Merge pull request #421 from wrongecho/misc2

Client portal + permission bug fix
2022-03-28 19:15:01 -04:00 · 2022-03-28 19:15:01 -04:00 · bb24cc7112
parent 512a2d03eb 390e52f7bd
commit bb24cc7112
4 changed files with 142 additions and 91 deletions
--- a/portal/inc_portal.php
+++ b/portal/inc_portal.php
@ -7,6 +7,7 @@
 include('../config.php');
 include('../functions.php');
 include('check_login.php');
+include('portal_functions.php');

 if(!isset($_SESSION)){
  // HTTP Only cookies
--- a/portal/portal_functions.php
+++ b/portal/portal_functions.php
@ -0,0 +1,38 @@
+<?php
+/*
+ * Client Portal
+ * Functions
+ */
+
+/*
+ * Verifies a contact has access to a particular ticket ID, and that the ticket is in the correct state (open/closed) to perform an action
+ */
+function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state){
+
+  // Access the global variables
+  global $mysqli, $session_contact_id, $session_client_primary_contact_id, $session_client_id;
+
+  // Setup
+  if($expected_ticket_state == "Closed"){
+    // Closed tickets
+    $ticket_state_snippet = "ticket_status = 'Closed'";
+  }
+  else{
+    // Open (working/hold) tickets
+    $ticket_state_snippet = "ticket_status != 'Closed'";
+  }
+
+  // Verify the contact has access to the provided ticket ID
+  $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND $ticket_state_snippet AND ticket_client_id = '$session_client_id' LIMIT 1");
+  $row = mysqli_fetch_array($sql);
+  $ticket_id = $row['ticket_id'];
+
+  if(intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id)) {
+    // Client is ticket owner, or primary contact
+    return TRUE;
+  }
+
+  // Client is NOT ticket owner or primary contact
+  return FALSE;
+
+}
--- a/portal/portal_post.php
+++ b/portal/portal_post.php
@ -6,94 +6,6 @@

 require_once("inc_portal.php");

-if(isset($_GET['logout'])){
-  setcookie("PHPSESSID", '', time() - 3600, "/");
-  unset($_COOKIE['PHPSESSID']);
-
-  session_unset();
-  session_destroy();
-
-  header('Location: login.php');
-}
-
-if(isset($_POST['add_ticket_comment'])){
-  // HTML Purifier
-  require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
-  $purifier_config = HTMLPurifier_Config::createDefault();
-  $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
-  $purifier = new HTMLPurifier($purifier_config);
-
-  $requested_ticket_id = intval($_POST['ticket_id']);
-
-  // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
-  // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
-  // So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
-  $comment = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
-
-  if(empty($comment)){
-    header("Location: " . $_SERVER["HTTP_REFERER"]);
-    exit;
-  }
-
-  // Verify the contact has access to the provided ticket ID
-  $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND ticket_status != 'Closed' AND ticket_client_id = '$session_client_id' LIMIT 1");
-  $row = mysqli_fetch_array($sql);
-  $ticket_id = $row['ticket_id'];
-
-  if(intval($ticket_id)){
-    if($row['ticket_contact_id'] !== $session_contact_id AND $session_client_primary_contact_id !== $session_contact_id){
-      // This would only happen if the user intentionally modifies the hidden ticket_id value
-      header("Location: portal_post.php?logout");
-      exit();
-    }
-
-    // Add comment
-    mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
-
-    // Update Ticket Last Response Field & set ticket to open as client has replied
-    mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
-
-    header("Location: " . $_SERVER["HTTP_REFERER"]);
-  }
-  else{
-    header("Location: portal_post.php?logout");
-    exit();
-  }
-}
-
-if(isset($_POST['add_ticket_feedback'])){
-  $requested_ticket_id = intval($_POST['ticket_id']);
-  $feedback = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['add_ticket_feedback'])));
-
-  // Verify the contact has access to the provided ticket ID
-  $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND ticket_status = 'Closed' AND ticket_client_id = '$session_client_id' LIMIT 1");
-  $row = mysqli_fetch_array($sql);
-  $ticket_id = $row['ticket_id'];
-  $ticket_subject = $row['ticket_subject'];
-
-  if(intval($ticket_id)){
-    if($row['ticket_contact_id'] !== $session_contact_id AND $session_client_primary_contact_id !== $session_contact_id){
-      header("Location: " . $_SERVER["HTTP_REFERER"]);
-      exit("No access to this ticket ($requested_ticket_id)");
-    }
-
-    // Add feedback
-    mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
-
-    if($feedback == "Bad"){
-      mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket - $ticket_subject ($ticket_id) - as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
-    }
-
-    header("Location: " . $_SERVER["HTTP_REFERER"]);
-  }
-  else{
-    header("Location: portal_post.php?logout");
-    exit();
-  }
-
-
-}
-
 if(isset($_POST['add_ticket'])){

  // Get ticket prefix/number
@ -129,9 +41,109 @@ if(isset($_POST['add_ticket'])){
  mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
  $id = mysqli_insert_id($mysqli);

-  //Logging
+  // Logging
  mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");

  header("Location: ticket.php?id=" . $id);

+}
+
+if(isset($_POST['add_ticket_comment'])){
+  // HTML Purifier
+  require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
+  $purifier_config = HTMLPurifier_Config::createDefault();
+  $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+  $purifier = new HTMLPurifier($purifier_config);
+
+  $ticket_id = intval($_POST['ticket_id']);
+
+  // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
+  // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
+  // So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
+  $comment = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
+
+  // After stripping bad HTML, check the comment isn't just empty
+  if(empty($comment)){
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+    exit;
+  }
+
+  // Verify the contact has access to the provided ticket ID
+  if(verifyContactTicketAccess($ticket_id, "Open")) {
+
+    // Add the comment
+    mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
+
+    // Update Ticket Last Response Field & set ticket to open as client has replied
+    mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
+
+    // Redirect
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+  }
+  else {
+    // The client does not have access to this ticket
+    header("Location: portal_post.php?logout");
+    exit();
+  }
+}
+
+if(isset($_POST['add_ticket_feedback'])){
+  $ticket_id = intval($_POST['ticket_id']);
+  $feedback = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['add_ticket_feedback'])));
+
+  // Verify the contact has access to the provided ticket ID
+  if(verifyContactTicketAccess($ticket_id, "Closed")) {
+
+    // Add feedback
+    mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
+
+    // Notify on bad feedback
+    if($feedback == "Bad"){
+      mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
+    }
+
+    // Redirect
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+  }
+  else {
+    // The client does not have access to this ticket
+    header("Location: portal_post.php?logout");
+    exit();
+  }
+
+}
+
+if(isset($_GET['close_ticket'])){
+  $ticket_id = intval($_GET['close_ticket']);
+
+  // Verify the contact has access to the provided ticket ID
+  if(verifyContactTicketAccess($ticket_id, "Open")) {
+
+    // Close ticket
+    mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'");
+
+    // Add reply
+    mysqli_query($mysqli,"INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id");
+
+    //Logging
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_created_at = NOW(), company_id = $session_company_id");
+
+    header("Location: ticket.php?id=" . $ticket_id);
+  }
+  else {
+    // The client does not have access to this ticket
+    // This is only a GET request, might just be a mistake
+    header("Location: index.php");
+    exit();
+  }
+}
+
+if(isset($_GET['logout'])){
+  setcookie("PHPSESSID", '', time() - 3600, "/");
+  unset($_COOKIE['PHPSESSID']);
+
+  session_unset();
+  session_destroy();
+
+  header('Location: login.php');
 }
--- a/post.php
+++ b/post.php
@ -4151,7 +4151,7 @@ if(isset($_GET['delete_revenue'])){

 if(isset($_POST['add_contact'])){

-    if($session_user_role = 1){
+    if($session_user_role == 1){
      $_SESSION['alert_type'] = "danger";
      $_SESSION['alert_message'] = "You are not permitted to do that!";
      header("Location: " . $_SERVER["HTTP_REFERER"]);
@ -4238,7 +4238,7 @@ if(isset($_POST['add_contact'])){

 if(isset($_POST['edit_contact'])){

-    if($session_user_role = 1){
+    if($session_user_role == 1){
      $_SESSION['alert_type'] = "danger";
      $_SESSION['alert_message'] = "You are not permitted to do that!";
      header("Location: " . $_SERVER["HTTP_REFERER"]);