/**
 * Render the AJAX chat index view with the stylesheet and chat endpoint URLs.
 *
 * @param Vtiger_Request $request current request (only used to obtain the viewer)
 */
public function process(Vtiger_Request $request)
{
    // The configured site URL may carry "index.php"; drop it so the paths below hang off the document root
    $baseUrl = str_replace('index.php', '', AppConfig::main('site_URL'));
    $viewer = $this->getViewer($request);
    $cssPath = Yeti_Layout::getLayoutFile('modules/AJAXChat/Chat.css');
    $viewer->assign('URLCSS', $baseUrl . $cssPath);
    $viewer->assign('URL', $baseUrl . 'libraries/AJAXChat/index.php');
    $viewer->view('Index.tpl', 'AJAXChat');
}
/**
 * Resolve a layout-relative file name against the configured default layout,
 * falling back to the viewer's default layout when the file is absent there.
 *
 * @param string $name path relative to a layout directory (e.g. 'modules/X/Y.css')
 * @return string path relative to the application root; for the fallback layout the
 *                file is returned without checking that it exists
 */
public static function getLayoutFile($name)
{
    // NOTE(review): $name is concatenated as-is; the only visible caller passes a literal path
    $configuredLayout = 'layouts/' . AppConfig::main('defaultLayout') . '/';
    $candidate = Vtiger_Loader::resolveNameToPath('~' . $configuredLayout . $name);
    if (is_file($candidate)) {
        return $configuredLayout . $name;
    }
    $fallbackLayout = 'layouts/' . Vtiger_Viewer::getDefaultLayoutName() . '/';
    return $fallbackLayout . $name;
}
/**
 * Render the login page, forwarding the status/error flags carried by the request
 * together with the login-view options from configuration.
 *
 * @param Vtiger_Request $request current request
 */
public function process(Vtiger_Request $request)
{
    $viewer = $this->getViewer($request);
    $moduleName = $request->getModule();
    // Request-supplied values are passed straight to the template; escaping is presumably the template's job — confirm
    $assignments = [
        'MODULE' => $moduleName,
        'ENABLED_MOBILE_MODULE' => in_array('mobileModule', vglobal('enabledServices')),
        'CURRENT_VERSION' => vglobal('YetiForce_current_version'),
        'LANGUAGE_SELECTION' => AppConfig::main('langInLoginView'),
        'LAYOUT_SELECTION' => AppConfig::main('layoutInLoginView'),
        'ERROR' => $request->get('error'),
        'FPERROR' => $request->get('fpError'),
        'STATUS' => $request->get('status'),
        'STATUS_ERROR' => $request->get('statusError'),
    ];
    foreach ($assignments as $key => $value) {
        $viewer->assign($key, $value);
    }
    $viewer->view('Login.tpl', 'Users');
}
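/**
 * Check that a file path resolves to a location inside the application root directory.
 *
 * The root comes from the 'root_directory' setting, falling back to the directory two
 * levels above this file. Both paths are normalised to forward slashes, and the root is
 * compared with a trailing separator so that a sibling directory whose name merely starts
 * with the root name is not accepted as "inside" the root. A path that does not exist
 * (realpath() returns false) fails the check.
 *
 * @param string $filepath path to verify; resolved with realpath()
 * @param bool $dieOnFail true to throw when the check fails, false to return false instead
 * @return bool true when the path is inside the root directory; false when it is not and $dieOnFail is false
 * @throws AppException when the check fails and $dieOnFail is true
 */
static function checkFileAccess($filepath, $dieOnFail = true)
{
    $rootDirectory = AppConfig::main('root_directory');
    if (empty($rootDirectory)) {
        $rootDirectory = realpath(dirname(__FILE__) . '/../../.');
    }
    $realFilePath = realpath($filepath);
    $isInsideRoot = false;
    if ($realFilePath !== false) {
        // Collapse doubled backslashes first, then switch every backslash to a forward slash
        $realFilePath = str_replace(['\\\\', '\\'], ['\\', '/'], $realFilePath);
        $rootDirPath = rtrim(str_replace(['\\\\', '\\'], ['\\', '/'], $rootDirectory), '/');
        // Case-insensitive comparison is kept for Windows file systems; the root itself or
        // anything below "<root>/" passes, "<root>2/..." does not
        $isInsideRoot = strcasecmp($realFilePath, $rootDirPath) === 0
            || stripos($realFilePath, $rootDirPath . '/') === 0;
    }
    if ($isInsideRoot) {
        return true;
    }
    if ($dieOnFail) {
        $log = LoggerManager::getInstance();
        $log->error(__CLASS__ . ':' . __FUNCTION__ . '(' . $filepath . ') - Sorry! Attempt to access restricted file. realfilepath: ' . print_r($realFilePath, true));
        throw new AppException('Sorry! Attempt to access restricted file.');
    }
    return false;
}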
/**
 * Render the mail action bar for one message (uid + folder), resolving the mail
 * account from the hash passed as rcId and looking up the related CRM record.
 *
 * @param Vtiger_Request $request current request
 * @throws NoPermittedException when rcId does not resolve to a mail account
 */
public function process(Vtiger_Request $request)
{
    $moduleName = $request->getModule();
    $uid = $request->get('uid');
    $folder = $request->get('folder');
    $accountHash = $request->get('rcId');
    $account = OSSMail_Record_Model::getAccountByHash($accountHash);
    if (!$account) {
        throw new NoPermittedException('LBL_PERMISSION_DENIED');
    }
    // From here on the account's user id replaces the request-supplied hash
    $mailViewModel = OSSMailView_Record_Model::getCleanInstance('OSSMailView');
    $record = $mailViewModel->checkMailExist($uid, $folder, $account['user_id']);
    $viewer = $this->getViewer($request);
    $viewer->assign('RECORD', $record);
    if ($record) {
        $viewer->assign('RELETED_RECORDS', $mailViewModel->getReletedRecords($record));
    }
    Vtiger_Module_Model::getModulesByLevel();
    $viewer->assign('MODULE_NAME', $moduleName);
    $viewer->assign('URL', AppConfig::main('site_URL'));
    $viewer->view('MailActionBar.tpl', $moduleName);
}
/**
 * Return the configured site URL, appending a trailing slash when it lacks one.
 *
 * @return string
 */
function GetSite_URL()
{
    $siteUrl = AppConfig::main('site_URL');
    $endsWithSlash = substr($siteUrl, -1) === '/';
    return $endsWithSlash ? $siteUrl : $siteUrl . '/';
}
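/**
 * Return whether a file exists and lies inside the application root directory.
 *
 * The root comes from the 'root_directory' setting, falling back to the directory two
 * levels above this file. Both paths are normalised to forward slashes, and the root is
 * compared with a trailing separator so that a sibling directory whose name merely starts
 * with the root name is not accepted. A path that does not exist (realpath() returns
 * false) is reported as not accessible.
 *
 * @param string $filepath path to verify; resolved with realpath()
 * @return bool true when the file resolves inside the root directory, false otherwise
 */
static function isFileAccessible($filepath)
{
    $rootDirectory = AppConfig::main('root_directory');
    if (empty($rootDirectory)) {
        $rootDirectory = realpath(dirname(__FILE__) . '/../../.');
    }
    $realFilePath = realpath($filepath);
    if ($realFilePath === false) {
        return false;
    }
    // Collapse doubled backslashes first, then switch every backslash to a forward slash
    $realFilePath = str_replace(['\\\\', '\\'], ['\\', '/'], $realFilePath);
    $rootDirPath = rtrim(str_replace(['\\\\', '\\'], ['\\', '/'], $rootDirectory), '/');
    // Case-insensitive comparison is kept for Windows file systems; the root itself or
    // anything below "<root>/" passes, "<root>2/..." does not
    return strcasecmp($realFilePath, $rootDirPath) === 0
        || stripos($realFilePath, $rootDirPath . '/') === 0;
}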
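/**
 * Build a printable backtrace of the current call stack, one frame per line.
 *
 * File paths are made relative to the configured root directory. Frames without a
 * file/line entry (e.g. internal calls) are printed with empty values instead of
 * triggering an undefined-index notice.
 *
 * @param int $ignore number of innermost frames to skip (default 2: this function and its caller)
 * @return string
 */
public static function getBacktrace($ignore = 2)
{
    // Prefix to strip is loop-invariant
    $rootPrefix = rtrim(AppConfig::main('root_directory'), '/') . DIRECTORY_SEPARATOR;
    $lines = [];
    foreach (debug_backtrace() as $index => $frame) {
        if ($index < $ignore) {
            continue;
        }
        $file = isset($frame['file']) ? str_replace($rootPrefix, '', $frame['file']) : '';
        $line = isset($frame['line']) ? $frame['line'] : '';
        $caller = isset($frame['class']) ? $frame['class'] . '->' : '';
        $lines[] = '#' . ($index - $ignore) . ' ' . $caller . $frame['function'] . '() in ' . $file . '(' . $line . '): ' . PHP_EOL;
    }
    return implode('', $lines);
}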
/**
 * Detect whether the task was started but never finished: it is still flagged as
 * running and more than the allowed execution time has elapsed since its last end
 * (or, when no end is recorded, its last start).
 *
 * @return bool
 */
function hadTimeout()
{
    if (!$this->isRunning()) {
        return false;
    }
    // PHP's own limit applies unless it is unlimited (0); then the cron-specific setting is used
    $allowedSeconds = intval(ini_get('max_execution_time'));
    if ($allowedSeconds == 0) {
        $allowedSeconds = AppConfig::main('maxExecutionCronTime');
    }
    $referenceTime = $this->getLastEnd();
    if ($referenceTime == 0) {
        $referenceTime = $this->getLastStart();
    }
    return time() > $referenceTime + $allowedSeconds;
}
} else { // Run all service $cronTasks = Vtiger_Cron::listAllActiveInstances(); } $cronStarts = date('Y-m-d H:i:s'); //set global current user permissions $current_user = vglobal('current_user'); $current_user = Users::getActiveAdminUser(); echo sprintf('--------------- %s | Start CRON ----------', date('Y-m-d H:i:s')) . PHP_EOL; foreach ($cronTasks as $cronTask) { try { // Timeout could happen if intermediate cron-tasks fails // and affect the next task. Which need to be handled in this cycle. if ($cronTask->hadTimeout()) { echo sprintf('%s | %s - Cron task had timedout as it was not completed last time it run' . PHP_EOL, date('Y-m-d H:i:s'), $cronTask->getName()); if (AppConfig::main('unblockedTimeoutCronTasks')) { $cronTask->unlockTask(); } } // Not ready to run yet? if ($cronTask->isRunning()) { $log->fatal($cronTask->getName() . ' - Task omitted, it has not been finished during the last scanning'); echo sprintf('%s | %s - Task omitted, it has not been finished during the last scanning' . PHP_EOL, date('Y-m-d H:i:s'), $cronTask->getName()); continue; } // Not ready to run yet? if (!$cronTask->isRunnable()) { $log->info($cronTask->getName() . ' - Not ready to run as the time to run again is not completed'); echo sprintf('%s | %s - Not ready to run as the time to run again is not completed' . PHP_EOL, date('Y-m-d H:i:s'), $cronTask->getName()); continue; }
/**
 * Front-controller entry point: initialise session/logging, resolve the handler for the
 * requested module + view/action, run the permission hooks around it and emit its response.
 *
 * Exceptions from the handler are logged and rendered via Vtiger_Functions::throwNewException;
 * when DISPLAY_DEBUG_BACKTRACE is enabled the trace is printed and processing stops.
 *
 * @param Vtiger_Request $request current request
 */
function process(Vtiger_Request $request)
{
    $log = LoggerManager::getLogger('System');
    vglobal('log', $log);
    Vtiger_Session::init();
    if (AppConfig::main('forceSSL') && !Vtiger_Functions::getBrowserInfo()->https) {
        // NOTE(review): no exit after this header, so the request keeps being processed over plain HTTP
        header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
    }
    // Better place this here as session get initiated
    // skipping the csrf checking for the forgot(reset) password flow and the Login action
    if (AppConfig::main('csrfProtection') && $request->get('mode') != 'reset' && $request->get('action') != 'Login') {
        require_once 'libraries/csrf-magic/csrf-magic.php';
        require_once 'config/csrf_config.php';
    }
    // TODO - Get rid of global variable $current_user
    // common utils api called, depend on this variable right now
    $currentUser = $this->getLogin();
    vglobal('current_user', $currentUser);
    $currentLanguage = Vtiger_Language_Handler::getLanguage();
    vglobal('current_language', $currentLanguage);
    $module = $request->getModule();
    // Qualified name keeps the "Settings:" prefix, used below to route settings pages
    $qualifiedModuleName = $request->getModule(false);
    if ($currentUser && $qualifiedModuleName) {
        $moduleLanguageStrings = Vtiger_Language_Handler::getModuleStringsFromFile($currentLanguage, $qualifiedModuleName);
        vglobal('mod_strings', $moduleLanguageStrings['languageStrings']);
    }
    if ($currentUser) {
        $moduleLanguageStrings = Vtiger_Language_Handler::getModuleStringsFromFile($currentLanguage);
        vglobal('app_strings', $moduleLanguageStrings['languageStrings']);
    }
    $view = $request->get('view');
    $action = $request->get('action');
    $response = false;
    try {
        if ($this->isInstalled() === false && $module != 'Install') {
            header('Location:install/Install.php');
            exit;
        }
        // No module given: pick the default landing page (or the login page when not logged in)
        if (empty($module)) {
            if ($this->hasLogin()) {
                $defaultModule = AppConfig::main('default_module');
                if (!empty($defaultModule) && $defaultModule != 'Home') {
                    $module = $defaultModule;
                    $qualifiedModuleName = $defaultModule;
                    $view = 'List';
                    if ($module == 'Calendar') {
                        // To load MyCalendar instead of list view for calendar
                        // TODO: see if it has to be enhanced and get the default view from module model
                        $view = 'Calendar';
                    }
                } else {
                    $module = 'Home';
                    $qualifiedModuleName = 'Home';
                    $view = 'DashBoard';
                }
            } else {
                $module = 'Users';
                $qualifiedModuleName = 'Settings:Users';
                $view = 'Login';
            }
            $request->set('module', $module);
            $request->set('view', $view);
        }
        // An action takes precedence over a view; a missing view defaults to Index
        if (!empty($action)) {
            $componentType = 'Action';
            $componentName = $action;
        } else {
            $componentType = 'View';
            if (empty($view)) {
                $view = 'Index';
            }
            $componentName = $view;
        }
        // Handler class is resolved from request-supplied names; any restriction on which
        // classes may be instantiated lives in Vtiger_Loader, not here
        $handlerClass = Vtiger_Loader::getComponentClassName($componentType, $componentName, $qualifiedModuleName);
        $handler = new $handlerClass();
        if ($handler) {
            vglobal('currentModule', $module);
            // presumably set by config/csrf_config.php included above — verify
            $csrfProtection = vglobal('csrfProtection');
            if ($csrfProtection) {
                // Ensure handler validates the request
                $handler->validateRequest($request);
            }
            if ($handler->loginRequired()) {
                $this->checkLogin($request);
            }
            // TODO : Need to review the design as there can potential security threat
            // Modules in this list bypass triggerCheckPermission; settings modules and Users go through checkPermission below
            $skipList = array('Users', 'Home', 'CustomView', 'Import', 'Export', 'Inventory', 'Vtiger', 'Migration', 'Install');
            if (!in_array($module, $skipList) && stripos($qualifiedModuleName, 'Settings') === false) {
                $this->triggerCheckPermission($handler, $request);
            }
            // Every settings page handler should implement this method
            if (stripos($qualifiedModuleName, 'Settings') === 0 || $module == 'Users') {
                $handler->checkPermission($request);
            }
            $notPermittedModules = array('ModComments', 'Integration', 'DashBoard');
            if (in_array($module, $notPermittedModules) && $view == 'List') {
                // NOTE(review): no exit after the redirect, so the handler below still runs for these modules
                header('Location:index.php?module=Home&view=DashBoard');
            }
            $this->triggerPreProcess($handler, $request);
            $response = $handler->process($request);
            $this->triggerPostProcess($handler, $request);
        } else {
            throw new AppException(vtranslate('LBL_HANDLER_NOT_FOUND'));
        }
    } catch (AppException $e) {
        $log->error($e->getMessage() . ' => ' . $e->getFile() . ':' . $e->getLine());
        Vtiger_Functions::throwNewException($e->getMessage(), false);
        if (AppConfig::debug('DISPLAY_DEBUG_BACKTRACE')) {
            exit('<pre>' . $e->getTraceAsString() . '</pre>');
        }
    } catch (NoPermittedToRecordException $e) {
        // No permissions for the record: rendered with a dedicated template
        $log->error($e->getMessage() . ' => ' . $e->getFile() . ':' . $e->getLine());
        Vtiger_Functions::throwNewException($e->getMessage(), false, 'NoPermissionsForRecord.tpl');
        if (AppConfig::debug('DISPLAY_DEBUG_BACKTRACE')) {
            exit('<pre>' . $e->getTraceAsString() . '</pre>');
        }
    } catch (Exception $e) {
        $log->error($e->getMessage() . ' => ' . $e->getFile() . ':' . $e->getLine());
        Vtiger_Functions::throwNewException($e->getMessage(), false);
        if (AppConfig::debug('DISPLAY_DEBUG_BACKTRACE')) {
            exit('<pre>' . $e->getTraceAsString() . '</pre>');
        }
    }
    if ($response) {
        $response->emit();
    }
}
/**
 * Move an uploaded file into the module's upload directory and record it as an attachment
 * (vtiger_crmentity + vtiger_attachments + vtiger_seattachmentsrel) linked to record $id.
 *
 * For the 'Image' attachment type, for uploads whose MIME type is image/*, and for the
 * Contacts and Products modules the file must pass validateImageFile(). For Contacts the
 * previous "Contacts Image" attachment is replaced; for Documents all previous links of the
 * record are removed before the new one is inserted.
 *
 * @param int $id entity id to which the file is attached
 * @param string $module current module name
 * @param array $file_details upload information (name, type, size, tmp_name, error; optional original_name)
 * @param string $attachmentType 'Attachment' (default) or 'Image'
 * @return bool true when the file was stored and recorded, false otherwise
 */
function uploadAndSaveFile($id, $module, $file_details, $attachmentType = 'Attachment')
{
    $log = LoggerManager::getInstance();
    // NOTE(review): $file_details is an array, so this interpolation yields "Array" plus a notice
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$file_details}) method.");
    $adb = PearDatabase::getInstance();
    $current_user = vglobal('current_user');
    $date_var = date("Y-m-d H:i:s");
    // Owner defaults to the current user when the record has no assignee
    $ownerid = $this->column_fields['assigned_user_id'];
    if (!isset($ownerid) || $ownerid == '') {
        $ownerid = $current_user->id;
    }
    if (isset($file_details['original_name']) && $file_details['original_name'] != null) {
        $file_name = $file_details['original_name'];
    } else {
        $file_name = $file_details['name'];
    }
    $saveFile = 'true';
    // Only images are allowed for the Image attachment type; MIME type is sniffed from the temp file, not taken from the client
    $mimeType = Vtiger_Functions::getMimeContentType($file_details['tmp_name']);
    $mimeTypeContents = explode('/', $mimeType);
    // For contacts and products we are sending attachmentType as value
    // (&& binds tighter than ||: the validation runs for type 'Image', or for a non-empty image/* upload)
    if ($attachmentType == 'Image' || $file_details['size'] && $mimeTypeContents[0] == 'image') {
        $saveFile = validateImageFile($file_details);
    }
    if ($saveFile == 'false') {
        return false;
    }
    // Strip the configured bad extensions from the client-supplied name before it touches the file system
    $binFile = sanitizeUploadFileName($file_name, AppConfig::main('upload_badext'));
    $current_id = $adb->getUniqueID('vtiger_crmentity');
    $filename = ltrim(basename(' ' . $binFile)); // allowed filename like UTF-8 characters
    $filetype = $file_details['type'];
    $filesize = $file_details['size'];
    $filetmp_name = $file_details['tmp_name'];
    // Target folder depends on the module
    $upload_file_path = decideFilePath($module);
    // Stored name is "<crmentity id>_<sanitized name>"; move_uploaded_file() returns a bool
    $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . '_' . $binFile);
    $save_file = 'true';
    // Only images are allowed for these modules (second validation, regardless of $attachmentType)
    if ($module == 'Contacts' || $module == 'Products') {
        $save_file = validateImageFile($file_details);
    }
    // Loose comparison: true == 'true' holds, false == 'true' does not
    if ($save_file == 'true' && $upload_status == 'true') {
        // This is only to update the attached filename in the vtiger_notes vtiger_table for the Notes module
        $params = ['crmid' => $current_id, 'smcreatorid' => $current_user->id, 'smownerid' => $ownerid, 'setype' => $module . " Image", 'description' => $this->column_fields['description'], 'createdtime' => $adb->formatDate($date_var, true), 'modifiedtime' => $adb->formatDate($date_var, true)];
        if ($module == 'Contacts' || $module == 'Products') {
            $params['setype'] = $module . " Image";
        } else {
            $params['setype'] = $module . " Attachment";
        }
        $adb->insert('vtiger_crmentity', $params);
        $params = ['attachmentsid' => $current_id, 'name' => $filename, 'description' => $this->column_fields['description'], 'type' => $filetype, 'path' => $upload_file_path];
        $adb->insert('vtiger_attachments', $params);
        // In edit mode the previously linked attachment is unlinked; fileid is read from the raw
        // request, purified, and bound as a query parameter scoped to this record's crmid
        if ($_REQUEST['mode'] == 'edit') {
            if ($id != '' && vtlib_purify($_REQUEST['fileid']) != '') {
                $delparams = [$id, vtlib_purify($_REQUEST['fileid'])];
                $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', $delparams);
            }
        }
        if ($module == 'Documents') {
            $adb->delete('vtiger_seattachmentsrel', 'crmid = ?', [$id]);
        }
        if ($module == 'Contacts') {
            // A contact keeps a single image: drop the old "Contacts Image" entity and its link first
            $att_sql = "select vtiger_seattachmentsrel.attachmentsid from vtiger_seattachmentsrel inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_seattachmentsrel.attachmentsid where vtiger_crmentity.setype='Contacts Image' and vtiger_seattachmentsrel.crmid=?";
            $res = $adb->pquery($att_sql, array($id));
            $attachmentsid = $adb->query_result($res, 0, 'attachmentsid');
            if ($attachmentsid != '') {
                $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', [$id, $attachmentsid]);
                $adb->delete('vtiger_crmentity', 'crmid = ?', [$attachmentsid]);
                $adb->insert('vtiger_seattachmentsrel', ['crmid' => $id, 'attachmentsid' => $current_id]);
            } else {
                $adb->insert('vtiger_seattachmentsrel', ['crmid' => $id, 'attachmentsid' => $current_id]);
            }
        } else {
            $adb->insert('vtiger_seattachmentsrel', ['crmid' => $id, 'attachmentsid' => $current_id]);
        }
        return true;
    } else {
        $log->debug("Skip the save attachment process.");
        return false;
    }
}
/**
 * Login action: verify the submitted credentials, populate the session on success and
 * redirect into the application; on failure record the attempt and redirect back to the
 * login page. Requests from a blocked source (brute-force protection) are redirected with
 * error=2 before any credential check.
 *
 * @param Vtiger_Request $request current request (username, password, optional mode/language/layout)
 */
function process(Vtiger_Request $request)
{
    $username = $request->get('username');
    $password = $request->get('password');
    // Post-install cleanup: removes the install directory, language files and the config template.
    // NOTE(review): this branch runs before the credentials are checked (doLogin is called below);
    // presumably only reachable right after installation — confirm the guard elsewhere
    if ($request->get('mode') == 'install') {
        $dirPath = 'install';
        Users_Module_Model::deleteLangFiles();
        $configTemplate = "config/config.template.php";
        if (file_exists($configTemplate)) {
            unlink($configTemplate);
        }
        Vtiger_Functions::recurseDelete($dirPath);
    }
    $checkBlocked = Settings_BruteForce_Module_Model::checkBlocked();
    $bruteForceSettings = Settings_BruteForce_Module_Model::getBruteForceSettings();
    if ($checkBlocked && $bruteForceSettings['active']) {
        Settings_BruteForce_Module_Model::sendNotificationEmail();
        header('Location: index.php?module=Users&parent=Settings&view=Login&error=2');
        exit;
    }
    $user = CRMEntity::getInstance('Users');
    $user->column_fields['user_name'] = $username;
    $moduleModel = Users_Module_Model::getInstance('Users');
    if ($user->doLogin($password)) {
        // Session id rotation after authentication is only performed when enabled in configuration
        if (AppConfig::main('session_regenerate_id')) {
            Vtiger_Session::regenerateId(true);
        } // to overcome session id reuse.
        $userid = $user->retrieve_user_id($username);
        Vtiger_Session::set('AUTHUSERID', $userid);
        // For Backward compatability
        // TODO Remove when switch-to-old look is not needed
        Vtiger_Session::set('authenticated_user_id', $userid);
        Vtiger_Session::set('app_unique_key', AppConfig::main('application_unique_key'));
        Vtiger_Session::set('authenticated_user_language', AppConfig::main('default_language'));
        Vtiger_Session::set('user_name', $username);
        Vtiger_Session::set('full_user_name', Vtiger_Functions::getUserRecordLabel($userid));
        // Language/layout choices from the login form are stored as submitted
        if ($request->has('language') && AppConfig::main('langInLoginView')) {
            Vtiger_Session::set('language', $request->get('language'));
        }
        if ($request->has('layout')) {
            Vtiger_Session::set('layout', $request->get('layout'));
        }
        // Enable session variables for KCFINDER (file manager); denied extensions come from upload_badext
        $_SESSION['KCFINDER'] = [];
        $_SESSION['KCFINDER']['disabled'] = false;
        $_SESSION['KCFINDER']['uploadURL'] = 'cache/upload';
        $_SESSION['KCFINDER']['uploadDir'] = '../../cache/upload';
        $deniedExts = implode(' ', AppConfig::main('upload_badext'));
        $_SESSION['KCFINDER']['deniedExts'] = $deniedExts;
        // End
        // Track the login History
        $moduleModel->saveLoginHistory($user->column_fields['user_name']);
        // End
        // Return target comes from the session, not the request, and is appended to index.php's
        // query string, so the redirect stays on this site
        if (isset($_SESSION['return_params'])) {
            $return_params = urldecode($_SESSION['return_params']);
            header("Location: index.php?{$return_params}");
            exit;
        } else {
            header('Location: index.php');
            exit;
        }
    } else {
        // Track the login History (failed attempt, with browser details)
        $browser = Settings_BruteForce_Module_Model::browserDetect();
        $moduleModel->saveLoginHistory($username, 'Failed login', $browser);
        header('Location: index.php?module=Users&parent=Settings&view=Login&error=1');
        exit;
    }
}
/**
 * Reject requests whose Referer header does not point back to this site.
 *
 * Only enforced when a Referer is present and a user is logged in; requests for the
 * Install module are exempt.
 *
 * @return bool true when the check passes (or does not apply)
 * @throws CsrfException when the referer does not start with the configured site URL
 */
protected function validateReferer()
{
    $currentUser = vglobal('current_user');
    if (!isset($_SERVER['HTTP_REFERER']) || !$currentUser) {
        return true;
    }
    // NOTE(review): plain prefix match — when site_URL has no trailing slash this also accepts
    // an origin whose host merely begins with ours; comparing against site_URL . '/' would be stricter
    $refererMatchesSite = stripos($_SERVER['HTTP_REFERER'], AppConfig::main('site_URL')) === 0;
    if (!$refererMatchesSite && $this->get('module') != 'Install') {
        throw new CsrfException('Illegal request');
    }
    return true;
}