From 0020c5708ab69c4297fb913aa5b39eadc718503b Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Mon, 28 Mar 2022 21:48:20 +0100 Subject: [PATCH 1/3] Fix = vs == role check mistake --- post.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/post.php b/post.php index 2fe355c7..dc319ef0 100644 --- a/post.php +++ b/post.php @@ -4151,7 +4151,7 @@ if(isset($_GET['delete_revenue'])){ if(isset($_POST['add_contact'])){ - if($session_user_role = 1){ + if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; $_SESSION['alert_message'] = "You are not permitted to do that!"; header("Location: " . $_SERVER["HTTP_REFERER"]); @@ -4238,7 +4238,7 @@ if(isset($_POST['add_contact'])){ if(isset($_POST['edit_contact'])){ - if($session_user_role = 1){ + if($session_user_role == 1){ $_SESSION['alert_type'] = "danger"; $_SESSION['alert_message'] = "You are not permitted to do that!"; header("Location: " . $_SERVER["HTTP_REFERER"]); From b957d40bdb60f3617648ab0314e2bd744a6dff6f Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Mon, 28 Mar 2022 22:50:23 +0100 Subject: [PATCH 2/3] Move contact ticket access check to function. Add ability for client to close ticket --- portal/inc_portal.php | 1 + portal/portal_functions.php | 40 ++++++++ portal/portal_post.php | 190 +++++++++++++++++++----------------- 3 files changed, 142 insertions(+), 89 deletions(-) create mode 100644 portal/portal_functions.php diff --git a/portal/inc_portal.php b/portal/inc_portal.php index 954e8c92..bcabab29 100644 --- a/portal/inc_portal.php +++ b/portal/inc_portal.php @@ -7,6 +7,7 @@ include('../config.php'); include('../functions.php'); include('check_login.php'); +include('portal_functions.php'); if(!isset($_SESSION)){ // HTTP Only cookies diff --git a/portal/portal_functions.php b/portal/portal_functions.php new file mode 100644 index 00000000..5d1fe3cf --- /dev/null +++ b/portal/portal_functions.php @@ -0,0 +1,40 @@ +set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); - $purifier = new HTMLPurifier($purifier_config); - - $requested_ticket_id = intval($_POST['ticket_id']); - - // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks. - // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags. - // So, we need to convert line breaks to HTML and clean HTML with HTML Purifier - $comment = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['comment']))))); - - if(empty($comment)){ - header("Location: " . $_SERVER["HTTP_REFERER"]); - exit; - } - - // Verify the contact has access to the provided ticket ID - $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND ticket_status != 'Closed' AND ticket_client_id = '$session_client_id' LIMIT 1"); - $row = mysqli_fetch_array($sql); - $ticket_id = $row['ticket_id']; - - if(intval($ticket_id)){ - if($row['ticket_contact_id'] !== $session_contact_id AND $session_client_primary_contact_id !== $session_contact_id){ - // This would only happen if the user intentionally modifies the hidden ticket_id value - header("Location: portal_post.php?logout"); - exit(); - } - - // Add comment - mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'"); - - // Update Ticket Last Response Field & set ticket to open as client has replied - mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1"); - - header("Location: " . $_SERVER["HTTP_REFERER"]); - } - else{ - header("Location: portal_post.php?logout"); - exit(); - } -} - -if(isset($_POST['add_ticket_feedback'])){ - $requested_ticket_id = intval($_POST['ticket_id']); - $feedback = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['add_ticket_feedback']))); - - // Verify the contact has access to the provided ticket ID - $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND ticket_status = 'Closed' AND ticket_client_id = '$session_client_id' LIMIT 1"); - $row = mysqli_fetch_array($sql); - $ticket_id = $row['ticket_id']; - $ticket_subject = $row['ticket_subject']; - - if(intval($ticket_id)){ - if($row['ticket_contact_id'] !== $session_contact_id AND $session_client_primary_contact_id !== $session_contact_id){ - header("Location: " . $_SERVER["HTTP_REFERER"]); - exit("No access to this ticket ($requested_ticket_id)"); - } - - // Add feedback - mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1"); - - if($feedback == "Bad"){ - mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket - $ticket_subject ($ticket_id) - as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'"); - } - - header("Location: " . $_SERVER["HTTP_REFERER"]); - } - else{ - header("Location: portal_post.php?logout"); - exit(); - } - - -} - if(isset($_POST['add_ticket'])){ // Get ticket prefix/number @@ -129,9 +41,109 @@ if(isset($_POST['add_ticket'])){ mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id"); $id = mysqli_insert_id($mysqli); - //Logging + // Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id"); header("Location: ticket.php?id=" . $id); +} + +if(isset($_POST['add_ticket_comment'])){ + // HTML Purifier + require("../plugins/htmlpurifier/HTMLPurifier.standalone.php"); + $purifier_config = HTMLPurifier_Config::createDefault(); + $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); + $purifier = new HTMLPurifier($purifier_config); + + $ticket_id = intval($_POST['ticket_id']); + + // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks. + // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags. + // So, we need to convert line breaks to HTML and clean HTML with HTML Purifier + $comment = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['comment']))))); + + // After stripping bad HTML, check the comment isn't just empty + if(empty($comment)){ + header("Location: " . $_SERVER["HTTP_REFERER"]); + exit; + } + + // Verify the contact has access to the provided ticket ID + if(verifyContactTicketAccess($ticket_id, "Open")) { + + // Add the comment + mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'"); + + // Update Ticket Last Response Field & set ticket to open as client has replied + mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1"); + + // Redirect + header("Location: " . $_SERVER["HTTP_REFERER"]); + } + else { + // The client does not have access to this ticket + header("Location: portal_post.php?logout"); + exit(); + } +} + +if(isset($_POST['add_ticket_feedback'])){ + $ticket_id = intval($_POST['ticket_id']); + $feedback = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['add_ticket_feedback']))); + + // Verify the contact has access to the provided ticket ID + if(verifyContactTicketAccess($ticket_id, "Closed")) { + + // Add feedback + mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1"); + + // Notify on bad feedback + if($feedback == "Bad"){ + mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'"); + } + + // Redirect + header("Location: " . $_SERVER["HTTP_REFERER"]); + } + else { + // The client does not have access to this ticket + header("Location: portal_post.php?logout"); + exit(); + } + +} + +if(isset($_GET['close_ticket'])){ + $ticket_id = intval($_GET['close_ticket']); + + // Verify the contact has access to the provided ticket ID + if(verifyContactTicketAccess($ticket_id, "Open")) { + + // Close ticket + mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'"); + + // Add reply + mysqli_query($mysqli,"INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id"); + + //Logging + mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_created_at = NOW(), company_id = $session_company_id"); + + header("Location: ticket.php?id=" . $ticket_id); + } + else { + // The client does not have access to this ticket + // This is only a GET request, might just be a mistake + header("Location: index.php"); + exit(); + } +} + +if(isset($_GET['logout'])){ + setcookie("PHPSESSID", '', time() - 3600, "/"); + unset($_COOKIE['PHPSESSID']); + + session_unset(); + session_destroy(); + + header('Location: login.php'); } \ No newline at end of file From 390e52f7bdc511d9856780d2cfc72d05f439ff9a Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Mon, 28 Mar 2022 22:56:21 +0100 Subject: [PATCH 3/3] Consolidate if statement --- portal/portal_functions.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/portal/portal_functions.php b/portal/portal_functions.php index 5d1fe3cf..56fcbbf7 100644 --- a/portal/portal_functions.php +++ b/portal/portal_functions.php @@ -27,11 +27,9 @@ function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state) $row = mysqli_fetch_array($sql); $ticket_id = $row['ticket_id']; - if(intval($ticket_id)) { - if ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id) { - // Client is ticket owner, or primary contact - return TRUE; - } + if(intval($ticket_id) && ($session_contact_id == $row['ticket_contact_id'] || $session_contact_id == $session_client_primary_contact_id)) { + // Client is ticket owner, or primary contact + return TRUE; } // Client is NOT ticket owner or primary contact