AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Misc tidying code spacing & formatting in accordance with SonarCloud/PSR

This commit is contained in:
Marcus Hill 2023-01-01 15:41:21 +00:00
parent 807d374b90
commit 6746edda1a
12 changed files with 546 additions and 555 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

362
ajax.php
View File

@ -6,161 +6,159 @@
* Always returns data in JSON format, unless otherwise specified * Always returns data in JSON format, unless otherwise specified
*/ */
include("config.php"); require_once("config.php");
include("functions.php"); require_once("functions.php");
include("check_login.php"); require_once("check_login.php");
require_once("rfc6238.php"); require_once("rfc6238.php");
/* /*
* Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key) * Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key)
*/ */
if(isset($_GET['certificate_fetch_parse_json_details'])){ if (isset($_GET['certificate_fetch_parse_json_details'])) {
// PHP doesn't appreciate attempting SSL sockets to non-existent domains // PHP doesn't appreciate attempting SSL sockets to non-existent domains
if(empty($_GET['domain'])){ if (empty($_GET['domain'])) {
exit(); exit();
} }
$domain = $_GET['domain']; $domain = $_GET['domain'];
// FQDNs in database shouldn't have a URL scheme, adding one // FQDNs in database shouldn't have a URL scheme, adding one
$domain = "https://".$domain; $domain = "https://".$domain;
// Parse host and port // Parse host and port
$url = parse_url($domain, PHP_URL_HOST); $url = parse_url($domain, PHP_URL_HOST);
$port = parse_url($domain, PHP_URL_PORT); $port = parse_url($domain, PHP_URL_PORT);
// Default port // Default port
if(!$port){ if (!$port) {
$port = "443"; $port = "443";
} }
// Get certificate (using verify peer false to allow for self-signed certs) // Get certificate (using verify peer false to allow for self-signed certs)
$socket = "ssl://$url:$port"; $socket = "ssl://$url:$port";
$get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE, "verify_peer" => FALSE,))); $get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE, "verify_peer" => FALSE,)));
$read = stream_socket_client($socket, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get); $read = stream_socket_client($socket, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get);
$cert = stream_context_get_params($read); $cert = stream_context_get_params($read);
$cert_public_key_obj = openssl_x509_parse($cert['options']['ssl']['peer_certificate']); $cert_public_key_obj = openssl_x509_parse($cert['options']['ssl']['peer_certificate']);
openssl_x509_export($cert['options']['ssl']['peer_certificate'], $export); openssl_x509_export($cert['options']['ssl']['peer_certificate'], $export);
// Process data // Process data
if($cert_public_key_obj){ if ($cert_public_key_obj) {
$response['success'] = "TRUE"; $response['success'] = "TRUE";
$response['expire'] = date('Y-m-d', $cert_public_key_obj['validTo_time_t']); $response['expire'] = date('Y-m-d', $cert_public_key_obj['validTo_time_t']);
$response['issued_by'] = strip_tags($cert_public_key_obj['issuer']['O']); $response['issued_by'] = strip_tags($cert_public_key_obj['issuer']['O']);
$response['public_key'] = $export; //nl2br $response['public_key'] = $export; //nl2br
} } else {
else{ $response['success'] = "FALSE";
$response['success'] = "FALSE"; }
}
echo json_encode($response); echo json_encode($response);
} }
/* /*
* Looks up info for a given certificate ID from the database, used to dynamically populate modal fields * Looks up info for a given certificate ID from the database, used to dynamically populate modal fields
*/ */
if(isset($_GET['certificate_get_json_details'])){ if (isset($_GET['certificate_get_json_details'])) {
validateTechRole(); validateTechRole();
$certificate_id = intval($_GET['certificate_id']); $certificate_id = intval($_GET['certificate_id']);
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
// Individual certificate lookup // Individual certificate lookup
$cert_sql = mysqli_query($mysqli,"SELECT * FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id"); $cert_sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id");
while($row = mysqli_fetch_array($cert_sql)){ while ($row = mysqli_fetch_array($cert_sql)) {
$response['certificate'][] = $row; $response['certificate'][] = $row;
} }
// Get all domains for this client that could be linked to this certificate // Get all domains for this client that could be linked to this certificate
$domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = '$client_id' AND company_id = '$session_company_id'"); $domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = '$client_id' AND company_id = '$session_company_id'");
while($row = mysqli_fetch_array($domains_sql)){ while ($row = mysqli_fetch_array($domains_sql)) {
$response['domains'][] = $row; $response['domains'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
/* /*
* Looks up info for a given domain ID from the database, used to dynamically populate modal fields * Looks up info for a given domain ID from the database, used to dynamically populate modal fields
*/ */
if(isset($_GET['domain_get_json_details'])){ if (isset($_GET['domain_get_json_details'])) {
validateTechRole(); validateTechRole();
$domain_id = intval($_GET['domain_id']); $domain_id = intval($_GET['domain_id']);
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
// Individual domain lookup // Individual domain lookup
$cert_sql = mysqli_query($mysqli,"SELECT * FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id"); $cert_sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id");
while($row = mysqli_fetch_array($cert_sql)){ while ($row = mysqli_fetch_array($cert_sql)) {
$response['domain'][] = $row; $response['domain'][] = $row;
} }
// Get all registrars/webhosts (vendors) for this client that could be linked to this domain // Get all registrars/webhosts (vendors) for this client that could be linked to this domain
$vendor_sql = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors WHERE vendor_client_id = $client_id"); $vendor_sql = mysqli_query($mysqli, "SELECT vendor_id, vendor_name FROM vendors WHERE vendor_client_id = $client_id");
while($row = mysqli_fetch_array($vendor_sql)){ while ($row = mysqli_fetch_array($vendor_sql)) {
$response['vendors'][] = $row; $response['vendors'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
/* /*
* Looks up info on the ticket number provided, used to populate the ticket merge modal * Looks up info on the ticket number provided, used to populate the ticket merge modal
*/ */
if(isset($_GET['merge_ticket_get_json_details'])){ if (isset($_GET['merge_ticket_get_json_details'])) {
validateTechRole(); validateTechRole();
$merge_into_ticket_number = intval($_GET['merge_into_ticket_number']); $merge_into_ticket_number = intval($_GET['merge_into_ticket_number']);
$sql = mysqli_query($mysqli,"SELECT * FROM tickets $sql = mysqli_query($mysqli, "SELECT * FROM tickets
LEFT JOIN clients ON ticket_client_id = client_id LEFT JOIN clients ON ticket_client_id = client_id
LEFT JOIN contacts ON ticket_contact_id = contact_id LEFT JOIN contacts ON ticket_contact_id = contact_id
WHERE ticket_number = '$merge_into_ticket_number' AND tickets.company_id = '$session_company_id'"); WHERE ticket_number = '$merge_into_ticket_number' AND tickets.company_id = '$session_company_id'");
if(mysqli_num_rows($sql) == 0){ if (mysqli_num_rows($sql) == 0) {
//Do nothing. //Do nothing.
} } else {
else { //Return ticket, client and contact details for the given ticket number
//Return ticket, client and contact details for the given ticket number $response = mysqli_fetch_array($sql);
$response = mysqli_fetch_array($sql); echo json_encode($response);
echo json_encode($response); }
}
} }
/* /*
* Looks up info for a given network ID from the database, used to dynamically populate modal fields * Looks up info for a given network ID from the database, used to dynamically populate modal fields
*/ */
if(isset($_GET['network_get_json_details'])){ if (isset($_GET['network_get_json_details'])) {
validateTechRole(); validateTechRole();
$network_id = intval($_GET['network_id']); $network_id = intval($_GET['network_id']);
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
// Individual network lookup // Individual network lookup
$network_sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_id = $network_id AND network_client_id = $client_id"); $network_sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = $network_id AND network_client_id = $client_id");
while($row = mysqli_fetch_array($network_sql)){ while ($row = mysqli_fetch_array($network_sql)) {
$response['network'][] = $row; $response['network'][] = $row;
} }
// Lookup all client locations, as networks can be associated with any client location // Lookup all client locations, as networks can be associated with any client location
$locations_sql = mysqli_query($mysqli, "SELECT location_id, location_name FROM locations $locations_sql = mysqli_query($mysqli, "SELECT location_id, location_name FROM locations
WHERE location_client_id = '$client_id' AND company_id = '$session_company_id'" WHERE location_client_id = '$client_id' AND company_id = '$session_company_id'"
); );
while($row = mysqli_fetch_array($locations_sql)){ while ($row = mysqli_fetch_array($locations_sql)) {
$response['locations'][] = $row; $response['locations'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
if(isset($_POST['client_set_notes'])){ if (isset($_POST['client_set_notes'])) {
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes']))); $notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes'])));
// Update notes // Update notes
mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'"); mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'");
// Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id");
} }
@ -169,10 +167,10 @@ if(isset($_POST['client_set_notes'])){
* Called upon loading a ticket, and every 2 mins thereafter * Called upon loading a ticket, and every 2 mins thereafter
* Is used in conjunction with ticket_query_views to show who is currently viewing a ticket * Is used in conjunction with ticket_query_views to show who is currently viewing a ticket
*/ */
if(isset($_GET['ticket_add_view'])){ if (isset($_GET['ticket_add_view'])) {
$ticket_id = intval($_GET['ticket_id']); $ticket_id = intval($_GET['ticket_id']);
mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = '$ticket_id', view_user_id = '$session_user_id', view_timestamp = NOW()"); mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = '$ticket_id', view_user_id = '$session_user_id', view_timestamp = NOW()");
} }
/* /*
@ -180,112 +178,112 @@ if(isset($_GET['ticket_add_view'])){
* Returns formatted text of the agents currently viewing a ticket * Returns formatted text of the agents currently viewing a ticket
* Called upon loading a ticket, and every 2 mins thereafter * Called upon loading a ticket, and every 2 mins thereafter
*/ */
if(isset($_GET['ticket_query_views'])){ if (isset($_GET['ticket_query_views'])) {
$ticket_id = intval($_GET['ticket_id']); $ticket_id = intval($_GET['ticket_id']);
$query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = '$ticket_id' AND view_user_id != '$session_user_id' AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)"); $query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = '$ticket_id' AND view_user_id != '$session_user_id' AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)");
while($row = mysqli_fetch_array($query)){ while ($row = mysqli_fetch_array($query)) {
$users[] = $row['user_name']; $users[] = $row['user_name'];
}
if(!empty($users)){
$users = array_unique($users);
if(count($users) > 1){
// Multiple viewers
$response['message'] = implode(", ", $users) . " are viewing this ticket.";
} }
else{
// Single viewer if (!empty($users)) {
$response['message'] = implode("", $users) . " is viewing this ticket."; $users = array_unique($users);
if (count($users) > 1) {
// Multiple viewers
$response['message'] = implode(", ", $users) . " are viewing this ticket.";
} else {
// Single viewer
$response['message'] = implode("", $users) . " is viewing this ticket.";
}
} else {
// No viewers
$response['message'] = "";
} }
}
else{ echo json_encode($response);
// No viewers
$response['message'] = "";
}
echo json_encode($response);
} }
/* /*
* Generates public/guest links for sharing logins/docs * Generates public/guest links for sharing logins/docs
*/ */
if(isset($_GET['share_generate_link'])){ if (isset($_GET['share_generate_link'])) {
validateTechRole(); validateTechRole();
$item_encrypted_credential = ''; // Default empty $item_encrypted_credential = ''; // Default empty
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type']))); $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type'])));
$item_id = intval($_GET['id']); $item_id = intval($_GET['id']);
$item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note']))); $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note'])));
$item_view_limit = intval($_GET['views']); $item_view_limit = intval($_GET['views']);
$item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires']))); $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
$item_key = bin2hex(random_bytes(78)); $item_key = bin2hex(random_bytes(78));
if($item_type == "Document"){ if ($item_type == "Document") {
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1")); $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1"));
$item_name = $row['document_name']; $item_name = $row['document_name'];
} }
if($item_type == "File"){ if ($item_type == "File") {
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1")); $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1"));
$item_name = $row['file_name']; $item_name = $row['file_name'];
} }
if($item_type == "Login"){ if ($item_type == "Login") {
$login = mysqli_query($mysqli, "SELECT login_name, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1"); $login = mysqli_query($mysqli, "SELECT login_name, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
$row = mysqli_fetch_array($login); $row = mysqli_fetch_array($login);
$item_name = $row['login_name']; $item_name = $row['login_name'];
// Decrypt & re-encrypt password for sharing // Decrypt & re-encrypt password for sharing
$login_password_cleartext = decryptLoginEntry($row['login_password']); $login_password_cleartext = decryptLoginEntry($row['login_password']);
$login_encryption_key = bin2hex(random_bytes(8)); $login_encryption_key = bin2hex(random_bytes(8));
$iv = bin2hex(random_bytes(8)); $iv = bin2hex(random_bytes(8));
$ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv); $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
$item_encrypted_credential = $iv . $ciphertext; $item_encrypted_credential = $iv . $ciphertext;
} }
// Insert entry into DB // Insert entry into DB
$sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'"); $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
$share_id = $mysqli->insert_id; $share_id = $mysqli->insert_id;
// Return URL // Return URL
if($item_type == "Login"){ if ($item_type == "Login") {
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key"; $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key&ek=$login_encryption_key";
} }
else{ else {
$url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key"; $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key";
} }
echo json_encode($url); echo json_encode($url);
// Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
} }
/* /*
* Looks up info for a given scheduled ticket ID from the database, used to dynamically populate modal edit fields * Looks up info for a given scheduled ticket ID from the database, used to dynamically populate modal edit fields
*/ */
if(isset($_GET['scheduled_ticket_get_json_details'])){ if (isset($_GET['scheduled_ticket_get_json_details'])) {
validateTechRole(); validateTechRole();
$client_id = intval($_GET['client_id']); $client_id = intval($_GET['client_id']);
$ticket_id = intval($_GET['ticket_id']); $ticket_id = intval($_GET['ticket_id']);
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets $ticket_sql = mysqli_query($mysqli, "SELECT * FROM scheduled_tickets
WHERE scheduled_ticket_id = $ticket_id WHERE scheduled_ticket_id = $ticket_id
AND scheduled_ticket_client_id = $client_id LIMIT 1"); AND scheduled_ticket_client_id = $client_id LIMIT 1");
while($row = mysqli_fetch_array($ticket_sql)){ while ($row = mysqli_fetch_array($ticket_sql)) {
$response['ticket'][] = $row; $response['ticket'][] = $row;
} }
$asset_sql = mysqli_query($mysqli, "SELECT asset_id, asset_name FROM assets WHERE asset_client_id = $client_id AND asset_archived_at IS NULL"); $asset_sql = mysqli_query($mysqli, "SELECT asset_id, asset_name FROM assets WHERE asset_client_id = $client_id AND asset_archived_at IS NULL");
while($row = mysqli_fetch_array($asset_sql)){ while ($row = mysqli_fetch_array($asset_sql)) {
$response['assets'][] = $row; $response['assets'][] = $row;
} }
echo json_encode($response); echo json_encode($response);
} }
@ -293,8 +291,8 @@ if(isset($_GET['scheduled_ticket_get_json_details'])){
* Dynamic TOTP for client login page * Dynamic TOTP for client login page
* When provided with a TOTP secret, returns a 6-digit code * When provided with a TOTP secret, returns a 6-digit code
*/ */
if(isset($_GET['get_totp_token'])){ if (isset($_GET['get_totp_token'])) {
$otp = TokenAuth6238::getTokenCode($_GET['totp_secret']); $otp = TokenAuth6238::getTokenCode($_GET['totp_secret']);
echo json_encode($otp); echo json_encode($otp);
} }

49
get_credential.php
View File

@ -18,17 +18,16 @@
// Headers to allow extensions access (CORS) // Headers to allow extensions access (CORS)
$chrome_id = "chrome-extension://afgpakhonllnmnomchjhidealcpmnegc"; $chrome_id = "chrome-extension://afgpakhonllnmnomchjhidealcpmnegc";
//$firefox_id = "moz-extension://857479e9-3992-4e99-9a5e-b514d2ad0a82"; // Firefox rejected the extension. They are still using manifest v2 so will just focus on Chrome/Edge with v3 for now until Mozilla catches up
if (isset($_SERVER['HTTP_ORIGIN'])) { if (isset($_SERVER['HTTP_ORIGIN'])) {
if($_SERVER['HTTP_ORIGIN'] == $chrome_id){ if ($_SERVER['HTTP_ORIGIN'] == $chrome_id) {
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header('Access-Control-Allow-Credentials: true'); header('Access-Control-Allow-Credentials: true');
} }
} }
include("config.php"); include_once("config.php");
include("functions.php"); include_once("functions.php");
// IP & User Agent for logging // IP & User Agent for logging
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
@ -41,13 +40,13 @@ DEFINE("WORDING_BAD_EXT_COOKIE_KEY", "ITFlow - You are not logged into ITFlow, d
// Check user is logged in & has extension access // Check user is logged in & has extension access
// We're not using the PHP session as we don't want to potentially expose the session cookie with SameSite None // We're not using the PHP session as we don't want to potentially expose the session cookie with SameSite None
if(!isset($_COOKIE['user_extension_key'])){ if (!isset($_COOKIE['user_extension_key'])) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
@ -56,13 +55,13 @@ if(!isset($_COOKIE['user_extension_key'])){
$user_extension_key = $_COOKIE['user_extension_key']; $user_extension_key = $_COOKIE['user_extension_key'];
// Check the key isn't empty, less than 17 characters or the word "disabled". // Check the key isn't empty, less than 17 characters or the word "disabled".
if(empty($user_extension_key) || strlen($user_extension_key) < 16 || strtolower($user_extension_key) == "disabled"){ if (empty($user_extension_key) || strlen($user_extension_key) < 16 || strtolower($user_extension_key) == "disabled") {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging // Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
@ -74,25 +73,25 @@ $auth_user = mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings
$row = mysqli_fetch_array($auth_user); $row = mysqli_fetch_array($auth_user);
// Check SQL query state // Check SQL query state
if(mysqli_num_rows($auth_user) < 1 || !$auth_user){ if (mysqli_num_rows($auth_user) < 1 || !$auth_user) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
// Sanity check // Sanity check
if(hash('sha256', $row['user_extension_key']) !== hash('sha256', $_COOKIE['user_extension_key'])){ if (hash('sha256', $row['user_extension_key']) !== hash('sha256', $_COOKIE['user_extension_key'])) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_BAD_EXT_COOKIE_KEY; $data['message'] = WORDING_BAD_EXT_COOKIE_KEY;
echo(json_encode($data)); echo json_encode($data);
//Logging //Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = 'Failed login attempt using extension (get_credential.php)', log_ip = '$ip', log_user_agent = '$user_agent'");
exit(); exit();
} }
@ -110,28 +109,28 @@ $session_company_id = $row['user_default_company'];
$session_user_role = $row['user_role']; $session_user_role = $row['user_role'];
// Check user access level is correct (not an accountant) // Check user access level is correct (not an accountant)
if($session_user_role < 1){ if ($session_user_role < 1) {
$data['found'] = "FALSE"; $data['found'] = "FALSE";
$data['message'] = WORDING_ROLECHECK_FAILED; $data['message'] = WORDING_ROLECHECK_FAILED;
echo(json_encode($data)); echo json_encode($data);
//Logging //Logging
$user_name = mysqli_real_escape_string($mysqli, $session_name); $user_name = mysqli_real_escape_string($mysqli, $session_name);
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = '$user_name not authorised to use extension', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $session_user_id"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Extension Failed', log_description = '$user_name not authorised to use extension', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $session_user_id");
exit(); exit();
} }
// Lets go! // Lets go!
if(isset($_GET['host'])){ if (isset($_GET['host'])) {
if(!empty($_GET['host'])){ if (!empty($_GET['host'])) {
$url = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['host']))); $url = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['host'])));
$sql_logins = mysqli_query($mysqli, "SELECT * FROM logins WHERE (login_uri = '$url' AND company_id = '$session_company_id') LIMIT 1"); $sql_logins = mysqli_query($mysqli, "SELECT * FROM logins WHERE (login_uri = '$url' AND company_id = '$session_company_id') LIMIT 1");
if(mysqli_num_rows($sql_logins) > 0){ if (mysqli_num_rows($sql_logins) > 0) {
$row = mysqli_fetch_array($sql_logins); $row = mysqli_fetch_array($sql_logins);
$data['found'] = "TRUE"; $data['found'] = "TRUE";
$data['username'] = htmlentities($row['login_username']); $data['username'] = htmlentities($row['login_username']);

163
portal/login_microsoft.php
View File

@ -4,20 +4,20 @@
* OAuth Login via Microsoft IDP * OAuth Login via Microsoft IDP
*/ */
include('../config.php'); require_once('../config.php');
include('../functions.php'); require_once('../functions.php');
if(!isset($_SESSION)){ if (!isset($_SESSION)) {
// HTTP Only cookies // HTTP Only cookies
ini_set("session.cookie_httponly", True); ini_set("session.cookie_httponly", true);
if($config_https_only){ if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True); ini_set("session.cookie_secure", true);
} }
session_start(); session_start();
} }
$sql_settings = mysqli_query($mysqli,"SELECT config_azure_client_id, config_azure_client_secret FROM settings WHERE company_id = '1'"); $sql_settings = mysqli_query($mysqli, "SELECT config_azure_client_id, config_azure_client_secret FROM settings WHERE company_id = '1'");
$settings = mysqli_fetch_array($sql_settings); $settings = mysqli_fetch_array($sql_settings);
$client_id = $settings['config_azure_client_id']; $client_id = $settings['config_azure_client_id'];
@ -33,15 +33,15 @@ $token_grant_url = "https://login.microsoftonline.com/organizations/oauth2/v2.0/
// Returns a authorization code if login was successful // Returns a authorization code if login was successful
if ($_SERVER['REQUEST_METHOD'] == "GET"){ if ($_SERVER['REQUEST_METHOD'] == "GET"){
$params = array ( $params = array (
'client_id' => $client_id, 'client_id' => $client_id,
'redirect_uri' => $redirect_uri, 'redirect_uri' => $redirect_uri,
'response_type' => 'code', 'response_type' => 'code',
'response_mode' =>'form_post', 'response_mode' =>'form_post',
'scope' => 'https://graph.microsoft.com/User.Read', 'scope' => 'https://graph.microsoft.com/User.Read',
'state' => session_id()); 'state' => session_id());
header ('Location: '.$auth_code_url.'?'.http_build_query ($params)); header('Location: '.$auth_code_url.'?'.http_build_query($params));
} }
@ -49,78 +49,75 @@ if ($_SERVER['REQUEST_METHOD'] == "GET"){
// Request an access token using authorization code (& client secret) (server side) // Request an access token using authorization code (& client secret) (server side)
if (isset($_POST['code']) && $_POST['state'] == session_id()){ if (isset($_POST['code']) && $_POST['state'] == session_id()){
$params = array ( $params = array (
'client_id' =>$client_id, 'client_id' =>$client_id,
'code' => $_POST['code'], 'code' => $_POST['code'],
'redirect_uri' => $redirect_uri, 'redirect_uri' => $redirect_uri,
'grant_type' => 'authorization_code', 'grant_type' => 'authorization_code',
'client_secret' => $client_secret 'client_secret' => $client_secret
); );
// Send request via CURL (server side) so user cannot see the client secret
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$token_grant_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
http_build_query($params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$access_token_response = json_decode(curl_exec($ch),1);
// Check if we have an access token
// If we do, send a request to Microsoft Graph API to get user info
if (isset($access_token_response['access_token'])){
// Send request via CURL (server side) so user cannot see the client secret
$ch = curl_init(); $ch = curl_init();
curl_setopt ($ch, CURLOPT_HTTPHEADER, array ('Authorization: Bearer '.$access_token_response['access_token'], curl_setopt($ch, CURLOPT_URL, $token_grant_url);
'Content-type: application/json')); curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/"); curl_setopt($ch, CURLOPT_POSTFIELDS,
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); http_build_query($params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP #curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$msgraph_response = json_decode (curl_exec ($ch), 1); $access_token_response = json_decode(curl_exec($ch), 1);
if (isset($msgraph_response['error'])){ // Check if we have an access token
// Something went wrong verifying the token/using the Graph API - quit // If we do, send a request to Microsoft Graph API to get user info
echo "Error with MS Graph API. Details:"; if (isset($access_token_response['access_token'])){
var_dump ($msgraph_response['error']);
exit(); $ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array ('Authorization: Bearer '.$access_token_response['access_token'],
'Content-type: application/json'));
curl_setopt($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
$msgraph_response = json_decode(curl_exec($ch), 1);
if (isset($msgraph_response['error'])){
// Something went wrong verifying the token/using the Graph API - quit
echo "Error with MS Graph API. Details:";
var_dump($msgraph_response['error']);
exit();
} elseif (isset($msgraph_response['id'])) {
$upn = mysqli_real_escape_string($mysqli, $msgraph_response["userPrincipalName"]);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$upn' LIMIT 1");
$row = mysqli_fetch_array($sql);
if ($row['contact_auth_method'] == 'azure') {
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "azure";
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $upn successfully logged in via Azure', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
header("Location: index.php");
} else {
$_SESSION['login_message'] = 'Something went wrong with login. Ensure you are setup for SSO.';
header("Location: index.php");
}
}
header('Location: index.php');
} else {
echo "Error getting access_token";
} }
elseif(isset($msgraph_response['id'])){
$upn = mysqli_real_escape_string($mysqli, $msgraph_response["userPrincipalName"]);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$upn' LIMIT 1");
$row = mysqli_fetch_array($sql);
if($row['contact_auth_method'] == 'azure'){
$_SESSION['client_logged_in'] = TRUE;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['login_method'] = "azure";
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $upn successfully logged in via Azure', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
header("Location: index.php");
}
else{
$_SESSION['login_message'] = 'Something went wrong with login. Ensure you are setup for SSO.';
header("Location: index.php");
}
}
header ('Location: index.php');
}
else{
echo "Error getting access_token";
}
} }
// If the user is just sat on the page, redirect them to login to try again // If the user is just sat on the page, redirect them to login to try again
if(empty($_GET)){ if (empty($_GET)) {
echo "<script> setTimeout(function(){ window.location = \"login.php\"; },1000);</script>"; echo "<script> setTimeout(function(){ window.location = \"login.php\"; },1000);</script>";
} }

25
portal/login_reset.php
View File

@ -7,19 +7,19 @@
$session_company_id = 1; $session_company_id = 1;
require_once('../config.php'); require_once('../config.php');
require_once('../functions.php'); require_once('../functions.php');
require_once ('../get_settings.php'); require_once('../get_settings.php');
if (empty($config_smtp_host)) { if (empty($config_smtp_host)) {
header("Location: login.php"); header("Location: login.php");
exit(); exit();
} }
if(!isset($_SESSION)){ if (!isset($_SESSION)) {
// HTTP Only cookies // HTTP Only cookies
ini_set("session.cookie_httponly", True); ini_set("session.cookie_httponly", true);
if($config_https_only){ if ($config_https_only) {
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
ini_set("session.cookie_secure", True); ini_set("session.cookie_secure", true);
} }
session_start(); session_start();
} }
@ -38,7 +38,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
/* /*
* Send password reset email * Send password reset email
*/ */
if(isset($_POST['password_reset_email_request'])){ if (isset($_POST['password_reset_email_request'])) {
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email'])); $email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
@ -54,7 +54,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
$token = key32gen(); $token = key32gen();
$url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client"; $url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client";
mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1"); mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send reset email // Send reset email
@ -82,10 +82,9 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
/* /*
* Do password reset * Do password reset
*/ */
} } elseif (isset($_POST['password_reset_set_password'])) {
elseif(isset($_POST['password_reset_set_password'])){
if(!isset($_POST['new_password']) || !isset($_POST['email']) || !isset($_POST['token']) || !isset($_POST['client'])) { if (!isset($_POST['new_password']) || !isset($_POST['email']) || !isset($_POST['token']) || !isset($_POST['client'])) {
$_SESSION['login_message'] = WORDING_ERROR; $_SESSION['login_message'] = WORDING_ERROR;
} }
@ -106,7 +105,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
// Set password, invalidate token, logging // Set password, invalidate token, logging
$password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT)); $password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1"); mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
// Send confirmation email // Send confirmation email
$subject = "Password reset confirmation for $company_name ITFlow Portal"; $subject = "Password reset confirmation for $company_name ITFlow Portal";
@ -232,7 +231,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
<p class="login-box-msg text-danger"> <p class="login-box-msg text-danger">
<?php <?php
// Show feedback from session // Show feedback from session
if(!empty($_SESSION['login_message'])){ if (!empty($_SESSION['login_message'])) {
echo $_SESSION['login_message']; echo $_SESSION['login_message'];
unset($_SESSION['login_message']); unset($_SESSION['login_message']);
} }
@ -268,4 +267,4 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
</script> </script>
</body> </body>
</html> </html>

257
portal/portal_post.php
View File

@ -6,156 +6,151 @@
require_once("inc_portal.php"); require_once("inc_portal.php");
if(isset($_POST['add_ticket'])){ if (isset($_POST['add_ticket'])) {
// Get ticket prefix/number // Get ticket prefix/number
$sql_settings = mysqli_query($mysqli,"SELECT * FROM settings WHERE company_id = $session_company_id"); $sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = $session_company_id");
$row = mysqli_fetch_array($sql_settings); $row = mysqli_fetch_array($sql_settings);
$config_ticket_prefix = $row['config_ticket_prefix']; $config_ticket_prefix = $row['config_ticket_prefix'];
$config_ticket_next_number = $row['config_ticket_next_number']; $config_ticket_next_number = $row['config_ticket_next_number'];
// HTML Purifier // HTML Purifier
require("../plugins/htmlpurifier/HTMLPurifier.standalone.php"); require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault(); $purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config); $purifier = new HTMLPurifier($purifier_config);
$client_id = $session_client_id; $client_id = $session_client_id;
$contact = $session_contact_id; $contact = $session_contact_id;
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']))); $subject = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['subject'])));
$details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['details']))))); $details = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['details'])))));
// Ensure priority is low/med/high (as can be user defined) // Ensure priority is low/med/high (as can be user defined)
if($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High"){ if ($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High") {
$priority = "Low"; $priority = "Low";
} } else {
else{ $priority = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['priority'])));
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority'])));
}
// Get the next Ticket Number and add 1 for the new ticket number
$ticket_number = $config_ticket_next_number;
$new_config_ticket_next_number = $config_ticket_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id");
mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
$id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");
header("Location: ticket.php?id=" . $id);
}
if(isset($_POST['add_ticket_comment'])){
// HTML Purifier
require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
$ticket_id = intval($_POST['ticket_id']);
// Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
// In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
// So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
$comment = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
// After stripping bad HTML, check the comment isn't just empty
if(empty($comment)){
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
// Verify the contact has access to the provided ticket ID
if(verifyContactTicketAccess($ticket_id, "Open")) {
// Add the comment
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
// Update Ticket Last Response Field & set ticket to open as client has replied
mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
}
if(isset($_POST['add_ticket_feedback'])){
$ticket_id = intval($_POST['ticket_id']);
$feedback = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['add_ticket_feedback'])));
// Verify the contact has access to the provided ticket ID
if(verifyContactTicketAccess($ticket_id, "Closed")) {
// Add feedback
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
// Notify on bad feedback
if($feedback == "Bad"){
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
} }
// Redirect // Get the next Ticket Number and add 1 for the new ticket number
header("Location: " . $_SERVER["HTTP_REFERER"]); $ticket_number = $config_ticket_next_number;
} $new_config_ticket_next_number = $config_ticket_next_number + 1;
else { mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id");
// The client does not have access to this ticket
header("Location: portal_post.php?logout"); mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
exit(); $id = mysqli_insert_id($mysqli);
}
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");
header("Location: ticket.php?id=" . $id);
} }
if(isset($_GET['close_ticket'])){ if (isset($_POST['add_ticket_comment'])) {
$ticket_id = intval($_GET['close_ticket']); // HTML Purifier
require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
// Verify the contact has access to the provided ticket ID $ticket_id = intval($_POST['ticket_id']);
if(verifyContactTicketAccess($ticket_id, "Open")) {
// Close ticket // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'"); // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
// So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
$comment = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
// Add reply // After stripping bad HTML, check the comment isn't just empty
mysqli_query($mysqli,"INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id"); if (empty($comment)) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
//Logging // Verify the contact has access to the provided ticket ID
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id"); if (verifyContactTicketAccess($ticket_id, "Open")) {
header("Location: ticket.php?id=" . $ticket_id); // Add the comment
} mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
else {
// The client does not have access to this ticket // Update Ticket Last Response Field & set ticket to open as client has replied
// This is only a GET request, might just be a mistake mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
header("Location: index.php");
exit(); // Redirect
} header("Location: " . $_SERVER["HTTP_REFERER"]);
} else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
} }
if(isset($_GET['logout'])){ if (isset($_POST['add_ticket_feedback'])) {
setcookie("PHPSESSID", '', time() - 3600, "/"); $ticket_id = intval($_POST['ticket_id']);
unset($_COOKIE['PHPSESSID']); $feedback = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['add_ticket_feedback'])));
session_unset(); // Verify the contact has access to the provided ticket ID
session_destroy(); if (verifyContactTicketAccess($ticket_id, "Closed")) {
// Add feedback
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
// Notify on bad feedback
if ($feedback == "Bad") {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
}
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
} else {
// The client does not have access to this ticket
header("Location: portal_post.php?logout");
exit();
}
header('Location: login.php');
} }
if(isset($_POST['edit_profile'])){ if (isset($_GET['close_ticket'])) {
$new_password = $_POST['new_password']; $ticket_id = intval($_GET['close_ticket']);
if(!empty($new_password)){
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
//Logging // Verify the contact has access to the provided ticket ID
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $session_client_id, company_id = $session_company_id"); if (verifyContactTicketAccess($ticket_id, "Open")) {
}
header('Location: index.php'); // Close ticket
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id");
header("Location: ticket.php?id=" . $ticket_id);
} else {
// The client does not have access to this ticket - send them home
header("Location: index.php");
exit();
}
}
if (isset($_GET['logout'])) {
setcookie("PHPSESSID", '', time() - 3600, "/");
unset($_COOKIE['PHPSESSID']);
session_unset();
session_destroy();
header('Location: login.php');
}
if (isset($_POST['edit_profile'])) {
$new_password = $_POST['new_password'];
if (!empty($new_password)) {
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $session_client_id, company_id = $session_company_id");
}
header('Location: index.php');
} }

239
portal/ticket.php
View File

@ -6,160 +6,157 @@
require_once("inc_portal.php"); require_once("inc_portal.php");
if(isset($_GET['id']) && intval($_GET['id'])) { if (isset($_GET['id']) && intval($_GET['id'])) {
$ticket_id = intval($_GET['id']); $ticket_id = intval($_GET['id']);
if($session_contact_id == $session_client_primary_contact_id){ if ($session_contact_id == $session_client_primary_contact_id) {
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'"); $ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'");
} } else {
else{ $ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'");
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'"); }
}
$ticket = mysqli_fetch_array($ticket_sql); $ticket = mysqli_fetch_array($ticket_sql);
if ($ticket) { if ($ticket) {
?> ?>
<nav class="navbar navbar-dark bg-dark"> <nav class="navbar navbar-dark bg-dark">
<i class="fas fa-fw fa-ticket-alt text-secondary"></i> <a class="navbar-brand">Ticket <?php echo $ticket['ticket_prefix'], $ticket['ticket_number'] ?></a> <i class="fas fa-fw fa-ticket-alt text-secondary"></i> <a class="navbar-brand">Ticket <?php echo $ticket['ticket_prefix'], $ticket['ticket_number'] ?></a>
<span class="navbar-text"> <span class="navbar-text">
<?php <?php
if($ticket['ticket_status'] !== "Closed"){ ?> if ($ticket['ticket_status'] !== "Closed") { ?>
<button class="btn btn-sm btn-outline-success my-2 my-sm-0 form-inline my-2 my-lg-0" type="submit"><a href="portal_post.php?close_ticket=<?php echo $ticket_id; ?>"><i class="fas fa-fw fa-check text-secondary text-success"></i> Close ticket</a></button> <button class="btn btn-sm btn-outline-success my-2 my-sm-0 form-inline my-2 my-lg-0" type="submit"><a href="portal_post.php?close_ticket=<?php echo $ticket_id; ?>"><i class="fas fa-fw fa-check text-secondary text-success"></i> Close ticket</a></button>
<?php } ?> <?php } ?>
</span> </span>
</nav>
<div class="card"> </nav>
<div class="card-header">
<h3 class="card-title"><b>Subject:</b> <?php echo $ticket['ticket_subject'] ?></h3>
</div>
<div class="card-body">
<p>
<b>State:</b> <?php echo $ticket['ticket_status'] ?>
<br>
<b>Priority:</b> <?php echo $ticket['ticket_priority'] ?>
</p>
<b>Issue:</b> <?php echo $ticket['ticket_details'] ?>
</div>
</div>
<div class="card">
<!-- Either show the reply comments box, ticket smiley feedback, or thanks for feedback --> <div class="card-header">
<h3 class="card-title"><b>Subject:</b> <?php echo $ticket['ticket_subject'] ?></h3>
</div>
<div class="card-body">
<p>
<b>State:</b> <?php echo $ticket['ticket_status'] ?>
<br>
<b>Priority:</b> <?php echo $ticket['ticket_priority'] ?>
</p>
<b>Issue:</b> <?php echo $ticket['ticket_details'] ?>
</div>
</div>
<?php if($ticket['ticket_status'] !== "Closed") { ?>
<div class="form-group">
<form action="portal_post.php" method="post">
<div class="form-group">
<textarea class="form-control" name="comment" placeholder="Add comments.."></textarea>
</div>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary" name="add_ticket_comment">Save reply</button>
</form>
</div>
<?php }
elseif(empty($ticket['ticket_feedback'])) { ?> <!-- Either show the reply comments box, ticket smiley feedback, or thanks for feedback -->
<h4>Rate your ticket</h4> <?php if ($ticket['ticket_status'] !== "Closed") { ?>
<div class="form-group">
<form action="portal_post.php" method="post">
<div class="form-group">
<textarea class="form-control" name="comment" placeholder="Add comments.."></textarea>
</div>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary" name="add_ticket_comment">Save reply</button>
</form>
</div>
<?php }
<form action="portal_post.php" method="post"> elseif (empty($ticket['ticket_feedback'])) { ?>
<input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
<button type="submit" class="btn btn-primary btn-lg" name="add_ticket_feedback" value="Good" onclick="this.form.submit()"> <h4>Rate your ticket</h4>
<span class="fa fa-smile" aria-hidden="true"></span> Good
</button>
<button type="submit" class="btn btn-danger btn-lg" name="add_ticket_feedback" value="Bad" onclick="this.form.submit()"> <form action="portal_post.php" method="post">
<span class="fa fa-frown" aria-hidden="true"></span> Bad <input type="hidden" name="ticket_id" value="<?php echo $ticket['ticket_id'] ?>">
</button>
</form>
<?php } <button type="submit" class="btn btn-primary btn-lg" name="add_ticket_feedback" value="Good" onclick="this.form.submit()">
<span class="fa fa-smile" aria-hidden="true"></span> Good
</button>
else{ ?> <button type="submit" class="btn btn-danger btn-lg" name="add_ticket_feedback" value="Bad" onclick="this.form.submit()">
<span class="fa fa-frown" aria-hidden="true"></span> Bad
</button>
</form>
<h4>Rated <?php echo $ticket['ticket_feedback'] ?> -- Thanks for your feedback!</h4> <?php }
<?php } ?> else { ?>
<!-- End comments/feedback --> <h4>Rated <?php echo $ticket['ticket_feedback'] ?> -- Thanks for your feedback!</h4>
<hr><br> <?php } ?>
<?php <!-- End comments/feedback -->
$sql = mysqli_query($mysqli,"SELECT * FROM ticket_replies LEFT JOIN users ON ticket_reply_by = user_id LEFT JOIN contacts ON ticket_reply_by = contact_id WHERE ticket_reply_ticket_id = $ticket_id AND ticket_reply_archived_at IS NULL AND ticket_reply_type != 'Internal' ORDER BY ticket_reply_id DESC");
while($row = mysqli_fetch_array($sql)){ <hr><br>
$ticket_reply_id = $row['ticket_reply_id'];
$ticket_reply = $row['ticket_reply'];
$ticket_reply_created_at = $row['ticket_reply_created_at'];
$ticket_reply_updated_at = $row['ticket_reply_updated_at'];
$ticket_reply_by = $row['ticket_reply_by'];
$ticket_reply_type = $row['ticket_reply_type'];
if($ticket_reply_type == "Client"){ <?php
$ticket_reply_by_display = $row['contact_name']; $sql = mysqli_query($mysqli, "SELECT * FROM ticket_replies LEFT JOIN users ON ticket_reply_by = user_id LEFT JOIN contacts ON ticket_reply_by = contact_id WHERE ticket_reply_ticket_id = $ticket_id AND ticket_reply_archived_at IS NULL AND ticket_reply_type != 'Internal' ORDER BY ticket_reply_id DESC");
$user_initials = initials($row['contact_name']);
$user_avatar = $row['contact_photo'];
$avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
}
else{
$ticket_reply_by_display = $row['user_name'];
$user_id = $row['user_id'];
$user_avatar = $row['user_avatar'];
$user_initials = initials($row['user_name']);
$avatar_link = "../uploads/users/$user_id/$user_avatar";
}
?>
<div class="card card-outline <?php if($ticket_reply_type == 'Client') {echo "card-warning"; } else{ echo "card-info"; } ?> mb-3"> while ($row = mysqli_fetch_array($sql)) {
<div class="card-header"> $ticket_reply_id = $row['ticket_reply_id'];
<h3 class="card-title"> $ticket_reply = $row['ticket_reply'];
<div class="media"> $ticket_reply_created_at = $row['ticket_reply_created_at'];
<?php if(!empty($user_avatar)){ ?> $ticket_reply_updated_at = $row['ticket_reply_updated_at'];
<img src="<?php echo $avatar_link ?>" alt="User Avatar" class="img-size-50 mr-3 img-circle"> $ticket_reply_by = $row['ticket_reply_by'];
<?php }else{ ?> $ticket_reply_type = $row['ticket_reply_type'];
<span class="fa-stack fa-2x">
if ($ticket_reply_type == "Client") {
$ticket_reply_by_display = $row['contact_name'];
$user_initials = initials($row['contact_name']);
$user_avatar = $row['contact_photo'];
$avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
} else {
$ticket_reply_by_display = $row['user_name'];
$user_id = $row['user_id'];
$user_avatar = $row['user_avatar'];
$user_initials = initials($row['user_name']);
$avatar_link = "../uploads/users/$user_id/$user_avatar";
}
?>
<div class="card card-outline <?php if ($ticket_reply_type == 'Client') { echo "card-warning"; } else { echo "card-info"; } ?> mb-3">
<div class="card-header">
<h3 class="card-title">
<div class="media">
<?php if (!empty($user_avatar)) { ?>
<img src="<?php echo $avatar_link ?>" alt="User Avatar" class="img-size-50 mr-3 img-circle">
<?php } else { ?>
<span class="fa-stack fa-2x">
<i class="fa fa-circle fa-stack-2x text-secondary"></i> <i class="fa fa-circle fa-stack-2x text-secondary"></i>
<span class="fa fa-stack-1x text-white"><?php echo $user_initials; ?></span> <span class="fa fa-stack-1x text-white"><?php echo $user_initials; ?></span>
</span> </span>
<?php <?php
} }
?> ?>
<div class="media-body"> <div class="media-body">
<?php echo $ticket_reply_by_display; ?> <?php echo $ticket_reply_by_display; ?>
<br> <br>
<small class="text-muted"><?php echo $ticket_reply_created_at; ?> <?php if(!empty($ticket_reply_updated_at)){ echo "(edited: $ticket_reply_updated_at)"; } ?></small> <small class="text-muted"><?php echo $ticket_reply_created_at; ?> <?php if(!empty($ticket_reply_updated_at)){ echo "(edited: $ticket_reply_updated_at)"; } ?></small>
</div> </div>
</div>
</h3>
</div>
<div class="card-body">
<?php echo $ticket_reply; ?>
</div>
</div> </div>
</h3>
</div>
<div class="card-body"> <?php
<?php echo $ticket_reply; ?>
</div>
</div>
<?php }
?>
<?php
} else {
echo "Ticket ID not found!";
} }
?> } else {
header("Location: index.php");
<?php
}
else{
echo "Ticket ID not found!";
}
}
else{
header("Location: index.php");
} }
require_once("portal_footer.php"); require_once("portal_footer.php");

1
uploads/clients/index.php
View File

@ -0,0 +1 @@

1
uploads/expenses/index.php
View File

@ -0,0 +1 @@

1
uploads/index.php
View File

@ -0,0 +1 @@

1
uploads/settings/index.php
View File

@ -0,0 +1 @@

1
uploads/tmp/index.php
View File

@ -0,0 +1 @@

1
uploads/users/index.php
View File

@ -0,0 +1 @@