AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-02-28 02:44:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Completely renamed everything login to credential including tables added cascading deletion to the multi to multi tables

Browse Source
This commit is contained in:
johnnyq
2025-03-12 21:28:50 -04:00
parent c0db914213
commit e93704bbdb
32 changed files with 890 additions and 788 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
post/user/credential.php
View File

@@ -1,31 +1,31 @@
<?php
/*
* ITFlow - GET/POST request handler for client credentials (formerly logins)
* ITFlow - GET/POST request handler for client credentials
*/
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
if (isset($_POST['add_login'])) {
if (isset($_POST['add_credential'])) {
enforceUserPermission('module_credential', 2);
require_once 'post/user/credential_model.php';
mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_asset_id = $asset_id, login_client_id = $client_id");
mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_uri_2 = '$uri_2', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$otp_secret', credential_note = '$note', credential_important = $important, credential_contact_id = $contact_id, credential_asset_id = $asset_id, credential_client_id = $client_id");
$login_id = mysqli_insert_id($mysqli);
$credential_id = mysqli_insert_id($mysqli);
// Add Tags
if (isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO login_tags SET login_id = $login_id, tag_id = $tag");
mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag");
}
}
// Logging
logAction("Credential", "Create", "$session_name created credential $name", $client_id, $login_id);
logAction("Credential", "Create", "$session_name created credential $name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Credential <strong>$name</strong> created";
@@ -33,146 +33,146 @@ if (isset($_POST['add_login'])) {
}
if (isset($_POST['edit_login'])) {
if (isset($_POST['edit_credential'])) {
enforceUserPermission('module_credential', 2);
require_once 'post/user/credential_model.php';
$login_id = intval($_POST['login_id']);
$credential_id = intval($_POST['credential_id']);
// Determine if the password has actually changed (salt is rotated on all updates, so have to dencrypt both and compare)
$current_password = decryptLoginEntry(mysqli_fetch_row(mysqli_query($mysqli, "SELECT login_password FROM logins WHERE login_id = $login_id"))[0]); // Get current login password
$new_password = decryptLoginEntry($password); // Get the new password being set (already encrypted by the login model)
$current_password = decryptCredentialEntry(mysqli_fetch_row(mysqli_query($mysqli, "SELECT credential_password FROM credentials WHERE credential_id = $credential_id"))[0]); // Get current credential password
$new_password = decryptCredentialEntry($password); // Get the new password being set (already encrypted by the credential model)
if ($current_password !== $new_password) {
// The password has been changed - update the DB to track
mysqli_query($mysqli, "UPDATE logins SET login_password_changed_at = NOW() WHERE login_id = $login_id");
mysqli_query($mysqli, "UPDATE credentials SET credential_password_changed_at = NOW() WHERE credential_id = $credential_id");
}
// Update the login entry with the new details
mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_asset_id = $asset_id WHERE login_id = $login_id");
// Update the credential entry with the new details
mysqli_query($mysqli,"UPDATE credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_uri_2 = '$uri_2', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$otp_secret', credential_note = '$note', credential_important = $important, credential_contact_id = $contact_id, credential_asset_id = $asset_id WHERE credential_id = $credential_id");
// Tags
// Delete existing tags
mysqli_query($mysqli, "DELETE FROM login_tags WHERE login_id = $login_id");
mysqli_query($mysqli, "DELETE FROM credential_tags WHERE credential_id = $credential_id");
// Add new tags
if(isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO login_tags SET login_id = $login_id, tag_id = $tag");
mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag");
}
}
// Logging
logAction("Credential", "Edit", "$session_name edited credential $name", $client_id, $login_id);
logAction("Credential", "Edit", "$session_name edited credential $name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Login <strong>$name</strong> edited";
$_SESSION['alert_message'] = "Credential <strong>$name</strong> edited";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['archive_login'])){
if(isset($_GET['archive_credential'])){
enforceUserPermission('module_credential', 2);
$login_id = intval($_GET['archive_login']);
$credential_id = intval($_GET['archive_credential']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NOW() WHERE login_id = $login_id");
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id");
//logging
logAction("Credential", "Archive", "$session_name archived credential $login_name", $client_id, $login_id);
logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Credential <strong>$login_name</strong> archived";
$_SESSION['alert_message'] = "Credential <strong>$credential_name</strong> archived";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if(isset($_GET['unarchive_login'])){
if(isset($_GET['unarchive_credential'])){
enforceUserPermission('module_credential', 2);
$login_id = intval($_GET['unarchive_login']);
$credential_id = intval($_GET['unarchive_credential']);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NULL WHERE login_id = $login_id");
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");
//Logging
logAction("Credential", "Unarchive", "$session_name unarchived credential $login_name", $client_id, $login_id);
logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Credential <strong>$login_name</strong> restored";
$_SESSION['alert_message'] = "Credential <strong>$credential_name</strong> restored";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_GET['delete_login'])) {
if (isset($_GET['delete_credential'])) {
enforceUserPermission('module_credential', 3);
$login_id = intval($_GET['delete_login']);
$credential_id = intval($_GET['delete_credential']);
// Get Login Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
// Get Credential Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"DELETE FROM logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM credentials WHERE credential_id = $credential_id");
// Remove Relations
mysqli_query($mysqli,"DELETE FROM contact_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM service_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM software_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM vendor_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM contact_credentials WHERE credential_id = $credential_id");
mysqli_query($mysqli,"DELETE FROM service_credentials WHERE credential_id = $credential_id");
mysqli_query($mysqli,"DELETE FROM software_credentials WHERE credential_id = $credential_id");
mysqli_query($mysqli,"DELETE FROM vendor_credentials WHERE credential_id = $credential_id");
// Logging
logAction("Credential", "Delete", "$session_name deleted credential $login_name", $client_id);
logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id);
$_SESSION['alert_type'] = "error";
$_SESSION['alert_message'] = "Credential <strong>$login_name</strong> deleted";
$_SESSION['alert_message'] = "Credential <strong>$credential_name</strong> deleted";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_assign_login_tags'])) {
if (isset($_POST['bulk_assign_credential_tags'])) {
enforceUserPermission('module_credential', 2);
// Assign tags to Selected Credentials
if (isset($_POST['login_ids'])) {
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['login_ids']);
$count = count($_POST['credential_ids']);
foreach($_POST['login_ids'] as $login_id) {
$login_id = intval($login_id);
foreach($_POST['credential_ids'] as $credential_id) {
$credential_id = intval($credential_id);
// Get Contact Details for Logging
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
if($_POST['bulk_remove_tags']) {
// Delete tags if chosed to do so
mysqli_query($mysqli, "DELETE FROM login_tags WHERE login_id = $login_id");
mysqli_query($mysqli, "DELETE FROM credential_tags WHERE credential_id = $credential_id");
}
// Add new tags
@@ -180,15 +180,15 @@ if (isset($_POST['bulk_assign_login_tags'])) {
foreach($_POST['bulk_tags'] as $tag) {
$tag = intval($tag);
$sql = mysqli_query($mysqli,"SELECT * FROM login_tags WHERE login_id = $login_id AND tag_id = $tag");
$sql = mysqli_query($mysqli,"SELECT * FROM credential_tags WHERE credential_id = $credential_id AND tag_id = $tag");
if (mysqli_num_rows($sql) == 0) {
mysqli_query($mysqli, "INSERT INTO login_tags SET login_id = $login_id, tag_id = $tag");
mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag");
}
}
}
// Logging
logAction("Credential", "Edit", "$session_name added tags to $login_name", $client_id, $login_id);
logAction("Credential", "Edit", "$session_name added tags to $credential_name", $client_id, $credential_id);
$_SESSION['alert_message'] = "Assigned tags for <strong>$count</strong> credentials";
@@ -202,31 +202,31 @@ if (isset($_POST['bulk_assign_login_tags'])) {
}
if (isset($_POST['bulk_archive_logins'])) {
if (isset($_POST['bulk_archive_credentials'])) {
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['login_ids'])) {
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['login_ids']);
$count = count($_POST['credential_ids']);
// Cycle through array and archive each record
foreach ($_POST['login_ids'] as $login_id) {
foreach ($_POST['credential_ids'] as $credential_id) {
$login_id = intval($login_id);
$credential_id = intval($credential_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NOW() WHERE login_id = $login_id");
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id");
// Individual Contact logging
logAction("Credential", "Archive", "$session_name archived credential $login_name", $client_id, $login_id);
logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id);
}
// Bulk Logging
@@ -240,32 +240,32 @@ if (isset($_POST['bulk_archive_logins'])) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_unarchive_logins'])) {
if (isset($_POST['bulk_unarchive_credentials'])) {
enforceUserPermission('module_credential', 2);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['login_ids'])) {
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['login_ids']);
$count = count($_POST['credential_ids']);
// Cycle through array and unarchive
foreach ($_POST['login_ids'] as $login_id) {
foreach ($_POST['credential_ids'] as $credential_id) {
$login_id = intval($login_id);
$credential_id = intval($credential_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli,"UPDATE logins SET login_archived_at = NULL WHERE login_id = $login_id");
mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");
// Individual logging
logAction("Credential", "Unarchive", "$session_name unarchived credential $login_name", $client_id, $login_id);
logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id);
}
@@ -279,38 +279,38 @@ if (isset($_POST['bulk_unarchive_logins'])) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
if (isset($_POST['bulk_delete_logins'])) {
if (isset($_POST['bulk_delete_credentials'])) {
enforceUserPermission('module_credential', 3);
validateCSRFToken($_POST['csrf_token']);
if (isset($_POST['login_ids'])) {
if (isset($_POST['credential_ids'])) {
// Get Selected Credential Count
$count = count($_POST['login_ids']);
$count = count($_POST['credential_ids']);
// Cycle through array and delete each record
foreach ($_POST['login_ids'] as $login_id) {
foreach ($_POST['credential_ids'] as $credential_id) {
$login_id = intval($login_id);
$credential_id = intval($credential_id);
// Get Name and Client ID for logging and alert message
$sql = mysqli_query($mysqli,"SELECT login_name, login_client_id FROM logins WHERE login_id = $login_id");
$sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
$row = mysqli_fetch_array($sql);
$login_name = sanitizeInput($row['login_name']);
$client_id = intval($row['login_client_id']);
$credential_name = sanitizeInput($row['credential_name']);
$client_id = intval($row['credential_client_id']);
mysqli_query($mysqli, "DELETE FROM logins WHERE login_id = $login_id AND login_client_id = $client_id");
mysqli_query($mysqli, "DELETE FROM credentials WHERE credential_id = $credential_id AND credential_client_id = $client_id");
// Remove Relations
mysqli_query($mysqli,"DELETE FROM contact_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM service_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM software_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM vendor_logins WHERE login_id = $login_id");
mysqli_query($mysqli,"DELETE FROM contact_credentials WHERE credential_id = $credential_id");
mysqli_query($mysqli,"DELETE FROM service_credentials WHERE credential_id = $credential_id");
mysqli_query($mysqli,"DELETE FROM software_credentials WHERE credential_id = $credential_id");
mysqli_query($mysqli,"DELETE FROM vendor_credentials WHERE credential_id = $credential_id");
// Logging
logAction("Credential", "Delete", "$session_name deleted credential $login_name", $client_id);
logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id);
}
@@ -331,13 +331,13 @@ if (isset($_POST['export_credentials_csv'])) {
if (isset($_POST['client_id'])) {
$client_id = intval($_POST['client_id']);
$client_query = "AND login_client_id = $client_id";
$client_query = "AND credential_client_id = $client_id";
} else {
$client_query = '';
}
//get records from database
$sql = mysqli_query($mysqli,"SELECT * FROM logins LEFT JOIN clients ON client_id = login_client_id WHERE login_archived_at IS NULL $client_query ORDER BY login_name ASC");
$sql = mysqli_query($mysqli,"SELECT * FROM credentials LEFT JOIN clients ON client_id = credential_client_id WHERE credential_archived_at IS NULL $client_query ORDER BY credential_name ASC");
$row = mysqli_fetch_array($sql);
$num_rows = mysqli_num_rows($sql);
@@ -355,9 +355,9 @@ if (isset($_POST['export_credentials_csv'])) {
//output each row of the data, format line as csv and write to file pointer
while($row = mysqli_fetch_assoc($sql)){
$login_username = decryptLoginEntry($row['login_username']);
$login_password = decryptLoginEntry($row['login_password']);
$lineData = array($row['login_name'], $row['login_description'], $login_username, $login_password, $row['login_uri']);
$credential_username = decryptCredentialEntry($row['credential_username']);
$credential_password = decryptCredentialEntry($row['credential_password']);
$lineData = array($row['credential_name'], $row['credential_description'], $credential_username, $credential_password, $row['credential_uri']);
fputcsv($f, $lineData, $delimiter);
}
@@ -427,7 +427,7 @@ if (isset($_POST["import_credentials_csv"])) {
$duplicate_detect = 0;
if (isset($column[0])) {
$name = sanitizeInput($column[0]);
if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM logins WHERE login_name = '$name' AND login_client_id = $client_id")) > 0){
if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM credentials WHERE credential_name = '$name' AND credential_client_id = $client_id")) > 0){
$duplicate_detect = 1;
}
}
@@ -435,10 +435,10 @@ if (isset($_POST["import_credentials_csv"])) {
$description = sanitizeInput($column[1]);
}
if (isset($column[2])) {
$username = sanitizeInput(encryptLoginEntry($column[2]));
$username = sanitizeInput(encryptCredentialEntry($column[2]));
}
if (isset($column[3])) {
$password = sanitizeInput(encryptLoginEntry($column[3]));
$password = sanitizeInput(encryptCredentialEntry($column[3]));
}
if (isset($column[4])) {
$uri = sanitizeInput($column[4]);
@@ -447,7 +447,7 @@ if (isset($_POST["import_credentials_csv"])) {
// Check if duplicate was detected
if ($duplicate_detect == 0){
//Add
mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_username = '$username', login_password = '$password', login_client_id = $client_id");
mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_username = '$username', credential_password = '$password', credential_client_id = $client_id");
$row_count = $row_count + 1;
}else{
$duplicate_count = $duplicate_count + 1;

6
post/user/credential_model.php
View File

@@ -1,5 +1,5 @@
<?php
// Model of reusable variables for client credentials/logins - not to be confused with the ITFLow login process
// Model of reusable variables for client credentials - not to be confused with the ITFLow login process
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$client_id = intval($_POST['client_id']);
@@ -7,8 +7,8 @@ $name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$uri = sanitizeInput($_POST['uri']);
$uri_2 = sanitizeInput($_POST['uri_2']);
$username = encryptLoginEntry(trim($_POST['username']));
$password = encryptLoginEntry(trim($_POST['password']));
$username = encryptCredentialEntry(trim($_POST['username']));
$password = encryptCredentialEntry(trim($_POST['password']));
$otp_secret = sanitizeInput($_POST['otp_secret']);
$note = sanitizeInput($_POST['note']);
$important = intval($_POST['important'] ?? 0);