From 69c634ea9945b0de816c1d46dfdb86d9bedb68e1 Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Mon, 31 Dec 2018 14:14:00 -0700 Subject: [PATCH 1/8] Add checkbox to form builder --- lib/FormBuilder.lib.php | 47 ++++++++++++++++++++++++++++------------- pages/form.php | 1 + 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/lib/FormBuilder.lib.php b/lib/FormBuilder.lib.php index fddbff2..a07919b 100644 --- a/lib/FormBuilder.lib.php +++ b/lib/FormBuilder.lib.php @@ -173,33 +173,50 @@ HTMLTOP; $required = $item["required"] ? "required" : ""; $id = empty($item["id"]) ? "" : "id=\"$item[id]\""; $pattern = empty($item["pattern"]) ? "" : "pattern=\"$item[pattern]\""; - + if (empty($item['type'])) { + $item['type'] = "text"; + } $itemhtml = ""; + $itemlabel = ""; + if ($item['type'] != "checkbox") { + $itemlabel = ""; + } $itemhtml .= <<
- + $itemlabel
ITEMTOP; - if (empty($item['type']) || $item['type'] != "select") { - $itemhtml .= << -INPUT; - } else { - $itemhtml .= <<"; + $itemhtml .= "\n "; + break; + case "checkbox": + $itemhtml .= << + + +
+CHECKBOX; + break; + default: + $itemhtml .= << +INPUT; + break; } if (!empty($item["error"])) { diff --git a/pages/form.php b/pages/form.php index 7cd7fdd..3a9cc52 100644 --- a/pages/form.php +++ b/pages/form.php @@ -18,6 +18,7 @@ $form->addHiddenInput("page", "form"); $form->addInput("name", "John", "text", true, null, null, "Your name", "fas fa-user", 6, 5, 20, "John(ny)?|Steve", "Invalid name, please enter John, Johnny, or Steve."); $form->addInput("location", "", "select", true, null, ["1" => "Here", "2" => "There"], "Location", "fas fa-map-marker"); +$form->addInput("box", "1", "checkbox", true, null, null, "I agree to the terms of service"); $form->addButton("Submit", "fas fa-save", null, "submit", "savebtn"); From 892102528b7f577faa5df294efc0c6647d3ff1be Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Mon, 31 Dec 2018 14:22:14 -0700 Subject: [PATCH 2/8] Strip tags from aria-label --- lib/FormBuilder.lib.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/FormBuilder.lib.php b/lib/FormBuilder.lib.php index a07919b..35e8fe3 100644 --- a/lib/FormBuilder.lib.php +++ b/lib/FormBuilder.lib.php @@ -181,6 +181,7 @@ HTMLTOP; if ($item['type'] != "checkbox") { $itemlabel = ""; } + $strippedlabel = strip_tags($item['label']); $itemhtml .= <<
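Review bot: The new type guard `if ($item['type'] != "checkbox") {` compares loosely, and the `switch ($item['type'])` it feeds does too; `$item['type']` has just been defaulted to the string `"text"`, so `if ($item['type'] !== "checkbox") {` states the intent exactly and sidesteps PHP's string/number coercion rules. The heredoc bodies of the select, checkbox and default branches are not legible in this view, so I cannot tell whether the checkbox markup escapes the value it interpolates; the existing `$id`/`$pattern` lines above this hunk interpolate `$item[id]` and `$item[pattern]` unescaped, so it is worth confirming the new branch does not inherit that pattern. The enclosing method starts before the hunk and continues after it.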
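Review bot: `$strippedlabel = strip_tags($item['label']);` removes tags but is not an attribute escape, so a `"` or `&` in the label still terminates the `aria-label="…"` attribute this value is presumably interpolated into in the following hunks (their heredoc bodies are not legible here). Since the visible label is allowed to carry markup while the attribute copy must not, escape the stripped text for the attribute context: `$strippedlabel = htmlspecialchars(strip_tags($item['label']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. `strip_tags` also keeps the text of removed elements and does not decode entities, so a one-line comment such as `// plain-text copy of the label for aria-label, escaped for attribute context` would document what this variable is for.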
@@ -193,7 +194,7 @@ ITEMTOP; switch ($item['type']) { case "select": $itemhtml .= << SELECT; foreach ($item['options'] as $value => $label) { $selected = ""; @@ -207,14 +208,14 @@ SELECT; case "checkbox": $itemhtml .= << - +
CHECKBOX; break; default: $itemhtml .= << +\n INPUT; break; }
From b2509086637e7f79788996f84802071d7c83c1a0 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Wed, 2 Jan 2019 23:51:47 -0700
Subject: [PATCH 3/8] Add more permissions checks
---
 mobile/index.php | 17 +++++++----------
 required.php | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/mobile/index.php b/mobile/index.php
index dbb10f3..5b14cbc 100644
--- a/mobile/index.php
+++ b/mobile/index.php
@@ -8,10 +8,6 @@
 * Mobile app API
 */
-// The name of the permission needed to log in.
-// Set to null if you don't need it.
-$access_permission = null;
-
 require __DIR__ . "/../required.php";
 header('Content-Type: application/json');
@@ -70,13 +66,14 @@ switch ($VARS['action']) {
 if ($user->exists()) {
 if ($user->getStatus()->getString() == "NORMAL") {
 if ($user->checkPassword($VARS['password'])) {
- if (is_null($access_permission) || $user->hasPermission($access_permission)) {
- Session::start($user);
- $_SESSION['mobile'] = true;
- exit(json_encode(["status" => "OK"]));
- } else {
- exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no admin permission", false)]));
+ foreach ($SETTINGS['permissions'] as $perm) {
+ if (!$user->hasPermission($perm)) {
+ exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)]));
+ }
 }
+ Session::start($user);
+ $_SESSION['mobile'] = true;
+ exit(json_encode(["status" => "OK"]));
 }
 }
 }
diff --git a/required.php b/required.php
index 3cfa346..45be1df 100644
--- a/required.php
+++ b/required.php
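Review bot: The new `foreach ($SETTINGS['permissions'] as $perm)` loop fails open when the `permissions` key is absent or not an array: PHP emits a warning for `foreach` over a non-iterable and runs zero iterations, so `Session::start($user)` is reached with no permission check at all, which is weaker than the `is_null($access_permission)` branch it replaces. The same shape is repeated in both `required.php` hunks of this patch (`dieifnotloggedin` and `redirectIfNotLoggedIn`). Read the list once with an explicit type check and reject the login when the setting is malformed, e.g. `$required = $SETTINGS['permissions'] ?? null; if (!is_array($required)) { exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)])); }`, then iterate `$required`. The message key also changes from `"no admin permission"` to `"no permission"`; the translation files under `langs` are not part of this series, so confirm the new key exists there.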
@@ -131,11 +131,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 define("GET", true);
 }
-
 function dieifnotloggedin() {
 if ($_SESSION['loggedin'] != true) {
 sendError("Session expired. Please log out and log in again.");
 }
+ $user = new User($_SESSION['uid']);
+ foreach ($SETTINGS['permissions'] as $perm) {
+ if (!$user->hasPermission($perm)) {
+ session_destroy();
+ die("You don't have permission to be here.");
+ }
+ }
 }
 /**
@@ -160,4 +166,12 @@ function redirectIfNotLoggedIn() {
 header('Location: ' . $SETTINGS['url'] . '/index.php');
 die();
 }
+ $user = new User($_SESSION['uid']);
+ foreach ($SETTINGS['permissions'] as $perm) {
+ if (!$user->hasPermission($perm)) {
+ session_destroy();
+ header('Location: ./index.php');
+ die("You don't have permission to be here.");
+ }
+ }
 }
From 7531dc362d15b8b1db49c659500b529d2bf835b2 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Wed, 2 Jan 2019 23:54:53 -0700
Subject: [PATCH 4/8] Whoops
---
 required.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/required.php b/required.php
index 45be1df..b89147b 100644
--- a/required.php
+++ b/required.php
@@ -132,6 +132,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 }
 function dieifnotloggedin() {
+ global $SETTINGS;
 if ($_SESSION['loggedin'] != true) {
 sendError("Session expired. Please log out and log in again.");
 }
@@ -162,6 +163,7 @@ function checkDBError($specials = []) {
 }
 function redirectIfNotLoggedIn() {
+ global $SETTINGS;
 if ($_SESSION['loggedin'] !== TRUE) {
 header('Location: ' . $SETTINGS['url'] . '/index.php');
 die();
From 3ed75822a15a0e75972eda53a1f1c2f912fa4f69 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Thu, 3 Jan 2019 00:13:41 -0700
Subject: [PATCH 5/8] Update license and readme
---
 LICENSE.md | 18 +++---------------
 README.md | 13 +++++++++----
 2 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/LICENSE.md b/LICENSE.md
index 63a11e3..56351c0 100644
--- a/LICENSE.md
+++ b/LICENSE.md 
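Review bot: In `redirectIfNotLoggedIn` the new permission-failure branch redirects to the relative `./index.php`, while the not-logged-in branch three lines above uses the absolute `$SETTINGS['url'] . '/index.php'`; a relative `Location` resolves against the requesting URL, so a page served from a subdirectory such as `mobile/` or `api/` would be sent to a path that does not exist. Use the same absolute target: `header('Location: ' . $SETTINGS['url'] . '/index.php');`. The user lookup and permission loop are now duplicated verbatim in `dieifnotloggedin`, `redirectIfNotLoggedIn` and `mobile/index.php`; a single helper (say, `userHasRequiredPermissions(User $user): bool`, name to be chosen) would keep the three checks from drifting apart, and a `/** Ends the request unless the session user holds every permission listed in $SETTINGS['permissions']. */` docblock on each caller would document the new contract.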
@@ -1,19 +1,7 @@ -Copyright (c) 2018 Netsyms Technologies. +Copyright (c) 2017-2019 Netsyms Technologies. Some rights reserved. -If you modify and redistribute this project, you must replace the branding -assets with your own. - -The branding assets include: - * the application icon - * the Netsyms N punchcard logo - * the Netsyms for Business graph logo - -If you are unsure if your usage is allowed, please contact us: -https://netsyms.com/contact -legal@netsyms.com - -All other portions of this application, -unless otherwise noted (in comments, headers, etc), are licensed as follows: +Licensed under the Mozilla Public License Version 2.0. Files without MPL header +comments, including third party code, may be under a different license. Mozilla Public License Version 2.0 ================================== diff --git a/README.md b/README.md index 5c109cc..07c89a7 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,10 @@ Program Structure ----------------- ### Folders +* api + An API framework. See api/apisettings.php below. +* api/actions + A place to put your API actions. * langs Translations and alert messages. The language files that are loaded depends on the value of `LANGUAGE` in `settings.php`. @@ -22,7 +26,7 @@ Program Structure The app checks before loading, so it will give a friendly 404 error if it doesn't find your page. Woe to you if you delete `home.php` or `404.php`, as those are assumed to exist for fallback behavior. * static - CSS, JS, fonts, images... + CSS, JavaScript, fonts, images... * vendor If you don't know what this is about, or you don't have it, you need to read up on Composer. Right now. 
@@ -41,11 +45,12 @@ Program Structure Read through it to see exactly what it does. * action.php A good place to put form handling code. By default it only handles logging out, but is easily expanded. +* api/apisettings.php + An array of API actions. Validates any variables required by your actions before running them. See https://source.netsyms.com/Apps/NotePost/src/branch/master/api/apisettings.php for a full example of its capabilities. * api.php - Similar to action.php, but designed for user/pass authenticated JSON responses. + Legacy shim for code that still expects the API endpoint to be here. * index.php - Login page and handler. Hands off to `app.php` after authenticating user. - It includes 2fa support, by the way. + Handles login and checking permissions. * app.php Main app page after login. Handles loading app pages and 404 errors. Redirects to `index.php` if the user is not logged in. From e66280e07a4015839ec049673d3a38453932866d Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Fri, 4 Jan 2019 17:29:08 -0700 Subject: [PATCH 6/8] FormBuilder: add d-flex to footer --- lib/FormBuilder.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/FormBuilder.lib.php b/lib/FormBuilder.lib.php index 35e8fe3..fa12936 100644 --- a/lib/FormBuilder.lib.php +++ b/lib/FormBuilder.lib.php @@ -242,7 +242,7 @@ ITEMBOTTOM; HTMLBOTTOM; if (!empty($this->buttons)) { - $html .= "\n
"; + $html .= "\n +\n
\n ITEMBOTTOM; $html .= $itemhtml; diff --git a/pages/form.php b/pages/form.php index 3a9cc52..d047a5f 100644 --- a/pages/form.php +++ b/pages/form.php @@ -18,6 +18,7 @@ $form->addHiddenInput("page", "form"); $form->addInput("name", "John", "text", true, null, null, "Your name", "fas fa-user", 6, 5, 20, "John(ny)?|Steve", "Invalid name, please enter John, Johnny, or Steve."); $form->addInput("location", "", "select", true, null, ["1" => "Here", "2" => "There"], "Location", "fas fa-map-marker"); +$form->addInput("textbox", "Hello world", "textarea", true, null, null, "Text area", "fas fa-font"); $form->addInput("box", "1", "checkbox", true, null, null, "I agree to the terms of service"); $form->addButton("Submit", "fas fa-save", null, "submit", "savebtn"); From 7d30251cd60310bcbb13c33b1d5aeddcfa6a554c Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Mon, 7 Jan 2019 22:18:02 -0700 Subject: [PATCH 8/8] Add CORS header to API --- api/index.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/api/index.php b/api/index.php index 8875860..23cb28c 100644 --- a/api/index.php +++ b/api/index.php @@ -10,6 +10,8 @@ require __DIR__ . '/../required.php'; require __DIR__ . '/functions.php'; require __DIR__ . '/apisettings.php'; +header("Access-Control-Allow-Origin: *"); + $VARS = $_GET; if ($_SERVER['REQUEST_METHOD'] != "GET") { $VARS = array_merge($VARS, $_POST);
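Review bot: `header("Access-Control-Allow-Origin: *");` is emitted unconditionally, before any part of the request is validated, which opts every API response into cross-origin reads from any web page. Because the wildcard cannot be combined with credentials, browsers will not attach the session cookie on such calls, so what is exposed is whatever the API returns to unauthenticated or credentials-in-request callers; that reasoning belongs next to the header, e.g. `// Wildcard CORS: responses are readable from any origin. Browsers send no cookies with '*', so session-based auth is not reachable cross-origin.`. If the API is meant for specific front ends, prefer echoing an origin from an allow-list kept in `$SETTINGS` (key name to be chosen) instead of `*`, and handle the `OPTIONS` preflight explicitly, since the `$_SERVER['REQUEST_METHOD'] != "GET"` branch below would otherwise let a preflight fall through to the same handling as a POST.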