Moved user items to user directory

This commit is contained in:
johnnyq
2025-07-28 17:57:06 -04:00
parent 0494bfc1cf
commit 95950700d8
407 changed files with 701 additions and 670 deletions


@@ -1,90 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for account(s) (accounting related)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$opening_balance = floatval($_POST['opening_balance']);
$currency_code = sanitizeInput($_POST['currency_code']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO accounts SET account_name = '$name', opening_balance = $opening_balance, account_currency_code = '$currency_code', account_notes = '$notes'");
// Logging
logAction("Account", "Create", "$session_name created account $name");
$_SESSION['alert_message'] = "Account <strong>$name</strong> created ";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
$account_id = intval($_POST['account_id']);
$name = sanitizeInput($_POST['name']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_notes = '$notes' WHERE account_id = $account_id");
// Logging
logAction("Account", "Edit", "$session_name edited account $name");
$_SESSION['alert_message'] = "Account <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_account'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_GET['csrf_token']);
$account_id = intval($_GET['archive_account']);
// Get Account Name for logging
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
$row = mysqli_fetch_array($sql);
$account_name = sanitizeInput($row['account_name']);
mysqli_query($mysqli,"UPDATE accounts SET account_archived_at = NOW() WHERE account_id = $account_id");
// Logging
logAction("Account", "Archive", "$session_name archived account $account_name");
$_SESSION['alert_message'] = "Account <strong>$account_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
// Not used anywhere?
if (isset($_GET['delete_account'])) {
enforceUserPermission('module_financial', 3);
$account_id = intval($_GET['delete_account']);
// Get Account Name for logging
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
$row = mysqli_fetch_array($sql);
$account_name = sanitizeInput($row['account_name']);
mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id");
//Logging
logAction("Account", "Delete", "$session_name deleted account $account_name");
$_SESSION['alert_message'] = "Account <strong>$account_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,17 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$primary_interface = sanitizeInput($_POST['primary_interface']) ?? 0;
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$mac = sanitizeInput($_POST['mac']);
$ip = sanitizeInput($_POST['ip']);
if ($_POST['dhcp'] == 1){
$ip = 'DHCP';
}
$nat_ip = sanitizeInput($_POST['nat_ip']);
$ipv6 = sanitizeInput($_POST['ipv6']);
$network = intval($_POST['network']);
$notes = sanitizeInput($_POST['notes']);
$connected_to = intval($_POST['connected_to']);


@@ -1,47 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$make = sanitizeInput($_POST['make']);
$model = sanitizeInput($_POST['model']);
$serial = sanitizeInput($_POST['serial']);
$os = sanitizeInput($_POST['os']);
$ip = sanitizeInput($_POST['ip']);
$dhcp = intval($_POST['dhcp'] ?? 0);
if ($dhcp == 1) {
$ip = 'DHCP';
}
$ipv6 = sanitizeInput($_POST['ipv6']);
$nat_ip = sanitizeInput($_POST['nat_ip']);
$mac = sanitizeInput($_POST['mac']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$status = sanitizeInput($_POST['status']);
$location = intval($_POST['location'] ?? 0);
$physical_location = sanitizeInput($_POST['physical_location']);
$vendor = intval($_POST['vendor'] ?? 0);
$contact = intval($_POST['contact'] ?? 0);
$network = intval($_POST['network'] ?? 0);
$purchase_reference = sanitizeInput($_POST['purchase_reference']);
$purchase_date = sanitizeInput($_POST['purchase_date']);
if (empty($purchase_date)) {
$purchase_date = "NULL";
} else {
$purchase_date = "'" . $purchase_date . "'";
}
$warranty_expire = sanitizeInput($_POST['warranty_expire']);
if (empty($warranty_expire)) {
$warranty_expire = "NULL";
} else {
$warranty_expire = "'" . $warranty_expire . "'";
}
$install_date = sanitizeInput($_POST['install_date']);
if (empty($install_date)) {
$install_date = "NULL";
} else {
$install_date = "'" . $install_date . "'";
}
$notes = sanitizeInput($_POST['notes']);
$client_id = intval($_POST['client_id']);


@@ -1,65 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for budget
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['save_budget'])) {
enforceUserPermission('module_financial', 2);
validateCSRFToken($_POST['csrf_token']);
$budgets = $_POST['budget'];
$year = intval($_POST['year']);
foreach ($budgets as $category_id => $months) {
foreach ($months as $month => $amount) {
$amount = (int)$amount;
// Check if budget exists
$query = "SELECT * FROM budget WHERE budget_category_id = $category_id AND budget_month = $month AND budget_year = $year";
$result = mysqli_query($mysqli, $query);
if (mysqli_num_rows($result) > 0) {
// Update existing budget
$query = "UPDATE budget SET budget_amount = $amount WHERE budget_category_id = $category_id AND budget_month = $month AND budget_year = $year";
} else {
// Insert new budget
$query = "INSERT INTO budget SET budget_category_id = $category_id, budget_month = $month, budget_year = $year, budget_amount = $amount";
}
mysqli_query($mysqli, $query);
}
}
// Logging
logAction("Budget", "Edit", "$session_name edited the budget for $year");
$_SESSION['alert_message'] = "Budget Updated for $year";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
if (isset($_POST['delete_budget'])) {
enforceUserPermission('module_financial', 3);
validateCSRFToken($_POST['csrf_token']);
$year = intval($_POST['year']);
mysqli_query($mysqli,"DELETE FROM budget WHERE budget_year = $year");
// Logging
logAction("Budget", "Delete", "$session_name deleted the budget for $year");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Budget deleted for $year";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,24 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for categories ('category')
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_category'])) {
require_once 'post/user/category_model.php';
mysqli_query($mysqli,"INSERT INTO categories SET category_name = '$name', category_type = '$type', category_color = '$color'");
$category_id = mysqli_insert_id($mysqli);
// Logging
logAction("Category", "Create", "$session_name created category $type $name", 0, $category_id);
$_SESSION['alert_message'] = "Category $type <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,6 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']);
$color = sanitizeInput($_POST['color']);


@@ -1,268 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client SSL certificates
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_certificate'])) {
enforceUserPermission('module_support', 2);
require_once 'post/user/certificate_model.php';
// Parse public key data for a manually provided public key
if (!empty($public_key) && (empty($expire) && empty($issued_by))) {
// Parse the public certificate key. If successful, set attributes from the certificate
$public_key_obj = openssl_x509_parse($_POST['public_key']);
if ($public_key_obj) {
$expire = date('Y-m-d', $public_key_obj['validTo_time_t']);
$issued_by = sanitizeInput($public_key_obj['issuer']['O']);
}
}
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
mysqli_query($mysqli,"INSERT INTO certificates SET certificate_name = '$name', certificate_description = '$description', certificate_domain = '$domain', certificate_issued_by = '$issued_by', certificate_expire = $expire, certificate_public_key = '$public_key', certificate_notes = '$notes', certificate_domain_id = $domain_id, certificate_client_id = $client_id");
$certificate_id = mysqli_insert_id($mysqli);
// Logging
logAction("Certificate", "Create", "$session_name created certificate $name", $client_id, $certificate_id);
$_SESSION['alert_message'] = "Certificate <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_certificate'])) {
enforceUserPermission('module_support', 2);
require_once 'post/user/certificate_model.php';
$certificate_id = intval($_POST['certificate_id']);
// Parse public key data for a manually provided public key
if (!empty($public_key) && (empty($expire) && empty($issued_by))) {
// Parse the public certificate key. If successful, set attributes from the certificate
$public_key_obj = openssl_x509_parse($_POST['public_key']);
if ($public_key_obj) {
$expire = date('Y-m-d', $public_key_obj['validTo_time_t']);
$issued_by = sanitizeInput($public_key_obj['issuer']['O']);
}
}
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
// Get current certificate info
$original_certificate_info = mysqli_fetch_assoc(mysqli_query($mysqli,"
SELECT
certificates.*,
domains.domain_name
FROM certificates
LEFT JOIN domains ON certificate_domain_id = domain_id
WHERE certificate_id = $certificate_id
"));
// Update certificate
mysqli_query($mysqli,"UPDATE certificates SET certificate_name = '$name', certificate_description = '$description', certificate_domain = '$domain', certificate_issued_by = '$issued_by', certificate_expire = $expire, certificate_public_key = '$public_key', certificate_notes = '$notes', certificate_domain_id = '$domain_id' WHERE certificate_id = $certificate_id");
// Fetch the updated info
$new_certificate_info = mysqli_fetch_assoc(mysqli_query($mysqli,"
SELECT
certificates.*,
domains.domain_name
FROM certificates
LEFT JOIN domains ON certificate_domain_id = domain_id
WHERE certificate_id = $certificate_id
"));
// Compare/log changes between old/new info
$ignored_columns = ["certificate_public_key", "certificate_updated_at", "certificate_accessed_at", "certificate_domain_id"];
foreach ($original_certificate_info as $column => $old_value) {
$new_value = $new_certificate_info[$column];
if ($old_value != $new_value && !in_array($column, $ignored_columns)) {
$column = sanitizeInput($column);
$old_value = sanitizeInput($old_value);
$new_value = sanitizeInput($new_value);
mysqli_query($mysqli,"INSERT INTO certificate_history SET certificate_history_column = '$column', certificate_history_old_value = '$old_value', certificate_history_new_value = '$new_value', certificate_history_certificate_id = $certificate_id");
}
}
// Logging
logAction("Certificate", "Edit", "$session_name edited certificate $name", $client_id, $certificate_id);
$_SESSION['alert_message'] = "Certificate <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_certificate'])) {
enforceUserPermission('module_support', 2);
$certificate_id = intval($_GET['archive_certificate']);
// Get Certificate Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT certificate_name, certificate_client_id FROM certificates WHERE certificate_id = $certificate_id");
$row = mysqli_fetch_array($sql);
$certificate_name = sanitizeInput($row['certificate_name']);
$client_id = intval($row['certificate_client_id']);
mysqli_query($mysqli,"UPDATE certificates SET certificate_archived_at = NOW() WHERE certificate_id = $certificate_id");
// logging
logAction("Certificate", "Archive", "$session_name arhvived certificate $certificate_name", $client_id, $certificate_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Certificate <strong>$certificate_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_certificate'])) {
enforceUserPermission('module_support', 2);
$certificate_id = intval($_GET['unarchive_certificate']);
// Get Certificate Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT certificate_name, certificate_client_id FROM certificates WHERE certificate_id = $certificate_id");
$row = mysqli_fetch_array($sql);
$certificate_name = sanitizeInput($row['certificate_name']);
$client_id = intval($row['certificate_client_id']);
mysqli_query($mysqli,"UPDATE certificates SET certificate_archived_at = NULL WHERE certificate_id = $certificate_id");
// logging
logAction("Certificate", "Unarchive", "$session_name restored certificate $certificate_name", $client_id, $certificate_id);
$_SESSION['alert_message'] = "Certificate <strong>$certificate_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_certificate'])) {
enforceUserPermission('module_support', 3);
$certificate_id = intval($_GET['delete_certificate']);
// Get Certificate Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT certificate_name, certificate_client_id FROM certificates WHERE certificate_id = $certificate_id");
$row = mysqli_fetch_array($sql);
$certificate_name = sanitizeInput($row['certificate_name']);
$client_id = intval($row['certificate_client_id']);
mysqli_query($mysqli,"DELETE FROM certificates WHERE certificate_id = $certificate_id");
// Logging
logAction("Certificate", "Delete", "$session_name deleted certificate $name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Certificate <strong>$certificate_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_certificates'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['certificate_ids'])) {
// Get selected count
$count = count($_POST['certificate_ids']);
// Cycle through array and delete each certificate
foreach ($_POST['certificate_ids'] as $certificate_id) {
$certificate_id = intval($certificate_id);
// Get Certificate Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT certificate_name, certificate_client_id FROM certificates WHERE certificate_id = $certificate_id");
$row = mysqli_fetch_array($sql);
$certificate_name = sanitizeInput($row['certificate_name']);
$client_id = intval($row['certificate_client_id']);
mysqli_query($mysqli, "DELETE FROM certificates WHERE certificate_id = $certificate_id AND certificate_client_id = $client_id");
// Logging
logAction("Certificate", "Delete", "$session_name deleted certificate $certificate_name", $client_id);
}
// Logging
logAction("Certificate", "Bulk Delete", "$session_name deleted $count certificates", $client_id);
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> certificate(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_certificates_csv'])) {
enforceUserPermission('module_support');
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "AND certificate_client_id = $client_id";
} else {
$client_query = '';
$client_id = 0;
}
$sql = mysqli_query($mysqli,"SELECT * FROM certificates WHERE certificate_archived_at IS NULL $client_query ORDER BY certificate_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = "Certificates-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Domain', 'Issuer', 'Expiration Date');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['certificate_name'], $row['certificate_description'], $row['certificate_domain'], $row['certificate_issued_by'], $row['certificate_expire']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Certificate", "Export", "$session_name exported $num_rows certificate(s) to a CSV file", $client_id);
exit;
}


@@ -1,12 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$domain = sanitizeInput($_POST['domain']);
$issued_by = sanitizeInput($_POST['issued_by']);
$expire = sanitizeInput($_POST['expire']);
$public_key = sanitizeInput($_POST['public_key']);
$notes = sanitizeInput($_POST['notes']);
$domain_id = intval($_POST['domain_id'] ?? 0);
$client_id = intval($_POST['client_id']);


@@ -1,17 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
$referral = sanitizeInput($_POST['referral']);
$rate = floatval($_POST['rate'] ?? 0);
$currency_code = sanitizeInput($_POST['currency_code'] ?? $session_company_currency); // So we dont have to to have a hidden form input if module sales is disabled
$net_terms = intval($_POST['net_terms'] ?? $config_default_net_terms);
$tax_id_number = sanitizeInput($_POST['tax_id_number'] ?? '');
$abbreviation = sanitizeInput($_POST['abbreviation']);
if (empty($abbreviation)) {
$abbreviation = shortenClient($name);
}
$notes = sanitizeInput($_POST['notes']);
$lead = intval($_POST['lead'] ?? 0);


@@ -1,22 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$title = sanitizeInput($_POST['title']);
$department = sanitizeInput($_POST['department']);
$phone_country_code = preg_replace("/[^0-9]/", '', $_POST['phone_country_code']);
$phone = preg_replace("/[^0-9]/", '', $_POST['phone']);
$extension = preg_replace("/[^0-9]/", '', $_POST['extension']);
$mobile_country_code = preg_replace("/[^0-9]/", '', $_POST['mobile_country_code']);
$mobile = preg_replace("/[^0-9]/", '', $_POST['mobile']);
$email = sanitizeInput($_POST['email']);
$notes = sanitizeInput($_POST['notes']);
$contact_primary = intval($_POST['contact_primary'] ?? 0);
$contact_important = intval($_POST['contact_important'] ?? 0);
$contact_billing = intval($_POST['contact_billing'] ?? 0);
$contact_technical = intval($_POST['contact_technical'] ?? 0);
$location_id = intval($_POST['location'] ?? 0);
$pin = sanitizeInput($_POST['pin']);
$auth_method = sanitizeInput($_POST['auth_method']);


@@ -1,482 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client credentials
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_credential'])) {
enforceUserPermission('module_credential', 2);
require_once 'post/user/credential_model.php';
mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_uri_2 = '$uri_2', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$otp_secret', credential_note = '$note', credential_important = $important, credential_contact_id = $contact_id, credential_asset_id = $asset_id, credential_client_id = $client_id");
$credential_id = mysqli_insert_id($mysqli);
// Add Tags
if (isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag");
}
}
// Logging
logAction("Credential", "Create", "$session_name created credential $name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Credential <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_credential'])) {
enforceUserPermission('module_credential', 2);
require_once 'post/user/credential_model.php';
$credential_id = intval($_POST['credential_id']);
// Determine if the password has actually changed (salt is rotated on all updates, so have to dencrypt both and compare)
$current_password = decryptCredentialEntry(mysqli_fetch_row(mysqli_query($mysqli, "SELECT credential_password FROM credentials WHERE credential_id = $credential_id"))[0]); // Get current credential password
$new_password = decryptCredentialEntry($password); // Get the new password being set (already encrypted by the credential model)
if ($current_password !== $new_password) {
// The password has been changed - update the DB to track
mysqli_query($mysqli, "UPDATE credentials SET credential_password_changed_at = NOW() WHERE credential_id = $credential_id");
}
// Update the credential entry with the new details
mysqli_query($mysqli,"UPDATE credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_uri_2 = '$uri_2', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$otp_secret', credential_note = '$note', credential_important = $important, credential_contact_id = $contact_id, credential_asset_id = $asset_id WHERE credential_id = $credential_id");
// Tags
// Delete existing tags
mysqli_query($mysqli, "DELETE FROM credential_tags WHERE credential_id = $credential_id");
// Add new tags
if(isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag");
}
}
// Logging
logAction("Credential", "Edit", "$session_name edited credential $name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Credential <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['archive_credential'])){
enforceUserPermission('module_credential', 2);
$credential_id = intval($_GET['archive_credential']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id");
//logging
logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Credential <strong>$credential_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_credential'])){
enforceUserPermission('module_credential', 2);
$credential_id = intval($_GET['unarchive_credential']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");
//Logging
logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Credential <strong>$credential_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_credential'])) {
enforceUserPermission('module_credential', 3);
$credential_id = intval($_GET['delete_credential']);
// Get Credential Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"DELETE FROM credentials WHERE credential_id = $credential_id");
// Logging
logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Credential <strong>$credential_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_credential_tags'])) {
enforceUserPermission('module_credential', 2);
// Assign tags to Selected Credentials
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['credential_ids']);
foreach($_POST['credential_ids'] as $credential_id) {
$credential_id = intval($credential_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM credential_tags WHERE credential_id = $credential_id");
}
// Add new tags
if (isset($_POST['bulk_tags'])) {
foreach($_POST['bulk_tags'] as $tag) {
$tag = intval($tag);
$sql = mysqli_query($mysqli,"SELECT * FROM credential_tags WHERE credential_id = $credential_id AND tag_id = $tag");
if (mysqli_num_rows($sql) == 0) {
mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag");
}
}
}
// Logging
logAction("Credential", "Edit", "$session_name added tags to $credential_name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Assigned tags for <strong>$count</strong> credentials";
} // End Assign Loop
// Logging
logAction("Credential", "Bulk Edit", "$session_name added tags to $count credentials", $client_id);
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_credentials'])) {
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['credential_ids']);
// Cycle through array and archive each record
foreach ($_POST['credential_ids'] as $credential_id) {
$credential_id = intval($credential_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id");
// Individual Contact logging
logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id);
}
// Bulk Logging
logAction("Credential", "Bulk Archive", "$session_name archived $count credentials", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived <strong>$count</strong> credential(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_credentials'])) {
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['credential_ids']);
// Cycle through array and unarchive
foreach ($_POST['credential_ids'] as $credential_id) {
$credential_id = intval($credential_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");
// Individual logging
logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id);
}
// Bulk Logging
logAction("Credential", "Bulk Unarchive", "$session_name unarchived $count credential(s)", $client_id);
$_SESSION['alert_message'] = "Unarchived <strong>$count</strong> credential(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_credentials'])) {
enforceUserPermission('module_credential', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['credential_ids']);
// Cycle through array and delete each record
foreach ($_POST['credential_ids'] as $credential_id) {
$credential_id = intval($credential_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli, "DELETE FROM credentials WHERE credential_id = $credential_id AND credential_client_id = $client_id");
// Logging
logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id);
}
// Bulk Logging
logAction("Credential", "Bulk Delete", "$session_name deleted $count credential(s)", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> credential(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_credentials_csv'])) {
enforceUserPermission('module_credential');
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "AND credential_client_id = $client_id";
} else {
$client_query = '';
$client_id = 0;
}
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM credentials LEFT JOIN clients ON client_id = credential_client_id WHERE credential_archived_at IS NULL $client_query ORDER BY credential_name ASC");
$row = mysqli_fetch_array($sql);
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = "Credentials-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Username', 'Password', 'URI');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)){
$credential_username = decryptCredentialEntry($row['credential_username']);
$credential_password = decryptCredentialEntry($row['credential_password']);
$lineData = array($row['credential_name'], $row['credential_description'], $credential_username, $credential_password, $row['credential_uri']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Credential", "Export", "$session_name exported $num_rows credential(s) to a CSV file", $client_id);
exit;
}
if (isset($_POST["import_credentials_csv"])) {
enforceUserPermission('module_credential', 2);
$client_id = intval($_POST['client_id']);
$error = false;
if (!empty($_FILES["file"]["tmp_name"])) {
$file_name = $_FILES["file"]["tmp_name"];
} else {
$_SESSION['alert_message'] = "Please select a file to upload.";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
//Check file is CSV
$file_extension = strtolower(end(explode('.',$_FILES['file']['name'])));
$allowed_file_extensions = array('csv');
if (in_array($file_extension,$allowed_file_extensions) === false){
$error = true;
$_SESSION['alert_message'] = "Bad file extension";
}
//Check file isn't empty
elseif ($_FILES["file"]["size"] < 1){
$error = true;
$_SESSION['alert_message'] = "Bad file size (empty?)";
}
//(Else)Check column count
$f = fopen($file_name, "r");
$f_columns = fgetcsv($f, 1000, ",");
if (!$error & count($f_columns) != 5) {
$error = true;
$_SESSION['alert_message'] = "Bad column count.";
}
//Else, parse the file
if (!$error){
$file = fopen($file_name, "r");
fgetcsv($file, 1000, ","); // Skip first line
$row_count = 0;
$duplicate_count = 0;
while(($column = fgetcsv($file, 1000, ",")) !== false){
$duplicate_detect = 0;
if (isset($column[0])) {
$name = sanitizeInput($column[0]);
if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM credentials WHERE credential_name = '$name' AND credential_client_id = $client_id")) > 0){
$duplicate_detect = 1;
}
}
if (isset($column[1])) {
$description = sanitizeInput($column[1]);
}
if (isset($column[2])) {
$username = sanitizeInput(encryptCredentialEntry($column[2]));
}
if (isset($column[3])) {
$password = sanitizeInput(encryptCredentialEntry($column[3]));
}
if (isset($column[4])) {
$uri = sanitizeInput($column[4]);
}
// Check if duplicate was detected
if ($duplicate_detect == 0){
//Add
mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_username = '$username', credential_password = '$password', credential_client_id = $client_id");
$row_count = $row_count + 1;
}else{
$duplicate_count = $duplicate_count + 1;
}
}
fclose($file);
// Logging
logAction("Credential", "Import", "$session_name imported $row_count credential(s) via CSV file. $duplicate_count duplicate(s) found and not imported", $client_id);
$_SESSION['alert_message'] = "$row_count credential(s) imported, $duplicate_count duplicate(s) detected and not imported";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//Check for any errors, if there are notify user and redirect
if ($error) {
$_SESSION['alert_type'] = "warning";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_GET['download_credentials_csv_template'])) {
$delimiter = ",";
$filename = "Credentials-Template.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Username', 'Password', 'URI');
fputcsv($f, $fields, $delimiter);
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
exit;
}


@@ -1,16 +0,0 @@
<?php
// Model of reusable variables for client credentials - not to be confused with the ITFLow login process
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$username = encryptCredentialEntry(trim($_POST['username']));
$password = encryptCredentialEntry(trim($_POST['password']));
$otp_secret = sanitizeInput($_POST['otp_secret']);
$note = sanitizeInput($_POST['note']);
$important = intval($_POST['important'] ?? 0);
$contact_id = intval($_POST['contact'] ?? 0);
$asset_id = intval($_POST['asset'] ?? 0);


@@ -1,29 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for credits
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_credit'])) {
validateCSRFToken($_POST['csrf_token']);
enforceUserPermission('module_sales', 2);
$client_id = intval($_POST['client']);
$amount = floatval($_POST['amount']);
$expire = sanitizeInput($_POST['expire']);
$reference = sanitizeInput($_POST['reference']);
mysqli_query($mysqli,"INSERT INTO credits SET credit_amount = $amount, credit_reference = '$reference', credit_created_by = $session_user_id, credit_client_id = $client_id");
$credit_id = mysqli_insert_id($mysqli);
// Logging
logAction("Credit", "Create", "$session_name added " . numfmt_format_currency($currency_format, $amount, $session_company_currency) . "", $client_id, $credit_id);
$_SESSION['alert_message'] = "" . numfmt_format_currency($currency_format, $amount, $session_company_currency) . " Credit Added ";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,730 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client documents
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_document'])) {
enforceUserPermission('module_support', 2);
require_once 'document_model.php';
$contact_id = intval($_POST['contact'] ?? 0);
$asset_id = intval($_POST['asset'] ?? 0);
// Document add query
mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_folder_id = $folder, document_created_by = $session_user_id, document_client_id = $client_id");
$document_id = mysqli_insert_id($mysqli);
if ($contact_id) {
mysqli_query($mysqli,"INSERT INTO contact_documents SET contact_id = $contact_id, document_id = $document_id");
}
if ($asset_id) {
mysqli_query($mysqli,"INSERT INTO asset_documents SET asset_id = $asset_id, document_id = $document_id");
}
// Logging
logAction("Document", "Create", "$session_name created document $name", $client_id, $document_id);
$_SESSION['alert_message'] = "Document <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_document_from_template'])) {
// ROLE Check
enforceUserPermission('module_support', 2);
// GET POST Data
$client_id = intval($_POST['client_id']);
$document_name = sanitizeInput($_POST['name']);
$document_description = sanitizeInput($_POST['description']);
$document_template_id = intval($_POST['document_template_id']);
$folder = intval($_POST['folder']);
// GET Document Template Info
$sql_document = mysqli_query($mysqli,"SELECT * FROM document_templates WHERE document_template_id = $document_template_id");
$row = mysqli_fetch_array($sql_document);
$document_template_name = sanitizeInput($row['document_template_name']);
$content = mysqli_real_escape_string($mysqli,$row['document_template_content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $row['document_content']));
// Document add query
mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$document_name', document_description = '$document_description', document_content = '$content', document_content_raw = '$content_raw', document_folder_id = $folder, document_created_by = $session_user_id, document_client_id = $client_id");
$document_id = mysqli_insert_id($mysqli);
// Logging
logAction("Document", "Create", "$session_name created document $name from template $document_template_name", $client_id, $document_id);
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> created from template";
header("Location: client_document_details.php?client_id=$client_id&document_id=$document_id");
}
if (isset($_POST['edit_document'])) {
enforceUserPermission('module_support', 2);
require_once 'document_model.php';
$document_id = intval($_POST['document_id']);
// Save Original Document as a Version
$sql_original_document = mysqli_query($mysqli, "SELECT * FROM documents
WHERE document_client_id = $client_id AND document_id = $document_id"
);
$row = mysqli_fetch_array($sql_original_document);
$original_document_name = sanitizeInput($row['document_name']);
$original_document_description = sanitizeInput($row['document_description']);
$original_document_content = mysqli_escape_string($mysqli, $row['document_content']);
$original_document_created_by = intval($row['document_created_by']);
$original_document_updated_by = intval($row['document_updated_by']);
$original_document_created_at = sanitizeInput($row['document_created_at']);
$original_document_updated_at = sanitizeInput($row['document_updated_at']);
if ($original_document_updated_at) {
$document_version_created_at = $original_document_updated_at;
} else {
$document_version_created_at = $original_document_created_at;
}
if ($original_document_updated_by) {
$document_version_created_by = $original_document_updated_by;
} else {
$document_version_created_by = $original_document_created_by;
}
// Document add query
mysqli_query($mysqli,"INSERT INTO document_versions SET document_version_name = '$original_document_name', document_version_description = '$original_document_description', document_version_content = '$original_document_content', document_version_created_by = $document_version_created_by, document_version_created_at = '$document_version_created_at', document_version_document_id = $document_id");
$document_version_id = mysqli_insert_id($mysqli);
// Update Document
mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_description = '$description', document_content = '$content', document_content_raw = '$content_raw', document_folder_id = $folder, document_updated_by = $session_user_id WHERE document_id = $document_id");
//Logging
logAction("Document", "Edit", "$session_name edited document $name, previous version kept", $client_id, $document_version_id);
$_SESSION['alert_message'] = "Document <strong>$name</strong> edited, previous version kept";
header("Location: client_document_details.php?client_id=$client_id&document_id=$document_id");
}
if (isset($_POST['move_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$folder_id = intval($_POST['folder']);
// Get Document Name Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Folder Name for logging
$sql_folder = mysqli_query($mysqli,"SELECT folder_name FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql_folder);
$folder_name = sanitizeInput($row['folder_name']);
// Document edit query
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = $folder_id WHERE document_id = $document_id");
//Logging
logAction("Document", "Move", "$session_name moved document $document_name to folder $folder_name", $client_id, $document_id);
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> moved to folder <strong>$folder_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['rename_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
// Get Document Name before renaming for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$old_document_name = sanitizeInput($row['document_name']);
// Document edit query
mysqli_query($mysqli,"UPDATE documents SET document_name = '$name' WHERE document_id = $document_id");
//Logging
logAction("Document", "Edit", "$session_name renamed document $old_document_name to $name", $client_id, $document_id);
$_SESSION['alert_message'] = "You renamed Document from <strong>$old_document_name</strong> to <strong>$name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_move_document'])) {
enforceUserPermission('module_support', 2);
$folder_id = intval($_POST['bulk_folder_id']);
// Get folder name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT folder_name, folder_client_id FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql);
$folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
// Move Documents to Folder Loop
if (isset($_POST['document_ids'])) {
// Get Selected Count
$count = count($_POST['document_ids']);
foreach($_POST['document_ids'] as $document_id) {
$document_id = intval($document_id);
// Get document name for logging
$sql = mysqli_query($mysqli,"SELECT document_name FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$document_name = sanitizeInput($row['document_name']);
// Document move query
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = $folder_id WHERE document_id = $document_id");
//Logging
logAction("Document", "Move", "$session_name moved document $document_name to folder $folder_name", $client_id, $document_id);
}
logAction("Document", "Bulk Move", "$session_name moved $count document(s) to folder $folder_name", $client_id);
}
$_SESSION['alert_message'] = "You moved <strong>$count</strong> document(s) to the folder <strong>$folder_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_file_to_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$file_id = intval($_POST['file_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get File Name for logging
$sql_file = mysqli_query($mysqli,"SELECT file_name FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql_file);
$file_name = sanitizeInput($row['file_name']);
// Document add query
mysqli_query($mysqli,"INSERT INTO document_files SET file_id = $file_id, document_id = $document_id");
// Logging
logAction("Document", "Link", "$session_name linked file $file_name to document $document_name", $client_id, $document_id);
$_SESSION['alert_message'] = "File <strong>$file_name</strong> linked with Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_file_from_document'])) {
enforceUserPermission('module_support', 2);
$file_id = intval($_GET['file_id']);
$document_id = intval($_GET['document_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get File Name for logging
$sql_file = mysqli_query($mysqli,"SELECT file_name FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql_file);
$file_name = sanitizeInput($row['file_name']);
mysqli_query($mysqli,"DELETE FROM document_files WHERE file_id = $file_id AND document_id = $document_id");
//Logging
logAction("Document", "Unlink", "$session_name unlinked file $file_name from document $document_name", $client_id, $document_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "File <strong>$file_name</strong> unlinked from Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_vendor_to_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$vendor_id = intval($_POST['vendor_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Vendor Name for logging
$sql_vendor = mysqli_query($mysqli,"SELECT vendor_name FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql_vendor);
$vendor_name = sanitizeInput($row['vendor_name']);
// Document add query
mysqli_query($mysqli,"INSERT INTO vendor_documents SET vendor_id = $vendor_id, document_id = $document_id");
// Logging
logAction("Document", "Link", "$session_name linked vendor $vendor_name to document $document_name", $client_id, $document_id);
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name</strong> linked with Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_vendor_from_document'])) {
enforceUserPermission('module_support', 2);
$vendor_id = intval($_GET['vendor_id']);
$document_id = intval($_GET['document_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Vendor Name for logging
$sql_vendor = mysqli_query($mysqli,"SELECT vendor_name FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql_vendor);
$vendor_name = sanitizeInput($row['vendor_name']);
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE vendor_id = $vendor_id AND document_id = $document_id");
//Logging
logAction("Document", "Unlink", "$session_name unlinked vendor $vendor_name from document $document_name", $client_id, $document_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name</strong> unlinked from Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_contact_to_document'])) {
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$document_id = intval($_POST['document_id']);
$contact_id = intval($_POST['contact_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Contact Name for logging
$sql_contact = mysqli_query($mysqli,"SELECT contact_name FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql_contact);
$contact_name = sanitizeInput($row['contact_name']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO contact_documents SET contact_id = $contact_id, document_id = $document_id");
// Logging
logAction("Document", "Link", "$session_name linked contact $contact_name to document $document_name", $client_id, $document_id);
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> linked with Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_contact_from_document'])) {
enforceUserPermission('module_support', 2);
$contact_id = intval($_GET['contact_id']);
$document_id = intval($_GET['document_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Contact Name for logging
$sql_contact = mysqli_query($mysqli,"SELECT contact_name FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql_contact);
$contact_name = sanitizeInput($row['contact_name']);
mysqli_query($mysqli,"DELETE FROM contact_documents WHERE contact_id = $contact_id AND document_id = $document_id");
//Logging
logAction("Document", "Unlink", "$session_name unlinked contact $contact_name from document $document_name", $client_id, $document_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> unlinked from Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_asset_to_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$asset_id = intval($_POST['asset_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Asset Name for logging
$sql_asset = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql_asset);
$asset_name = sanitizeInput($row['asset_name']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO asset_documents SET asset_id = $asset_id, document_id = $document_id");
// Logging
logAction("Document", "Link", "$session_name linked asset $asset_name to document $document_name", $client_id, $document_id);
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> linked with Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_asset_from_document'])) {
enforceUserPermission('module_support', 2);
$asset_id = intval($_GET['asset_id']);
$document_id = intval($_GET['document_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Asset Name for logging
$sql_asset = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql_asset);
$asset_name = sanitizeInput($row['asset_name']);
mysqli_query($mysqli,"DELETE FROM asset_documents WHERE asset_id = $asset_id AND document_id = $document_id");
// Logging
logAction("Document", "Unlink", "$session_name unlinked asset $asset_name from document $document_name", $client_id, $document_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> unlinked from Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_software_to_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$software_id = intval($_POST['software_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Software Name for logging
$sql_software = mysqli_query($mysqli,"SELECT software_name FROM software WHERE software_id = $software_id");
$row = mysqli_fetch_array($sql_software);
$software_name = sanitizeInput($row['software_name']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO software_documents SET software_id = $software_id, document_id = $document_id");
// Logging
logAction("Document", "Link", "$session_name linked software $software_name to document $document_name", $client_id, $document_id);
$_SESSION['alert_message'] = "Software <strong>$software_name</strong> linked with Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_software_from_document'])) {
enforceUserPermission('module_support', 2);
$software_id = intval($_GET['software_id']);
$document_id = intval($_GET['document_id']);
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
// Get Software Name for logging
$sql_software = mysqli_query($mysqli,"SELECT software_name FROM software WHERE software_id = $software_id");
$row = mysqli_fetch_array($sql_software);
$software_name = sanitizeInput($row['software_name']);
mysqli_query($mysqli,"DELETE FROM software_documents WHERE software_id = $software_id AND document_id = $document_id");
// Logging
logAction("Document", "Unlink", "$session_name unlinked software $software_name from document $document_name", $client_id, $document_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Software <strong>$software_name</strong> unlinked from Document <strong>$document_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['toggle_document_visibility'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_POST['document_id']);
$document_visible = intval($_POST['document_visible']);
if ($document_visible == 0) {
$visable_wording = "Invisable";
} else {
$visable_wording = "Visable";
}
// Get Document Name and Client ID for logging
$sql_document = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql_document);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
mysqli_query($mysqli,"UPDATE documents SET document_client_visible = $document_visible WHERE document_id = $document_id");
//Logging
logAction("Document", "Edit", "$session_name changed document $document_name visibilty to $visable_wording in the client portal", $client_id, $document_id);
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> changed to <strong>$visable_wording</strong> in the client portal";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['export_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_GET['export_document']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT document_name, document_content, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$document_name = sanitizeInput($row['document_name']);
$document_content = $row['document_content'];
$client_id = intval($row['document_client_id']);
// Include the TCPDF class
require_once('plugins/TCPDF/tcpdf.php');
$pdf = new TCPDF();
// Set document information
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor("$document_name");
$pdf->SetTitle("$document_name");
// Add a page
$pdf->AddPage();
// Set font
$pdf->SetFont('helvetica', '', 12);
// Write HTML content to the PDF
$pdf->writeHTML($document_content, true, false, true, false, '');
// Output PDF to browser
$pdf->Output("$document_name.pdf", 'I'); // 'I' for inline display, 'D' for download
// Logging
logAction("Document", "Export", "$session_name exported document $document_name", $client_id, $document_id);
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> exported";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_document'])) {
enforceUserPermission('module_support', 2);
$document_id = intval($_GET['archive_document']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
mysqli_query($mysqli,"UPDATE documents SET document_archived_at = NOW() WHERE document_id = $document_id");
// Remove Associations
// File Association
mysqli_query($mysqli,"DELETE FROM document_files WHERE document_id = $document_id");
// Contact Associations
mysqli_query($mysqli,"DELETE FROM contact_documents WHERE document_id = $document_id");
// Asset Associations
mysqli_query($mysqli,"DELETE FROM asset_documents WHERE document_id = $document_id");
// Software Associations
mysqli_query($mysqli,"DELETE FROM software_documents WHERE document_id = $document_id");
// Vendor Associations
mysqli_query($mysqli,"DELETE FROM vendor_documents WHERE document_id = $document_id");
// Service Associations
mysqli_query($mysqli,"DELETE FROM service_documents WHERE document_id = $document_id");
// Logging
logAction("Document", "Archive", "$session_name archived document $document_name", $client_id, $document_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_document_version'])) {
enforceUserPermission('module_support', 3);
$document_version_id = intval($_GET['delete_document_version']);
// Get Document
$sql = mysqli_query($mysqli,"SELECT document_version_name, document_client_id FROM documents, document_versions WHERE document_version_document_id = document_id AND document_version_id = $document_version_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['document_client_id']);
$document_version_name = sanitizeInput($row['document_version_name']);
mysqli_query($mysqli,"DELETE FROM document_versions WHERE document_version_id = $document_version_id");
//Logging
logAction("Document Version", "Delete", "$session_name deleted document version $document_version_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Document $document_version_name version deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_document'])) {
enforceUserPermission('module_support', 3);
$document_id = intval($_GET['delete_document']);
// Get Document Name and Client ID for logging
$sql = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['document_client_id']);
$document_name = sanitizeInput($row['document_name']);
mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id");
// Delete all versions associated with the master document
mysqli_query($mysqli,"DELETE FROM document_versions WHERE document_version_document_id = $document_id");
//Logging
logAction("Document", "Delete", "$session_name deleted document $document_name and all versions", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Document <strong>$document_name</strong> deleted and all versions";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_documents'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['document_ids'])) {
// Get selected document count
$count = count($_POST['document_ids']);
// Delete document loop
foreach($_POST['document_ids'] as $document_id) {
$document_id = intval($document_id);
// Get document name for logging
$sql = mysqli_query($mysqli,"SELECT document_name, document_client_id FROM documents WHERE document_id = $document_id");
$row = mysqli_fetch_array($sql);
$document_name = sanitizeInput($row['document_name']);
$client_id = intval($row['document_client_id']);
mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id");
// Delete all versions associated with the master document
mysqli_query($mysqli,"DELETE FROM document_versions WHERE document_version_document_id = $document_id");
//Logging
logAction("Document", "Delete", "$session_name deleted document $document_name and all versions", $client_id);
}
//Logging
logAction("Document", "Bulk Delete", "$session_name deleted $count document(s) and all versions", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> Documents and associated document versions";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,10 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$folder = intval($_POST['folder']);
$description = sanitizeInput($_POST['description']);
$content = mysqli_real_escape_string($mysqli,$_POST['content']);
$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
// Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.


@@ -1,379 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client domains
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_domain'])) {
enforceUserPermission('module_support', 2);
require_once 'domain_model.php';
$extended_log_description = '';
$client_id = intval($_POST['client_id']);
// Set/check/lookup expiry date
if (strtotime($expire)) {
$expire = "'" . $expire . "'";
}
else {
$expire = getDomainExpirationDate($name);
if (strtotime($expire)) {
$expire = "'" . $expire . "'";
} else {
$expire = 'NULL';
}
}
// NS, MX, A and WHOIS records/data
$records = getDomainRecords($name);
$a = sanitizeInput($records['a']);
$ns = sanitizeInput($records['ns']);
$mx = sanitizeInput($records['mx']);
$txt = sanitizeInput($records['txt']);
$whois = sanitizeInput($records['whois']);
// Add domain record
mysqli_query($mysqli,"INSERT INTO domains SET domain_name = '$name', domain_description = '$description', domain_registrar = $registrar, domain_webhost = $webhost, domain_dnshost = $dnshost, domain_mailhost = $mailhost, domain_expire = $expire, domain_ip = '$a', domain_name_servers = '$ns', domain_mail_servers = '$mx', domain_txt = '$txt', domain_raw_whois = '$whois', domain_notes = '$notes', domain_client_id = $client_id");
// Get inserted ID (for linking certificate, if exists)
$domain_id = mysqli_insert_id($mysqli);
// Get SSL cert for domain (if exists)
$certificate = getSSL($name);
if ($certificate['success'] == "TRUE") {
$expire = sanitizeInput($certificate['expire']);
$issued_by = sanitizeInput($certificate['issued_by']);
$public_key = sanitizeInput($certificate['public_key']);
mysqli_query($mysqli,"INSERT INTO certificates SET certificate_name = '$name', certificate_domain = '$name', certificate_issued_by = '$issued_by', certificate_expire = '$expire', certificate_public_key = '$public_key', certificate_domain_id = $domain_id, certificate_client_id = $client_id");
$extended_log_description = ', with associated SSL cert';
}
// Logging
logAction("Domain", "Create", "$session_name created domain $name$extended_log_description", $client_id, $domain_id);
$_SESSION['alert_message'] = "Domain <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_domain'])) {
enforceUserPermission('module_support', 2);
require_once 'domain_model.php';
$domain_id = intval($_POST['domain_id']);
// Set/check/lookup expiry date
if (strtotime($expire) && (new DateTime($expire)) > (new DateTime())) {
$expire = "'" . $expire . "'";
} else {
$expire = getDomainExpirationDate($name);
if (strtotime($expire)) {
$expire = "'" . $expire . "'";
} else {
$expire = 'NULL';
}
}
$client_id = intval($_POST['client_id']);
// Update NS, MX, A and WHOIS records/data
$records = getDomainRecords($name);
$a = sanitizeInput($records['a']);
$ns = sanitizeInput($records['ns']);
$mx = sanitizeInput($records['mx']);
$txt = sanitizeInput($records['txt']);
$whois = sanitizeInput($records['whois']);
// Current domain info
$original_domain_info = mysqli_fetch_assoc(mysqli_query($mysqli,"
SELECT
domains.*,
registrar.vendor_name AS registrar_name,
dnshost.vendor_name AS dnshost_name,
mailhost.vendor_name AS mailhost_name,
webhost.vendor_name AS webhost_name
FROM domains
LEFT JOIN vendors AS registrar ON domains.domain_registrar = registrar.vendor_id
LEFT JOIN vendors AS dnshost ON domains.domain_dnshost = dnshost.vendor_id
LEFT JOIN vendors AS mailhost ON domains.domain_mailhost = mailhost.vendor_id
LEFT JOIN vendors AS webhost ON domains.domain_webhost = webhost.vendor_id
WHERE domain_id = $domain_id
"));
// Update domain
mysqli_query($mysqli,"UPDATE domains SET domain_name = '$name', domain_description = '$description', domain_registrar = $registrar, domain_webhost = $webhost, domain_dnshost = $dnshost, domain_mailhost = $mailhost, domain_expire = $expire, domain_ip = '$a', domain_name_servers = '$ns', domain_mail_servers = '$mx', domain_txt = '$txt', domain_raw_whois = '$whois', domain_notes = '$notes' WHERE domain_id = $domain_id");
// Fetch updated info
$new_domain_info = mysqli_fetch_assoc(mysqli_query($mysqli,"
SELECT
domains.*,
registrar.vendor_name AS registrar_name,
dnshost.vendor_name AS dnshost_name,
mailhost.vendor_name AS mailhost_name,
webhost.vendor_name AS webhost_name
FROM domains
LEFT JOIN vendors AS registrar ON domains.domain_registrar = registrar.vendor_id
LEFT JOIN vendors AS dnshost ON domains.domain_dnshost = dnshost.vendor_id
LEFT JOIN vendors AS mailhost ON domains.domain_mailhost = mailhost.vendor_id
LEFT JOIN vendors AS webhost ON domains.domain_webhost = webhost.vendor_id
WHERE domain_id = $domain_id
"));
// Compare/log changes
$ignored_columns = ["domain_updated_at", "domain_accessed_at", "domain_registrar", "domain_webhost", "domain_dnshost", "domain_mailhost"];
foreach ($original_domain_info as $column => $old_value) {
$new_value = $new_domain_info[$column];
if ($old_value != $new_value && !in_array($column, $ignored_columns)) {
$column = sanitizeInput($column);
$old_value = sanitizeInput($old_value);
$new_value = sanitizeInput($new_value);
mysqli_query($mysqli,"INSERT INTO domain_history SET domain_history_column = '$column', domain_history_old_value = '$old_value', domain_history_new_value = '$new_value', domain_history_domain_id = $domain_id");
}
}
// Logging
logAction("Domain", "Edit", "$session_name edited domain $name", $client_id, $domain_id);
$_SESSION['alert_message'] = "Domain <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_domain'])) {
enforceUserPermission('module_support', 2);
$domain_id = intval($_GET['archive_domain']);
//Get domain Name
$sql = mysqli_query($mysqli,"SELECT * FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NOW() WHERE domain_id = $domain_id");
// Logging
logAction("Domain", "Archive", "$session_name archived domain $domain_name", $client_id, $domain_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Domain <strong>$domain_name archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_domain'])){
enforceUserPermission('module_support', 2);
$domain_id = intval($_GET['unarchive_domain']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NULL WHERE domain_id = $domain_id");
// Logging
logAction("Domain", "Unarchive", "$session_name unarchived domain $domain_name", $client_id, $domain_id);
$_SESSION['alert_message'] = "Domain <strong>$domain_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_domain'])) {
enforceUserPermission('module_support', 3);
$domain_id = intval($_GET['delete_domain']);
// Get Domain Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"DELETE FROM domains WHERE domain_id = $domain_id");
// Logging
logAction("Domain", "Delete", "$session_name deleted domain $domain_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Domain <strong>$domain_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_domains'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['domain_ids'])) {
// Get Selected Count
$count = count($_POST['domain_ids']);
// Cycle through array and archive each record
foreach ($_POST['domain_ids'] as $domain_id) {
$domain_id = intval($domain_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NOW() WHERE domain_id = $domain_id");
// Individual Contact logging
logAction("Domain", "Archive", "$session_name archived domain $domain_name", $client_id, $domain_id);
}
// Bulk Logging
logAction("Domain", "Bulk Archive", "$session_name archived $count domain(s)", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived <strong>$count</strong> domain(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_domains'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['domain_ids'])) {
// Get Selected Count
$count = count($_POST['domain_ids']);
// Cycle through array and unarchive
foreach ($_POST['domain_ids'] as $domain_id) {
$domain_id = intval($domain_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli,"UPDATE domains SET domain_archived_at = NULL WHERE domain_id = $domain_id");
// Individual logging
logAction("Domain", "Unarchive", "$session_name unarchived domain $domain_name", $client_id, $domain_id);
}
// Bulk Logging
logAction("Domain", "Bulk Unarchive", "$session_name unarchived $count domain(s)", $client_id);
$_SESSION['alert_message'] = "Unarchived <strong>$count</strong> domain(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_domains'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['domain_ids'])) {
// Get Selected Count
$count = count($_POST['domain_ids']);
// Cycle through array and delete each domain
foreach ($_POST['domain_ids'] as $domain_id) {
$domain_id = intval($domain_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT domain_name, domain_client_id FROM domains WHERE domain_id = $domain_id");
$row = mysqli_fetch_array($sql);
$domain_name = sanitizeInput($row['domain_name']);
$client_id = intval($row['domain_client_id']);
mysqli_query($mysqli, "DELETE FROM domains WHERE domain_id = $domain_id AND domain_client_id = $client_id");
// Logging
logAction("Domain", "Delete", "$session_name deleted domain $domain_name", $client_id);
}
// Logging
logAction("Domain", "Bulk Delete", "$session_name deleted $count domain(s)", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> domain(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_domains_csv'])) {
enforceUserPermission('module_support');
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "WHERE domain_client_id = $client_id";
} else {
$client_query = '';
$client_id = 0;
}
$sql = mysqli_query($mysqli,"SELECT * FROM domains $client_query ORDER BY domain_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = "Domains-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Domain', 'Description', 'Registrar', 'Web Host', 'Expiration Date');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['domain_name'], $row['domain_description'], $row['domain_registrar'], $row['domain_webhost'], $row['domain_expire']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Domain", "Export", "$session_name exported $num_rows domain(s)", $client_id);
exit;
}


@@ -1,11 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = preg_replace("(^https?://)", "", sanitizeInput($_POST['name']));
$description = sanitizeInput($_POST['description']);
$registrar = intval($_POST['registrar'] ?? 0);
$dnshost = intval($_POST['dnshost'] ?? 0);
$webhost = intval($_POST['webhost'] ?? 0);
$mailhost = intval($_POST['mailhost'] ?? 0);
$expire = sanitizeInput($_POST['expire']);
$notes = sanitizeInput($_POST['notes']);


@@ -1,205 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for calendar & events
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_calendar'])) {
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
mysqli_query($mysqli,"INSERT INTO calendars SET calendar_name = '$name', calendar_color = '$color'");
$calendar_id = mysqli_insert_id($mysqli);
// Logging
logAction("Calendar", "Create", "$session_name created calendar $name", 0, $calendar_id);
$_SESSION['alert_message'] = "Calendar <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_calendar'])) {
$calendar_id = intval($_POST['calendar_id']);
$name = sanitizeInput($_POST['name']);
$color = sanitizeInput($_POST['color']);
mysqli_query($mysqli,"UPDATE calendars SET calendar_name = '$name', calendar_color = '$color' WHERE calendar_id = $calendar_id");
// Logging
logAction("Calendar", "Edit", "$session_name edited calendar $name", 0, $calendar_id);
$_SESSION['alert_message'] = "Calendar <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_event'])) {
require_once 'post/user/event_model.php';
mysqli_query($mysqli,"INSERT INTO calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client");
$event_id = mysqli_insert_id($mysqli);
//Get Calendar Name
$sql = mysqli_query($mysqli,"SELECT * FROM calendars WHERE calendar_id = $calendar_id");
$row = mysqli_fetch_array($sql);
$calendar_name = sanitizeInput($row['calendar_name']);
//If email is checked
if ($email_event == 1) {
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
$row = mysqli_fetch_array($sql_client);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
$company_name = sanitizeInput($row['company_name']);
$company_country = sanitizeInput($row['company_country']);
$company_address = sanitizeInput($row['company_address']);
$company_city = sanitizeInput($row['company_city']);
$company_state = sanitizeInput($row['company_state']);
$company_zip = sanitizeInput($row['company_zip']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
$company_email = sanitizeInput($row['company_email']);
$company_website = sanitizeInput($row['company_website']);
$company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$subject = "New Calendar Event";
$body = "Hello $contact_name,<br><br>A calendar event has been scheduled:<br><br>Event Title: $title<br>Event Date: $start<br><br><br>--<br>$company_name<br>$company_phone";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($data);
// Logging for email (success/fail)
if ($mail === true) {
logAction("Calendar Event", "Email", "$session_name emailed event $title to $contact_name from client $client_name", $client, $event_id);
} else {
appNotify("Mail", "Failed to send email to $contact_email");
logAction("Mail", "Error", "Failed to send email to $contact_email regarding $subject. $mail");
}
} // End mail IF
// Logging
logAction("Calendar Event", "Create", "$session_name created a calendar event titled $title in calendar $calendar_name", $client, $event_id);
$_SESSION['alert_message'] = "Event <strong>$title</strong> created in calendar <strong>$calendar_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_event'])) {
require_once 'post/user/event_model.php';
$event_id = intval($_POST['event_id']);
mysqli_query($mysqli,"UPDATE calendar_events SET event_title = '$title', event_location = '$location', event_description = '$description', event_start = '$start', event_end = '$end', event_repeat = '$repeat', event_calendar_id = $calendar_id, event_client_id = $client WHERE event_id = $event_id");
//If email is checked
if ($email_event == 1) {
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
$row = mysqli_fetch_array($sql_client);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
$company_name = sanitizeInput($row['company_name']);
$company_country = sanitizeInput($row['company_country']);
$company_address = sanitizeInput($row['company_address']);
$company_city = sanitizeInput($row['company_city']);
$company_state = sanitizeInput($row['company_state']);
$company_zip = sanitizeInput($row['company_zip']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
$company_email = sanitizeInput($row['company_email']);
$company_website = sanitizeInput($row['company_website']);
$company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$subject = "Calendar Event Rescheduled";
$body = "Hello $contact_name,<br><br>A calendar event has been rescheduled:<br><br>Event Title: $title<br>Event Date: $start<br><br><br>--<br>$company_name<br>$company_phone";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($data);
// Logging for email (success/fail)
if ($mail === true) {
logAction("Calendar Event", "Email", "$session_name Emailed modified event $title to $contact_name email $contact_email", $client, $event_id);
} else {
appNotify("Mail", "Failed to send email to $contact_email");
logAction("Mail", "Error", "Failed to send email to $contact_email regarding $subject. $mail");
}
} // End mail IF
//Logging
logAction("Calendar Event", "Edit", "$session_name edited calendar event $title", $client, $event_id);
$_SESSION['alert_message'] = "Calendar event titled <strong>$title</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_event'])) {
$event_id = intval($_GET['delete_event']);
// Get Event Title
$sql = mysqli_query($mysqli,"SELECT * FROM calendar_events WHERE event_id = $event_id");
$row = mysqli_fetch_array($sql);
$event_title = sanitizeInput($row['event_title']);
$client_id = intval($row['event_client_id']);
mysqli_query($mysqli,"DELETE FROM calendar_events WHERE event_id = $event_id");
// Logging
logAction("Calendar Event", "Delete", "$session_name deleted calendar event $event_title", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Calendar event titled <strong>$event_title</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,12 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$calendar_id = intval($_POST['calendar']);
$title = sanitizeInput($_POST['title']);
$location = sanitizeInput($_POST['location']);
$description = sanitizeInput($_POST['description']);
$start = sanitizeInput($_POST['start']);
$end = sanitizeInput($_POST['end']);
$repeat = sanitizeInput($_POST['repeat']);
$client = intval($_POST['client']);
$email_event = intval($_POST['email_event']);


@@ -1,434 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for expenses
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_expense'])) {
require_once 'post/user/expense_model.php';
mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference'");
$expense_id = mysqli_insert_id($mysqli);
// Check for and process attachment
$extended_alert_description = '';
if (isset($_FILES['file']['tmp_name'])) {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp', 'pdf'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/expenses/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE expenses SET expense_receipt = '$new_file_name' WHERE expense_id = $expense_id");
$extended_alert_description = '. File successfully uploaded.';
}
}
//Logging
logAction("Expense", "Create", "$session_name created expense $description", $client, $expense_id);
$_SESSION['alert_message'] = "Expense added" . $extended_alert_description;
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_expense'])) {
require_once 'post/user/expense_model.php';
$expense_id = intval($_POST['expense_id']);
// Get old receipt
$sql = mysqli_query($mysqli,"SELECT expense_receipt FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['expense_receipt']);
// Check for and process attachment
$extended_alert_description = '';
if (isset($_FILES['file']['tmp_name'])) {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp', 'pdf'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/expenses/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
//Delete old file
unlink("uploads/expenses/$existing_file_name");
mysqli_query($mysqli,"UPDATE expenses SET expense_receipt = '$new_file_name' WHERE expense_id = $expense_id");
$extended_alert_description = '. File successfully uploaded.';
}
}
mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = $amount, expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference' WHERE expense_id = $expense_id");
// Logging
logAction("Expense", "Edit", "$session_name edited expense $description", $client, $expense_id);
$_SESSION['alert_message'] = "Expense modified" . $extended_alert_description;
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_expense'])) {
$expense_id = intval($_GET['delete_expense']);
$sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_receipt = sanitizeInput($row['expense_receipt']);
$expense_description = sanitizeInput($row['expense_description']);
$client_id = intval($row['expense_client_id']);
unlink("uploads/expenses/$expense_receipt");
mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id");
// Logging
logAction("Expense", "Delete", "$session_name deleted expense $expense_description", $client_id);
$_SESSION['alert_message'] = "Expense deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_expense_category'])) {
$category_id = intval($_POST['bulk_category_id']);
// Get Category name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT category_name FROM categories WHERE category_id = $category_id");
$row = mysqli_fetch_array($sql);
$category_name = sanitizeInput($row['category_name']);
// Assign category to Selected Expenses
if (isset($_POST['expense_ids'])) {
// Get Selected Count
$count = count($_POST['expense_ids']);
foreach($_POST['expense_ids'] as $expense_id) {
$expense_id = intval($expense_id);
// Get Expense Details for Logging
$sql = mysqli_query($mysqli,"SELECT expense_description, expense_client_id FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_description = sanitizeInput($row['expense_description']);
$client_id = intval($row['expense_client_id']);
mysqli_query($mysqli,"UPDATE expenses SET expense_category_id = $category_id WHERE expense_id = $expense_id");
// Logging
logAction("Expense", "Edit", "$session_name assigned expense $expense_descrition to category $category_name", $client_id, $expense_id);
} // End Assign Loop
// Logging
logAction("Expense", "Bulk Edit", "$session_name assigned $count expenses to category $category_name");
$_SESSION['alert_message'] = "You assigned expense category <strong>$category_name</strong> to <strong>$count</strong> expense(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_expense_account'])) {
$account_id = intval($_POST['bulk_account_id']);
// Get Account name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_id");
$row = mysqli_fetch_array($sql);
$account_name = sanitizeInput($row['account_name']);
// Assign account to Selected Expenses
if (isset($_POST['expense_ids'])) {
// Get Selected Contacts Count
$count = count($_POST['expense_ids']);
foreach($_POST['expense_ids'] as $expense_id) {
$expense_id = intval($expense_id);
// Get Expense Details for Logging
$sql = mysqli_query($mysqli,"SELECT expense_description, expense_client_id FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_description = sanitizeInput($row['expense_description']);
$client_id = intval($row['expense_client_id']);
mysqli_query($mysqli,"UPDATE expenses SET expense_account_id = $account_id WHERE expense_id = $expense_id");
// Logging
logAction("Expense", "Edit", "$session_name assigned expense $expense_descrition to account $account_name", $client_id, $expense_id);
} // End Assign Loop
// Logging
logAction("Expense", "Bulk Edit", "$session_name assigned $count expense(s) to account $account_name");
$_SESSION['alert_message'] = "You assigned account <strong>$account_name</strong> to <strong>$count</strong> expense(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_expense_client'])) {
$client_id = intval($_POST['bulk_client_id']);
// Get Client name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = sanitizeInput($row['client_name']);
// Assign Client to Selected Expenses
if (isset($_POST['expense_ids'])) {
// Get Selected Count
$count = count($_POST['expense_ids']);
foreach($_POST['expense_ids'] as $expense_id) {
$expense_id = intval($expense_id);
// Get Expense Details for Logging
$sql = mysqli_query($mysqli,"SELECT expense_description FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_description = sanitizeInput($row['expense_description']);
mysqli_query($mysqli,"UPDATE expenses SET expense_client_id = $client_id WHERE expense_id = $expense_id");
// Logging
logAction("Expense", "Edit", "$session_name assigned expense $expense_descrition to client $client_name", $client_id, $expense_id);
} // End Assign Loop
$_SESSION['alert_message'] = "You assigned Client <b>$client_name</b> to <b>$expense_count</b> expenses";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_expenses'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['expense_ids'])) {
// Get Selected Count
$count = count($_POST['expense_ids']);
// Cycle through array and delete each expense
foreach ($_POST['expense_ids'] as $expense_id) {
$expense_id = intval($expense_id);
$sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$expense_description = sanitizeInput($row['expense_description']);
$expense_receipt = sanitizeInput($row['expense_receipt']);
$client_id = intval($row['expense_client_id']);
unlink("uploads/expenses/$expense_receipt");
mysqli_query($mysqli, "DELETE FROM expenses WHERE expense_id = $expense_id");
// Logging
logAction("Expense", "Delete", "$session_name deleted expense $expense_descrition", $client_id);
}
// Logging
logAction("Expense", "Bulk Delete", "$session_name deleted $count expense(s)");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> expense(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_expenses_csv'])) {
$date_from = sanitizeInput($_POST['date_from']);
$date_to = sanitizeInput($_POST['date_to']);
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$category = intval($_POST['category']);
if (!empty($date_from) && !empty($date_to)) {
$date_query = "AND DATE(expense_date) BETWEEN '$date_from' AND '$date_to'";
$file_name_date = "$date_from-to-$date_to";
}else{
$date_query = "";
$file_name_date = date('Y-m-d');
}
// Vendor Filter
if ($account) {
$account_query = "AND expense_account_id = $account";
} else {
$account_query = '';
}
// Vendor Filter
if ($vendor) {
$vendor_query = "AND expense_vendor_id = $vendor";
} else {
// Default - any
$vendor_query = '';
}
// Category Filter
if ($category) {
$category_query = "AND expense_category_id = $category";
} else {
// Default - any
$category_query = '';
}
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM expenses
LEFT JOIN categories ON expense_category_id = category_id
LEFT JOIN vendors ON expense_vendor_id = vendor_id
LEFT JOIN accounts ON expense_account_id = account_id
WHERE expense_vendor_id > 0
$date_query
$account_query
$vendor_query
$category_query
ORDER BY expense_date DESC
");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = "$session_company_name-Expenses-$file_name_date.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Date', 'Amount', 'Vendor', 'Description', 'Category', 'Account');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)) {
$lineData = array($row['expense_date'], $row['expense_amount'], $row['vendor_name'], $row['expense_description'], $row['category_name'], $row['account_name']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Expense", "Export", "$session_name exported $num_rows expense(s) to CSV file");
exit;
}
if (isset($_POST['create_recurring_expense'])) {
$frequency = intval($_POST['frequency']);
$day = intval($_POST['day']);
$month = intval($_POST['month']);
$amount = floatval(str_replace(',', '', $_POST['amount']));
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$client_id = intval($_POST['client']);
$category = intval($_POST['category']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
$year = date('Y');
if (strtotime("$year-$month-$day") < time()) {
$year++;
}
$start_date = "$year-$month-$day";
mysqli_query($mysqli,"INSERT INTO recurring_expenses SET recurring_expense_frequency = $frequency, recurring_expense_day = $day, recurring_expense_month = $month, recurring_expense_next_date = '$start_date', recurring_expense_description = '$description', recurring_expense_reference = '$reference', recurring_expense_amount = $amount, recurring_expense_currency_code = '$session_company_currency', recurring_expense_vendor_id = $vendor, recurring_expense_client_id = $client_id, recurring_expense_category_id = $category, recurring_expense_account_id = $account");
$recurring_expense_id = mysqli_insert_id($mysqli);
// Logging
logAction("Recurring Expense", "Create", "$session_name created recurring expense $description", $client_id, $recurring_expense_id);
$_SESSION['alert_message'] = "Recurring Expense created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_recurring_expense'])) {
$recurring_expense_id = intval($_POST['recurring_expense_id']);
$frequency = intval($_POST['frequency']);
$day = intval($_POST['day']);
$month = intval($_POST['month']);
$amount = floatval(str_replace(',', '', $_POST['amount']));
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$client_id = intval($_POST['client']);
$category = intval($_POST['category']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
$year = date('Y');
if (strtotime("$year-$month-$day") < time()) {
$year++;
}
$start_date = "$year-$month-$day";
mysqli_query($mysqli,"UPDATE recurring_expenses SET recurring_expense_frequency = $frequency, recurring_expense_day = $day, recurring_expense_month = $month, recurring_expense_next_date = '$start_date', recurring_expense_description = '$description', recurring_expense_reference = '$reference', recurring_expense_amount = $amount, recurring_expense_currency_code = '$session_company_currency', recurring_expense_vendor_id = $vendor, recurring_expense_client_id = $client_id, recurring_expense_category_id = $category, recurring_expense_account_id = $account WHERE recurring_expense_id = $recurring_expense_id");
//Logging
logAction("Recurring Expense", "Edit", "$session_name edited recurring expense $description", $client_id, $recurring_expense_id);
$_SESSION['alert_message'] = "Recurring Expense edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_recurring_expense'])) {
$recurring_expense_id = intval($_GET['delete_recurring_expense']);
// Get Recurring Expense Details for Logging
$sql = mysqli_query($mysqli,"SELECT recurring_expense_description, recurring_expense_client_id FROM recurring_expenses WHERE recurring_expense_id = $recurring_expense_id");
$row = mysqli_fetch_array($sql);
$recurring_expense_description = sanitizeInput($row['recurring_expense_description']);
$client_id = intval($row['recurring_expense_client_id']);
mysqli_query($mysqli,"DELETE FROM recurring_expenses WHERE recurring_expense_id = $recurring_expense_id");
// Logging
logAction("Recurring Expense", "Delete", "$session_name deleted recurring expense $recurring_expense_description", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Recurring Expense deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,11 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account = intval($_POST['account']);
$vendor = intval($_POST['vendor']);
$client = intval($_POST['client']);
$category = intval($_POST['category']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);


@@ -1,468 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client files/uploads
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['upload_files'])) {
// Enforce required user permission
enforceUserPermission('module_support', 2);
// Sanitize and initialize inputs
$client_id = intval($_POST['client_id']);
$folder_id = intval($_POST['folder_id']);
$description = sanitizeInput($_POST['description']);
$contact_id = intval($_POST['contact'] ?? 0);
$asset_id = intval($_POST['asset'] ?? 0);
$client_dir = "uploads/clients/$client_id";
// Create client directory if it doesn't exist
if (!is_dir($client_dir)) {
mkdir($client_dir, 0755, true);
}
// Allowed file extensions list
$allowedExtensions = [
'jpg', 'jpeg', 'gif', 'png', 'webp', 'pdf', 'txt', 'md', 'doc', 'docx',
'odt', 'csv', 'xls', 'xlsx', 'ods', 'pptx', 'odp', 'zip', 'tar', 'gz',
'msg', 'json', 'wav', 'mp3', 'ogg', 'mov', 'mp4', 'av1', 'ovpn',
'cfg', 'ps1', 'vsdx', 'drawio', 'pfx', 'pages', 'numbers', 'unf', 'key',
'bat', 'stk'
];
// Loop through each uploaded file
foreach ($_FILES['file']['name'] as $index => $originalName) {
// Build a file array for this iteration
$single_file = [
'name' => $_FILES['file']['name'][$index],
'type' => $_FILES['file']['type'][$index],
'tmp_name' => $_FILES['file']['tmp_name'][$index],
'error' => $_FILES['file']['error'][$index],
'size' => $_FILES['file']['size'][$index]
];
// Validate and get a safe file reference name
if ($file_reference_name = checkFileUpload($single_file, $allowedExtensions)) {
$file_tmp_path = $single_file['tmp_name'];
$file_name = sanitizeInput($originalName);
$extParts = explode('.', $file_name);
$file_extension = strtolower(end($extParts));
$file_mime_type = sanitizeInput($single_file['type']);
$file_size = intval($single_file['size']);
// Define destination path and move the uploaded file
$upload_file_dir = $client_dir . "/";
$dest_path = $upload_file_dir . $file_reference_name;
if (!move_uploaded_file($file_tmp_path, $dest_path)) {
$_SESSION['alert_type'] = 'error';
$_SESSION['alert_message'] = 'Error moving file to upload directory. Please ensure the directory is writable.';
continue; // Skip processing this file
}
// Use the file reference (without extension) as the file hash
$file_hash = strstr($file_reference_name, '.', true) ?: $file_reference_name;
// If the file is an image, optimize it
if (in_array($file_extension, ['jpg', 'jpeg', 'png', 'gif', 'webp'])) {
// Create image resource based on file extension
switch ($file_extension) {
case 'jpg':
case 'jpeg':
$src_img = imagecreatefromjpeg($dest_path);
break;
case 'png':
$src_img = imagecreatefrompng($dest_path);
break;
case 'gif':
$src_img = imagecreatefromgif($dest_path);
break;
case 'webp':
$src_img = imagecreatefromwebp($dest_path);
break;
default:
$src_img = false;
}
if ($src_img) {
// Fix image rotation for JPEG images using EXIF data
if (in_array($file_extension, ['jpg', 'jpeg']) && function_exists('exif_read_data')) {
$exif = @exif_read_data($dest_path);
if (!empty($exif['Orientation'])) {
switch ($exif['Orientation']) {
case 3:
$src_img = imagerotate($src_img, 180, 0);
break;
case 6:
$src_img = imagerotate($src_img, -90, 0);
break;
case 8:
$src_img = imagerotate($src_img, 90, 0);
break;
}
}
}
// Get image dimensions
$orig_width = imagesx($src_img);
$orig_height = imagesy($src_img);
$aspect_ratio = $orig_width / $orig_height;
$preview_max_width = 1200;
$preview_max_height = 1200;
// Maintain aspect ratio
if ($orig_width > $orig_height) {
$preview_new_width = min($preview_max_width, $orig_width);
$preview_new_height = round($preview_new_width / $aspect_ratio);
} else {
$preview_new_height = min($preview_max_height, $orig_height);
$preview_new_width = round($preview_new_height * $aspect_ratio);
}
// Create optimized image
$optimized_img = imagecreatetruecolor($preview_new_width, $preview_new_height);
// Handle transparency for PNG & GIF
if (in_array($file_extension, ['png', 'gif'])) {
imagealphablending($optimized_img, false);
imagesavealpha($optimized_img, true);
$transparent = imagecolorallocatealpha($optimized_img, 0, 0, 0, 127);
imagefilledrectangle($optimized_img, 0, 0, $preview_new_width, $preview_new_height, $transparent);
}
// Resize image
imagecopyresampled($optimized_img, $src_img, 0, 0, 0, 0,
$preview_new_width, $preview_new_height, $orig_width, $orig_height);
// Define WebP file path
$optimized_file_name = $file_hash . ".webp";
$optimized_path = $upload_file_dir . $optimized_file_name;
// Save as WebP
imagewebp($optimized_img, $optimized_path, 80);
// Free memory
imagedestroy($optimized_img);
imagedestroy($src_img);
// Delete original uploaded image
unlink($dest_path);
// Get new file size
$file_size = filesize($optimized_path);
// Update details for WebP
$file_reference_name = $optimized_file_name;
$file_extension = "webp";
$file_mime_type = "image/webp";
$file_name = pathinfo($originalName, PATHINFO_FILENAME) . ".webp";
}
}
// Insert file metadata into the database
$query = "INSERT INTO files SET
file_reference_name = '$file_reference_name',
file_name = '$file_name',
file_description = '$description',
file_ext = '$file_extension',
file_mime_type = '$file_mime_type',
file_size = $file_size,
file_created_by = $session_user_id,
file_folder_id = $folder_id,
file_client_id = $client_id";
mysqli_query($mysqli, $query);
$file_id = mysqli_insert_id($mysqli);
if ($contact_id) {
mysqli_query($mysqli,"INSERT INTO contact_files SET contact_id = $contact_id, file_id = $file_id");
}
if ($asset_id) {
mysqli_query($mysqli,"INSERT INTO asset_files SET asset_id = $asset_id, file_id = $file_id");
}
// Log upload action
logAction("File", "Upload", "$session_name uploaded file $file_name", $client_id, $file_id);
$_SESSION['alert_message'] = "Uploaded file <strong>$file_name</strong>";
}
}
// Redirect after processing
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
if (isset($_POST['rename_file'])) {
enforceUserPermission('module_support', 2);
$file_id = intval($_POST['file_id']);
$file_name = sanitizeInput($_POST['file_name']);
$file_description = sanitizeInput($_POST['file_description']);
// Get File Details Client ID for Logging
$sql = mysqli_query($mysqli,"SELECT file_name, file_client_id FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$old_file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
// file edit query
mysqli_query($mysqli,"UPDATE files SET file_name = '$file_name' ,file_description = '$file_description' WHERE file_id = $file_id");
// Logging
logAction("File", "Rename", "$session_name renamed file $old_file_name to $file_name", $client_id, $file_id);
$_SESSION['alert_message'] = "Renamed file <strong>$old_file_name</strong> to <strong>$file_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['move_file'])) {
enforceUserPermission('module_support', 2);
$file_id = intval($_POST['file_id']);
$folder_id = intval($_POST['folder_id']);
// Get File Name and Client ID for Logging
$sql = mysqli_query($mysqli,"SELECT file_name, file_client_id FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
// Get Folder Name for Logging
$sql = mysqli_query($mysqli,"SELECT folder_name FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql);
$folder_name = sanitizeInput($row['folder_name']);
mysqli_query($mysqli,"UPDATE files SET file_folder_id = $folder_id WHERE file_id = $file_id");
// Logging
logAction("File", "Move", "$session_name moved file $file_name to $folder_name", $client_id, $file_id);
$_SESSION['alert_message'] = "File <strong>$file_name</strong> moved to <strong>$folder_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_file'])) {
enforceUserPermission('module_support', 2);
$file_id = intval($_GET['archive_file']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT file_name, file_client_id FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
mysqli_query($mysqli,"UPDATE files SET file_archived_at = NOW() WHERE file_id = $file_id");
//logging
logAction("File", "Archive", "$session_name archived file $file_name", $client_id, $file_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "File <strong>$file_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['delete_file'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
$file_id = intval($_POST['file_id']);
$sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql_file);
$client_id = intval($row['file_client_id']);
$file_name = sanitizeInput($row['file_name']);
$file_reference_name = sanitizeInput($row['file_reference_name']);
$file_has_thumbnail = intval($row['file_has_thumbnail']);
$file_has_preview = intval($row['file_has_preview']);
unlink("uploads/clients/$client_id/$file_reference_name");
if ($file_has_thumbnail == 1) {
unlink("uploads/clients/$client_id/thumbnail_$file_reference_name");
}
if ($file_has_preview == 1) {
unlink("uploads/clients/$client_id/preview_$file_reference_name");
}
mysqli_query($mysqli,"DELETE FROM files WHERE file_id = $file_id");
//Logging
logAction("File", "Delete", "$session_name deleted file $file_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "File <strong>$file_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_files'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
// Delete file loop
if (isset($_POST['file_ids'])) {
// Get selected file Count
$file_count = count($_POST['file_ids']);
foreach($_POST['file_ids'] as $file_id) {
$file_id = intval($file_id);
$sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql_file);
$client_id = intval($row['file_client_id']);
$file_name = sanitizeInput($row['file_name']);
$file_reference_name = sanitizeInput($row['file_reference_name']);
$file_has_thumbnail = intval($row['file_has_thumbnail']);
$file_has_preview = intval($row['file_has_preview']);
unlink("uploads/clients/$client_id/$file_reference_name");
if ($file_has_thumbnail == 1) {
unlink("uploads/clients/$client_id/thumbnail_$file_reference_name");
}
if ($file_has_preview == 1) {
unlink("uploads/clients/$client_id/preview_$file_reference_name");
}
mysqli_query($mysqli,"DELETE FROM files WHERE file_id = $file_id");
// Log each invidual file deletion
logAction("File", "Delete", "$session_name deleted file $file_name", $client_id);
}
// Log the bulk delete action
logAction("File", "Bulk Delete", "$session_name deleted $file_count file(s)", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "You deleted <strong>$file_count</strong> files";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_move_files'])) {
enforceUserPermission('module_support', 2);
validateCSRFToken($_POST['csrf_token']);
$folder_id = intval($_POST['bulk_folder_id']);
// Get folder name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT folder_name, folder_client_id FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql);
$folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
// Check array for data
if (isset($_POST['file_ids'])) {
// Get Selected file Count
$file_count = count($_POST['file_ids']);
// Move Documents to Folder Loop
foreach($_POST['file_ids'] as $file_id) {
$file_id = intval($file_id);
// Get file name for logging
$sql = mysqli_query($mysqli,"SELECT file_name FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$file_name = sanitizeInput($row['file_name']);
// file move query
mysqli_query($mysqli,"UPDATE files SET file_folder_id = $folder_id WHERE file_id = $file_id");
// Logging
logAction("File", "Move", "$session_name moved file $file_name to folder $folder_name", $client_id, $file_id);
}
//Logging
logAction("File", "Bulk Move", "$session_name moved $file_count file(s) to folder $folder_name", $client_id);
$_SESSION['alert_message'] = "Moved <strong>$file_count</strong> files to the folder <strong>$folder_name</strong>";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_asset_to_file'])) {
enforceUserPermission('module_support', 2);
$file_id = intval($_POST['file_id']);
$asset_id = intval($_POST['asset_id']);
// Get File Name and Client ID for Logging
$sql = mysqli_query($mysqli,"SELECT file_name, file_client_id FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
// Get Asset Name for Logging
$sql = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
// Contact add query
mysqli_query($mysqli,"INSERT INTO asset_files SET asset_id = $asset_id, file_id = $file_id");
// Logging
logAction("File", "Link", "$session_name linked asset $asset_name to file $file_name", $client_id, $file_id);
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> linked to File <strong>$file_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unlink_asset_from_file'])) {
enforceUserPermission('module_support', 2);
$asset_id = intval($_GET['asset_id']);
$file_id = intval($_GET['file_id']);
// Get File Name and Client ID for Logging
$sql = mysqli_query($mysqli,"SELECT file_name, file_client_id FROM files WHERE file_id = $file_id");
$row = mysqli_fetch_array($sql);
$file_name = sanitizeInput($row['file_name']);
$client_id = intval($row['file_client_id']);
// Get Asset Name for Logging
$sql = mysqli_query($mysqli,"SELECT asset_name FROM assets WHERE asset_id = $asset_id");
$row = mysqli_fetch_array($sql);
$asset_name = sanitizeInput($row['asset_name']);
mysqli_query($mysqli,"DELETE FROM asset_files WHERE asset_id = $asset_id AND file_id = $file_id");
//Logging
logAction("File", "Link", "$session_name unlinked asset $asset_name from file $file_name", $client_id, $file_id);
$_SESSION['alert_message'] = "Asset <strong>$asset_name</strong> unlinked from File <strong>$file_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,86 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for folders
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['create_folder'])) {
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$folder_location = intval($_POST['folder_location']);
$folder_name = sanitizeInput($_POST['folder_name']);
$parent_folder = intval($_POST['parent_folder']);
// Document folder add query
$add_folder = mysqli_query($mysqli,"INSERT INTO folders SET folder_name = '$folder_name', parent_folder = $parent_folder, folder_location = $folder_location, folder_client_id = $client_id");
$folder_id = mysqli_insert_id($mysqli);
// Logging
logAction("Folder", "Create", "$session_name created folder $folder_name", $client_id, $folder_id);
$_SESSION['alert_message'] = "Folder <strong>$folder_name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['rename_folder'])) {
enforceUserPermission('module_support', 2);
$folder_id = intval($_POST['folder_id']);
$folder_name = sanitizeInput($_POST['folder_name']);
// Get old Folder Name Client ID for Logging
$sql = mysqli_query($mysqli,"SELECT folder_name, folder_client_id FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql);
$old_folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
// Folder edit query
mysqli_query($mysqli,"UPDATE folders SET folder_name = '$folder_name' WHERE folder_id = $folder_id");
//Logging
logAction("Folder", "Rename", "$session_name renamed folder $old_folder_name to $folder_name", $client_id, $folder_id);
$_SESSION['alert_message'] = "Folder <strong>$old_folder_name</strong> renamed to <strong>$folder_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_folder'])) {
enforceUserPermission('module_support', 3);
$folder_id = intval($_GET['delete_folder']);
// Get Folder Name Client ID for Logging
$sql = mysqli_query($mysqli,"SELECT folder_name, folder_client_id FROM folders WHERE folder_id = $folder_id");
$row = mysqli_fetch_array($sql);
$folder_name = sanitizeInput($row['folder_name']);
$client_id = intval($row['folder_client_id']);
mysqli_query($mysqli,"DELETE FROM folders WHERE folder_id = $folder_id");
// Move files in deleted folder back to the root folder /
$sql_documents = mysqli_query($mysqli,"SELECT * FROM documents WHERE document_folder_id = $folder_id");
while($row = mysqli_fetch_array($sql_documents)) {
$document_id = intval($row['document_id']);
mysqli_query($mysqli,"UPDATE documents SET document_folder_id = 0 WHERE document_id = $document_id");
}
//Logging
logAction("Folder", "Delete", "$session_name deleted folder $folder_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Folder <strong>$folder_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}



@@ -1,10 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$category = intval($_POST['category']);
$scope = sanitizeInput($_POST['scope']);
$invoice_discount = floatval($_POST['invoice_discount']);
$recurring_discount = floatval($_POST['recurring_discount']);
$config_invoice_prefix = sanitizeInput($config_invoice_prefix);


@@ -1,537 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client physical locations/sites
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if(isset($_POST['add_location'])){
enforceUserPermission('module_client', 2);
require_once 'post/user/location_model.php';
if(!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
mysqli_query($mysqli,"INSERT INTO locations SET location_name = '$name', location_description = '$description', location_country = '$country', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone_country_code = '$phone_country_code', location_phone = '$phone', location_phone_extension = '$extension', location_fax_country_code = '$fax_country_code', location_fax = '$fax', location_hours = '$hours', location_notes = '$notes', location_contact_id = $contact, location_client_id = $client_id");
$location_id = mysqli_insert_id($mysqli);
// Add Tags
if (isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO location_tags SET location_id = $location_id, tag_id = $tag");
}
}
// Update Primary location in clients if primary location is checked
if ($location_primary == 1) {
mysqli_query($mysqli,"UPDATE locations SET location_primary = 0 WHERE location_client_id = $client_id");
mysqli_query($mysqli,"UPDATE locations SET location_primary = 1 WHERE location_id = $location_id");
}
if (isset($_FILES['file']['tmp_name'])) {
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE locations SET location_photo = '$new_file_name' WHERE location_id = $location_id");
}
}
// Logging
logAction("Location", "Create", "$session_name created location $name", $client_id, $location_id);
$_SESSION['alert_message'] = "Location <strong>$name</strong> created.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['edit_location'])){
enforceUserPermission('module_client', 2);
require_once 'post/user/location_model.php';
$location_id = intval($_POST['location_id']);
// Get old location photo
$sql = mysqli_query($mysqli,"SELECT location_photo FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['location_photo']);
if(!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
mysqli_query($mysqli,"UPDATE locations SET location_name = '$name', location_description = '$description', location_country = '$country', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone_country_code = '$phone_country_code', location_phone = '$phone', location_phone_extension = '$extension', location_fax_country_code = '$fax_country_code', location_fax = '$fax', location_hours = '$hours', location_notes = '$notes', location_contact_id = $contact WHERE location_id = $location_id");
// Update Primay location in clients if primary location is checked
if ($location_primary == 1) {
mysqli_query($mysqli,"UPDATE locations SET location_primary = 0 WHERE location_client_id = $client_id");
mysqli_query($mysqli,"UPDATE locations SET location_primary = 1 WHERE location_id = $location_id");
}
// Tags
// Delete existing tags
mysqli_query($mysqli, "DELETE FROM location_tags WHERE location_id = $location_id");
// Add new tags
if (isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO location_tags SET location_id = $location_id, tag_id = $tag");
}
}
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
//Delete old file
unlink("uploads/clients/$client_id/$existing_file_name");
mysqli_query($mysqli,"UPDATE locations SET location_photo = '$new_file_name' WHERE location_id = $location_id");
}
// Logging
logAction("Location", "Edit", "$session_name edited location $name", $client_id, $location_id);
$_SESSION['alert_message'] = "Location <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['archive_location'])){
enforceUserPermission('module_client', 2);
$location_id = intval($_GET['archive_location']);
// Get Location Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
// Logging
logAction("Location", "Archive", "$session_name archived location $location_name", $client_id, $location_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Location <strong>$location_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_location'])){
enforceUserPermission('module_client', 2);
$location_id = intval($_GET['unarchive_location']);
// Get Location Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
// Logging
logAction("Location", "Unarchive", "$session_name unarchived location $location_name", $client_id, $location_id);
$_SESSION['alert_message'] = "Location <strong>$location_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['delete_location'])){
enforceUserPermission('module_client', 3);
$location_id = intval($_GET['delete_location']);
// Get Location Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"DELETE FROM locations WHERE location_id = $location_id");
// Logging
logAction("Location", "Delete", "$session_name deleted location $location_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Location <strong>$location_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_location_tags'])) {
enforceUserPermission('module_client', 2);
// Assign Tags to Selected
if (isset($_POST['location_ids'])) {
// Get Selected Count
$count = count($_POST['location_ids']);
foreach($_POST['location_ids'] as $location_id) {
$location_id = intval($location_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM location_tags WHERE location_id = $location_id");
}
// Add new tags
if (isset($_POST['bulk_tags'])) {
foreach($_POST['bulk_tags'] as $tag) {
$tag = intval($tag);
$sql = mysqli_query($mysqli,"SELECT * FROM location_tags WHERE location_id = $location_id AND tag_id = $tag");
if (mysqli_num_rows($sql) == 0) {
mysqli_query($mysqli, "INSERT INTO location_tags SET location_id = $location_id, tag_id = $tag");
}
}
}
// Logging
logAction("Location", "Edit", "$session_name assigned tags to location $location_name", $client_id, $location_id);
} // End Assign Location Loop
// Logging
logAction("Location", "Bulk Edit", "$session_name assigned tags to $count location(s)", $client_id);
$_SESSION['alert_message'] = "Assigned tags for <strong>$count</strong> locations";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_locations'])) {
enforceUserPermission('module_client', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['location_ids'])) {
$count = 0; // Default 0
// Cycle through array and archive each contact
foreach ($_POST['location_ids'] as $location_id) {
$location_id = intval($location_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id, location_primary FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$location_primary = intval($row['location_primary']);
$client_id = intval($row['location_client_id']);
if($location_primary == 0) {
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NOW() WHERE location_id = $location_id");
// Individual Contact logging
logAction("Location", "Archive", "$session_name archived location $location_name", $client_id, $location_id);
$count++;
}
}
// Bulk Logging
logAction("Location", "Bulk Archive", "$session_name archived $count location(s)");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived <strong>$count</strong> location(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_locations'])) {
enforceUserPermission('module_client', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['location_ids'])) {
// Get Selected Count
$count = count($_POST['location_ids']);
// Cycle through array and unarchive
foreach ($_POST['location_ids'] as $location_id) {
$location_id = intval($location_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli,"UPDATE locations SET location_archived_at = NULL WHERE location_id = $location_id");
// Individual logging
logAction("Location", "Unarchive", "$session_name unarchived location $location_name", $client_id, $location_id);
}
// Bulk Logging
logAction("Location", "Bulk Unarchive", "$session_name unarchived $count location(s)", $client_id);
$_SESSION['alert_message'] = "Unarchived <strong>$count</strong> location(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_locations'])) {
enforceUserPermission('module_client', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['location_ids'])) {
// Get Selected Count
$count = count($_POST['location_ids']);
// Cycle through array and delete each record
foreach ($_POST['location_ids'] as $location_id) {
$location_id = intval($location_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT location_name, location_client_id FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$location_name = sanitizeInput($row['location_name']);
$client_id = intval($row['location_client_id']);
mysqli_query($mysqli, "DELETE FROM locations WHERE location_id = $location_id AND location_client_id = $client_id");
// Logging
logAction("Location", "Delete", "$session_name deleted location $location_name", $client_id);
}
// Logging
logAction("Location", "Bulk Delete", "$session_name deleted $count location(s)", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> location(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['export_locations_csv'])){
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "AND location_client_id = $client_id";
} else {
$client_query = '';
$client_id = 0;
}
//Locations
$sql = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_archived_at IS NULL $client_query ORDER BY location_name ASC");
$num_rows = mysqli_num_rows($sql);
if($num_rows > 0) {
$delimiter = ",";
$filename = "Locations-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Address', 'City', 'State', 'Postal Code', 'Phone', 'Hours');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()){
$lineData = array($row['location_name'], $row['location_description'], $row['location_address'], $row['location_city'], $row['location_state'], $row['location_zip'], $row['location_phone'], $row['location_hours']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Location", "Export", "$session_name exported $num_rows location(s) to a CSV file", $client_id);
exit;
}
if (isset($_POST["import_locations_csv"])) {
enforceUserPermission('module_client', 2);
$client_id = intval($_POST['client_id']);
$error = false;
if (!empty($_FILES["file"]["tmp_name"])) {
$file_name = $_FILES["file"]["tmp_name"];
} else {
$_SESSION['alert_message'] = "Please select a file to upload.";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
//Check file is CSV
$file_extension = strtolower(end(explode('.',$_FILES['file']['name'])));
$allowed_file_extensions = array('csv');
if(in_array($file_extension,$allowed_file_extensions) === false){
$error = true;
$_SESSION['alert_message'] = "Bad file extension";
}
//Check file isn't empty
elseif($_FILES["file"]["size"] < 1){
$error = true;
$_SESSION['alert_message'] = "Bad file size (empty?)";
}
//(Else)Check column count
$f = fopen($file_name, "r");
$f_columns = fgetcsv($f, 1000, ",");
if(!$error & count($f_columns) != 8) {
$error = true;
$_SESSION['alert_message'] = "Bad column count.";
}
//Else, parse the file
if(!$error){
$file = fopen($file_name, "r");
fgetcsv($file, 1000, ","); // Skip first line
$row_count = 0;
$duplicate_count = 0;
while(($column = fgetcsv($file, 1000, ",")) !== false){
$duplicate_detect = 0;
if(isset($column[0])){
$name = sanitizeInput($column[0]);
if(mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM locations WHERE location_name = '$name' AND location_client_id = $client_id")) > 0){
$duplicate_detect = 1;
}
}
if(isset($column[1])){
$description = sanitizeInput($column[1]);
}
if(isset($column[2])){
$address = sanitizeInput($column[2]);
}
if(isset($column[3])){
$city = sanitizeInput($column[3]);
}
if(isset($column[4])){
$state = sanitizeInput($column[4]);
}
if(isset($column[5])){
$zip = sanitizeInput($column[5]);
}
if(isset($column[6])){
$phone = preg_replace("/[^0-9]/", '',$column[6]);
}
if(isset($column[7])){
$hours = sanitizeInput($column[7]);
}
// Check if duplicate was detected
if($duplicate_detect == 0){
//Add
mysqli_query($mysqli,"INSERT INTO locations SET location_name = '$name', location_description = '$description', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone = '$phone', location_hours = '$hours', location_client_id = $client_id");
$row_count = $row_count + 1;
}else{
$duplicate_count = $duplicate_count + 1;
}
}
fclose($file);
// Logging
logAction("Location", "Import", "$session_name imported $row_count location(s). $duplicate_count duplicate(s) found and not imported", $client_id);
$_SESSION['alert_message'] = "$row_count Location(s) imported, $duplicate_count duplicate(s) detected and not imported";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//Check for any errors, if there are notify user and redirect
if($error) {
$_SESSION['alert_type'] = "warning";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if(isset($_GET['download_locations_csv_template'])){
$delimiter = ",";
$filename = "Locations-Template.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Address', 'City', 'State', 'Postal Code', 'Phone', 'Hours');
fputcsv($f, $fields, $delimiter);
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
exit;
}


@@ -1,20 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$country = sanitizeInput($_POST['country']);
$address = sanitizeInput($_POST['address']);
$city = sanitizeInput($_POST['city']);
$state = sanitizeInput($_POST['state']);
$zip = sanitizeInput($_POST['zip']);
$phone = preg_replace("/[^0-9]/", '',$_POST['phone']);
$phone_country_code = preg_replace("/[^0-9]/", '',$_POST['phone_country_code']);
$extension = preg_replace("/[^0-9]/", '',$_POST['extension']);
$fax = preg_replace("/[^0-9]/", '',$_POST['fax']);
$fax_country_code = preg_replace("/[^0-9]/", '',$_POST['fax_country_code']);
$hours = sanitizeInput($_POST['hours']);
$notes = sanitizeInput($_POST['notes']);
$contact = intval($_POST['contact'] ?? 0);
$location_primary = intval($_POST['location_primary'] ?? 0);


@@ -24,9 +24,9 @@ if (isset($_GET['logout'])) {
session_destroy();
if ($config_login_key_required == 1) {
header('Location: login.php?key=' . $config_login_key_secret);
header('Location: ../login.php?key=' . $config_login_key_secret);
} else {
header('Location: login.php');
header('Location: ../login.php');
}
}
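Review bot: Neither redirect in this hunk is followed by `exit`, so after `session_destroy()` (L2969) and the `Location` header the rest of post.php keeps running for this request unless the caller stops right after this block — the code following L2977 is outside the hunk, so this is inferred; adding `exit;` after each `header()` call removes the dependency on whatever comes next. The new targets are also directory-relative (`../login.php`), which resolves against the path the browser used to reach post.php; under a rewrite rule or an alternate mount point the `../` lands somewhere else, whereas a root-relative path (`/login.php`) or a URL built from a configured base URL (placeholder: `$base_url_setting`) is stable regardless of where the handler is requested from. Either of `header('Location: ../login.php?key=' . $config_login_key_secret); exit;` or a root-relative equivalent would close both gaps.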


@@ -1,203 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client networks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_network'])) {
enforceUserPermission('module_support', 2);
require_once 'post/user/network_model.php';
mysqli_query($mysqli,"INSERT INTO networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id, network_client_id = $client_id");
$network_id = mysqli_insert_id($mysqli);
// Logging
logAction("Network", "Create", "$session_name created network $name", $client_id, $network_id);
$_SESSION['alert_message'] = "Network <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_network'])) {
enforceUserPermission('module_support', 2);
$network_id = intval($_POST['network_id']);
require_once 'post/user/network_model.php';
mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network_description = '$description', network_vlan = $vlan, network = '$network', network_subnet = '$subnet', network_gateway = '$gateway', network_primary_dns = '$primary_dns', network_secondary_dns = '$secondary_dns', network_dhcp_range = '$dhcp_range', network_notes = '$notes', network_location_id = $location_id WHERE network_id = $network_id");
// Logging
logAction("Network", "Edit", "$session_name edited network $name", $client_id, $network_id);
$_SESSION['alert_message'] = "Network <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_network'])) {
enforceUserPermission('module_support', 2);
$network_id = intval($_GET['archive_network']);
// Get Network Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT network_name, network_client_id FROM networks WHERE network_id = $network_id");
$row = mysqli_fetch_array($sql);
$network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']);
mysqli_query($mysqli,"UPDATE networks SET network_archived_at = NOW() WHERE network_id = $network_id");
// Logging
logAction("Network", "Archive", "$session_name archived network $network_name", $client_id, $network_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Network <strong>$network_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_network'])) {
enforceUserPermission('module_support', 2);
$network_id = intval($_GET['unarchive_network']);
// Get Network Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT network_name, network_client_id FROM networks WHERE network_id = $network_id");
$row = mysqli_fetch_array($sql);
$network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']);
mysqli_query($mysqli,"UPDATE networks SET network_archived_at = NULL WHERE network_id = $network_id");
// logging
logAction("Network", "Unarchive", "$session_name restored contact $contact_name", $client_id, $network_id);
$_SESSION['alert_message'] = "Network <strong>$network_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_network'])) {
enforceUserPermission('module_support', 3);
$network_id = intval($_GET['delete_network']);
// Get Network Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT network_name, network_client_id FROM networks WHERE network_id = $network_id");
$row = mysqli_fetch_array($sql);
$network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']);
mysqli_query($mysqli,"DELETE FROM networks WHERE network_id = $network_id");
// Logging
logAction("Network", "Delete", "$session_name deleted network $network_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Network <strong>$network_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_networks'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['network_ids'])) {
// Get Selected Count
$count = count($_POST['network_ids']);
// Cycle through array and delete each network
foreach ($_POST['network_ids'] as $network_id) {
$network_id = intval($network_id);
// Get Network Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT network_name, network_client_id FROM networks WHERE network_id = $network_id");
$row = mysqli_fetch_array($sql);
$network_name = sanitizeInput($row['network_name']);
$client_id = intval($row['network_client_id']);
mysqli_query($mysqli, "DELETE FROM networks WHERE network_id = $network_id AND network_client_id = $client_id");
// Logging
logAction("Network", "Delete", "$session_name deleted network $network_name", $client_id);
}
// Logging
logAction("Network", "Bulk Delete", "$session_name deleted $count network(s)", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> network(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_networks_csv'])) {
enforceUserPermission('module_support', 2);
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "AND network_client_id = $client_id";
} else {
$client_query = '';
$client_id = 0;
}
$sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_archived_at IS NULL $client_query ORDER BY network_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = "Networks-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'vLAN', 'IP/Network', 'Subnet Mask', 'Gateway', 'Primary DNS', 'Secondary DNS', 'DHCP Range');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['network_name'], $row['network_description'], $row['network_vlan'], $row['network'], $row['network_subnet'], $row['network_gateway'], $row['network_primary_dns'], $row['network_secondary_dns'], $row['network_dhcp_range']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Network", "Export", "$session_name deleted $num_rows network(s) to a CSV file", $client_id);
exit;
}


@@ -1,15 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$vlan = intval($_POST['vlan']);
$network = sanitizeInput($_POST['network']);
$subnet = sanitizeInput($_POST['subnet']);
$gateway = sanitizeInput($_POST['gateway']);
$primary_dns = sanitizeInput($_POST['primary_dns']);
$secondary_dns = sanitizeInput($_POST['secondary_dns']);
$dhcp_range = sanitizeInput($_POST['dhcp_range']);
$notes = sanitizeInput($_POST['notes']);
$location_id = intval($_POST['location'] ?? 0);
$client_id = intval($_POST['client_id']);


@@ -1,309 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for products
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
// Products
if (isset($_POST['add_product'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/user/product_model.php';
mysqli_query($mysqli,"INSERT INTO products SET product_name = '$name', product_description = '$description', product_price = '$price', product_currency_code = '$session_company_currency', product_tax_id = $tax, product_category_id = $category");
$product_id = mysqli_insert_id($mysqli);
// Logging
logAction("Product", "Create", "$session_name created product $name", 0, $product_id);
$_SESSION['alert_message'] = "Product <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_product'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/user/product_model.php';
$product_id = intval($_POST['product_id']);
mysqli_query($mysqli,"UPDATE products SET product_name = '$name', product_description = '$description', product_price = '$price', product_tax_id = $tax, product_category_id = $category WHERE product_id = $product_id");
// Logging
logAction("Product", "Edit", "$session_name edited product $name", 0, $product_id);
$_SESSION['alert_message'] = "Product <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_product'])) {
enforceUserPermission('module_sales', 2);
$product_id = intval($_GET['archive_product']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NOW() WHERE product_id = $product_id");
// Logging
logAction("Product", "Archive", "$session_name archived product $product_name", 0, $product_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Product <strong>$product_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_product'])) {
enforceUserPermission('module_sales', 2);
$product_id = intval($_GET['unarchive_product']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id");
// Logging
logAction("Product", "Unarchive", "$session_name unarchived product $product_name", 0, $product_id);
$_SESSION['alert_message'] = "Product <strong>$product_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_product'])) {
enforceUserPermission('module_sales', 3);
$product_id = intval($_GET['delete_product']);
//Get Product Name
$sql = mysqli_query($mysqli,"SELECT * FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"DELETE FROM products WHERE product_id = $product_id");
// Logging
logAction("Product", "Delete", "$session_name deleted product $product_name");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Product <strong>$product_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_edit_product_category'])) {
enforceUserPermission('module_sales', 2);
$category_id = intval($_POST['bulk_category_id']);
// Get Category name for logging and Notification
$sql = mysqli_query($mysqli,"SELECT category_name FROM categories WHERE category_id = $category_id");
$row = mysqli_fetch_array($sql);
$category_name = sanitizeInput($row['category_name']);
// Assign category to Selected Products
if (isset($_POST['product_ids'])) {
// Get Count
$count = count($_POST['product_ids']);
foreach($_POST['product_ids'] as $product_id) {
$product_id = intval($product_id);
// Get Product Details for Logging
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_category_id = $category_id WHERE product_id = $product_id");
//Logging
logAction("Product", "Edit", "$session_name assigned product $product_name to category $category_name", 0, $product_id);
} // End Assign Product Loop
//Logging
logAction("Product", "Edit", "$session_name assigned category $category_name to $count product(s)");
$_SESSION['alert_message'] = "Assigned category <strong>$category_name</strong> to <strong>$count</strong> product(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_products'])) {
enforceUserPermission('module_sales', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['product_ids'])) {
$count = count($_POST['product_ids']);
// Cycle through array and archive each record
foreach ($_POST['product_ids'] as $product_id) {
$product_id = intval($product_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NOW() WHERE product_id = $product_id");
// Individual Contact logging
logAction("Product", "Archive", "$session_name archived product $product_name", 0, $product_id);
}
// Bulk Logging
logAction("Product", "Bulk Archive", "$session_name archived $count product(s)");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived <strong>$count</strong> product(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_products'])) {
enforceUserPermission('module_sales', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['product_ids'])) {
$count = count($_POST['product_ids']);
// Cycle through array and unarchive each record
foreach ($_POST['product_ids'] as $product_id) {
$product_id = intval($product_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id");
// Individual logging
logAction("Product", "Unarchive", "$session_name unarchived product $product_name", 0, $product_id);
}
// Bulk Logging
logAction("Product", "Bulk Unarchive", "$session_name unarchived $count product(s)");
$_SESSION['alert_message'] = "Unarchived <strong>$count</strong> product(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_products'])) {
enforceUserPermission('module_sales', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['product_ids'])) {
$count = count($_POST['product_ids']);
// Cycle through array and delete each record
foreach ($_POST['product_ids'] as $product_id) {
$product_id = intval($product_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT product_name FROM products WHERE product_id = $product_id");
$row = mysqli_fetch_array($sql);
$product_name = sanitizeInput($row['product_name']);
mysqli_query($mysqli, "DELETE FROM products WHERE product_id = $product_id");
// Individual logging
logAction("Product", "Delete", "$session_name deleted product $product_name");
}
// Bulk logging
logAction("Product", "Bulk Delete", "$session_name deleted $count product(s)");
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> product(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
if (isset($_POST['export_products_csv'])) {
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM products
LEFT JOIN categories ON product_category_id = category_id
LEFT JOIN taxes ON product_tax_id = tax_id
WHERE product_archived_at IS NULL
ORDER BY product_name DESC
");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = "$session_company_name-Products.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Product', 'Description', 'Price', 'Currency', 'Category', 'Tax');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)) {
$lineData = array($row['product_name'], $row['product_description'], $row['product_price'], $row['product_currency_code'], $row['category_name'], $row['tax_name']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
logAction("Product", "Export", "$session_name exported $num_rows product(s) to a CSV file");
exit;
}


@@ -1,8 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$price = floatval($_POST['price']);
$category = intval($_POST['category']);
$tax = intval($_POST['tax']);


@@ -1,331 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for user profiles (tech/agent)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['edit_your_user_details'])) {
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$email = sanitizeInput($_POST['email']);
$signature = sanitizeInput($_POST['signature']);
$sql = mysqli_query($mysqli,"SELECT user_avatar FROM users WHERE user_id = $session_user_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['user_avatar']);
$logout = false;
$extended_log_description = '';
// Email notification when password or email is changed
$user_old_email_sql = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT user_email FROM users WHERE user_id = $session_user_id"));
$user_old_email = sanitizeInput($user_old_email_sql['user_email']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_app_name = sanitizeInput($config_app_name);
if (!empty($config_smtp_host) && ($user_old_email !== $email)) {
$details = "Your email address was changed. New email: $email.";
$subject = "$config_app_name account update confirmation for $name";
$body = "Hi $name, <br><br>Your $config_app_name account has been updated, details below: <br><br> <b>$details</b> <br><br> If you did not perform this change, contact your $config_app_name administrator immediately. <br><br>Thanks, <br>ITFlow<br>$session_company_name";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $user_old_email,
'recipient_name' => $name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($data);
}
// Photo
if (isset($_FILES['avatar']['tmp_name'])) {
if ($new_file_name = checkFileUpload($_FILES['avatar'], array('jpg', 'jpeg', 'gif', 'png', 'webp'))) {
$file_tmp_path = $_FILES['avatar']['tmp_name'];
// directory in which the uploaded file will be moved
$upload_file_dir = "uploads/users/$session_user_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
// Delete old file
unlink("uploads/users/$session_user_id/$existing_file_name");
// Set Avatar
mysqli_query($mysqli,"UPDATE users SET user_avatar = '$new_file_name' WHERE user_id = $session_user_id");
// Extended Logging
$extended_log_description .= ", avatar updated";
}
}
mysqli_query($mysqli,"UPDATE users SET user_name = '$name', user_email = '$email' WHERE user_id = $session_user_id");
mysqli_query($mysqli,"UPDATE user_settings SET user_config_signature = '$signature' WHERE user_id = $session_user_id");
//Logging
logAction("User Account", "Edit", "$session_name edited their account $extended_log_description");
$_SESSION['alert_message'] = "User details updated";
if ($logout) {
header('Location: post.php?logout');
}
else{
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_GET['clear_your_user_avatar'])) {
validateCSRFToken($_GET['csrf_token']);
mysqli_query($mysqli,"UPDATE users SET user_avatar = NULL WHERE user_id = $session_user_id");
logAction("User Account", "Edit", "$session_name cleared their avatar");
$_SESSION['alert_message'] = "Avatar cleared";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_your_user_password'])) {
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
$new_password = trim($_POST['new_password']);
if (empty($new_password)) {
header('Location: user_security.php');
exit;
}
// Email notification when password or email is changed
$user_sql = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT user_name, user_email FROM users WHERE user_id = $session_user_id"));
$name = sanitizeInput($user_sql['user_name']);
$user_email = sanitizeInput($user_sql['user_email']);
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_app_name = sanitizeInput($config_app_name);
if (!empty($config_smtp_host)){
$details = "Your password was changed.";
$subject = "$config_app_name account update confirmation for $name";
$body = "Hi $name, <br><br>Your $config_app_name account has been updated, details below: <br><br> <b>$details</b> <br><br> If you did not perform this change, contact your $config_app_name administrator immediately. <br><br>Thanks, <br>$config_app_name";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $user_email,
'recipient_name' => $name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($data);
}
$new_password = password_hash($new_password, PASSWORD_DEFAULT);
$user_specific_encryption_ciphertext = encryptUserSpecificKey($_POST['new_password']);
mysqli_query($mysqli,"UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $session_user_id");
// Logging
logAction("User Account", "Edit", "$session_name changed their password");
$_SESSION['alert_message'] = "Your password was updated";
header('Location: post.php?logout');
}
if (isset($_POST['edit_your_user_preferences'])) {
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
$calendar_first_day = intval($_POST['calendar_first_day']);
// Calendar
if (isset($calendar_first_day)) {
mysqli_query($mysqli, "UPDATE user_settings SET user_config_calendar_first_day = $calendar_first_day WHERE user_id = $session_user_id");
}
// Enable extension access, only if it isn't already setup (user doesn't have cookie)
if (isset($_POST['extension']) && $_POST['extension'] == 'Yes') {
if (!isset($_COOKIE['user_extension_key'])) {
$extension_key = randomString(156);
mysqli_query($mysqli, "UPDATE users SET user_extension_key = '$extension_key' WHERE user_id = $session_user_id");
$extended_log_description .= "enabled browser extension access";
$logout = true;
}
}
// Disable extension access
if (!isset($_POST['extension'])) {
mysqli_query($mysqli, "UPDATE users SET user_extension_key = '' WHERE user_id = $session_user_id");
$extended_log_description .= "disabled browser extension access";
}
// Logging
logAction("User Account", "Edit", "$session_name $extended_log_description");
$_SESSION['alert_message'] = "User preferences updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['enable_mfa'])) {
validateCSRFToken($_POST['csrf_token']);
require_once "plugins/totp/totp.php";
// Grab the code from the user
$verify_code = trim($_POST['verify_code']);
// Ensure it's numeric
if (!ctype_digit($verify_code)) {
$verify_code = '';
}
// Grab the secret from the session
$token = $_SESSION['mfa_token'] ?? '';
// Verify
if (TokenAuth6238::verify($token, $verify_code)) {
// SUCCESS
mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
// Delete any existing MFA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
// Logging
logAction("User Account", "Edit", "$session_name enabled MFA on their account");
$_SESSION['alert_message'] = "Multi-Factor authentication enabled";
// Clear the mfa_token from the session to avoid re-use.
unset($_SESSION['mfa_token']);
// Check if the previous page is mfa_enforcement.php
if (isset($_SERVER['HTTP_REFERER'])) {
$previousPage = basename(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH));
if ($previousPage === 'mfa_enforcement.php') {
// Redirect back to mfa_enforcement.php
header("Location: $config_start_page");
exit;
}
}
} else {
// FAILURE
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Verification code invalid, please try again.";
// Set a flag to automatically open the MFA modal again
$_SESSION['show_mfa_modal'] = true;
// Check if the previous page is mfa_enforcement.php
if (isset($_SERVER['HTTP_REFERER'])) {
$previousPage = basename(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH));
if ($previousPage === 'mfa_enforcement.php') {
// Redirect back to mfa_enforcement.php
header("Location: " . $_SERVER['HTTP_REFERER']);
exit;
}
}
}
header("Location: user_security.php");
exit;
}
if (isset($_GET['disable_mfa'])){
if ($session_user_config_force_mfa) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Multi-Factor authentication cannot be disabled for your account";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
// CSRF Check
validateCSRFToken($_GET['csrf_token']);
mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
// Delete any existing MFA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
$config_app_name = sanitizeInput($config_app_name);
// Email notification
if (!empty($config_smtp_host)) {
$subject = "$config_app_name account update confirmation for $session_name";
$body = "Hi $session_name, <br><br>Your $config_app_name account has been updated, details below: <br><br> <b>2FA was disabled.</b> <br><br> If you did not perform this change, contact your $config_app_name administrator immediately. <br><br>Thanks, <br>ITFlow<br>$session_company_name";
$data = [
[
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $session_email,
'recipient_name' => $session_name,
'subject' => $subject,
'body' => $body
]
];
$mail = addToMailQueue($data);
}
// Logging
logAction("User Account", "Edit", "$session_name disabled MFA on their account");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Multi-Factor authentication disabled";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['revoke_your_2fa_remember_tokens'])) {
// CSRF
validateCSRFToken($_POST['csrf_token']);
// Delete tokens
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
//Logging
logAction("User Account", "Edit", "$session_name revoked all their remember-me tokens");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Remember me tokens revoked";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,271 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for tasks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_project'])) {
enforceUserPermission('module_support', 2);
$project_name = sanitizeInput($_POST['name']);
$project_description = sanitizeInput($_POST['description']);
$due_date = sanitizeInput($_POST['due_date']);
$project_manager = intval($_POST['project_manager']);
$client_id = intval($_POST['client_id']);
$project_template_id = intval($_POST['project_template_id']);
// Sanitize Project Prefix
$config_project_prefix = sanitizeInput($config_project_prefix);
// Get the next Project Number and add 1 for the new Project number
$project_number = $config_project_next_number;
$new_config_project_next_number = $config_project_next_number + 1;
mysqli_query($mysqli, "UPDATE settings SET config_project_next_number = $new_config_project_next_number WHERE company_id = 1");
mysqli_query($mysqli, "INSERT INTO projects SET project_prefix = '$config_project_prefix', project_number = $project_number, project_name = '$project_name', project_description = '$project_description', project_due = '$due_date', project_manager = $project_manager, project_client_id = $client_id");
$project_id = mysqli_insert_id($mysqli);
// If project template is selected add Ticket Templates and convert them to real tickets
if($project_template_id) {
// Get Associated Ticket Templates
$sql_ticket_templates = mysqli_query($mysqli, "SELECT * FROM ticket_templates, project_template_ticket_templates
WHERE ticket_templates.ticket_template_id = project_template_ticket_templates.ticket_template_id
AND project_template_ticket_templates.project_template_id = $project_template_id");
$ticket_template_count = mysqli_num_rows($sql_ticket_templates);
while ($row = mysqli_fetch_array($sql_ticket_templates)) {
$ticket_template_id = intval($row['ticket_template_id']);
$ticket_template_order = intval($row['ticket_template_order']);
$ticket_template_subject = sanitizeInput($row['ticket_template_subject']);
$ticket_template_details = mysqli_escape_string($mysqli, $row['ticket_template_details']);
// Get the next Ticket Number and add 1 for the new ticket number
$ticket_number = $config_ticket_next_number;
$new_config_ticket_next_number = $config_ticket_next_number + 1;
mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = 1");
mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$ticket_template_subject', ticket_details = '$ticket_template_details', ticket_priority = 'Low', ticket_status = 1, ticket_created_by = $session_user_id, ticket_client_id = $client_id, ticket_project_id = $project_id");
$config_ticket_next_number = $config_ticket_next_number + 1;
$ticket_id = mysqli_insert_id($mysqli);
// Task Templates for Ticket template and add the to the ticket
$sql_task_templates = mysqli_query($mysqli,
"SELECT * FROM task_templates WHERE task_template_ticket_template_id = $ticket_template_id");
$task_template_count = mysqli_num_rows($sql_task_templates);
while ($row = mysqli_fetch_array($sql_task_templates)) {
$task_template_id = intval($row['task_template_id']);
$task_template_order = intval($row['task_template_order']);
$task_template_name = sanitizeInput($row['task_template_name']);
mysqli_query($mysqli,"INSERT INTO tasks SET task_name = '$task_template_name', task_order = $task_template_order, task_ticket_id = $ticket_id");
} // End task Loop
} // End Ticket Loop
} // End If Project Template
// Logging
logAction("Project", "Create", "$session_name created project $project_name", $client_id, $project_id);
$_SESSION['alert_message'] = "You created Project <strong>$project_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_project'])) {
enforceUserPermission('module_support', 2);
$project_id = intval($_POST['project_id']);
$project_name = sanitizeInput($_POST['name']);
$project_description = sanitizeInput($_POST['description']);
$due_date = sanitizeInput($_POST['due_date']);
$project_manager = intval($_POST['project_manager']);
$client_id = intval($_POST['client_id']);
mysqli_query($mysqli, "UPDATE projects SET project_name = '$project_name', project_description = '$project_description', project_due = '$due_date', project_manager = $project_manager, project_client_id = $client_id WHERE project_id = $project_id");
// Logging
logAction("Project", "Edit", "$session_name edited project $project_name", $client_id, $project_id);
$_SESSION['alert_message'] = "Project <strong>$project_name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['close_project'])) {
enforceUserPermission('module_support', 2);
$project_id = intval($_GET['close_project']);
// Get Project Name and Client ID for logging
$sql = mysqli_query($mysqli, "SELECT project_name, project_client_id FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$project_name = sanitizeInput($row['project_name']);
$client_id = intval($row['project_client_id']);
mysqli_query($mysqli, "UPDATE projects SET project_completed_at = NOW() WHERE project_id = $project_id");
// Logging
logAction("Project", "Close", "$session_name closed project $project_name", $client_id, $project_id);
$_SESSION['alert_message'] = "Project <strong>$project_name</strong> closed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_project'])) {
enforceUserPermission('module_support', 2);
$project_id = intval($_GET['archive_project']);
// Get Project Name and Client ID for logging
$sql = mysqli_query($mysqli, "SELECT project_name, project_client_id FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$project_name = sanitizeInput($row['project_name']);
$client_id = intval($row['project_client_id']);
mysqli_query($mysqli, "UPDATE projects SET project_archived_at = NOW() WHERE project_id = $project_id");
// Logging
logAction("Project", "Archive", "$session_name archived project $project_name", $client_id, $project_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Project <strong>$project_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_project'])) {
enforceUserPermission('module_support', 2);
$project_id = intval($_GET['unarchive_project']);
// Get Project Name and Client ID for logging
$sql = mysqli_query($mysqli, "SELECT project_name, project_client_id FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$project_name = sanitizeInput($row['project_name']);
$client_id = sanitizeInput($row['project_client_id']);
mysqli_query($mysqli, "UPDATE projects SET project_archived_at = NULL WHERE project_id = $project_id");
// Logging
logAction("Project", "Unarchive", "$session_name unarchived project $project_name", $client_id, $project_id);
$_SESSION['alert_message'] = "Project <strong>$project_name</strong> unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_project'])) {
enforceUserPermission('module_support', 3);
// CSRF Check
validateCSRFToken($_GET['csrf_token']);
$project_id = intval($_GET['delete_project']);
// Get Project Name and Client ID for logging
$sql = mysqli_query($mysqli, "SELECT project_name, project_client_id FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$project_name = sanitizeInput($row['project_name']);
$client_id = intval($row['project_client_id']);
mysqli_query($mysqli, "DELETE FROM projects WHERE project_id = $project_id");
// Logging
logAction("Project", "Delete", "$session_name deleted project $project_name", $client_id, $project_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Project <strong>$project_name</strong> Deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_ticket_to_project'])) {
enforceUserPermission('module_support', 2);
$project_id = intval($_POST['project_id']);
// Get Project Name and Client ID for logging
$sql = mysqli_query($mysqli, "SELECT project_client_id, project_name FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['project_client_id']);
$project_name = sanitizeInput($row['project_name']);
// Add Tickets
if (isset($_POST['tickets'])) {
// Get Selected Count
$count = count($_POST['tickets']);
foreach ($_POST['tickets'] as $ticket) {
$ticket_id = intval($ticket);
// Get Ticket Info
$sql = mysqli_query($mysqli, "SELECT ticket_prefix, ticket_number, ticket_subject FROM tickets WHERE ticket_id = $ticket_id");
$row = mysqli_fetch_array($sql);
$ticket_prefix = sanitizeInput($row['ticket_prefix']);
$ticket_number = intval($row['ticket_number']);
$ticket_subject = sanitizeInput($row['ticket_subject']);
mysqli_query($mysqli, "UPDATE tickets SET ticket_project_id = $project_id WHERE ticket_id = $ticket_id");
// Logging
logAction("Project", "Edit", "$session_name added ticket $ticket_prefix$ticket_number - $ticket_subject to project $project_name", $client_id, $project_id);
}
// Bulk Logging
logAction("Project", "Bulk Edit", "$session_name added $count ticket(s) to project $project_name", $client_id, $project_id);
$_SESSION['alert_message'] = "<strong>$count</strong> Ticket(s) added to <strong>$project_name</strong>";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['link_closed_ticket_to_project'])) {
enforceUserPermission('module_support', 2);
$project_id = intval($_POST['project_id']);
$ticket_number = intval($_POST['ticket_number']);
// Get Project Name and Client ID for logging
$sql = mysqli_query($mysqli, "SELECT project_client_id, project_name FROM projects WHERE project_id = $project_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['project_client_id']);
$project_name = sanitizeInput($row['project_name']);
// Get ticket details
$sql = mysqli_query($mysqli, "SELECT ticket_id, ticket_prefix, ticket_number, ticket_subject, ticket_updated_at FROM tickets WHERE ticket_number = $ticket_number");
if (mysqli_num_rows($sql) == 0) {
$_SESSION['alert_message'] = "Cannot merge into that ticket.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
$row = mysqli_fetch_array($sql);
$ticket_id = intval($row['ticket_id']);
$ticket_prefix = sanitizeInput($row['ticket_prefix']);
$ticket_number = intval($row['ticket_number']);
$ticket_subject = sanitizeInput($row['ticket_subject']);
$ticket_updated = sanitizeInput($row['ticket_updated_at']); // So we don't mess with the last response
mysqli_query($mysqli, "UPDATE tickets SET ticket_project_id = $project_id, ticket_updated_at = '$ticket_updated' WHERE ticket_id = $ticket_id");
// Logging
logAction("Project", "Edit", "$session_name added ticket $ticket_prefix$ticket_number - $ticket_subject to project $project_name", $client_id, $project_id);
$_SESSION['alert_message'] = "Ticket added to <strong>$project_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,810 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for quotes
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_quote'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/user/quote_model.php';
$client_id = intval($_POST['client']);
//Get the last Quote Number and add 1 for the new Quote number
$quote_number = $config_quote_next_number;
$new_config_quote_next_number = $config_quote_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_quote_next_number = $new_config_quote_next_number WHERE company_id = 1");
//Generate a unique URL key for clients to access
$quote_url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$scope', quote_date = '$date', quote_expire = '$expire', quote_currency_code = '$session_company_currency', quote_category_id = $category, quote_status = 'Draft', quote_url_key = '$quote_url_key', quote_client_id = $client_id");
$quote_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Draft', history_description = 'Quote created!', history_quote_id = $quote_id");
// Logging
logAction("Quote", "Create", "$session_name created quote $config_quote_prefix$quote_number", $client_id, $quote_id);
customAction('quote_create', $quote_id);
$_SESSION['alert_message'] = "Quote <strong>$config_quote_prefix$quote_number</strong> created";
header("Location: quote.php?quote_id=$quote_id");
}
if (isset($_POST['add_quote_copy'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$client_id = intval($_POST['client']);
$date = sanitizeInput($_POST['date']);
$expire = sanitizeInput($_POST['expire']);
$config_quote_prefix = sanitizeInput($config_quote_prefix);
//Get the last Invoice Number and add 1 for the new invoice number
$quote_number = $config_quote_next_number;
$new_config_quote_next_number = $config_quote_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_quote_next_number = $new_config_quote_next_number WHERE company_id = 1");
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$original_quote_prefix = sanitizeInput($row['quote_prefix']);
$original_quote_number = sanitizeInput($row['quote_number']);
$quote_discount_amount = floatval($row['quote_discount_amount']);
$quote_amount = floatval($row['quote_amount']);
$quote_currency_code = sanitizeInput($row['quote_currency_code']);
$quote_scope = sanitizeInput($row['quote_scope']);
$quote_note = sanitizeInput($row['quote_note']);
$category_id = intval($row['quote_category_id']);
//Generate a unique URL key for clients to access
$quote_url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$quote_scope', quote_date = '$date', quote_expire = '$expire', quote_category_id = $category_id, quote_status = 'Draft', quote_discount_amount = $quote_discount_amount, quote_amount = $quote_amount, quote_currency_code = '$quote_currency_code', quote_note = '$quote_note', quote_url_key = '$quote_url_key', quote_client_id = $client_id");
$new_quote_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Draft', history_description = 'Quote copied!', history_quote_id = $new_quote_id");
$sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql_items)) {
$item_id = intval($row['item_id']);
$item_name = sanitizeInput($row['item_name']);
$item_description = sanitizeInput($row['item_description']);
$item_quantity = floatval($row['item_quantity']);
$item_price = floatval($row['item_price']);
$item_subtotal = floatval($row['item_subtotal']);
$item_tax = floatval($row['item_tax']);
$item_total = floatval($row['item_total']);
$item_order = intval($row['item_order']);
$tax_id = intval($row['item_tax_id']);
mysqli_query($mysqli,"INSERT INTO invoice_items SET item_name = '$item_name', item_description = '$item_description', item_quantity = $item_quantity, item_price = $item_price, item_subtotal = $item_subtotal, item_tax = $item_tax, item_total = $item_total, item_order = $item_order, item_tax_id = $tax_id, item_quote_id = $new_quote_id");
}
// Logging
logAction("Quote", "Create", "$session_name created quote $config_quote_prefix$quote_number from quote $original_quote_prefix$original_quote_number", $client_id, $new_quote_id);
customAction('quote_create', $new_quote_id);
$_SESSION['alert_message'] = "Quote copied";
header("Location: quote.php?quote_id=$new_quote_id");
}
if (isset($_POST['add_quote_to_invoice'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$date = sanitizeInput($_POST['date']);
$client_net_terms = intval($_POST['client_net_terms']);
$config_invoice_prefix = sanitizeInput($config_invoice_prefix);
$invoice_number = $config_invoice_next_number;
$new_config_invoice_next_number = $config_invoice_next_number + 1;
mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = 1");
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$quote_discount_amount = floatval($row['quote_discount_amount']);
$quote_amount = floatval($row['quote_amount']);
$quote_currency_code = sanitizeInput($row['quote_currency_code']);
$quote_scope = sanitizeInput($row['quote_scope']);
$quote_note = sanitizeInput($row['quote_note']);
$client_id = intval($row['quote_client_id']);
$category_id = intval($row['quote_category_id']);
//Generate a unique URL key for clients to access
$url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$quote_scope', invoice_date = '$date', invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_category_id = $category_id, invoice_status = 'Draft', invoice_discount_amount = $quote_discount_amount, invoice_amount = $quote_amount, invoice_currency_code = '$quote_currency_code', invoice_note = '$quote_note', invoice_url_key = '$url_key', invoice_client_id = $client_id");
$new_invoice_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Draft', history_description = 'Invoice created from quote $quote_prefix$quote_number', history_invoice_id = $new_invoice_id");
$sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql_items)) {
$item_id = intval($row['item_id']);
$item_name = sanitizeInput($row['item_name']);
$item_description = sanitizeInput($row['item_description']);
$item_quantity = floatval($row['item_quantity']);
$item_price = floatval($row['item_price']);
$item_subtotal = floatval($row['item_subtotal']);
$item_tax = floatval($row['item_tax']);
$item_total = floatval($row['item_total']);
$item_order = intval($row['item_order']);
$tax_id = intval($row['item_tax_id']);
mysqli_query($mysqli,"INSERT INTO invoice_items SET item_name = '$item_name', item_description = '$item_description', item_quantity = $item_quantity, item_price = $item_price, item_subtotal = $item_subtotal, item_tax = $item_tax, item_total = $item_total, item_order = $item_order, item_tax_id = $tax_id, item_invoice_id = $new_invoice_id");
}
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Invoiced' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Invoiced', history_description = 'Quote invoiced as $config_invoice_prefix$invoice_number', history_quote_id = $quote_id");
// Logging
logAction("Invoice", "Create", "$session_name created invoice $config_invoice_prefix$invoice_number from quote $config_quote_prefix$quote_number", $client_id, $new_invoice_id);
customAction('invoice_create', $new_invoice_id);
$_SESSION['alert_message'] = "Invoice created from quote <strong>$quote_prefix$quote_number</strong>";
header("Location: invoice.php?invoice_id=$new_invoice_id");
}
if (isset($_POST['add_quote_item'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$qty = floatval($_POST['qty']);
$price = floatval($_POST['price']);
$tax_id = intval($_POST['tax_id']);
$item_order = intval($_POST['item_order']);
$subtotal = $price * $qty;
if ($tax_id > 0) {
$sql = mysqli_query($mysqli,"SELECT * FROM taxes WHERE tax_id = $tax_id");
$row = mysqli_fetch_array($sql);
$tax_percent = floatval($row['tax_percent']);
$tax_amount = $subtotal * $tax_percent / 100;
}else{
$tax_amount = 0;
}
$total = $subtotal + $tax_amount;
mysqli_query($mysqli,"INSERT INTO invoice_items SET item_name = '$name', item_description = '$description', item_quantity = $qty, item_price = $price, item_subtotal = $subtotal, item_tax = $tax_amount, item_total = $total, item_tax_id = $tax_id, item_order = $item_order, item_quote_id = $quote_id");
// Get Quote Details
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$quote_discount_amount = floatval($row['quote_discount_amount']);
$client_id = intval($row['quote_client_id']);
//add up the total of all items
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
$quote_amount = 0;
while($row = mysqli_fetch_array($sql)) {
$item_total = floatval($row['item_total']);
$quote_amount = $quote_amount + $item_total;
}
$new_quote_amount = $quote_amount - $quote_discount_amount;
mysqli_query($mysqli,"UPDATE quotes SET quote_amount = $new_quote_amount WHERE quote_id = $quote_id");
// Logging
logAction("Quote", "Edit", "$session_name added item $name to quote $quote_prefix$quote_number", $client_id, $quote_id);
$_SESSION['alert_message'] = "Item <strong>$name</strong> added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['quote_note'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_POST['quote_id']);
$note = sanitizeInput($_POST['note']);
// Get Quote Details
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
mysqli_query($mysqli,"UPDATE quotes SET quote_note = '$note' WHERE quote_id = $quote_id");
// Logging
logAction("Quote", "Edit", "$session_name added notes to quote $quote_prefix$quote_number", $client_id, $quote_id);
$_SESSION['alert_message'] = "Notes added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_quote'])) {
enforceUserPermission('module_sales', 2);
require_once 'post/user/quote_model.php';
$quote_id = intval($_POST['quote_id']);
// Get Quote Details for logging
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
//Calculate the new quote amount
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
$quote_amount = 0;
while($row = mysqli_fetch_array($sql)) {
$item_total = floatval($row['item_total']);
$quote_amount = $quote_amount + $item_total;
}
$quote_amount = $quote_amount - $quote_discount;
mysqli_query($mysqli,"UPDATE quotes SET quote_scope = '$scope', quote_date = '$date', quote_expire = '$expire', quote_discount_amount = '$quote_discount', quote_amount = '$quote_amount', quote_category_id = $category WHERE quote_id = $quote_id");
// Logging
logAction("Quote", "Edit", "$session_name edited quote $quote_prefix$quote_number", $client_id, $quote_id);
$_SESSION['alert_message'] = "Quote edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_quote'])) {
enforceUserPermission('module_sales', 3);
$quote_id = intval($_GET['delete_quote']);
// Get Quote Details for logging
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
mysqli_query($mysqli,"DELETE FROM quotes WHERE quote_id = $quote_id");
//Delete Items Associated with the Quote
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql)) {;
$item_id = intval($row['item_id']);
mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id");
}
//Delete History Associated with the Quote
$sql = mysqli_query($mysqli,"SELECT * FROM history WHERE history_quote_id = $quote_id");
while($row = mysqli_fetch_array($sql)) {;
$history_id = intval($row['history_id']);
mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id");
}
// Logging
logAction("Quote", "Delete", "$session_name deleted quote $quote_prefix$quote_number", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Quote <strong>$quote_prefix$quote_number</strong> deleted";
if (isset($_GET['client_id'])) {
$client_id = intval($_GET['client_id']);
header("Location: client_quotes.php?client_id=$client_id");
} else {
header("Location: quotes.php");
}
}
if (isset($_GET['delete_quote_item'])) {
enforceUserPermission('module_sales', 2);
$item_id = intval($_GET['delete_quote_item']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
$row = mysqli_fetch_array($sql);
$item_name = sanitizeInput($row['item_name']);
$quote_id = intval($row['item_quote_id']);
$item_subtotal = floatval($row['item_subtotal']);
$item_tax = floatval($row['item_tax']);
$item_total = floatval($row['item_total']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
$new_quote_amount = floatval($row['quote_amount']) - $item_total;
mysqli_query($mysqli,"UPDATE quotes SET quote_amount = $new_quote_amount WHERE quote_id = $quote_id");
mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id");
// Logging
logAction("Quote", "Edit", "$session_name removed item $item_name from $quote_prefix$quote_number", $client_id, $quote_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Item <strong>$item_name</strong> removed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['mark_quote_sent'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['mark_quote_sent']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Sent' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Quote marked sent', history_quote_id = $quote_id");
// Logging
logAction("Quote", "Sent", "$session_name marked quote $quote_prefix$quote_number as sent", $client_id, $quote_id);
$_SESSION['alert_message'] = "Quote marked sent";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['accept_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['accept_quote']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Accepted' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Accepted', history_description = 'Quote accepted by $session_name', history_quote_id = $quote_id");
// Logging
logAction("Quote", "Edit", "$session_name marked quote $quote_prefix$quote_number as accepted", $client_id, $quote_id);
customAction('quote_accept', $quote_id);
$_SESSION['alert_message'] = "Quote accepted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['decline_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['decline_quote']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Declined' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Cancelled', history_description = 'Quote declined by $session_name', history_quote_id = $quote_id");
customAction('quote_decline', $quote_id);
// Logging
logAction("Quote", "Edit", "$session_name marked quote $quote_prefix$quote_number as declined", $client_id, $quote_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Quote declined";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['email_quote'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['email_quote']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes
LEFT JOIN clients ON quote_client_id = client_id
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
WHERE quote_id = $quote_id"
);
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = intval($row['quote_number']);
$quote_scope = sanitizeInput($row['quote_scope']);
$quote_status = sanitizeInput($row['quote_status']);
$quote_date = sanitizeInput($row['quote_date']);
$quote_expire = sanitizeInput($row['quote_expire']);
$quote_amount = floatval($row['quote_amount']);
$quote_url_key = sanitizeInput($row['quote_url_key']);
$quote_currency_code = sanitizeInput($row['quote_currency_code']);
$client_id = intval($row['client_id']);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = sanitizeInput($row['company_name']);
$company_country = sanitizeInput($row['company_country']);
$company_address = sanitizeInput($row['company_address']);
$company_city = sanitizeInput($row['company_city']);
$company_state = sanitizeInput($row['company_state']);
$company_zip = sanitizeInput($row['company_zip']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone'], $row['company_phone_country_code']));
$company_email = sanitizeInput($row['company_email']);
$company_website = sanitizeInput($row['company_website']);
$company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config vars from get_settings.php
$config_quote_from_name = sanitizeInput($config_quote_from_name);
$config_quote_from_email = sanitizeInput($config_quote_from_email);
$config_base_url = sanitizeInput($config_base_url);
$subject = "Quote [$quote_scope]";
$body = "Hello $contact_name,<br><br>Thank you for your inquiry, we are pleased to provide you with the following estimate.<br><br><br>$quote_scope<br>Total Cost: " . numfmt_format_currency($currency_format, $quote_amount, $quote_currency_code) . "<br><br><br>View and accept your estimate online <a href=\'https://$config_base_url/guest/guest_view_quote.php?quote_id=$quote_id&url_key=$quote_url_key\'>here</a><br><br><br>--<br>$company_name - Sales<br>$config_quote_from_email<br>$company_phone";
// Queue Mail
$data = [
[
'from' => $config_quote_from_email,
'from_name' => $config_quote_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body,
]
];
addToMailQueue($data);
// Update History
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Emailed Quote', history_quote_id = $quote_id");
// Logging
logAction("Quote", "Email", "$session_name emailed quote $quote_prefix$quote_number to $contact_email", $client_id, $quote_id);
$_SESSION['alert_message'] = "Quote has been queued successfully! <a class='text-bold text-light' href='admin_mail_queue.php'>See Mail Queue</a>";
//Don't change the status to sent if the status is anything but draft
if ($quote_status == 'Draft') {
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Sent' WHERE quote_id = $quote_id");
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['mark_quote_invoiced'])) {
enforceUserPermission('module_sales', 2);
$quote_id = intval($_GET['mark_quote_invoiced']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id");
$row = mysqli_fetch_array($sql);
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = sanitizeInput($row['quote_number']);
$client_id = intval($row['quote_client_id']);
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Invoiced' WHERE quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Invoiced', history_description = 'Quote marked as invoiced', history_quote_id = $quote_id");
// Logging
logAction("Quote", "Sent", "$session_name marked quote $quote_prefix$quote_number as invoiced", $client_id, $quote_id);
$_SESSION['alert_message'] = "Quote marked invoiced";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_POST['export_quotes_csv'])){
enforceUserPermission('module_sales');
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_client_id = $client_id ORDER BY quote_number ASC");
$num_rows = mysqli_num_rows($sql);
if($num_rows > 0){
$delimiter = ",";
$filename = $client_name . "-Quotes-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Quote Number', 'Scope', 'Amount', 'Date', 'Status');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()){
$lineData = array($row['quote_prefix'] . $row['quote_number'], $row['quote_scope'], $row['quote_amount'], $row['quote_date'], $row['quote_status']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Quote", "Export", "$session_name exported $num_rows quote(s) to a CSV file");
$_SESSION['alert_message'] = "Exported <strong>$num_rows</strong> quote(s)";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit;
}
if (isset($_GET['export_quote_pdf'])) {
$quote_id = intval($_GET['export_quote_pdf']);
$sql = mysqli_query(
$mysqli,
"SELECT * FROM quotes
LEFT JOIN clients ON quote_client_id = client_id
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
LEFT JOIN locations ON clients.client_id = locations.location_client_id AND location_primary = 1
WHERE quote_id = $quote_id
$access_permission_query
LIMIT 1"
);
$row = mysqli_fetch_array($sql);
$quote_id = intval($row['quote_id']);
$quote_prefix = nullable_htmlentities($row['quote_prefix']);
$quote_number = intval($row['quote_number']);
$quote_scope = nullable_htmlentities($row['quote_scope']);
$quote_status = nullable_htmlentities($row['quote_status']);
$quote_date = nullable_htmlentities($row['quote_date']);
$quote_expire = nullable_htmlentities($row['quote_expire']);
$quote_amount = floatval($row['quote_amount']);
$quote_discount = floatval($row['quote_discount_amount']);
$quote_currency_code = nullable_htmlentities($row['quote_currency_code']);
$quote_note = nullable_htmlentities($row['quote_note']);
$quote_url_key = nullable_htmlentities($row['quote_url_key']);
$quote_created_at = nullable_htmlentities($row['quote_created_at']);
$category_id = intval($row['quote_category_id']);
$client_id = intval($row['client_id']);
$client_name = nullable_htmlentities($row['client_name']);
$location_address = nullable_htmlentities($row['location_address']);
$location_city = nullable_htmlentities($row['location_city']);
$location_state = nullable_htmlentities($row['location_state']);
$location_zip = nullable_htmlentities($row['location_zip']);
$location_country = nullable_htmlentities($row['location_country']);
$contact_email = nullable_htmlentities($row['contact_email']);
$contact_phone_country_code = nullable_htmlentities($row['contact_phone_country_code']);
$contact_phone = nullable_htmlentities(formatPhoneNumber($row['contact_phone'], $contact_phone_country_code));
$contact_extension = nullable_htmlentities($row['contact_extension']);
$contact_mobile_country_code = nullable_htmlentities($row['contact_mobile_country_code']);
$contact_mobile = nullable_htmlentities(formatPhoneNumber($row['contact_mobile'], $contact_mobile_country_code));
$client_website = nullable_htmlentities($row['client_website']);
$client_currency_code = nullable_htmlentities($row['client_currency_code']);
$client_net_terms = intval($row['client_net_terms']);
if ($client_net_terms == 0) {
$client_net_terms = $config_default_net_terms;
}
$sql = mysqli_query($mysqli, "SELECT * FROM companies, settings WHERE companies.company_id = settings.company_id AND companies.company_id = 1");
$row = mysqli_fetch_array($sql);
$company_id = intval($row['company_id']);
$company_name = nullable_htmlentities($row['company_name']);
$company_country = nullable_htmlentities($row['company_country']);
$company_address = nullable_htmlentities($row['company_address']);
$company_city = nullable_htmlentities($row['company_city']);
$company_state = nullable_htmlentities($row['company_state']);
$company_zip = nullable_htmlentities($row['company_zip']);
$company_phone_country_code = nullable_htmlentities($row['company_phone_country_code']);
$company_phone = nullable_htmlentities(formatPhoneNumber($row['company_phone'], $company_phone_country_code));
$company_email = nullable_htmlentities($row['company_email']);
$company_website = nullable_htmlentities($row['company_website']);
$company_logo = nullable_htmlentities($row['company_logo']);
//Set Badge color based off of quote status
if ($quote_status == "Sent") {
$quote_badge_color = "warning text-white";
} elseif ($quote_status == "Viewed") {
$quote_badge_color = "primary";
} elseif ($quote_status == "Accepted") {
$quote_badge_color = "success";
} elseif ($quote_status == "Declined") {
$quote_badge_color = "danger";
} elseif ($quote_status == "Invoiced") {
$quote_badge_color = "info";
} else {
$quote_badge_color = "secondary";
}
require_once("plugins/TCPDF/tcpdf.php");
// Start TCPDF
$pdf = new TCPDF('P', 'mm', 'A4', true, 'UTF-8', false);
$pdf->SetMargins(15, 15, 15);
$pdf->setPrintHeader(false);
$pdf->setPrintFooter(false);
$pdf->AddPage();
$pdf->SetFont('helvetica', '', 10);
// Logo + Right Columns
$html = '<table width="100%" cellspacing="0" cellpadding="3">
<tr>
<td width="40%">';
if (!empty($company_logo) && file_exists("uploads/settings/$company_logo")) {
$html .= '<img src="uploads/settings/' . $company_logo . '" width="120">';
}
$html .= '</td>
<td width="60%" align="right">
<span style="font-size:18pt; font-weight:bold;">QUOTE</span><br>
<span style="font-size:14pt;">' . $quote_prefix . $quote_number . '</span><br>';
if (strtolower($quote_status) === 'accepted') {
$html .= '<span style="color:green; font-weight:bold;">ACCEPTED</span><br>';
}
if (strtolower($quote_status) === 'declined') {
$html .= '<span style="color:red; font-weight:bold;">DECLINED</span><br>';
}
$html .= '</td>
</tr>
</table><br>';
// Billing titles
$html .= '<table width="100%" cellspacing="0" cellpadding="2">
<tr>
<td width="50%" style="font-size:14pt; font-weight:bold;">' . $company_name . '</td>
<td width="50%" align="right" style="font-size:14pt; font-weight:bold;">' . $client_name . '</td>
</tr>
<tr>
<td style="font-size:10pt; line-height:1.4;">' . nl2br("$company_address\n$company_city $company_state $company_zip\n$company_country\n$company_phone\n$company_website") . '</td>
<td style="font-size:10pt; line-height:1.4;" align="right">' . nl2br("$location_address\n$location_city $location_state $location_zip\n$location_country\n$contact_email\n$contact_phone") . '</td>
</tr>
</table><br>';
// Date table
$html .= '<table border="0" cellpadding="2" cellspacing="0" width="100%">
<tr>
<td width="60%"></td>
<td width="20%" style="font-size:10pt;"><strong>Date:</strong></td>
<td width="20%" style="font-size:10pt;" align="right">' . $quote_date . '</td>
</tr>
<tr>
<td></td>
<td style="font-size:10pt;"><strong>Expires:</strong></td>
<td style="font-size:10pt;" align="right">' . $quote_expire . '</td>
</tr>
</table><br><br>';
// Items header
$html .= '
<table border="0" cellpadding="5" cellspacing="0" width="100%">
<tr style="background-color:#f0f0f0;">
<th align="left" width="40%"><strong>Item</strong></th>
<th align="center" width="10%"><strong>Qty</strong></th>
<th align="right" width="15%"><strong>Price</strong></th>
<th align="right" width="15%"><strong>Tax</strong></th>
<th align="right" width="20%"><strong>Amount</strong></th>
</tr>';
// Load items
$sql_items = mysqli_query($mysqli, "SELECT * FROM invoice_items WHERE item_quote_id = $quote_id ORDER BY item_order ASC");
while ($item = mysqli_fetch_array($sql_items)) {
$name = $item['item_name'];
$desc = $item['item_description'];
$qty = $item['item_quantity'];
$price = $item['item_price'];
$tax = $item['item_tax'];
$total = $item['item_total'];
$sub_total += $price * $qty;
$total_tax += $tax;
$html .= '
<tr>
<td><strong>' . $name . '</strong>
<br><span style="font-style:italic; font-size:9pt;">' . nl2br($desc) . '</span>
</td>
<td align="center">' . number_format($qty, 2) . '</td>
<td align="right">' . numfmt_format_currency($currency_format, $price, $quote_currency_code) . '</td>
<td align="right">' . numfmt_format_currency($currency_format, $tax, $quote_currency_code) . '</td>
<td align="right">' . numfmt_format_currency($currency_format, $total, $quote_currency_code) . '</td>
</tr>';
}
$html .= '</table><br><hr><br><br>';
// Totals
$html .= '<table width="100%" cellspacing="0" cellpadding="4">
<tr>
<td width="60%" rowspan="6" valign="top"><i>' . nl2br($quote_note) . '</i></td>
<td width="40%">
<table width="100%" cellpadding="3" cellspacing="0">
<tr><td>Subtotal:</td><td align="right">' . numfmt_format_currency($currency_format, $sub_total, $quote_currency_code) . '</td></tr>';
if ($quote_discount > 0) {
$html .= '<tr><td>Discount:</td><td align="right">-' . numfmt_format_currency($currency_format, $quote_discount, $quote_currency_code) . '</td></tr>';
}
if ($total_tax > 0) {
$html .= '<tr><td>Tax:</td><td align="right">' . numfmt_format_currency($currency_format, $total_tax, $quote_currency_code) . '</td></tr>';
}
$html .= '
<tr><td><h3><strong>Total:</strong></h3></td><td align="right"><h3><strong>' . numfmt_format_currency($currency_format, $quote_amount, $quote_currency_code) . '</strong></h3></td></tr>
</table>
</td>
</tr>
</table><br><br>';
// Footer
$html .= '<div style="text-align:center; font-size:9pt; color:gray;">' . nl2br($config_quote_footer) . '</div>';
$pdf->writeHTML($html, true, false, true, false, '');
$filename = preg_replace('/[^A-Za-z0-9_\-]/', '_', "{$quote_date}_{$company_name}_{$client_name}_Quote_{$quote_prefix}{$quote_number}");
$pdf->Output("$filename.pdf", 'I');
exit;
}


@@ -1,10 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$expire = sanitizeInput($_POST['expire']);
$category = intval($_POST['category']);
$scope = sanitizeInput($_POST['scope']);
$quote_discount = floatval($_POST['quote_discount']);
$config_quote_prefix = sanitizeInput($config_quote_prefix);


@@ -1,275 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client racks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_rack'])) {
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$model = sanitizeInput($_POST['model']);
$depth = sanitizeInput($_POST['depth']);
$units = intval($_POST['units']);
$physical_location = sanitizeInput($_POST['physical_location']);
$location = intval($_POST['location']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"INSERT INTO racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes', rack_client_id = $client_id");
$rack_id = mysqli_insert_id($mysqli);
// Add Photo
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE racks SET rack_photo = '$new_file_name' WHERE rack_id = $rack_id");
}
// Logging
logAction("Rack", "Create", "$session_name created rack $name", $client_id, $rack_id);
$_SESSION['alert_message'] = "Rack <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_rack'])) {
enforceUserPermission('module_support', 2);
$rack_id = intval($_POST['rack_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$model = sanitizeInput($_POST['model']);
$depth = sanitizeInput($_POST['depth']);
$units = intval($_POST['units']);
$physical_location = sanitizeInput($_POST['physical_location']);
$location = intval($_POST['location']);
$notes = sanitizeInput($_POST['notes']);
mysqli_query($mysqli,"UPDATE racks SET rack_name = '$name', rack_description = '$description', rack_type = '$type', rack_model = '$model', rack_depth = '$depth', rack_units = $units, rack_location_id = $location, rack_physical_location = '$physical_location', rack_notes = '$notes' WHERE rack_id = $rack_id");
// Add Photo
if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'webp'))) {
$file_tmp_path = $_FILES['file']['tmp_name'];
// directory in which the uploaded file will be moved
if (!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
}
$upload_file_dir = "uploads/clients/$client_id/";
$dest_path = $upload_file_dir . $new_file_name;
move_uploaded_file($file_tmp_path, $dest_path);
mysqli_query($mysqli,"UPDATE racks SET rack_photo = '$new_file_name' WHERE rack_id = $rack_id");
}
// Logging
logAction("Rack", "Edit", "$session_name edited rack $name", $client_id, $rack_id);
$_SESSION['alert_message'] = "Rack <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_rack'])) {
enforceUserPermission('module_support', 2);
$rack_id = intval($_GET['archive_rack']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']);
mysqli_query($mysqli,"UPDATE racks SET rack_archived_at = NOW() WHERE rack_id = $rack_id");
// Logging
logAction("Rack", "Archive", "$session_name archived rack $rack_name", $client_id, $rack_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Rack <strong>$rack_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_rack'])) {
enforceUserPermission('module_support', 2);
$rack_id = intval($_GET['unarchive_rack']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']);
mysqli_query($mysqli,"UPDATE racks SET rack_archived_at = NULL WHERE rack_id = $rack_id");
// Logging
logAction("Rack", "Unarchive", "$session_name unarchived rack $rack_name", $client_id, $rack_id);
$_SESSION['alert_message'] = "Rack <strong>$rack_name</strong> Unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_rack'])) {
enforceUserPermission('module_support', 3);
$rack_id = intval($_GET['delete_rack']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id, rack_photo FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$rack_photo = sanitizeInput($row['rack_photo']);
$client_id = intval($row['rack_client_id']);
mysqli_query($mysqli,"DELETE FROM racks WHERE rack_id = $rack_id");
// Delete Photo if exists
if ($rack_photo) {
unlink("uploads/clients/$client_id/$rack_photo");
}
// Logging
logAction("Rack", "Delete", "$session_name deleted rack $rack_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Rack <strong>$rack_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_rack_unit'])) {
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$rack_id = intval($_POST['rack_id']);
$name = sanitizeInput($_POST['name']);
$unit_start = intval($_POST['unit_start']);
$unit_end = intval($_POST['unit_end']);
$asset = intval($_POST['asset']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']);
// **New Validation Check**
if ($unit_start > $unit_end) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Unit Start number cannot be higher than Unit End number.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
// Check if the unit range is already occupied
$check_sql = mysqli_query($mysqli, "SELECT * FROM rack_units WHERE unit_rack_id = $rack_id AND unit_start_number <= $unit_end AND unit_end_number >= $unit_start");
if (mysqli_num_rows($check_sql) > 0) {
// If there is an overlap, return an error message
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Units $unit_start to $unit_end are already in use by another device.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
// If no overlap and validation passes, proceed with the insertion
mysqli_query($mysqli, "INSERT INTO rack_units SET unit_device = '$name', unit_asset_id = $asset, unit_start_number = $unit_start, unit_end_number = $unit_end, unit_rack_id = $rack_id");
$unit_id = mysqli_insert_id($mysqli);
// Logging
logAction("Rack", "Edit", "$session_name added device $name to units $unit_start - $unit_end in rack $rack_name", $client_id, $rack_id);
$_SESSION['alert_message'] = "Device <strong>$name</strong> added to units $unit_start - $unit_end in rack.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_rack_unit'])) {
enforceUserPermission('module_support', 2);
$unit_id = intval($_POST['unit_id']);
$client_id = intval($_POST['client_id']);
$rack_id = intval($_POST['rack_id']);
$name = sanitizeInput($_POST['name']);
$unit_start = intval($_POST['unit_start']);
$unit_end = intval($_POST['unit_end']);
$asset = intval($_POST['asset']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_client_id FROM racks WHERE rack_id = $rack_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$client_id = intval($row['rack_client_id']);
mysqli_query($mysqli,"UPDATE rack_units SET unit_device = '$name', unit_asset_id = $asset, unit_start_number = $unit_start, unit_end_number = $unit_end WHERE unit_id = $unit_id");
// Logging
logAction("Rack", "Edit", "$session_name edited device $name in rack $rack_name", $client_id, $rack_id);
$_SESSION['alert_message'] = "Device $name edited on the rack";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['remove_rack_unit'])) {
enforceUserPermission('module_support', 2);
$unit_id = intval($_GET['remove_rack_unit']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT rack_name, rack_id, rack_client_id FROM racks LEFT JOIN rack_units ON unit_rack_id = rack_id WHERE unit_id = $unit_id");
$row = mysqli_fetch_array($sql);
$rack_name = sanitizeInput($row['rack_name']);
$unit_device = sanitizeInput($row['unit_device']);
$client_id = intval($row['rack_client_id']);
$rack_id = intval($row['rack_id']);
mysqli_query($mysqli,"DELETE FROM rack_units WHERE unit_id = $unit_id");
// Logging
logAction("Rack", "Edit", "$session_name removed device $device_name from rack $rack_name", $client_id, $rack_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Device <strong>$device_name</strong> removed from rack";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,79 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for revenue
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_revenue'])) {
enforceUserPermission('module_sales', 2);
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account = intval($_POST['account']);
$category = intval($_POST['category']);
$payment_method = sanitizeInput($_POST['payment_method']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
mysqli_query($mysqli,"INSERT INTO revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_currency_code = '$session_company_currency', revenue_payment_method = '$payment_method', revenue_reference = '$reference', revenue_description = '$description', revenue_category_id = $category, revenue_account_id = $account");
$revenue_id = mysqli_insert_id($mysqli);
// Logging
logAction("Revenue", "Create", "$session_name added revenue $description", 0, $revenue_id);
$_SESSION['alert_message'] = "Revenue added";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_revenue'])) {
enforceUserPermission('module_sales', 2);
$revenue_id = intval($_POST['revenue_id']);
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account = intval($_POST['account']);
$category = intval($_POST['category']);
$payment_method = sanitizeInput($_POST['payment_method']);
$description = sanitizeInput($_POST['description']);
$reference = sanitizeInput($_POST['reference']);
mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_payment_method = '$payment_method', revenue_reference = '$reference', revenue_description = '$description', revenue_category_id = $category, revenue_account_id = $account WHERE revenue_id = $revenue_id");
// Logging
logAction("Revenue", "Edit", "$session_name edited revenue $description", 0, $revenue_id);
$_SESSION['alert_message'] = "Revenue edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_revenue'])) {
enforceUserPermission('module_sales', 3);
$revenue_id = intval($_GET['delete_revenue']);
// Get Revenue Details
$sql = mysqli_query($mysqli,"SELECT revenue_description FROM revenues WHERE revenue_id = $revenue_id");
$row = mysqli_fetch_array($sql);
$revenue_description = sanitizeInput($row['revenue_description']);
mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id");
// Logging
logAction("Revenue", "Delete", "$session_name deleted revenue $revenue_description");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Revenue removed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,194 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client service info
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_service'])) {
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$service_name = sanitizeInput($_POST['name']);
$service_description = sanitizeInput($_POST['description']);
$service_category = sanitizeInput($_POST['category']); //TODO: Needs integration with company categories
$service_importance = sanitizeInput($_POST['importance']);
$service_backup = sanitizeInput($_POST['backup']);
$service_notes = sanitizeInput($_POST['note']);
// Create Service
mysqli_query($mysqli, "INSERT INTO services SET service_name = '$service_name', service_description = '$service_description', service_category = '$service_category', service_importance = '$service_importance', service_backup = '$service_backup', service_notes = '$service_notes', service_client_id = $client_id");
// Create links to assets
$service_id = mysqli_insert_id($mysqli);
if (isset($_POST['contacts'])) {
foreach($_POST['contacts'] as $contact_id) {
$contact_id = intval($contact_id);
mysqli_query($mysqli, "INSERT INTO service_contacts SET service_id = $service_id, contact_id = $contact_id");
}
}
if (isset($_POST['vendors'])) {
foreach($_POST['vendors'] as $vendor_id) {
$vendor_id = intval($vendor_id);
mysqli_query($mysqli, "INSERT INTO service_vendors SET service_id = $service_id, vendor_id = $vendor_id");
}
}
if (isset($_POST['documents'])) {
foreach($_POST['documents'] as $document_id) {
$document_id = intval($document_id);
mysqli_query($mysqli, "INSERT INTO service_documents SET service_id = $service_id, document_id = $document_id");
}
}
if (isset($_POST['assets'])) {
foreach($_POST['assets'] as $asset_id) {
$asset_id = intval($asset_id);
mysqli_query($mysqli, "INSERT INTO service_assets SET service_id = $service_id, asset_id = $asset_id");
}
}
if (isset($_POST['credentials'])) {
foreach($_POST['credentials'] as $credential_id) {
$credential_id = intval($credential_id);
mysqli_query($mysqli, "INSERT INTO service_credentials SET service_id = $service_id, credential_id = $credential_id");
}
}
if (isset($_POST['domains'])) {
foreach($_POST['domains'] as $domain_id) {
$domain_id = intval($domain_id);
mysqli_query($mysqli, "INSERT INTO service_domains SET service_id = $service_id, domain_id = $domain_id");
}
}
if (isset($_POST['certificates'])) {
foreach($_POST['certificates'] as $cert_id) {
$cert_id = intval($cert_id);
mysqli_query($mysqli, "INSERT INTO service_certificates SET service_id = $service_id, certificate_id = $cert_id");
}
}
// Logging
logAction("Service", "Create", "$session_name created service $service_name", $client_id, $service_id);
$_SESSION['alert_message'] = "Service <strong>$service_name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_service'])) {
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$service_id = intval($_POST['service_id']);
$service_name = sanitizeInput($_POST['name']);
$service_description = sanitizeInput($_POST['description']);
$service_category = sanitizeInput($_POST['category']); //TODO: Needs integration with company categories
$service_importance = sanitizeInput($_POST['importance']);
$service_backup = sanitizeInput($_POST['backup']);
$service_notes = sanitizeInput($_POST['note']);
// Update main service details
mysqli_query($mysqli, "UPDATE services SET service_name = '$service_name', service_description = '$service_description', service_category = '$service_category', service_importance = '$service_importance', service_backup = '$service_backup', service_notes = '$service_notes' WHERE service_id = $service_id");
// Unlink existing relations/assets
mysqli_query($mysqli, "DELETE FROM service_contacts WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_vendors WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_documents WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_assets WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_credentials WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_domains WHERE service_id = $service_id");
mysqli_query($mysqli, "DELETE FROM service_certificates WHERE service_id = $service_id");
// Relink
if (isset($_POST['contacts'])) {
foreach($_POST['contacts'] as $contact_id) {
$contact_id = intval($contact_id);
mysqli_query($mysqli, "INSERT INTO service_contacts SET service_id = $service_id, contact_id = $contact_id");
}
}
if (isset($_POST['vendors'])) {
foreach($_POST['vendors'] as $vendor_id) {
$vendor_id = intval($vendor_id);
mysqli_query($mysqli, "INSERT INTO service_vendors SET service_id = $service_id, vendor_id = $vendor_id");
}
}
if (isset($_POST['documents'])) {
foreach($_POST['documents'] as $document_id) {
$document_id = intval($document_id);
mysqli_query($mysqli, "INSERT INTO service_documents SET service_id = $service_id, document_id = $document_id");
}
}
if (isset($_POST['assets'])) {
foreach($_POST['assets'] as $asset_id) {
$asset_id = intval($asset_id);
mysqli_query($mysqli, "INSERT INTO service_assets SET service_id = $service_id, asset_id = $asset_id");
}
}
if (isset($_POST['credentials'])) {
foreach($_POST['credentials'] as $credential_id) {
$credential_id = intval($credential_id);
mysqli_query($mysqli, "INSERT INTO service_credentials SET service_id = $service_id, credential_id = $credential_id");
}
}
if (isset($_POST['domains'])) {
foreach($_POST['domains'] as $domain_id) {
$domain_id = intval($domain_id);
mysqli_query($mysqli, "INSERT INTO service_domains SET service_id = $service_id, domain_id = $domain_id");
}
}
if (isset($_POST['certificates'])) {
foreach($_POST['certificates'] as $cert_id) {
$cert_id = intval($cert_id);
mysqli_query($mysqli, "INSERT INTO service_certificates SET service_id = $service_id, certificate_id = $cert_id");
}
}
// Logging
logAction("Service", "Edit", "$session_name edited service $service_name", $client_id, $service_id);
$_SESSION['alert_message'] = "Service <strong>$service_name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_service'])) {
enforceUserPermission('module_support', 3);
validateCSRFToken($_GET['csrf_token']);
$service_id = intval($_GET['delete_service']);
// Get Service Details
$sql = mysqli_query($mysqli,"SELECT service_name, service_client_id FROM services WHERE service_id = $service_id");
$row = mysqli_fetch_array($sql);
$service_name = sanitizeInput($row['service_name']);
$client_id = intval($row['service_client_id']);
// Delete service
mysqli_query($mysqli, "DELETE FROM services WHERE service_id = $service_id");
// Logging
logAction("Service", "Delete", "$session_name deleted service $service_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Service <strong>$service_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,288 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for client software & licenses
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_software_from_template'])) {
enforceUserPermission('module_support', 2);
// GET POST Data
$client_id = intval($_POST['client_id']);
$software_template_id = intval($_POST['software_template_id']);
// GET Software Template Info
$sql_software_templates = mysqli_query($mysqli,"SELECT * FROM software_templates WHERE software_template_id = $software_template_id");
$row = mysqli_fetch_array($sql_software_templates);
$name = sanitizeInput($row['software_template_name']);
$version = sanitizeInput($row['software_template_version']);
$description = sanitizeInput($row['software_template_description']);
$type = sanitizeInput($row['software_template_type']);
$license_type = sanitizeInput($row['software_template_license_type']);
$notes = sanitizeInput($row['software_template_notes']);
$vendor = sanitizeInput($_POST['vendor'] ?? 0);
// Software add query
mysqli_query($mysqli,"INSERT INTO software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_license_type = '$license_type', software_notes = '$notes', software_vendor_id = $vendor, software_client_id = $client_id");
$software_id = mysqli_insert_id($mysqli);
// Logging
logAction("Software", "Create", "$session_name created software $name using template", $client_id, $software_id);
$_SESSION['alert_message'] = "Software <strong>$name</strong> created from template";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['add_software'])) {
enforceUserPermission('module_support', 2);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
$key = sanitizeInput($_POST['key']);
$seats = intval($_POST['seats']);
$purchase_reference = sanitizeInput($_POST['purchase_reference']);
$purchase = sanitizeInput($_POST['purchase']);
if (empty($purchase)) {
$purchase = "NULL";
} else {
$purchase = "'" . $purchase . "'";
}
$expire = sanitizeInput($_POST['expire']);
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
$notes = sanitizeInput($_POST['notes']);
$vendor = intval($_POST['vendor'] ?? 0);
mysqli_query($mysqli,"INSERT INTO software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_key = '$key', software_license_type = '$license_type', software_seats = $seats, software_purchase_reference = '$purchase_reference', software_purchase = $purchase, software_expire = $expire, software_notes = '$notes', software_vendor_id = $vendor, software_client_id = $client_id");
$software_id = mysqli_insert_id($mysqli);
$alert_extended = "";
// Add Asset Licenses
if (isset($_POST['assets'])) {
foreach($_POST['assets'] as $asset) {
$asset_id = intval($asset);
mysqli_query($mysqli,"INSERT INTO software_assets SET software_id = $software_id, asset_id = $asset_id");
}
}
// Add Contact Licenses
if (isset($_POST['contacts'])) {
foreach($_POST['contacts'] as $contact) {
$contact = intval($contact);
mysqli_query($mysqli,"INSERT INTO software_contacts SET software_id = $software_id, contact_id = $contact");
}
}
// Logging
logAction("Software", "Create", "$session_name created software $name", $client_id, $software_id);
$_SESSION['alert_message'] = "Software <strong>$name</strong> created $alert_extended";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_software'])) {
enforceUserPermission('module_support', 2);
$software_id = intval($_POST['software_id']);
$client_id = intval($_POST['client_id']);
$name = sanitizeInput($_POST['name']);
$version = sanitizeInput($_POST['version']);
$description = sanitizeInput($_POST['description']);
$type = sanitizeInput($_POST['type']);
$license_type = sanitizeInput($_POST['license_type']);
$notes = sanitizeInput($_POST['notes']);
$key = sanitizeInput($_POST['key']);
$seats = intval($_POST['seats']);
$purchase_reference = sanitizeInput($_POST['purchase_reference']);
$purchase = sanitizeInput($_POST['purchase']);
if (empty($purchase)) {
$purchase = "NULL";
} else {
$purchase = "'" . $purchase . "'";
}
$expire = sanitizeInput($_POST['expire']);
if (empty($expire)) {
$expire = "NULL";
} else {
$expire = "'" . $expire . "'";
}
$notes = sanitizeInput($_POST['notes']);
$vendor = intval($_POST['vendor'] ?? 0);
mysqli_query($mysqli,"UPDATE software SET software_name = '$name', software_version = '$version', software_description = '$description', software_type = '$type', software_key = '$key', software_license_type = '$license_type', software_seats = $seats, software_purchase_reference = '$purchase_reference', software_purchase = $purchase, software_expire = $expire, software_notes = '$notes', software_vendor_id = $vendor WHERE software_id = $software_id");
// Update Asset Licenses
mysqli_query($mysqli,"DELETE FROM software_assets WHERE software_id = $software_id");
if (isset($_POST['assets'])) {
foreach($_POST['assets'] as $asset) {
$asset = intval($asset);
mysqli_query($mysqli,"INSERT INTO software_assets SET software_id = $software_id, asset_id = $asset");
}
}
// Update Contact Licenses
mysqli_query($mysqli,"DELETE FROM software_contacts WHERE software_id = $software_id");
if (isset($_POST['contacts'])) {
foreach($_POST['contacts'] as $contact) {
$contact = intval($contact);
mysqli_query($mysqli,"INSERT INTO software_contacts SET software_id = $software_id, contact_id = $contact");
}
}
// Logging
logAction("Software", "Edit", "$session_name edited software $name", $client_id, $software_id);
$_SESSION['alert_message'] = "Software <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_software'])) {
enforceUserPermission('module_support', 2);
$software_id = intval($_GET['archive_software']);
// Get Software Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT software_name, software_client_id FROM software WHERE software_id = $software_id");
$row = mysqli_fetch_array($sql);
$software_name = sanitizeInput($row['software_name']);
$client_id = intval($row['software_client_id']);
mysqli_query($mysqli,"UPDATE software SET software_archived_at = NOW() WHERE software_id = $software_id");
// Remove Software Relations
mysqli_query($mysqli,"DELETE FROM software_contacts WHERE software_id = $software_id");
mysqli_query($mysqli,"DELETE FROM software_assets WHERE software_id = $software_id");
// Logging
logAction("Software", "Archive", "$session_name archived software $software_name and removed all device/user license associations", $client_id, $software_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Software <strong>$software_name</strong> archived and removed all device/user license associations";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_software'])) {
enforceUserPermission('module_support', 3);
$software_id = intval($_GET['delete_software']);
// Get Software Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT software_name, software_client_id FROM software WHERE software_id = $software_id");
$row = mysqli_fetch_array($sql);
$software_name = sanitizeInput($row['software_name']);
$client_id = intval($row['software_client_id']);
mysqli_query($mysqli,"DELETE FROM software WHERE software_id = $software_id");
//Logging
logAction("Software", "Delete", "$session_name deleted software $software_name and removed all device/user license associations", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Software <strong>$software_name</strong> deleted and removed all device/user license associations";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_client_software_csv'])) {
enforceUserPermission('module_support');
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "WHERE software_client_id = $client_id";
} else {
$client_query = '';
$client_id = 0; //Logging
}
$sql = mysqli_query($mysqli,"SELECT * FROM software $client_query ORDER BY software_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = "Software-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Version', 'Description', 'Type', 'License Type', 'Seats', 'Key', 'Assets', 'Contacts', 'Purchased', 'Expires', 'Notes');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
// Generate asset & user license list for this software
// Asset licenses
$assigned_to_assets = '';
$asset_licenses_sql = mysqli_query($mysqli,"SELECT software_assets.asset_id, assets.asset_name
FROM software_assets
LEFT JOIN assets
ON software_assets.asset_id = assets.asset_id
WHERE software_id = $row[software_id]");
while($asset_row = mysqli_fetch_array($asset_licenses_sql)) {
$assigned_to_assets .= $asset_row['asset_name'] . ", ";
}
// Contact Licenses
$assigned_to_contacts = '';
$contact_licenses_sql = mysqli_query($mysqli,"SELECT software_contacts.contact_id, contacts.contact_name
FROM software_contacts
LEFT JOIN contacts
ON software_contacts.contact_id = contacts.contact_id
WHERE software_id = $row[software_id]");
while($contact_row = mysqli_fetch_array($contact_licenses_sql)) {
$assigned_to_contacts .= $contact_row['contact_name'] . ", ";
}
$lineData = array($row['software_name'], $row['software_version'], $row['software_description'], $row['software_type'], $row['software_license_type'], $row['software_seats'], $row['software_key'], $assigned_to_assets, $assigned_to_contacts, $row['software_purchase'], $row['software_expire'], $row['software_notes']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
logAction("Software", "Export", "$session_name exported $num_rows software(s) $software_name to a CSV file", $client_id);
exit;
}


@@ -1,24 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for tagging
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_tag'])) {
require_once 'post/user/tag_model.php';
mysqli_query($mysqli,"INSERT INTO tags SET tag_name = '$name', tag_type = $type, tag_color = '$color', tag_icon = '$icon'");
$tag_id = mysqli_insert_id($mysqli);
// Logging
logAction("Tag", "Create", "$session_name created tag $name", 0, $tag_id);
$_SESSION['alert_message'] = "Tag <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,7 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$type = intval($_POST['type']);
$color = sanitizeInput($_POST['color']);
$icon = preg_replace("/[^0-9a-zA-Z-]/", "", sanitizeInput($_POST['icon']));


@@ -1,214 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for tasks
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_task'])) {
enforceUserPermission('module_support', 2);
$ticket_id = intval($_POST['ticket_id']);
$task_name = sanitizeInput($_POST['name']);
// Get Client ID from tickets using the ticket_id
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = $ticket_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
mysqli_query($mysqli, "INSERT INTO tasks SET task_name = '$task_name', task_ticket_id = $ticket_id");
$task_id = mysqli_insert_id($mysqli);
// Logging
logAction("Task", "Create", "$session_name created task $task_name", $client_id, $task_id);
$_SESSION['alert_message'] = "You created Task <strong>$task_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_task'])) {
enforceUserPermission('module_support', 2);
$task_id = intval($_POST['task_id']);
$task_name = sanitizeInput($_POST['name']);
$task_order = intval($_POST['order']);
$task_completion_estimate = intval($_POST['completion_estimate']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_name = '$task_name', task_order = $task_order, task_completion_estimate = $task_completion_estimate WHERE task_id = $task_id");
// Logging
logAction("Task", "Edit", "$session_name edited task $task_name", $client_id, $task_id);
$_SESSION['alert_message'] = "Task <strong>$task_name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_ticket_template_task'])) {
enforceUserPermission('module_support', 2);
$task_template_id = intval($_POST['task_template_id']);
$task_name = sanitizeInput($_POST['name']);
$task_order = intval($_POST['order']);
$task_completion_estimate = intval($_POST['completion_estimate']);
mysqli_query($mysqli, "UPDATE task_templates SET task_template_name = '$task_name', task_template_order = $task_order, task_template_completion_estimate = $task_completion_estimate WHERE task_template_id = $task_template_id");
// Logging
logAction("Task", "Edit", "$session_name edited task $task_name", 0, $task_template_id);
$_SESSION['alert_message'] = "Task <strong>$task_name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_task'])) {
enforceUserPermission('module_support', 3);
// CSRF Check
validateCSRFToken($_GET['csrf_token']);
$task_id = intval($_GET['delete_task']);
// Get Client ID, task name from tasks and tickets using the task_id
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
$task_name = sanitizeInput($row['task_name']);
mysqli_query($mysqli, "DELETE FROM tasks WHERE task_id = $task_id");
// Logging
logAction("Task", "Delete", "$session_name deleted task $task_name", $client_id, $task_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Task <strong>$task_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['complete_task'])) {
enforceUserPermission('module_support', 2);
$task_id = intval($_GET['complete_task']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
$task_name = sanitizeInput($row['task_name']);
$task_completion_estimate = intval($row['task_completion_estimate']);
$ticket_id = intval($row['ticket_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NOW(), task_completed_by = $session_user_id WHERE task_id = $task_id");
// Convert task completion estimate from minutes to TIME format
$time_worked = gmdate("H:i:s", $task_completion_estimate * 60); // Convert minutes to HH:MM:SS
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Completed Task - $task_name', ticket_reply_time_worked = '$time_worked', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
$ticket_reply_id = mysqli_insert_id($mysqli);
// Logging
logAction("Task", "Edit", "$session_name completed task $task_name", $client_id, $task_id);
$_SESSION['alert_message'] = "Task <strong>$task_name</strong> Completed";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['undo_complete_task'])) {
enforceUserPermission('module_support', 2);
$task_id = intval($_GET['undo_complete_task']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
$task_name = sanitizeInput($row['task_name']);
$ticket_id = intval($row['ticket_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NULL, task_completed_by = NULL WHERE task_id = $task_id");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Undo Completed Task - $task_name', ticket_reply_time_worked = '00:01:00', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
$ticket_reply_id = mysqli_insert_id($mysqli);
// Logging
logAction("Task", "Edit", "$session_name marked task $task_name as incomplete", $client_id, $task_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Task <strong>$task_name</strong> marked as incomplete";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['complete_all_tasks'])) {
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['complete_all_tasks']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = $ticket_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NOW(), task_completed_by = $session_user_id WHERE task_ticket_id = $ticket_id AND task_completed_at IS NULL");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Marked all tasks complete', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
$ticket_reply_id = mysqli_insert_id($mysqli);
// Logging
logAction("Ticket", "Edit", "$session_name marked all tasks complete for ticket", $client_id, $ticket_id);
$_SESSION['alert_message'] = "Marked all tasks Complete";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['undo_complete_all_tasks'])) {
enforceUserPermission('module_support', 2);
$ticket_id = intval($_GET['undo_complete_all_tasks']);
// Get Client ID
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = $ticket_id");
$row = mysqli_fetch_array($sql);
$client_id = intval($row['ticket_client_id']);
mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NULL, task_completed_by = NULL WHERE task_ticket_id = $ticket_id AND task_completed_at IS NOT NULL");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Marked all tasks incomplete', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
$ticket_reply_id = mysqli_insert_id($mysqli);
// Logging
logAction("Ticket", "Edit", "$session_name marked all tasks as incomplete for ticket", $client_id, $ticket_id);
$_SESSION['alert_message'] = "Marked all tasks Incomplete";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}



@@ -1,13 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client']);
$subject = sanitizeInput($_POST['subject']);
$priority = sanitizeInput($_POST['priority']);
$details = mysqli_real_escape_string($mysqli, $_POST['details']);
$frequency = sanitizeInput($_POST['frequency']);
$billable = intval($_POST['billable'] ?? 0);
$asset_id = intval($_POST['asset'] ?? 0);
$contact_id = intval($_POST['contact'] ?? 0);
$assigned_to = intval($_POST['assigned_to'] ?? 0);
$category = intval($_POST['category'] ?? 0);


@@ -1,96 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for transfers (accounting)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_transfer'])) {
enforceUserPermission('module_financial', 2);
require_once 'post/user/transfer_model.php';
// Get Source Account Name for logging
$sql = mysqli_query($mysqli,"SELECT account_name, account_currency_code FROM accounts WHERE account_id = $account_from");
$row = mysqli_fetch_array($sql);
$source_account_name = sanitizeInput($row['account_name']);
$account_currency_code = sanitizeInput($row['account_currency_code']);
// Get Destination Account Name for logging
$sql = mysqli_query($mysqli,"SELECT account_name FROM accounts WHERE account_id = $account_to");
$row = mysqli_fetch_array($sql);
$destination_account_name = sanitizeInput($row['account_name']);
mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$date', expense_amount = $amount, expense_currency_code = '$session_company_currency', expense_vendor_id = 0, expense_category_id = 0, expense_account_id = $account_from");
$expense_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_currency_code = '$session_company_currency', revenue_account_id = $account_to, revenue_category_id = 0");
$revenue_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO transfers SET transfer_expense_id = $expense_id, transfer_revenue_id = $revenue_id, transfer_method = '$transfer_method', transfer_notes = '$notes'");
$transfer_id = mysqli_insert_id($mysqli);
// Logging
logAction("Account Transfer", "Create", "$session_name transferred " . numfmt_format_currency($currency_format, $amount, $account_currency_code) . " from account $source_account_name to $destination_account_name", 0, $transfer_id);
$_SESSION['alert_message'] = "Transferred <strong>" . numfmt_format_currency($currency_format, $amount, $account_currency_code) . "</strong> from <strong>$source_account_name</strong> to <strong>$destination_account_name</strong>";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_transfer'])) {
enforceUserPermission('module_financial', 2);
require_once 'post/user/transfer_model.php';
$transfer_id = intval($_POST['transfer_id']);
$expense_id = intval($_POST['expense_id']);
$revenue_id = intval($_POST['revenue_id']);
mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = $amount, expense_account_id = $account_from WHERE expense_id = $expense_id");
mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = $amount, revenue_account_id = $account_to WHERE revenue_id = $revenue_id");
mysqli_query($mysqli,"UPDATE transfers SET transfer_method = '$transfer_method', transfer_notes = '$notes' WHERE transfer_id = $transfer_id");
// Logging
logAction("Account Transfer", "Edit", "$session_name edited transfer", 0, $transfer_id);
$_SESSION['alert_message'] = "Transfer edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_transfer'])) {
enforceUserPermission('module_financial', 3);
$transfer_id = intval($_GET['delete_transfer']);
// Query the transfer ID to get the Payment and Expense IDs, so we can delete those as well
$row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT * FROM transfers WHERE transfer_id = $transfer_id"));
$expense_id = intval($row['transfer_expense_id']);
$revenue_id = intval($row['transfer_revenue_id']);
mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id");
mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id");
mysqli_query($mysqli,"DELETE FROM transfers WHERE transfer_id = $transfer_id");
// Logging
logAction("Account Transfer", "Delete", "$session_name deleted transfer");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Transfer deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}


@@ -1,9 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$amount = floatval($_POST['amount']);
$account_from = intval($_POST['account_from']);
$account_to = intval($_POST['account_to']);
$transfer_method = sanitizeInput($_POST['transfer_method']);
$notes = sanitizeInput($_POST['notes']);


@@ -1,127 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for trips (accounting related)
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_trip'])) {
require_once 'post/user/trip_model.php';
mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_user_id = $user_id, trip_client_id = $client_id");
$trip_id = mysqli_insert_id($mysqli);
// Logging
logAction("Trip", "Create", "$session_name logged trip from $source to $destination", $client_id , $trip_id);
$_SESSION['alert_message'] = "Trip from <strong>$source</strong> to <strong>$destination</strong> logged";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_trip'])) {
require_once 'post/user/trip_model.php';
$trip_id = intval($_POST['trip_id']);
mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_source = '$source', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_user_id = $user_id, trip_client_id = $client_id WHERE trip_id = $trip_id");
// Logging
logAction("Trip", "Edit", "$session_name edited trip", $client_id , $trip_id);
$_SESSION['alert_message'] = "Trip edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_trip'])) {
$trip_id = intval($_GET['delete_trip']);
// Get Trip Info and Client ID for logging
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT * FROM trips WHERE trip_id = $trip_id"));
$client_id = intval($row['trip_client_id']);
$trip_source = sanitizeInput($row['trip_source']);
$trip_destination = sanitizeInput($row['trip_destination']);
mysqli_query($mysqli,"DELETE FROM trips WHERE trip_id = $trip_id");
// Logging
logAction("Trip", "Delete", "$session_name deleted trip ($trip_source - $trip_destination)", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Trip ($trip_source - $trip_destination) deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_trips_csv'])) {
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "AND trip_client_id = $client_id";
} else {
$client_query = '';
}
$date_from = sanitizeInput($_POST['date_from']);
$date_to = sanitizeInput($_POST['date_to']);
if (!empty($date_from) && !empty($date_to)){
$date_query = "DATE(trip_date) BETWEEN '$date_from' AND '$date_to'";
$file_name_date = "$date_from-to-$date_to";
} else {
$date_query = "trip_date IS NOT NULL";
$file_name_date = date('Y-m-d');
}
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM trips
LEFT JOIN clients ON trip_client_id = client_id
WHERE $date_query
$client_query
ORDER BY trip_date DESC"
);
$count = mysqli_num_rows($sql);
if ($count > 0) {
$delimiter = ",";
$filename = "Trips-$file_name_date.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Date', 'Purpose', 'Source', 'Destination', 'Miles');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)){
$lineData = array($row['trip_date'], $row['trip_purpose'], $row['trip_source'], $row['trip_destination'], $row['trip_miles']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
// Logging
logAction("Trip", "Export", "$session_name exported $count trip(s) to a CSV file");
}
exit;
}


@@ -1,11 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$date = sanitizeInput($_POST['date']);
$source = sanitizeInput($_POST['source']);
$destination = sanitizeInput($_POST['destination']);
$miles = floatval($_POST['miles']);
$roundtrip = intval($_POST['roundtrip'] ?? 0);
$purpose = sanitizeInput($_POST['purpose']);
$user_id = intval($_POST['user']);
$client_id = intval($_POST['client']);


@@ -1,319 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for vendors
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_from_template'])) {
// GET POST Data
$client_id = intval($_POST['client_id']); //Used if this vendor is under a contact otherwise its 0 for under company and or template
$vendor_template_id = intval($_POST['vendor_template_id']);
//GET Vendor Info
$sql_vendor_templates = mysqli_query($mysqli,"SELECT * FROM vendor_templates WHERE vendor_template_id = $vendor_template_id");
$row = mysqli_fetch_array($sql_vendor_templates);
$name = sanitizeInput($row['vendor_template_name']);
$description = sanitizeInput($row['vendor_template_description']);
$account_number = sanitizeInput($row['vendor_template_account_number']);
$contact_name = sanitizeInput($row['vendor_template_contact_name']);
$phone_country_code = preg_replace("/[^0-9]/", '',$row['vendor_template_phone_country_code']);
$phone = preg_replace("/[^0-9]/", '',$row['vendor_template_phone']);
$extension = preg_replace("/[^0-9]/", '',$row['vendor_template_extension']);
$email = sanitizeInput($row['vendor_template_email']);
$website = sanitizeInput($row['vendor_template_website']);
$hours = sanitizeInput($row['vendor_template_hours']);
$sla = sanitizeInput($row['vendor_template_sla']);
$code = sanitizeInput($row['vendor_template_code']);
$notes = sanitizeInput($row['vendor_template_notes']);
// Vendor add query
mysqli_query($mysqli,"INSERT INTO vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone_country_code = '$phone_country_code', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code', vendor_account_number = '$account_number', vendor_notes = '$notes', vendor_client_id = $client_id, vendor_template_id = $vendor_template_id");
$vendor_id = mysqli_insert_id($mysqli);
// Logging
logAction("Vendor", "Create", "$session_name created vendor $name using a template", $client_id, $vendor_id);
$_SESSION['alert_message'] = "Vendor <strong>$name</strong> created from template";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
// Vendors
if (isset($_POST['add_vendor'])) {
require_once 'post/user/vendor_model.php';
$client_id = intval($_POST['client_id']); // Used if this vendor is under a contact otherwise its 0 for under company
mysqli_query($mysqli,"INSERT INTO vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone_country_code = '$phone_country_code', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code', vendor_account_number = '$account_number', vendor_notes = '$notes', vendor_client_id = $client_id");
$vendor_id = mysqli_insert_id($mysqli);
// Logging
logAction("Vendor", "Create", "$session_name created vendor $name", $client_id, $vendor_id);
$_SESSION['alert_message'] = "Vendor <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_vendor'])) {
require_once 'post/user/vendor_model.php';
$vendor_id = intval($_POST['vendor_id']);
$vendor_template_id = intval($_POST['vendor_template_id']);
// Get Client ID
$sql_vendor = mysqli_query($mysqli,"SELECT vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql_vendor);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_name = '$name', vendor_description = '$description', vendor_contact_name = '$contact_name', vendor_phone_country_code = '$phone_country_code', vendor_phone = '$phone', vendor_extension = '$extension', vendor_email = '$email', vendor_website = '$website', vendor_hours = '$hours', vendor_sla = '$sla', vendor_code = '$code',vendor_account_number = '$account_number', vendor_notes = '$notes', vendor_template_id = $vendor_template_id WHERE vendor_id = $vendor_id");
// Logging
logAction("Vendor", "Edit", "$session_name edited vendor $name", $client_id, $vendor_id);
$_SESSION['alert_message'] = "Vendor <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_vendor'])) {
$vendor_id = intval($_GET['archive_vendor']);
//Get Vendor Name
$sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NOW() WHERE vendor_id = $vendor_id");
// Logging
logAction("Vendor", "Archive", "$session_name archived vendor $vendor_name", $client_id, $vendor_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_vendor'])){
$vendor_id = intval($_GET['unarchive_vendor']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
// Logging
logAction("Vendor", "Unarchive", "$session_name unarchived vendor $vendor_name", $client_id, $vendor_id);
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_vendor'])) {
$vendor_id = intval($_GET['delete_vendor']);
//Get Vendor Name
$sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
$vendor_template_id = intval($row['vendor_template_id']);
// If its a template reset all vendors based off this template to no template base
if ($vendor_template_id > 0) {
mysqli_query($mysqli,"UPDATE vendors SET vendor_template_id = 0 WHERE vendor_template_id = $vendor_template_id");
}
mysqli_query($mysqli,"DELETE FROM vendors WHERE vendor_id = $vendor_id");
// Logging
logAction("Vendor", "Delete", "$session_name deleted vendor $vendor_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Vendor <strong>$vendor_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_vendors'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['vendor_ids'])) {
// Get Selected Count
$count = count($_POST['vendor_ids']);
// Cycle through array and archive each record
foreach ($_POST['vendor_ids'] as $vendor_id) {
$vendor_id = intval($vendor_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NOW() WHERE vendor_id = $vendor_id");
// Individual Contact logging
logAction("Vendor", "Archive", "$session_name archived vendor $vendor_name", $client_id, $vendor_id);
}
// Bulk Logging
logAction("Vendor", "Bulk Archive", "$session_name archived $count vendor(s)");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived <strong>$count</strong> vendor(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_vendors'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['vendor_ids'])) {
// Get Selected Count
$count = count($_POST['vendor_ids']);
// Cycle through array and unarchive each record
foreach ($_POST['vendor_ids'] as $vendor_id) {
$vendor_id = intval($vendor_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
mysqli_query($mysqli,"UPDATE vendors SET vendor_archived_at = NULL WHERE vendor_id = $vendor_id");
// Individual logging
logAction("Vendor", "Unarchive", "$session_name unarchived vendor $vendor_name", $client_id, $vendor_id);
}
// Bulk Logging
logAction("Vendor", "Bulk Unarchive", "$session_name unarchived $count vendor(s)");
$_SESSION['alert_message'] = "Unarchived <strong>$count</strong> vendor(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_vendors'])) {
validateAdminRole();
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['vendor_ids'])) {
// Get Selected Count
$count = count($_POST['vendor_ids']);
// Cycle through array and delete each record
foreach ($_POST['vendor_ids'] as $vendor_id) {
$vendor_id = intval($vendor_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_name, vendor_client_id, vendor_template_id FROM vendors WHERE vendor_id = $vendor_id");
$row = mysqli_fetch_array($sql);
$vendor_name = sanitizeInput($row['vendor_name']);
$client_id = intval($row['vendor_client_id']);
$vendor_template_id = intval($row['vendor_template_id']);
// If its a template reset all vendors based off this template to no template base
if ($vendor_template_id > 0) {
mysqli_query($mysqli,"UPDATE vendors SET vendor_template_id = 0 WHERE vendor_template_id = $vendor_template_id");
}
mysqli_query($mysqli, "DELETE FROM vendors WHERE vendor_id = $vendor_id AND vendor_client_id = $client_id");
// Logging
logAction("Vendor", "Delete", "$session_name deleted vendor $vendor_name", $client_id);
}
// Bulk Logging
logAction("Vendor", "Bulk Delete", "$session_name deleted $count vendor(s)");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Deleted <strong>$count</strong> vendor(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_vendors_csv'])) {
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "AND vendor_client_id = $client_id";
} else {
$client_query = "AND vendor_client_id = 0";
}
$sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_template = 0 $client_query ORDER BY vendor_name ASC");
$count = mysqli_num_rows($sql);
if ($count > 0) {
$delimiter = ",";
$filename = "Vendors-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Description', 'Contact Name', 'Phone', 'Website', 'Account Number', 'Notes');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['vendor_name'], $row['vendor_description'], $row['vendor_contact_name'], $row['vendor_phone'], $row['vendor_website'], $row['vendor_account_number'], $row['vendor_notes']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
// Logging
logAction("Vendor", "Export", "$session_name exported $count vendor(s) to a CSV file");
exit;
}


@@ -1,475 +0,0 @@
<?php
/*
* ITFlow - GET/POST request handler for vendor contacts
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_vendor_contact'])) {
enforceUserPermission('module_client', 2);
require_once 'post/user/vendor_contact_model.php';
mysqli_query($mysqli,"INSERT INTO vendor_contacts SET vendor_contact_name = '$name', vendor_contact_title = '$title', vendor_contact_phone = '$phone', vendor_contact_extension = '$extension', vendor_contact_mobile = '$mobile', vendor_contact_email = '$email', vendor_contact_notes = '$notes', vendor_contact_department = '$department', vendor_contact_vendor_id = $vendor_id");
$vendor_contact_id = mysqli_insert_id($mysqli);
// Logging
logAction("Vendor Contact", "Create", "$session_name created vendor contact $name", $client_id, $vendor_contact_id);
customAction('vendor_contact_create', $vendor_contact_id);
$_SESSION['alert_message'] = "Vendor Contact <strong>$name</strong> created";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['edit_vendor_contact'])) {
enforceUserPermission('module_client', 2);
require_once 'post/user/vendor_contact_model.php';
$vendor_contact_id = intval($_POST['vendor_contact_id']);
mysqli_query($mysqli,"UPDATE vendor_contacts SET vendor_contact_name = '$name', vendor_contact_title = '$title', vendor_contact_phone = '$phone', vendor_contact_extension = '$extension', vendor_contact_mobile = '$mobile', vendor_contact_email = '$email', contact_pin = '$pin', vendor_contact_notes = '$notes', vendor_contact_department = '$department' WHERE vendor_contact_id = $vendor_contact_id");
//Logging
logAction("Vendor Contact", "Edit", "$session_name edited vendor contact $name", $client_id, $vendor_contact_id);
customAction('vendor_contact_update', $vendor_contact_id);
$_SESSION['alert_message'] = "Vendor Contact <strong>$name</strong> updated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_archive_vendor_contacts'])) {
enforceUserPermission('module_client', 2);
//validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['vendor_contact_ids'])) {
$count = 0; // Default 0
// Cycle through array and archive each contact
foreach ($_POST['vendor_contact_ids'] as $vendor_contact_id) {
$vendor_contact_id = intval($vendor_contact_id);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT vendor_contact_name, vendor_contact_client_id FROM vendor_contacts WHERE vendor_contact_id = $vendor_contact_id");
$row = mysqli_fetch_array($sql);
$vendor_contact_name = sanitizeInput($row['vendor_contact_name']);
$client_id = intval($row['contact_client_id']);
}
// Bulk Logging
logAction("Vendor Contact", "Bulk Archive", "$session_name archived $count vendor contacts", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Archived <strong>$count</strong> vendor contact(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_vendor_contacts'])) {
enforceUserPermission('module_client', 2);
//validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['contact_ids'])) {
// Get Selected Contacts Count
$count = count($_POST['contact_ids']);
// Cycle through array and unarchive each contact
foreach ($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
// unArchive Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NULL WHERE user_id = $contact_user_id");
}
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
// Individual Contact logging
logAction("Contact", "Unarchive", "$session_name unarchived $contact_name", $client_id, $contact_id);
}
// Bulk Logging
logAction("Contact", "Bulk Unarchive", "$session_name Unarchived $count contacts", $client_id);
$_SESSION['alert_message'] = "You unarchived <strong>$count</strong> contact(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_vendor_contacts'])) {
enforceUserPermission('module_client', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['contact_ids'])) {
// Get Selected Contacts Count
$count = count($_POST['contact_ids']);
// Cycle through array and delete each record
foreach ($_POST['contact_ids'] as $contact_id) {
$contact_id = intval($contact_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
// Delete Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $contact_user_id");
}
mysqli_query($mysqli, "DELETE FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $client_id");
// Remove Relations
mysqli_query($mysqli, "DELETE FROM contact_tags WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_assets WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_documents WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_files WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_logins WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_notes WHERE contact_note_contact_id = $contact_id");
// Individual Logging
logAction("Contact", "Delete", "$session_name deleted $contact_name", $client_id);
}
// Bulk Logging
logAction("Contact", "Bulk Delete", "$session_name deleted $count contacts", $client_id);
$_SESSION['alert_message'] = "You deleted <strong>$count</strong> contact(s)";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['archive_vendor_contact'])) {
enforceUserPermission('module_client', 2);
$contact_id = intval($_GET['archive_contact']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
// Archive Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NOW() WHERE user_id = $contact_user_id");
}
mysqli_query($mysqli,"UPDATE contacts SET contact_important = 0, contact_billing = 0, contact_technical = 0, contact_archived_at = NOW() WHERE contact_id = $contact_id");
// Logging
logAction("Contact", "Archive", "$session_name archived contact $contact_name", $client_id, $contact_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> has been archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['unarchive_vendor_contact'])) {
validateAdminRole();
$contact_id = intval($_GET['unarchive_contact']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id, contact_user_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
// unArchive Contact User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"UPDATE users SET user_archived_at = NULL WHERE user_id = $contact_user_id");
}
mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NULL WHERE contact_id = $contact_id");
// logging
logAction("Contact", "Unarchive", "$session_name unarchived contact $contact_name", $client_id, $contact_id);
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> has been Unarchived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_vendor_contact'])) {
enforceUserPermission('module_client', 3);
$contact_id = intval($_GET['delete_contact']);
// Get Contact Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT contact_name, contact_client_id FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$contact_name = sanitizeInput($row['contact_name']);
$client_id = intval($row['contact_client_id']);
$contact_user_id = intval($row['contact_user_id']);
// Delete User
if ($contact_user_id > 0) {
mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $contact_user_id");
}
mysqli_query($mysqli,"DELETE FROM contacts WHERE contact_id = $contact_id");
// Remove Relations
mysqli_query($mysqli, "DELETE FROM contact_tags WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_assets WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_documents WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_files WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_logins WHERE contact_id = $contact_id");
mysqli_query($mysqli, "DELETE FROM contact_notes WHERE contact_note_contact_id = $contact_id");
//Logging
logAction("Contact", "Delete", "$session_name deleted contact $contact_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> has been deleted.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['export_vendor_contacts_csv'])) {
enforceUserPermission('module_client');
$client_id = intval($_POST['client_id']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
//Contacts
$sql = mysqli_query($mysqli,"SELECT * FROM contacts LEFT JOIN locations ON location_id = contact_location_id WHERE contact_client_id = $client_id AND contact_archived_at IS NULL ORDER BY contact_name ASC");
$num_rows = mysqli_num_rows($sql);
if ($num_rows > 0) {
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Contacts-" . date('Y-m-d') . ".csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array('Name', 'Title', 'Department', 'Email', 'Phone', 'Ext', 'Mobile', 'Location');
fputcsv($f, $fields, $delimiter);
//output each row of the data, format line as csv and write to file pointer
while($row = $sql->fetch_assoc()) {
$lineData = array($row['contact_name'], $row['contact_title'], $row['contact_department'], $row['contact_email'], formatPhoneNumber($row['contact_phone']), $row['contact_extension'], formatPhoneNumber($row['contact_mobile']), $row['location_name']);
fputcsv($f, $lineData, $delimiter);
}
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
}
//Logging
logAction("Contact", "Export", "$session_name exported $num_rows contact(s) to a CSV file", $client_id);
exit;
}
if (isset($_POST["import_vendor_contacts_csv"])) {
enforceUserPermission('module_client', 2);
$client_id = intval($_POST['client_id']);
$error = false;
if (!empty($_FILES["file"]["tmp_name"])) {
$file_name = $_FILES["file"]["tmp_name"];
} else {
$_SESSION['alert_message'] = "Please select a file to upload.";
$_SESSION['alert_type'] = "error";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
//Check file is CSV
$file_extension = strtolower(end(explode('.',$_FILES['file']['name'])));
$allowed_file_extensions = array('csv');
if (in_array($file_extension,$allowed_file_extensions) === false) {
$error = true;
$_SESSION['alert_message'] = "Bad file extension";
}
//Check file isn't empty
elseif ($_FILES["file"]["size"] < 1) {
$error = true;
$_SESSION['alert_message'] = "Bad file size (empty?)";
}
//(Else)Check column count
$f = fopen($file_name, "r");
$f_columns = fgetcsv($f, 1000, ",");
if (!$error & count($f_columns) != 8) {
$error = true;
$_SESSION['alert_message'] = "Bad column count.";
}
//Else, parse the file
if (!$error) {
$file = fopen($file_name, "r");
fgetcsv($file, 1000, ","); // Skip first line
$row_count = 0;
$duplicate_count = 0;
while(($column = fgetcsv($file, 1000, ",")) !== false) {
$duplicate_detect = 0;
if (isset($column[0])) {
$name = sanitizeInput($column[0]);
if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_name = '$name' AND contact_client_id = $client_id")) > 0) {
$duplicate_detect = 1;
}
}
if (isset($column[1])) {
$title = sanitizeInput($column[1]);
}
if (isset($column[2])) {
$department = sanitizeInput($column[2]);
}
if (isset($column[3])) {
$email = sanitizeInput($column[3]);
}
if (isset($column[4])) {
$phone = preg_replace("/[^0-9]/", '',$column[4]);
}
if (isset($column[5])) {
$ext = preg_replace("/[^0-9]/", '',$column[5]);
}
if (isset($column[6])) {
$mobile = preg_replace("/[^0-9]/", '',$column[6]);
}
if (isset($column[7])) {
$location = sanitizeInput($column[7]);
$sql_location = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_name = '$location' AND location_client_id = $client_id");
$row = mysqli_fetch_assoc($sql_location);
$location_id = intval($row['location_id']);
}
// Potentially import the rest in the future?
// Check if duplicate was detected
if ($duplicate_detect == 0) {
//Add
mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_department = '$department', contact_email = '$email', contact_phone = '$phone', contact_extension = '$ext', contact_mobile = '$mobile', contact_location_id = $location_id, contact_client_id = $client_id");
$row_count = $row_count + 1;
}else{
$duplicate_count = $duplicate_count + 1;
}
}
fclose($file);
//Logging
logAction("Contact", "Import", "$session_name imported $row_count contact(s) via CSV file", $client_id);
$_SESSION['alert_message'] = "$row_count Contact(s) added, $duplicate_count duplicate(s) detected";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//Check for any errors, if there are notify user and redirect
if ($error) {
$_SESSION['alert_type'] = "warning";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
}
if (isset($_GET['download_vendor_contacts_csv_template'])) {
$client_id = intval($_GET['download_client_contacts_csv_template']);
//get records from database
$sql = mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id");
$row = mysqli_fetch_array($sql);
$client_name = $row['client_name'];
$delimiter = ",";
$filename = strtoAZaz09($client_name) . "-Contacts-Template.csv";
//create a file pointer
$f = fopen('php://memory', 'w');
//set column headers
$fields = array(
'Full Name ',
'Job Title ',
'Department Name ',
'Email Address ',
'Office Phone ',
'Office Extension ',
'Mobile Phone ',
'Office Location '
);
fputcsv($f, $fields, $delimiter);
//move back to beginning of file
fseek($f, 0);
//set headers to download file rather than displayed
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $filename . '";');
//output all remaining data on a file pointer
fpassthru($f);
exit;
}


@@ -1,13 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
$vendor_id = intval($_POST['vendor_id']);
$name = sanitizeInput($_POST['name']);
$title = sanitizeInput($_POST['title']);
$department = sanitizeInput($_POST['department']);
$phone = preg_replace("/[^0-9]/", '', $_POST['phone']);
$extension = preg_replace("/[^0-9]/", '', $_POST['extension']);
$mobile = preg_replace("/[^0-9]/", '', $_POST['mobile']);
$email = sanitizeInput($_POST['email']);
$notes = sanitizeInput($_POST['notes']);


@@ -1,16 +0,0 @@
<?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$account_number = sanitizeInput($_POST['account_number']);
$contact_name = sanitizeInput($_POST['contact_name']);
$phone_country_code = preg_replace("/[^0-9]/", '', $_POST['phone_country_code']);
$phone = preg_replace("/[^0-9]/", '', $_POST['phone']);
$extension = preg_replace("/[^0-9]/", '', $_POST['extension']);
$email = sanitizeInput($_POST['email']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website']));
$hours = sanitizeInput($_POST['hours']);
$sla = sanitizeInput($_POST['sla']);
$code = sanitizeInput($_POST['code']);
$notes = sanitizeInput($_POST['notes']);