diff --git a/api/v0/authorization.php b/api/v0/authorization.php index 89cf78e..b670074 100644 --- a/api/v0/authorization.php +++ b/api/v0/authorization.php @@ -20,7 +20,7 @@ if (!empty($username) && !empty($password)) { die("Connection failed: " . $conn->connect_error); } - $sql = "SELECT id, username, password, service FROM users WHERE username='$username'"; + $sql = "SELECT id, username, password, service, lastlogin FROM users WHERE username='$username'"; $result = $conn->query($sql); if ($result->num_rows == 1) { @@ -34,17 +34,28 @@ if (!empty($username) && !empty($password)) { http_response_code(401); } else { + $service = bin2hex(random_bytes(25)); //$row['service']; + + //Check valid userkey + $valid_key = strtotime('+30 minutes',strtotime($row['lastlogin'])); + $valid = ($valid_key <= time())?0:1; - $service = bin2hex(random_bytes(25)); //$row['service']; - $jwt = createCommunicationToken($service); + if ($row['service'] != '' && $valid == 0){ + + $sql_service = 'UPDATE users SET service = ? WHERE id = ?'; + $stmt_service = $conn->prepare($sql_service); + $stmt_service->execute([$service, $row['id']]); + } + + $jwt = createCommunicationToken($service); - $logindate = date('Y-m-d H:i:s'); - $id = $row['id']; + $logindate = date('Y-m-d H:i:s'); + $id = $row['id']; - $sql1 = "UPDATE users SET lastlogin = '$logindate', service = '$service' WHERE id='$id'"; - $conn->query($sql1); + $sql1 = "UPDATE users SET lastlogin = '$logindate' WHERE id='$id'"; + $conn->query($sql1); - echo json_encode(array('token' => $jwt)); + echo json_encode(array('token' => $jwt)); } } else diff --git a/api/v1/authorization.php b/api/v1/authorization.php index c273a4b..cdd8861 100644 --- a/api/v1/authorization.php +++ b/api/v1/authorization.php 
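Review bot: The rewritten SELECT still interpolates the client-supplied `$username` into the SQL text at `WHERE username='$username'`, so the lookup that gates the whole login stays injectable even though the UPDATE added further down this file is parameterised. `$conn` appears to be mysqli here (`connect_error`, `query`), so the value can be bound as sketched below instead of being spliced into the string. The enclosing `if (!empty($username) && !empty($password))` block starts before the hunk.
```php
$stmt = $conn->prepare("SELECT id, username, password, service, lastlogin FROM users WHERE username = ?");
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
// … unchanged: num_rows check and password verification …
```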
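Review bot: `$jwt = createCommunicationToken($service)` is built from the freshly generated `$service` even when the branch above decides not to store it — when `$row['service']` is still inside the 30-minute window, or is empty on a first login — so the token carries a key the users table does not hold, and the removed `$sql1` was the only line that wrote `service` unconditionally. Generate a new key only in the rotate-or-initialise case and otherwise reuse `$row['service']`, as below. Two smaller points: `$stmt_service->execute([$service, $row['id']])` on a mysqli statement needs PHP 8.1+, and the rewritten `$sql1` still interpolates `$logindate`/`$id` where the neighbouring update is parameterised. The surrounding `else` branch of the password check begins before the hunk.
```php
// … unchanged: $valid computation …
$service = $row['service'];
// rotate only when no key is stored yet or the last login is older than the window
if ($service == '' || $valid == 0) {
    $service = bin2hex(random_bytes(25));
    $stmt_service = $conn->prepare('UPDATE users SET service = ? WHERE id = ?');
    $stmt_service->execute([$service, $row['id']]);
}
$jwt = createCommunicationToken($service);
// … unchanged: lastlogin update and JSON response …
```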
@@ -48,8 +48,12 @@ if ($stmt->rowCount() == 1) { } else { //STANDARD LOGIN if (password_verify($password, $user_data['password'])) { + //Check valid userkey + $valid_key = strtotime('+30 minutes',strtotime($user_data['lastlogin'])); + $valid = ($valid_key <= time())?0:1; + //REFRESH USERKEY - if ($user_data['userkey'] != ''){ + if ($user_data['userkey'] != '' && $valid == 0){ $user_data['userkey'] = bin2hex(random_bytes(25)); $sql_userkey = 'UPDATE users SET userkey = ? WHERE id = ?'; $stmt_userkey = $pdo->prepare($sql_userkey); @@ -57,7 +61,7 @@ if ($stmt->rowCount() == 1) { } //REFRESH USERKEY - if ($user_data['service'] != ''){ + if ($user_data['service'] != '' && $valid == 0){ $user_data['service'] = bin2hex(random_bytes(25)); $sql_service = 'UPDATE users SET service = ? WHERE id = ?'; $stmt_service = $pdo->prepare($sql_service); diff --git a/api/v1/get/contracts.php b/api/v1/get/contracts.php index f9053b8..c375187 100644 --- a/api/v1/get/contracts.php +++ b/api/v1/get/contracts.php @@ -55,6 +55,10 @@ if(isset($get_content) && $get_content!=''){ //build up search $clause .= ' AND reference like :'.$v[0]; } + elseif ($v[0] == 'servicetool') { + //build up search + $clause .= ' AND servicetool like :'.$v[0]; + } else {//create clause $clause .= ' AND '.$v[0].' = :'.$v[0]; } @@ -94,6 +98,10 @@ if (!empty($criterias)){ $search_value = '%'.$value.'%'; $stmt->bindValue($key, $search_value, PDO::PARAM_STR); } + elseif ($key == 'servicetool'){ + $search_value = '%"'.$value.'"%'; + $stmt->bindValue($key, $search_value, PDO::PARAM_STR); + } else { $stmt->bindValue($key, $value, PDO::PARAM_STR); } diff --git a/api/v2/authorization.php b/api/v2/authorization.php index d10db82..8a0f174 100644 --- a/api/v2/authorization.php +++ b/api/v2/authorization.php 
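Review bot: `$valid = ($valid_key <= time())?0:1;` encodes "key expired" as `$valid == 0`, so the rotation guards `if ($user_data['userkey'] != '' && $valid == 0)` read as "rotate when not valid", inverting the natural meaning, and the same 30-minute window is repeated verbatim in the v0 and v2 files. A clearer form is `$keyExpired = strtotime('+30 minutes', strtotime($user_data['lastlogin'])) <= time();` with `if ($user_data['userkey'] != '' && $keyExpired)`, and the window in one named constant shared by the three versions. The gate also changes behaviour worth a comment at the check: a login within 30 minutes of the previous one now leaves an existing `userkey`/`service` in place, so a leaked key is no longer invalidated by the owner logging in again. The `password_verify` branch begins before the hunk and `lastlogin` is presumably updated after it, outside this view.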
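Review bot: `$search_value = '%"'.$value.'"%';` escapes nothing, so `%` and `_` in the client-supplied `servicetool` value act as LIKE wildcards — `servicetool=%` matches every contract regardless of the quoted-JSON shape the pattern assumes. Escape the metacharacters before wrapping: `$search_value = '%"'.addcslashes($value, '%_\\').'"%';` (MySQL's default `ESCAPE` character is the backslash). The surrounding quotes also assume `servicetool` stores the value JSON-encoded with no escaping, so a value containing `"` or `/` will not match; that assumption deserves a comment on the line. The `foreach ($criterias …)` loop begins before the hunk.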
@@ -49,8 +49,12 @@ if ($stmt->rowCount() == 1) { } else { //STANDARD LOGIN if (password_verify($password, $user_data['password'])) { + //Check valid userkey + $valid_key = strtotime('+30 minutes',strtotime($user_data['lastlogin'])); + $valid = ($valid_key <= time())?0:1; + //REFRESH USERKEY - if ($user_data['userkey'] != ''){ + if ($user_data['userkey'] != '' && $valid == 0){ $user_data['userkey'] = bin2hex(random_bytes(25)); $sql_userkey = 'UPDATE users SET userkey = ? WHERE id = ?'; $stmt_userkey = $pdo->prepare($sql_userkey); @@ -58,7 +62,7 @@ if ($stmt->rowCount() == 1) { } //REFRESH USERKEY - if ($user_data['service'] != ''){ + if ($user_data['service'] != '' && $valid == 0){ $user_data['service'] = bin2hex(random_bytes(25)); $sql_service = 'UPDATE users SET service = ? WHERE id = ?'; $stmt_service = $pdo->prepare($sql_service); diff --git a/api/v2/get/accounts.php b/api/v2/get/accounts.php new file mode 100644 index 0000000..1ab4634 --- /dev/null +++ b/api/v2/get/accounts.php 
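Review bot: `strtotime($user_data['lastlogin'])` returns `false` when `lastlogin` is NULL or unparsable (and passing NULL raises a deprecation on PHP 8.1+), after which `strtotime('+30 minutes', false)` silently computes from the epoch and the key is treated as expired — the right outcome, but only by accident and not visible at the check. Make the case explicit: `$lastLogin = strtotime((string)($user_data['lastlogin'] ?? ''));` and `$keyExpired = ($lastLogin === false) || $lastLogin + 30 * 60 <= time();`, then use `$keyExpired` in both guards below in place of `$valid == 0`. The identical block exists in api/v1/authorization.php, so keep the two in sync. The `password_verify` branch starts before the hunk.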
@@ -0,0 +1,132 @@ +soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} + +//default whereclause +$whereclause = ''; + +switch ($permission) { + case '4': + $whereclause = ''; + break; + case '3': + $whereclause = ''; + break; + default: + $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search; + $whereclause = ' AND accounthierarchy like "'.$condition.'"'; + break; +} + +//NEW ARRAY +$criterias = []; +$clause = ''; + +//Check for $_GET variables and build up clause +if(isset($get_content) && $get_content!=''){ + //GET VARIABLES FROM URL + $requests = explode("&", $get_content); + //Check for keys and values + foreach ($requests as $y){ + $v = explode("=", $y); + //INCLUDE VARIABLES IN ARRAY + $criterias[$v[0]] = $v[1]; + + if ($v[0] == 'page' || $v[0] =='p' || $v[0] =='totals' || $v[0] =='list' || $v[0] =='success_msg'){ + //do nothing + } + elseif ($v[0] == 'accountdetails') { + //build up search + $clause .= ' AND accountdetails like :'.$v[0]; + } + elseif ($v[0] == 'search') { + //build up search + $clause .= ' AND accountdetails like :'.$v[0]; + } + else {//create clause + $clause .= ' AND '.$v[0].' = :'.$v[0]; + } + } + if ($whereclause == '' && $clause !=''){ + $whereclause = 'WHERE '.substr($clause, 4); + } else { + $whereclause .= $clause; + } +} +//Define Query +if(isset($criterias['totals']) && $criterias['totals'] ==''){ +//Request for total rows + $sql = 'SELECT count(*) as count FROM account '.$whereclause.''; +} +elseif (isset($criterias['list']) && $criterias['list'] =='') { + //SQL for Paging + $sql = 'SELECT * FROM account '.$whereclause.''; +} +else { + //SQL for Paging + $sql = 'SELECT * FROM account '.$whereclause.' 
LIMIT :page,:num_products'; +} + +$stmt = $pdo->prepare($sql); + +//Bind to query +if (str_contains($whereclause, ':condition')){ + $stmt->bindValue('condition', $condition, PDO::PARAM_STR); +} + +if (!empty($criterias)){ + foreach ($criterias as $key => $value){ + $key_condition = ':'.$key; + if (str_contains($whereclause, $key_condition)){ + if ($key == 'search' ||$key == 'accountdetails' ){ + $search_value = '%'.$value.'%'; + $stmt->bindValue($key, $search_value, PDO::PARAM_STR); + } + else { + $stmt->bindValue($key, $value, PDO::PARAM_STR); + } + } + } +} + +//Add paging details +if(isset($criterias['totals']) && $criterias['totals']==''){ + $stmt->execute(); + $messages = $stmt->fetch(); + $messages = $messages[0]; +} +elseif(isset($criterias['list']) && $criterias['list']==''){ + //Excute Query + $stmt->execute(); + //Get results + $messages = $stmt->fetchAll(PDO::FETCH_ASSOC); +} +else { + $current_page = isset($criterias['p']) && is_numeric($criterias['p']) ? (int)$criterias['p'] : 1; + $stmt->bindValue('page', ($current_page - 1) * $page_rows_accounts, PDO::PARAM_INT); + $stmt->bindValue('num_products', $page_rows_accounts, PDO::PARAM_INT); + + //Excute Query + $stmt->execute(); + //Get results + $messages = $stmt->fetchAll(PDO::FETCH_ASSOC); +} + +//------------------------------------------ +//JSON_ENCODE +//------------------------------------------ +$messages = json_encode($messages, JSON_UNESCAPED_UNICODE); + +//Send results +echo $messages; + +?> \ No newline at end of file diff --git a/api/v2/get/contracts.php b/api/v2/get/contracts.php index 74cd53d..d03c5ce 100644 --- a/api/v2/get/contracts.php +++ b/api/v2/get/contracts.php @@ -55,6 +55,10 @@ if(isset($get_content) && $get_content!=''){ //build up search $clause .= ' AND reference like :'.$v[0]; } + elseif ($v[0] == 'servicetool') { + //build up search + $clause .= ' AND servicetool like :'.$v[0]; + } else {//create clause $clause .= ' AND '.$v[0].' = :'.$v[0]; } 
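Review bot: Every query-string key not in the short skip list is spliced raw into the statement as a column name and placeholder name at `$clause .= ' AND '.$v[0].' = :'.$v[0];`, so the identifier position is caller-controlled even though the value is bound; restrict `$v[0]` to a whitelist of account columns, or at the very least `if (!preg_match('/^[A-Za-z0-9_]+$/', $v[0])) { continue; }` before building the clause. For users below permission 3 the row filter is `' AND accounthierarchy like "'.$condition.'"'`, which lands directly after `FROM account` with no `WHERE` when no further criteria arrive, and the later `bindValue('condition', …)` never fires because the clause contains no `:condition`; `$whereclause = ' WHERE accounthierarchy like :condition';` fixes both and keeps the salesid/soldto values out of the SQL text. The file's opening lines appear to have been lost in extraction (the hunk starts at `soldto) ||`), so how `$partner`, `$permission` and `$get_content` are derived is not visible here.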
@@ -94,6 +98,10 @@ if (!empty($criterias)){ $search_value = '%'.$value.'%'; $stmt->bindValue($key, $search_value, PDO::PARAM_STR); } + elseif ($key == 'servicetool'){ + $search_value = '%"'.$value.'"%'; + $stmt->bindValue($key, $search_value, PDO::PARAM_STR); + } else { $stmt->bindValue($key, $value, PDO::PARAM_STR); } diff --git a/api/v2/post/accounts.php b/api/v2/post/accounts.php new file mode 100644 index 0000000..bbe1688 --- /dev/null +++ b/api/v2/post/accounts.php 
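Review bot: The new `servicetool` bind wraps the raw client value in `'%"'.$value.'"%'` without neutralising LIKE metacharacters, so a request with `servicetool=%` or `servicetool=_` widens the match to rows the caller did not name. Use `addcslashes($value, '%_\\')` on the value before wrapping, mirroring the same fix needed in api/v1/get/contracts.php, and note in a comment that the literal double quotes presume the column holds un-escaped JSON strings. The `foreach ($criterias …)` loop this sits in begins before the hunk.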
@@ -0,0 +1,188 @@ +soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} + +//default whereclause to check if data is owned buy user +$whereclause = ''; + +switch ($permission) { + case '4': + $whereclause = ''; + break; + case '3': + $whereclause = ''; + break; + default: + $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search; + $whereclause = ' AND accounthierarchy like "'.$condition.'"'; + break; +} + +//SET PARAMETERS FOR QUERY +$id = $post_content['rowID'] ?? ''; //check for rowID +$command = ($id == '')? 'insert' : 'update'; //IF rowID = empty then INSERT +if (isset($post_content['delete'])){$command = 'delete';} //change command to delete +$date = date('Y-m-d H:i:s'); + +//CREATE EMPTY STRINGS +$clause = ''; +$clause_insert =''; +$input_insert = ''; + +if ($id != ''){ + //Define Query + $stmt = $pdo->prepare('SELECT * FROM account WHERE rowID = ?'); + $stmt->execute([$id]); + $account_data = $stmt->fetch(); + + $accounthierarchy_old = json_decode($account_data['accounthierarchy']); + + $salesid_new = ((isset($post_content['salesid']) && $post_content['salesid'] != '' && $post_content['salesid'] != $accounthierarchy_old->salesid)? $post_content['salesid'] : $accounthierarchy_old->salesid); + $soldto_new = ((isset($post_content['soldto']) && $post_content['soldto'] != '' && $post_content['soldto'] != $accounthierarchy_old->soldto)? 
$post_content['soldto'] : $accounthierarchy_old->soldto); + + if ($permission == 3 || $permission == 4){ + //ADMIN ONLY ARE ALLOWED TO CHANGE SALES AND SOLD + $account = array( + "salesid"=>$salesid_new, + "soldto"=>$soldto_new + ); + } else { + $account = array( + "salesid"=>$accounthierarchy_old->salesid, + "soldto"=> $soldto_new + ); + } +} +else { + //ID is empty => INSERT / NEW RECORD + + //GET PARTNERDETAILS FROM USER + $sales_user = array( + "salesid"=>$partner->salesid, + "soldto"=>$partner->soldto + ); + $salesID = json_encode($sales_user, JSON_UNESCAPED_UNICODE); + + //CHECK IF PARTNER-ID IS EMPTY THEN CHECK IF EXIST OR CREATE + if (isset($post_content['soldto']) && $post_content['soldto'] ==''){ + + //PARTNER ID IS EMPTY => SEARCH IF EXIST + $stmt = $pdo->prepare('SELECT * FROM partner WHERE partnername = ? AND partnertype = ?'); + $stmt->execute([$post_content['accountdetails']['billcompany'],$partnertype2]); + $partner_exist = $stmt->fetch(); + + if($partner_exist){ + //PARTNER EXIST -> USE IT + $post_content['soldto'] = $partner_exist['partnerID'].'-'.$partner_exist['partnername']; + } + else{ + //PARTNER DOES NOT EXIST -> CREATE IT + //INSERT NEW PARTNER + $sql = 'INSERT INTO partner (partnertype, partnername, partnernotes, salesID, createdby) VALUES (?,?,?,?,?)'; + $stmt = $pdo->prepare($sql); + $stmt->execute([$partnertype2,$post_content['accountdetails']['billcompany'],'created from account',$salesID,$username]); + $rowID = $pdo->lastInsertId(); + $post_content['soldto'] = $rowID.'-'.$post_content['accountdetails']['billcompany']; + } + } + //CHECK IF PARTNER-ID IS NOT EMPTY THEN USE IT + $account = array( + "salesid"=>$post_content['salesid'], + "soldto"=>$post_content['soldto'] + ); + + //CHECK IF COMMUNICATION USER EXIST FOR THIS PARTNER + if (isset($post_content['accountdetails']['billemail']) && $post_content['accountdetails']['billemail'] !=''){ + //Check if communication record exist + $rowID = 
getrowID($dbname,'rowID','communication','partnerID ="'.$post_content['soldto'].'" and email = "'.$post_content['accountdetails']['billemail'].'"'); + + if ($rowID){ + //communication record exist + } + else + { + //communication record does not exist ->create + $sql = 'INSERT INTO communication (status,partnerID,email,type_1,type_2,type_3,createdby,salesID,coms_type) VALUES (?,?,?,?,?,?,?,?,?)'; + $stmt = $pdo2->prepare($sql); + $stmt->execute(['1',$post_content['soldto'],$post_content['accountdetails']['billemail'],'1','1','1',$username,$salesID,'1']); + } + } + +} + +//Create JSONs +$accounthierarchy = json_encode($account, JSON_UNESCAPED_UNICODE); +$accountdetails = json_encode($post_content['accountdetails'], JSON_UNESCAPED_UNICODE); + +//ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE +if ($command == 'update' && !isset($post_content['delete'])){ + $post_content['rowID'] = $id; + $post_content['accounthierarchy'] = $accounthierarchy; + $post_content['accountdetails'] = $accountdetails; +} +elseif ($command == 'insert' && !isset($post_content['delete'])){ + $post_content['created'] = $date; + $post_content['createdby'] = $username; + $post_content['accounthierarchy'] = $accounthierarchy; + $post_content['accountdetails'] = $accountdetails; +} +else { + //do nothing +} + +//CREAT NEW ARRAY AND MAP TO CLAUSE +if(isset($post_content) && $post_content!=''){ + foreach ($post_content as $key => $var){ + if ($key == 'submit' || $key == 'delete' || $key == 'rowID'|| $key == 'id' || str_contains($key, 'old_')|| $key == 'salesid' || $key == 'soldto'|| $key == 'accountID'){ + //do nothing + } + else { + $criterias[$key] = $var; + $clause .= ' , '.$key.' = ?'; + $clause_insert .= ' , '.$key.''; + $input_insert .= ', ?'; // ? 
for each insert item + $execute_input[]= $var; // Build array for input + } + } +} + +//CLEAN UP INPUT +$clause = substr($clause, 2); //Clean clause - remove first comma +$clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma +$input_insert = substr($input_insert, 1); //Clean clause - remove first comma + +//QUERY AND VERIFY ALLOWED +if ($command == 'update' && !isset($post_content['delete']) && isAllowed('account',$profile,$permission,'U') === 1){ + $sql = 'UPDATE account SET '.$clause.' WHERE rowID = ? '.$whereclause.''; + $execute_input[] = $id; + $stmt = $pdo->prepare($sql); + $stmt->execute($execute_input); +} +elseif ($command == 'insert' && !isset($post_content['delete']) && isAllowed('account',$profile,$permission,'C') === 1){ + $sql = 'INSERT INTO account ('.$clause_insert.') VALUES ('.$input_insert.')'; + $stmt = $pdo->prepare($sql); + $stmt->execute($execute_input); +} +elseif ($command == 'delete' && isAllowed('account',$profile,$permission,'D') === 1){ + $stmt = $pdo->prepare('DELETE FROM account WHERE rowID = ? '.$whereclause.''); + $stmt->execute([ $id ]); + + //Add deletion to changelog + changelog($dbname,'accounts',$id,'Delete','Delete',$username); +} else +{ + //do nothing +} + +?> \ No newline at end of file diff --git a/api/v2/post/equipments.php b/api/v2/post/equipments.php index 6c955b2..fee668c 100644 --- a/api/v2/post/equipments.php +++ b/api/v2/post/equipments.php 
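Review bot: `getrowID($dbname,'rowID','communication','partnerID ="'.$post_content['soldto'].'" and email = "'.$post_content['accountdetails']['billemail'].'"')` hands a WHERE fragment built from the posted `billemail` (and, when the client supplies it, `soldto`) to the helper verbatim, so unless `getrowID` parses and quotes that string itself — its body is not in the diff — this is an SQL injection point in the insert path while every other query in the file is parameterised. The insert branch also takes `"salesid"=>$post_content['salesid']` for every permission level, whereas the update branch only lets permission 3/4 change salesid, so a non-admin can create an account under another sales id and sidestep the `accounthierarchy` row filter on later reads and updates. The clause builder further turns each remaining POST key into a column name in `' , '.$key.' = ?'`, so a whitelist of writable account columns is needed there as well. The file's opening lines appear truncated by extraction (the hunk starts at `soldto) ||`), so the origin of `$post_content`, `$partner` and `$permission` is not visible here.
```php
// … unchanged: partner lookup / creation …
// non-admins may only create accounts under their own sales id
$salesid_for_insert = ($permission == 3 || $permission == 4) ? $post_content['salesid'] : $partner->salesid;
$account = array(
    "salesid"=>$salesid_for_insert,
    "soldto"=>$post_content['soldto']
);

if (isset($post_content['accountdetails']['billemail']) && $post_content['accountdetails']['billemail'] !=''){
    // bind the lookup instead of concatenating a WHERE fragment; $pdo2 is the connection the INSERT below already uses for this table
    $stmt = $pdo2->prepare('SELECT rowID FROM communication WHERE partnerID = ? AND email = ?');
    $stmt->execute([$post_content['soldto'], $post_content['accountdetails']['billemail']]);
    $rowID = $stmt->fetchColumn();
    // … unchanged: create communication record when $rowID is false …
}
```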
@@ -54,11 +54,11 @@ if ($id != ''){ $equipment_old = json_decode($equipment_data['accounthierarchy']); - $salesid_new = (($post_content['salesid'] != '' && $post_content['salesid'] != $equipment_old->salesid)? $post_content['salesid'] : $equipment_old->salesid); - $soldto_new = (($post_content['soldto'] != '' && $post_content['soldto'] != $equipment_old->soldto)? $post_content['soldto'] : $equipment_old->soldto); - $shipto_new = (($post_content['shipto'] != '' && $post_content['shipto'] != $equipment_old->shipto)? $post_content['shipto'] : $equipment_old->shipto); - $location_new = (($post_content['location'] != '' && $post_content['location'] != $equipment_old->location)? $post_content['location'] : $equipment_old->location); - $section_new = (($post_content['section'] != '' && $post_content['section'] != $equipment_old->section)? $post_content['section'] : $equipment_old->section); + $salesid_new = ((isset($post_content['salesid']) && $post_content['salesid'] != '' && $post_content['salesid'] != $equipment_old->salesid)? $post_content['salesid'] : $equipment_old->salesid); + $soldto_new = ((isset($post_content['soldto']) &&$post_content['soldto'] != '' && $post_content['soldto'] != $equipment_old->soldto)? $post_content['soldto'] : $equipment_old->soldto); + $shipto_new = ((isset($post_content['shipto']) &&$post_content['shipto'] != '' && $post_content['shipto'] != $equipment_old->shipto)? $post_content['shipto'] : $equipment_old->shipto); + $location_new = ((isset($post_content['location']) &&$post_content['location'] != '' && $post_content['location'] != $equipment_old->location)? $post_content['location'] : $equipment_old->location); + $section_new = ((isset($post_content['section']) &&$post_content['section'] != '' && $post_content['section'] != $equipment_old->section)? $post_content['section'] : $equipment_old->section); $owner_equipment = (($equipment_data['createdby'] == $username)? 1 : 0); 
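Review bot: Each of the five `*_new` lines now tests `isset(...) && $x != '' && $x != $equipment_old->field`, but the inequality-with-old term is redundant — when the posted value equals the stored one both branches yield the same value — so the guarded expression collapses to `$salesid_new = ($post_content['salesid'] ?? '') != '' ? $post_content['salesid'] : $equipment_old->salesid;` and likewise for the other four fields. The spacing `&&$post_content[...]` on the last four lines is also inconsistent with the first. The enclosing `if ($id != '')` block begins before the hunk.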
diff --git a/contract.php b/contract.php index 7967cd0..f8a551a 100644 --- a/contract.php +++ b/contract.php @@ -31,6 +31,7 @@ $update_allowed = isAllowed($page ,$_SESSION['profile'],$_SESSION['permission'], $update_allowed_edit = isAllowed($page_manage ,$_SESSION['profile'],$_SESSION['permission'],'U'); $delete_allowed = isAllowed($page_manage ,$_SESSION['profile'],$_SESSION['permission'],'D'); $create_allowed = isAllowed($page_manage ,$_SESSION['profile'],$_SESSION['permission'],'C'); +$view_equipment = isAllowed('equipment' ,$_SESSION['profile'],$_SESSION['permission'],'R'); //GET Details from URL $GET_VALUES = urlGETdetails($_GET) ?? ''; @@ -304,7 +305,7 @@ $view .= '