From d420cd691dcc172aed016dcee18ed8ba5d5bd5c9 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 7 Jan 2022 15:21:09 +0000 Subject: [PATCH 1/4] Initial API restructure --- api.php | 357 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 183 insertions(+), 174 deletions(-) diff --git a/api.php b/api.php index d4cab378..d34928f1 100644 --- a/api.php +++ b/api.php @@ -1,183 +1,192 @@ "; - } - - //Log - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Client Numbers', log_description = 'Client Phone Numbers were pulled', log_created_at = NOW(), company_id = $company_id"); - - } - - if(isset($_GET['phonebook'])){ - - header('Content-type: text/xml'); - header('Pragma: public'); - header('Cache-control: private'); - header('Expires: -1'); - echo ""; - echo ''; - - $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $company_id"); - - while($row = mysqli_fetch_array($sql)){ - $client_name = $row['client_name']; - $client_phone = $row['client_phone']; - - ?> - - - - - - - 0 - - - - - - - - - - 1 - - - - - - - - - - - 2 - - - - '; - - //Log - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Phonebook', log_description = 'XML Phonebook Downloaded', log_created_at = NOW(), company_id = $company_id"); +//Check Key - } - - if(isset($_GET['client_emails'])){ - - $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $company_id"); - - while($row = mysqli_fetch_array($sql)){ - $client_name = $row['client_name']; - $client_email = $row['client_email']; - - echo "$client_name - $client_email
"; - } - - //Log - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Client Emails', log_description = 'Client Emails were pulled', log_created_at = NOW(), company_id = $company_id"); - - - } - - if(isset($_GET['account_balance'])){ - - $client_id = intval($_GET['account_balance']); - - //Add up all the payments for the invoice and get the total amount paid to the invoice - $sql_invoice_amounts = mysqli_query($mysqli,"SELECT SUM(invoice_amount) AS invoice_amounts FROM invoices WHERE client_id = $client_id AND invoice_status NOT LIKE 'Draft' AND invoice_status NOT LIKE 'Cancelled' AND company_id = $company_id"); - $row = mysqli_fetch_array($sql_invoice_amounts); - - $invoice_amounts = $row['invoice_amounts']; - - $sql_amount_paid = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS amount_paid FROM payments, invoices WHERE payments.invoice_id = invoices.invoice_id AND invoices.client_id = $client_id AND payments.company_id = $company_id"); - $row = mysqli_fetch_array($sql_amount_paid); - - $amount_paid = $row['amount_paid']; - - $balance = $invoice_amounts - $amount_paid; - - echo $balance; - - //Log - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Account Balance', log_description = 'Client $client_id checked their balance which had a balance of $balance', log_created_at = NOW(), company_id = $company_id"); - - - } - - }else{ - echo "Incorrect API Key"; - - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Incorrect Key', log_description = 'Failed', log_created_at = NOW()"); - } - -}else{ - echo "Missing the API Key"; - +// Check API key is provided in GET request as 'api_key' +if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) { + // Missing key + header("HTTP/1.1 401 Unauthorized"); mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'No Key', log_description = 'No API Key specified', log_created_at = NOW()"); + + echo "Missing the API Key."; + exit(); } +// 
Validate API key from GET request +$config_api_key = mysqli_real_escape_string($mysqli,$_GET['api_key']); +$sql = mysqli_query($mysqli,"SELECT * FROM settings, companies WHERE settings.company_id = companies.company_id AND settings.config_api_key = '$config_api_key'"); +if(mysqli_num_rows($sql) != 1){ + // Invalid Key + header("HTTP/1.1 401 Unauthorized"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Incorrect Key', log_description = 'Failed', log_created_at = NOW()"); + + echo "Incorrect API Key."; + exit(); +} + +// API Key is valid. + +$row = mysqli_fetch_array($sql); +$company_id = $row['company_id']; + +if(isset($_GET['cid'])){ + + $cid = intval($_GET['cid']); + + $sql = mysqli_query($mysqli,"SELECT client_name AS name FROM clients WHERE client_phone = $cid AND company_id = $company_id UNION SELECT contact_name AS name FROM contacts WHERE contact_phone = $cid AND company_id = $company_id UNION SELECT contact_name AS name FROM contacts WHERE contact_mobile = $cid AND company_id = $company_id UNION SELECT location_name AS name FROM locations WHERE location_phone = $cid AND company_id = $company_id UNION SELECT vendor_name AS name FROM vendors WHERE vendor_phone = $cid AND company_id = $company_id"); + + $row = mysqli_fetch_array($sql); + $name = $row['name']; + + echo "$name - $cid"; + //Alert whern call comes through + mysqli_query($mysqli,"INSERT INTO alerts SET alert_type = 'Inbound Call', alert_message = 'Inbound call from $name - $cid', alert_date = NOW(), company_id = $company_id"); + //Log When call comes through + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Call', log_action = 'Inbound', log_description = 'Inbound call from $name - $cid', log_created_at = NOW(), company_id = $company_id"); + +} + +if(isset($_GET['incoming_call'])){ + + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'call', log_description = 'incoming', log_created_at = NOW(), company_id = $company_id"); + +} + 
+if(isset($_GET['client_numbers'])){ + + $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $company_id"); + + while($row = mysqli_fetch_array($sql)){ + $client_name = $row['client_name']; + $client_phone = $row['client_phone']; + + echo "$client_name - $client_phone
"; + } + + //Log + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Client Numbers', log_description = 'Client Phone Numbers were pulled', log_created_at = NOW(), company_id = $company_id"); + +} + +if(isset($_GET['phonebook'])){ + + header('Content-type: text/xml'); + header('Pragma: public'); + header('Cache-control: private'); + header('Expires: -1'); + echo ""; + echo ''; + + $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $company_id"); + + while($row = mysqli_fetch_array($sql)){ + $client_name = $row['client_name']; + $client_phone = $row['client_phone']; + + ?> + + + + + + + 0 + + + + + + + + + + 1 + + + + + + + + + + + 2 + + + + '; + + //Log + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Phonebook', log_description = 'XML Phonebook Downloaded', log_created_at = NOW(), company_id = $company_id"); + + +} + +if(isset($_GET['client_emails'])){ + + $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $company_id"); + + while($row = mysqli_fetch_array($sql)){ + $client_name = $row['client_name']; + $client_email = $row['client_email']; + + echo "$client_name - $client_email
"; + } + + //Log + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Client Emails', log_description = 'Client Emails were pulled', log_created_at = NOW(), company_id = $company_id"); + + +} + +if(isset($_GET['account_balance'])){ + + $client_id = intval($_GET['account_balance']); + + //Add up all the payments for the invoice and get the total amount paid to the invoice + $sql_invoice_amounts = mysqli_query($mysqli,"SELECT SUM(invoice_amount) AS invoice_amounts FROM invoices WHERE client_id = $client_id AND invoice_status NOT LIKE 'Draft' AND invoice_status NOT LIKE 'Cancelled' AND company_id = $company_id"); + $row = mysqli_fetch_array($sql_invoice_amounts); + + $invoice_amounts = $row['invoice_amounts']; + + $sql_amount_paid = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS amount_paid FROM payments, invoices WHERE payments.invoice_id = invoices.invoice_id AND invoices.client_id = $client_id AND payments.company_id = $company_id"); + $row = mysqli_fetch_array($sql_amount_paid); + + $amount_paid = $row['amount_paid']; + + $balance = $invoice_amounts - $amount_paid; + + echo $balance; + + //Log + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Account Balance', log_description = 'Client $client_id checked their balance which had a balance of $balance', log_created_at = NOW(), company_id = $company_id"); + + +} + + ?> \ No newline at end of file From 87faebd90d5eb551a1ccf2dc56995200d93810a7 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Fri, 7 Jan 2022 15:51:22 +0000 Subject: [PATCH 2/4] Add functionality to for adding new assets via API --- README.md | 4 +++- api.php | 21 ++++++++++++++++++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ac95f94a..d9601126 100644 --- a/README.md +++ b/README.md 
@@ -109,7 +109,9 @@ * XML Phonebook Download - /api.php?api_key=[API_KEY]&phonebook * Client Email (great for mailing lists) - /api.php?api_key=[API_KEY]&client_emails - Returns Client Name - Email Address * Account Balance for Client (can be integrated into multiple places for example in FreePBX Press 3 to check account balance, please enter your client ID your balance is) - /api.php?api_key=[API_KEY]&client_id=[CLIENT_ID] - Returns Account Balance -NOTE: [API_KEY] - is auto generated when a company is created and shows up in General Settings, this can also be changed manually. +* Add new asset for a client - /api.php?api_key=[API_KEY]&add_asset=Name&type=[Desktop|Laptop|Server]&make=Make&model=Model&serial=Serial&os=OS + * Required: api_key, add_asset (name) +* NOTE: [API_KEY] - is auto generated when a company is created and shows up in General Settings, this can also be changed manually. ### Future Todo * MeshCentral / TacticalRMM (Export Assets Info to ITFlow, Exports common software applications to Software) diff --git a/api.php b/api.php index d34928f1..37de01d9 100644 --- a/api.php +++ b/api.php @@ -1,8 +1,6 @@ Date: Fri, 7 Jan 2022 19:10:29 +0000 Subject: [PATCH 3/4] Set php session cookie to be httponly --- login.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/login.php b/login.php index 8e7ad958..7cd5638b 100644 --- a/login.php +++ b/login.php @@ -16,6 +16,9 @@ $browser = strip_tags(mysqli_real_escape_string($mysqli,get_web_browser())); $user_agent = "$os - $browser"; +// HTTP Only cookies +ini_set("session.cookie_httponly", True); + session_start(); if(isset($_POST['login'])){ From adf1dbe76e9a168da2844146c83d92ae37ccc9f2 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Fri, 7 Jan 2022 14:25:35 -0500 Subject: [PATCH 4/4] Cleanups --- post.php | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/post.php b/post.php index c16def06..0f6d17f1 100644 --- a/post.php +++ b/post.php 
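Review bot: `ini_set("session.cookie_httponly", True);` is correctly placed before `session_start()`, but it only affects the cookie when the session is first issued from this script; post.php in the same series writes `$_SESSION['alert_message']`, so other entry points start the session too, and a cookie issued from one of them would lack the flag unless the setting lives in a shared include or `php.ini`. `ini_set()` takes a string value, so `'1'` (or lowercase `true`, per PSR) reads more clearly than `True`. The companion flags belong at the same place, e.g. `session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);` before `session_start()` (PHP 7.3+), with `secure` conditional on the site being served over TLS. The surrounding login script continues outside the hunk on both sides.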
@@ -4136,51 +4136,47 @@ if (isset($_POST["import_client_assets_csv"])) { $client_id = intval($_POST['client_id']); $file_name = $_FILES["file"]["tmp_name"]; - if ($_FILES["file"]["size"] > 0) { + if($_FILES["file"]["size"] > 0){ $file = fopen($file_name, "r"); fgetcsv($file, 1000, ","); // Skip first line - while (($column = fgetcsv($file, 1000, ",")) !== FALSE) { - if (isset($column[0])) { + while(($column = fgetcsv($file, 1000, ",")) !== FALSE){ + if(isset($column[0])) { $name = trim(strip_tags(mysqli_real_escape_string($mysqli, $column[0]))); } - if (isset($column[1])) { + if(isset($column[1])){ $type = trim(strip_tags(mysqli_real_escape_string($mysqli, $column[1]))); } - if (isset($column[2])) { + if(isset($column[2])){ $make = trim(strip_tags(mysqli_real_escape_string($mysqli, $column[2]))); } - if (isset($column[3])) { + if(isset($column[3])){ $model = trim(strip_tags(mysqli_real_escape_string($mysqli, $column[3]))); } - if (isset($column[4])) { + if(isset($column[4])){ $serial = trim(strip_tags(mysqli_real_escape_string($mysqli, $column[4]))); } - if (isset($column[5])) { + if(isset($column[5])){ $os = trim(strip_tags(mysqli_real_escape_string($mysqli, $column[5]))); } // Potentially import the rest in the future? 
- // Add + //Add mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_created_at = NOW(), asset_client_id = $client_id, company_id = $session_company_id"); //Logging - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, log_user_id = $session_user_id"); + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Import', log_description = '$session_name imported CSV file into assets', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id"); } fclose($file); - $_SESSION['alert_message'] = "Asset added"; - - header("Location: " . $_SERVER["HTTP_REFERER"]); - } - else { + $_SESSION['alert_message'] = "Assets added via CSV file"; + }else{ // The file was empty $_SESSION['alert_type'] = "warning"; $_SESSION['alert_message'] = "Something went wrong"; - header("Location: " . $_SERVER["HTTP_REFERER"]); } + header("Location: " . $_SERVER["HTTP_REFERER"]); } - if(isset($_POST['edit_asset'])){ $asset_id = intval($_POST['asset_id']);
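Review bot: The replaced log line is still inside the `while` loop over CSV rows, so the new `'Import'` entry (`'$session_name imported CSV file into assets'`) is written once per row with identical text, whereas the old per-row `'Created'` log at least recorded each `$name`; either keep the asset name in the description or move that INSERT after `fclose($file)` so the import is logged once. Separately, `$name`, `$type`, `$make`, `$model`, `$serial` and `$os` are only assigned when the corresponding column is present and are never reset, so a short row silently inherits values from the previous row (and a short first row hits undefined variables); initialising all six to `''` at the top of the loop body fixes both. The moved `header("Location: " . $_SERVER["HTTP_REFERER"]);` now runs for both branches, but `HTTP_REFERER` is client-supplied and may be absent, so a fixed fallback path would be safer. The enclosing `if (isset($_POST["import_client_assets_csv"]))` block begins at the hunk's first context line, and the hunk ends inside the following `edit_asset` block.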