Tickets & Tasks

- Add ability to un-complete/undo a completed task
- Require CSRF verification when deleting tickets and tasks

post/tasks.php

@@ -61,6 +61,9 @@ if (isset($_GET['delete_task'])) {
 
     validateTechRole();
 
+    // CSRF Check
+    validateCSRFToken($_GET['csrf_token']);
+
     $task_id = intval($_GET['delete_task']);
 
     // Get Client ID, task name from tasks and tickets using the task_id
@@ -105,5 +108,33 @@ if (isset($_GET['complete_task'])) {
 
     $_SESSION['alert_message'] = "You completed Task <strong>$task_name</strong> Great Job!<i class='far fa-4x fa-smile-wink ml-2'></i>";
 
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+}
+
+if (isset($_GET['undo_complete_task'])) {
+
+    validateTechRole();
+
+    $task_id = intval($_GET['undo_complete_task']);
+
+    // Get Client ID
+    $sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
+    $row = mysqli_fetch_array($sql);
+    $client_id = intval($row['ticket_client_id']);
+    $task_name = sanitizeInput($row['task_name']);
+    $ticket_id = intval($row['ticket_id']);
+
+    mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NULL, task_completed_by = NULL WHERE task_id = $task_id");
+
+    // Add reply
+    mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Undo Completed Task - $task_name', ticket_reply_time_worked = '00:01:00', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
+
+    $ticket_reply_id = mysqli_insert_id($mysqli);
+
+    // Logging
+    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task', log_action = 'Edit', log_description = '$session_name un-completed task $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $task_id");
+
+    $_SESSION['alert_message'] = "You marked Task <strong>$task_name</strong> as incomplete";
+
     header("Location: " . $_SERVER["HTTP_REFERER"]);
 }

post/ticket.php

@@ -629,6 +629,9 @@ if (isset($_GET['delete_ticket'])) {
 
     validateAdminRole();
 
+    // CSRF Check
+    validateCSRFToken($_GET['csrf_token']);
+
     $ticket_id = intval($_GET['delete_ticket']);
 
     // Get Ticket and Client ID for logging and alert message

ticket.php

@@ -50,7 +50,7 @@ if (isset($_GET['ticket_id'])) {
         $ticket_prefix = nullable_htmlentities($row['ticket_prefix']);
         $ticket_number = intval($row['ticket_number']);
         $ticket_category = intval($row['ticket_category']);
-        $ticket_category_display = htmlentities($row['category_name']);
+        $ticket_category_display = nullable_htmlentities($row['category_name']);
         $ticket_subject = nullable_htmlentities($row['ticket_subject']);
         $ticket_details = $purifier->purify($row['ticket_details']);
         $ticket_priority = nullable_htmlentities($row['ticket_priority']);
@@ -502,7 +502,7 @@ if (isset($_GET['ticket_id'])) {
                                 </a>
                                 <?php if ($session_user_role == 3) { ?>
                                     <div class="dropdown-divider"></div>
-                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_ticket=<?php echo $ticket_id; ?>">
+                                    <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_ticket=<?php echo $ticket_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
                                         <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                     </a>
                                 <?php } ?>
@@ -916,7 +916,7 @@ if (isset($_GET['ticket_id'])) {
                             $task_id = intval($row['task_id']);
                             $task_name = nullable_htmlentities($row['task_name']);
                             $task_order = intval($row['task_order']);
-                            $task_description = nullable_htmlentities($row['task_description']);
+                            //$task_description = nullable_htmlentities($row['task_description']); // not in db yet
                             $task_completed_at = nullable_htmlentities($row['task_completed_at']);
                         ?>
                             <tr>
@@ -940,8 +940,13 @@ if (isset($_GET['ticket_id'])) {
                                                 <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editTaskModal<?php echo $task_id; ?>">
                                                     <i class="fas fa-fw fa-edit mr-2"></i>Edit
                                                 </a>
+                                                <?php if ($task_completed_at) { ?>
+                                                    <a class="dropdown-item" href="post.php?undo_complete_task=<?php echo $task_id; ?>">
+                                                        <i class="fas fa-fw fa-arrow-circle-left mr-2"></i>Mark incomplete
+                                                    </a>
+                                                <?php } ?>
                                                 <div class="dropdown-divider"></div>
-                                                <a class="dropdown-item text-danger confirm-link" href="post.php?delete_task=<?php echo $task_id; ?>">
+                                                <a class="dropdown-item text-danger confirm-link" href="post.php?delete_task=<?php echo $task_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">
                                                     <i class="fas fa-fw fa-trash-alt mr-2"></i>Delete
                                                 </a>
                                             </div>