pcwvanbeers/assetmgt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
78cfe93dcef705ae333c4ffdc575761921ac592f
assetmgt/api/v2/post/users.php
“VeLiTi” 78cfe93dce CM89 - contract changes
2024-09-20 14:57:11 +02:00

279 lines
11 KiB
PHP
Raw Blame History

<?php
defined($security_key) or exit;
//------------------------------------------
// users
//------------------------------------------
//Connect to DB
$pdo = dbConnect($dbname);
//CONTENT FROM API (POST)
$post_content = json_decode($input,true);
$owner_user = 0;
//SoldTo is empty
if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
//default whereclause to check if data is owned by user
$whereclause = '';
switch ($permission) {
case '4':
$whereclause = '';
break;
case '3':
$whereclause = '';
break;
case '2':
$condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search;
$whereclause = ' AND partnerhierarchy like "'.$condition.'"';
break;
default:
$condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search.'___shipto___'.substr($partner->shipto, 0, strpos($partner->shipto, "-")).'%___location___'.substr($partner->location, 0, strpos($partner->location, "-")).'%';
$whereclause = ' AND partnerhierarchy like "'.$condition.'"';
break;
}
//SET PARAMETERS FOR QUERY
$id = (isset($post_content['id'])) ? $post_content['id']: ''; //check for rowID
$command = ($id == '')? 'insert' : 'update'; //IF rowID = empty then INSERT
if (isset($post_content['delete'])){$command = 'delete';} //change command to delete
if (isset($post_content['reset'])){$command = 'reset';} //change command to reset
$date = date('Y-m-d H:i:s');
//CREATE EMPTY STRINGS
$clause = '';
$clause_insert ='';
$input_insert = '';
//GET EXISTING USER DATA
if ($id != '' && $command != 'reset'){
//Define Query
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
$user_data = $stmt->fetch();
$owner_user = (($user_data['username'] == $username)? 1 : 0);
$user_name_old = $user_data['username'];
$view_old = $user_data['view'];
$partnerhierarchy_old = json_decode($user_data['partnerhierarchy']);
$salesid_new = ((isset($post_content['salesid']) && $post_content['salesid'] != '' && $post_content['salesid'] != $partnerhierarchy_old->salesid)? $post_content['salesid'] : $partnerhierarchy_old->salesid);
$soldto_new = ((isset($post_content['soldto']) && $post_content['soldto'] != '' && $post_content['soldto'] != $partnerhierarchy_old->soldto)? $post_content['soldto'] : $partnerhierarchy_old->soldto);
$shipto_new = (($post_content['shipto'] != '' && $post_content['shipto'] != $partnerhierarchy_old->shipto)? $post_content['shipto'] : $partnerhierarchy_old->shipto);
$location_new = (($post_content['location'] != '' && $post_content['location'] != $partnerhierarchy_old->location)? $post_content['location'] : $partnerhierarchy_old->location);
if ($permission == 4){
//ADMIN+ ONLY ARE ALLOWED TO CHANGE SALES AND SOLD
$account = array(
"salesid"=>$salesid_new,
"soldto"=>$soldto_new,
"shipto"=>$shipto_new,
"location"=>$location_new
);
}elseif ($permission == 3) {
//ADMIN ONLY ARE ALLOWED TO CHANGE SOLD
$account = array(
"salesid"=>$partner->salesid,
"soldto"=>$soldto_new,
"shipto"=>$shipto_new,
"location"=>$location_new
);
}
else {
$account = array(
"salesid"=>$partner->salesid,
"soldto"=>$partner->soldto,
"shipto"=>$shipto_new,
"location"=>$location_new
);
}
} elseif ($command == 'insert') {
//ID is empty => INSERT / NEW RECORD
if ($permission == 4){
//ADMIN+ ONLY ARE ALLOWED TO CHANGE SALES AND SOLD
$account = array(
"salesid"=>$post_content['salesid'],
"soldto"=>$post_content['soldto'],
"shipto"=>$post_content['shipto'],
"location"=>$post_content['location']
);
}
elseif ($permission == 3){
//ADMIN ONLY ARE ALLOWED TO CHANGE SOLD
$account = array(
"salesid"=>$partner->salesid,
"soldto"=>$post_content['soldto'],
"shipto"=>$post_content['shipto'],
"location"=>$post_content['location']
);
}
else {
$account = array(
"salesid"=>$partner->salesid,
"soldto"=>$partner->soldto,
"shipto"=>$post_content['shipto'],
"location"=>$post_content['location']
);
}
} elseif ($id != '' && $command == 'reset'){
//Reset user requested
//Get username
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
$user_data = $stmt->fetch();
//generate resetkey
$post_content['resetkey'] = generate_jwt($headers, $payload);
//STEP 1- create resetkey
$headers = array('alg'=>'HS256','typ'=>'JWT');
$payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800));
$resetkey = generate_jwt($headers, $payload);
//STEP 2- Store resetkey
$sql = 'UPDATE users SET resetkey = ? WHERE id = ? '.$whereclause.'';
$stmt = $pdo->prepare($sql);
$stmt->execute([$resetkey,$id]);
//STEP 3 - Send to user
include_once './assets/mail/email_template_reset.php';
send_mail($user_data['email'],$subject,$message,'','');
}
$accounthierarchy = json_encode($account, JSON_UNESCAPED_UNICODE);
//Create resetkey & tokens
$headers = array('alg'=>'HS256','typ'=>'JWT');
$payload = array('username'=>$post_content['username'], 'exp'=>(time() + 1800));
$post_content['service'] = (isset($post_content['service']) && $post_content['service'] == 1) ? bin2hex(random_bytes(25)) : '';
$post_content['userkey'] = (isset($post_content['userkey']) && $post_content['userkey'] == 1) ? bin2hex(random_bytes(25)) : '';
//ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE
if ($command == 'update'){
$post_content['partnerhierarchy'] = $accounthierarchy;
}
elseif ($command == 'insert'){
$post_content['resetkey'] = $resetkey = generate_jwt($headers, $payload);
$post_content['password'] = generate_jwt($headers, $payload);
$post_content['partnerhierarchy'] = $accounthierarchy;
$post_content['salesID'] = $partner->salesid;
}
else {
//do nothing
}
//CREAT NEW ARRAY AND MAP TO CLAUSE
if(isset($post_content) && $post_content!=''){
foreach ($post_content as $key => $var){
if ($key == 'submit' || $key == 'id' || str_contains($key, 'old_') || $key == 'salesid' || $key == 'soldto' || $key == 'shipto' || $key == 'location'){
//do nothing
}
else {
$criterias[$key] = $var;
$clause .= ' , '.$key.' = ?';
$clause_insert .= ' , '.$key.'';
$input_insert .= ', ?'; // ? for each insert item
$execute_input[]= $var; // Build array for input
}
}
}
//CLEAN UP INPUT
$clause = substr($clause, 2); //Clean clause - remove first comma
$clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
$input_insert = substr($input_insert, 1); //Clean clause - remove first comma
//QUERY AND VERIFY ALLOWED
if ($command == 'update' && (isAllowed('user',$profile,$permission,'U') === 1 || $owner_user === 1)){
$sql = 'UPDATE users SET '.$clause.' WHERE id = ? '.$whereclause.'';
$execute_input[] = $id;
$stmt = $pdo->prepare($sql);
$stmt->execute($execute_input);
//Update the username in all tables when changed
if ($post_content['username'] != $user_name_old){
$sql_like = '%'.$user_name_old.'%';
$sql1= 'UPDATE equipment SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql2= 'UPDATE communication SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql3= 'UPDATE contracts SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql4= 'UPDATE feedback SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql5= 'UPDATE history SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql6= 'UPDATE opportunities SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql7= 'UPDATE orders SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql8= 'UPDATE products SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql_users = 'UPDATE account SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
$sql_partner = 'UPDATE partner SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
//SQL_users
$stmt = $pdo->prepare($sql_users);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL_partners
$stmt = $pdo->prepare($sql_partner);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
$pdo = dbConnect($dbname);
//SQL1
$stmt = $pdo->prepare($sql1);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL2
$stmt = $pdo->prepare($sql2);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL3
$stmt = $pdo->prepare($sql3);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL4
$stmt = $pdo->prepare($sql4);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL5
$stmt = $pdo->prepare($sql5);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL6
$stmt = $pdo->prepare($sql6);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL7
$stmt = $pdo->prepare($sql7);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
//SQL8
$stmt = $pdo->prepare($sql8);
$stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
}
}
elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1){
//check if user exists
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
$stmt->execute([$post_content['username']]);
$user_exist = $stmt->fetch();
$exists = (isset($user_exist['username']))? 1 : 0;
if($user_exist == 0 ){
$sql = 'INSERT INTO users ('.$clause_insert.') VALUES ('.$input_insert.')';
$stmt = $pdo->prepare($sql);
$stmt->execute($execute_input);
//STEP 2- Send to user
include_once './assets/mail/email_template_new.php';
send_mail($post_content['email'],$subject,$message,'','');
} else {
//------------------------------------------
//JSON_ENCODE
//------------------------------------------
$messages = json_encode($exists, JSON_UNESCAPED_UNICODE);
//Send results
echo $messages;
}
}
elseif ($command == 'delete' && isAllowed('user',$profile,$permission,'D') === 1){
//delete equipment
$stmt = $pdo->prepare('DELETE FROM users WHERE id = ? '.$whereclause.'');
$stmt->execute([ $id ]);
//Add deletion to changelog
changelog($dbname,'users',$id,'Delete','Delete',$username);
} else
{
//do nothing
}
?>
Reference in New Issue View Git Blame Copy Permalink