$name created"); redirect(); } if (isset($_POST['edit_credential'])) { enforceUserPermission('module_credential', 2); require_once 'credential_model.php'; $credential_id = intval($_POST['credential_id']); // Determine if the password has actually changed (salt is rotated on all updates, so have to dencrypt both and compare) $current_password = decryptCredentialEntry(mysqli_fetch_row(mysqli_query($mysqli, "SELECT credential_password FROM credentials WHERE credential_id = $credential_id"))[0]); // Get current credential password $new_password = decryptCredentialEntry($password); // Get the new password being set (already encrypted by the credential model) if ($current_password !== $new_password) { // The password has been changed - update the DB to track mysqli_query($mysqli, "UPDATE credentials SET credential_password_changed_at = NOW() WHERE credential_id = $credential_id"); } // Update the credential entry with the new details mysqli_query($mysqli,"UPDATE credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_uri_2 = '$uri_2', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$otp_secret', credential_note = '$note', credential_important = $important, credential_contact_id = $contact_id, credential_asset_id = $asset_id WHERE credential_id = $credential_id"); // Tags // Delete existing tags mysqli_query($mysqli, "DELETE FROM credential_tags WHERE credential_id = $credential_id"); // Add new tags if(isset($_POST['tags'])) { foreach($_POST['tags'] as $tag) { $tag = intval($tag); mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag"); } } logAction("Credential", "Edit", "$session_name edited credential $name", $client_id, $credential_id); flash_alert("Credential $name edited"); redirect(); } if(isset($_GET['archive_credential'])){ enforceUserPermission('module_credential', 2); $credential_id = intval($_GET['archive_credential']); // Get Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); $row = mysqli_fetch_array($sql); $credential_name = sanitizeInput($row['credential_name']); $client_id = intval($row['credential_client_id']); mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id"); logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id); flash_alert("Credential $credential_name archived", 'error'); redirect(); } if(isset($_GET['unarchive_credential'])){ enforceUserPermission('module_credential', 2); $credential_id = intval($_GET['unarchive_credential']); // Get Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); $row = mysqli_fetch_array($sql); $credential_name = sanitizeInput($row['credential_name']); $client_id = intval($row['credential_client_id']); mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id"); logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id); flash_alert("Credential $credential_name restored"); redirect(); } if (isset($_GET['delete_credential'])) { enforceUserPermission('module_credential', 3); $credential_id = intval($_GET['delete_credential']); // Get Credential Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); $row = mysqli_fetch_array($sql); $credential_name = sanitizeInput($row['credential_name']); $client_id = intval($row['credential_client_id']); mysqli_query($mysqli,"DELETE FROM credentials WHERE credential_id = $credential_id"); logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id); flash_alert("Credential $credential_name deleted", 'error'); redirect(); } if (isset($_POST['bulk_assign_credential_tags'])) { enforceUserPermission('module_credential', 2); // Assign tags to Selected Credentials if (isset($_POST['credential_ids'])) { // Get Selected Credential Count $count = count($_POST['credential_ids']); foreach($_POST['credential_ids'] as $credential_id) { $credential_id = intval($credential_id); // Get Contact Details for Logging $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); $row = mysqli_fetch_array($sql); $credential_name = sanitizeInput($row['credential_name']); $client_id = intval($row['credential_client_id']); if($_POST['bulk_remove_tags']) { // Delete tags if chosed to do so mysqli_query($mysqli, "DELETE FROM credential_tags WHERE credential_id = $credential_id"); } // Add new tags if (isset($_POST['bulk_tags'])) { foreach($_POST['bulk_tags'] as $tag) { $tag = intval($tag); $sql = mysqli_query($mysqli,"SELECT * FROM credential_tags WHERE credential_id = $credential_id AND tag_id = $tag"); if (mysqli_num_rows($sql) == 0) { mysqli_query($mysqli, "INSERT INTO credential_tags SET credential_id = $credential_id, tag_id = $tag"); } } } logAction("Credential", "Edit", "$session_name added tags to $credential_name", $client_id, $credential_id); flash_alert("Assigned tags for $count credentials"); } // End Assign Loop logAction("Credential", "Bulk Edit", "$session_name added tags to $count credentials", $client_id); } redirect(); } if (isset($_POST['bulk_archive_credentials'])) { validateCSRFToken($_POST['csrf_token']); enforceUserPermission('module_credential', 2); if (isset($_POST['credential_ids'])) { // Get Selected Credential Count $count = count($_POST['credential_ids']); // Cycle through array and archive each record foreach ($_POST['credential_ids'] as $credential_id) { $credential_id = intval($credential_id); // Get Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); $row = mysqli_fetch_array($sql); $credential_name = sanitizeInput($row['credential_name']); $client_id = intval($row['credential_client_id']); mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NOW() WHERE credential_id = $credential_id"); logAction("Credential", "Archive", "$session_name archived credential $credential_name", $client_id, $credential_id); } logAction("Credential", "Bulk Archive", "$session_name archived $count credentials", $client_id); flash_alert("Archived $count credential(s)", 'error'); } redirect(); } if (isset($_POST['bulk_unarchive_credentials'])) { validateCSRFToken($_POST['csrf_token']); enforceUserPermission('module_credential', 2); if (isset($_POST['credential_ids'])) { // Get Selected Credential Count $count = count($_POST['credential_ids']); // Cycle through array and unarchive foreach ($_POST['credential_ids'] as $credential_id) { $credential_id = intval($credential_id); // Get Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); $row = mysqli_fetch_array($sql); $credential_name = sanitizeInput($row['credential_name']); $client_id = intval($row['credential_client_id']); mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id"); logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id); } logAction("Credential", "Bulk Unarchive", "$session_name unarchived $count credential(s)", $client_id); flash_alert("Unarchived $count credential(s)"); } redirect(); } if (isset($_POST['bulk_delete_credentials'])) { validateCSRFToken($_POST['csrf_token']); enforceUserPermission('module_credential', 3); if (isset($_POST['credential_ids'])) { // Get Selected Credential Count $count = count($_POST['credential_ids']); // Cycle through array and delete each record foreach ($_POST['credential_ids'] as $credential_id) { $credential_id = intval($credential_id); // Get Name and Client ID for logging and alert message $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id"); $row = mysqli_fetch_array($sql); $credential_name = sanitizeInput($row['credential_name']); $client_id = intval($row['credential_client_id']); mysqli_query($mysqli, "DELETE FROM credentials WHERE credential_id = $credential_id AND credential_client_id = $client_id"); logAction("Credential", "Delete", "$session_name deleted credential $credential_name", $client_id); } logAction("Credential", "Bulk Delete", "$session_name deleted $count credential(s)", $client_id); flash_alert("Deleted $count credential(s)", 'error'); } redirect(); } if (isset($_POST['export_credentials_csv'])) { enforceUserPermission('module_credential'); if ($_POST['client_id']) { $client_id = intval($_POST['client_id']); $client_query = "AND credential_client_id = $client_id"; $client_name = getFieldById('clients', $client_id, 'client_name'); $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; $file_name_prepend = "$session_company_name-"; } //get records from database $sql = mysqli_query($mysqli,"SELECT * FROM credentials LEFT JOIN clients ON client_id = credential_client_id WHERE credential_archived_at IS NULL $client_query ORDER BY credential_name ASC"); $num_rows = mysqli_num_rows($sql); if ($num_rows > 0) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash $filename = sanitize_filename($file_name_prepend . "Credentials-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); //set column headers $fields = array('Name', 'Description', 'Username', 'Password', 'TOTP', 'URI'); fputcsv($f, $fields, $delimiter, $enclosure, $escape); //output each row of the data, format line as csv and write to file pointer while($row = mysqli_fetch_assoc($sql)){ $credential_username = decryptCredentialEntry($row['credential_username']); $credential_password = decryptCredentialEntry($row['credential_password']); $lineData = array($row['credential_name'], $row['credential_description'], $credential_username, $credential_password, $row['credential_otp_secret'], $row['credential_uri']); fputcsv($f, $lineData, $delimiter, $enclosure, $escape); } //move back to beginning of file fseek($f, 0); //set headers to download file rather than displayed header('Content-Type: text/csv'); header('Content-Disposition: attachment; filename="' . $filename . '";'); //output all remaining data on a file pointer fpassthru($f); } logAction("Credential", "Export", "$session_name exported $num_rows credential(s) to a CSV file", $client_id); exit; } if (isset($_POST["import_credentials_csv"])) { enforceUserPermission('module_credential', 2); $client_id = intval($_POST['client_id']); $error = false; if (!empty($_FILES["file"]["tmp_name"])) { $file_name = $_FILES["file"]["tmp_name"]; } else { flash_alert("Please select a file to upload.", 'error'); redirect(); } //Check file is CSV $file_extension = strtolower(end(explode('.',$_FILES['file']['name']))); $allowed_file_extensions = array('csv'); if (in_array($file_extension,$allowed_file_extensions) === false){ $error = true; flash_alert("Bad file extension", 'error'); } //Check file isn't empty elseif ($_FILES["file"]["size"] < 1){ $error = true; flash_alert("Bad file size (empty?)", 'error'); } //(Else)Check column count $f = fopen($file_name, "r"); $f_columns = fgetcsv($f, 1000, ","); if (!$error & count($f_columns) != 6) { $error = true; flash_alert("Bad column count.", 'error'); } //Else, parse the file if (!$error){ $file = fopen($file_name, "r"); fgetcsv($file, 1000, ","); // Skip first line $row_count = 0; $duplicate_count = 0; while(($column = fgetcsv($file, 1000, ",")) !== false){ $duplicate_detect = 0; // Name if (isset($column[0])) { $name = sanitizeInput($column[0]); if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM credentials WHERE credential_name = '$name' AND credential_client_id = $client_id")) > 0){ $duplicate_detect = 1; } } // Desc if (isset($column[1])) { $description = sanitizeInput($column[1]); } // User if (isset($column[2])) { $username = sanitizeInput(encryptCredentialEntry($column[2])); } // Pass if (isset($column[3])) { $password = sanitizeInput(encryptCredentialEntry($column[3])); } // OTP if (isset($column[4])) { $totp = sanitizeInput($column[4]); } // URL if (isset($column[4])) { $uri = sanitizeInput($column[5]); } // Check if duplicate was detected if ($duplicate_detect == 0){ //Add mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$totp', credential_client_id = $client_id"); $row_count = $row_count + 1; } else { $duplicate_count = $duplicate_count + 1; } } fclose($file); logAction("Credential", "Import", "$session_name imported $row_count credential(s) via CSV file. $duplicate_count duplicate(s) found and not imported", $client_id); flash_alert("$row_count credential(s) imported, $duplicate_count duplicate(s) detected and not imported", 'warning'); redirect(); } //Check for any errors, if there are notify user and redirect if ($error) { redirect(); } } if (isset($_GET['download_credentials_csv_template'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; $filename = "Credentials-Template.csv"; //create a file pointer $f = fopen('php://memory', 'w'); //set column headers $fields = array('Name', 'Description', 'Username', 'Password', 'TOTP', 'URI'); fputcsv($f, $fields, $delimiter, $enclosure, $escape); //move back to beginning of file fseek($f, 0); //set headers to download file rather than displayed header('Content-Type: text/csv'); header('Content-Disposition: attachment; filename="' . $filename . '";'); //output all remaining data on a file pointer fpassthru($f); exit; }