AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #462 from wrongecho/updated-timestamp 

Assorted changes
This commit is contained in:
Johnny 2022-05-07 15:22:52 -04:00 committed by GitHub
parent 598f1b1aa1 7bb68a36d9
commit cb22db5d65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 211 additions and 617 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
ajax.php
View File

@ -59,12 +59,7 @@ if(isset($_GET['certificate_fetch_parse_json_details'])){
* Looks up info for a given certificate ID from the database, used to dynamically populate modal fields
*/
if(isset($_GET['certificate_get_json_details'])){
if($session_user_role == 1){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
validateTechRole();
$certificate_id = intval($_GET['certificate_id']);
$client_id = intval($_GET['client_id']);
@ -88,12 +83,7 @@ if(isset($_GET['certificate_get_json_details'])){
* Looks up info for a given domain ID from the database, used to dynamically populate modal fields
*/
if(isset($_GET['domain_get_json_details'])){
if($session_user_role == 1){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
validateTechRole();
$domain_id = intval($_GET['domain_id']);
$client_id = intval($_GET['client_id']);
@ -117,12 +107,7 @@ if(isset($_GET['domain_get_json_details'])){
* Looks up info on the ticket number provided, used to populate the ticket merge modal
*/
if(isset($_GET['merge_ticket_get_json_details'])){
if($session_user_role == 1){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
validateTechRole();
$merge_into_ticket_number = intval($_GET['merge_into_ticket_number']);
@ -145,12 +130,7 @@ if(isset($_GET['merge_ticket_get_json_details'])){
* Looks up info for a given network ID from the database, used to dynamically populate modal fields
*/
if(isset($_GET['network_get_json_details'])){
if($session_user_role == 1){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
validateTechRole();
$network_id = intval($_GET['network_id']);
$client_id = intval($_GET['client_id']);
@ -229,12 +209,9 @@ if(isset($_GET['ticket_query_views'])){
* Generates public/guest links for sharing logins/docs
*/
if(isset($_GET['share_generate_link'])){
if($session_user_role == 1){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
validateTechRole();
$item_encrypted_credential = ''; // Default empty
$client_id = intval($_GET['client_id']);
$item_type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['type'])));
@ -244,10 +221,23 @@ if(isset($_GET['share_generate_link'])){
$item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
$item_key = keygen();
if($item_type == "Document"){
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1"));
$item_name = $row['document_name'];
}
if($item_type == "File"){
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1"));
$item_name = $row['file_name'];
}
if($item_type == "Login"){
$login = mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
$login = mysqli_query($mysqli, "SELECT login_name, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
$row = mysqli_fetch_array($login);
$item_name = $row['login_name'];
// Decrypt & re-encrypt password for sharing
$login_password_cleartext = decryptLoginEntry($row['login_password']);
$login_encryption_key = keygen();
$iv = keygen();
@ -255,9 +245,6 @@ if(isset($_GET['share_generate_link'])){
$item_encrypted_credential = $iv . $ciphertext;
}
else{
$item_encrypted_credential = '';
}
// Insert entry into DB
$sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
@ -273,7 +260,7 @@ if(isset($_GET['share_generate_link'])){
echo json_encode($url);
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - Item ID: $item_id', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
}
@ -281,12 +268,7 @@ if(isset($_GET['share_generate_link'])){
* Looks up info for a given scheduled ticket ID from the database, used to dynamically populate modal edit fields
*/
if(isset($_GET['scheduled_ticket_get_json_details'])){
if($session_user_role == 1){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
validateTechRole();
$client_id = intval($_GET['client_id']);
$ticket_id = intval($_GET['ticket_id']);

1
api_key_add_modal.php
View File

@ -13,6 +13,7 @@ $key = keygen();
<form action="post.php" method="post" autocomplete="off">
<div class="modal-body bg-white">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<input type="hidden" name="key" value="<?php echo $key ?>">
<div class="form-group">

3
check_login.php
View File

@ -89,7 +89,4 @@ $num_notifications = $row['num'];
//Set Currency Format
$currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY);
// Role check failed wording
DEFINE("WORDING_ROLECHECK_FAILED", "You are not permitted to do that!");
?>

1
db.sql
View File

@ -48,7 +48,6 @@ CREATE TABLE `api_keys` (
`api_key_name` varchar(255) NOT NULL,
`api_key_secret` varchar(255) NOT NULL,
`api_key_created_at` datetime NOT NULL DEFAULT current_timestamp(),
`api_key_updated_at` datetime DEFAULT NULL,
`api_key_expire` date NOT NULL,
`api_key_client_id` int(11) NOT NULL DEFAULT 0,
`company_id` int(11) NOT NULL,

37
functions.php
View File

@ -1,5 +1,8 @@
<?php
// Role check failed wording
DEFINE("WORDING_ROLECHECK_FAILED", "You are not permitted to do that!");
function keygen()
{
$chars = "abcdefghijklmnopqrstuvwxyz";
@ -432,4 +435,38 @@ function validateCSRFToken($token){
}
}
/*
* Role validation
* Admin - 3
* Tech - 2
* Accountant - 1
*/
function validateAdminRole(){
if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] != 3){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
}
function validateTechRole(){
if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] == 1){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
}
function validateAccountantRole(){
if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] == 2){
$_SESSION['alert_type'] = "danger";
$_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
}
?>

8
login.php
View File

@ -57,13 +57,15 @@ if(isset($_POST['login'])){
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_email = '$email' AND user_archived_at IS NULL"));
if (password_verify($password, $row['user_password'])) {
// User variables
$token = $row['user_token'];
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_name'] = $row['user_name'];
$user_name = $row['user_name'];
$user_id = $row['user_id'];
// CSRF Token
// Session info
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_name'] = $row['user_name'];
$_SESSION['user_role'] = $row['user_role'];
$_SESSION['csrf_token'] = keygen();
// Setup encryption session key

712
post.php
View File

File diff suppressed because it is too large Load Diff

2
settings-api.php
View File

@ -81,7 +81,7 @@
<i class="fas fa-ellipsis-h"></i>
</button>
<div class="dropdown-menu">
<a class="dropdown-item text-danger" href="post.php?delete_api_key=<?php echo $api_key_id; ?>">Revoke</a>
<a class="dropdown-item text-danger" href="post.php?delete_api_key=<?php echo $api_key_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Revoke</a>
</div>
</div>
</td>