CMXX - Consumer identity

2025-02-22 23:45:27 +01:00
parent 8dd7023310
commit 3182cb0b3c
10 changed files with 381 additions and 16 deletions
--- a/api/v2/get/consumer_identity.php
+++ b/api/v2/get/consumer_identity.php
@@ -0,0 +1,110 @@
 <?php
 defined($security_key) or exit;
 //------------------------------------------
 // Consumer identity
 //------------------------------------------
 //Connect to DB
 $pdo = dbConnect($dbname);
 //Get user_rights from users.php
 $partner = json_decode($partnerhierarchy);  
 //SoldTo is empty
 if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
 //default whereclause
 list($whereclause,$condition) = getWhereclause('',$permission,$partner,'get');
 //NEW ARRAY
 $criterias = [];   
 $clause = '';
 //Check for $_GET variables and build up clause
 if(isset($get_content) && $get_content!=''){    
    //GET VARIABLES FROM URL
    $requests = explode("&", $get_content);     
    //Check for keys and values
    foreach ($requests as $y){
        $v = explode("=", $y);
        //INCLUDE VARIABLES IN ARRAY
        $criterias[$v[0]] = $v[1]; 
        if ($v[0] == 'page' || $v[0] =='p' || $v[0] =='totals' || $v[0] =='success_msg'){
        //do nothing
        }
        elseif ($v[0] == 'search') {
        //build up search
        $clause .= ' AND email like :'.$v[0]; 
        }
        elseif ($v[0] == 'partnerid') {
        //check accounthierarchy related users
        $clause .= ' AND accounthierarchy like :'.$v[0]; 
        }
        else {//create clause
        $clause .= ' AND '.$v[0].' = :'.$v[0];
        }
    }
    if ($whereclause == '' && $clause !=''){
        $whereclause = 'WHERE '.substr($clause, 4);
    } else {
        $whereclause .= $clause;
    }
 } 
 if(isset($criterias['totals']) && $criterias['totals'] ==''){
 //Request for total rows
    $sql = 'SELECT count(*) as count from consumer_identity '.$whereclause.'';
 } 
 else {
    //SQL for Paging 
    $sql = 'SELECT id,email,profile,first_name,last_name,address_street,address_city,address_state,address_zip,address_country,registered,address_phone,lastlogin,userkey,language,login_count,created,createdby,updated,updatedby,accounthierarchy FROM consumer_identity '.$whereclause.' ORDER BY lastlogin DESC LIMIT :page,:num_products';
 }
 $stmt = $pdo->prepare($sql);
 //Bind to query
 if (str_contains($whereclause, ':condition')){
    $stmt->bindValue('condition', $condition, PDO::PARAM_STR);
 }
 if (!empty($criterias)){
    foreach ($criterias as $key => $value){
        $key_condition = ':'.$key;
        if (str_contains($whereclause, $key_condition)){
            if ($key == 'search'){
                $search_value = '%'.$value.'%';
                $stmt->bindValue($key, $search_value, PDO::PARAM_STR);
            }
            elseif ($key == 'partnerid'){
                $search_value = '%"_"'.$value.'-%';
                $stmt->bindValue($key, $search_value, PDO::PARAM_STR);
            }
            else {
                $stmt->bindValue($key, $value, PDO::PARAM_STR);
            }
        }
    }
 }
 //Add paging details
 if(isset($criterias['totals']) && $criterias['totals']==''){
    $stmt->execute();
    $messages = $stmt->fetch();
    $messages = $messages[0];
 }
 else {
    $current_page = isset($criterias['p']) && is_numeric($criterias['p']) ? (int)$criterias['p'] : 1;
    $stmt->bindValue('page', ($current_page - 1) * $page_rows_users, PDO::PARAM_INT);
    $stmt->bindValue('num_products', $page_rows_users, PDO::PARAM_INT);
    //Excute Query
    $stmt->execute();
    //Get results
    $messages = $stmt->fetchAll(PDO::FETCH_ASSOC);
 }
 //------------------------------------------
 //JSON_ENCODE
 //------------------------------------------
 $messages = json_encode($messages, JSON_UNESCAPED_UNICODE);
 //Send results
 echo $messages;
--- a/api/v2/get/translations.php
+++ b/api/v2/get/translations.php
@@ -14,7 +14,7 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el
 //default whereclause
 $whereclause = '';
-list($whereclause,$condition) = getWhereclause('',$permission,$partner,'get');
+list($whereclause,$condition) = getWhereclause('text_variables',$permission,$partner,'get');
 //NEW ARRAY
 $criterias = [];   
@@ -53,13 +53,13 @@ if(isset($get_content) && $get_content!=''){
 //Define Query
 if(isset($criterias['totals']) && $criterias['totals'] ==''){
 //Request for total rows
-    $sql = 'SELECT count(*) as count FROM text_variables '.$whereclause.'';
+    $sql = 'SELECT count(*) as count FROM text_variables tv '.$whereclause.'';
 } elseif (isset($criterias['generatefile']) && $criterias['generatefile'] !=''){
    $sql = 'SELECT tv.variable,tvt.translation FROM text_variables tv JOIN text_variables_translations tvt ON tv.rowID = tvt.variable_ID '.$whereclause.'';
 }
 else {
    //SQL for Paging 
-    $sql = 'SELECT * FROM text_variables '.$whereclause.' LIMIT :page,:num_products';
+    $sql = 'SELECT * FROM text_variables tv '.$whereclause.' LIMIT :page,:num_products';
 }
 $stmt = $pdo->prepare($sql);
--- a/api/v2/post/consumer_identity.php
+++ b/api/v2/post/consumer_identity.php
@@ -0,0 +1,215 @@
 <?php
 defined($security_key) or exit;
 //------------------------------------------
 // consumer_identity
 //------------------------------------------
 //Connect to DB
 $pdo = dbConnect($dbname);
 //CONTENT FROM API (POST)
 $post_content = json_decode($input,true);
 //SoldTo is empty
 if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
 //default whereclause
 list($whereclause,$condition) = getWhereclause('',$permission,$partner,'');
 //SET PARAMETERS FOR QUERY
 $id = (isset($post_content['userkey'])) ? $post_content['userkey']: ''; //check for rowID
 $command = ($id == '')? 'insert' : 'update';  //IF rowID = empty then INSERT
 if (isset($post_content['delete'])){$command = 'delete';} //change command to delete
 if (isset($post_content['reset'])){$command = 'reset';} //change command to reset
 if (isset($post_content['login'], $post_content['email'], $post_content['password'])){$command = 'login';}//change command to login
 $date = date('Y-m-d H:i:s');
 //CREATE EMPTY STRINGS
 $clause = '';
 $clause_insert ='';
 $input_insert = '';
 //BUILD UP PARTNERHIERARCHY FROM INTERFACE USER
 $partner_product = json_encode(array("salesid"=>$partner->salesid,"soldto"=>$partner->soldto), JSON_UNESCAPED_UNICODE);
 //FIXED VARIABLES
 $post_content['updatedby'] = $userrname; //initial = interface user
 $post_content['accounthierarchy'] = $partner_product; // related to interface user
 $post_content['userkey'] = bin2hex(random_bytes(25)); 
 //Create or update resetkey
 $headers = array('alg'=>'HS256','typ'=>'JWT');
 $payload = array('key'=> bin2hex(random_bytes(25)), 'exp'=>(time() + 1800));
 $resetkey = generate_jwt($headers, $payload);
 //GET EXISTING CONSUMER DATA
 if ($id != '' && $command == 'reset'){
    //STEP 1 - Get username
    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE userkey = ?');
    $stmt->execute([$id]);
    $consumer_data = $stmt->fetch();
    //STEP 2- Store resetkey
    $sql = 'UPDATE users SET resetkey = ?, updatedby = ? WHERE id = ? '.$whereclause.'';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$resetkey,$post_content['updatedby'],$id]);
    //STEP 3 - Send DATA BACK TO FRONT_END
    $messages = json_encode(array('consumer_email'=> $consumer_data['email'], "resetkey" => $resetkey), JSON_UNESCAPED_UNICODE);
    //Send results
    echo $messages;
    exit;
 }
 //ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE
 if ($command == 'update'){ 
    //Define Query
    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE userkey = ?');
    $stmt->execute([$id]);
    $consumer_data = $stmt->fetch();
    $post_content['updatedby'] = $consumer_data['email'];
    if (isset($post_content['password'])){ 
        $post_content['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
 }
 elseif ($command == 'insert'){
    $post_content['password'] = bin2hex(random_bytes(25)); //generate initial password
    $post_content['language'] = isset($post_content['language']) ? $post_content['language'] : 'US';
 }
 elseif ($command == 'login'){
    //SETUP SQL FOR LOGIN_COUNT
    $sql_login = 'UPDATE consumer_identity SET login_count = ? WHERE id = ?';
    // Check if the account exists
    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE email = ?');
    $stmt->execute([ $post_content['email'] ]);
    $account = $stmt->fetch(PDO::FETCH_ASSOC);
    if (count($account) != 0){
        //CHECK NUMBER OF LOGIN ATTEMPTS IS BELOW 5
        if($user_data['login_count'] < 5){
            // If account exists verify password
            if ($account && password_verify($post_content['password'], $account['password'])) {
                //CONSUMER LOGIN CORRECT RETURN DATA
                $consumer = array(
                    'accountID' => $account['userkey'],
                    'profile' => $account['profile']
                );
                //Reset login count after succesfull attempt
                $login_attempt = 0;
                $stmt_login = $pdo->prepare($sql_login);
                $stmt_login->execute([$login_attempt, $account['id']]);
                //Encrypt results
                $messages = json_encode($consumer, JSON_UNESCAPED_UNICODE);
                //Send results
                echo $messages; 
                exit;
            } 
            else {
                //Update Login count with failed attempt
                $login_attempt = $account['login_count'] + 1;
                $stmt_login = $pdo->prepare($sql_login);
                $stmt_login->execute([$login_attempt, $account['id']]);
                //Send Response
                http_response_code(403); //Not authorized
                exit;
            }
        }
        else {
            //User is blocked & send error
            $messages = '1';
            //------------------------------------------
            //Send results
            //------------------------------------------
            echo $messages; 
            exit;
        }
    }
 }
 else {
    //do nothing
 }
 //CREAT NEW ARRAY AND MAP TO CLAUSE
 if(isset($post_content) && $post_content!=''){   
    foreach ($post_content as $key => $var){
        if ($key == 'submit' || $key == 'id'){
            //do nothing
        }
        else {
            $criterias[$key] = $var;
            $clause .= ' , '.$key.' = ?';
            $clause_insert .= ' , '.$key.'';
            $input_insert .= ', ?'; // ? for each insert item
            $execute_input[]= $var; // Build array for input
        }
    }
 }
 //CLEAN UP INPUT
 $clause = substr($clause, 2); //Clean clause - remove first comma
 $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
 $input_insert = substr($input_insert, 1); //Clean clause - remove first comma
 //QUERY AND VERIFY ALLOWED
 if ($command == 'update' && (isAllowed('consumer_identity',$profile,$permission,'U') === 1)){
    $sql = 'UPDATE consumer_identity SET '.$clause.' WHERE userkey = ? '.$whereclause.'';
    $execute_input[] = $id;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($execute_input);
 } 
 elseif ($command == 'insert' && isAllowed('',$profile,$permission,'C') === 1){
    //check if consumer_identity exists
    $stmt = $pdo->prepare('SELECT * FROM consumer_identity WHERE email = ?');
    $stmt->execute([$post_content['email']]);
    $consumer_exist = $stmt->fetch();
    $exists = (isset($consumer_exist['email']))? 1 : 0;
    if($consumer_exist == 0 ){
        $sql = 'INSERT INTO consumer_identity ('.$clause_insert.') VALUES ('.$input_insert.')';
        $stmt = $pdo->prepare($sql);
        $stmt->execute($execute_input);
        //STEP 2- Send to user
        $messages = json_encode(array('consumer_email'=> $post_content['email'], "resetkey" => $resetkey), JSON_UNESCAPED_UNICODE);
        //Send results
        echo $messages;
        exit;
    } else {
        //------------------------------------------
        //JSON_ENCODE
        //------------------------------------------
        $messages = json_encode($exists, JSON_UNESCAPED_UNICODE);
        //Send results
        echo $messages;            
    }
 }
 elseif ($command == 'delete' && isAllowed('consumer_identity',$profile,$permission,'D') === 1){
    //delete equipment
    $stmt = $pdo->prepare('DELETE FROM consumer_identity WHERE userkey = ? '.$whereclause.'');
    $stmt->execute([ $id ]);
    //Add deletion to changelog
    changelog($dbname,'consumer_identity',$id,'Delete','Delete',$consumername);
 } else
 {
    //do nothing
 }
 ?>
--- a/api/v2/post/translations_details.php
+++ b/api/v2/post/translations_details.php
@@ -70,7 +70,6 @@ if ($command == 'update' && isAllowed('translation_manage',$profile,$permission,
    $sql = 'UPDATE text_variables_translations SET '.$clause.' WHERE rowID = ? '.$whereclause.'';
    $execute_input[] = $id;
    $stmt = $pdo->prepare($sql);
    $stmt->debugDumpParams();
    $stmt->execute($execute_input);
 } 
--- a/api/v2/post/users.php
+++ b/api/v2/post/users.php
@@ -17,7 +17,6 @@ if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} el
 //default whereclause
 list($whereclause,$condition) = getWhereclause('profile',$permission,$partner,'');
 //SET PARAMETERS FOR QUERY
 $id = (isset($post_content['id'])) ? $post_content['id']: ''; //check for rowID
 $command = ($id == '')? 'insert' : 'update';  //IF rowID = empty then INSERT
@@ -134,6 +133,9 @@ $post_content['userkey'] = (isset($post_content['userkey']) && $post_content['us
 //ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE
 if ($command == 'update'){ 
    if (isset($post_content['password'])){ 
        $post_content['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    $post_content['partnerhierarchy'] = $accounthierarchy;
 }
 elseif ($command == 'insert'){
@@ -147,6 +149,28 @@ else {
    //do nothing
 }
 //+++++++++++++++++++++++++++++++++++++++++++++
 //RESET VIEW/PERMISSION BASED ON USER PERMISSION
 //+++++++++++++++++++++++++++++++++++++++++++++
 if($post_content['view']){
    switch ($permission) {
        case '4':
            //ADMIN+ no override
           break;
        case '3':
            //ADMINS cannot set ADMIN+ => reset to admin
            $post_content['view'] = ($post_content['view'] == 5) ? 4 : $post_content['view'];
            break;
        default:
            //OTHERS CANNOT SET HIGHER -> IF SET THEN MANIPULATION EXPECTED -> SET USER to READONLY
            $post_content['view'] = ($post_content['view'] == 4 || $post_content['view'] == 5) ? 3 : $post_content['view'];
            break;
    }
 }
 //+++++++++++++++++++++++++++++++++++++++++++++
 //+++++++++++++++++++++++++++++++++++++++++++++
 //CREAT NEW ARRAY AND MAP TO CLAUSE
 if(isset($post_content) && $post_content!=''){   
    foreach ($post_content as $key => $var){
--- a/assets/functions.php
+++ b/assets/functions.php
@@ -700,11 +700,12 @@ function getWhereclause($table_name,$permission,$partner,$method){
  //api_name converter to table
  $table =[
    "equipment" => "e.accounthierarchy",
-    "profile" => "partnerhierarchy"
+    "profile" => "partnerhierarchy",
    "text_variables" => "tv.accounthierarchy"
  ];
  $table = ($table_name != '') ? $table[$table_name] : 'accounthierarchy';
-  $type = ($method == 'get') ? 'WHERE ' : ''; 
+  $type = ($method == 'get') ? 'WHERE ' : ' AND '; 
  //SoldTo is empty
  if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
@@ -752,7 +753,7 @@ function getWhereclauselvl2($table_name,$permission,$partner,$method){
  ];
  $table = ($table_name != '') ? $table[$table_name] : 'accounthierarchy';
-  $type = ($method == 'get') ? 'WHERE ' : ''; 
+  $type = ($method == 'get') ? 'WHERE ' : ' AND '; 
  //SoldTo is empty
  if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
@@ -818,8 +819,8 @@ function getProfile($profile, $permission){
    $user_permission = ${'permission_'.$permission};
    //CHECK ALLOWED
-    $page_action = str_contains($user_permission,$action) > 0 ? 1 : 0;
+    $page_action = str_contains($user_permission,$action) > 0 ? 1 : 0; //CHECK IF USER IS ALLOWED TODO THE ACTION
-    $page_access = str_contains($profile,$page) > 0 ? 1 : 0;
+    $page_access = str_contains($profile,$page) > 0 ? 1 : 0; //CHECK USER IS ALLOWED TO ACCESS PAGE
    //RETURN CODE
    if ($page_access == 1 && $page_action == 1){
@@ -920,6 +921,15 @@ function getPartnerName($str){
        return $str2;  
    }
 }
 //------------------------------------------
 // GET ID of Partner
 //------------------------------------------
 function getPartnerID($str){
  $partner_id = explode("-",$str) ?? ''; 
  return $partner_id[0];
 }
 //------------------------------------------
 // overview Indicators
 //------------------------------------------
--- a/settings/settingsmenu.php
+++ b/settings/settingsmenu.php
@@ -46,6 +46,12 @@ $main_menu = [
            "selected" => "orders", 
            "icon" => "fas fa-tachometer-alt",
            "name" => "menu_sales_orders"  
        ],
        "consumer_identity" => [
            "url" => "consumer_identity", 
            "selected" => "consumer_identity", 
            "icon" => "fas fa-tachometer-alt",
            "name" => "menu_consumer_identity"  
        ]
    ],
    "buildtool" => [
--- a/settings/settingsprofiles.php
+++ b/settings/settingsprofiles.php
@@ -6,11 +6,11 @@ define('superuser_profile','dashboard,profile,assets,equipments,equipment,equipm
 /*Admin*/
 define('admin_profile','dashboard,profile,buildtool,sales,accounts,account,contracts,contract,contract_manage,cartests,cartest,cartest_manage,assets,equipments,equipment,equipment_healthindex,equipment_data,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,rmas,rma,rma_manage,rma_history,rma_history_manage,buildtool,products,products_versions,products_software,product,product_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,communications,communication,communication_send,marketing,reporting,report_build,report_contracts_billing,report_healthindex,changelog,application');
 /*AdminPlus*/
-define('adminplus_profile','dashboard,profile,buildtool,sales,accounts,account,contracts,contract,contract_manage,billing,cartests,cartest,cartest_manage,assets,equipments,equipment,equipment_healthindex,equipment_data,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,rmas,rma,rma_manage,rma_history,rma_history_manage,buildtool,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,communications,communication,communication_send,marketing,reporting,report_build,report_contracts_billing,report_healthindex,report_usage,config,settings,logfile,changelog,language,translations,translations_details,translation_manage,media,media_manage,application,maintenance,uploader,profiles,vin,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders');
+define('adminplus_profile','dashboard,profile,buildtool,sales,accounts,account,contracts,contract,contract_manage,billing,cartests,cartest,cartest_manage,assets,equipments,equipment,equipment_healthindex,equipment_data,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,rmas,rma,rma_manage,rma_history,rma_history_manage,buildtool,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,communications,communication,communication_send,marketing,reporting,report_build,report_contracts_billing,report_healthindex,report_usage,config,settings,logfile,changelog,language,translations,translations_details,translation_manage,media,media_manage,application,maintenance,uploader,profiles,vin,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders,consumer_identity');
 /*Build*/
 define('build','dashboard,profile,buildtool,firmwaretool,buildtool,products_software,application');
 /*Commerce*/
-define('commerce','dashboard,profile,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,admin,partners,partner,users,user,user_manage,translations,translations_details,translation_manage,media,media_manage,application,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders');
+define('commerce','dashboard,profile,products,products_versions,products_software,products_attributes,products_attributes_items,products_attributes_manage,products_configurations,products_categories,products_media,product,product_manage,pricelists,pricelists_items,pricelists_manage,catalog,categories,category,discounts,discount,shipping,shipping_manage,admin,partners,partner,users,user,user_manage,translations,translations_details,translation_manage,media,media_manage,application,uploader,shopping_cart,checkout,placeorder,taxes,transactions,transactions_items,invoice,order,orders,consumer_identity');
 /*Distribution*/
 define('distribution','dashboard,profile,assets,equipments,equipment,equipment_manage,equipment_manage_edit,equipments_mass_update,histories,history,history_manage,firmwaretool,products,products_versions,products_software,product,product_manage,servicereports,servicereport,admin,partners,partner,users,user,user_manage,marketing,application');
 /*Firmware*/
--- a/settings/settingsviews.php
+++ b/settings/settingsviews.php
@@ -96,7 +96,8 @@ $all_views = [
    "transactions_items",
    "invoice",
    "order",
-    "orders"
+    "orders",
    "consumer_identity"
 ];
 ?>
--- a/translation_manage.php
+++ b/translation_manage.php
@@ -84,7 +84,7 @@ if (isset($_GET['rowID'])) {
                //GET ALL POST DATA
                $payload = json_encode($attr, JSON_UNESCAPED_UNICODE);
-                var_dump($payload);
+
                //API call
                $responses = ioServer('/v2/translations_details', $payload);
@@ -104,8 +104,8 @@ if (isset($_GET['rowID'])) {
                }
            }
-            //header('Location: index.php?page=translation_manage&rowID='.$_GET['rowID'].'');
+            header('Location: index.php?page=translation_manage&rowID='.$_GET['rowID'].'');
-            //exit;
+            exit;
        }
    }