From be892b007d0d8eb03e583d4376aab989700cc155 Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Mon, 3 Jul 2017 03:27:08 -0600 Subject: [PATCH] Make widgets disappear if the user doesn't have permission to use them --- apps/inventory_link.php | 5 ++ apps/qwikclock_inout.php | 16 +++++- apps/sync_mobile.php | 100 ++++++++++++++++++------------------ apps/taskfloor_messages.php | 13 ++++- apps/taskfloor_tasks.php | 13 ++++- home.php | 13 ++++- 6 files changed, 105 insertions(+), 55 deletions(-) diff --git a/apps/inventory_link.php b/apps/inventory_link.php index df41d70..70889ac 100644 --- a/apps/inventory_link.php +++ b/apps/inventory_link.php @@ -12,4 +12,9 @@ $APPS["inventory_link"]["icon"] = "cubes"; $APPS["inventory_link"]["type"] = "teal"; $content = "

" . lang("open inventory system", false) . '

' . lang("open app", false) . '  '; $APPS["inventory_link"]["content"] = $content; + +require_once __DIR__ . "/../lib/login.php"; +if (account_has_permission($_SESSION['username'], "INV_VIEW") !== true) { + unset($APPS['inventory_link']); +} ?> \ No newline at end of file diff --git a/apps/qwikclock_inout.php b/apps/qwikclock_inout.php index 5458891..50ddc7d 100644 --- a/apps/qwikclock_inout.php +++ b/apps/qwikclock_inout.php @@ -1,10 +1,12 @@ [ "qwikclock" => "QwikClock", "punch in" => "Punch in", - "punch out" => "Punch out" + "punch out" => "Punch out", + "permission denied" => "You do not have permission to do that." ] ]); $APPS["qwikclock_inout"]["i18n"] = TRUE; @@ -12,6 +14,9 @@ $APPS["qwikclock_inout"]["title"] = "qwikclock"; $APPS["qwikclock_inout"]["icon"] = "clock-o"; $APPS["qwikclock_inout"]["type"] = "blue"; $content = ""; + +use GuzzleHttp\Exception\ClientException; + if (!is_empty($_GET['qwikclock']) && ($_GET['qwikclock'] === "punchin" || $_GET['qwikclock'] === "punchout")) { try { $client = new GuzzleHttp\Client(); @@ -28,6 +33,10 @@ if (!is_empty($_GET['qwikclock']) && ($_GET['qwikclock'] === "punchin" || $_GET[ } else { $content = "
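Review bot: The `account_has_permission($_SESSION['username'], "INV_VIEW")` check added at the end of apps/inventory_link.php only removes the widget from `$APPS`, and nothing in the hunk says so, so a later reader could mistake it for the access control on the inventory system. I would add a comment above it: `// Display-only: hides the widget for users without INV_VIEW; the inventory app must enforce the permission itself.` The same comment fits the equivalent check added at the end of apps/qwikclock_inout.php. The file's first eleven lines are outside the hunk, so whether a login guard runs before `$_SESSION['username']` is read cannot be confirmed here.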
" . $resp['msg'] . "
"; } + } catch (ClientException $e) { + if ($e->getResponse()->getStatusCode() == 403) { + $content = "
" . lang("permission denied", false) . "
"; + } } catch (Exception $e) { $content = "
" . lang("error loading widget", false) . " " . $e->getMessage() . "
"; } @@ -40,4 +49,9 @@ $content .= <<' . lang("open app", false) . '  '; $APPS["qwikclock_inout"]["content"] = $content; + + +if (account_has_permission($_SESSION['username'], "QWIKCLOCK") !== true) { + unset($APPS['qwikclock_inout']); +} ?> \ No newline at end of file diff --git a/apps/sync_mobile.php b/apps/sync_mobile.php index 549656a..98fe01f 100644 --- a/apps/sync_mobile.php +++ b/apps/sync_mobile.php 
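Review bot: A `ClientException` whose status is not 403 is silently dropped by the new catch in apps/qwikclock_inout.php. The `if` has no `else`, and because this catch already matched, the following `catch (Exception $e)` never runs, so any other 4xx from the punch request leaves `$content` without an error message. Add an `else` branch that sets the same "error loading widget" message the generic catch uses. The same gap is in the `ClientException` catches added to apps/taskfloor_messages.php and apps/taskfloor_tasks.php, where, as far as the hunks show, a non-403 client error leaves the `$APPS` entry with a title and icon but no `content` key.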
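Review bot: The `QWIKCLOCK` permission check is added at the very end of apps/qwikclock_inout.php, after the `$_GET['qwikclock']` block earlier in the file has already sent the punch-in/punch-out request. For a user without the permission, the only thing stopping the punch is therefore the QwikClock API answering 403. Gate the request locally as well, either by moving the check above that block or by extending its condition: `if (account_has_permission($_SESSION['username'], "QWIKCLOCK") === true && !is_empty($_GET['qwikclock']) && ($_GET['qwikclock'] === "punchin" || $_GET['qwikclock'] === "punchout")) {`. The request body lies outside the visible hunks, so what identity it sends to the API is not shown here.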
@@ -4,64 +4,65 @@ dieifnotloggedin(); use Endroid\QrCode\QrCode; -addMultiLangStrings(["en_us" => [ - "sync mobile" => "Sync Mobile App", - "scan sync qrcode" => "Scan this code with the mobile app or enter the code manually.", - "sync explained" => "Access your account and apps on the go. Use a sync code to securely connect your phone or tablet to Portal with the Netsyms Business mobile app.", - "generate sync" => "Create new sync code", - "active sync codes" => "Active codes", - "no active codes" => "No active codes.", - "done adding sync code" => "Done adding code" - ] -]); +if (MOBILE_ENABLED) { + addMultiLangStrings(["en_us" => [ + "sync mobile" => "Sync Mobile App", + "scan sync qrcode" => "Scan this code with the mobile app or enter the code manually.", + "sync explained" => "Access your account and apps on the go. Use a sync code to securely connect your phone or tablet to Portal with the Netsyms Business mobile app.", + "generate sync" => "Create new sync code", + "active sync codes" => "Active codes", + "no active codes" => "No active codes.", + "done adding sync code" => "Done adding code" + ] + ]); -$APPS["sync_mobile"]["title"] = lang("sync mobile", false); -$APPS["sync_mobile"]["icon"] = "mobile"; + $APPS["sync_mobile"]["title"] = lang("sync mobile", false); + $APPS["sync_mobile"]["icon"] = "mobile"; -if (!is_empty($_GET['delsynccode'])) { - if ($database->has("mobile_codes", ["AND" => ["uid" => $_SESSION['uid'], "codeid" => $_GET['delsynccode']]])) { - $database->delete("mobile_codes", ["AND" => ["uid" => $_SESSION['uid'], "codeid" => $_GET['delsynccode']]]); + if (!is_empty($_GET['delsynccode'])) { + if ($database->has("mobile_codes", ["AND" => ["uid" => $_SESSION['uid'], "codeid" => $_GET['delsynccode']]])) { + $database->delete("mobile_codes", ["AND" => ["uid" => $_SESSION['uid'], "codeid" => $_GET['delsynccode']]]); + } } -} -if ($_GET['mobilecode'] == "generate") { - if (!is_empty($_GET['showsynccode']) && $database->has("mobile_codes", ["AND" 
=> ["uid" => $_SESSION['uid'], "codeid" => $_GET['showsynccode']]])) { - $code = $database->get("mobile_codes", 'code', ["AND" => ["uid" => $_SESSION['uid'], "codeid" => $_GET['showsynccode']]]); - } else { - $code = strtoupper(substr(md5(mt_rand() . uniqid("", true)), 0, 20)); - $database->insert('mobile_codes', ['uid' => $_SESSION['uid'], 'code' => $code]); - } - $url = URL . "mobile/index.php"; - $encodedurl = str_replace("/", "\\", $url); - $codeuri = "bizsync://" . $encodedurl . "/" . $_SESSION['username'] . "/" . $code; - $qrCode = new QrCode($codeuri); - $qrCode->setSize(200); - $qrCode->setErrorCorrection("H"); - $qrcode = $qrCode->getDataUri(); - $chunk_code = trim(chunk_split($code, 5, ' ')); - $lang_done = lang("done adding sync code", false); - $APPS["sync_mobile"]["content"] = '
' . lang("scan sync qrcode", false) . '
' . <<has("mobile_codes", ["AND" => ["uid" => $_SESSION['uid'], "codeid" => $_GET['showsynccode']]])) { + $code = $database->get("mobile_codes", 'code', ["AND" => ["uid" => $_SESSION['uid'], "codeid" => $_GET['showsynccode']]]); + } else { + $code = strtoupper(substr(md5(mt_rand() . uniqid("", true)), 0, 20)); + $database->insert('mobile_codes', ['uid' => $_SESSION['uid'], 'code' => $code]); + } + $url = URL . "mobile/index.php"; + $encodedurl = str_replace("/", "\\", $url); + $codeuri = "bizsync://" . $encodedurl . "/" . $_SESSION['username'] . "/" . $code; + $qrCode = new QrCode($codeuri); + $qrCode->setSize(200); + $qrCode->setErrorCorrection("H"); + $qrcode = $qrCode->getDataUri(); + $chunk_code = trim(chunk_split($code, 5, ' ')); + $lang_done = lang("done adding sync code", false); + $APPS["sync_mobile"]["content"] = '
' . lang("scan sync qrcode", false) . '
' . <<
$chunk_code
$url
$lang_done END; -} else { - $activecodes = $database->select("mobile_codes", ["codeid", "code"], ["uid" => $_SESSION['uid']]); - $content = '
' . lang("sync explained", false) . '
' - . '' - . lang("generate sync", false) . ''; - $content .= "
" . lang("active sync codes", false) . ":
"; - $content .= "
"; - if (count($activecodes) > 0) { - foreach ($activecodes as $c) { - $content .= "
" . trim(chunk_split($c['code'], 5, ' ')) . "
"; - } } else { - $content .= "
" . lang("no active codes", false) . "
"; - } - $content .= "
"; - $content .= <<select("mobile_codes", ["codeid", "code"], ["uid" => $_SESSION['uid']]); + $content = '
' . lang("sync explained", false) . '
' + . '' + . lang("generate sync", false) . ''; + $content .= "
" . lang("active sync codes", false) . ":
"; + $content .= "
"; + if (count($activecodes) > 0) { + foreach ($activecodes as $c) { + $content .= "
" . trim(chunk_split($c['code'], 5, ' ')) . "
"; + } + } else { + $content .= "
" . lang("no active codes", false) . "
"; + } + $content .= "
"; + $content .= << .mobilekey { display: flex; @@ -70,5 +71,6 @@ END; } END; - $APPS["sync_mobile"]["content"] = $content; + $APPS["sync_mobile"]["content"] = $content; + } } \ No newline at end of file diff --git a/apps/taskfloor_messages.php b/apps/taskfloor_messages.php index d2706b4..e40900c 100644 --- a/apps/taskfloor_messages.php +++ b/apps/taskfloor_messages.php @@ -10,6 +10,9 @@ $APPS["taskfloor_messages"]["i18n"] = TRUE; $APPS["taskfloor_messages"]["title"] = "messages"; $APPS["taskfloor_messages"]["icon"] = "comments"; $APPS["taskfloor_messages"]["type"] = "deep-purple"; + +use GuzzleHttp\Exception\ClientException; + try { $client = new GuzzleHttp\Client(); @@ -46,9 +49,15 @@ END; $content = "
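Review bot: The sync code on the re-indented line `$code = strtoupper(substr(md5(mt_rand() . uniqid("", true)), 0, 20));` in apps/sync_mobile.php is derived from `mt_rand()` and `uniqid()`, neither of which is a cryptographic source. The widget's own text describes this code as what securely connects a phone or tablet to the account. Since the commit rewrites the line anyway, it could become `$code = strtoupper(bin2hex(random_bytes(10)));`, which keeps the 20-character uppercase hex format (needs PHP 7 or later; the target version is not visible here). In the same hunk, `delsynccode` and `mobilecode=generate` change stored state from plain GET parameters with no request token visible, which is worth a follow-up.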
" . lang("no messages", false) . "
"; } } + $content .= '' . lang("open app", false) . '  '; + $APPS["taskfloor_messages"]["content"] = $content; +} catch (ClientException $e) { + if ($e->getResponse()->getStatusCode() == 403) { + unset($APPS['taskfloor_messages']); + } } catch (Exception $e) { $content = "
" . lang("error loading widget", false) . " " . $e->getMessage() . "
"; + $content .= '' . lang("open app", false) . '  '; + $APPS["taskfloor_messages"]["content"] = $content; } -$content .= '' . lang("open app", false) . '  '; -$APPS["taskfloor_messages"]["content"] = $content; ?> \ No newline at end of file diff --git a/apps/taskfloor_tasks.php b/apps/taskfloor_tasks.php index d9746e2..860f8c6 100644 --- a/apps/taskfloor_tasks.php +++ b/apps/taskfloor_tasks.php @@ -10,6 +10,9 @@ $APPS["taskfloor_tasks"]["i18n"] = TRUE; $APPS["taskfloor_tasks"]["title"] = "tasks"; $APPS["taskfloor_tasks"]["icon"] = "tasks"; $APPS["taskfloor_tasks"]["type"] = "blue-grey"; + +use GuzzleHttp\Exception\ClientException; + try { $client = new GuzzleHttp\Client(); @@ -34,9 +37,15 @@ try { $content = "
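Review bot: The `catch (Exception $e)` branch that this hunk extends in apps/taskfloor_messages.php still concatenates `$e->getMessage()` into the widget HTML unescaped. Guzzle request exceptions typically include the request URL and part of the response body in that message, so a backend failure can show internal API addresses to the user and put unescaped markup into the page. Log the message server-side and render only `lang("error loading widget", false)`, or at least wrap it as `htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')`. The same applies to the matching catch blocks in apps/taskfloor_tasks.php and apps/qwikclock_inout.php.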
" . lang("no tasks found", false) . "
"; } } + $content .= '' . lang("open app", false) . '  '; + $APPS["taskfloor_tasks"]["content"] = $content; +} catch (ClientException $e) { + if ($e->getResponse()->getStatusCode() == 403) { + unset($APPS['taskfloor_tasks']); + } } catch (Exception $e) { $content = "
" . lang("error loading widget", false) . " " . $e->getMessage() . "
"; + $content .= '' . lang("open app", false) . '  '; + $APPS["taskfloor_tasks"]["content"] = $content; } -$content .= '' . lang("open app", false) . '  '; -$APPS["taskfloor_tasks"]["content"] = $content; ?> \ No newline at end of file diff --git a/home.php b/home.php index 6abd49a..3d602f9 100644 --- a/home.php +++ b/home.php @@ -156,7 +156,15 @@ END;