Portal-related updates

- Bug fix contact password setting - Add invoice guest view link to invoices portal page - Billing contacts now have access to invoices on the portal - Technical contacts now have access to all tickets - General housekeeping/tidying
2023-02-04 15:28:39 +00:00 · 2023-02-04 15:28:39 +00:00 · 7f02464b92
parent 04070ff67a
commit 7f02464b92
15 changed files with 929 additions and 859 deletions
--- a/client_contact_add_modal.php
+++ b/client_contact_add_modal.php
@ -8,6 +8,12 @@
                </button>
            </div>
            <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
                <!-- Prevent undefined checkbox errors on submit -->
                <input type="hidden" name="primary_contact" value="0">
                <input type="hidden" name="contact_important" value="0">
                <input type="hidden" name="contact_billing" value="0">
                <input type="hidden" name="contact_technical" value="0">
                <!-- End prevent undefined errors -->
                <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
                <div class="modal-body bg-white">
--- a/client_contact_edit_modal.php
+++ b/client_contact_edit_modal.php
@ -8,6 +8,12 @@
                </button>
            </div>
            <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
                <!-- Prevent undefined checkbox errors on submit -->
                <input type="hidden" name="primary_contact" value="0">
                <input type="hidden" name="contact_important" value="0">
                <input type="hidden" name="contact_billing" value="0">
                <input type="hidden" name="contact_technical" value="0">
                <!-- End prevent undefined errors -->
                <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
                <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
                <input type="hidden" name="existing_file_name" value="<?php echo $contact_photo; ?>">
--- a/guest_header.php
+++ b/guest_header.php
@ -1,7 +1,7 @@
 <?php
-include("config.php");
+require_once("config.php");
-include("functions.php");
+require_once("functions.php");
 session_start();
@ -24,8 +24,6 @@ $user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_A
    <link rel="stylesheet" href="plugins/fontawesome-free/css/all.min.css">
    <!-- Theme style -->
    <link rel="stylesheet" href="dist/css/adminlte.min.css">
  <!-- Google Font: Source Sans Pro -->
  <!-- <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet"> -->
    <!-- Custom Style Sheet -->
    <link href="plugins/tempusdominus-bootstrap-4/css/tempusdominus-bootstrap-4.min.css" rel="stylesheet" type="text/css">
--- a/guest_view_invoice.php
+++ b/guest_view_invoice.php
@ -1,4 +1,6 @@
-<?php include("guest_header.php");
+<?php
 require_once("guest_header.php");
 if (isset($_GET['invoice_id'], $_GET['url_key'])) {
@ -71,6 +73,8 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
        $os = strip_tags(mysqli_real_escape_string($mysqli,getOS($session_user_agent)));
        $browser = strip_tags(mysqli_real_escape_string($mysqli,getWebBrowser($session_user_agent)));
        $invoice_tally_total = 0; // Default
        //Set Badge color based off of invoice status
        if ($invoice_status == "Sent") {
            $invoice_badge_color = "warning text-white";
@ -108,6 +112,7 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
        $balance = $invoice_amount - $amount_paid;
        //check to see if overdue
        $invoice_color = $invoice_badge_color; // Default
        if ($invoice_status !== "Paid" && $invoice_status !== "Draft" && $invoice_status !== "Cancelled") {
            $unixtime_invoice_due = strtotime($invoice_due) + 86400;
            if ($unixtime_invoice_due < time()) {
--- a/portal/check_login.php
+++ b/portal/check_login.php
@ -20,17 +20,28 @@ if (!$_SESSION['client_logged_in']) {
    die;
 }
-// SESSION FINGERPRINT
+// User IP & UA
 $session_ip = strip_tags(mysqli_real_escape_string($mysqli, getIP()));
 // Get user agent
 $session_user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
 // Get info from session
 $session_client_id = $_SESSION['client_id'];
 $session_contact_id = $_SESSION['contact_id'];
 $session_company_id = $_SESSION['company_id'];
 // Get company info from database
 $sql = mysqli_query($mysqli, "SELECT * FROM companies WHERE company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $session_company_name = $row['company_name'];
 $session_company_country = $row['company_country'];
 $session_company_locale = $row['company_locale'];
 $session_company_currency = $row['company_currency'];
 $currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY);
 // Get contact info
 $contact_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
 $contact = mysqli_fetch_array($contact_sql);
@ -41,6 +52,17 @@ $session_contact_title = strip_tags(mysqli_real_escape_string($mysqli, $contact[
 $session_contact_email = strip_tags(mysqli_real_escape_string($mysqli, $contact['contact_email']));
 $session_contact_photo = $contact['contact_photo'];
 $session_contact_is_technical_contact = false;
 $session_contact_is_billing_contact = false;
 if ($contact['contact_technical'] == 1) {
    $session_contact_is_technical_contact = true;
 }
 if ($contact['contact_billing'] == 1) {
    $session_contact_is_billing_contact = true;
 }
 // Get client info
 $client_sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$session_client_id'");
 $client = mysqli_fetch_array($client_sql);
--- a/portal/invoices.php
+++ b/portal/invoices.php
@ -4,21 +4,14 @@
 * Invoices for PTC
 */
 /*
 TODO:
    - Allow accounting contacts to see this page
    - Tidy styling and add currency codes
    - Add links to see the invoice in full (similar to invoice guest view)
 */
 require_once("inc_portal.php");
-if ($session_contact_id !== $session_client_primary_contact_id) {
+if ($session_contact_id !== $session_client_primary_contact_id && !$session_contact_is_billing_contact) {
    header("Location: portal_post.php?logout");
    exit();
 }
-$invoices_sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $session_client_id AND invoice_status = 'Paid' ORDER BY invoice_date DESC");
+$invoices_sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $session_client_id AND (invoice_status = 'Sent' OR invoice_status = 'Viewed' OR invoice_status = 'Paid') ORDER BY invoice_date DESC");
 ?>
    <div class="row">
@ -53,8 +46,10 @@ $invoices_sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_clie
                <tr>
                    <th>#</th>
                    <th>Scope</th>
                    <th>Date</th>
                    <th>Amount</th>
                    <th>Date</th>
                    <th>Due</th>
                    <th>Status</th>
                </tr>
                </thead>
                <tbody>
@ -65,15 +60,52 @@ $invoices_sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_clie
                    $invoice_prefix = htmlentities($row['invoice_prefix']);
                    $invoice_number = htmlentities($row['invoice_number']);
                    $invoice_scope = htmlentities($row['invoice_scope']);
                    $invoice_status = htmlentities($row['invoice_status']);
                    $invoice_date = $row['invoice_date'];
                    $invoice_due = $row['invoice_due'];
                    $invoice_amount = floatval($row['invoice_amount']);
                    $invoice_url_key = htmlentities($row['invoice_url_key']);
                    if (empty($invoice_scope)) {
                        $invoice_scope_display = "-";
                    } else {
                        $invoice_scope_display = $invoice_scope;
                    }
                    $now = time();
                    if (($invoice_status == "Sent" || $invoice_status == "Partial" || $invoice_status == "Viewed") && strtotime($invoice_due) + 86400 < $now ) {
                        $overdue_color = "text-danger font-weight-bold";
                    } else {
                        $overdue_color = "";
                    }
                    if ($invoice_status == "Sent") {
                        $invoice_badge_color = "warning text-white";
                    } elseif ($invoice_status == "Viewed") {
                        $invoice_badge_color = "info";
                    } elseif ($invoice_status == "Partial") {
                        $invoice_badge_color = "primary";
                    } elseif ($invoice_status == "Paid") {
                        $invoice_badge_color = "success";
                    } elseif ($invoice_status == "Cancelled") {
                        $invoice_badge_color = "danger";
                    } else{
                        $invoice_badge_color = "secondary";
                    }
                    ?>
                    <tr>
-                        <td><?php echo "$invoice_prefix$invoice_number"; ?></a></td>
+                        <td><a target="_blank" href="\\<?php echo $config_base_url ?>/guest_view_invoice.php?invoice_id=<?php echo "$invoice_id&url_key=$invoice_url_key"?>"> <?php echo "$invoice_prefix$invoice_number"; ?></a></td>
-                        <td><?php echo $invoice_scope; ?></td>
+                        <td><?php echo $invoice_scope_display; ?></td>
                        <td><?php echo numfmt_format_currency($currency_format, $invoice_amount, $session_company_currency); ?></td>
                        <td><?php echo $invoice_date; ?></td>
-                        <td><?php echo $invoice_amount; ?></td>
+                        <td class="<?php echo $overdue_color; ?>"><?php echo $invoice_due; ?></td>
                        <td>
                            <span class="p-2 badge badge-<?php echo $invoice_badge_color; ?>">
                                <?php echo $invoice_status; ?>
                            </span>
                        </td>
                    </tr>
                    <?php
                }
--- a/portal/portal_functions.php
+++ b/portal/portal_functions.php
@ -7,17 +7,17 @@
 /*
 * Verifies a contact has access to a particular ticket ID, and that the ticket is in the correct state (open/closed) to perform an action
 */
-function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state) {
+function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state)
 {
    // Access the global variables
-    global $mysqli, $session_contact_id, $session_client_primary_contact_id, $session_client_id;
+    global $mysqli, $session_contact_id, $session_client_primary_contact_id, $session_contact_is_technical_contact, $session_client_id;
    // Setup
    if ($expected_ticket_state == "Closed") {
        // Closed tickets
        $ticket_state_snippet = "ticket_status = 'Closed'";
-    }
+    } else {
    else {
        // Open (working/hold) tickets
        $ticket_state_snippet = "ticket_status != 'Closed'";
    }
@ -27,12 +27,12 @@ function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state)
    $row = mysqli_fetch_array($sql);
    $ticket_id = $row['ticket_id'];
-    if (intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id)) {
+    if (intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id || $session_contact_is_technical_contact)) {
-        // Client is ticket owner, or primary contact
+        // Client is ticket owner, primary contact, or a technical contact
-        return TRUE;
+        return true;
    }
-    // Client is NOT ticket owner or primary contact
+    // Client is NOT ticket owner or primary/tech contact
-    return FALSE;
+    return false;
 }
--- a/portal/portal_header.php
+++ b/portal/portal_header.php
@ -43,7 +43,7 @@
                    <li class="nav-item">
                        <a class="nav-link <?php if (basename($_SERVER['PHP_SELF']) == "tickets.php" || basename($_SERVER['PHP_SELF']) == "ticket_add.php" || basename($_SERVER['PHP_SELF']) == "ticket.php") {echo "active";} ?>" href="tickets.php">Tickets</a>
                    </li>
-                <?php if ($session_contact_id == $session_client_primary_contact_id) { ?>
+                <?php if ($session_contact_id == $session_client_primary_contact_id || $session_contact_is_billing_contact) { ?>
                    <li class="nav-item">
                        <a class="nav-link <?php if (basename($_SERVER['PHP_SELF']) == "invoices.php") {echo "active";} ?>" href="invoices.php">Invoices</a>
                    </li>
--- a/portal/profile.php
+++ b/portal/profile.php
@ -4,7 +4,7 @@
 * User profile
 */
-require('inc_portal.php');
+require_once('inc_portal.php');
 ?>
    <h2>Profile</h2>
@ -12,7 +12,12 @@ require('inc_portal.php');
    <p>Name: <?php echo $session_contact_name ?></p>
    <p>Email: <?php echo $session_contact_email ?></p>
    <p>Client: <?php echo $session_client_name ?></p>
    <br>
    <p>Client Primary Contact: <?php if ($session_client_primary_contact_id == $session_contact_id) {echo "Yes"; } else {echo "No";} ?></p>
    <p>Client Technical Contact: <?php if ($session_contact_is_technical_contact) {echo "Yes"; } else {echo "No";} ?></p>
    <p>Client Billing Contact: <?php if ($session_contact_is_billing_contact == $session_contact_id) {echo "Yes"; } else {echo "No";} ?></p>
    <p>Login via: <?php echo $_SESSION['login_method'] ?> </p>
@ -34,7 +39,6 @@ require('inc_portal.php');
            <button type="submit" name="edit_profile" class="btn btn-primary mt-3"><i class="fa fa-fw fa-check"></i> Save password</button>
        </form>
    </div>
 <?php endif ?>
 <?php
--- a/portal/ticket.php
+++ b/portal/ticket.php
@ -9,7 +9,7 @@ require_once("inc_portal.php");
 if (isset($_GET['id']) && intval($_GET['id'])) {
    $ticket_id = intval($_GET['id']);
-    if ($session_contact_id == $session_client_primary_contact_id) {
+    if ($session_contact_id == $session_client_primary_contact_id || $session_contact_is_technical_contact) {
        $ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'");
    } else {
        $ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'");
@ -44,12 +44,9 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
                <h4 class="mt-1">
                    Ticket <?php echo $ticket_prefix, $ticket_number ?>
                    <?php
-                    if ($ticket_status !== "Closed") {
+                    if ($ticket_status !== "Closed") { ?>
                    ?>
                        <a href="portal_post.php?close_ticket=<?php echo $ticket_id; ?>" class="btn btn-sm btn-outline-success float-right text-white"><i class="fas fa-fw fa-check text-success"></i> Close ticket</a>
-                    <?php
+                    <?php } ?>
                    }
                    ?>
                </h4>
            </div>
@ -61,7 +58,7 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
                    <br>
                    <strong>Priority:</strong> <?php echo $ticket_priority ?>
                </p>
-                <strong>Issue:</strong> <?php echo $ticket_details ?>
+                <?php echo $ticket_details ?>
            </div>
        </div>
--- a/portal/ticket_add.php
+++ b/portal/ticket_add.php
@ -4,7 +4,7 @@
 * New ticket form
 */
-require('inc_portal.php');
+require_once('inc_portal.php');
 ?>
    <ol class="breadcrumb d-print-none">
--- a/portal/ticket_view_all.php
+++ b/portal/ticket_view_all.php
@ -6,7 +6,7 @@
 require_once('inc_portal.php');
-if ($session_contact_id !== $session_client_primary_contact_id) {
+if ($session_contact_id !== $session_client_primary_contact_id && !$session_contact_is_technical_contact) {
    header("Location: portal_post.php?logout");
    exit();
 }
--- a/portal/tickets.php
+++ b/portal/tickets.php
@ -117,7 +117,7 @@ $total_tickets = $row['total_tickets'];
        <a href="?status=%" class="btn btn-secondary btn-block p-3 mb-3 text-left">All my tickets | <strong><?php echo $total_tickets ?></strong></a>
        <?php
-        if ($session_contact_id == $session_client_primary_contact_id) {
+        if ($session_contact_id == $session_client_primary_contact_id || $session_contact_is_technical_contact) {
        ?>
        <hr>
--- a/post.php
+++ b/post.php
@ -4604,7 +4604,7 @@ if(isset($_POST['edit_contact'])){
    // Set password
    if(!empty($_POST['contact_password'])){
      $password_hash = mysqli_real_escape_string($mysqli,password_hash($_POST['contact_password'], PASSWORD_DEFAULT));
-      mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_client_id = '$client_id'");
+      mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$contact_id' AND contact_client_id = '$client_id'");
    }
    // Send contact a welcome e-mail, if specified