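/**
 * Abort the request unless an authenticated, valid staff session exists.
 *
 * Sends an HTTP 401 (with the client address in the body) and then stops the
 * script explicitly, so a caller can never fall through into privileged code
 * even if Http::response() were to return instead of exiting.
 *
 * @return void
 */
function staffOnly() {
    global $thisstaff;

    if ($thisstaff && $thisstaff->isValid()) {
        return;
    }

    Http::response(401, sprintf(__('Access Denied. IP %s'), $_SERVER['REMOTE_ADDR']));
    exit;
}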
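/**
 * Terminate an API request (pipe or HTTP) with the given EX_* exit code.
 *
 * On a non-success code, and only when mail-parse alerts are enabled, the
 * per-session error counter is bumped and the administrator is alerted with
 * the full diagnostic text. The original built that text in $alert but then
 * passed the bare $msg to Misc::alertAdmin(), discarding the code, counter
 * and remote address; this version sends $alert.
 *
 * When $remotehost is set the exit code is mapped to an HTTP status first.
 *
 * @param int    $code one of the EX_* constants
 * @param string $msg  human-readable detail for the alert
 * @return void        never returns; ends with exit($code)
 */
function api_exit($code, $msg = '') {
    global $remotehost, $cfg;

    if ($code != EX_SUCCESS && $cfg->alertONMailParseError()) {
        // A fresh session has no counter yet; avoid the undefined-index notice
        if (!isset($_SESSION['api']['errors'])) {
            $_SESSION['api']['errors'] = 0;
        }
        $_SESSION['api']['errors'] += 1;
        $_SESSION['api']['time'] = time();

        // REMOTE_ADDR is absent when invoked from the mail pipe (CLI)
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        $alert = sprintf("Possible issues with the API\n\n Error Code: %d\nErrors: %d\nRemote IP:%s\n\n%s",
            $code, $_SESSION['api']['errors'], $ip, $msg);
        Misc::alertAdmin('API Error(s)', $alert);
    }

    if ($remotehost) {
        switch ($code) {
        case EX_SUCCESS:
            Http::response(200, $code, 'text/plain');
            break;
        case EX_UNAVAILABLE:
            Http::response(405, $code, 'text/plain');
            break;
        case EX_NOPERM:
            Http::response(403, $code, 'text/plain');
            break;
        case EX_DATAERR:
        case EX_NOINPUT:
        default:
            Http::response(416, $code, 'text/plain');
        }
    }
    exit($code);
}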
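/**
 * Return a premade (canned) reply, optionally expanded with a ticket's
 * variables, as JSON or plain text.
 *
 * The optional `tid` query parameter selects the ticket whose variables are
 * substituted into the reply. That ticket is only honoured when the current
 * staff member may access it (the same check the newer cannedResponse() makes);
 * otherwise a crafted `tid` would leak another ticket's subject, e-mail and
 * other variables through the expanded text. A missing or inaccessible
 * ticket falls back to the unexpanded reply, as a failed lookup always did.
 *
 * @param int    $id     canned reply id
 * @param string $format 'json' for a structured reply, anything else for text
 * @return string
 */
function cannedResp($id, $format = '') {
    global $thisstaff;

    include_once INCLUDE_DIR . 'class.canned.php';

    if (!$id || !($canned = Canned::lookup($id)) || !$canned->isEnabled()) {
        Http::response(404, 'No such premade reply');
    }

    // Load the ticket for variable expansion, subject to access control
    $ticket = null;
    if (!empty($_GET['tid'])) {
        include_once INCLUDE_DIR . 'class.ticket.php';
        $ticket = Ticket::lookup($_GET['tid']);
        if ($ticket && (!$thisstaff || !$ticket->checkStaffAccess($thisstaff))) {
            $ticket = null;
        }
    }

    $body = $ticket
        ? $ticket->replaceVars($canned->getResponse())
        : $canned->getResponse();

    switch ($format) {
    case 'json':
        // Note: the 'ticket' key carries the reply title (historical name kept
        // for client compatibility)
        $resp = array(
            'id'       => $canned->getId(),
            'ticket'   => $canned->getTitle(),
            'response' => $body,
            'files'    => $canned->getAttachments(),
        );
        return $this->json_encode($resp);
    case 'txt':
    default:
        return $body;
    }
}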
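/**
 * Autocomplete search over tickets by ticket number prefix (`id`) or e-mail
 * prefix (`email`), returning up to `limit` rows.
 *
 * Reads $_GET. Responds 400 if neither `id` nor `email` is given.
 *
 * @return string encoded {'results': [{id, value, info, name}, ...]}
 */
function search() {
    // A non-positive limit yields an invalid (negative) or useless (0) LIMIT
    // clause; fall back to the default page size instead
    $limit = isset($_GET['limit']) ? (int) $_GET['limit'] : 25;
    if ($limit < 1) {
        $limit = 25;
    }

    $items = array();
    $ticketid = false;

    // NOTE(review): db_input() escapes quoting characters, but nothing here
    // escapes the LIKE metacharacters % and _, so a caller can widen the
    // prefix match. Tolerable for a staff-side autocomplete; revisit before
    // exposing this query elsewhere.
    if (isset($_GET['id'])) {
        $WHERE = ' WHERE ticketID LIKE \'' . db_input($_GET['id'], false) . '%\'';
        $ticketid = true;
    } elseif (isset($_GET['email'])) {
        $WHERE = ' WHERE email LIKE \'' . db_input(strtolower($_GET['email']), false) . '%\'';
    } else {
        Http::response(400, "id or email argument is required");
    }

    $sql = 'SELECT DISTINCT ticketID,email,name FROM ' . TICKET_TABLE . ' '
        . $WHERE . ' ORDER BY created LIMIT ' . $limit;
    $res = db_query($sql);
    if ($res && db_num_rows($res)) {
        while (list($id, $email, $name) = db_fetch_row($res)) {
            // Searching by id returns the id with the e-mail as info, and vice versa
            $value = $ticketid ? $id : $email;
            $info  = $ticketid ? $email : $id;
            # TODO: Return 'name' from email address if 'email' argument
            # specified?
            $items[] = array('id' => $value, 'value' => $value, 'info' => $info, 'name' => $name);
        }
    }
    return $this->encode(array('results' => $items));
}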
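/**
 * Return the contextual help tips for a namespace as JSON, in the staff
 * member's language (or the site default).
 *
 * $namespace is spliced into a template path, so it is checked for directory
 * separators and NUL before use; dots alone cannot escape help/tips/ because
 * the ".yaml" suffix is always appended. Absolute link hrefs in the tips are
 * re-rooted onto this installation's ROOT_PATH.
 *
 * @param string      $namespace tips file name without extension
 * @param string|bool $lang      language code, or false for the staff/site default
 * @return string JSON document; 404 if the namespace has no content
 */
function getTipsJson($namespace, $lang = false) {
    global $ost, $thisstaff;

    if (!is_string($namespace) || $namespace === ''
            || strpos($namespace, '/') !== false
            || strpos($namespace, '\\') !== false
            || strpos($namespace, "\0") !== false) {
        Http::response(404, 'Help content not available');
    }

    if (!$lang) {
        $lang = $thisstaff
            ? $thisstaff->getLanguage()
            : Internationalization::getDefaultLanguage();
    }

    $i18n = new Internationalization($lang);
    $tips = $i18n->getTemplate("help/tips/{$namespace}.yaml");
    if (!$tips || !($data = $tips->getData())) {
        Http::response(404, 'Help content not available');
    }

    // Expand template variables and translate absolute links to the root
    // path of this installation
    foreach ($data as $tip => &$info) {
        if ($ost) {
            $info = $ost->replaceTemplateVariables($info,
                array('config' => $ost->getConfig()));
        }
        if (isset($info['links'])) {
            foreach ($info['links'] as &$l) {
                // Guard the offset: an empty href would raise a notice
                if (isset($l['href'][0]) && $l['href'][0] == '/') {
                    $l['href'] = ROOT_PATH . substr($l['href'], 1);
                }
            }
            unset($l);
        }
    }
    // Release the by-reference loop variable so it cannot alias the last tip
    unset($info);

    return $this->json_encode($data);
}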
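/**
 * Abort the request unless an authenticated, valid staff session exists.
 *
 * Sends an HTTP 401 (with the client address in the body) and then stops the
 * script explicitly, so a caller can never fall through into privileged code
 * even if Http::response() were to return instead of exiting.
 *
 * @return void
 */
function staffOnly() {
    global $thisstaff;

    if ($thisstaff && $thisstaff->isValid()) {
        return;
    }

    Http::response(401, 'Access Denied. IP ' . $_SERVER['REMOTE_ADDR']);
    exit;
}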
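/**
 * Terminate an API request (pipe or HTTP) with the given EX_* exit code.
 *
 * Any non-success code bumps the per-session error counter, records the
 * time and writes a warning to the system log. When $remotehost is set the
 * code is mapped to an HTTP status before exiting.
 *
 * @param int    $code one of the EX_* constants
 * @param string $msg  detail for the log entry
 * @return void        never returns; ends with exit($code)
 */
function api_exit($code, $msg = '') {
    global $remotehost, $cfg;

    if ($code != EX_SUCCESS) {
        //Error occured...
        // A fresh session has no counter yet; avoid the undefined-index notice
        if (!isset($_SESSION['api']['errors'])) {
            $_SESSION['api']['errors'] = 0;
        }
        $_SESSION['api']['errors'] += 1;
        $_SESSION['api']['time'] = time();
        Sys::log(LOG_WARNING, "API error - code #{$code}", $msg);
    }

    if ($remotehost) {
        switch ($code) {
        case EX_SUCCESS:
            Http::response(200, $code, 'text/plain');
            break;
        case EX_UNAVAILABLE:
            Http::response(405, $code, 'text/plain');
            break;
        case EX_NOPERM:
            Http::response(403, $code, 'text/plain');
            break;
        case EX_DATAERR:
        case EX_NOINPUT:
        default:
            Http::response(416, $code, 'text/plain');
        }
    }
    exit($code);
}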
/**
 * Persist the property form posted for a dynamic list item, or re-render the
 * properties template when the submitted configuration is rejected.
 *
 * Authorization is expected to be enforced by the calling dispatcher; this
 * method only validates that the item exists.
 *
 * @param int $item_id id of the DynamicListItem being edited
 * @return void
 */
function saveListItemProperties($item_id) {
    $item = DynamicListItem::lookup($item_id);
    if (!$item) {
        Http::response(404, 'No such list item');
    }

    if ($item->setConfiguration()) {
        $item->save();
        return;
    }

    // Validation failed: show the form again so the errors can be corrected
    include STAFFINC_DIR . 'templates/list-item-properties.tmpl.php';
}
/**
 * Return a premade (canned) reply rendered in the requested format.
 *
 * When rich-text threads are disabled site-wide the plain variant of the
 * format ("<format>.plain") is requested from the canned reply instead.
 *
 * @param int    $id     canned reply id
 * @param string $format output format understood by Canned::getFormattedResponse()
 * @return string        404 if the reply is missing or disabled
 */
function cannedResp($id, $format = 'text') {
    global $thisstaff, $cfg;

    include_once INCLUDE_DIR . 'class.canned.php';

    $canned = $id ? Canned::lookup($id) : null;
    if (!$canned || !$canned->isEnabled()) {
        Http::response(404, 'No such premade reply');
    }

    $variant = $cfg->isHtmlThreadEnabled() ? $format : $format . '.plain';
    return $canned->getFormattedResponse($variant);
}
/**
 * Create a quick note for the logged-in staff member and render it.
 *
 * Reads the note body from $_POST['note'] (sanitized before storage) and
 * attaches it to the external object identified by $ext_id. On success the
 * note template is included with action options enabled.
 *
 * @param string $ext_id external id the note is attached to
 * @return void  403 without a staff session, 422 without a note, 500 on
 *               creation/save failure
 */
function createNote($ext_id) {
    global $thisstaff;

    if (!$thisstaff) {
        Http::response(403, "Login required");
    } elseif (empty($_POST['note'])) {
        Http::response(422, "Send `note` parameter");
    } else {
        $fields = array(
            'staff_id' => $thisstaff->getId(),
            'body'     => Format::sanitize($_POST['note']),
            'created'  => new SqlFunction('NOW'),
            'ext_id'   => $ext_id,
        );
        $note = QuickNote::create($fields);
        if (!$note || !$note->save(true)) {
            Http::response(500, "Unable to create new note");
        }
    }

    // Render the freshly created note with its action menu
    $show_options = true;
    include STAFFINC_DIR . 'templates/note.tmpl.php';
}
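/**
 * Autocomplete search of ticket submitters by e-mail substring (`q`),
 * returning up to `limit` distinct (email, name) pairs as JSON.
 *
 * Reads $_REQUEST. Responds 400 when `q` is absent.
 *
 * @return string JSON list of {email, name, info}
 */
function search() {
    if (!isset($_REQUEST['q'])) {
        Http::response(400, 'Query argument is required');
    }

    // A non-positive limit yields an invalid (negative) or useless (0) LIMIT
    // clause; fall back to the default page size instead
    $limit = isset($_REQUEST['limit']) ? (int) $_REQUEST['limit'] : 25;
    if ($limit < 1) {
        $limit = 25;
    }

    $users = array();

    // NOTE(review): db_input() escapes quoting characters; the LIKE
    // metacharacters % and _ in `q` are not escaped here, which only widens
    // an already-unanchored substring match.
    $sql = 'SELECT DISTINCT email, name '
        . ' FROM ' . TICKET_TABLE
        . ' WHERE email LIKE \'%' . db_input(strtolower($_REQUEST['q']), false) . '%\' '
        . ' ORDER BY created '
        . ' LIMIT ' . $limit;

    if (($res = db_query($sql)) && db_num_rows($res)) {
        while (list($email, $name) = db_fetch_row($res)) {
            $users[] = array(
                'email' => $email,
                'name'  => $name,
                'info'  => "{$email} - {$name}",
            );
        }
    }
    return $this->json_encode($users);
}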
/**
 * Drive one step of the database upgrade; called repeatedly via AJAX.
 *
 * Admin-only. Each call reports the next action as text; progress is kept
 * in $_SESSION['ost_upgrader'] keyed by the upgrader's stream hash. Status
 * codes used: 200 = more to do, 201 = finished, 416 = aborted/errors.
 *
 * @return void never returns normally; every path ends in Http::response()
 */
function upgrade() {
    global $thisstaff, $ost;

    if (!$thisstaff or !$thisstaff->isAdmin() or !$ost) {
        Http::response(403, 'Access Denied');
    }

    $upgrader = new Upgrader($ost->getDBSignature(), TABLE_PREFIX, SQL_DIR);

    //Just report the next action on the first call.
    // NOTE(review): on a brand-new session both $_SESSION reads below raise
    // undefined-index notices before the assignment; harmless but noisy.
    if (!$_SESSION['ost_upgrader'] || !$_SESSION['ost_upgrader'][$upgrader->getShash()]['progress']) {
        $_SESSION['ost_upgrader'][$upgrader->getShash()]['progress'] = $upgrader->getNextAction();
        Http::response(200, $upgrader->getNextAction());
        exit;
    }

    if ($upgrader->isAborted()) {
        Http::response(416, "We have a problem ... wait a sec.");
        exit;
    }

    if ($upgrader->getNumPendingTasks() && $upgrader->doTasks()) {
        //More pending tasks - doTasks returns the number of pending tasks
        Http::response(200, $upgrader->getNextAction());
        exit;
    } elseif ($ost->isUpgradePending()) {
        if ($upgrader->isUpgradable()) {
            $version = $upgrader->getNextVersion();
            if ($upgrader->upgrade()) {
                //We're simply reporting progress here - call back will report next action'
                Http::response(200, "Upgraded to {$version} ... post-upgrade checks!");
                exit;
            }
        } else {
            //Abort: Upgrade pending but NOT upgradable - invalid or wrong hash.
            $upgrader->abort(sprintf('Upgrade Failed: Invalid or wrong hash [%s]', $ost->getDBSignature()));
        }
    } elseif (!$ost->isUpgradePending()) {
        // Nothing pending: mark the stream done and release the session lock
        // before replying so a concurrent poll is not blocked
        $upgrader->setState('done');
        session_write_close();
        Http::response(201, "We're done!");
        exit;
    }

    // Reached after a failed upgrade() or an abort() above
    if ($upgrader->isAborted() || $upgrader->getErrors()) {
        Http::response(416, "We have a problem ... wait a sec.");
        exit;
    }

    Http::response(200, $upgrader->getNextAction());
}
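/**
 * Serve concatenated, translated JavaScript string bundles for a language.
 *
 * Only the 'js' key is supported; it concatenates the redactor, datepicker
 * and osticket-strings templates. A template that cannot be loaded now
 * results in a 404 rather than a fatal "method on null" error (the tips
 * loader treats a missing template the same way). The response is marked
 * cacheable by content hash and config modification time.
 *
 * @param string $lang language code used to select the translation
 * @param string $key  bundle name; only 'js' is known
 * @return void        echoes the bundle
 */
function getLanguageFile($lang, $key) {
    global $cfg;

    // NOTE(review): $lang comes from the URL and selects translation files
    // inside Internationalization; confirm that class validates it.
    $i18n = new Internationalization($lang);

    switch ($key) {
    case 'js':
        $data = '';
        $bundles = array(
            'js/redactor.js',
            'js/jquery.ui.datepicker.js',
            // Strings from various javascript files
            'js/osticket-strings.js',
        );
        foreach ($bundles as $tpl) {
            if (!($template = $i18n->getTemplate($tpl))) {
                Http::response(404, 'No such i18n data');
            }
            $data .= $template->getRawData();
        }
        header('Content-Type: text/javascript; charset=UTF-8');
        break;
    default:
        Http::response(404, 'No such i18n data');
    }

    Http::cacheable(md5($data), $cfg->lastModified());
    echo $data;
}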
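/**
 * API endpoint: create a ticket from a JSON or XML request body.
 *
 * Requires a valid API key. Meta fields `alert`, `autorespond`, `source`
 * and `attachments` are read with isset() rather than truthiness: with the
 * previous `$x ? $x : true` form a client sending `alert: false` got
 * alerts *enabled*, because false fell through to the default. Attachments
 * must be a list; base64 payloads are strictly decoded and the decode result
 * is compared with === false so an empty or "0" payload is not rejected.
 *
 * @param string $format 'json' or 'xml'
 * @return void  201 with the ticket number; 400 on validation errors,
 *               500 on an unexplained failure
 */
function create($format) {
    $this->requireApiKey();

    # Parse request body
    $data = $this->getRequest($format);
    if ($format == "xml") {
        $data = $data["ticket"];
    }
    if (!is_array($data)) {
        Http::response(400, "Unable to create new ticket: malformed request body");
    }

    # Pull off some meta-data
    $alert       = isset($data['alert']) ? $data['alert'] : true;
    $autorespond = isset($data['autorespond']) ? $data['autorespond'] : true;
    $source      = !empty($data['source']) ? $data['source'] : 'API';
    $attachments = isset($data['attachments']) ? $data['attachments'] : array();
    if (!is_array($attachments)) {
        Http::response(400, "Unable to create new ticket: attachments must be a list");
    }

    # TODO: Handle attachment encoding (base64)
    foreach ($attachments as $filename => &$info) {
        if (!is_array($info) || !isset($info['data'])) {
            Http::response(400, sprintf("%s: Attachment has no data", $filename));
        }
        if (isset($info["encoding"]) && $info["encoding"] == "base64") {
            # XXX: May fail on large inputs. See
            # http://us.php.net/manual/en/function.base64-decode.php#105512
            $decoded = base64_decode($info["data"], true);
            if ($decoded === false) {
                Http::response(400, sprintf("%s: Poorly encoded base64 data", $filename));
            }
            $info["data"] = $decoded;
        }
        $info['size'] = strlen($info['data']);
    }
    unset($info);

    # Create the ticket with the data (attempt to anyway)
    $errors = array();
    $ticket = Ticket::create($data, $errors, $source, $autorespond, $alert);

    # Return errors (?)
    if (count($errors)) {
        Http::response(400, "Unable to create new ticket: validation errors:\n"
            . Format::array_implode(": ", "\n", $errors));
    } elseif (!$ticket) {
        Http::response(500, "Unable to create new ticket: unknown error");
    }

    # Save attachment(s) against the initial message
    foreach ($attachments as $info) {
        $ticket->saveAttachment($info, $ticket->getLastMsgId(), "M");
    }

    # All done. Return HTTP/201 --> Created
    Http::response(201, $ticket->getExtId());
}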
/**
 * Drive one step of the database upgrade; called repeatedly via AJAX.
 *
 * Admin-only. Each call performs at most one task or one stream upgrade and
 * reports the next action as text. Status codes used: 200 = more to do,
 * 201 = finished, 416 = aborted/errors.
 *
 * @return void never returns normally; every path ends in Http::response()
 */
function upgrade() {
    global $thisstaff, $ost;

    if (!$thisstaff or !$thisstaff->isAdmin() or !$ost) {
        Http::response(403, 'Access Denied');
    }

    $upgrader = new Upgrader(TABLE_PREFIX, UPGRADE_DIR . 'streams/');

    if ($upgrader->isAborted()) {
        Http::response(416, __("We have a problem ... wait a sec."));
        exit;
    }

    if ($upgrader->getTask() && $upgrader->doTask()) {
        //More pending tasks - doTasks returns the number of pending tasks
        Http::response(200, $upgrader->getNextAction());
        exit;
    } elseif ($ost->isUpgradePending()) {
        if ($upgrader->isUpgradable()) {
            $version = $upgrader->getNextVersion();
            if ($upgrader->upgrade()) {
                //We're simply reporting progress here - call back will report next action'
                Http::response(200, sprintf(__("Upgraded to %s ... post-upgrade checks!"), $version));
                exit;
            }
        } else {
            //Abort: Upgrade pending but NOT upgradable - invalid or wrong hash.
            $upgrader->abort(sprintf(__('Upgrade Failed: Invalid or wrong hash [%s]'), $ost->getDBSignature()));
        }
    } elseif (!$ost->isUpgradePending()) {
        // Nothing pending: mark the stream done and release the session lock
        // before replying so a concurrent poll is not blocked
        $upgrader->setState('done');
        session_write_close();
        Http::response(201, __("We're done!"));
        exit;
    }

    // Reached after a failed upgrade() or an abort() above
    if ($upgrader->isAborted() || $upgrader->getErrors()) {
        Http::response(416, __("We have a problem ... wait a sec."));
        exit;
    }

    Http::response(200, $upgrader->getNextAction());
}
/**
 * Accept an asynchronous file upload for a dynamic form field.
 *
 * The field must exist and be implemented by FileUploadField; the actual
 * validation and storage happen in FileUploadField::ajaxUpload().
 *
 * @param int $id dynamic form field id
 * @return string JSON {'id': <stored file id>}; 400 for an unknown or
 *                non-file field
 */
function upload($id) {
    $field = DynamicFormField::lookup($id);
    if (!$field) {
        Http::response(400, 'No such field');
    }

    $impl = $field->getImpl();
    if (!($impl instanceof FileUploadField)) {
        Http::response(400, 'Upload to a non file-field');
    }

    $fileId = $impl->ajaxUpload();
    return JsonDataEncoder::encode(array('id' => $fileId));
}
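/**
 * Replace the set (and ordering) of custom forms attached to a customer.
 *
 * $_POST['forms'] must be a list of form ids in display order: existing
 * entries are re-sorted, unknown ids are added, and entries not in the list
 * are deleted. The list is required to be an array — with a scalar, the
 * loops below would emit warnings and in_array() would report every
 * existing entry as absent, deleting all of the customer's forms.
 *
 * @param int $user_id customer id
 * @return void 201 on success; 403/404/422 on the respective failures
 */
function updateForms($user_id) {
    global $thisstaff;

    if (!$thisstaff) {
        Http::response(403, "Login required");
    } elseif (!($user = User::lookup($user_id))) {
        Http::response(404, "No such customer");
    } elseif (!isset($_POST['forms']) || !is_array($_POST['forms'])) {
        Http::response(422, "Send updated forms list");
    }

    // Normalise the posted ids once so the comparisons below are strict
    $wanted = array();
    foreach ($_POST['forms'] as $sort => $id) {
        $wanted[$sort] = (int) $id;
    }

    // Re-sort existing entries; add forms that are new
    $forms = DynamicFormEntry::forUser($user_id);
    foreach ($wanted as $sort => $id) {
        $found = false;
        foreach ($forms as $e) {
            if ((int) $e->get('form_id') === $id) {
                $e->set('sort', $sort);
                $e->save();
                $found = true;
                break;
            }
        }
        // New form added
        if (!$found && ($new = DynamicForm::lookup($id))) {
            $user->addForm($new, $sort);
        }
    }

    // Deleted forms: anything the client left out of the list
    foreach ($forms as $e) {
        if (!in_array((int) $e->get('form_id'), $wanted, true)) {
            $e->delete();
        }
    }

    Http::response(201, 'Successfully managed');
}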
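// Legacy AJAX entry point: `api` names an include file (ajax.<api>.php) and
// a class (<Api>AjaxAPI), `f` names a static method on that class. Both
// therefore flow into a file name, a class name and a method name, so they
// are restricted to plain identifiers before any of that happens.
if (!$thisuser || !$thisuser->isValid()) {
    Http::response(401, 'Access Denied. IP ' . $_SERVER['REMOTE_ADDR']);
    exit;
}

//---------check required global vars --------//
if (empty($_REQUEST['api']) || empty($_REQUEST['f'])) {
    Http::response(416, 'Invalid params');
    exit;
}

$api  = strtolower($_REQUEST['api']);
$func = $_REQUEST['f'];
// Method names must start with a letter: this keeps magic methods
// (__construct, __call, ...) and underscore-prefixed internals unreachable
// from the URL.
if (!preg_match('/^[a-z][a-z0-9_]*$/', $api)
        || !preg_match('/^[a-zA-Z][a-zA-Z0-9_]*$/', $func)) {
    Http::response(416, 'Invalid params');
    exit;
}

//------Do the AJAX Dance ----------------//
define('OSTAJAXINC', TRUE);
$file = 'ajax.' . Format::file_name($api) . '.php';
if (!file_exists(INCLUDE_DIR . $file)) {
    Http::response(405, 'invalid method');
    exit;
}

$class = ucfirst($api) . 'AjaxAPI';

if (is_callable($func)) {
    //if the function is callable B4 we include the source file..play with the user...
    Http::response(500, 'This is secure ajax assjax ' . $_SERVER['REMOTE_ADDR']);
    exit;
}

require INCLUDE_DIR . $file;

// Require the method to be declared on the handler class itself;
// is_callable() alone is also satisfied by a __callStatic fallback.
if (!method_exists($class, $func) || !is_callable(array($class, $func))) {
    Http::response(416, 'invalid method/call ' . Format::htmlchars($func));
    exit;
}

$response = @call_user_func(array($class, $func), $_REQUEST);
Http::response(200, $response);
exit;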
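/**
 * Return the file's contents as a string by capturing sendData() output.
 *
 * XXX: This is horrible, and is subject to php's memory restrictions, etc.
 * Don't use this function!
 *
 * @return string file contents; 404 if the backing file is missing
 */
function getData() {
    ob_start();
    try {
        $this->sendData(false);
    } catch (IOException $ex) {
        // Discard the partial buffer before bailing out so it is neither
        // leaked nor flushed into the 404 response
        ob_end_clean();
        Http::response(404, 'File not found');
    }
    // Plain assignment: "=& ob_get_contents()" takes a reference to a
    // function result, which PHP rejects with a notice and gains nothing
    $data = ob_get_contents();
    ob_end_clean();
    return $data;
}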
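/**
 * Render the staff "quick view" popup for a ticket as an HTML fragment.
 *
 * Requires a staff session with access to the ticket; otherwise a 404 is
 * sent so the existence of other tickets is not revealed. Every dynamic
 * value placed into markup goes through Format::htmlchars(): the original
 * escaped the subject, name, department and topic but emitted the
 * submitter's e-mail, the priority, the lock holder, the closing staff name
 * and the assignee list raw. Menu links are built from the id that
 * resolved, cast to int, rather than the raw argument.
 *
 * @param int $tid ticket id
 * @return string HTML fragment
 */
function previewTicket($tid) {
    global $thisstaff;

    if (!$thisstaff || !($ticket = Ticket::lookup($tid)) || !$ticket->checkStaffAccess($thisstaff)) {
        Http::response(404, 'No such ticket');
    }

    $tid = (int) $tid;
    $staff = $ticket->getStaff();
    $lock = $ticket->getLock();
    $error = $msg = $warn = null;

    if ($lock && $lock->getStaffId() == $thisstaff->getId()) {
        // NOTE(review): this fires when the lock belongs to the *current*
        // staff member; confirm whether "!=" (locked by someone else) was
        // intended before changing it.
        $warn .= ' <span class="Icon lockedTicket">Ticket is locked by '
            . Format::htmlchars($lock->getStaffName()) . '</span>';
    } elseif ($ticket->isOverdue()) {
        $warn .= ' <span class="Icon overdueTicket">Marked overdue!</span>';
    }

    ob_start();
    echo sprintf('<div style="width:500px; padding: 2px 2px 0 5px;"> <h2>%s</h2><br>',
        Format::htmlchars($ticket->getSubject()));
    if ($error) {
        echo sprintf('<div id="msg_error">%s</div>', $error);
    } elseif ($msg) {
        echo sprintf('<div id="msg_notice">%s</div>', $msg);
    } elseif ($warn) {
        echo sprintf('<div id="msg_warning">%s</div>', $warn);
    }

    echo '<table border="0" cellspacing="" cellpadding="1" width="100%" class="ticket_info">';
    $ticket_state = sprintf('<span>%s</span>', Format::htmlchars(ucfirst($ticket->getStatus())));
    if ($ticket->isOpen()) {
        if ($ticket->isOverdue()) {
            $ticket_state .= ' — <span>Overdue</span>';
        } else {
            // NOTE(review): assumes getPriority() returns plain text, not markup
            $ticket_state .= sprintf(' — <span>%s</span>', Format::htmlchars($ticket->getPriority()));
        }
    }
    echo sprintf(' <tr> <th width="100">Ticket State:</th> <td>%s</td> </tr> <tr> <th>Create Date:</th> <td>%s</td> </tr>',
        $ticket_state, Format::db_datetime($ticket->getCreateDate()));

    if ($ticket->isClosed()) {
        $closer = $staff ? $staff->getName() : 'staff';
        echo sprintf(' <tr> <th>Close Date:</th> <td>%s <span class="faded">by %s</span></td> </tr>',
            Format::db_datetime($ticket->getCloseDate()), Format::htmlchars($closer));
    } elseif ($ticket->getDueDate()) {
        echo sprintf(' <tr> <th>Due Date:</th> <td>%s</td> </tr>',
            Format::db_datetime($ticket->getDueDate()));
    }
    echo '</table>';

    echo '<hr> <table border="0" cellspacing="" cellpadding="1" width="100%" class="ticket_info">';
    if ($ticket->isOpen()) {
        $assigned = $ticket->isAssigned()
            ? Format::htmlchars(implode('/', $ticket->getAssignees()))
            : ' <span class="faded">— Unassigned —</span>';
        echo sprintf(' <tr> <th width="100">Assigned To:</th> <td>%s</td> </tr>', $assigned);
    }
    echo sprintf(' <tr> <th width="100">Department:</th> <td>%s</td> </tr> <tr> <th>Help Topic:</th> <td>%s</td> </tr> <tr> <th>From:</th> <td>%s <span class="faded">%s</span></td> </tr>',
        Format::htmlchars($ticket->getDeptName()),
        Format::htmlchars($ticket->getHelpTopic()),
        Format::htmlchars($ticket->getName()),
        Format::htmlchars($ticket->getEmail()));
    echo ' </table>';

    // Action menu; entries depend on ticket state and the staff member's rights
    $options = array();
    $options[] = array('action' => 'Thread (' . $ticket->getThreadCount() . ')', 'url' => "tickets.php?id={$tid}");
    if ($ticket->getNumNotes()) {
        $options[] = array('action' => 'Notes (' . $ticket->getNumNotes() . ')', 'url' => "tickets.php?id={$tid}#notes");
    }
    if ($ticket->isOpen()) {
        $options[] = array('action' => 'Reply', 'url' => "tickets.php?id={$tid}#reply");
    }
    if ($thisstaff->canAssignTickets()) {
        $options[] = array('action' => $ticket->isAssigned() ? 'Reassign' : 'Assign', 'url' => "tickets.php?id={$tid}#assign");
    }
    if ($thisstaff->canTransferTickets()) {
        $options[] = array('action' => 'Transfer', 'url' => "tickets.php?id={$tid}#transfer");
    }
    $options[] = array('action' => 'Post Note', 'url' => "tickets.php?id={$tid}#note");
    if ($thisstaff->canEditTickets()) {
        $options[] = array('action' => 'Edit Ticket', 'url' => "tickets.php?id={$tid}&a=edit");
    }

    if ($options) {
        echo '<ul class="tip_menu">';
        foreach ($options as $option) {
            echo sprintf('<li><a href="%s">%s</a></li>', $option['url'], $option['action']);
        }
        echo '</ul>';
    }
    echo '</div>';

    $resp = ob_get_contents();
    ob_end_clean();
    return $resp;
}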
/**
 * Reject an unauthenticated client request with a 403 and stop.
 *
 * The message is HTML-escaped since it is echoed into the response body.
 *
 * @param string $msg reason shown to the client
 * @return void never returns
 */
function clientLoginPage($msg = 'Unauthorized') {
    $body = 'Must login: ' . Format::htmlchars($msg);
    Http::response(403, $body);
    exit;
}
// Bootstrap: connect to the database, load the osTicket config and set a
// few site-wide defaults. Any failure is fatal for the request.
$ferror = null;

// Optional TLS for the DB connection. NOTE(review): only DBSSLCA is tested;
// DBSSLCERT / DBSSLKEY are assumed to be defined alongside it.
$options = array();
if (defined('DBSSLCA')) {
    $options['ssl'] = array('ca' => DBSSLCA, 'cert' => DBSSLCERT, 'key' => DBSSLKEY);
}

if (!db_connect(DBHOST, DBUSER, DBPASS, $options)) {
    $ferror = 'Unable to connect to the database -' . db_connect_error();
} elseif (!db_select_database(DBNAME)) {
    $ferror = 'Unknown or invalid database ' . DBNAME;
} elseif (!($ost = osTicket::start()) || !($cfg = $ost->getConfig())) {
    $ferror = 'Unable to load config info from DB. Get tech support.';
}

if ($ferror) {
    //Fatal error
    //try alerting admin using email in config file
    // The detailed reason (including the driver error) goes only to the
    // admin e-mail; the browser gets a generic message below.
    $msg = $ferror . "\n\n" . THISPAGE;
    Mailer::sendmail(ADMIN_EMAIL, 'osTicket Fatal Error', $msg, sprintf('"osTicket Alerts"<%s>', ADMIN_EMAIL));
    //Display generic error to the user
    Http::response(500, "<b>Fatal Error:</b> Contact system administrator.");
}

//Init
$session = $ost->getSession();

//System defaults we might want to make global//
#pagenation default - user can override it!
define('DEFAULT_PAGE_LIMIT', $cfg->getPageSize() ? $cfg->getPageSize() : 25);

#Cleanup magic quotes crap.
// Undo legacy magic_quotes so input escaping is applied exactly once, by
// the code that actually builds queries/markup.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = Format::strip_slashes($_POST);
    $_GET = Format::strip_slashes($_GET);
    $_REQUEST = Format::strip_slashes($_REQUEST);
}
// (Continuation of the staff session setup; the enclosing block opens
// before this point.)
if (!$thisstaff->isactive() || !$thisstaff->isGroupActive()) {
    staffLoginPage('Access Denied. Contact Admin');
    exit;
}
//Staff are not allowed to login in offline mode!!
if (!$ost->isSystemOnline() || $ost->isUpgradePending()) {
    staffLoginPage('System Offline');
    exit;
}
}

//Keep the session activity alive
$thisstaff->refreshSession();

/******* CSRF Protectin *************/
// Enforce CSRF protection for POSTS
// NOTE(review): the check is gated on $_POST being non-empty, so a POST
// whose body is not form-encoded (e.g. JSON) or is empty is not validated
// here; any handler consuming such bodies must check the token itself.
if ($_POST && !$ost->checkCSRFToken()) {
    Http::response(400, 'Valid CSRF Token Required');
    exit;
}

//Add token to the header - used on ajax calls [DO NOT CHANGE THE NAME]
$ost->addExtraHeader('<meta name="csrf_token" content="' . $ost->getCSRFToken() . '" />');

/******* SET STAFF DEFAULTS **********/
//Set staff's timezone offset.
$_SESSION['TZ_OFFSET'] = $thisstaff->getTZoffset();
$_SESSION['TZ_DST'] = $thisstaff->observeDaylight();
define('PAGE_LIMIT', $thisstaff->getPageLimit() ? $thisstaff->getPageLimit() : DEFAULT_PAGE_LIMIT);

//Clear some vars. we use in all pages.
$errors = array();
$msg = $warn = $sysnotice = '';
$tabs = array();
$submenu = array();

// Pages that stay reachable regardless of the checks applied to ordinary
// staff pages (exact use is decided by the code that reads $exempt)
$exempt = in_array(basename($_SERVER['SCRIPT_NAME']), array('logout.php', 'ajax.php', 'logs.php', 'upgrade.php'));
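/**
 * Called from the ajax handler for async uploads via web clients.
 *
 * Exactly one file is expected under $_FILES['upload']. Unless $bypass is
 * set, the file's type is checked against the field's allow-list and its
 * size against the configured maximum before it is stored.
 *
 * @param bool $bypass skip type and size validation
 * @return int id of the stored AttachmentFile; 400/413/415/500 otherwise
 */
function ajaxUpload($bypass = false) {
    // Without an upload, AttachmentFile::format() would be handed null
    if (empty($_FILES['upload'])) {
        Http::response(400, 'Send one file at a time');
    }

    $files = AttachmentFile::format($_FILES['upload'], !is_numeric($this->get('id')));
    if (count($files) != 1) {
        Http::response(400, 'Send one file at a time');
    }

    $file = array_shift($files);
    $file['name'] = urldecode($file['name']);

    if (!$bypass && !$this->isValidFileType($file['name'], $file['type'])) {
        Http::response(415, 'File type is not allowed');
    }

    $config = $this->getConfiguration();
    if (!$bypass && $file['size'] > $config['size']) {
        Http::response(413, 'File is too large');
    }

    if (!($id = AttachmentFile::upload($file))) {
        Http::response(500, 'Unable to store file: ' . $file['error']);
    }

    return $id;
}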
/**
 * Invoke the handler bound to this URL pattern with the captured arguments.
 *
 * If the handler is itself a Dispatcher, the matched prefix is trimmed off
 * $url and resolution continues in that sub-dispatcher. Otherwise the
 * positional captures (after the whole-match at index 0), any arguments
 * inherited from a parent dispatcher, and the static constructor arguments
 * are concatenated and passed to the callable.
 *
 * @param string     $url       path still to be resolved
 * @param array|null $prev_args arguments captured by enclosing dispatchers
 * @return mixed whatever the handler returns; 500 if it is not callable
 */
function dispatch($url, $prev_args = null) {
    # Remove named values from the match array
    # (keeps only integer capture indices 0..31)
    $this->matches = array_flip(array_intersect(array_flip($this->matches), range(0, 31)));

    if (@get_class($this->func) == "Dispatcher") {
        # Trim the leading match off the $url and call the
        # sub-dispatcher. This will be the case for lines in the URL
        # file like
        # url("^/blah", Dispatcher::include_urls("blah/urls.conf.php"))
        # Also, pass arguments matched so far (if any) to the receiving
        # resolve() method by merging the $prev_args into $this->matches
        # (excluding $this->matches[0], which is the matched URL at this
        # level)
        return $this->func->resolve(substr($url, strlen($this->matches[0])),
            array_merge($prev_args ? $prev_args : array(), array_slice($this->matches, 1)));
    } else {
        # Drop the first item of the matches array (which is the whole
        # matched url). Then merge in any initial arguments.
        array_shift($this->matches);

        # Prepend received arguments (from a parent Dispatcher). This is
        # different from the static args, which are postpended
        if (is_array($prev_args)) {
            $args = array_merge($prev_args, $this->matches);
        } else {
            $args = $this->matches;
        }

        # Add in static args specified in the constructor
        $args = array_merge($args, $this->args);

        # Apply the $prefix given
        list($class, $func) = $this->apply_prefix();
        if ($class) {
            # Create instance of the class, which is the first item,
            # then call the method which is the second item
            $func = array(new $class(), $func);
        }

        # NOTE(review): is_callable() also accepts __call/__callStatic
        # fallbacks, so a misnamed method may be "callable" yet unintended
        if (!is_callable($func)) {
            Http::response(500, 'Dispatcher compile error. Function not callable');
        }

        return call_user_func_array($func, $args);
    }
}
vim: expandtab sw=4 ts=4 sts=4: **********************************************************************/
@chdir(dirname(__FILE__) . '/../');
require_once 'client.inc.php';
require_once INCLUDE_DIR . 'class.format.php';
require_once INCLUDE_DIR . 'class.page.php';

// Resolve the requested site page from the URL slug (extension stripped)
$slug = Format::slugify($ost->get_path_info());

// Narrow the candidates by the text before the first dash, then pick the
// row whose full slugified name matches exactly.
$first_word = explode('-', $slug);
$first_word = $first_word[0];
$sql = 'SELECT id, name FROM ' . PAGE_TABLE
    . ' WHERE name LIKE ' . db_input("{$first_word}%");

$page_id = null;
$res = db_query($sql);
while (list($id, $name) = db_fetch_row($res)) {
    if (Format::slugify($name) != $slug) {
        continue;
    }
    $page_id = $id;
    break;
}

$page = $page_id ? Page::lookup($page_id) : null;
if (!$page) {
    Http::response(404, __('Page Not Found'));
}
// Only active, free-standing ("other") pages are served through this route
if (!$page->isActive() || $page->getType() != 'other') {
    Http::response(404, __('Page Not Found'));
}

require CLIENTINC_DIR . 'header.inc.php';
print $page->getBodyWithImages();
require CLIENTINC_DIR . 'footer.inc.php';
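/*********************************************************************
    attachment.php

    Handles attachment downloads & access validation.

    Peter Rotich <*****@*****.**>
    Copyright (c)  2006-2013 osTicket
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require('staff.inc.php');
require_once(INCLUDE_DIR.'class.attachment.php');

//Basic checks
if(!$thisstaff || empty($_GET['id']) || empty($_GET['h'])
        || !($attachment=Attachment::lookup($_GET['id']))
        || !($file=$attachment->getFile()))
    Http::response(404, __('Unknown or invalid file'));

//Validate session access hash - the link must be FRESH (bound to this
//session) and the staff member must have access to the parent ticket.
$vhash=md5($attachment->getFileId().session_id().strtolower($file->getKey()));
$given=strtolower(trim($_GET['h']));

// Compare in constant time where possible: strcasecmp() stops at the first
// differing byte and so leaks how much of the hash was correct. md5() output
// is lower-case, so lower-casing the supplied value keeps the comparison
// case-insensitive as before.
$hashOk = function_exists('hash_equals')
    ? hash_equals($vhash, $given)
    : (strlen($given) === strlen($vhash) && strcmp($given, $vhash) === 0);

if(!$hashOk || !($ticket=$attachment->getTicket()) || !$ticket->checkStaffAccess($thisstaff))
    // A proper 403 instead of die(), which answered with a 200 status
    Http::response(403, __('Access Denied'));

//Download the file..
$file->download();
?>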
/**
 * Send an HTTP reply with the given status and body, then stop processing.
 *
 * Thin wrapper around Http::response() that guarantees termination.
 *
 * @param int    $code HTTP status
 * @param string $resp response body
 * @return void never returns
 */
function response($code, $resp) {
    Http::response($code, $resp);
    exit;
}
Jared Hancock <*****@*****.**> Copyright (c) 2006-2013 osTicket http://www.osticket.com Released under the GNU General Public License WITHOUT ANY WARRANTY. See LICENSE.TXT for details. vim: expandtab sw=4 ts=4 sts=4: **********************************************************************/ require_once 'staff.inc.php'; //Basic url validation + token check. # PHP < 5.4.7 will not handle a URL like //host.tld/path correctly if (!($url=trim($_GET['url']))) Http::response(422, __('Invalid URL')); $check = (strpos($url, '//') === 0) ? 'http:' . $url : $url; if (!Validator::is_url($check) || !$ost->validateLinkToken($_GET['auth'])) Http::response(403, __('URL link not authorized')); elseif (strpos($_SERVER['HTTP_ACCEPT'], 'text/html') === false) Http::redirect($url); ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"/> <meta http-equiv="refresh" content="0;URL=<?php echo $url; ?>"/> </head> <body/> </html>
/**
 * Return a premade reply — or a quoted ticket thread variable — rendered
 * for insertion into a reply to the given ticket.
 *
 * The ticket must exist and be accessible to the current staff member. A
 * non-numeric $cid names a thread variable, which is returned as a quoted
 * block (JSON). Otherwise $cid is a canned reply id whose body is expanded
 * with the ticket's variables. Plain-text variants are used when rich-text
 * threads are disabled.
 *
 * @param int        $tid    ticket id
 * @param int|string $cid    canned reply id or thread variable name
 * @param string     $format output format for the canned reply
 * @return string
 */
function cannedResponse($tid, $cid, $format = 'text') {
    global $thisstaff, $cfg;

    $ticket = Ticket::lookup($tid);
    if (!$ticket || !$ticket->checkStaffAccess($thisstaff)) {
        Http::response(404, 'Unknown ticket ID');
    }

    $htmlThreads = $cfg->isHtmlThreadEnabled();

    if ($cid && !is_numeric($cid)) {
        $response = $ticket->getThread()->getVar($cid);
        if (!$response) {
            Http::response(422, 'Unknown ticket variable');
        }
        // Ticket thread variables are assumed to be quotes
        $response = "<br/><blockquote>{$response}</blockquote><br/>";
        // Return text if html thread is not enabled
        if (!$htmlThreads) {
            $response = Format::html2text($response, 90);
        }
        // XXX: assuming json format for now.
        return Format::json_encode(array('response' => $response));
    }

    if (!$htmlThreads) {
        $format .= '.plain';
    }

    $varReplacer = function (&$var) use ($ticket) {
        return $ticket->replaceVars($var);
    };

    include_once INCLUDE_DIR . 'class.canned.php';
    $canned = $cid ? Canned::lookup($cid) : null;
    if (!$canned || !$canned->isEnabled()) {
        Http::response(404, 'No such premade reply');
    }
    return $canned->getFormattedResponse($format, $varReplacer);
}