From 3182cb0b3c4705f3d2a85fd7485ea580daacbf1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”> Date: Sat, 22 Feb 2025 23:45:27 +0100 Subject: [PATCH] CMXX - Consumer identity --- api/v2/get/consumer_identity.php | 110 ++++++++++++++ api/v2/get/translations.php | 6 +- api/v2/post/consumer_identity.php | 215 +++++++++++++++++++++++++++ api/v2/post/translations_details.php | 1 - api/v2/post/users.php | 26 +++- assets/functions.php | 20 ++- settings/settingsmenu.php | 6 + settings/settingsprofiles.php | 4 +- settings/settingsviews.php | 3 +- translation_manage.php | 6 +- 10 files changed, 381 insertions(+), 16 deletions(-) create mode 100644 api/v2/get/consumer_identity.php create mode 100644 api/v2/post/consumer_identity.php diff --git a/api/v2/get/consumer_identity.php b/api/v2/get/consumer_identity.php new file mode 100644 index 0000000..0a59a06 --- /dev/null +++ b/api/v2/get/consumer_identity.php 
@@ -0,0 +1,110 @@ +soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} + +//default whereclause +list($whereclause,$condition) = getWhereclause('',$permission,$partner,'get'); + +//NEW ARRAY +$criterias = []; +$clause = ''; + +//Check for $_GET variables and build up clause +if(isset($get_content) && $get_content!=''){ + //GET VARIABLES FROM URL + $requests = explode("&", $get_content); + //Check for keys and values + foreach ($requests as $y){ + $v = explode("=", $y); + //INCLUDE VARIABLES IN ARRAY + $criterias[$v[0]] = $v[1]; + + if ($v[0] == 'page' || $v[0] =='p' || $v[0] =='totals' || $v[0] =='success_msg'){ + //do nothing + } + elseif ($v[0] == 'search') { + //build up search + $clause .= ' AND email like :'.$v[0]; + } + elseif ($v[0] == 'partnerid') { + //check accounthierarchy related users + $clause .= ' AND accounthierarchy like :'.$v[0]; + } + else {//create clause + $clause .= ' AND '.$v[0].' = :'.$v[0]; + } + } + if ($whereclause == '' && $clause !=''){ + $whereclause = 'WHERE '.substr($clause, 4); + } else { + $whereclause .= $clause; + } +} + +if(isset($criterias['totals']) && $criterias['totals'] ==''){ +//Request for total rows + $sql = 'SELECT count(*) as count from consumer_identity '.$whereclause.''; +} +else { + //SQL for Paging + $sql = 'SELECT id,email,profile,first_name,last_name,address_street,address_city,address_state,address_zip,address_country,registered,address_phone,lastlogin,userkey,language,login_count,created,createdby,updated,updatedby,accounthierarchy FROM consumer_identity '.$whereclause.' 
ORDER BY lastlogin DESC LIMIT :page,:num_products'; +} + +$stmt = $pdo->prepare($sql); + +//Bind to query +if (str_contains($whereclause, ':condition')){ + $stmt->bindValue('condition', $condition, PDO::PARAM_STR); +} + +if (!empty($criterias)){ + foreach ($criterias as $key => $value){ + $key_condition = ':'.$key; + if (str_contains($whereclause, $key_condition)){ + if ($key == 'search'){ + $search_value = '%'.$value.'%'; + $stmt->bindValue($key, $search_value, PDO::PARAM_STR); + } + elseif ($key == 'partnerid'){ + $search_value = '%"_"'.$value.'-%'; + $stmt->bindValue($key, $search_value, PDO::PARAM_STR); + } + else { + $stmt->bindValue($key, $value, PDO::PARAM_STR); + } + } + } +} + +//Add paging details +if(isset($criterias['totals']) && $criterias['totals']==''){ + $stmt->execute(); + $messages = $stmt->fetch(); + $messages = $messages[0]; +} +else { + $current_page = isset($criterias['p']) && is_numeric($criterias['p']) ? (int)$criterias['p'] : 1; + $stmt->bindValue('page', ($current_page - 1) * $page_rows_users, PDO::PARAM_INT); + $stmt->bindValue('num_products', $page_rows_users, PDO::PARAM_INT); + //Excute Query + $stmt->execute(); + //Get results + $messages = $stmt->fetchAll(PDO::FETCH_ASSOC); +} + +//------------------------------------------ +//JSON_ENCODE +//------------------------------------------ +$messages = json_encode($messages, JSON_UNESCAPED_UNICODE); + +//Send results +echo $messages; diff --git a/api/v2/get/translations.php b/api/v2/get/translations.php index da4a919..f56cf0f 100644 --- a/api/v2/get/translations.php +++ b/api/v2/get/translations.php @@ -14,7 +14,7 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el //default whereclause $whereclause = ''; -list($whereclause,$condition) = getWhereclause('',$permission,$partner,'get'); +list($whereclause,$condition) = getWhereclause('text_variables',$permission,$partner,'get'); //NEW ARRAY $criterias = []; 
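Review bot: The final `else` of the GET-parsing loop writes the request key itself into the query, `$clause .= ' AND '.$v[0].' = :'.$v[0];`, so whoever controls the query string chooses the column expression and only the value side is bound; the key should be checked against a fixed list of the columns this endpoint is meant to filter on (for example `$allowed = ['email', 'profile', 'address_country'];`, drawn from the SELECT list below) and unknown keys rejected before anything is appended. `explode("=", $y)` on a parameter without `=` leaves `$v[1]` undefined, and neither key nor value is url-decoded, so a `search` containing `%` or `+` is bound as typed. The same key-as-column pattern appears in the POST loop of api/v2/post/consumer_identity.php and, per its context lines, in api/v2/post/users.php. The hunk's first line starts mid-statement (`+soldto) || …`), so the file's opening — where `$get_content`, `$permission` and `$page_rows_users` come from — is not visible here.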
@@ -53,13 +53,13 @@ if(isset($get_content) && $get_content!=''){ //Define Query if(isset($criterias['totals']) && $criterias['totals'] ==''){ //Request for total rows - $sql = 'SELECT count(*) as count FROM text_variables '.$whereclause.''; + $sql = 'SELECT count(*) as count FROM text_variables tv '.$whereclause.''; } elseif (isset($criterias['generatefile']) && $criterias['generatefile'] !=''){ $sql = 'SELECT tv.variable,tvt.translation FROM text_variables tv JOIN text_variables_translations tvt ON tv.rowID = tvt.variable_ID '.$whereclause.''; } else { //SQL for Paging - $sql = 'SELECT * FROM text_variables '.$whereclause.' LIMIT :page,:num_products'; + $sql = 'SELECT * FROM text_variables tv '.$whereclause.' LIMIT :page,:num_products'; } $stmt = $pdo->prepare($sql); diff --git a/api/v2/post/consumer_identity.php b/api/v2/post/consumer_identity.php new file mode 100644 index 0000000..9b8dd55 --- /dev/null +++ b/api/v2/post/consumer_identity.php 
@@ -0,0 +1,215 @@ +soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} + +//default whereclause +list($whereclause,$condition) = getWhereclause('',$permission,$partner,''); + + + +//SET PARAMETERS FOR QUERY +$id = (isset($post_content['userkey'])) ? $post_content['userkey']: ''; //check for rowID +$command = ($id == '')? 'insert' : 'update'; //IF rowID = empty then INSERT +if (isset($post_content['delete'])){$command = 'delete';} //change command to delete +if (isset($post_content['reset'])){$command = 'reset';} //change command to reset +if (isset($post_content['login'], $post_content['email'], $post_content['password'])){$command = 'login';}//change command to login +$date = date('Y-m-d H:i:s'); + +//CREATE EMPTY STRINGS +$clause = ''; +$clause_insert =''; +$input_insert = ''; + +//BUILD UP PARTNERHIERARCHY FROM INTERFACE USER +$partner_product = json_encode(array("salesid"=>$partner->salesid,"soldto"=>$partner->soldto), JSON_UNESCAPED_UNICODE); + +//FIXED VARIABLES +$post_content['updatedby'] = $userrname; //initial = interface user +$post_content['accounthierarchy'] = $partner_product; // related to interface user +$post_content['userkey'] = bin2hex(random_bytes(25)); +//Create or update resetkey +$headers = array('alg'=>'HS256','typ'=>'JWT'); +$payload = array('key'=> bin2hex(random_bytes(25)), 'exp'=>(time() + 1800)); +$resetkey = generate_jwt($headers, $payload); + +//GET EXISTING CONSUMER DATA +if ($id != '' && $command == 'reset'){ + + //STEP 1 - Get username + $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE userkey = ?'); + $stmt->execute([$id]); + $consumer_data = $stmt->fetch(); + + //STEP 2- Store resetkey + $sql = 'UPDATE users SET resetkey = ?, updatedby = ? WHERE id = ? 
'.$whereclause.''; + $stmt = $pdo->prepare($sql); + $stmt->execute([$resetkey,$post_content['updatedby'],$id]); + + //STEP 3 - Send DATA BACK TO FRONT_END + $messages = json_encode(array('consumer_email'=> $consumer_data['email'], "resetkey" => $resetkey), JSON_UNESCAPED_UNICODE); + //Send results + echo $messages; + exit; +} + +//ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE +if ($command == 'update'){ + //Define Query + $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE userkey = ?'); + $stmt->execute([$id]); + $consumer_data = $stmt->fetch(); + + $post_content['updatedby'] = $consumer_data['email']; + + if (isset($post_content['password'])){ + $post_content['password'] = password_hash($password, PASSWORD_DEFAULT); + } + +} +elseif ($command == 'insert'){ + $post_content['password'] = bin2hex(random_bytes(25)); //generate initial password + $post_content['language'] = isset($post_content['language']) ? $post_content['language'] : 'US'; +} +elseif ($command == 'login'){ + + //SETUP SQL FOR LOGIN_COUNT + $sql_login = 'UPDATE consumer_identity SET login_count = ? 
WHERE id = ?'; + + // Check if the account exists + $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE email = ?'); + $stmt->execute([ $post_content['email'] ]); + $account = $stmt->fetch(PDO::FETCH_ASSOC); + + if (count($account) != 0){ + + //CHECK NUMBER OF LOGIN ATTEMPTS IS BELOW 5 + if($user_data['login_count'] < 5){ + // If account exists verify password + if ($account && password_verify($post_content['password'], $account['password'])) { + + //CONSUMER LOGIN CORRECT RETURN DATA + $consumer = array( + 'accountID' => $account['userkey'], + 'profile' => $account['profile'] + ); + + //Reset login count after succesfull attempt + $login_attempt = 0; + + $stmt_login = $pdo->prepare($sql_login); + $stmt_login->execute([$login_attempt, $account['id']]); + + //Encrypt results + $messages = json_encode($consumer, JSON_UNESCAPED_UNICODE); + //Send results + echo $messages; + exit; + } + else { + //Update Login count with failed attempt + $login_attempt = $account['login_count'] + 1; + $stmt_login = $pdo->prepare($sql_login); + $stmt_login->execute([$login_attempt, $account['id']]); + //Send Response + http_response_code(403); //Not authorized + exit; + } + } + else { + //User is blocked & send error + $messages = '1'; + //------------------------------------------ + //Send results + //------------------------------------------ + echo $messages; + exit; + } + } +} +else { + //do nothing +} + +//CREAT NEW ARRAY AND MAP TO CLAUSE +if(isset($post_content) && $post_content!=''){ + foreach ($post_content as $key => $var){ + if ($key == 'submit' || $key == 'id'){ + //do nothing + } + else { + $criterias[$key] = $var; + $clause .= ' , '.$key.' = ?'; + $clause_insert .= ' , '.$key.''; + $input_insert .= ', ?'; // ? 
for each insert item + $execute_input[]= $var; // Build array for input + } + } +} + +//CLEAN UP INPUT +$clause = substr($clause, 2); //Clean clause - remove first comma +$clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma +$input_insert = substr($input_insert, 1); //Clean clause - remove first comma + +//QUERY AND VERIFY ALLOWED +if ($command == 'update' && (isAllowed('consumer_identity',$profile,$permission,'U') === 1)){ + $sql = 'UPDATE consumer_identity SET '.$clause.' WHERE userkey = ? '.$whereclause.''; + + $execute_input[] = $id; + $stmt = $pdo->prepare($sql); + $stmt->execute($execute_input); + +} +elseif ($command == 'insert' && isAllowed('',$profile,$permission,'C') === 1){ + + //check if consumer_identity exists + $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE email = ?'); + $stmt->execute([$post_content['email']]); + $consumer_exist = $stmt->fetch(); + + $exists = (isset($consumer_exist['email']))? 1 : 0; + if($consumer_exist == 0 ){ + $sql = 'INSERT INTO consumer_identity ('.$clause_insert.') VALUES ('.$input_insert.')'; + $stmt = $pdo->prepare($sql); + $stmt->execute($execute_input); + + //STEP 2- Send to user + $messages = json_encode(array('consumer_email'=> $post_content['email'], "resetkey" => $resetkey), JSON_UNESCAPED_UNICODE); + //Send results + echo $messages; + exit; + } else { + //------------------------------------------ + //JSON_ENCODE + //------------------------------------------ + $messages = json_encode($exists, JSON_UNESCAPED_UNICODE); + + //Send results + echo $messages; + } +} +elseif ($command == 'delete' && isAllowed('consumer_identity',$profile,$permission,'D') === 1){ + //delete equipment + $stmt = $pdo->prepare('DELETE FROM consumer_identity WHERE userkey = ? '.$whereclause.''); + $stmt->execute([ $id ]); + + //Add deletion to changelog + changelog($dbname,'consumer_identity',$id,'Delete','Delete',$consumername); +} else +{ + //do nothing +} + + +?> \ No newline at end of file 
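Review bot: The login branch reads `$user_data['login_count']`, which is never assigned in this file, so the comparison with 5 is always true and the attempt limit never engages; it must read `$account['login_count']`, and `count($account)` must not run when `fetch()` returned `false` for an unknown email, since `count(false)` throws on PHP 8 instead of answering 403 (rewrite below). In the update branch `password_hash($password, PASSWORD_DEFAULT)` hashes an undefined variable, so the hash of an empty string is stored; `$post_content['password']` is the intended argument, and the users.php hunk at @@ -134 has the same line. The `reset` step updates `users … WHERE id = ?` with the consumer's `userkey`, which looks like it should be `consumer_identity … WHERE userkey = ?`, and the `$resetkey` returned on insert is not written to the consumer row anywhere in this hunk, so it cannot be verified later unless another component stores it. The insert branch checks `isAllowed('', …)` instead of `'consumer_identity'`, so page access is not verified for creation, and the generated initial password is inserted unhashed, which is presumably meant to force a reset but deserves a comment. The POST loop copies every key into the SQL as a column name, so an allow-list of columns is needed here as in the GET endpoint; the hunk's first line is truncated (`+soldto) || …`), so the file's opening is not visible.
```php
    $account = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown email and wrong password answer alike, so the response does not reveal which addresses exist
    if ($account === false) {
        http_response_code(403);
        exit;
    }

    //CHECK NUMBER OF LOGIN ATTEMPTS IS BELOW 5 - read the count from the row just fetched
    if ((int)$account['login_count'] < 5){
        if (password_verify($post_content['password'], $account['password'])) {
            // … unchanged: reset login_count, return accountID/profile …
        }
        else {
            // … unchanged: increment login_count, 403 …
        }
    }
    else {
        // … unchanged: blocked-user response …
    }
```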
diff --git a/api/v2/post/translations_details.php b/api/v2/post/translations_details.php index ca784e3..ffb7c7d 100644 --- a/api/v2/post/translations_details.php +++ b/api/v2/post/translations_details.php @@ -70,7 +70,6 @@ if ($command == 'update' && isAllowed('translation_manage',$profile,$permission, $sql = 'UPDATE text_variables_translations SET '.$clause.' WHERE rowID = ? '.$whereclause.''; $execute_input[] = $id; $stmt = $pdo->prepare($sql); - $stmt->debugDumpParams(); $stmt->execute($execute_input); } diff --git a/api/v2/post/users.php b/api/v2/post/users.php index 8455f65..1bb09ef 100644 --- a/api/v2/post/users.php +++ b/api/v2/post/users.php @@ -17,7 +17,6 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el //default whereclause list($whereclause,$condition) = getWhereclause('profile',$permission,$partner,''); - //SET PARAMETERS FOR QUERY $id = (isset($post_content['id'])) ? $post_content['id']: ''; //check for rowID $command = ($id == '')? 'insert' : 'update'; //IF rowID = empty then INSERT @@ -134,6 +133,9 @@ $post_content['userkey'] = (isset($post_content['userkey']) && $post_content['us //ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE if ($command == 'update'){ + if (isset($post_content['password'])){ + $post_content['password'] = password_hash($password, PASSWORD_DEFAULT); + } $post_content['partnerhierarchy'] = $accounthierarchy; } elseif ($command == 'insert'){ 
@@ -147,6 +149,28 @@ else { //do nothing } +//+++++++++++++++++++++++++++++++++++++++++++++ +//RESET VIEW/PERMISSION BASED ON USER PERMISSION +//+++++++++++++++++++++++++++++++++++++++++++++ +if($post_content['view']){ + switch ($permission) { + case '4': + //ADMIN+ no override + break; + case '3': + //ADMINS cannot set ADMIN+ => reset to admin + $post_content['view'] = ($post_content['view'] == 5) ? 4 : $post_content['view']; + break; + default: + //OTHERS CANNOT SET HIGHER -> IF SET THEN MANIPULATION EXPECTED -> SET USER to READONLY + $post_content['view'] = ($post_content['view'] == 4 || $post_content['view'] == 5) ? 3 : $post_content['view']; + break; + } +} +//+++++++++++++++++++++++++++++++++++++++++++++ +//+++++++++++++++++++++++++++++++++++++++++++++ + + //CREAT NEW ARRAY AND MAP TO CLAUSE if(isset($post_content) && $post_content!=''){ foreach ($post_content as $key => $var){ diff --git a/assets/functions.php b/assets/functions.php index c6e8976..6bc221d 100644 --- a/assets/functions.php +++ b/assets/functions.php @@ -700,11 +700,12 @@ function getWhereclause($table_name,$permission,$partner,$method){ //api_name converter to table $table =[ "equipment" => "e.accounthierarchy", - "profile" => "partnerhierarchy" + "profile" => "partnerhierarchy", + "text_variables" => "tv.accounthierarchy" ]; $table = ($table_name != '') ? $table[$table_name] : 'accounthierarchy'; - $type = ($method == 'get') ? 'WHERE ' : ''; + $type = ($method == 'get') ? 'WHERE ' : ' AND '; //SoldTo is empty if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} 
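Review bot: `if($post_content['view'])` raises an undefined-index warning when the POST body carries no `view` and skips the clamp for a view of `0`/`'0'`; `if (isset($post_content['view']))` is the guard that matches the intent. The default case lowers 4 and 5 to 3 but does not stop a lower-permission caller from assigning 3 itself — whether 3 exceeds their own rights depends on the view scale, which this hunk does not show, so clamping against `$permission` rather than fixed constants would be more robust than the two hard-coded cases. The comment says manipulation is expected on this path, yet the override is silent; the `changelog()` helper called in the post/consumer_identity.php hunk could record the requested and applied values so such attempts are visible. The enclosing file continues past the hunk, which ends at the head of the `foreach` that builds the SQL clause.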
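Review bot: Changing the non-get prefix to `' AND '` makes every caller that appends the clause to a `?`-parameterised UPDATE/DELETE depend on the rest of this function not emitting the named `:condition` placeholder the GET endpoints bind, because PDO rejects statements that mix named and positional markers; the body that builds the clause lies outside the hunk, so this is worth confirming against a permission level that actually produces a condition. The new `"text_variables" => "tv.accounthierarchy"` entry ties the function to the alias used in api/v2/get/translations.php; a comment on the map, `// keys are API names; values must match the alias used in that endpoint's FROM clause`, would make the coupling explicit. `$table[$table_name]` still has no fallback for a name missing from the map, which yields a null column and a malformed clause rather than an error.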
@@ -752,7 +753,7 @@ function getWhereclauselvl2($table_name,$permission,$partner,$method){ ]; $table = ($table_name != '') ? $table[$table_name] : 'accounthierarchy'; - $type = ($method == 'get') ? 'WHERE ' : ''; + $type = ($method == 'get') ? 'WHERE ' : ' AND '; //SoldTo is empty if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} @@ -818,8 +819,8 @@ function getProfile($profile, $permission){ $user_permission = ${'permission_'.$permission}; //CHECK ALLOWED - $page_action = str_contains($user_permission,$action) > 0 ? 1 : 0; - $page_access = str_contains($profile,$page) > 0 ? 1 : 0; + $page_action = str_contains($user_permission,$action) > 0 ? 1 : 0; //CHECK IF USER IS ALLOWED TODO THE ACTION + $page_access = str_contains($profile,$page) > 0 ? 1 : 0; //CHECK USER IS ALLOWED TO ACCESS PAGE //RETURN CODE if ($page_access == 1 && $page_action == 1){ @@ -920,6 +921,15 @@ function getPartnerName($str){ return $str2; } } + +//------------------------------------------ +// GET ID of Partner +//------------------------------------------ +function getPartnerID($str){ + $partner_id = explode("-",$str) ?? ''; + return $partner_id[0]; +} + //------------------------------------------ // overview Indicators //------------------------------------------ diff --git a/settings/settingsmenu.php b/settings/settingsmenu.php index 860df6c..b47c0de 100644 --- a/settings/settingsmenu.php +++ b/settings/settingsmenu.php @@ -46,6 +46,12 @@ $main_menu = [ "selected" => "orders", "icon" => "fas fa-tachometer-alt", "name" => "menu_sales_orders" + ], + "consumer_identity" => [ + "url" => "consumer_identity", + "selected" => "consumer_identity", + "icon" => "fas fa-tachometer-alt", + "name" => "menu_consumer_identity" ] ], "buildtool" => [ diff --git a/settings/settingsprofiles.php b/settings/settingsprofiles.php index 6cc953b..9018c69 100644 --- a/settings/settingsprofiles.php +++ b/settings/settingsprofiles.php 
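Review bot: In the new `getPartnerID`, `explode("-",$str) ?? ''` is a dead fallback — `explode()` returns an array (or throws on an empty separator), never null — so the `?? ''` suggests a guard that is not actually there; `function getPartnerID(string $str): string { return explode('-', $str, 2)[0]; }` states the contract and stops splitting after the first dash. A one-line comment on the expected input shape (presumably the `id-name` form that `getPartnerName` above also splits — confirm) would help the next reader. The change to `getWhereclauselvl2` at @@ -752 mirrors the one at @@ -700 and inherits the same question about mixing its placeholder with positional parameters.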
@@ -6,11 +6,11 @@ define('superuser_profile','dashboard,profile,assets,equipments,equipment,equipm /*Admin*/ define('admin_profile','dashboard,profile,buildtool,sales,accounts,account,contracts,contract,contract_manage,cartests,cartest,cartest_manage,assets,equipments,equipment,equipment_healthindex,equipment_data,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,rmas,rma,rma_manage,rma_history,rma_history_manage,buildtool,products,products_versions,products_software,product,product_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,communications,communication,communication_send,marketing,reporting,report_build,report_contracts_billing,report_healthindex,changelog,application'); /*AdminPlus*/ -define('adminplus_profile','dashboard,profile,buildtool,sales,accounts,account,contracts,contract,contract_manage,billing,cartests,cartest,cartest_manage,assets,equipments,equipment,equipment_healthindex,equipment_data,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,rmas,rma,rma_manage,rma_history,rma_history_manage,buildtool,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,communications,communication,communication_send,marketing,reporting,report_build,report_contracts_billing,report_healthindex,report_usage,config,settings,logfile,changelog,language,translations,translations_details,translation_manage,media,media_manage,application,maintenance,uploader,profiles,vin,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders'); 
+define('adminplus_profile','dashboard,profile,buildtool,sales,accounts,account,contracts,contract,contract_manage,billing,cartests,cartest,cartest_manage,assets,equipments,equipment,equipment_healthindex,equipment_data,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,rmas,rma,rma_manage,rma_history,rma_history_manage,buildtool,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,communications,communication,communication_send,marketing,reporting,report_build,report_contracts_billing,report_healthindex,report_usage,config,settings,logfile,changelog,language,translations,translations_details,translation_manage,media,media_manage,application,maintenance,uploader,profiles,vin,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders,consumer_identity'); /*Build*/ define('build','dashboard,profile,buildtool,firmwaretool,buildtool,products_software,application'); /*Commerce*/ -define('commerce','dashboard,profile,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,admin,partners,partner,users,user,user_manage,translations,translations_details,translation_manage,media,media_manage,application,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders'); 
+define('commerce','dashboard,profile,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,admin,partners,partner,users,user,user_manage,translations,translations_details,translation_manage,media,media_manage,application,uploader,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders,consumer_identity'); /*Distribution*/ define('distribution','dashboard,profile,assets,equipments,equipment,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,products,products_versions,products_software,product,product_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,marketing,application'); /*Firmware*/ diff --git a/settings/settingsviews.php b/settings/settingsviews.php index a0425f0..f99f79e 100644 --- a/settings/settingsviews.php +++ b/settings/settingsviews.php @@ -96,7 +96,8 @@ $all_views = [ "transactions_items", "invoice", "order", - "orders" + "orders", + "consumer_identity" ]; ?> \ No newline at end of file diff --git a/translation_manage.php b/translation_manage.php index f3dcbd0..85014ca 100644 --- a/translation_manage.php +++ b/translation_manage.php @@ -84,7 +84,7 @@ if (isset($_GET['rowID'])) { //GET ALL POST DATA $payload = json_encode($attr, JSON_UNESCAPED_UNICODE); - var_dump($payload); + //API call $responses = ioServer('/v2/translations_details', $payload); @@ -104,8 +104,8 @@ if (isset($_GET['rowID'])) { } } - //header('Location: index.php?page=translation_manage&rowID='.$_GET['rowID'].''); - //exit; + header('Location: index.php?page=translation_manage&rowID='.$_GET['rowID'].''); + exit; } }
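Review bot: Besides `consumer_identity`, the `commerce` profile also gains `uploader`, which the subject line does not mention; if that is intended it deserves its own line in the commit message, otherwise it widens that profile's page access beyond the feature being added. `admin_profile` at the top of the hunk is left without `consumer_identity`, so admins will not see the new page while adminplus and commerce do — worth confirming that is the intended split. These defines are the allow-list that `isAllowed()` consults via `str_contains($profile,$page)` (visible in the functions.php hunk at @@ -818), so a page name that is a substring of another, such as `order` inside `orders`, already passes; exact-token matching would make additions like this one safer, though that change is outside this hunk.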
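Review bot: The re-enabled redirect at @@ -104 places `$_GET['rowID']` into the Location header unencoded; PHP refuses to send a header containing a newline, but every other character is passed through, so `rawurlencode($_GET['rowID'])` (or `(int)$_GET['rowID']` if the id is numeric, which the name suggests but the hunk does not show) keeps the URL well-formed. The `isset($_GET['rowID'])` guard in the hunk header checks presence only, not shape. The @@ -84 hunk drops a `var_dump` of the API payload, which is the right direction for a page handling user data.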