From 6f6f5a021782374f79bd8c9019970b9eaa629eb9 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sat, 19 Feb 2022 20:02:14 +0000 Subject: [PATCH] Add document sharing via link #315 --- client_contact_edit_modal.php | 2 +- client_documents.php | 4 +- guest_download_file.php | 64 ++++++++++++++++ guest_header.php | 4 - guest_view_item.php | 138 ++++++++++++++++++++++++++++++++++ post.php | 22 ++++++ share_modal.php | 78 +++++++++++++++++++ 7 files changed, 306 insertions(+), 6 deletions(-) create mode 100644 guest_download_file.php create mode 100644 guest_view_item.php create mode 100644 share_modal.php diff --git a/client_contact_edit_modal.php b/client_contact_edit_modal.php index 7bbf3550..2e76cf7f 100644 --- a/client_contact_edit_modal.php +++ b/client_contact_edit_modal.php @@ -103,7 +103,7 @@ '$network_created_at' OR location_archived_at IS NULL) AND location_client_id = $client_id ORDER BY location_name ASC"); + $sql_locations = mysqli_query($mysqli,"SELECT * FROM locations WHERE (location_archived_at > NOW() OR location_archived_at IS NULL) AND location_client_id = $client_id ORDER BY location_name ASC"); while($row = mysqli_fetch_array($sql_locations)){ $location_id_select = $row['location_id']; $location_name_select = $row['location_name']; diff --git a/client_documents.php b/client_documents.php index 8c0abec8..f73b14d1 100644 --- a/client_documents.php +++ b/client_documents.php @@ -165,6 +165,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); @@ -187,5 +188,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); + - + \ No newline at end of file diff --git a/guest_download_file.php b/guest_download_file.php new file mode 100644 index 00000000..8c4de511 --- /dev/null +++ b/guest_download_file.php 
@@ -0,0 +1,64 @@ + NOW() LIMIT 1"); + $row = mysqli_fetch_array($sql); + + // Check result + if(mysqli_num_rows($sql) !== 1 OR !$row){ + exit("No file."); + } + + // Check it is a file + if($row['item_type'] !== "File"){ + exit("Bad item type."); + } + + // Check item share is active & hasn't been viewed too many times + if($row['item_active'] !== "1" OR $row['item_views'] >= $row['item_view_limit']){ + exit("Item cannot be viewed at this time."); + } + + $item_related_id = $row['item_related_id']; + $client_id = $row['item_client_id']; + + if(empty($row['item_views'])){ + $item_views = 0; + } + else { + $item_views = intval($row['item_views']); + } + + $file_sql = mysqli_query($mysqli, "SELECT * FROM files WHERE file_id = '$item_related_id' AND file_client_id = '$client_id' LIMIT 1"); + $file_row = mysqli_fetch_array($file_sql); + + if(mysqli_num_rows($file_sql) !== 1 OR !$file_row){ + exit("No file."); + } + + $file_name = $file_row['file_name']; + $file_ext = $file_row['file_ext']; + $file_reference_name = $file_row['file_reference_name']; + $client_id = $file_row['file_client_id']; + $company_id = $file_row['company_id']; + $file_path = "uploads/clients/$company_id/$client_id/$file_reference_name"; + + // Display file as download + $mime_type = mime_content_type($file_path); + header('Content-type: '.$mime_type); + header('Content-Disposition: attachment; filename=download.' .$file_ext); + readfile($file_path); + + + // Update file view count & logging + $new_item_views = $item_views + 1; + mysqli_query($mysqli, "UPDATE shared_items SET item_views = '$new_item_views' WHERE item_id = '$item_id'"); + + + + +} \ No newline at end of file diff --git a/guest_header.php b/guest_header.php index f79af3a5..887cc6a0 100644 --- a/guest_header.php +++ b/guest_header.php @@ -6,10 +6,6 @@ ?> - diff --git a/guest_view_item.php b/guest_view_item.php new file mode 100644 index 00000000..c9b19055 --- /dev/null +++ b/guest_view_item.php @@ -0,0 +1,138 @@ + + +
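Review bot: The view limit in guest_download_file.php is not actually enforced for files, because the counter is bumped only after `readfile($file_path)` returns and via a read-then-write (`SET item_views = '$new_item_views'`): if the client disconnects mid-transfer PHP normally aborts the script before the UPDATE runs, and two concurrent requests both read the same `$item_views` and both pass the `>=` check, so a guest can pull the file more times than the share allows. Consume the view atomically before streaming and bail out if nothing was updated, as sketched below. The path is also built from the DB value `file_reference_name` and handed straight to `mime_content_type()`/`readfile()` with no `is_file()` check, so a missing file emits warnings into the response and a stored `..` segment (whether the upload code prevents that is not visible here) would be followed; wrapping it in `basename()` and checking `is_file()` closes both. The opening lines of this hunk are garbled in this rendering, so the share lookup and the `$_GET` handling could not be reviewed.
```php
// … unchanged: share lookup, type/active/view-limit checks, file row lookup …
$file_path = "uploads/clients/$company_id/$client_id/" . basename($file_reference_name);
if(!is_file($file_path)){
    exit("No file.");
}

// Consume the view atomically *before* streaming so an aborted or concurrent download cannot bypass the limit
mysqli_query($mysqli, "UPDATE shared_items SET item_views = item_views + 1 WHERE item_id = '$item_id' AND item_views < item_view_limit");
if(mysqli_affected_rows($mysqli) !== 1){
    exit("Item cannot be viewed at this time.");
}

$mime_type = mime_content_type($file_path);
// … unchanged: Content-type / Content-Disposition headers and readfile …
```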

Guest sharing

+
+ +Incorrect URL."; + include("guest_footer.php"); + exit(); +} + +$item_id = intval($_GET['id']); +$item_key = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['key']))); + +$sql = mysqli_query($mysqli, "SELECT * FROM shared_items WHERE item_id = '$item_id' AND item_key = '$item_key' AND item_expire_at > NOW() LIMIT 1"); +$row = mysqli_fetch_array($sql); + +// Check we got a result +if(mysqli_num_rows($sql) !== 1 OR !$row){ + echo "
No item to view. Check with the person that sent you this link to ensure it is correct and has not expired.
"; + include("guest_footer.php"); + exit(); +} + +// Check item share is active & hasn't been viewed too many times +if($row['item_active'] !== "1" OR $row['item_views'] >= $row['item_view_limit']){ + echo "
Item cannot be viewed at this time. Check with the person that sent you this link to ensure it is correct and has not expired.
"; + include("guest_footer.php"); + exit(); +} + +// If we got here, we have valid information + +echo "
You may only be able to view this information for a limited time! Be sure to copy/download what you need.
"; + +$item_type = $row['item_type']; +$item_related_id = $row['item_related_id']; +$item_encrypted_credential = $row['item_encrypted_credential']; +$item_note = $row['item_note']; +$item_views = intval($row['item_views']); +$item_created = $row['item_created_at']; +$item_expire = $row['item_expire_at']; +$item_client_id = $row['item_client_id']; + +if($item_type == "Document"){ + $doc_sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_id = '$item_related_id' AND document_client_id = '$item_client_id' LIMIT 1"); + $doc_row = mysqli_fetch_array($doc_sql); + + if(mysqli_num_rows($doc_sql) !== 1 OR !$doc_row){ + echo "
Error retrieving document to view.
"; + include("guest_footer.php"); + exit(); + } + + $doc_title = $doc_row['document_name']; + $doc_content = $doc_row['document_content']; + + echo "

$doc_title has been shared with you

"; + if(!empty($item_note)){ + echo "

$item_note

"; + } + echo "
"; + echo $doc_content; + + // Update file view count + $new_item_views = $item_views + 1; + mysqli_query($mysqli, "UPDATE shared_items SET item_views = '$new_item_views' WHERE item_id = '$item_id'"); + + // Logging // TODO: Need to add IP, etc. + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Viewed', log_description = 'Viewed shared $item_type link - Item ID: $item_id', log_client_id = '$item_client_id', log_created_at = NOW(), company_id = '1'"); + + +} +elseif($item_type == "File"){ + $file_sql = mysqli_query($mysqli, "SELECT * FROM files WHERE file_id = '$item_related_id' AND file_client_id = '$item_client_id' LIMIT 1"); + $file_row = mysqli_fetch_array($file_sql); + + if(mysqli_num_rows($file_sql) !== 1 OR !$file_row){ + echo "
Error retrieving file.
"; + include("guest_footer.php"); + exit(); + } + + $file_name = $file_row['file_name']; + + echo "

$file_name has been shared with you

"; + if(!empty($item_note)){ + echo "

$item_note

"; + } + echo "Download"; + + +} +elseif($item_type == "Login"){ + $encryption_key = $_GET['ek']; + + $login_sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$item_related_id' AND login_client_id = '$item_client_id' LIMIT 1"); + $login_row = mysqli_fetch_array($login_sql); + if(mysqli_num_rows($login_sql) !== 1 OR !$login_row){ + echo "
Error retrieving login.
"; + include("guest_footer.php"); + exit(); + } + + $login_name = $login_row['login_name']; + $login_uri = $login_row['login_uri']; + $login_username = $login_row['login_username']; + $login_iv = substr($row['item_encrypted_credential'], 0, 16); + $login_ciphertext = substr($row['item_encrypted_credential'], 16); + $login_password = openssl_decrypt($login_ciphertext, 'aes-128-cbc', $encryption_key,0, $login_iv); + $login_otp = $login_row['login_otp_secret']; + $login_notes = $login_row['login_note']; + + echo "

$login_name has been shared with you

"; + if(!empty($item_note)){ + echo "

$item_note

"; + } + + echo "

Name: $login_name

"; + echo "

URL: $login_uri

"; + echo "

Username: $login_username

"; + echo "

Password: $login_password

"; + echo "

OTP: $login_otp

"; + echo "

Notes: $login_notes

"; + + +} + +echo "
"; + +include("guest_footer.php"); \ No newline at end of file diff --git a/post.php b/post.php index f007272a..614fd27b 100644 --- a/post.php +++ b/post.php @@ -1275,6 +1275,28 @@ if(isset($_GET['delete_client'])){ header("Location: " . $_SERVER["HTTP_REFERER"]); } +if(isset($_GET['share_generate_link'])){ + $client_id = intval($_GET['client_id']); + $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type']))); + $item_id = intval($_GET['id']); + $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note']))); + $item_view_limit = intval($_GET['views']); + $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires']))); + $item_key = keygen(); + + // Insert entry into DB + $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_note = '$item_note', item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'"); + $share_id = $mysqli->insert_id; + + // Return URL + $url = "$config_base_url/guest_view_item.php?id=$share_id&key=$item_key"; + echo json_encode($url); + + // Logging + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - Item ID: $item_id', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id"); + +} + if(isset($_POST['add_calendar'])){ $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); diff --git a/share_modal.php b/share_modal.php new file mode 100644 index 00000000..c3c419a7 --- /dev/null +++ b/share_modal.php @@ -0,0 +1,78 @@ + + \ No newline at end of file