AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for client-specific API keys 

Refactoring API. Added a contact update endpoint.
Small misc changes.
This commit is contained in:
Marcus Hill 2022-04-15 17:43:06 +01:00
parent bdd00c843d
commit e55622827d
26 changed files with 286 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
api/v1/assets/asset_model.php Normal file
View File

@ -0,0 +1,27 @@
<?php
$type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_type'])));
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_name'])));
$make = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_make'])));
$model = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_model'])));
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_serial'])));
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os'])));
$asset_ip = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_ip'])));
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_mac'])));
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_purchase_date'])));
if(empty($purchase_date)){
$purchase_date = "0000-00-00";
}
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_warranty_expire'])));
if(empty($warranty_expire)){
$warranty_expire = "0000-00-00";
}
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_install_date'])));
if(empty($install_date)){
$install_date = "0000-00-00";
}
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_notes'])));
$meshcentral_id = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_meshcentral_id'])));
$vendor = intval($_POST['asset_vendor_id']);
$location = intval($_POST['asset_location_id']);
$contact = intval($_POST['asset_contact_id']);
$network = intval($_POST['asset_network_id']);

52
api/v1/assets/create.php
View File

@ -1,57 +1,25 @@
<?php
require('../validate_api_key.php');
if($_SERVER['REQUEST_METHOD'] !== "POST"){
header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False";
$return_arr['message'] = "Can only send POST requests to this endpoint.";
echo json_encode($return_arr);
exit();
}
require('../require_post_method.php');
// Parse info
$type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_type'])));
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_name'])));
$make = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_make'])));
$model = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_model'])));
$serial = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_serial'])));
$os = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_os'])));
$ip = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_ip'])));
$mac = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_mac'])));
$purchase_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_purchase_date'])));
if(empty($purchase_date)){
$purchase_date = "0000-00-00";
}
$warranty_expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_warranty_expire'])));
if(empty($warranty_expire)){
$warranty_expire = "0000-00-00";
}
$install_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['install_date'])));
if(empty($install_date)){
$install_date = "0000-00-00";
}
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_notes'])));
$meshcentral_id = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['asset_meshcentral_id'])));
$location = intval($_POST['location']);
$vendor = intval($_POST['vendor']);
$contact = intval($_POST['contact']);
$network = intval($_POST['network']);
$client_id = intval(json_decode($_POST['client_id']));
require('asset_model.php');
if(!empty($name)){
// Default
$insert_id = FALSE;
if(!empty($name) && !empty($client_id)){
// Insert into Database
$insert_sql = mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$ip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_created_at = NOW(), asset_network_id = $network, asset_client_id = $client_id, company_id = '$company_id'");
$insert_sql = mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$asset_ip', asset_mac = '$mac', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_install_date = '$install_date', asset_notes = '$notes', asset_created_at = NOW(), asset_network_id = $network, asset_client_id = $client_id, company_id = '$company_id'");
if($insert_sql){
$insert_id = $mysqli->insert_id;
$insert_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = '$client_id', company_id = $company_id");
}
}
else{
$insert_id = FALSE;
}
// Output
include('../create_output.php');

24
api/v1/assets/read.php
View File

@ -5,37 +5,37 @@ require('../require_get_method.php');
// Asset via ID (single)
if(isset($_GET['asset_id'])){
$id = intval($_GET['asset_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND company_id = '$company_id'");
$id = intval($_GET['asset_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Asset query via type
elseif(isset($_GET['asset_type'])){
$type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type']));
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
$type = mysqli_real_escape_string($mysqli,ucfirst($_GET['asset_type']));
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Asset query via name
elseif(isset($_GET['asset_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['asset_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
$name = mysqli_real_escape_string($mysqli,$_GET['asset_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Asset query via serial
elseif(isset($_GET['asset_serial'])){
$serial = mysqli_real_escape_string($mysqli,$_GET['asset_serial']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
$serial = mysqli_real_escape_string($mysqli,$_GET['asset_serial']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Asset query via client ID
elseif(isset($_GET['asset_client_id'])){
$client = intval($_GET['asset_client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id = '$client' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// All assets
else{
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
$sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Output

18
api/v1/certificates/read.php
View File

@ -5,25 +5,25 @@ require('../require_get_method.php');
// Specific certificate via ID (single)
if(isset($_GET['certificate_id'])){
$id = intval($_GET['certificate_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND company_id = '$company_id'");
$id = intval($_GET['certificate_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Certificate by name
elseif(isset($_GET['certificate_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['certificate_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
$name = mysqli_real_escape_string($mysqli,$_GET['certificate_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
}
// Certificate via client ID
elseif(isset($_GET['certificate_client_id'])){
$client = intval($_GET['certificate_client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
// Certificate via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
}
// All certificates
else{
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
$sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
}
// Output

11
api/v1/contacts/contact_model.php Normal file
View File

@ -0,0 +1,11 @@
<?php
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_name'])));
$title = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_title'])));
$department = intval($_POST['contact_department']);
$phone = preg_replace("/[^0-9]/", '',$_POST['contact_phone']);
$extension = preg_replace("/[^0-9]/", '',$_POST['contact_extension']);
$mobile = preg_replace("/[^0-9]/", '',$_POST['contact_mobile']);
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_email'])));
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_notes'])));
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_auth_method'])));
$location_id = intval($_POST['contact_location_id']);

51
api/v1/contacts/create.php
View File

@ -1,41 +1,34 @@
<?php
require('../validate_api_key.php');
if($_SERVER['REQUEST_METHOD'] !== "POST"){
header("HTTP/1.1 405 Method Not Allowed");
$return_arr['success'] = "False";
$return_arr['message'] = "Can only send POST requests to this endpoint.";
echo json_encode($return_arr);
exit();
}
require('../require_post_method.php');
// Parse Info
$client_id = intval($_POST['client_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_name'])));
$title = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_title'])));
$department = intval($_POST['contact_department']);
$phone = preg_replace("/[^0-9]/", '',$_POST['contact_phone']);
$extension = preg_replace("/[^0-9]/", '',$_POST['contact_extension']);
$mobile = preg_replace("/[^0-9]/", '',$_POST['contact_mobile']);
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_email'])));
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_notes'])));
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['contact_auth_method'])));
$location_id = intval($_POST['location']);
include('contact_model.php');
if(!empty($name)){
// Insert contact
$insert_sql = mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_created_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id");
if($insert_sql){
$insert_id = $mysqli->insert_id;
// Default
$insert_id = FALSE;
if(!empty($name) && !empty($email) && !empty($client_id)){
// Check contact with $email doesn't already exist
$email_duplication_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id = '$client_id'");
if(mysqli_num_rows($email_duplication_sql) == 0){
// Insert contact
$insert_sql = mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_created_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id");
// Check insert & get insert ID
if($insert_sql){
$insert_id = mysqli_insert_id($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
}
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), company_id = $company_id");
}
}
else{
$insert_id = FALSE;
}
// Output
include('../create_output.php');

6
api/v1/contacts/read.php
View File

@ -6,18 +6,18 @@ require('../require_get_method.php');
// Specific contact via ID (single)
if(isset($_GET['contact_id'])){
$id = intval($_GET['contact_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND company_id = '$company_id'");
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Specific contact via email (single)
elseif(isset($_GET['contact_email'])){
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['contact_email'])));
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND company_id = '$company_id'");
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// All contacts
else{
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset");
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset");
}
// Output

28
api/v1/contacts/update.php Normal file
View File

@ -0,0 +1,28 @@
<?php
require('../validate_api_key.php');
require('../require_post_method.php');
// Parse Info
$contact_id = intval($_POST['contact_id']);
include('contact_model.php');
// Default
$update_id = FALSE;
if(!empty($name) && !empty($email)){
$update_sql = mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_auth_method = '$auth_method', contact_updated_at = NOW(), contact_department_id = $department, contact_location_id = $location_id, contact_client_id = $client_id, company_id = $company_id WHERE contact_id = $contact_id LIMIT 1");
// Check insert & get insert ID
if($update_sql){
$update_id = mysqli_affected_rows($mysqli);
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Updated', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated contact $name via API ($api_key_name)', log_ip = '$ip', log_created_at = NOW(), log_client_id = $client_id, company_id = $company_id");
}
}
// Output
include('../update_output.php');

4
api/v1/create_output.php
View File

@ -16,10 +16,10 @@ if(isset($insert_id) && is_numeric($insert_id)){
];
}
// Query returned false, something went wrong or it was declined due to required variables missing
// Query returned false: something went wrong, or it was declined due to required variables missing
else{
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but insert query failed, ensure ALL required variables are provided and database schema is up-to-date. Turn on error logging and look for 'undefined index'";
$return_arr['message'] = "Auth success but insert query failed, ensure ALL required variables are provided (and aren't duplicates where applicable) and database schema is up-to-date. Turn on error logging and look for 'undefined index'.";
}
echo json_encode($return_arr);

18
api/v1/domains/read.php
View File

@ -5,25 +5,25 @@ require('../require_get_method.php');
// Specific domain via ID (single)
if(isset($_GET['domain_id'])){
$id = intval($_GET['domain_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND company_id = '$company_id'");
$id = intval($_GET['domain_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Domain by name
elseif(isset($_GET['domain_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['domain_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
$name = mysqli_real_escape_string($mysqli,$_GET['domain_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Domain via client ID
elseif(isset($_GET['domain_client_id'])){
$client = intval($_GET['domain_client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id = '$client' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
// Domain via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
}
// All domains
else{
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
$sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
}
// Output

18
api/v1/networks/read.php
View File

@ -5,25 +5,25 @@ require('../require_get_method.php');
// Specific network via ID (single)
if(isset($_GET['network_id'])){
$id = intval($_GET['network_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = '$id' AND company_id = '$company_id'");
$id = intval($_GET['network_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = '$id' AND network_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Network by name
elseif(isset($_GET['network_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['network_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
$name = mysqli_real_escape_string($mysqli,$_GET['network_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
}
// Network via client ID
elseif(isset($_GET['network_client_id'])){
$client = intval($_GET['network_client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id = '$client' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
// Network via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
}
// All networks
else{
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
$sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
}
// Output

2
api/v1/read_output.php
View File

@ -20,7 +20,7 @@ if($sql && mysqli_num_rows($sql) > 0){
}
else{
$return_arr['success'] = "False";
$return_arr['message'] = "No resource (for this company) with the specified parameter(s).";
$return_arr['message'] = "No resource (for this client and company) with the specified parameter(s).";
echo json_encode($return_arr);
exit();
}

5
api/v1/require_get_method.php
View File

@ -5,4 +5,9 @@ if($_SERVER['REQUEST_METHOD'] !== "GET"){
$return_arr['message'] = "Can only send GET requests to this endpoint.";
echo json_encode($return_arr);
exit();
}
// Wildcard client ID for most SELECT queries
if($client_id == 0){
$client_id = "%";
}

7
api/v1/require_post_method.php
View File

@ -5,4 +5,11 @@ if($_SERVER['REQUEST_METHOD'] !== "POST"){
$return_arr['message'] = "Can only send POST requests to this endpoint.";
echo json_encode($return_arr);
exit();
}
// Client ID must be specific for INSERT/UPDATE/DELETE queries
// If this API key allows any client, set $client_id to the one specified, else leave it
if($client_id == 0){
//
$client_id = intval($_POST['client_id']);
}

26
api/v1/software/read.php
View File

@ -5,37 +5,37 @@ require('../require_get_method.php');
// Specific software via ID (single)
if(isset($_GET['software_id'])){
$id = intval($_GET['software_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND company_id = '$company_id'");
$id = intval($_GET['software_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND software_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// Specific software via License ID
if(isset($_GET['software_license'])){
$license = mysqli_real_escape_string($mysqli,$_GET['software_license']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license = '$license' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
$license = mysqli_real_escape_string($mysqli,$_GET['software_license']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_license_type = '$license' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// Software by name
elseif(isset($_GET['software_name'])){
$name = mysqli_real_escape_string($mysqli,$_GET['software_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
$name = mysqli_real_escape_string($mysqli,$_GET['software_name']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
}
// Software via type
elseif(isset($_GET['software_type'])){
$type = intval($_GET['software_type']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
$type = intval($_GET['software_type']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// Software via client ID
elseif(isset($_GET['software_client_id'])){
$client = intval($_GET['software_client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id = '$client' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
// Software via client ID (if allowed)
elseif(isset($_GET['client_id']) && $client_id == "%"){
$client_id = intval($_GET['client_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// All software(s)
else{
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
$sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
}
// Output

4
api/v1/tickets/read.php
View File

@ -6,12 +6,12 @@ require('../require_get_method.php');
// Specific ticket via ID (single)
if(isset($_GET['ticket_id'])){
$id = intval($_GET['ticket_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND company_id = '$company_id'");
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id' AND company_id = '$company_id'");
}
// All tickets
else{
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");
}
// Output

23
api/v1/update_output.php Normal file
View File

@ -0,0 +1,23 @@
<?php
/*
* API - update_output.php
* Included on calls to update.php endpoints
* Checks the status of the update SQL query ($update_sql)
* Returns success data / fail messages
*/
// Check if the insert query was successful
if(isset($update_id) && is_numeric($update_id) && $update_id > 0){
// Insert successful
$return_arr['success'] = "True";
$return_arr['count'] = $update_id;
}
// Query returned false: something went wrong, or it was declined due to required variables missing
else{
$return_arr['success'] = "False";
$return_arr['message'] = "Auth success but update query failed/returned no results. Ensure ALL required variables are provided and database schema is up-to-date. Most likely cause: non-existent module (contact/ticket/etc) id";
}
echo json_encode($return_arr);
exit();

5
api/v1/validate_api_key.php
View File

@ -86,10 +86,11 @@ if(isset($api_key)){
// Success
else{
// Set company ID & key name
// Set client ID, company ID & key name
$row = mysqli_fetch_array($sql);
$company_id = $row['company_id'];
$api_key_name = $row['api_key_name'];
$client_id = $row['api_key_client_id'];
$company_id = $row['company_id'];
// Set limit & offset for queries
if(isset($_GET['limit'])){

53
api_key_add_modal.php
View File

@ -1,3 +1,6 @@
<?php
$key = keygen();
?>
<div class="modal" id="addApiKeyModal" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content bg-dark">
@ -10,30 +13,72 @@
<form action="post.php" method="post" autocomplete="off">
<div class="modal-body bg-white">
<input type="hidden" name="key" value="<?php echo $key ?>">
<div class="form-group">
<label>API Key <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
</div>
<input type="text" class="form-control" value="<?php echo $key ?>" required disabled>
<div class="input-group-append">
<button class="btn btn-default clipboardjs" type="button" data-clipboard-text="<?php echo $key; ?>"><i class="fa fa-fw fa-copy"></i></button>
</div>
</div>
</div>
<hr>
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
<span class="input-group-text"><i class="fa fa-fw fa-sticky-note"></i></span>
</div>
<input type="text" class="form-control" name="name" placeholder="Key Name" required autofocus>
</div>
</div>
<div class="form-group">
<label>Expiration Date</label>
<label>Expiration Date <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
</div>
<input type="date" class="form-control" name="expire">
<input type="date" class="form-control" name="expire" required>
</div>
</div>
<div class="form-group">
<label>Client <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-user"></i></span>
</div>
<select class="form-control select2" name="client" required>
<option value="">- Client -</option>
<option value="0"> ALL CLIENTS </option>
<?php
$sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC");
while($row = mysqli_fetch_array($sql)){
$client_id = $row['client_id'];
$client_name = $row['client_name'];
?>
<option value="<?php echo $client_id; ?>"><?php echo "$client_name (Client ID: $client_id)"; ?></option>
<?php
}
?>
</select>
</div>
</div>
</div>
<div class="modal-footer bg-white">
<button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
<button type="submit" name="add_api_key" class="btn btn-primary">Save</button>
<button type="submit" name="add_api_key" class="btn btn-primary">Add</button>
</div>
</form>
</div>

43
api_key_edit_modal.php
View File

@ -1,43 +0,0 @@
<div class="modal" id="editApiKeyModal<?php echo $api_key_id; ?>" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content bg-dark">
<div class="modal-header">
<h5 class="modal-title"><i class="fa fa-fw fa-key"></i> <?php echo $api_key_name; ?></h5>
<button type="button" class="close text-white" data-dismiss="modal">
<span>&times;</span>
</button>
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="api_key_id" value="<?php echo $api_key_id; ?>">
<div class="modal-body bg-white">
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
</div>
<input type="text" class="form-control" name="name" placeholder="Key Name" value="<?php echo $api_key_name; ?>" required autofocus>
</div>
</div>
<div class="form-group">
<label>Expiration Date</label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
</div>
<input type="date" class="form-control" name="expire" value="<?php echo $api_key_expire; ?>">
</div>
</div>
</div>
<div class="modal-footer bg-white">
<button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
<button type="submit" name="edit_api_key" class="btn btn-primary">Save</button>
</div>
</form>
</div>
</div>
</div>

2
client_contact_details_modal.php
View File

@ -85,7 +85,7 @@
$software_id = $row['software_id'];
$software_name = $row['software_name'];
$software_type = $row['software_type'];
$software_license = $row['software_license'];
$software_license = $row['software_license_type'];
$software_notes = $row['software_notes'];
?>

3
database_updates.php
View File

@ -45,6 +45,9 @@ if(LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION){
mysqli_query($mysqli, "UPDATE `documents` SET `document_content_raw` = '$content_raw' WHERE `document_id` = '$id'");
}
// Add API key client column
mysqli_query($mysqli, "ALTER TABLE `api_keys` ADD `api_key_client_id` INT NOT NULL DEFAULT '0' AFTER `api_key_expire`");
// Then, update the database to the next sequential version
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '0.0.3'");
}

1
db.sql
View File

@ -50,6 +50,7 @@ CREATE TABLE `api_keys` (
`api_key_created_at` datetime NOT NULL,
`api_key_updated_at` datetime DEFAULT NULL,
`api_key_expire` date NOT NULL,
`api_key_client_id` int(11) NOT NULL DEFAULT '0',
`company_id` int(11) NOT NULL,
PRIMARY KEY (`api_key_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

6
post.php
View File

@ -407,12 +407,12 @@ if(isset($_POST['add_api_key'])){
exit();
}
$secret = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['key'])));
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['expire'])));
// Gen a Key
$secret = keygen();
$client = intval($_POST['client']);
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_created_at = NOW(), company_id = $session_company_id");
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_client_id = '$client', api_key_created_at = NOW(), company_id = $session_company_id");
$api_key_id = mysqli_insert_id($mysqli);

27
settings-api.php
View File

@ -10,8 +10,9 @@
$url_query_strings_sb = http_build_query(array_merge($_GET,array('sb' => $sb, 'o' => $o)));
$sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS * FROM api_keys
LEFT JOIN clients on api_keys.api_key_client_id = clients.client_id
WHERE (api_key_name LIKE '%$q%')
AND company_id = $session_company_id
AND api_keys.company_id = $session_company_id
ORDER BY $sb $o LIMIT $record_from, $record_to");
$num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
@ -40,6 +41,7 @@
<thead class="text-dark <?php if($num_rows[0] == 0){ echo "d-none"; } ?>">
<tr>
<th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=api_key_name&o=<?php echo $disp; ?>">Name</a></th>
<th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=api_key_client_id&o=<?php echo $disp; ?>">Client</a></th>
<th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=api_key_secret&o=<?php echo $disp; ?>">Secret</a></th>
<th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=api_key_created_at&o=<?php echo $disp; ?>">Created</a></th>
<th><a class="text-dark" href="?<?php echo $url_query_strings_sb; ?>&sb=api_key_expire&o=<?php echo $disp; ?>">Expire</a></th>
@ -52,15 +54,24 @@
while($row = mysqli_fetch_array($sql)){
$api_key_id = $row['api_key_id'];
$api_key_name = $row['api_key_name'];
$api_key_secret = $row['api_key_secret'];
$api_key_secret = "************" . substr($row['api_key_secret'], -4);
$api_key_created_at = $row['api_key_created_at'];
$api_key_expire = $row['api_key_expire'];
if($api_key_expire < date("Y-m-d H:i:s")){
$api_key_expire = $api_key_expire . " (Expired)";
}
if($row['api_key_client_id'] == 0){
$api_key_client = "<i>All Clients</i>";
}
else{
$api_key_client = $row['client_name'];
}
?>
<tr>
<td>
<a class="text-dark" href="#" data-toggle="modal" data-target="#editApiKeyModal<?php echo $api_key_id; ?>"><?php echo $api_key_name; ?></a>
</td>
<td><?php echo $api_key_name; ?></td>
<td><?php echo $api_key_client; ?></td>
<td><?php echo $api_key_secret; ?></td>
<td><?php echo $api_key_created_at; ?></td>
<td><?php echo $api_key_expire; ?></td>
@ -70,17 +81,13 @@
<i class="fas fa-ellipsis-h"></i>
</button>
<div class="dropdown-menu">
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editApiKeyModal<?php echo $api_key_id; ?>">Edit</a>
<div class="dropdown-divider"></div>
<a class="dropdown-item text-danger" href="post.php?delete_api_key=<?php echo $api_key_id; ?>">Delete</a>
<a class="dropdown-item text-danger" href="post.php?delete_api_key=<?php echo $api_key_id; ?>">Revoke</a>
</div>
</div>
</td>
</tr>
<?php
include("api_key_edit_modal.php");
}

16
user_archive_modal.php Normal file
View File

@ -0,0 +1,16 @@
<div class="modal" id="archiveUserModal<?php echo $user_id; ?>" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-body">
<center class="mb-4">
<i class="far fa-10x fa-times-circle text-danger mb-3 mt-3"></i>
<h2>Are you sure?</h2>
<h6 class="mb-4 text-secondary">Do you really want to <b>archive <?php echo $user_name; ?></b>? This process cannot be undone.</h6>
<h6 class="mb-4 text-secondary"><?php echo $user_name ?> will no longer be able to login or use ITFlow, but all associated content will remain accessible.</h6>
<button type="button" class="btn btn-outline-secondary btn-lg px-5 mr-4" data-dismiss="modal">Cancel</button>
<a class="btn btn-danger btn-lg px-5" href="post.php?archive_user=<?php echo $user_id; ?>">Yes, archive!</a>
</center>
</div>
</div>
</div>
</div>