//
// includes
include_once "../include/config.php";
include_once "../include/amberphplib/main.php";
// Start the login attempt from a clean slate: drop any stale error state and
// any previous user session data before anything else runs.
foreach (array("error", "user") as $session_key) {
    $_SESSION[$session_key] = array();
}
if (user_online()) {
    // user is already logged in!
    $_SESSION["error"]["message"][] = "You are already logged in!";
    $_SESSION["error"]["username_amberdms_bs"] = "error";
    $_SESSION["error"]["password_amberdms_bs"] = "error";
} else {
    // check & convert input
    if ($GLOBALS["config"]["instance"] == "hosted") {
        $instance = security_form_input("/^[0-9a-z]*\$/", "instance_amberdms_bs", 1, "Please provide a valid customer instance ID.");
    } else {
        $instance = NULL;
    }
    $username = @security_form_input_predefined("any", "username_amberdms_bs", 1, "Please enter a username.");
    $password = @security_form_input_predefined("any", "password_amberdms_bs", 4, "Please enter a password.");
    if ($_SESSION["error"]["message"]) {
        // errors occured
        header("Location: ../index.php?page=user/login.php");
        exit(0);
    }
    // call the user functions to authenticate the user and handle blacklisting
    $result = user_login($instance, $username, $password);
    if ($result == 1) {
        // login succeded
        // if user has been redirected to login from a previous page, lets take them to that page.
include_once "../include/amberphplib/main.php";
if (user_permissions_get("admin")) {
    /*
    	Load Data
    */
    // Numbering prefixes and code formats share one rule: alphanumerics,
    // underscore and dash, optionally followed by digits. Every one of them
    // is read with numchar=1 (presumably a minimum length / "required" flag
    // inside security_form_input - confirm there). Errors are suppressed
    // with @ exactly as in the per-field form of this code.
    $cfg_code_rule = "/^[A-Za-z0-9_\\-]*[0-9]*\$/";
    $cfg_code_fields = array(
        "ACCOUNTS_AP_INVOICENUM",
        "ACCOUNTS_AR_INVOICENUM",
        "ACCOUNTS_GL_TRANSNUM",
        "ACCOUNTS_QUOTES_NUM",
        "ACCOUNTS_CREDIT_NUM",
        "CODE_ACCOUNT",
        "CODE_CUSTOMER",
        "CODE_VENDOR",
        "CODE_PRODUCT",
        "CODE_PROJECT",
        "CODE_STAFF",
    );
    foreach ($cfg_code_fields as $cfg_field) {
        $data[$cfg_field] = @security_form_input($cfg_code_rule, $cfg_field, 1, "");
    }
    // Remaining options: field => array(predefined input type, numchar).
    // The order is kept identical to the original per-field reads so the
    // sequence of any recorded error messages is unchanged. Note that
    // TIMESHEET_BOOKTOFUTURE is read as "any", i.e. effectively unvalidated.
    $cfg_typed_fields = array(
        "ACCOUNTS_SERVICES_ADVANCEBILLING" => array("int", 1),
        "ACCOUNTS_SERVICES_DATESHIFT" => array("int", 1),
        "ACCOUNTS_TERMS_DAYS" => array("int", 0),
        "ACCOUNTS_AUTOPAY" => array("checkbox", 0),
        "ACCOUNTS_EMAIL_ADDRESS" => array("email", 1),
        "ACCOUNTS_EMAIL_AUTOBCC" => array("checkbox", 1),
        "ACCOUNTS_INVOICE_AUTOEMAIL" => array("checkbox", 0),
        "ACCOUNTS_INVOICE_BATCHREPORT" => array("checkbox", 0),
        "SERVICES_USAGEALERTS_ENABLE" => array("checkbox", 0),
        "ORDERS_BILL_ONSERVICE" => array("checkbox", 0),
        "ORDERS_BILL_ENDOFMONTH" => array("checkbox", 0),
        "TIMESHEET_BOOKTOFUTURE" => array("any", 0),
        "ACCOUNTS_INVOICE_LOCK" => array("int", 0),
        "ACCOUNTS_GL_LOCK" => array("int", 0),
        "JOURNAL_LOCK" => array("int", 0),
    );
    foreach ($cfg_typed_fields as $cfg_field => $cfg_spec) {
        $data[$cfg_field] = @security_form_input_predefined($cfg_spec[0], $cfg_field, $cfg_spec[1], "");
    }
    log_debug("start", "ERASED LOGGING AS PART OF USER SESSION CLEANUP");
    log_debug("start", "");
} else {
    // not an admin: wipe the error state and the user session
    $_SESSION["error"] = array();
    $_SESSION["user"] = array();
}
if (user_online()) {
    // user is already logged in!
    $_SESSION["error"]["message"][] = "You are already logged in!";
    $_SESSION["error"]["username_namedmanager"] = "error";
    $_SESSION["error"]["password_namedmanager"] = "error";
} else {
    // check & convert input
    $instance = NULL;
    $username = security_form_input("/^[A-Za-z0-9.]*\$/", "username_namedmanager", 1, "Please enter a username.");
    $password = security_form_input("/^\\S*\$/", "password_namedmanager", 1, "Please enter a password.");
    if ($_SESSION["error"]["message"]) {
        // errors occured
        header("Location: ../index.php?page=user/login.php");
        exit(0);
    }
    // call the user functions to authenticate the user and handle blacklisting
    $result = user_login($instance, $username, $password);
    if ($result == 1) {
        // login succeded
        // if user has been redirected to login from a previous page, lets take them to that page.
        if ($_SESSION["login"]["previouspage"]) {
            header("Location: ../index.php?" . $_SESSION["login"]["previouspage"] . "");
            $_SESSION["login"] = array();
            exit(0);
        } else {
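function security_form_input_predefined($type, $valuename, $numchar, $errormsg)
{
    /*
    	Validate one submitted form field ($_POST[$valuename]) against a
    	predefined input type and return the normalised value.

    	$type		"any", "date", "hourmins", "date_string", "int", "money",
    			"float", "email", "multiple_email", "ipv4", "ipv4_cidr",
    			"ipv6", "ipv6_cidr" or "checkbox". An unknown type prints
    			a warning and is treated as "any".
    	$valuename	the $_POST key. "date" reads $valuename_dd/_mm/_yyyy and
    			"hourmins" reads $valuename_hh/_mm instead.
    	$numchar	treated as "this field is required" by the branches that
    			are handled fully in this function (date, hourmins, money,
    			multiple_email); passed through unchanged to
    			security_form_input() for the regex-based types.
    	$errormsg	message appended to $_SESSION["error"]["message"] on
    			failure; "" means build one from the translated field name.

    	Returns the cleaned value (a string, or an int for hourmins and
    	checkbox) or the string "error" when validation fails. A failure is
    	also recorded in $_SESSION["error"] ("$valuename-error" flag plus the
    	message list) so the form can be re-rendered with the field marked.

    	The regex-based types delegate to security_form_input(), which lives
    	elsewhere in amberphplib; the money branch relies on it returning the
    	string "error" on failure.

    	Fixes relative to the previous revision:
    	- money/float: the decimal point in the regex was an unescaped "." and
    	  therefore matched any character ("12x34" passed as money).
    	- ipv4_cidr: the prefix part "[\/]*[1-9]*" rejected any prefix containing
    	  a 0 (e.g. /10, /20) and accepted /99; it is now /0 .. /32.
    	- ipv6_cidr: used split(), removed in PHP 7, and returned the prefix
    	  length to the caller without validating it at all.
    	- multiple_email: returned "error" without recording anything in
    	  $_SESSION["error"], unlike every other branch.
    */
    $expression = NULL;
    // Raw posted value for the branches that read the field directly. A
    // missing key or a non-string value (foo[]=... arrays) is treated as an
    // empty string so it never reaches the string/regex functions below.
    $posted = (isset($_POST[$valuename]) && is_string($_POST[$valuename])) ? $_POST[$valuename] : "";
    // run through the actions for each item type
    switch ($type) {
        case "any":
            $expression = "/^[\\S\\s]*\$/";
            break;
        case "date":
            // TODO: audit the error handling in this function, seems like it's generating
            // messages which are used for no reason.
            // if there is no errormsg supplied, set a default one by looking
            // up the translation of the fieldname and reporting it.
            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }
            // dates are a special field, since they have to be passed
            // from the form as 3 different inputs, but we want to re-assemble them
            // into a single YYYY-MM-DD format
            $date_dd = isset($_POST[$valuename . "_dd"]) ? intval($_POST[$valuename . "_dd"]) : 0;
            $date_mm = isset($_POST[$valuename . "_mm"]) ? intval($_POST[$valuename . "_mm"]) : 0;
            $date_yyyy = isset($_POST[$valuename . "_yyyy"]) ? intval($_POST[$valuename . "_yyyy"]) : 0;
            // initialised explicitly: the checks below only ever set it
            $errormsg_tmp = "";
            // make sure a date has been provided. Note this is a range check
            // only - the day is not checked against the month (no checkdate()).
            if ($numchar) {
                if ($date_dd < 1 || $date_dd > 31) {
                    $errormsg_tmp = "Invalid date input";
                }
                if ($date_mm < 1 || $date_mm > 12) {
                    $errormsg_tmp = "Invalid date input";
                }
                if ($date_yyyy < 1600 || $date_yyyy > 2999) {
                    $errormsg_tmp = "Invalid date input";
                }
            } else {
                // the date is not a required field, but we need to make sure any input is valid
                if ($date_dd > 31) {
                    $errormsg_tmp = "Invalid date input";
                }
                if ($date_mm > 12) {
                    $errormsg_tmp = "Invalid date input";
                }
                if ($date_yyyy > 2999) {
                    $errormsg_tmp = "Invalid date input";
                }
            }
            // make sure user has filled in all 3 date fields
            if ($date_dd && (!$date_mm || !$date_yyyy)) {
                $errormsg_tmp = "Invalid date input";
            }
            if ($date_mm && (!$date_dd || !$date_yyyy)) {
                $errormsg_tmp = "Invalid date input";
            }
            if ($date_yyyy && (!$date_dd || !$date_mm)) {
                $errormsg_tmp = "Invalid date input";
            }
            // pad dates
            $date_dd = sprintf("%02d", $date_dd);
            $date_mm = sprintf("%02d", $date_mm);
            $date_yyyy = sprintf("%04d", $date_yyyy);
            // join the dates
            $date_final = "{$date_yyyy}-{$date_mm}-{$date_dd}";
            if ($errormsg_tmp) {
                // there has been an error - flag the date field as being incorrect input.
                // $errormsg_tmp itself is never shown; the caller-supplied message is.
                $_SESSION["error"]["message"][] = $errormsg;
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
            } else {
                // save value incase of errors
                $_SESSION["error"][$valuename] = $date_final;
            }
            // return the value (even on error, matching the original behaviour)
            return $date_final;
        case "hourmins":
            // hourmins is a special field - we want to take
            // two fields (hours + mins) and add then together
            // to produce the number of seconds.
            // if there is no errormsg supplied, set a default one by looking
            // up the translation of the fieldname and reporting it.
            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }
            $time_hh = isset($_POST[$valuename . "_hh"]) ? intval($_POST[$valuename . "_hh"]) : 0;
            $time_mm = isset($_POST[$valuename . "_mm"]) ? intval($_POST[$valuename . "_mm"]) : 0;
            // caclulate the time in seconds
            $timestamp = $time_mm * 60 + $time_hh * 60 * 60;
            // make sure a value has been provided
            if ($numchar && $timestamp == 0) {
                $_SESSION["error"]["message"][] = $errormsg;
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
            } else {
                $_SESSION["error"][$valuename] = $timestamp;
            }
            return $timestamp;
        case "date_string":
            $expression = "/^[0-9]*-[0-9]*-[0-9]*\$/";
            break;
        case "int":
            $expression = "/^[0-9]*\$/";
            break;
        case "money":
            // if there is no errormsg supplied, set a default one by looking
            // up the translation of the fieldname and reporting it.
            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }
            // replace configs with standard symbols for processing
            $config_array = array($GLOBALS["config"]["CURRENCY_DEFAULT_SYMBOL"], $GLOBALS["config"]["CURRENCY_DEFAULT_THOUSANDS_SEPARATOR"], $GLOBALS["config"]["CURRENCY_DEFAULT_DECIMAL_SEPARATOR"]);
            $default_array = array("", "", ".");
            $formatted_string = str_replace($config_array, $default_array, $posted);
            // security_form_input() presumably reads $_POST itself, which is
            // why the normalised string is written back before calling it.
            $_POST[$valuename] = $formatted_string;
            // verify as a decimal number: digits, at most one literal ".", digits.
            // The dot must be escaped - an unescaped "." matched any character.
            $expression = "/^[0-9]*\\.?[0-9]*\$/";
            $value = security_form_input($expression, $valuename, $numchar, $errormsg);
            // perform padding
            if ($value != "error") {
                $value = sprintf("%0.2f", $value);
            }
            // trigger error if value is 0.00
            if ($numchar && $value == "0.00") {
                $_SESSION["error"]["message"][] = $errormsg;
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
            }
            return $value;
        case "float":
            // value could be a float, or an integer - we need to check for either
            if (preg_match("/^[0-9]*\$/", $posted)) {
                // is an int
                $expression = "/^[0-9]*\$/";
            } else {
                // not all digits, so a valid value must contain a literal "."
                // (escaped here; an unescaped "." matched any character)
                $expression = "/^[0-9]*\\.[0-9]*\$/";
            }
            break;
        case "email":
            $expression = "/^([A-Za-z0-9._-])+\\@(([A-Za-z0-9-])+\\.)+([A-Za-z0-9])+\$/";
            break;
        case "multiple_email":
            // if there is no errormsg supplied, set a default one by looking
            // up the translation of the fieldname and reporting it.
            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }
            // Single email address, optionally wrapped in <>; group 1 is the bare address
            $email_regex = "/^<?(([A-Za-z0-9._-])+\\@(([A-Za-z0-9-])+\\.)+([A-Za-z0-9])+)>?\$/";
            // Whole email address string
            $expression = "/^(([A-Za-z0-9._-])+\\@(([A-Za-z0-9-])+\\.)+([A-Za-z0-9])+,?\\s?)+\$/";
            // split at spaces and commas, keep only the parts that are an address
            $email_addresses = array();
            foreach (preg_split("/[\\s,]+/", $posted) as $email_address_string_part) {
                if (preg_match($email_regex, $email_address_string_part, $matches) && $matches[1] != '') {
                    $email_addresses[] = $matches[1];
                }
            }
            // implode the email addresses using a comma and a space
            $new_email_address_string = implode(", ", $email_addresses);
            if ($new_email_address_string === "") {
                // nothing usable was supplied. Only an error when the field is
                // required; otherwise return null as the previous revision did.
                if ($numchar) {
                    $_SESSION["error"]["message"][] = $errormsg;
                    $_SESSION["error"]["" . $valuename . "-error"] = 1;
                    $_SESSION["error"][$valuename] = 0;
                    return "error";
                }
                return NULL;
            }
            // recheck the rebuilt string as a whole; if it passes, return it
            if (preg_match($expression, $new_email_address_string, $matches) && $matches[0] == $new_email_address_string) {
                // save value incase of errors elsewhere on the form
                $_SESSION["error"][$valuename] = $matches[0];
                return $matches[0];
            }
            $_SESSION["error"]["message"][] = $errormsg;
            $_SESSION["error"]["" . $valuename . "-error"] = 1;
            $_SESSION["error"][$valuename] = 0;
            return "error";
        case "ipv4":
            $expression = "/^(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)(?:[.](?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)){3}\$/";
            break;
        case "ipv4_cidr":
            // dotted quad with an optional "/prefix"; the prefix, when given, must
            // be 0..32 (the old "[1-9]*" rejected /10, /20, /30 and allowed /99).
            // A bare trailing "/" is still tolerated for backward compatibility.
            $expression = "/^(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)(?:[.](?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)){3}(?:\\/(?:3[0-2]|[12]?[0-9])?)?\$/";
            break;
        case "ipv6":
            if (filter_var($posted, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
                return $posted;
            } else {
                // there has been an error - flag the field as being incorrect input
                $_SESSION["error"]["message"][] = "Provided address is not a valid IPv6 address";
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
                return "error";
            }
        case "ipv6_cidr":
            // split() was removed in PHP 7; explode() gives the same "network/prefix" split.
            $cidr_parts = explode("/", $posted, 2);
            $network = $cidr_parts[0];
            $cidr = isset($cidr_parts[1]) ? $cidr_parts[1] : "";
            if (!filter_var($network, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
                // there has been an error - flag the field as being incorrect input
                $_SESSION["error"]["message"][] = "Provided address is not a valid IPv6 address";
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
                return "error";
            }
            // The prefix length used to be returned to the caller unvalidated.
            // Accept only a plain integer 0..128; an absent prefix is still
            // tolerated (the result is then "address/"), as ipv4_cidr does.
            if ($cidr !== "" && (!preg_match("/^[0-9]{1,3}\$/", $cidr) || intval($cidr) > 128)) {
                $_SESSION["error"]["message"][] = "Provided prefix length is not a valid IPv6 CIDR prefix (0-128)";
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
                return "error";
            }
            return "{$network}/{$cidr}";
        case "checkbox":
            // any truthy posted value counts as ticked; a missing key is unticked
            if (!empty($_POST[$valuename])) {
                $_SESSION["error"][$valuename] = 1;
                return 1;
            } else {
                $_SESSION["error"][$valuename] = 0;
                return 0;
            }
        default:
            // $type comes from the call site, not from the request
            print "Warning: No such security check for type {$type}<br>";
            $expression = "/^[\\S\\s]*\$/";
            break;
    }
    return security_form_input($expression, $valuename, $numchar, $errormsg);
}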
 /*
 	Form Input
 */
 $obj_name_server_group = new name_server_group();
 // An id of 0 (or an empty/invalid id field) means we are creating a new group.
 $obj_name_server_group->id = security_form_input_predefined("int", "id_name_server_group", 0, "");
 if ($obj_name_server_group->id) {
     // editing: the group must already exist before its current data is loaded
     if ($obj_name_server_group->verify_id()) {
         $obj_name_server_group->load_data();
     } else {
         log_write("error", "process", "The name server group you have attempted to edit - {$obj_name_server_group->id} - does not exist in this system.");
     }
 }
 // basic fields: the name is restricted to word characters, the description is free text
 $group_name_rule = "/^\\w*\$/";
 $obj_name_server_group->data["group_name"] = security_form_input($group_name_rule, "group_name", 1, "Group name must be a alpha numeric word with optional underscores - no spaces or other symbols.");
 $obj_name_server_group->data["group_description"] = security_form_input_predefined("any", "group_description", 0, "");
 /*
 	Verify Data
 */
 // the group name must not collide with an existing group
 if ($obj_name_server_group->verify_group_name() == false) {
     log_write("error", "process", "The requested group name already exists, have you checked that the group you're trying to add doesn't already exist?");
     error_flag_field("group_name");
 }
 /*
 	Process Data
 */
 if (error_check()) {
     if ($obj_name_server_group->id) {
         $_SESSION["error"]["form"]["name_server_group_edit"] = "failed";
         $obj_name_server->data["route53_access_key"] = security_form_input_predefined("any", "route53_access_key", 1, "");
         $obj_name_server->data["route53_secret_key"] = security_form_input_predefined("any", "route53_secret_key", 0, "");
         // we store both credentials in the single api filed as serialized keys
         if (empty($obj_name_server->data["route53_secret_key"]) && !empty($obj_name_server->data["api_auth_key"])) {
             // we have existing credetials, unserize the old secret key and pass it back.
             $keys = unserialize($obj_name_server->data["api_auth_key"]);
             $obj_name_server->data["route53_secret_key"] = $keys["route53_secret_key"];
         } else {
             // new credentials,generate an array to serialize
             $keys = array('route53_access_key' => $obj_name_server->data["route53_access_key"], 'route53_secret_key' => $obj_name_server->data["route53_secret_key"]);
         }
         $obj_name_server->data["api_auth_key"] = serialize($keys);
         break;
     case "api":
     default:
         $obj_name_server->data["server_name"] = security_form_input("/^\\S*\$/", "server_name", 1, "Must be a valid hostname.");
         $obj_name_server->data["server_primary"] = security_form_input_predefined("checkbox", "server_primary", 0, "");
         $obj_name_server->data["server_record"] = security_form_input_predefined("checkbox", "server_record", 0, "");
         $obj_name_server->data["api_auth_key"] = security_form_input_predefined("any", "api_auth_key", 1, "");
         break;
 }
 // Other basic fields, read in this order: field => array(predefined type, numchar)
 $ns_basic_fields = array(
     "server_description" => array("any", 0),
     "id_group" => array("int", 1),
 );
 foreach ($ns_basic_fields as $ns_field_name => $ns_field_spec) {
     $obj_name_server->data[$ns_field_name] = security_form_input_predefined($ns_field_spec[0], $ns_field_name, $ns_field_spec[1], "");
 }
 /*
 	Verify Data
 */
 // ensure the server name is unique
 if (!$obj_name_server->verify_server_name()) {
     log_write("error", "process", "The requested server name already exists, have you checked that the server you're trying to add doesn't already exist?");
     error_flag_field("server_name");