soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';} //default whereclause to check if data is owned by user $whereclause = ''; switch ($permission) { case '4': $whereclause = ''; break; case '3': $whereclause = ''; break; case '2': $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search; $whereclause = ' AND partnerhierarchy like "'.$condition.'"'; break; default: $condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.substr($partner->location, 0, strpos($partner->location, "-")).'%'; $whereclause = ' AND partnerhierarchy like "'.$condition.'"'; break; } //SET PARAMETERS FOR QUERY $id = (isset($post_content['id'])) ? $post_content['id']: ''; //check for rowID $command = ($id == '')? 'insert' : 'update'; //IF rowID = empty then INSERT if (isset($post_content['delete'])){$command = 'delete';} //change command to delete if (isset($post_content['reset'])){$command = 'reset';} //change command to reset $date = date('Y-m-d H:i:s'); //CREATE EMPTY STRINGS $clause = ''; $clause_insert =''; $input_insert = ''; //GET EXISTING USER DATA if ($id != '' && $command != 'reset'){ //Define Query $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?'); $stmt->execute([$id]); $user_data = $stmt->fetch(); $owner_user = (($user_data['username'] == $username)? 1 : 0); $user_name_old = $user_data['username']; $view_old = $user_data['view']; $partnerhierarchy_old = json_decode($user_data['partnerhierarchy']); $salesid_new = ((isset($post_content['salesid']) && $post_content['salesid'] != '' && $post_content['salesid'] != $partnerhierarchy_old->salesid)? $post_content['salesid'] : $partnerhierarchy_old->salesid); $soldto_new = ((isset($post_content['soldto']) && $post_content['soldto'] != '' && $post_content['soldto'] != $partnerhierarchy_old->soldto)? $post_content['soldto'] : $partnerhierarchy_old->soldto); $shipto_new = (($post_content['shipto'] != '' && $post_content['shipto'] != $partnerhierarchy_old->shipto)? $post_content['shipto'] : $partnerhierarchy_old->shipto); $location_new = (($post_content['location'] != '' && $post_content['location'] != $partnerhierarchy_old->location)? $post_content['location'] : $partnerhierarchy_old->location); if ($permission == 4){ //ADMIN+ ONLY ARE ALLOWED TO CHANGE SALES AND SOLD $account = array( "salesid"=>$salesid_new, "soldto"=>$soldto_new, "shipto"=>$shipto_new, "location"=>$location_new ); }elseif ($permission == 3) { //ADMIN ONLY ARE ALLOWED TO CHANGE SOLD $account = array( "salesid"=>$partner->salesid, "soldto"=>$soldto_new, "shipto"=>$shipto_new, "location"=>$location_new ); } else { $account = array( "salesid"=>$partner->salesid, "soldto"=>$partner->soldto, "shipto"=>$shipto_new, "location"=>$location_new ); } } elseif ($command == 'insert') { //ID is empty => INSERT / NEW RECORD if ($permission == 4){ //ADMIN+ ONLY ARE ALLOWED TO CHANGE SALES AND SOLD $account = array( "salesid"=>$post_content['salesid'], "soldto"=>$post_content['soldto'], "shipto"=>$post_content['shipto'], "location"=>$post_content['location'] ); } elseif ($permission == 3){ //ADMIN ONLY ARE ALLOWED TO CHANGE SOLD $account = array( "salesid"=>$partner->salesid, "soldto"=>$post_content['soldto'], "shipto"=>$post_content['shipto'], "location"=>$post_content['location'] ); } else { $account = array( "salesid"=>$partner->salesid, "soldto"=>$partner->soldto, "shipto"=>$post_content['shipto'], "location"=>$post_content['location'] ); } } elseif ($id != '' && $command == 'reset'){ //Reset user requested //Get username $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?'); $stmt->execute([$id]); $user_data = $stmt->fetch(); //generate resetkey $post_content['resetkey'] = generate_jwt($headers, $payload); //STEP 1- create resetkey $headers = array('alg'=>'HS256','typ'=>'JWT'); $payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800)); $resetkey = generate_jwt($headers, $payload); //STEP 2- Store resetkey $sql = 'UPDATE users SET resetkey = ? WHERE id = ? '.$whereclause.''; $stmt = $pdo->prepare($sql); $stmt->execute([$resetkey,$id]); //STEP 3 - Send to user include_once './assets/mail/email_template_reset.php'; send_mail($user_data['email'],$subject,$message,'',''); } $accounthierarchy = json_encode($account, JSON_UNESCAPED_UNICODE); //Create resetkey & tokens $headers = array('alg'=>'HS256','typ'=>'JWT'); $payload = array('username'=>$post_content['username'], 'exp'=>(time() + 1800)); $post_content['service'] = (isset($post_content['service']) && $post_content['service'] == 1) ? bin2hex(random_bytes(25)) : ''; $post_content['userkey'] = (isset($post_content['userkey']) && $post_content['userkey'] == 1) ? bin2hex(random_bytes(25)) : ''; //ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE if ($command == 'update'){ $post_content['partnerhierarchy'] = $accounthierarchy; } elseif ($command == 'insert'){ $post_content['resetkey'] = $resetkey = generate_jwt($headers, $payload); $post_content['password'] = generate_jwt($headers, $payload); $post_content['partnerhierarchy'] = $accounthierarchy; $post_content['salesID'] = $partner->salesid; } else { //do nothing } //CREAT NEW ARRAY AND MAP TO CLAUSE if(isset($post_content) && $post_content!=''){ foreach ($post_content as $key => $var){ if ($key == 'submit' || $key == 'id' || str_contains($key, 'old_') || $key == 'salesid' || $key == 'soldto' || $key == 'shipto' || $key == 'location'){ //do nothing } else { $criterias[$key] = $var; $clause .= ' , '.$key.' = ?'; $clause_insert .= ' , '.$key.''; $input_insert .= ', ?'; // ? for each insert item $execute_input[]= $var; // Build array for input } } } //CLEAN UP INPUT $clause = substr($clause, 2); //Clean clause - remove first comma $clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma $input_insert = substr($input_insert, 1); //Clean clause - remove first comma //QUERY AND VERIFY ALLOWED if ($command == 'update' && (isAllowed('user',$profile,$permission,'U') === 1 || $owner_user === 1)){ $sql = 'UPDATE users SET '.$clause.' WHERE id = ? '.$whereclause.''; $execute_input[] = $id; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); //Update the username in all tables when changed if ($post_content['username'] != $user_name_old){ $sql_like = '%'.$user_name_old.'%'; $sql1= 'UPDATE equipment SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql2= 'UPDATE communication SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql3= 'UPDATE contracts SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql4= 'UPDATE feedback SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql5= 'UPDATE history SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql6= 'UPDATE opportunities SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql7= 'UPDATE orders SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql8= 'UPDATE products SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql_users = 'UPDATE account SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; $sql_partner = 'UPDATE partner SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?'; //SQL_users $stmt = $pdo->prepare($sql_users); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL_partners $stmt = $pdo->prepare($sql_partner); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); $pdo = dbConnect($dbname); //SQL1 $stmt = $pdo->prepare($sql1); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL2 $stmt = $pdo->prepare($sql2); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL3 $stmt = $pdo->prepare($sql3); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL4 $stmt = $pdo->prepare($sql4); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL5 $stmt = $pdo->prepare($sql5); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL6 $stmt = $pdo->prepare($sql6); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL7 $stmt = $pdo->prepare($sql7); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); //SQL8 $stmt = $pdo->prepare($sql8); $stmt->execute([$user_name_old,$post_content['username'], $sql_like]); } } elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1){ //check if user exists $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?'); $stmt->execute([$post_content['username']]); $user_exist = $stmt->fetch(); $exists = (isset($user_exist['username']))? 1 : 0; if($user_exist == 0 ){ $sql = 'INSERT INTO users ('.$clause_insert.') VALUES ('.$input_insert.')'; $stmt = $pdo->prepare($sql); $stmt->execute($execute_input); //STEP 2- Send to user include_once './assets/mail/email_template_new.php'; send_mail($post_content['email'],$subject,$message,'',''); } else { //Encrypt results $messages = generate_payload($exists); //Send results echo $messages; } } elseif ($command == 'delete' && isAllowed('user',$profile,$permission,'D') === 1){ //delete equipment $stmt = $pdo->prepare('DELETE FROM users WHERE id = ? '.$whereclause.''); $stmt->execute([ $id ]); //Add deletion to changelog changelog($dbname,'users',$id,'Delete','Delete',$username); } else { //do nothing } ?>