 /**
  * Renders the AJAXChat index template.
  *
  * Builds the base URL from the configured site_URL (with any trailing
  * "index.php" stripped) and hands the chat stylesheet and chat entry-point
  * URLs to the viewer.
  *
  * @param Vtiger_Request $request
  */
 public function process(Vtiger_Request $request)
 {
     $baseUrl = str_replace('index.php', '', AppConfig::main('site_URL'));
     $viewer = $this->getViewer($request);
     $cssPath = Yeti_Layout::getLayoutFile('modules/AJAXChat/Chat.css');
     $viewer->assign('URLCSS', $baseUrl . $cssPath);
     $viewer->assign('URL', $baseUrl . 'libraries/AJAXChat/index.php');
     $viewer->view('Index.tpl', 'AJAXChat');
 }
 /**
  * Resolves a layout-relative file name to a path under the layouts directory.
  *
  * The configured defaultLayout is tried first; when the file does not exist
  * there, the path under the viewer's default layout is returned without an
  * existence check.
  *
  * @param string $name path relative to a layout directory
  * @return string path relative to the application root
  */
 public static function getLayoutFile($name)
 {
     $preferred = 'layouts/' . AppConfig::main('defaultLayout') . '/' . $name;
     if (is_file(Vtiger_Loader::resolveNameToPath('~' . $preferred))) {
         return $preferred;
     }
     return 'layouts/' . Vtiger_Viewer::getDefaultLayoutName() . '/' . $name;
 }
 /**
  * Renders the login page.
  *
  * Passes module/version information, the login-view language and layout
  * switches, and the status/error parameters of the request to the template.
  * The ERROR/FPERROR/STATUS/STATUS_ERROR values come straight from the
  * request, so the template is expected to escape them.
  *
  * @param Vtiger_Request $request
  */
 public function process(Vtiger_Request $request)
 {
     $viewer = $this->getViewer($request);
     $moduleName = $request->getModule();
     $templateVars = [
         'MODULE' => $moduleName,
         'ENABLED_MOBILE_MODULE' => in_array('mobileModule', vglobal('enabledServices')),
         'CURRENT_VERSION' => vglobal('YetiForce_current_version'),
         'LANGUAGE_SELECTION' => AppConfig::main('langInLoginView'),
         'LAYOUT_SELECTION' => AppConfig::main('layoutInLoginView'),
         'ERROR' => $request->get('error'),
         'FPERROR' => $request->get('fpError'),
         'STATUS' => $request->get('status'),
         'STATUS_ERROR' => $request->get('statusError'),
     ];
     foreach ($templateVars as $name => $value) {
         $viewer->assign($name, $value);
     }
     $viewer->view('Login.tpl', 'Users');
 }
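 /**
  * Checks that a file path resolves to a location inside the application root directory.
  *
  * The root is AppConfig::main('root_directory'), falling back to the directory two
  * levels above this file. Both paths are normalised to forward slashes and compared
  * as directory prefixes (trailing separator on both sides), so a sibling directory
  * whose name merely starts with the root name (root "/srv/app" vs "/srv/app2/...")
  * is rejected. The comparison stays case-insensitive, as in the original code.
  *
  * @param string $filepath path to check; resolved with realpath(), so it has to exist
  * @param bool $dieOnFail when true a failed check is logged and an AppException is thrown
  * @return bool true if the path lies inside the root directory, false otherwise
  * @throws AppException when the check fails and $dieOnFail is true
  */
 static function checkFileAccess($filepath, $dieOnFail = true)
 {
     // Set the base directory to compare with
     $use_root_directory = AppConfig::main('root_directory');
     if (empty($use_root_directory)) {
         $use_root_directory = realpath(dirname(__FILE__) . '/../../.');
     }
     // realpath() returns false for a missing file or unresolvable path; that counts as outside the root
     $realfilepath = realpath($filepath);
     $insideRoot = false;
     if ($realfilepath !== false) {
         /** Replace all \\ with \ first */
         $realfilepath = str_replace('\\\\', '\\', $realfilepath);
         $rootdirpath = str_replace('\\\\', '\\', $use_root_directory);
         /** Replace all \ with / now */
         $realfilepath = str_replace('\\', '/', $realfilepath);
         $rootdirpath = str_replace('\\', '/', $rootdirpath);
         // Compare with a trailing separator so the prefix match ends on a directory boundary
         $rootdirpath = rtrim($rootdirpath, '/') . '/';
         $insideRoot = stripos(rtrim($realfilepath, '/') . '/', $rootdirpath) === 0;
     }
     if (!$insideRoot) {
         if ($dieOnFail) {
             $log = LoggerManager::getInstance();
             $log->error(__CLASS__ . ':' . __FUNCTION__ . '(' . $filepath . ') - Sorry! Attempt to access restricted file. realfilepath: ' . print_r($realfilepath, true));
             throw new AppException('Sorry! Attempt to access restricted file.');
         }
         return false;
     }
     return true;
 }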
 /**
  * Renders the mail action bar for a message identified by uid/folder.
  *
  * The rcId request parameter is a mail-account hash; it is exchanged for the
  * account's user id before the message is looked up, and an unknown hash is
  * rejected with NoPermittedException.
  *
  * @param Vtiger_Request $request
  * @throws NoPermittedException when no account matches the rcId hash
  */
 public function process(Vtiger_Request $request)
 {
     $moduleName = $request->getModule();
     $uid = $request->get('uid');
     $folder = $request->get('folder');
     $accountHash = $request->get('rcId');
     $account = OSSMail_Record_Model::getAccountByHash($accountHash);
     if (!$account) {
         throw new NoPermittedException('LBL_PERMISSION_DENIED');
     }
     $mailViewModel = OSSMailView_Record_Model::getCleanInstance('OSSMailView');
     $record = $mailViewModel->checkMailExist($uid, $folder, $account['user_id']);
     $viewer = $this->getViewer($request);
     $viewer->assign('RECORD', $record);
     if ($record) {
         $viewer->assign('RELETED_RECORDS', $mailViewModel->getReletedRecords($record));
     }
     Vtiger_Module_Model::getModulesByLevel();
     $viewer->assign('MODULE_NAME', $moduleName);
     $viewer->assign('URL', AppConfig::main('site_URL'));
     $viewer->view('MailActionBar.tpl', $moduleName);
 }
 /**
  * Returns the configured site_URL with a trailing slash.
  *
  * A slash is appended only when the value does not already end with one;
  * existing trailing slashes are left untouched.
  *
  * @return string
  */
 function GetSite_URL()
 {
     $url = AppConfig::main('site_URL');
     $lastChar = substr($url, -1);
     return $lastChar !== '/' ? $url . '/' : $url;
 }
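 /**
  * Returns whether the file access is made within the vtiger root directory
  * and the file exists.
  *
  * The root is AppConfig::main('root_directory'), falling back to the directory two
  * levels above this file. Both paths are normalised to forward slashes and compared
  * as directory prefixes (trailing separator on both sides), so a sibling directory
  * whose name merely starts with the root name (root "/srv/app" vs "/srv/app2/...")
  * is rejected. The comparison stays case-insensitive, as in the original code.
  *
  * @param string $filepath relative path to the file which needs to be verified
  * @return bool true if the file exists inside the vtiger root directory, false otherwise
  */
 static function isFileAccessible($filepath)
 {
     // Set the base directory to compare with
     $use_root_directory = AppConfig::main('root_directory');
     if (empty($use_root_directory)) {
         $use_root_directory = realpath(dirname(__FILE__) . '/../../.');
     }
     // realpath() returns false for a missing file or unresolvable path; that counts as outside the root
     $realfilepath = realpath($filepath);
     if ($realfilepath === false) {
         return false;
     }
     /** Replace all \\ with \ first */
     $realfilepath = str_replace('\\\\', '\\', $realfilepath);
     $rootdirpath = str_replace('\\\\', '\\', $use_root_directory);
     /** Replace all \ with / now */
     $realfilepath = str_replace('\\', '/', $realfilepath);
     $rootdirpath = str_replace('\\', '/', $rootdirpath);
     // Compare with a trailing separator so the prefix match ends on a directory boundary
     $rootdirpath = rtrim($rootdirpath, '/') . '/';
     return stripos(rtrim($realfilepath, '/') . '/', $rootdirpath) === 0;
 }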
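 /**
  * Builds a human-readable backtrace of the current call stack.
  *
  * The first $ignore frames are dropped (by default this function and its caller)
  * and the remaining frames are numbered from zero. File names are shown relative
  * to AppConfig::main('root_directory'). Frames that carry no 'file'/'line' entry
  * (internal calls such as call_user_func) are printed with empty fields instead
  * of raising undefined-index notices.
  *
  * @param int $ignore number of leading frames to skip
  * @return string one line per frame, each terminated by PHP_EOL
  */
 public static function getBacktrace($ignore = 2)
 {
     $trace = '';
     $rootDirectory = rtrim(AppConfig::main('root_directory'), '/');
     foreach (debug_backtrace() as $k => $v) {
         if ($k < $ignore) {
             continue;
         }
         // 'file' and 'line' are not present for every frame
         $file = isset($v['file']) ? str_replace($rootDirectory . DIRECTORY_SEPARATOR, '', $v['file']) : '';
         $line = isset($v['line']) ? $v['line'] : '';
         $trace .= '#' . ($k - $ignore) . ' ' . (isset($v['class']) ? $v['class'] . '->' : '') . $v['function'] . '() in ' . $file . '(' . $line . '): ' . PHP_EOL;
     }
     return $trace;
 }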
 /**
  * Detect if the task was started but never finished.
  *
  * A running task counts as timed out once the current time is past its last
  * end (or its last start, when no end is recorded) plus the allowed execution
  * time. The allowance is PHP's max_execution_time, replaced by
  * AppConfig::main('maxExecutionCronTime') when that setting is 0.
  *
  * @return bool
  */
 function hadTimeout()
 {
     if (!$this->isRunning()) {
         return false;
     }
     $allowedSeconds = intval(ini_get('max_execution_time'));
     if ($allowedSeconds == 0) {
         $allowedSeconds = AppConfig::main('maxExecutionCronTime');
     }
     $referenceTime = $this->getLastEnd();
     if ($referenceTime == 0) {
         $referenceTime = $this->getLastStart();
     }
     return time() > $referenceTime + $allowedSeconds;
 }
 } else {
     // Run all service
     $cronTasks = Vtiger_Cron::listAllActiveInstances();
 }
 $cronStarts = date('Y-m-d H:i:s');
 //set global current user permissions
 $current_user = vglobal('current_user');
 $current_user = Users::getActiveAdminUser();
 echo sprintf('---------------  %s | Start CRON  ----------', date('Y-m-d H:i:s')) . PHP_EOL;
 foreach ($cronTasks as $cronTask) {
     try {
         // Timeout could happen if intermediate cron-tasks fails
         // and affect the next task. Which need to be handled in this cycle.
         if ($cronTask->hadTimeout()) {
             echo sprintf('%s | %s - Cron task had timedout as it was not completed last time it run' . PHP_EOL, date('Y-m-d H:i:s'), $cronTask->getName());
             if (AppConfig::main('unblockedTimeoutCronTasks')) {
                 $cronTask->unlockTask();
             }
         }
         // Not ready to run yet?
         if ($cronTask->isRunning()) {
             $log->fatal($cronTask->getName() . ' - Task omitted, it has not been finished during the last scanning');
             echo sprintf('%s | %s - Task omitted, it has not been finished during the last scanning' . PHP_EOL, date('Y-m-d H:i:s'), $cronTask->getName());
             continue;
         }
         // Not ready to run yet?
         if (!$cronTask->isRunnable()) {
             $log->info($cronTask->getName() . ' - Not ready to run as the time to run again is not completed');
             echo sprintf('%s | %s - Not ready to run as the time to run again is not completed' . PHP_EOL, date('Y-m-d H:i:s'), $cronTask->getName());
             continue;
         }
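 /**
  * Front-controller entry point.
  *
  * Boots logging, the session and the legacy globals, resolves the requested
  * module/view/action to a handler class, runs the CSRF, login and permission
  * checks around it and emits the handler's response. Every redirect issued here
  * (forceSSL, missing installation, not-permitted list views) terminates the
  * request right after the Location header, so no handler code runs on the
  * redirected request.
  *
  * @param Vtiger_Request $request
  */
 function process(Vtiger_Request $request)
 {
     $log = LoggerManager::getLogger('System');
     vglobal('log', $log);
     Vtiger_Session::init();
     if (AppConfig::main('forceSSL') && !Vtiger_Functions::getBrowserInfo()->https) {
         // NOTE(review): HTTP_HOST is supplied by the client; building the target from site_URL would avoid trusting it — confirm
         header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
         // Without this the plain-HTTP request would continue to be served below the redirect
         exit;
     }
     // Better place this here as session get initiated
     //skipping the csrf checking for the forgot(reset) password
     if (AppConfig::main('csrfProtection') && $request->get('mode') != 'reset' && $request->get('action') != 'Login') {
         require_once 'libraries/csrf-magic/csrf-magic.php';
         require_once 'config/csrf_config.php';
     }
     // TODO - Get rid of global variable $current_user
     // common utils api called, depend on this variable right now
     $currentUser = $this->getLogin();
     vglobal('current_user', $currentUser);
     $currentLanguage = Vtiger_Language_Handler::getLanguage();
     vglobal('current_language', $currentLanguage);
     $module = $request->getModule();
     $qualifiedModuleName = $request->getModule(false);
     if ($currentUser && $qualifiedModuleName) {
         $moduleLanguageStrings = Vtiger_Language_Handler::getModuleStringsFromFile($currentLanguage, $qualifiedModuleName);
         vglobal('mod_strings', $moduleLanguageStrings['languageStrings']);
     }
     if ($currentUser) {
         $moduleLanguageStrings = Vtiger_Language_Handler::getModuleStringsFromFile($currentLanguage);
         vglobal('app_strings', $moduleLanguageStrings['languageStrings']);
     }
     $view = $request->get('view');
     $action = $request->get('action');
     $response = false;
     try {
         if ($this->isInstalled() === false && $module != 'Install') {
             header('Location:install/Install.php');
             exit;
         }
         // No module given: pick the landing page depending on login state and default_module
         if (empty($module)) {
             if ($this->hasLogin()) {
                 $defaultModule = AppConfig::main('default_module');
                 if (!empty($defaultModule) && $defaultModule != 'Home') {
                     $module = $defaultModule;
                     $qualifiedModuleName = $defaultModule;
                     $view = 'List';
                     if ($module == 'Calendar') {
                         // To load MyCalendar instead of list view for calendar
                         //TODO: see if it has to enhanced and get the default view from module model
                         $view = 'Calendar';
                     }
                 } else {
                     $module = 'Home';
                     $qualifiedModuleName = 'Home';
                     $view = 'DashBoard';
                 }
             } else {
                 $module = 'Users';
                 $qualifiedModuleName = 'Settings:Users';
                 $view = 'Login';
             }
             $request->set('module', $module);
             $request->set('view', $view);
         }
         // An action takes precedence over a view; a missing view means 'Index'
         if (!empty($action)) {
             $componentType = 'Action';
             $componentName = $action;
         } else {
             $componentType = 'View';
             if (empty($view)) {
                 $view = 'Index';
             }
             $componentName = $view;
         }
         $handlerClass = Vtiger_Loader::getComponentClassName($componentType, $componentName, $qualifiedModuleName);
         $handler = new $handlerClass();
         // `new` never yields a falsy value, so the else branch below is effectively unreachable;
         // presumably getComponentClassName() signals an unknown handler by throwing — confirm
         if ($handler) {
             vglobal('currentModule', $module);
             $csrfProtection = vglobal('csrfProtection');
             if ($csrfProtection) {
                 // Ensure handler validates the request
                 $handler->validateRequest($request);
             }
             if ($handler->loginRequired()) {
                 $this->checkLogin($request);
             }
             //TODO : Need to review the design as there can potential security threat
             $skipList = array('Users', 'Home', 'CustomView', 'Import', 'Export', 'Inventory', 'Vtiger', 'Migration', 'Install');
             if (!in_array($module, $skipList) && stripos($qualifiedModuleName, 'Settings') === false) {
                 $this->triggerCheckPermission($handler, $request);
             }
             // Every settings page handler should implement this method
             if (stripos($qualifiedModuleName, 'Settings') === 0 || $module == 'Users') {
                 $handler->checkPermission($request);
             }
             $notPermittedModules = array('ModComments', 'Integration', 'DashBoard');
             if (in_array($module, $notPermittedModules) && $view == 'List') {
                 header('Location:index.php?module=Home&view=DashBoard');
                 // Stop here so the not-permitted list view is not processed behind the redirect
                 exit;
             }
             $this->triggerPreProcess($handler, $request);
             $response = $handler->process($request);
             $this->triggerPostProcess($handler, $request);
         } else {
             throw new AppException(vtranslate('LBL_HANDLER_NOT_FOUND'));
         }
     } catch (AppException $e) {
         $log->error($e->getMessage() . ' => ' . $e->getFile() . ':' . $e->getLine());
         Vtiger_Functions::throwNewException($e->getMessage(), false);
         if (AppConfig::debug('DISPLAY_DEBUG_BACKTRACE')) {
             exit('<pre>' . $e->getTraceAsString() . '</pre>');
         }
     } catch (NoPermittedToRecordException $e) {
         //No permissions for the record
         $log->error($e->getMessage() . ' => ' . $e->getFile() . ':' . $e->getLine());
         Vtiger_Functions::throwNewException($e->getMessage(), false, 'NoPermissionsForRecord.tpl');
         if (AppConfig::debug('DISPLAY_DEBUG_BACKTRACE')) {
             exit('<pre>' . $e->getTraceAsString() . '</pre>');
         }
     } catch (Exception $e) {
         $log->error($e->getMessage() . ' => ' . $e->getFile() . ':' . $e->getLine());
         Vtiger_Functions::throwNewException($e->getMessage(), false);
         if (AppConfig::debug('DISPLAY_DEBUG_BACKTRACE')) {
             exit('<pre>' . $e->getTraceAsString() . '</pre>');
         }
     }
     if ($response) {
         $response->emit();
     }
 }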
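 /**
  *      This function is used to upload the attachment in the server and save that attachment information in db.
  *
  *      Image validation (validateImageFile) now runs before move_uploaded_file(), so a rejected
  *      upload never lands in the upload directory. The undefined-index notices on
  *      $_REQUEST['mode'] / $_REQUEST['fileid'] and on the array-in-string debug message are gone.
  *
  *      @param int $id  - entity id to which the file to be uploaded
  *      @param string $module  - the current module name
  *      @param array $file_details  - array which contains the file information(name, type, size, tmp_name and error)
  *      @param string $attachmentType  - 'Attachment' (default) or 'Image'; 'Image' forces image validation
  *      @return bool true when the file was stored and its records written, false otherwise
  */
 function uploadAndSaveFile($id, $module, $file_details, $attachmentType = 'Attachment')
 {
     $log = LoggerManager::getInstance();
     // $file_details is an array; print_r() keeps the message readable instead of "Array"
     $log->debug("Entering into uploadAndSaveFile({$id},{$module}," . print_r($file_details, true) . ") method.");
     $adb = PearDatabase::getInstance();
     $current_user = vglobal('current_user');
     $date_var = date("Y-m-d H:i:s");
     //to get the owner id
     $ownerid = isset($this->column_fields['assigned_user_id']) ? $this->column_fields['assigned_user_id'] : '';
     if ($ownerid == '') {
         $ownerid = $current_user->id;
     }
     if (isset($file_details['original_name']) && $file_details['original_name'] != null) {
         $file_name = $file_details['original_name'];
     } else {
         $file_name = $file_details['name'];
     }
     $saveFile = 'true';
     //only images are allowed for Image Attachmenttype
     $mimeType = Vtiger_Functions::getMimeContentType($file_details['tmp_name']);
     $mimeTypeContents = explode('/', $mimeType);
     // For contacts and products we are sending attachmentType as value
     if ($attachmentType == 'Image' || $file_details['size'] && $mimeTypeContents[0] == 'image') {
         $saveFile = validateImageFile($file_details);
     }
     if ($saveFile == 'false') {
         return false;
     }
     //only images are allowed for these modules - checked before the file is moved
     if ($module == 'Contacts' || $module == 'Products') {
         if (validateImageFile($file_details) != 'true') {
             $log->debug("Skip the save attachment process.");
             return false;
         }
     }
     $binFile = sanitizeUploadFileName($file_name, AppConfig::main('upload_badext'));
     $current_id = $adb->getUniqueID('vtiger_crmentity');
     $filename = ltrim(basename(' ' . $binFile));
     //allowed filename like UTF-8 characters
     $filetype = $file_details['type'];
     $filetmp_name = $file_details['tmp_name'];
     //get the file path inwhich folder we want to upload the file
     $upload_file_path = decideFilePath($module);
     //upload the file in server
     $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . '_' . $binFile);
     if (!$upload_status) {
         $log->debug("Skip the save attachment process.");
         return false;
     }
     //This is only to update the attached filename in the vtiger_notes vtiger_table for the Notes module
     $setype = ($module == 'Contacts' || $module == 'Products') ? $module . " Image" : $module . " Attachment";
     $params = ['crmid' => $current_id, 'smcreatorid' => $current_user->id, 'smownerid' => $ownerid, 'setype' => $setype, 'description' => $this->column_fields['description'], 'createdtime' => $adb->formatDate($date_var, true), 'modifiedtime' => $adb->formatDate($date_var, true)];
     $adb->insert('vtiger_crmentity', $params);
     $params = ['attachmentsid' => $current_id, 'name' => $filename, 'description' => $this->column_fields['description'], 'type' => $filetype, 'path' => $upload_file_path];
     $adb->insert('vtiger_attachments', $params);
     // Replacing an attachment from the edit view: drop the relation to the previous file first
     if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
         $previousFileId = isset($_REQUEST['fileid']) ? vtlib_purify($_REQUEST['fileid']) : '';
         if ($id != '' && $previousFileId != '') {
             $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', [$id, $previousFileId]);
         }
     }
     if ($module == 'Documents') {
         $adb->delete('vtiger_seattachmentsrel', 'crmid = ?', [$id]);
     }
     if ($module == 'Contacts') {
         // A contact keeps a single image: remove the previous image relation and its crmentity row
         $att_sql = "select vtiger_seattachmentsrel.attachmentsid  from vtiger_seattachmentsrel inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_seattachmentsrel.attachmentsid where vtiger_crmentity.setype='Contacts Image' and vtiger_seattachmentsrel.crmid=?";
         $res = $adb->pquery($att_sql, [$id]);
         $attachmentsid = $adb->query_result($res, 0, 'attachmentsid');
         if ($attachmentsid != '') {
             $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', [$id, $attachmentsid]);
             $adb->delete('vtiger_crmentity', 'crmid = ?', [$attachmentsid]);
         }
     }
     $adb->insert('vtiger_seattachmentsrel', ['crmid' => $id, 'attachmentsid' => $current_id]);
     return true;
 }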
 /**
  * Handles the login form submission.
  *
  * With mode=install the installer directory and config template are removed
  * first. Blocked clients (brute-force protection) are redirected with error=2.
  * A failed login is recorded and redirected with error=1; a successful one
  * optionally regenerates the session id, populates the session (including the
  * KCFINDER settings) and records the login before redirecting to index.php,
  * or to the return_params saved in the session.
  *
  * @param Vtiger_Request $request
  */
 function process(Vtiger_Request $request)
 {
     $username = $request->get('username');
     $password = $request->get('password');
     if ($request->get('mode') == 'install') {
         // Post-installation cleanup: language files, config template and the installer itself
         Users_Module_Model::deleteLangFiles();
         $configTemplate = "config/config.template.php";
         if (file_exists($configTemplate)) {
             unlink($configTemplate);
         }
         Vtiger_Functions::recurseDelete('install');
     }
     $isBlocked = Settings_BruteForce_Module_Model::checkBlocked();
     $bruteForceSettings = Settings_BruteForce_Module_Model::getBruteForceSettings();
     if ($isBlocked && $bruteForceSettings['active']) {
         Settings_BruteForce_Module_Model::sendNotificationEmail();
         header('Location: index.php?module=Users&parent=Settings&view=Login&error=2');
         exit;
     }
     $user = CRMEntity::getInstance('Users');
     $user->column_fields['user_name'] = $username;
     $moduleModel = Users_Module_Model::getInstance('Users');
     if (!$user->doLogin($password)) {
         //Track the login History
         $browser = Settings_BruteForce_Module_Model::browserDetect();
         $moduleModel->saveLoginHistory($username, 'Failed login', $browser);
         header('Location: index.php?module=Users&parent=Settings&view=Login&error=1');
         exit;
     }
     // to overcome session id reuse.
     if (AppConfig::main('session_regenerate_id')) {
         Vtiger_Session::regenerateId(true);
     }
     $userid = $user->retrieve_user_id($username);
     $sessionValues = [
         'AUTHUSERID' => $userid,
         // For Backward compatability
         // TODO Remove when switch-to-old look is not needed
         'authenticated_user_id' => $userid,
         'app_unique_key' => AppConfig::main('application_unique_key'),
         'authenticated_user_language' => AppConfig::main('default_language'),
         'user_name' => $username,
         'full_user_name' => Vtiger_Functions::getUserRecordLabel($userid),
     ];
     if ($request->has('language') && AppConfig::main('langInLoginView')) {
         $sessionValues['language'] = $request->get('language');
     }
     if ($request->has('layout')) {
         $sessionValues['layout'] = $request->get('layout');
     }
     foreach ($sessionValues as $key => $value) {
         Vtiger_Session::set($key, $value);
     }
     //Enabled session variable for KCFINDER
     $_SESSION['KCFINDER'] = [
         'disabled' => false,
         'uploadURL' => 'cache/upload',
         'uploadDir' => '../../cache/upload',
         'deniedExts' => implode(' ', AppConfig::main('upload_badext')),
     ];
     //Track the login History
     $moduleModel->saveLoginHistory($user->column_fields['user_name']);
     $target = 'index.php';
     if (isset($_SESSION['return_params'])) {
         $target .= '?' . urldecode($_SESSION['return_params']);
     }
     header("Location: {$target}");
     exit;
 }
 /**
  * Rejects requests whose Referer does not start with the configured site_URL.
  *
  * The check only applies once a user is logged in and a Referer header is
  * present; the Install module is exempt. NOTE(review): this is a plain prefix
  * comparison, so it relies on site_URL ending with a separator to avoid
  * matching a longer host name — confirm the configured value.
  *
  * @return bool always true; a mismatch throws instead
  * @throws CsrfException when the Referer does not belong to this site
  */
 protected function validateReferer()
 {
     $user = vglobal('current_user');
     if (!isset($_SERVER['HTTP_REFERER']) || !$user) {
         return true;
     }
     //Check for user post authentication.
     $refererIsLocal = stripos($_SERVER['HTTP_REFERER'], AppConfig::main('site_URL')) === 0;
     if (!$refererIsLocal && $this->get('module') != 'Install') {
         throw new CsrfException('Illegal request');
     }
     return true;
 }