '$transfer_method', transfer_notes = '$notes' WHERE transfer_id = $transfer_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Transfer', log_action = 'Modifed', log_description = '$date - $amount', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Transfer modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_transfer'])) {
$transfer_id = intval($_GET['delete_transfer']);
//Query the transfer ID to get the Payment and Expense IDs, so we can delete those as well
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT * FROM transfers WHERE transfer_id = $transfer_id"));
$expense_id = intval($row['transfer_expense_id']);
$revenue_id = intval($row['transfer_revenue_id']);
mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id");
mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id");
mysqli_query($mysqli,"DELETE FROM transfers WHERE transfer_id = $transfer_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Transfer', log_action = 'Delete', log_description = '$transfer_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Transfer deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

7
post/user/transfer_model.php Normal file
View File

@@ -0,0 +1,7 @@
<?php
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account_from = intval($_POST['account_from']);
$account_to = intval($_POST['account_to']);
$transfer_method = sanitizeInput($_POST['transfer_method']);
$notes = sanitizeInput($_POST['notes']);

147
post/user/trip.php Normal file
View File

@@ -0,0 +1,147 @@
<?php
/*
* ITFlow - GET/POST request handler for trips (accounting related)
*/
if (isset($_POST['add_trip'])) {
require_once 'post/user/trip_model.php';
mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id");
//logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Trip', log_action = 'Create', log_description = '$session_name logged trip to $destination', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Trip added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_trip'])) {
require_once 'post/user/trip_model.php';
$trip_id = intval($_POST['trip_id']);
mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_user_id = $user_id, trip_client_id = $client_id WHERE trip_id = $trip_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Trip', log_action = 'Modify', log_description = '$date', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Trip modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_trip'])) {
$trip_id = intval($_GET['delete_trip']);
//Get Client ID
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT * FROM trips WHERE trip_id = $trip_id"));
$client_id = intval($row['trip_client_id']);
mysqli_query($mysqli,"DELETE FROM trips WHERE trip_id = $trip_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Trip', log_action = 'Delete', log_description = '$trip_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Trip deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_trips_csv'])) {
$date_from = sanitizeInput($_POST['date_from']);
$date_to = sanitizeInput($_POST['date_to']);
if (!empty($date_from) && !empty($date_to)){
$date_query = "DATE(trip_date) BETWEEN '$date_from' AND '$date_to'";
$file_name_date = "$date_from-to-$date_to";
} else {
$date_query = "trip_date IS NOT NULL";
$file_name_date = date('Y-m-d');
}
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM trips
LEFT JOIN clients ON trip_client_id = client_id
WHERE $date_query
ORDER BY trip_date DESC"
);
if(mysqli_num_rows($sql) > 0){
$delimiter = ",";
$filename = "$session_company_name-Trips-$file_name_date.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Date', 'Purpose', 'Source', 'Destination', 'Miles');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)){
$lineData = array($row['trip_date'], $row['trip_purpose'], $row['trip_source'], $row['trip_destination'], $row['trip_miles']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
exit;
}
if (isset($_POST['export_client_trips_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM trips WHERE trip_client_id = $client_id ORDER BY trip_date ASC");
if($sql->num_rows > 0){
$delimiter = ",";
$filename = $client_name . "-Trips-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Date', 'Purpose', 'Source', 'Destination', 'Miles');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()){
$lineData = array($row['trip_date'], $row['trip_purpose'], $row['trip_source'], $row['trip_destination'], $row['trip_miles']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
exit;
}

9
post/user/trip_model.php Normal file
View File

@@ -0,0 +1,9 @@
<?php
$date = sanitizeInput($_POST['date']);
$source = sanitizeInput($_POST['source']);
$destination = sanitizeInput($_POST['destination']);
$miles = floatval($_POST['miles']);
$roundtrip = intval($_POST['roundtrip']);
$purpose = sanitizeInput($_POST['purpose']);
$user_id = intval($_POST['user']);
$client_id = intval($_POST['client']);

324
post/user/vendor.php Normal file
View File

@@ -0,0 +1,324 @@
<?php
/*
* ITFlow - GET/POST request handler for vendors
*/
if (isset($_POST['add_vendor_from_template'])) {
// GET POST Data
$client_id = intval($_POST['client_id']); //Used if this vendor is under a contact otherwise its 0 for under company and or template
$vendor_template_id = intval($_POST['vendor_template_id']);
//GET Vendor Info
$sql_vendor = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_id = $vendor_template_id");
$row = mysqli_fetch_array($sql_vendor);
$name = sanitizeInput($row['vendor_name']);
$description = sanitizeInput($row['vendor_description']);
$account_number = sanitizeInput($row['vendor_account_number']);
$contact_name = sanitizeInput($row['vendor_contact_name']);
$phone = preg_replace("/[^0-9]/", '',$row['vendor_phone']);
$extension = preg_replace("/[^0-9]/", '',$row['vendor_extension']);
$email = sanitizeInput($row['vendor_email']);
$website = sanitizeInput($row['vendor_website']);
$hours = sanitizeInput($row['vendor_hours']);
$sla = sanitizeInput($row['vendor_sla']);
$code = sanitizeInput($row['vendor_code']);
$notes = sanitizeInput($row['vendor_notes']);
// Vendor add query
mysqli_query($mysqli,"INSERT INTO vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code', vendor_account_number = '$account_number', vendor_notes = '$notes', vendor_client_id = $client_id, vendor_template_id = $vendor_template_id");
$vendor_id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Create', log_description = 'Vendor created from template $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Vendor created from template";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
// Vendors
if (isset($_POST['add_vendor'])) {
require_once 'post/user/vendor_model.php';
$client_id = intval($_POST['client_id']); // Used if this vendor is under a contact otherwise its 0 for under company
mysqli_query($mysqli,"INSERT INTO vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code', vendor_account_number = '$account_number', vendor_notes = '$notes', vendor_client_id = $client_id");
$vendor_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Create', log_description = '$session_name created vendor $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Vendor <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_vendor'])) {
require_once 'post/user/vendor_model.php';
$vendor_id = intval($_POST['vendor_id']);
$vendor_template_id = intval($_POST['vendor_template_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code',vendor_account_number = '$account_number', vendor_notes = '$notes', vendor_template_id = $vendor_template_id WHERE vendor_id = $vendor_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Modify', log_description = '$session_name modified vendor $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Vendor <strong>$name</strong> modified";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_vendor'])) {
$vendor_id = intval($_GET['archive_vendor']);
//Get Vendor Name
$sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NOW() WHERE vendor_id = $vendor_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Archive', log_description = '$session_name archived vendor $vendor_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_vendor'])){
$vendor_id = intval($_GET['unarchive_vendor']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Unarchive', log_description = '$session_name restored credential $vendor_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $vendor_id");
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_vendor'])) {
$vendor_id = intval($_GET['delete_vendor']);
//Get Vendor Name
$sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
$vendor_template_id = intval($row['vendor_template_id']);
// If its a template reset all vendors based off this template to no template base
if ($vendor_template_id > 0) {
mysqli_query($mysqli,"UPDATE vendors SET vendor_template_id = 0 WHERE vendor_template_id = $vendor_template_id");
}
mysqli_query($mysqli,"DELETE FROM vendors WHERE vendor_id = $vendor_id");
// Remove Relations
mysqli_query($mysqli,"DELETE FROM vendor_files WHERE vendor_id = $vendor_id");
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE vendor_id = $vendor_id");
mysqli_query($mysqli,"DELETE FROM vendor_logins WHERE vendor_id = $vendor_id");
mysqli_query($mysqli,"DELETE FROM service_vendors WHERE vendor_id = $vendor_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Delete', log_description = '$session_name deleted vendor $vendor_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_vendors'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$vendor_ids = $_POST['vendor_ids']; // Get array of IDs to be deleted
if (!empty($vendor_ids)) {
// Cycle through array and archive each record
foreach ($vendor_ids as $vendor_id) {
$vendor_id = intval($vendor_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NOW() WHERE vendor_id = $vendor_id");
// Individual Contact logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Archive', log_description = '$session_name archived vendor $vendor_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $vendor_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Vendor', log_action = 'Archive', log_description = '$session_name archived $count vendors', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived $count credential(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_vendors'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$vendor_ids = $_POST['vendor_ids']; // Get array of IDs
if (!empty($vendor_ids)) {
// Cycle through array and unarchive
foreach ($vendor_ids as $vendor_id) {
$vendor_id = intval($vendor_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
// Individual logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Unarchive', log_description = '$session_name Unarchived vendor $vendors_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $vendor_id");
$count++;
}
// Bulk Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Vendor', log_action = 'Unarchive', log_description = '$session_name Unarchived $count vendors', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Unarchived $count vendor(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_vendors'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
$count = 0; // Default 0
$vendor_ids = $_POST['vendor_ids']; // Get array of IDs to be deleted
if (!empty($vendor_ids)) {
// Cycle through array and delete each record
foreach ($vendor_ids as $vendor_id) {
$vendor_id = intval($vendor_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id, vendor_template_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
$vendor_template_id = intval($row['vendor_template_id']);
// If its a template reset all vendors based off this template to no template base
if ($vendor_template_id > 0) {
mysqli_query($mysqli,"UPDATE vendors SET vendor_template_id = 0 WHERE vendor_template_id = $vendor_template_id");
}
mysqli_query($mysqli, "DELETE FROM vendors WHERE vendor_id = $vendor_id AND vendor_client_id = $client_id");
// Remove Relations
mysqli_query($mysqli,"DELETE FROM vendor_files WHERE vendor_id = $vendor_id");
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE vendor_id = $vendor_id");
mysqli_query($mysqli,"DELETE FROM vendor_logins WHERE vendor_id = $vendor_id");
mysqli_query($mysqli,"DELETE FROM service_vendors WHERE vendor_id = $vendor_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Vendor', log_action = 'Delete', log_description = '$session_name deleted vendor $vendor_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $vendor_id");
$count++;
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Vendor', log_action = 'Delete', log_description = '$session_name bulk deleted $count vendors', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Deleted $count vendor(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_vendors_csv'])) {
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_client_id = $client_id ORDER BY vendor_name ASC");
if ($sql->num_rows > 0) {
$delimiter = ",";
$filename = $client_name . "-Vendors-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Contact Name', 'Phone', 'Website', 'Account Number', 'Notes');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['vendor_name'], $row['vendor_description'], $row['vendor_contact_name'], $row['vendor_phone'], $row['vendor_website'], $row['vendor_account_number'], $row['vendor_notes']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Vendor', log_action = 'Export', log_description = '$session_name exported vendors to CSV', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
exit;
}

13
post/user/vendor_model.php Normal file
View File

@@ -0,0 +1,13 @@
<?php
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$account_number = sanitizeInput($_POST['account_number']);
$contact_name = sanitizeInput($_POST['contact_name']);
$phone = preg_replace("/[^0-9]/", '', $_POST['phone']);
$extension = preg_replace("/[^0-9]/", '', $_POST['extension']);
$email = sanitizeInput($_POST['email']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
$hours = sanitizeInput($_POST['hours']);
$sla = sanitizeInput($_POST['sla']);
$code = sanitizeInput($_POST['code']);
$notes = sanitizeInput($_POST['notes']);