AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1160 from itflow-org/develop 

Release 25.01.01
This commit is contained in:
Johnny 2025-01-30 14:45:57 -05:00 committed by GitHub
parent e8c3cabde7 2e5b0d1429
commit e3aafcbc68
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
44 changed files with 700 additions and 890 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
CHANGELOG.md
View File

@ -2,6 +2,21 @@
This file documents all notable changes made to ITFlow.
## [25.01.01]
### Added / Changed
- Redesigned the Multi-Factor Authentication (MFA) Setup and Enforcement Flow UI/UX for a more intuitive user experience.
- Added a "Member" column in the user roles listing for improved visibility.
- General UI/UX improvements, along with minor performance optimizations and cleanups.
### Fixed
- Fixed an issue where Stripe was not appearing as a recurring payment option.
- Corrected inaccurate Quarter 2 Expense results in the Profit & Loss Report.
- Resolved TOTP code not displaying correctly on hover in the Contact or Asset Details sections.
- Archived contacts no longer appear in the Bulk Mail section.
- Fixed an issue where the Ticket Assign Modal was showing both ITFlow and client users.
- Fixed issue with login key redirecting to legacy client portal page.
## [25.01]
### Added / Changed

5
admin_bulk_mail.php
View File

@ -4,7 +4,8 @@ require_once "includes/inc_all_admin.php";
$sql = mysqli_query($mysqli, "SELECT * FROM contacts
LEFT JOIN clients ON client_id = contact_client_id
WHERE contact_archived_at IS NULL
WHERE client_archived_at IS NULL
AND contact_archived_at IS NULL
AND contact_email != ''
AND (contact_primary = 1 OR
contact_important = 1 OR
@ -22,7 +23,7 @@ $sql = mysqli_query($mysqli, "SELECT * FROM contacts
<h3 class="card-title mt-2 mb-2"><i class="fa fa-fw fa-envelope-open mr-2"></i>Bulk Mail</h3>
<div class="card-tools">
<button id="bulkActionButton" hidden class="btn btn-primary" type="submit" form='bulkActions' name="send_bulk_mail_now">
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send Now (<span id="selectedCount">0</span>)
<i class="fas fa-fw fa-paper-plane mr-2"></i>Send (<span id="selectedCount">0</span>)
</button>
</div>
</div>

10
admin_mail_queue.php
View File

@ -102,11 +102,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<input class="form-check-input" id="selectAllCheckbox" type="checkbox" onclick="checkAll(this)">
</div>
</td>
<th>
<a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=email_id&order=<?php echo $disp; ?>">
ID <?php if ($sort == 'email_id') { echo $order_icon; } ?>
</a>
</th>
<th>
<a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=email_queued_at&order=<?php echo $disp; ?>">
Queued <?php if ($sort == 'email_queued_at') { echo $order_icon; } ?>
@ -137,7 +132,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
Attempts <?php if ($sort == 'email_attempts') { echo $order_icon; } ?>
</a>
</th>
<th>Action</th>
<th class="text-center">Action</th>
</tr>
</thead>
<tbody>
@ -175,14 +170,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</div>
<?php } ?>
</td>
<td><?php echo $email_id; ?></td>
<td><?php echo $email_queued_at; ?></td>
<td><?php echo "$email_from<br><small class='text-secondary'>$email_from_name</small>"?></td>
<td><?php echo "$email_recipient<br><small class='text-secondary'>$email_recipient_name</small>"?></td>
<td><?php echo $email_subject; ?></td>
<td><?php echo $email_status_display; ?></td>
<td><?php echo $email_attempts; ?></td>
<td>
<td class="text-center">
<a class="btn btn-sm btn-secondary" href="admin_mail_queue_message_view.php?email_id=<?php echo $email_id; ?>">
<i class="fas fa-fw fa-eye"></i>
</a>

37
admin_role.php
View File

@ -21,7 +21,7 @@ $sql = mysqli_query(
$num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
?>
<div class="alert alert-warning text-center"><strong>Roles are still in development. Permissions may not be fully enforced.</strong></div>
<div class="alert alert-info text-center"><strong>Roles are still in development. Permissions may not be fully enforced.</strong></div>
<div class="card card-dark">
<div class="card-header py-2">
@ -54,22 +54,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<tr>
<th>
<a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=user_role_name&order=<?php echo $disp; ?>">
Name <?php if ($sort == 'user_role_name') { echo $order_icon; } ?>
</a>
</th>
<th>
<a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=user_role_description&order=<?php echo $disp; ?>">
Description <?php if ($sort == 'user_role_description') { echo $order_icon; } ?>
Role <?php if ($sort == 'user_role_name') { echo $order_icon; } ?>
</a>
</th>
<th>Members</th>
<th>
<a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=user_role_is_admin&order=<?php echo $disp; ?>">
Admin <?php if ($sort == 'user_role_is_admin') { echo $order_icon; } ?>
</a>
</th>
<th class="text-center">
User count
</th>
<th class="text-center">Action</th>
</tr>
</thead>
@ -87,16 +80,32 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
$sql_role_user_count = mysqli_query($mysqli, "SELECT COUNT(users.user_id) FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_role = $role_id AND user_archived_at IS NULL");
$role_user_count = mysqli_fetch_row($sql_role_user_count)[0];
$sql_users = mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_role = $role_id AND user_archived_at IS NULL");
// Initialize an empty array to hold user names
$user_names = [];
// Fetch each row and store the user_name in the array
while($row = mysqli_fetch_assoc($sql_users)) {
$user_names[] = nullable_htmlentities($row['user_name']);
}
// Convert the array of user names to a comma-separated string
$user_names_string = implode(",", $user_names) ;
if (empty($user_names_string)) {
$user_names_string = "-";
}
?>
<tr>
<td>
<a class="text-dark" href="#" data-toggle="modal" data-target="#editRoleModal<?php echo $role_id; ?>">
<div class="text-secondary"><?php echo $role_name; ?></div>
<a class="text-dark text-bold" href="#" data-toggle="modal" data-target="#editRoleModal<?php echo $role_id; ?>">
<?php echo $role_name; ?>
</a>
<div class="text-secondary"><?php echo $role_description; ?></div>
</td>
<td><?php echo $role_description; ?></td>
<td><?php echo $user_names_string; ?></td>
<td><?php echo $role_admin ? 'Yes' : 'No' ; ?></td>
<td class="text-center"><?php echo $role_user_count ?></td>
<td>
<?php if ($role_id !== 3) { ?>
<div class="dropdown dropleft text-center">

2
admin_settings_company.php
View File

@ -33,7 +33,7 @@ $company_initials = nullable_htmlentities(initials($company_name));
<div class="row">
<div class="col-md-3 text-center">
<?php if(file_exists("uploads/settings/$company_logo")) { ?>
<?php if($company_logo) { ?>
<img class="img-thumbnail" src="<?php echo "uploads/settings/$company_logo"; ?>">
<a href="post.php?remove_company_logo" class="btn btn-outline-danger btn-block">Remove Logo</a>
<hr>

13
admin_settings_notification.php
View File

@ -19,19 +19,6 @@ require_once "includes/inc_all_admin.php";
</div>
</div>
<div class="form-group">
<label>Cron Key</label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
</div>
<input type="text" class="form-control" name="config_cron_key" placeholder="Generate a CRON Key" value="<?php echo nullable_htmlentities($config_cron_key); ?>" readonly>
<div class="input-group-append">
<a href="post.php?generate_cron_key" class="btn btn-secondary confirm-link"><i class="fas fa-fw fa-sync mr-2"></i>Regenerate</a>
</div>
</div>
</div>
<table class="table table-bordered">
<thead class="thead-dark">
<tr>

7
check_login.php
View File

@ -54,7 +54,7 @@ $row = mysqli_fetch_array($sql);
$session_name = sanitizeInput($row['user_name']);
$session_email = $row['user_email'];
$session_avatar = $row['user_avatar'];
$session_token = $row['user_token'];
$session_token = $row['user_token']; // MFA Token
$session_user_role = intval($row['user_role']);
$session_user_role_display = sanitizeInput($row['user_role_name']);
if (isset($row['user_role_is_admin']) && $row['user_role_is_admin'] == 1) {
@ -128,8 +128,3 @@ $session_mobile = isMobile();
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('notification_id') AS num FROM notifications WHERE (notification_user_id = $session_user_id OR notification_user_id = 0) AND notification_dismissed_at IS NULL"));
$num_notifications = $row['num'];
// FORCE MFA Setup
//if ($session_user_config_force_mfa == 1 && $session_token == NULL) {
// header("Location: force_mfa.php");
//}

4
client_asset_details.php
View File

@ -485,7 +485,7 @@ if (isset($_GET['asset_id'])) {
if (empty($login_otp_secret)) {
$otp_display = "-";
} else {
$otp_display = "<span onmouseenter='showOTP($login_id_with_secret)'><i class='far fa-clock'></i> <span id='otp_$login_id'><i>Hover..</i></span></span>";
$otp_display = "<span onmouseenter='showOTPViaLoginID($login_id)'><i class='far fa-clock'></i> <span id='otp_$login_id'><i>Hover..</i></span></span>";
}
$login_note = nullable_htmlentities($row['login_note']);
$login_important = intval($row['login_important']);
@ -926,6 +926,8 @@ if (isset($_GET['asset_id'])) {
</script>
<script src="js/recurring_tickets_edit_modal.js"></script>
<!-- Include script to get TOTP code via the login ID -->
<script src="js/logins_show_otp_via_id.js"></script>
<?php

4
client_contact_details.php
View File

@ -477,7 +477,7 @@ if (isset($_GET['contact_id'])) {
if (empty($login_otp_secret)) {
$otp_display = "-";
} else {
$otp_display = "<span onmouseenter='showOTP($login_id_with_secret)'><i class='far fa-clock'></i> <span id='otp_$login_id'><i>Hover..</i></span></span>";
$otp_display = "<span onmouseenter='showOTPViaLoginID($login_id)'><i class='far fa-clock'></i> <span id='otp_$login_id'><i>Hover..</i></span></span>";
}
$login_note = nullable_htmlentities($row['login_note']);
$login_important = intval($row['login_important']);
@ -1129,6 +1129,8 @@ if (isset($_GET['contact_id'])) {
</script>
<script src="js/recurring_tickets_edit_modal.js"></script>
<!-- Include script to get TOTP code via the login ID -->
<script src="js/logins_show_otp_via_id.js"></script>
<?php

245
cron.php
View File

@ -1,19 +1,19 @@
<?php
// Cron scripts have now moved to the /scripts folder
// This file will soon be removed from the project
// Set working directory to the directory this cron script lives at.
chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This script must be run from the command line.\n");
}
require_once "config.php";
// Set Timezone
require_once "inc_set_timezone.php";
require_once "functions.php";
$sql_companies = mysqli_query($mysqli, "SELECT * FROM companies, settings WHERE companies.company_id = settings.company_id AND companies.company_id = 1");
$row = mysqli_fetch_array($sql_companies);
@ -31,7 +31,6 @@ $company_currency = sanitizeInput($row['company_currency']);
// Company Settings
$config_enable_cron = intval($row['config_enable_cron']);
$config_cron_key = $row['config_cron_key'];
$config_invoice_overdue_reminders = $row['config_invoice_overdue_reminders'];
$config_invoice_prefix = sanitizeInput($row['config_invoice_prefix']);
$config_invoice_from_email = sanitizeInput($row['config_invoice_from_email']);
@ -82,18 +81,20 @@ $currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY);
$config_whitelabel_enabled = intval($row['config_whitelabel_enabled']);
$config_whitelabel_key = $row['config_whitelabel_key'];
$argv = $_SERVER['argv'];
// Online Stripe Payment
$config_stripe_enable = intval($row['config_stripe_enable']);
$config_stripe_secret = $row['config_stripe_secret'];
$config_stripe_account = intval($row['config_stripe_account']);
$config_stripe_expense_vendor = intval($row['config_stripe_expense_vendor']);
$config_stripe_expense_category = intval($row['config_stripe_expense_category']);
$config_stripe_percentage_fee = floatval($row['config_stripe_percentage_fee']);
$config_stripe_flat_fee = floatval($row['config_stripe_flat_fee']);
// Check cron is enabled
if ($config_enable_cron == 0) {
exit("Cron: is not enabled -- Quitting..");
}
// Check Cron Key
if ( $argv[1] !== $config_cron_key ) {
exit("Cron Key invalid -- Quitting..");
}
/*
* ###############################################################################################################
* STARTUP ACTIONS
@ -133,6 +134,29 @@ mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_created_
// Cleanup old audit logs
mysqli_query($mysqli, "DELETE FROM logs WHERE log_created_at < CURDATE() - INTERVAL $config_log_retention DAY");
// Cleanup old app/debug logs
mysqli_query($mysqli, "DELETE FROM app_logs WHERE app_log_created_at < CURDATE() - INTERVAL $config_log_retention DAY");
// Cleanup old auth logs
mysqli_query($mysqli, "DELETE FROM auth_logs WHERE auth_log_created_at < CURDATE() - INTERVAL $config_log_retention DAY");
// CLeanup old domain history
$sql = mysqli_query($mysqli, "SELECT domain_id FROM domains");
while ($row = mysqli_fetch_array($sql)) {
$domain_id = intval($row['domain_id']);
mysqli_query($mysqli, "
DELETE FROM domain_history
WHERE domain_history_id NOT IN (
SELECT domain_history_id FROM (
SELECT domain_history_id FROM domain_history
WHERE domain_history_domain_id = $domain_id
ORDER BY domain_history_modified_at DESC
LIMIT 25
) AS recent_entries
) AND domain_history_domain_id = $domain_id
");
}
// Logging
// logAction("Cron", "Task", "Cron cleaned up old data");
@ -145,9 +169,7 @@ mysqli_query($mysqli, "DELETE FROM logs WHERE log_created_at < CURDATE() - INTER
// Whitelabel - Disable if expired/invalid
if ($config_whitelabel_enabled && !validateWhitelabelKey($config_whitelabel_key)) {
mysqli_query($mysqli, "UPDATE settings SET config_whitelabel_enabled = 0, config_whitelabel_key = '' WHERE company_id = 1");
appNotify("Settings", "White-labelling was disabled due to expired/invalid key", "settings_modules.php");
}
@ -165,7 +187,7 @@ if ($config_enable_alert_domain_expire == 1) {
$sql = mysqli_query(
$mysqli,
"SELECT * FROM domains
LEFT JOIN clients ON domain_client_id = client_id
LEFT JOIN clients ON domain_client_id = client_id
WHERE domain_expire IS NOT NULL AND domain_expire = CURDATE() + INTERVAL $day DAY"
);
@ -195,7 +217,7 @@ foreach ($certificateAlertArray as $day) {
$sql = mysqli_query(
$mysqli,
"SELECT * FROM certificates
LEFT JOIN clients ON certificate_client_id = client_id
LEFT JOIN clients ON certificate_client_id = client_id
WHERE certificate_expire = CURDATE() + INTERVAL $day DAY"
);
@ -400,7 +422,7 @@ if (mysqli_num_rows($sql_scheduled_tickets) > 0) {
$sql_resolved_tickets_to_close = mysqli_query(
$mysqli,
"SELECT * FROM tickets
"SELECT * FROM tickets
WHERE ticket_status = 4
AND ticket_updated_at < NOW() - INTERVAL $config_ticket_autoclose_hours HOUR"
);
@ -522,7 +544,7 @@ if ($config_send_invoice_reminders == 1) {
$sql_recurring = mysqli_query($mysqli, "SELECT * FROM recurring
LEFT JOIN recurring_payments ON recurring_id = recurring_payment_recurring_invoice_id
LEFT JOIN clients ON client_id = recurring_client_id
WHERE recurring_next_date = CURDATE()
WHERE recurring_next_date = CURDATE()
AND recurring_status = 1
");
@ -594,27 +616,28 @@ while ($row = mysqli_fetch_array($sql_recurring)) {
mysqli_query($mysqli, "UPDATE recurring SET recurring_last_sent = CURDATE(), recurring_next_date = DATE_ADD(CURDATE(), INTERVAL 1 $recurring_frequency) WHERE recurring_id = $recurring_id");
if ($config_recurring_auto_send_invoice == 1 && $recurring_invoice_email_notify == 1) {
$sql = mysqli_query(
$mysqli,
"SELECT * FROM invoices
// Get details of the newly generated invoice
$sql = mysqli_query(
$mysqli,
"SELECT * FROM invoices
LEFT JOIN clients ON invoice_client_id = client_id
LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1
WHERE invoice_id = $new_invoice_id"
);
);
$row = mysqli_fetch_array($sql);
$invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']);
$invoice_scope = sanitizeInput($row['invoice_scope']);
$invoice_date = sanitizeInput($row['invoice_date']);
$invoice_due = sanitizeInput($row['invoice_due']);
$invoice_amount = floatval($row['invoice_amount']);
$invoice_url_key = sanitizeInput($row['invoice_url_key']);
$client_id = intval($row['client_id']);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$row = mysqli_fetch_array($sql);
$invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']);
$invoice_scope = sanitizeInput($row['invoice_scope']);
$invoice_date = sanitizeInput($row['invoice_date']);
$invoice_due = sanitizeInput($row['invoice_due']);
$invoice_amount = floatval($row['invoice_amount']);
$invoice_url_key = sanitizeInput($row['invoice_url_key']);
$client_id = intval($row['client_id']);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
if ($config_recurring_auto_send_invoice == 1 && $recurring_invoice_email_notify == 1) {
$subject = "Invoice $invoice_prefix$invoice_number";
$body = "Hello $contact_name,<br><br>An invoice regarding \"$invoice_scope\" has been generated. Please view the details below.<br><br>Invoice: $invoice_prefix$invoice_number<br>Issue Date: $invoice_date<br>Total: " . numfmt_format_currency($currency_format, $invoice_amount, $recurring_currency_code) . "<br>Due Date: $invoice_due<br><br><br>To view your invoice, please click <a href=\'https://$config_base_url/guest/guest_view_invoice.php?invoice_id=$new_invoice_id&url_key=$invoice_url_key\'>here</a>.<br><br><br>--<br>$company_name - Billing<br>$config_invoice_from_email<br>$company_phone";
@ -673,19 +696,151 @@ while ($row = mysqli_fetch_array($sql_recurring)) {
// Create Payment from Auto Payment
if ($recurring_payment_recurring_invoice_id) {
mysqli_query($mysqli,"INSERT INTO payments SET payment_date = CURDATE(), payment_amount = $recurring_amount, payment_currency_code = '$recurring_payment_currency_code', payment_account_id = $recurring_payment_account_id, payment_method = '$recurring_payment_method', payment_reference = 'Paid via AutoPay', payment_invoice_id = $new_invoice_id");
// Get Payment ID for reference
$payment_id = mysqli_insert_id($mysqli);
if ($recurring_payment_method == "Stripe") {
// Stripe payment
// Update Invoice Status
mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Paid' WHERE invoice_id = $new_invoice_id");
// Get Stripe info for client
$stripe_client_details = mysqli_fetch_array(mysqli_query($mysqli, "SELECT * FROM client_stripe WHERE client_id = $client_id LIMIT 1"));
$stripe_id = sanitizeInput($stripe_client_details['stripe_id']);
$stripe_pm = sanitizeInput($stripe_client_details['stripe_pm']);
//Add Payment to History
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Paid', history_description = 'Payment added via Auto Pay', history_invoice_id = $new_invoice_id");
if ($config_stripe_enable && $stripe_id && $stripe_pm) {
// Initialize
require_once __DIR__ . '/plugins/stripe-php/init.php';
$stripe = new \Stripe\StripeClient($config_stripe_secret);
$balance_to_pay = round($invoice_amount, 2);
$pi_description = "ITFlow: $client_name payment of $recurring_payment_currency_code $balance_to_pay for $invoice_prefix$invoice_number";
// Create a payment intent
try {
$payment_intent = $stripe->paymentIntents->create([
'amount' => intval($balance_to_pay * 100), // Times by 100 as Stripe expects values in cents
'currency' => $recurring_payment_currency_code,
'customer' => $stripe_id,
'payment_method' => $stripe_pm,
'off_session' => true,
'confirm' => true,
'description' => $pi_description,
'metadata' => [
'itflow_client_id' => $client_id,
'itflow_client_name' => $client_name,
'itflow_invoice_number' => $invoice_prefix . $invoice_number,
'itflow_invoice_id' => $new_invoice_id,
]
]);
// Get details from PI
$pi_id = sanitizeInput($payment_intent->id);
$pi_date = date('Y-m-d', $payment_intent->created);
$pi_amount_paid = floatval(($payment_intent->amount_received / 100));
$pi_currency = strtoupper(sanitizeInput($payment_intent->currency));
$pi_livemode = $payment_intent->livemode;
} catch (Exception $e) {
$error = $e->getMessage();
error_log("Stripe payment error - encountered exception during payment intent for invoice ID $new_invoice_id / $invoice_prefix$invoice_number: $error");
logApp("Stripe", "error", "Exception during PI for invoice ID $new_invoice_id: $error");
echo $error;
}
if ($payment_intent->status == "succeeded" && intval($balance_to_pay) == intval($pi_amount_paid)) {
// Update Invoice Status
mysqli_query($mysqli, "UPDATE invoices SET invoice_status = 'Paid' WHERE invoice_id = $new_invoice_id");
// Add Payment to History
mysqli_query($mysqli, "INSERT INTO payments SET payment_date = '$pi_date', payment_amount = $pi_amount_paid, payment_currency_code = '$pi_currency', payment_account_id = $recurring_payment_account_id, payment_method = 'Stripe', payment_reference = 'Stripe - $pi_id', payment_invoice_id = $new_invoice_id");
mysqli_query($mysqli, "INSERT INTO history SET history_status = 'Paid', history_description = 'Online Payment added (autopay)', history_invoice_id = $new_invoice_id");
// Email receipt
if (!empty($config_smtp_host)) {
$subject = "Payment Received - Invoice $invoice_prefix$invoice_number";
$body = "Hello $contact_name,<br><br>We have received online payment for the amount of " . numfmt_format_currency($currency_format, $invoice_amount, $recurring_payment_currency_code) . " for invoice <a href=\'https://$config_base_url/guest/guest_view_invoice.php?invoice_id=$new_invoice_id&url_key=$invoice_url_key\'>$invoice_prefix$invoice_number</a>. Please keep this email as a receipt for your records.<br><br>Amount Paid: " . numfmt_format_currency($currency_format, $invoice_amount, $recurring_payment_currency_code) . "<br><br>Thank you for your business!<br><br><br>--<br>$company_name - Billing Department<br>$config_invoice_from_email<br>$company_phone";
// Queue Mail
$data = [
[
'from' => $config_invoice_from_email,
'from_name' => $config_invoice_from_name,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body,
]
];
// Email the internal notification address too
if (!empty($config_invoice_paid_notification_email)) {
$subject = "Payment Received - $client_name - Invoice $invoice_prefix$invoice_number";
$body = "Hello, <br><br>This is a notification that an invoice has been paid in ITFlow. Below is a copy of the receipt sent to the client:-<br><br>--------<br><br>Hello $contact_name,<br><br>We have received online payment for the amount of " . numfmt_format_currency($currency_format, $invoice_amount, $recurring_payment_currency_code) . " for invoice <a href=\'https://$config_base_url/guest/guest_view_invoice.php?invoice_id=$new_invoice_id&url_key=$invoice_url_key\'>$invoice_prefix$invoice_number</a>. Please keep this email as a receipt for your records.<br><br>Amount Paid: " . numfmt_format_currency($currency_format, $invoice_amount, $recurring_payment_currency_code) . "<br><br>Thank you for your business!<br><br><br>--<br>$company_name - Billing Department<br>$config_invoice_from_email<br>$company_phone";
$data[] = [
'from' => $config_invoice_from_email,
'from_name' => $config_invoice_from_name,
'recipient' => $config_invoice_paid_notification_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body,
];
}
$mail = addToMailQueue($data);
// Email Logging
$email_id = mysqli_insert_id($mysqli);
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Payment Receipt sent to mail queue ID: $email_id!', history_invoice_id = $new_invoice_id");
logAction("Invoice", "Payment", "Payment receipt for invoice $invoice_prefix$invoice_number queued to $contact_email Email ID: $email_id", $client_id, $new_invoice_id);
}
// Log info
$extended_log_desc = '';
if (!$pi_livemode) {
$extended_log_desc = '(DEV MODE)';
}
// Create Stripe payment gateway fee as an expense (if configured)
if ($config_stripe_expense_vendor > 0 && $config_stripe_expense_category > 0) {
$gateway_fee = round($invoice_amount * $config_stripe_percentage_fee + $config_stripe_flat_fee, 2);
mysqli_query($mysqli,"INSERT INTO expenses SET expense_date = '$pi_date', expense_amount = $gateway_fee, expense_currency_code = '$company_currency', expense_account_id = $config_stripe_account, expense_vendor_id = $config_stripe_expense_vendor, expense_client_id = $client_id, expense_category_id = $config_stripe_expense_category, expense_description = 'Stripe Transaction for Invoice $invoice_prefix$invoice_number In the Amount of $balance_to_pay', expense_reference = 'Stripe - $pi_id $extended_log_desc'");
}
// Notify/log
appNotify("Invoice Paid", "Invoice $invoice_prefix$invoice_number automatically paid", "invoice.php?invoice_id=$new_invoice_id", $client_id);
logAction("Invoice", "Payment", "Auto Stripe payment amount of " . numfmt_format_currency($currency_format, $recurring_amount, $recurring_payment_currency_code) . " added to invoice $invoice_prefix$invoice_number - $pi_id $extended_log_desc", $client_id, $new_invoice_id);
customAction('invoice_pay', $new_invoice_id);
} else {
mysqli_query($mysqli, "INSERT INTO history SET history_status = 'Payment failed', history_description = 'Stripe autopay failed due to payment error', history_invoice_id = $new_invoice_id");
logAction("Invoice", "Payment", "Failed auto Payment amount of invoice $invoice_prefix$invoice_number due to Stripe payment error", $client_id, $new_invoice_id);
}
} else {
logAction("Invoice", "Payment", "Failed auto Payment amount of invoice $invoice_prefix$invoice_number due to Stripe configuration error", $client_id, $new_invoice_id);
}
} else {
// Else: Cash/Bank payment
//TODO: Should we send a receipt for auto bank payments, even when nobody actually confirms receipt?
mysqli_query($mysqli,"INSERT INTO payments SET payment_date = CURDATE(), payment_amount = $recurring_amount, payment_currency_code = '$recurring_payment_currency_code', payment_account_id = $recurring_payment_account_id, payment_method = '$recurring_payment_method', payment_reference = 'Paid via AutoPay', payment_invoice_id = $new_invoice_id");
// Get Payment ID for reference
$payment_id = mysqli_insert_id($mysqli);
// Update Invoice Status
mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Paid' WHERE invoice_id = $new_invoice_id");
//Add Payment to History
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Paid', history_description = 'Payment added via Auto Pay', history_invoice_id = $new_invoice_id");
// Logging
logAction("Invoice", "Payment", "Auto Payment amount of " . numfmt_format_currency($currency_format, $recurring_amount, $recurring_payment_currency_code) . " added to invoice $invoice_prefix$invoice_number", $client_id, $new_invoice_id);
}
// Logging
logAction("Invoice", "Payment", "Auto Payment amount of " . numfmt_format_currency($currency_format, $recurring_amount, $recurring_payment_currency_code) . " added to invoice $invoice_prefix$invoice_number", $client_id, $new_invoice_id);
} //End Auto Payment
} //End Recurring Invoices Loop
@ -1011,4 +1166,4 @@ appNotify("Cron", "Cron ran OK, but paths need updating - cron scripts are now i
// Logging
logApp("Cron", "info", "Cron executed successfully");
logApp("Cron", "warning", "Cron ran using an old script path");
logApp("Cron", "warning", "Cron ran using an old script path");

17
cron_certificate_refresher.php
View File

@ -1,10 +1,17 @@
<?php
// Set working directory to the directory this cron script lives at.
chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This script must be run from the command line.\n");
}
require_once "config.php";
// Set Timezone
require_once "inc_set_timezone.php";
require_once "functions.php";
@ -14,20 +21,12 @@ $row = mysqli_fetch_array($sql_settings);
// Company Settings
$config_enable_cron = intval($row['config_enable_cron']);
$config_cron_key = $row['config_cron_key'];
$argv = $_SERVER['argv'];
// Check cron is enabled
if ($config_enable_cron == 0) {
exit("Cron: is not enabled -- Quitting..");
}
// Check Cron Key
if ( $argv[1] !== $config_cron_key ) {
exit("Cron Key invalid -- Quitting..");
}
/*
* ###############################################################################################################
* UPDATE CERTIFICATE EXPIRY DATE

77
cron_domain_refresher.php
View File

@ -1,50 +1,40 @@
<?php
// Set working directory to the directory this cron script lives at.
chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This script must be run from the command line.\n");
}
require_once "config.php";
// Set Timezone
require_once "inc_set_timezone.php";
require_once "functions.php";
$sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE settings.company_id = 1");
$row = mysqli_fetch_array($sql_settings);
// Company Settings
$config_enable_cron = intval($row['config_enable_cron']);
$config_cron_key = $row['config_cron_key'];
$argv = $_SERVER['argv'];
// Check cron is enabled
if ($config_enable_cron == 0) {
exit("Cron: is not enabled -- Quitting..");
}
// Check Cron Key
if ( $argv[1] !== $config_cron_key ) {
exit("Cron Key invalid -- Quitting..");
}
/*
* ###############################################################################################################
* REFRESH DATA
* ###############################################################################################################
*/
// 2023-02-20 JQ Commenting this code out as its intermitently breaking cron executions, investigating
// ERROR
// php cron.php
// PHP Fatal error: Uncaught TypeError: mysqli_fetch_array(): Argument #1 ($result) must be of type mysqli_result, bool given in cron.php:141
// Stack trace:
//#0 cron.php(141): mysqli_fetch_array()
//#1 {main}
// thrown in cron.php on line 141
// END ERROR
// REFRESH DOMAIN WHOIS DATA (1 a day)
// REFRESH DOMAIN WHOIS DATA (1 a day/run)
// Get the oldest updated domain (MariaDB shows NULLs first when ordering by default)
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT domain_id, domain_name, domain_expire FROM `domains` ORDER BY domain_updated_at LIMIT 1"));
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT domain_id, domain_name, domain_expire FROM `domains` WHERE domain_archived_at IS NULL ORDER BY domain_updated_at LIMIT 1"));
if ($row) {
@ -76,7 +66,52 @@ if ($row) {
$expire = 'NULL';
}
// Current domain info
$original_domain_info = mysqli_fetch_assoc(mysqli_query($mysqli,"
SELECT
domains.*,
registrar.vendor_name AS registrar_name,
dnshost.vendor_name AS dnshost_name,
mailhost.vendor_name AS mailhost_name,
webhost.vendor_name AS webhost_name
FROM domains
LEFT JOIN vendors AS registrar ON domains.domain_registrar = registrar.vendor_id
LEFT JOIN vendors AS dnshost ON domains.domain_dnshost = dnshost.vendor_id
LEFT JOIN vendors AS mailhost ON domains.domain_mailhost = mailhost.vendor_id
LEFT JOIN vendors AS webhost ON domains.domain_webhost = webhost.vendor_id
WHERE domain_id = $domain_id
"));
// Update the domain
mysqli_query($mysqli, "UPDATE domains SET domain_name = '$domain_name', domain_expire = $expire, domain_ip = '$a', domain_name_servers = '$ns', domain_mail_servers = '$mx', domain_txt = '$txt', domain_raw_whois = '$whois' WHERE domain_id = $domain_id");
echo "Updated $domain_name.";
// Fetch updated info
$new_domain_info = mysqli_fetch_assoc(mysqli_query($mysqli,"
SELECT
domains.*,
registrar.vendor_name AS registrar_name,
dnshost.vendor_name AS dnshost_name,
mailhost.vendor_name AS mailhost_name,
webhost.vendor_name AS webhost_name
FROM domains
LEFT JOIN vendors AS registrar ON domains.domain_registrar = registrar.vendor_id
LEFT JOIN vendors AS dnshost ON domains.domain_dnshost = dnshost.vendor_id
LEFT JOIN vendors AS mailhost ON domains.domain_mailhost = mailhost.vendor_id
LEFT JOIN vendors AS webhost ON domains.domain_webhost = webhost.vendor_id
WHERE domain_id = $domain_id
"));
// Compare/log changes
$ignored_columns = ["domain_updated_at", "domain_accessed_at", "domain_registrar", "domain_webhost", "domain_dnshost", "domain_mailhost"];
foreach ($original_domain_info as $column => $old_value) {
$new_value = $new_domain_info[$column];
if ($old_value != $new_value && !in_array($column, $ignored_columns)) {
$column = sanitizeInput($column);
$old_value = sanitizeInput($old_value);
$new_value = sanitizeInput($new_value);
mysqli_query($mysqli,"INSERT INTO domain_history SET domain_history_column = '$column', domain_history_old_value = '$old_value', domain_history_new_value = '$new_value', domain_history_domain_id = $domain_id");
}
}
}

19
cron_mail_queue.php
View File

@ -1,10 +1,16 @@
<?php
require_once "config.php";
// Set working directory to the directory this cron script lives at.
chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This script must be run from the command line.\n");
}
require_once "config.php";
// Set Timezone
require_once "inc_set_timezone.php";
require_once "functions.php";
$sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = 1");
@ -13,27 +19,18 @@ $row = mysqli_fetch_array($sql_settings);
// Company Settings
$config_enable_cron = intval($row['config_enable_cron']);
$config_cron_key = $row['config_cron_key'];
$config_smtp_host = $row['config_smtp_host'];
$config_smtp_username = $row['config_smtp_username'];
$config_smtp_password = $row['config_smtp_password'];
$config_smtp_port = intval($row['config_smtp_port']);
$config_smtp_encryption = $row['config_smtp_encryption'];
$argv = $_SERVER['argv'];
// Check cron is enabled
if ($config_enable_cron == 0) {
error_log("Mail queue error - Cron is not enabled");
exit("Cron: is not enabled -- Quitting..");
}
// Check Cron Key
if ($argv[1] !== $config_cron_key) {
error_log("Mail queue error - Invalid cron key supplied");
exit("Cron Key invalid -- Quitting..");
}
// Get system temp directory
$temp_dir = sys_get_temp_dir();

20
cron_ticket_email_parser.php
View File

@ -10,6 +10,11 @@ $script_start_time = microtime(true); // unComment when Debugging Execution time
// Set working directory to the directory this cron script lives at.
chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This script must be run from the command line.\n");
}
// Get ITFlow config & helper functions
require_once "config.php";
@ -35,13 +40,6 @@ if ($config_ticket_email_parse == 0) {
exit("Email Parser: Feature is not enabled - check Settings > Ticketing > Email-to-ticket parsing. See https://docs.itflow.org/ticket_email_parse -- Quitting..");
}
$argv = $_SERVER['argv'];
// Check Cron Key
if ($argv[1] !== $config_cron_key) {
exit("Cron Key invalid -- Quitting..");
}
// Get system temp directory
$temp_dir = sys_get_temp_dir();
@ -88,7 +86,7 @@ $allowed_extensions = array('jpg', 'jpeg', 'gif', 'png', 'webp', 'pdf', 'txt', '
// Function to raise a new ticket for a given contact and email them confirmation (if configured)
function addTicket($contact_id, $contact_name, $contact_email, $client_id, $date, $subject, $message, $attachments, $original_message_file) {
global $mysqli, $config_app_name, $company_name, $company_phone, $config_ticket_prefix, $config_ticket_client_general_notifications, $config_ticket_new_ticket_notification_email, $config_base_url, $config_ticket_from_name, $config_ticket_from_email, $allowed_extensions;
global $mysqli, $config_app_name, $company_name, $company_phone, $config_ticket_prefix, $config_ticket_client_general_notifications, $config_ticket_new_ticket_notification_email, $config_base_url, $config_ticket_from_name, $config_ticket_from_email, $config_ticket_default_billable, $allowed_extensions;
$ticket_number_sql = mysqli_fetch_array(mysqli_query($mysqli, "SELECT config_ticket_next_number FROM settings WHERE company_id = 1"));
$ticket_number = intval($ticket_number_sql['config_ticket_next_number']);
@ -111,7 +109,7 @@ function addTicket($contact_id, $contact_name, $contact_email, $client_id, $date
//Generate a unique URL key for clients to access
$url_key = randomString(156);
mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$ticket_prefix_esc', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$message_esc', ticket_priority = 'Low', ticket_status = 1, ticket_created_by = 0, ticket_contact_id = $contact_id, ticket_url_key = '$url_key', ticket_client_id = $client_id");
mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$ticket_prefix_esc', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$message_esc', ticket_priority = 'Low', ticket_status = 1, ticket_billable = $config_ticket_default_billable, ticket_created_by = 0, ticket_contact_id = $contact_id, ticket_url_key = '$url_key', ticket_client_id = $client_id");
$id = mysqli_insert_id($mysqli);
// Logging
@ -155,7 +153,7 @@ function addTicket($contact_id, $contact_name, $contact_email, $client_id, $date
$data = [];
if ($config_ticket_client_general_notifications == 1) {
$subject_email = "Ticket created - [$config_ticket_prefix$ticket_number] - $subject";
$body = "<i style='color: #808080'>##- Please type your reply above this line -##</i><br><br>Hello $contact_name,<br><br>Thank you for your email. A ticket regarding \"$subject\" has been automatically created for you.<br><br>Ticket: $config_ticket_prefix$ticket_number<br>Subject: $subject<br>Status: New<br>https://$config_base_url/client/ticket.php?id=$id<br><br>--<br>$company_name - Support<br>$config_ticket_from_email<br>$company_phone";
$body = "<i style='color: #808080'>##- Please type your reply above this line -##</i><br><br>Hello $contact_name,<br><br>Thank you for your email. A ticket regarding \"$subject\" has been automatically created for you.<br><br>Ticket: $config_ticket_prefix$ticket_number<br>Subject: $subject<br>Status: New<br>Portal: <a href='https://$config_base_url/guest/guest_view_ticket.php?ticket_id=$id&url_key=$url_key'>View ticket</a><br><br>--<br>$company_name - Support<br>$config_ticket_from_email<br>$company_phone";
$data[] = [
'from' => $config_ticket_from_email,
'from_name' => $config_ticket_from_name,
@ -556,5 +554,3 @@ if (file_exists($lock_file_path)) {
}
echo "Processed Emails into tickets: $processed_count\n";
echo "Unprocessed Emails: $unprocessed_count\n";
?>

13
database_updates.php
View File

@ -2462,10 +2462,17 @@ if (LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION) {
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.7.9'");
}
// if (CURRENT_DATABASE_VERSION == '1.7.9') {
// // Insert queries here required to update to DB version 1.8.0
if (CURRENT_DATABASE_VERSION == '1.7.9') {
mysqli_query($mysqli, "ALTER TABLE `settings` DROP `config_cron_key`");
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.8.0'");
}
// if (CURRENT_DATABASE_VERSION == '1.8.0') {
// // Insert queries here required to update to DB version 1.8.1
// // Then, update the database to the next sequential version
// mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.8.0'");
// mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.8.1'");
// }
} else {

3
db.sql
View File

@ -1705,7 +1705,6 @@ CREATE TABLE `settings` (
`config_ticket_new_ticket_notification_email` varchar(200) DEFAULT NULL,
`config_ticket_default_billable` tinyint(1) NOT NULL DEFAULT 0,
`config_enable_cron` tinyint(1) NOT NULL DEFAULT 0,
`config_cron_key` varchar(255) DEFAULT NULL,
`config_recurring_auto_send_invoice` tinyint(1) NOT NULL DEFAULT 1,
`config_enable_alert_domain_expire` tinyint(1) NOT NULL DEFAULT 1,
`config_send_invoice_reminders` tinyint(1) NOT NULL DEFAULT 1,
@ -2343,4 +2342,4 @@ CREATE TABLE `vendors` (
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2025-01-18 13:03:55
-- Dump completed on 2025-01-25 21:47:06

74
force_mfa.php
View File

@ -1,74 +0,0 @@
<?php
require_once "config.php";
include_once "functions.php";
require_once "check_login.php";
require_once "header.php";
?>
<div class="card card-dark">
<div class="card-header py-3">
<h3 class="card-title"><i class="fas fa-fw fa-sheild mr-2"></i>2FA Setup</h3>
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<?php if (empty($session_token)) { ?>
<button type="submit" name="enable_2fa" class="btn btn-success btn-block mt-3"><i class="fa fa-fw fa-lock"></i><br> Enable 2FA</button>
<?php } else { ?>
<p>You have set up 2FA. Your QR code is below.</p>
<button type="submit" name="disable_2fa" class="btn btn-danger btn-block mt-3"><i class="fa fa-fw fa-unlock"></i><br>Disable 2FA</button>
<?php } ?>
<center>
<?php
require_once 'rfc6238.php';
//Generate a base32 Key
$secretkey = key32gen();
if (!empty($session_token)) {
// Generate QR Code
$data = "otpauth://totp/ITFlow:$session_email?secret=$session_token";
print "<img src='plugins/barcode/barcode.php?f=png&s=qr&d=$data'>";
echo "<p class='text-secondary'>$session_token</p>";
}
?>
</center>
<input type="hidden" name="token" value="<?php echo $secretkey; ?>">
</form>
<?php if (!empty($session_token)) { ?>
<form action="post.php" method="post" autocomplete="off">
<div class="form-group">
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
</div>
<input type="text" class="form-control" name="code" placeholder="Verify 2FA Code" required>
<div class="input-group-append">
<button type="submit" name="verify" class="btn btn-success">Verify</button>
</div>
</div>
</div>
</form>
<?php } ?>
</div>
</div>
<?php
require_once "includes/footer.php";

2
get_settings.php
View File

@ -76,10 +76,8 @@ $config_ticket_autoclose_hours = intval($row['config_ticket_autoclose_hours']);
$config_ticket_new_ticket_notification_email = $row['config_ticket_new_ticket_notification_email'];
$config_ticket_default_billable = intval($row['config_ticket_default_billable']);
// Cron
$config_enable_cron = intval($row['config_enable_cron']);
$config_cron_key = $row['config_cron_key'];
// Alerts & Notifications
$config_recurring_auto_send_invoice = intval($row['config_recurring_auto_send_invoice']);

4
includes/app_version.php
View File

@ -2,7 +2,7 @@
/*
* ITFlow
* This file defines the current ITFlow release/version
* Update this file each time we merge develop into master. Format is YY.M (add a .v if there is more than one release a month.
* Update this file each time we merge develop into master. Format is YY.MM (add a .v if there is more than one release a month.
*/
DEFINE("APP_VERSION", "25.01");
DEFINE("APP_VERSION", "25.01.1");

2
includes/database_version.php
View File

@ -5,4 +5,4 @@
* It is used in conjunction with database_updates.php
*/
DEFINE("LATEST_DATABASE_VERSION", "1.7.9");
DEFINE("LATEST_DATABASE_VERSION", "1.8.0");

24
includes/header.php
View File

@ -39,6 +39,30 @@ header("X-Frame-Options: DENY");
<link href='plugins/daterangepicker/daterangepicker.css' rel='stylesheet' />
<link href="plugins/toastr/toastr.min.css" rel="stylesheet">
<link href="plugins/DataTables/datatables.min.css" rel="stylesheet">
<!-- CSS to allow regular button to show as block button in mobile response view using the class btn-responsive -->
<style>
/*
For screens below 576px (xs):
- Make the button full-width, display:block
*/
@media (max-width: 575.98px) {
.btn-responsive {
display: block;
width: 100%;
}
}
/*
For screens 576px (sm) and above:
- Revert to an inline style
*/
@media (min-width: 576px) {
.btn-responsive {
display: inline-block;
width: auto;
}
}
</style>
<!-- jQuery -->
<script src="plugins/jquery/jquery.min.js"></script>

2
includes/top_nav.php
View File

@ -137,7 +137,7 @@
<li class="nav-item dropdown user-menu">
<a href="#" class="nav-link" data-toggle="dropdown">
<?php if (empty($session_avatar)) { ?>
<i class="fas fa-user"></i>
<i class="fas fa-user-circle mr-1"></i>
<?php }else{ ?>
<img src="<?php echo "uploads/users/$session_user_id/$session_avatar"; ?>"
class="user-image img-circle">

9
login.php
View File

@ -75,7 +75,7 @@ $config_login_remember_me_expire = intval($row['config_login_remember_me_expire'
// If no/incorrect 'key' is supplied, send to client portal instead
if ($config_login_key_required) {
if (!isset($_GET['key']) || $_GET['key'] !== $config_login_key_secret) {
header("Location: portal");
header("Location: client");
exit();
}
}
@ -145,7 +145,7 @@ if (isset($_POST['login'])) {
// Validate MFA code
if (!empty($current_code) && TokenAuth6238::verify($token, $current_code)) {
$mfa_is_complete = true;
$extended_log = 'with 2FA';
$extended_log = 'with MFA';
}
if ($mfa_is_complete) {
@ -201,8 +201,7 @@ if (isset($_POST['login'])) {
// Forcing MFA
if ($force_mfa == 1 && $token == NULL) {
$secretMFA = key32gen();
$config_start_page = "post.php?enable_2fa_force&token=$secretMFA&csrf_token=$_SESSION[csrf_token]";
$config_start_page = "mfa_enforcement.php";
}
// Setup encryption session key
@ -325,7 +324,7 @@ if (isset($_POST['login'])) {
<?php if (!empty($company_logo)) { ?>
<img alt="<?=nullable_htmlentities($company_name)?> logo" height="110" width="380" class="img-fluid" src="<?php echo "uploads/settings/$company_logo"; ?>">
<?php } else { ?>
<b>IT</b>Flow
<span class="text-primary text-bold"><i class="fas fa-paper-plane mr-2"></i>IT</span>Flow
<?php } ?>
</div>

159
mfa_enforcement.php Normal file
View File

@ -0,0 +1,159 @@
<?php
require_once "config.php";
require_once "functions.php";
require_once "check_login.php";
require_once 'plugins/totp/totp.php'; //TOTP MFA Lib
// Get Company Logo
$sql = mysqli_query($mysqli, "SELECT company_logo FROM companies");
$row = mysqli_fetch_array($sql);
$company_logo = nullable_htmlentities($row['company_logo']);
// Only generate the token once and store it in session:
if (empty($_SESSION['mfa_token'])) {
$token = key32gen();
$_SESSION['mfa_token'] = $token;
}
$token = $_SESSION['mfa_token'];
// Generate QR Code
$data = "otpauth://totp/ITFlow:$session_email?secret=$token";
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="robots" content="noindex">
<title>MFA Enforcement | <?php echo $session_company_name; ?></title>
<!--
Favicon
If Fav Icon exists else use the default one
-->
<?php if(file_exists('uploads/favicon.ico')) { ?>
<link rel="icon" type="image/x-icon" href="/uploads/favicon.ico">
<?php } ?>
<!-- Font Awesome Icons -->
<link rel="stylesheet" href="plugins/fontawesome-free/css/all.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="plugins/adminlte/css/adminlte.min.css">
<link href="plugins/toastr/toastr.min.css" rel="stylesheet">
<!-- jQuery -->
<script src="plugins/jquery/jquery.min.js"></script>
<script src="plugins/toastr/toastr.min.js"></script>
</head>
<body class="hold-transition login-page">
<?php require_once "includes/inc_alert_feedback.php"; ?>
<div class="login-box">
<div class="login-logo">
<?php if (!empty($company_logo)) { ?>
<img alt="<?=nullable_htmlentities($company_name)?> logo" height="110" width="380" class="img-fluid" src="<?php echo "uploads/settings/$company_logo"; ?>">
<?php } else { ?>
<span class="text-primary text-bold"><i class="fas fa-paper-plane mr-2"></i>IT</span>Flow
<?php } ?>
</div>
<!-- /.login-logo -->
<div class="card">
<div class="card-body login-card-body text-center">
<p class="login-box-msg">Multi-Factor Authentication Enforced</p>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<img src='plugins/barcode/barcode.php?f=png&s=qr&d=<?php echo $data; ?>' data-toggle="tooltip" title="Scan QR code into your MFA App">
<p>
<small data-toggle="tooltip" title="Can't Scan? Copy and paste this code into your app"><?php echo $token; ?></small>
<button type="button" class='btn btn-sm clipboardjs' data-clipboard-text='<?php echo $token; ?>'><i class='far fa-copy text-secondary'></i></button>
</p>
<div class="input-group mb-3">
<input type="text" class="form-control" inputmode="numeric" pattern="[0-9]*" minlength="6" maxlength="6" name="verify_code" placeholder="Enter 6 digit code to verify MFA" required>
<div class="input-group-append">
<div class="input-group-text">
<span class="fas fa-lock"></span>
</div>
</div>
</div>
<button type="submit" name="enable_mfa" class="btn btn-primary btn-block mb-3"><i class="fa fa-check mr-2"></i>Enable MFA</button>
</form>
</div>
<!-- /.login-card-body -->
</div>
</div>
<!-- /.login-box -->
<!-- REQUIRED SCRIPTS -->
<!-- Bootstrap 4 -->
<script src="plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- Custom js-->
<script src="plugins/clipboardjs/clipboard.min.js"></script>
<script>
// Slide alert up after 4 secs
$("#alert").fadeTo(5000, 500).slideUp(500, function(){
$("#alert").slideUp(500);
});
// ClipboardJS
// Tooltip
$('button').tooltip({
trigger: 'click',
placement: 'bottom'
});
function setTooltip(btn, message) {
$(btn).tooltip('hide')
.attr('data-original-title', message)
.tooltip('show');
}
function hideTooltip(btn) {
setTimeout(function() {
$(btn).tooltip('hide');
}, 1000);
}
// Clipboard
var clipboard = new ClipboardJS('.clipboardjs');
clipboard.on('success', function(e) {
setTooltip(e.trigger, 'Copied!');
hideTooltip(e.trigger);
});
clipboard.on('error', function(e) {
setTooltip(e.trigger, 'Failed!');
hideTooltip(e.trigger);
});
// Enable Popovers
$(function () {
$('[data-toggle="popover"]').popover()
});
</script>
</body>
</html>

3
modals/recurring_payment_add_modal.php
View File

@ -48,6 +48,9 @@
</div>
<select class="form-control select2" name="payment_method" required>
<option value="">- Method of Payment -</option>
<?php if ($config_stripe_enable) { ?>
<option value="Stripe">Stripe</option>
<?php } ?>
<?php
$sql_payment_method_select = mysqli_query($mysqli, "SELECT * FROM categories WHERE category_type = 'Payment Method' AND category_archived_at IS NULL ORDER BY category_name ASC");

5
modals/ticket_assign_modal.php
View File

@ -21,11 +21,10 @@
<select class="form-control select2" name="assigned_to">
<option value="0">Not Assigned</option>
<?php
$sql_users_select = mysqli_query($mysqli, "SELECT users.user_id, user_name FROM users
$sql_users_select = mysqli_query($mysqli, "SELECT users.user_id, user_name FROM users
LEFT JOIN user_settings on users.user_id = user_settings.user_id
WHERE user_role > 1
AND user_type = 1
AND user_archived_at IS NULL
AND user_archived_at IS NULL
ORDER BY user_name DESC"
);
while ($row = mysqli_fetch_array($sql_users_select)) {

53
modals/user_mfa_modal.php Normal file
View File

@ -0,0 +1,53 @@
<?php
require_once 'plugins/totp/totp.php';
// Only generate the token once and store it in session:
if (empty($_SESSION['mfa_token'])) {
$token = key32gen();
$_SESSION['mfa_token'] = $token;
}
$token = $_SESSION['mfa_token'];
// Generate QR Code
$data = "otpauth://totp/ITFlow:$session_email?secret=$token";
?>
<div class="modal" id="enableMFAModal" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content bg-dark">
<div class="modal-header">
<h5 class="modal-title"><i class="fa fa-fw fa-lock mr-2"></i>Multi-Factor Authentication</h5>
<button type="button" class="close text-white" data-dismiss="modal">
<span>&times;</span>
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="modal-body bg-white">
<div class="text-center">
<img src='plugins/barcode/barcode.php?f=png&s=qr&d=<?php echo $data; ?>'>
<p><span class='text-secondary'>Secret:</span> <?php echo $token; ?>
<button type="button" class='btn btn-sm clipboardjs' data-clipboard-text='<?php echo $token; ?>'><i class='far fa-copy text-secondary'></i></button>
</p>
</div>
<div class="form-group">
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
</div>
<input type="text" class="form-control" inputmode="numeric" pattern="[0-9]*" minlength="6" maxlength="6" name="verify_code" placeholder="Enter 6 digit code to verify MFA" required>
</div>
</div>
</div>
<div class="modal-footer bg-white">
<button type="submit" name="enable_mfa" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Enable</button>
<button type="button" class="btn btn-light" data-dismiss="modal"><i class="fa fa-times mr-2"></i>Cancel</button>
</div>
</form>
</div>
</div>
</div>

16
post/admin/admin_settings_notification.php
View File

@ -7,7 +7,6 @@ if (isset($_POST['edit_notification_settings'])) {
validateCSRFToken($_POST['csrf_token']);
$config_enable_cron = intval($_POST['config_enable_cron'] ?? 0);
$config_cron_key = sanitizeInput($_POST['config_cron_key']);
$config_enable_alert_domain_expire = intval($_POST['config_enable_alert_domain_expire'] ?? 0);
$config_send_invoice_reminders = intval($_POST['config_send_invoice_reminders'] ?? 0);
$config_recurring_auto_send_invoice = intval($_POST['config_recurring_auto_send_invoice'] ?? 0);
@ -23,18 +22,3 @@ if (isset($_POST['edit_notification_settings'])) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['generate_cron_key'])) {
$key = randomString(32);
mysqli_query($mysqli,"UPDATE settings SET config_cron_key = '$key' WHERE company_id = 1");
// Logging
logAction("Settings", "Edit", "$session_name regenerated the cron key");
$_SESSION['alert_message'] = "Cron key regenerated";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}

3
post/user/invoice.php
View File

@ -1430,9 +1430,6 @@ if (isset($_GET['delete_recurring_payment'])) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Auto Payment Removed for Recurring Invoice <strong>$recurring_prefix$recurring_number</strong>";
if ($config_stripe_enable) {
$_SESSION['alert_message'] = "Auto Payment Removed - Stripe Auto payments must be manually removed in Stripe";
}
header("Location: " . $_SERVER["HTTP_REFERER"]);

95
post/user/profile.php
View File

@ -190,63 +190,92 @@ if (isset($_POST['edit_your_user_preferences'])) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['enable_mfa'])) {
if (isset($_POST['verify'])) {
validateCSRFToken($_POST['csrf_token']);
require_once "plugins/totp/totp.php";
$currentcode = intval($_POST['code']); //code to validate, for example received from device
if (TokenAuth6238::verify($session_token, $currentcode)) {
$_SESSION['alert_message'] = "VALID!";
}else{
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "IN-VALID!";
// Grab the code from the user
$verify_code = trim($_POST['verify_code']);
// Ensure it's numeric
if (!ctype_digit($verify_code)) {
$verify_code = '';
}
header("Location: " . $_SERVER["HTTP_REFERER"]);
// Grab the secret from the session
$token = $_SESSION['mfa_token'] ?? '';
}
// Verify
if (TokenAuth6238::verify($token, $verify_code)) {
if (isset($_POST['enable_2fa']) || isset($_GET['enable_2fa_force'])) {
// SUCCESS
mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
// CSRF Check
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
validateCSRFToken($_POST['csrf_token']);
// Delete any existing MFA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
// Logging
logAction("User Account", "Edit", "$session_name enabled MFA on their account");
$_SESSION['alert_message'] = "Multi-Factor authentication enabled";
// Clear the mfa_token from the session to avoid re-use.
unset($_SESSION['mfa_token']);
// Check if the previous page is mfa_enforcement.php
if (isset($_SERVER['HTTP_REFERER'])) {
$previousPage = basename(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH));
if ($previousPage === 'mfa_enforcement.php') {
// Redirect back to mfa_enforcement.php
header("Location: $config_start_page");
exit;
}
}
$extended_log_description = "";
$token = sanitizeInput($_POST['token']);
} else {
// If this is a GET request then we forced MFA as part of login
validateCSRFToken($_GET['csrf_token']);
// FAILURE
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Verification code invalid, please try again.";
$extended_log_description = "(forced)";
$token = sanitizeInput($_GET['token']);
// Set a flag to automatically open the MFA modal again
$_SESSION['show_mfa_modal'] = true;
// Check if the previous page is mfa_enforcement.php
if (isset($_SERVER['HTTP_REFERER'])) {
$previousPage = basename(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH));
if ($previousPage === 'mfa_enforcement.php') {
// Redirect back to mfa_enforcement.php
header("Location: " . $_SERVER['HTTP_REFERER']);
exit;
}
}
}
mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
// Delete any existing 2FA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
// Logging
logAction("User Account", "Edit", "$session_name enabled MFA on their account $extended_log_description");
$_SESSION['alert_message'] = "Two-factor authentication enabled $extended_log_description";
header("Location: user_security.php");
exit;
}
if (isset($_POST['disable_2fa'])){
if (isset($_GET['disable_mfa'])){
if ($session_user_config_force_mfa) {
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Multi-Factor authentication cannot be disabled for your account";
header("Location: " . $_SERVER["HTTP_REFERER"]);
exit();
}
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
validateCSRFToken($_GET['csrf_token']);
mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
// Delete any existing MFA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
@ -274,7 +303,7 @@ if (isset($_POST['disable_2fa'])){
logAction("User Account", "Edit", "$session_name disabled MFA on their account");
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Two-factor authentication disabled";
$_SESSION['alert_message'] = "Multi-Factor authentication disabled";
header("Location: " . $_SERVER["HTTP_REFERER"]);

5
recurring_invoice.php
View File

@ -62,8 +62,9 @@ if (isset($_GET['recurring_id'])) {
}
$recurring_payment_id = intval($row['recurring_payment_id']);
$recurring_payment_recurring_invoice_id = intval($row['recurring_payment_recurring_invoice_id']);
$recurring_payment_method = nullable_htmlentities($row['recurring_payment_method']);
// Override Tab Title // No Sanitizing needed as this var will opnly be used in the tab title
// Override Tab Title // No Sanitizing needed as this var will only be used in the tab title
$tab_title = $row['client_name'];
$page_title = "{$row['recurring_prefix']}{$row['recurring_number']}";
@ -131,7 +132,7 @@ if (isset($_GET['recurring_id'])) {
<?php if ($recurring_payment_recurring_invoice_id) { ?>
<a class="btn btn-outline-secondary" href="post.php?delete_recurring_payment=<?php echo $recurring_payment_id; ?>">
<i class="fas fa-fw fa-times-circle mr-2"></i>Disable AutoPay
<i class="fas fa-fw fa-times-circle mr-2"></i>Disable AutoPay (<?php echo $recurring_payment_method ?>)
</a>
<?php } else { ?>
<a class="btn btn-secondary" href='#' data-toggle="modal" data-target="#addRecurringPaymentModal<?php echo $recurring_id; ?>">

2
report_profit_loss.php
View File

@ -377,7 +377,7 @@ $sql_categories_expense = mysqli_query($mysqli, "SELECT * FROM categories WHERE
?>
<th class="text-right"><?php echo numfmt_format_currency($currency_format, $expense_amount_for_quarter_two, $session_company_currency); ?></th>
<th class="text-right"><?php echo numfmt_format_currency($currency_format, $expense_total_amount_for_quarter_two, $session_company_currency); ?></th>
<?php

2
scripts/cron.php
View File

@ -5,7 +5,7 @@ chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This setup script must be run from the command line.\n");
die("This script must be run from the command line.\n");
}
require_once "../config.php";

2
scripts/cron_certificate_refresher.php
View File

@ -5,7 +5,7 @@ chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This setup script must be run from the command line.\n");
die("This script must be run from the command line.\n");
}
require_once "../config.php";

2
scripts/cron_domain_refresher.php
View File

@ -5,7 +5,7 @@ chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This setup script must be run from the command line.\n");
die("This script must be run from the command line.\n");
}
require_once "../config.php";

2
scripts/cron_mail_queue.php
View File

@ -5,7 +5,7 @@ chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This setup script must be run from the command line.\n");
die("This script must be run from the command line.\n");
}
require_once "../config.php";

2
scripts/cron_ticket_email_parser.php
View File

@ -12,7 +12,7 @@ chdir(dirname(__FILE__));
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This setup script must be run from the command line.\n");
die("This script must be run from the command line.\n");
}
// Get ITFlow config & helper functions

2
scripts/setup_cli.php
View File

@ -10,7 +10,7 @@ chdir(__DIR__);
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This setup script must be run from the command line.\n");
die("This script must be run from the command line.\n");
}
// Define required arguments

12
setup.php
View File

@ -243,21 +243,9 @@ if (isset($_POST['add_company_settings'])) {
}
}
$latest_database_version = LATEST_DATABASE_VERSION;
mysqli_query($mysqli,"INSERT INTO settings SET company_id = 1, config_current_database_version = '$latest_database_version', config_invoice_prefix = 'INV-', config_invoice_next_number = 1, config_recurring_prefix = 'REC-', config_recurring_next_number = 1, config_invoice_overdue_reminders = '1,3,7', config_quote_prefix = 'QUO-', config_quote_next_number = 1, config_default_net_terms = 30, config_ticket_next_number = 1, config_ticket_prefix = 'TCK-'");
# Used only for the install script to grab the generated cronkey and insert into the db
if (file_exists("uploads/tmp/cronkey.php")) {
include "uploads/tmp/cronkey.php";
mysqli_query($mysqli,"UPDATE settings SET config_cron_key = '$itflow_install_script_generated_cronkey'");
unlink('uploads/tmp/cronkey.php');
}
// Create Categories
// Expense Categories Examples
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Office Supplies', category_type = 'Expense', category_color = 'blue'");

389
setup_cli.php
View File

@ -1,389 +0,0 @@
#!/usr/bin/env php
<?php
// Example
//php setup_cli.php --help
//php setup_cli.php --host=localhost --username=itflow --password=secret --database=itflow --base-url=example.com/itflow --locale=en_US --timezone=UTC --currency=USD --company-name="My Company" --country="United States" --user-name="John Doe" --user-email="john@example.com" --user-password="admin123" --non-interactive
// Change to the directory of this script so that all shell commands run here
chdir(__DIR__);
// Ensure we're running from command line
if (php_sapi_name() !== 'cli') {
die("This setup script must be run from the command line.\n");
}
// Define required arguments
$required_args = [
'host' => 'Database host',
'username' => 'Database username',
'password' => 'Database password',
'database' => 'Database name',
'base-url' => 'Base URL (without protocol, e.g. example.com/itflow)',
'locale' => 'Locale (e.g. en_US)',
'timezone' => 'Timezone (e.g. UTC)',
'currency' => 'Currency code (e.g. USD)',
'company-name' => 'Company name',
'country' => 'Company country (e.g. United States)',
'user-name' => 'Admin user full name',
'user-email' => 'Admin user email',
'user-password'=> 'Admin user password (min 8 chars)'
];
// Additional optional arguments
// address, city, state, zip, phone, company-email, website
// These are optional and don't need error checks if missing.
$optional_args = [
'address' => 'Company address (optional)',
'city' => 'Company city (optional)',
'state' => 'Company state (optional)',
'zip' => 'Company postal code (optional)',
'phone' => 'Company phone (optional)',
'company-email' => 'Company email (optional)',
'website' => 'Company website (optional)'
];
// Parse command line options
$shortopts = "";
$longopts = [
"help",
"host:",
"username:",
"password:",
"database:",
"base-url:",
"locale:",
"timezone:",
"currency:",
"company-name:",
"country:",
"address::",
"city::",
"state::",
"zip::",
"phone::",
"company-email::",
"website::",
"user-name:",
"user-email:",
"user-password:",
"non-interactive"
];
$options = getopt($shortopts, $longopts);
// If --help is set, print usage and exit
if (isset($options['help'])) {
echo "ITFlow CLI Setup Script\n\n";
echo "Usage:\n";
echo " php setup_cli.php [options]\n\n";
echo "Options:\n";
foreach ($required_args as $arg => $desc) {
echo " --$arg\t$desc (required)\n";
}
foreach ($optional_args as $arg => $desc) {
echo " --$arg\t$desc\n";
}
echo " --non-interactive\tRun in non-interactive mode (fail if required args missing)\n";
echo " --help\t\tShow this help message\n\n";
echo "If running interactively (without --non-interactive), any missing required arguments will be prompted.\n";
echo "If running non-interactively, all required arguments must be provided.\n\n";
exit(0);
}
if (file_exists("config.php")) {
include "config.php";
}
include "functions.php";
include "includes/database_version.php";
if (!isset($config_enable_setup)) {
$config_enable_setup = 1;
}
if ($config_enable_setup == 0) {
echo "Setup is disabled. Please delete or modify config.php if you need to re-run the setup.\n";
exit;
}
$errorLog = ini_get('error_log') ?: "/var/log/apache2/error.log";
$timezones = DateTimeZone::listIdentifiers();
function prompt($message) {
echo $message . ": ";
return trim(fgets(STDIN));
}
$non_interactive = isset($options['non-interactive']);
function getOptionOrPrompt($key, $promptMessage, $required = false, $default = '', $optionsGlobal = []) {
global $options, $non_interactive;
if (isset($options[$key])) {
return $options[$key];
} else {
if ($non_interactive && $required) {
die("Missing required argument: --$key\n");
}
$val = prompt($promptMessage . (strlen($default) ? " [$default]" : ''));
if (empty($val) && !empty($default)) {
$val = $default;
}
if ($required && empty($val)) {
die("Error: $promptMessage is required.\n");
}
return $val;
}
}
// Start setup
echo "Welcome to the ITFlow CLI Setup.\n";
// If config exists, abort
if (file_exists('config.php')) {
echo "Database is already configured in config.php.\n";
echo "To re-run the setup, remove config.php and run this script again.\n";
exit;
}
// If non-interactive is set, ensure all required arguments are present
if ($non_interactive) {
foreach (array_keys($required_args) as $arg) {
if (!isset($options[$arg])) {
die("Missing required argument: --$arg\n");
}
}
}
// Database Setup
echo "\n=== Database Setup ===\n";
$database = getOptionOrPrompt('database', "Enter the database name", true);
$host = getOptionOrPrompt('host', "Enter the database host", true, 'localhost');
if (empty($host)) $host = "localhost";
$username = getOptionOrPrompt('username', "Enter the database username", true);
$password = getOptionOrPrompt('password', "Enter the database password", true);
// Base URL
$base_url = getOptionOrPrompt('base-url', "Enter the base URL (e.g. example.com/itflow)", true);
$base_url = rtrim($base_url, '/');
// Locale, Timezone, Currency
echo "\n=== Localization ===\n";
$locale = getOptionOrPrompt('locale', "Enter the locale (e.g. en_US)", true);
$timezone = getOptionOrPrompt('timezone', "Enter the timezone (e.g. UTC or America/New_York)", true);
$currency_code = getOptionOrPrompt('currency', "Enter the currency code (e.g. USD)", true);
// Company Details
echo "\n=== Company Details ===\n";
$company_name = getOptionOrPrompt('company-name', "Company Name", true);
$country = getOptionOrPrompt('country', "Country (e.g. United States)", true);
$address = getOptionOrPrompt('address', "Address (optional)", false);
$city = getOptionOrPrompt('city', "City (optional)", false);
$state = getOptionOrPrompt('state', "State/Province (optional)", false);
$zip = getOptionOrPrompt('zip', "Postal Code (optional)", false);
$phone = getOptionOrPrompt('phone', "Phone (optional)", false);
$phone = preg_replace("/[^0-9]/", '', $phone);
$company_email = getOptionOrPrompt('company-email', "Company Email (optional)", false);
$website = getOptionOrPrompt('website', "Website (optional)", false);
// User Setup
echo "\n=== Create First User ===\n";
$user_name = getOptionOrPrompt('user-name', "Full Name", true);
$user_email = getOptionOrPrompt('user-email', "Email Address", true);
while (!filter_var($user_email, FILTER_VALIDATE_EMAIL)) {
echo "Invalid email.\n";
if ($non_interactive) {
die("Invalid email address: $user_email\n");
}
$user_email = prompt("Email Address");
}
$user_password_plain = getOptionOrPrompt('user-password', "Password (at least 8 chars)", true);
if (strlen($user_password_plain) < 8) {
if ($non_interactive) {
die("Password must be at least 8 characters.\n");
}
while (strlen($user_password_plain) < 8) {
echo "Password too short. Try again.\n";
$user_password_plain = prompt("Password");
}
}
if (!preg_match('/^[a-zA-Z0-9.\-\/]+$/', $host)) {
die("Invalid host format.\n");
}
// Test Database
$conn = @mysqli_connect($host, $username, $password, $database);
if (!$conn) {
die("Database connection failed - " . mysqli_connect_error() . "\n");
}
$installation_id = randomString(32);
$new_config = "<?php\n\n";
$new_config .= "\$dbhost = " . var_export($host, true) . ";\n";
$new_config .= "\$dbusername = " . var_export($username, true) . ";\n";
$new_config .= "\$dbpassword = " . var_export($password, true) . ";\n";
$new_config .= "\$database = " . var_export($database, true) . ";\n";
$new_config .= "\$mysqli = mysqli_connect(\$dbhost, \$dbusername, \$dbpassword, \$database) or die('Database Connection Failed');\n";
$new_config .= "\$config_app_name = 'ITFlow';\n";
$new_config .= "\$config_base_url = '" . addslashes($base_url) . "';\n";
$new_config .= "\$config_https_only = TRUE;\n";
$new_config .= "\$repo_branch = 'master';\n";
$new_config .= "\$installation_id = '$installation_id';\n";
if (file_put_contents("config.php", $new_config) === false) {
die("Failed to write config.php. Check file permissions.\n");
}
if (!file_exists('config.php')) {
die("config.php does not exist after write attempt.\n");
}
include "config.php";
// Import DB Schema
echo "Importing database schema...\n";
$filename = 'db.sql';
if (!file_exists($filename)) {
die("db.sql file not found.\n");
}
$templine = '';
$lines = file($filename);
foreach ($lines as $line) {
if (substr($line, 0, 2) == '--' || trim($line) == '')
continue;
$templine .= $line;
if (substr(trim($line), -1, 1) == ';') {
mysqli_query($mysqli, $templine) or die("Error performing query: $templine\n" . mysqli_error($mysqli) . "\n");
$templine = '';
}
}
echo "Database imported successfully.\n";
// Create User
$password_hash = password_hash(trim($user_password_plain), PASSWORD_DEFAULT);
$site_encryption_master_key = randomString();
$user_specific_encryption_ciphertext = setupFirstUserSpecificKey($user_password_plain, $site_encryption_master_key);
mysqli_query($mysqli,"INSERT INTO users SET user_name = '$user_name', user_email = '$user_email', user_password = '$password_hash', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext'");
mysqli_query($mysqli,"INSERT INTO user_settings SET user_id = 1, user_role = 3");
echo "User $user_name created successfully.\n";
// Company Details
mysqli_query($mysqli,"INSERT INTO companies SET company_name = '$company_name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone = '$phone', company_email = '$company_email', company_website = '$website', company_locale = '$locale', company_currency = '$currency_code'");
// Insert default settings and categories
$latest_database_version = LATEST_DATABASE_VERSION;
mysqli_query($mysqli,"INSERT INTO settings SET company_id = 1, config_current_database_version = '$latest_database_version', config_invoice_prefix = 'INV-', config_invoice_next_number = 1, config_recurring_prefix = 'REC-', config_recurring_next_number = 1, config_invoice_overdue_reminders = '1,3,7', config_quote_prefix = 'QUO-', config_quote_next_number = 1, config_default_net_terms = 30, config_ticket_next_number = 1, config_ticket_prefix = 'TCK-'");
// Categories
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Office Supplies', category_type = 'Expense', category_color = 'blue'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Travel', category_type = 'Expense', category_color = 'red'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Advertising', category_type = 'Expense', category_color = 'green'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Service', category_type = 'Income', category_color = 'blue'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Friend', category_type = 'Referral', category_color = 'blue'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Search Engine', category_type = 'Referral', category_color = 'red'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Cash', category_type = 'Payment Method', category_color = 'blue'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Check', category_type = 'Payment Method', category_color = 'red'");
mysqli_query($mysqli,"INSERT INTO categories SET category_name = 'Bank Transfer', category_type = 'Payment Method', category_color = 'green'");
// Calendar
mysqli_query($mysqli,"INSERT INTO calendars SET calendar_name = 'Default', calendar_color = 'blue'");
// Ticket Statuses
mysqli_query($mysqli, "INSERT INTO ticket_statuses SET ticket_status_name = 'New', ticket_status_color = '#dc3545'");
mysqli_query($mysqli, "INSERT INTO ticket_statuses SET ticket_status_name = 'Open', ticket_status_color = '#007bff'");
mysqli_query($mysqli, "INSERT INTO ticket_statuses SET ticket_status_name = 'On Hold', ticket_status_color = '#28a745'");
mysqli_query($mysqli, "INSERT INTO ticket_statuses SET ticket_status_name = 'Resolved', ticket_status_color = '#343a40'");
mysqli_query($mysqli, "INSERT INTO ticket_statuses SET ticket_status_name = 'Closed', ticket_status_color = '#343a40'");
// Modules
mysqli_query($mysqli, "INSERT INTO modules SET module_name = 'module_client', module_description = 'General client & contact management'");
mysqli_query($mysqli, "INSERT INTO modules SET module_name = 'module_support', module_description = 'Access to ticketing, assets and documentation'");
mysqli_query($mysqli, "INSERT INTO modules SET module_name = 'module_credential', module_description = 'Access to client credentials - usernames, passwords and 2FA codes'");
mysqli_query($mysqli, "INSERT INTO modules SET module_name = 'module_sales', module_description = 'Access to quotes, invoices and products'");
mysqli_query($mysqli, "INSERT INTO modules SET module_name = 'module_financial', module_description = 'Access to payments, accounts, expenses and budgets'");
mysqli_query($mysqli, "INSERT INTO modules SET module_name = 'module_reporting', module_description = 'Access to all reports'");
// Roles
mysqli_query($mysqli, "INSERT INTO user_roles SET user_role_id = 1, user_role_name = 'Accountant', user_role_description = 'Built-in - Limited access to financial-focused modules'");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 1, module_id = 1, user_role_permission_level = 1");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 1, module_id = 2, user_role_permission_level = 1");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 1, module_id = 4, user_role_permission_level = 1");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 1, module_id = 5, user_role_permission_level = 2");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 1, module_id = 6, user_role_permission_level = 1");
mysqli_query($mysqli, "INSERT INTO user_roles SET user_role_id = 2, user_role_name = 'Technician', user_role_description = 'Built-in - Limited access to technical-focused modules'");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 2, module_id = 1, user_role_permission_level = 2");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 2, module_id = 2, user_role_permission_level = 2");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 2, module_id = 3, user_role_permission_level = 2");
mysqli_query($mysqli, "INSERT INTO user_role_permissions SET user_role_id = 2, module_id = 4, user_role_permission_level = 2");
mysqli_query($mysqli, "INSERT INTO user_roles SET user_role_id = 3, user_role_name = 'Administrator', user_role_description = 'Built-in - Full administrative access', user_role_is_admin = 1");
// Custom Links
mysqli_query($mysqli,"INSERT INTO custom_links SET custom_link_name = 'Docs', custom_link_uri = 'https://docs.itflow.org', custom_link_new_tab = 1, custom_link_icon = 'question-circle'");
// Finalizing
mysqli_query($mysqli,"UPDATE companies SET company_locale = '$locale', company_currency = '$currency_code' WHERE company_id = 1");
mysqli_query($mysqli,"UPDATE settings SET config_timezone = '$timezone', config_phone_mask = 1 WHERE company_id = 1");
mysqli_query($mysqli,"INSERT INTO accounts SET account_name = 'Cash', account_currency_code = '$currency_code'");
// Telemetry (optional if interactive)
if (!$non_interactive) {
echo "\n=== Telemetry ===\n";
echo "Would you like to share anonymous usage data with the project maintainers? [y/N]: ";
$share = strtolower(trim(fgets(STDIN)));
if ($share === 'y') {
mysqli_query($mysqli,"UPDATE settings SET config_telemetry = 2");
echo "Any comments to include? Press Enter if none: ";
$comments = trim(fgets(STDIN));
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name_db = $row['company_name'];
$website_db = $row['company_website'];
$city_db = $row['company_city'];
$state_db = $row['company_state'];
$country_db = $row['company_country'];
$currency_db = $row['company_currency'];
$postdata = http_build_query([
'installation_id' => "$installation_id",
'company_name' => "$company_name_db",
'website' => "$website_db",
'city' => "$city_db",
'state' => "$state_db",
'country' => "$country_db",
'currency' => "$currency_db",
'comments' => "$comments",
'collection_method' => 1
]);
$opts = ['http' =>
[
'method' => 'POST',
'header' => 'Content-type: application/x-www-form-urlencoded',
'content' => $postdata
]
];
$context = stream_context_create($opts);
$result = @file_get_contents('https://telemetry.itflow.org', false, $context);
echo "Telemetry response: $result\n";
}
}
// finalize config
$myfile = fopen("config.php", "a");
$txt = "\$config_enable_setup = 0;\n\n";
fwrite($myfile, $txt);
fclose($myfile);
echo "\nSetup complete!\n";
echo "You can now log in with the user you created at: https://$base_url/login.php\n";
exit(0);

8
tickets.php
View File

@ -280,7 +280,7 @@ $user_active_assigned_tickets = intval($row['total_tickets_assigned']);
<option value="unassigned" <?php if ($ticket_assigned_filter_id == "0") { echo "selected"; } ?>>Unassigned</option>
<?php
$sql_assign_to = mysqli_query($mysqli, "SELECT * FROM users WHERE user_archived_at IS NULL ORDER BY user_name ASC");
$sql_assign_to = mysqli_query($mysqli, "SELECT * FROM users WHERE user_type = 1 AND user_archived_at IS NULL ORDER BY user_name ASC");
while ($row = mysqli_fetch_array($sql_assign_to)) {
$user_id = intval($row['user_id']);
$user_name = nullable_htmlentities($row['user_name']);
@ -316,12 +316,12 @@ $user_active_assigned_tickets = intval($row['total_tickets_assigned']);
</th>
<th>
<a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=ticket_subject&order=<?php echo $disp; ?>">
Subject / Tasks <?php if ($sort == 'ticket_subject') { echo $order_icon; } ?>
Subject <?php if ($sort == 'ticket_subject') { echo $order_icon; } ?>
</a>
</th>
<th>
<a class="text-dark" href="?<?php echo $url_query_strings_sort; ?>&sort=client_name&order=<?php echo $disp; ?>">
Client / Contact <?php if ($sort == 'client_name') { echo $order_icon; } ?>
Client / <span class="text-secondary">Contact</span> <?php if ($sort == 'client_name') { echo $order_icon; } ?>
</a>
</th>
@ -418,7 +418,7 @@ $user_active_assigned_tickets = intval($row['total_tickets_assigned']);
if (empty($contact_name)) {
$contact_display = "-";
} else {
$contact_display = "$contact_name<br><small class='text-secondary'>$contact_email</small>";
$contact_display = "$contact_name";
}
// Get who last updated the ticket - to be shown in the last Response column

130
update_cli.php
View File

@ -1,130 +0,0 @@
#!/usr/bin/env php
<?php
// Change to the directory of this script so that all shell commands run here
chdir(__DIR__);
// Ensure script is run only from the CLI
if (php_sapi_name() !== 'cli') {
die("This script can only be run from the command line.\n");
}
// Ensure the script is run by the owner of the file
$fileOwner = fileowner(__FILE__);
$currentUser = posix_geteuid(); // Get the current effective user ID
if ($currentUser !== $fileOwner) {
$ownerInfo = posix_getpwuid($fileOwner);
$ownerName = $ownerInfo['name'] ?? 'unknown';
fwrite(STDERR, "Error: This script must be run by the file owner ($ownerName) to proceed.\nYou could try sudo -u $ownerName php update_cli.php\n");
exit(1);
}
require_once 'config.php';
require_once "functions.php";
// A function to print the help message so that we don't duplicate it
function printHelp() {
echo "Usage: php update_cli.php [options]\n\n";
echo "Options:\n";
echo " --help Show this help message.\n";
echo " --update Perform a git pull to update the application.\n";
echo " --force_update Perform a git fetch and hard reset to origin/master.\n";
echo " --update_db Update the database structure to the latest version.\n";
echo "\nIf no options are provided, a standard update (git pull) is performed.\n";
}
// Define allowed options (removed 'user')
$allowed_options = [
'help',
'update',
'force_update',
'update_db'
];
// Parse command-line options
$options = getopt('', ['update', 'force_update', 'update_db', 'help']);
// Check for invalid options by comparing argv against allowed options
$argv_copy = $argv;
array_shift($argv_copy); // Remove script name
foreach ($argv_copy as $arg) {
if (substr($arg, 0, 2) === '--') {
// Extract the option name (everything after -- and before = if present)
$eqPos = strpos($arg, '=');
if ($eqPos !== false) {
$optName = substr($arg, 2, $eqPos - 2);
} else {
$optName = substr($arg, 2);
}
// Check if option name is allowed
if (!in_array($optName, $allowed_options)) {
echo "Error: Unrecognized option: $arg\n\n";
printHelp();
exit(1);
}
}
}
// If "help" is requested, show instructions and exit
if (isset($options['help'])) {
printHelp();
exit;
}
// If no recognized options are passed, default to --update
if (count($options) === 0) {
$options['update'] = true;
}
// If "update" or "force_update" is requested
if (isset($options['update']) || isset($options['force_update'])) {
if (isset($options['force_update'])) {
// Perform a hard reset
exec("git fetch --all 2>&1", $output, $return_var);
exec("git reset --hard origin/master 2>&1", $output2, $return_var2);
echo implode("\n", $output) . "\n" . implode("\n", $output2) . "\n";
} else {
// Perform a standard update (git pull)
exec("git pull 2>&1", $output, $return_var);
// Check if the repository is already up to date
if (strpos(implode("\n", $output), 'Already up to date.') === false) {
echo implode("\n", $output) . "\n";
echo "Update successful\n";
} else {
// If already up-to-date, don't show the update success message
echo implode("\n", $output) . "\n";
}
}
}
// If "update_db" is requested
if (isset($options['update_db'])) {
require_once('includes/database_version.php');
$latest_db_version = LATEST_DATABASE_VERSION;
// Fetch the current version from the database
$result = mysqli_query($mysqli, "SELECT config_current_database_version FROM settings LIMIT 1");
$row = mysqli_fetch_assoc($result);
DEFINE("CURRENT_DATABASE_VERSION", $row['config_current_database_version']);
$old_db_version = $row['config_current_database_version'];
// Now include the update logic
require_once('database_updates.php');
// After database_updates.php has done its job, fetch the updated current DB version again
$result = mysqli_query($mysqli, "SELECT config_current_database_version FROM settings LIMIT 1");
$row = mysqli_fetch_assoc($result);
$new_db_version = $row['config_current_database_version'];
if ($old_db_version !== $latest_db_version) {
echo "Database updated from version $old_db_version to $new_db_version.\n";
echo "The latest database version is $latest_db_version.\n";
} else {
echo "Database is already at the latest version ($latest_db_version). No updates were applied.\n";
}
}

6
user_details.php
View File

@ -14,7 +14,7 @@ require_once "includes/inc_all_user.php";
<div class="row">
<div class="col-md-3 text-center">
<?php if(file_exists("uploads/users/$session_user_id/$session_avatar")) { ?>
<?php if($session_avatar) { ?>
<img class="img-thumbnail" src="<?php echo "uploads/users/$session_user_id/" . nullable_htmlentities($session_avatar); ?>">
<a href="post.php?clear_your_user_avatar&csrf_token=<?= $_SESSION['csrf_token'] ?>" class="btn btn-outline-danger btn-block">Remove Avatar</a>
<hr>
@ -24,7 +24,7 @@ require_once "includes/inc_all_user.php";
<input type="file" class="form-control-file" accept="image/*" name="avatar">
</div>
</div>
<div class="col-9">
<div class="col-md-9">
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>
@ -56,7 +56,7 @@ require_once "includes/inc_all_user.php";
</div>
</div>
<button type="submit" name="edit_your_user_details" class="btn btn-primary"><i class="fas fa-check mr-2"></i>Save</button>
<button type="submit" name="edit_your_user_details" class="btn btn-primary btn-responsive"><i class="fas fa-check mr-2"></i>Save</button>
</div>
</div>

84
user_security.php
View File

@ -31,65 +31,20 @@ $remember_token_count = mysqli_num_rows($sql_remember_tokens);
<button type="submit" name="edit_your_user_password" class="btn btn-primary"><i class="fas fa-check mr-2"></i>Change</button>
</form>
</div>
</div>
<div class="card card-dark">
<div class="card-header">
<h3 class="card-title"><i class="fas fa-lock mr-2"></i>Mult-Factor Authentication</h3>
</div>
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<div class="float-right">
<?php if (empty($session_token)) { ?>
<button type="submit" name="enable_2fa" class="btn btn-success"><i class="fa fa-fw fa-lock"></i><br> Enable 2FA</button>
<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#enableMFAModal">
<i class="fas fa-lock mr-2"></i>Enable Multi-Factor Authentication
</button>
<?php require_once "modals/user_mfa_modal.php"; ?>
<?php } else { ?>
<p>You have set up 2FA. Your QR code is below.</p>
<button type="submit" name="disable_2fa" class="btn btn-danger"><i class="fa fa-fw fa-unlock"></i><br>Disable 2FA</button>
<a href="post.php?disable_mfa&csrf_token=<?php echo $_SESSION['csrf_token'] ?>" class="btn btn-danger"><i class="fas fa-unlock mr-2"></i>Disable Multi-Factor Authentication</a>
<?php } ?>
</div>
<center>
<?php
require_once 'plugins/totp/totp.php';
//Generate a base32 Key
$secretkey = key32gen();
if (!empty($session_token)) {
// Generate QR Code
$data = "otpauth://totp/ITFlow:$session_email?secret=$session_token";
print "<img src='plugins/barcode/barcode.php?f=png&s=qr&d=$data'>";
echo "<p class='text-secondary'>$session_token</p>";
}
?>
</center>
<input type="hidden" name="token" value="<?php echo $secretkey; ?>">
</form>
<?php if (!empty($session_token)) { ?>
<form action="post.php" method="post" autocomplete="off">
<div class="form-group">
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
</div>
<input type="text" class="form-control" inputmode="numeric" pattern="[0-9]*" name="code" placeholder="Verify 2FA Code" required>
<div class="input-group-append">
<button type="submit" name="verify" class="btn btn-success">Verify</button>
</div>
</div>
</div>
</form>
<?php } ?>
</div>
</div>
@ -121,4 +76,25 @@ $remember_token_count = mysqli_num_rows($sql_remember_tokens);
<?php } ?>
<?php
// Show the error alert if it exists:
if (!empty($_SESSION['alert_type']) && $_SESSION['alert_type'] == 'error') {
echo "<div class='alert alert-danger'>{$_SESSION['alert_message']}</div>";
// Clear it so it doesn't persist on refresh
unset($_SESSION['alert_type']);
unset($_SESSION['alert_message']);
}
// If the user just failed a TOTP verification, auto-open the modal:
if (!empty($_SESSION['show_mfa_modal'])) {
echo "
<script>
document.addEventListener('DOMContentLoaded', function() {
// jQuery or vanilla JS to open the modal
$('#enableMFAModal').modal('show');
});
</script>";
unset($_SESSION['show_mfa_modal']);
}
require_once "includes/footer.php";