From ccdfd96f562bc7119edbb54c5d869d8faffdc306 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Thu, 15 Aug 2024 23:52:25 +0100
Subject: [PATCH] Tickets & Tasks
- Add ability to un-complete/undo a completed task
- Require CSRF verification when deleting tickets and tasks
---
 post/tasks.php | 31 +++++++++++++++++++++++++++++++
 post/ticket.php | 3 +++
 ticket.php | 13 +++++++++----
 3 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/post/tasks.php b/post/tasks.php
index f3cc71f8c..fff81f4a5 100644
--- a/post/tasks.php
+++ b/post/tasks.php
@@ -61,6 +61,9 @@
 validateTechRole();
+ // CSRF Check
+ validateCSRFToken($_GET['csrf_token']);
+
 $task_id = intval($_GET['delete_task']);
 // Get Client ID, task name from tasks and tickets using the task_id 
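Review bot: `validateCSRFToken($_GET['csrf_token'])` reads the key without a guard, so a request that simply omits the parameter raises an "Undefined array key" warning and hands `null` to the validator; whether `null` is rejected then depends on how `validateCSRFToken` compares it, which is not visible here. Prefer `validateCSRFToken($_GET['csrf_token'] ?? '');` so the validator always receives a string and the warning disappears. Note that the delete is still triggered by a GET link, so the token now becomes part of a URL that ends up in browser history, access logs and the Referer header; that is an inherent limit of token-in-URL, and moving the action to a POST form would close it. The enclosing `if (isset($_GET['delete_task']))` block begins and ends outside this hunk.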
@@ -105,5 +108,33 @@
 $_SESSION['alert_message'] = "You completed Task $task_name Great Job!";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
+}
+
+if (isset($_GET['undo_complete_task'])) {
+
+ validateTechRole();
+
+ $task_id = intval($_GET['undo_complete_task']);
+
+ // Get Client ID
+ $sql = mysqli_query($mysqli, "SELECT * FROM tasks LEFT JOIN tickets ON ticket_id = task_ticket_id WHERE task_id = $task_id");
+ $row = mysqli_fetch_array($sql);
+ $client_id = intval($row['ticket_client_id']);
+ $task_name = sanitizeInput($row['task_name']);
+ $ticket_id = intval($row['ticket_id']);
+
+ mysqli_query($mysqli, "UPDATE tasks SET task_completed_at = NULL, task_completed_by = NULL WHERE task_id = $task_id");
+
+ // Add reply
+ mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Undo Completed Task - $task_name', ticket_reply_time_worked = '00:01:00', ticket_reply_type = 'Internal', ticket_reply_by = $session_user_id, ticket_reply_ticket_id = $ticket_id");
+
+ $ticket_reply_id = mysqli_insert_id($mysqli);
+
+ // Logging
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Task', log_action = 'Edit', log_description = '$session_name un-completed task $task_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $task_id");
+
+ $_SESSION['alert_message'] = "You marked Task $task_name as incomplete";
+ header("Location: " . $_SERVER["HTTP_REFERER"]);
 }
\ No newline at end of file
diff --git a/post/ticket.php b/post/ticket.php
index 0ff1d3ae2..2609c8914 100644
--- a/post/ticket.php
+++ b/post/ticket.php
@@ -629,6 +629,9 @@
 validateAdminRole();
+ // CSRF Check
+ validateCSRFToken($_GET['csrf_token']);
+
 $ticket_id = intval($_GET['delete_ticket']);
 // Get Ticket and Client ID for logging and alert message
diff --git a/ticket.php b/ticket.php
index a06509112..dc96f2799 100644
--- a/ticket.php
+++ b/ticket.php 
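Review bot: The new `undo_complete_task` branch is a state-changing GET handler with no CSRF check, even though the same commit adds `validateCSRFToken($_GET['csrf_token'])` to `delete_task` in the hunk above; a link or `<img>` pointing at `?undo_complete_task=N` would re-open a task on behalf of any logged-in tech. It also never checks that the SELECT matched a row: with an unknown id `$row` is `false`, `$ticket_id` and `$client_id` become `0`, the UPDATE is a no-op, but a ticket reply with `ticket_reply_ticket_id = 0` and a log row with `log_client_id = 0` are still written. Add the token check after `validateTechRole()` and bail out when `$row` is empty, as below; `$ticket_reply_id` is assigned but never read and can be dropped. The string values interpolated into the INSERTs (`$task_name`, `$session_name`, `$session_user_agent`) are only as safe as `sanitizeInput` and the session bootstrap, neither of which is visible here.
```php
if (isset($_GET['undo_complete_task'])) {

    validateTechRole();

    // CSRF Check - same guard the commit adds to delete_task; this handler changes state too
    validateCSRFToken($_GET['csrf_token'] ?? '');

    // … unchanged: $task_id parse, SELECT on tasks LEFT JOIN tickets …
    $row = mysqli_fetch_array($sql);

    // Unknown task id: stop before writing a reply/log against ticket 0 / client 0
    if (!$row) {
        $_SESSION['alert_message'] = "Task not found";
        header("Location: " . $_SERVER["HTTP_REFERER"]);
        exit();
    }

    // … unchanged: client/ticket lookup, UPDATE, reply insert, logging, redirect …
```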
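Review bot: `validateCSRFToken($_GET['csrf_token'])` has the same unguarded read as the tasks.php change: a request without the parameter raises an "Undefined array key" warning and passes `null` to the validator, so rejection depends on behaviour of `validateCSRFToken` that this diff does not show; `validateCSRFToken($_GET['csrf_token'] ?? '');` keeps the argument a string. Because ticket deletion is still a GET link, the token now travels in a URL that is recorded in access logs and browser history and is sent as the Referer to whatever page follows, and the handlers in this same patch redirect straight to `$_SERVER["HTTP_REFERER"]`. A POST form for the delete action would remove that exposure. The enclosing `if (isset($_GET['delete_ticket']))` block starts and ends outside this hunk.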
@@ -50,7 +50,7 @@
 $ticket_prefix = nullable_htmlentities($row['ticket_prefix']);
 $ticket_number = intval($row['ticket_number']);
 $ticket_category = intval($row['ticket_category']);
- $ticket_category_display = htmlentities($row['category_name']);
+ $ticket_category_display = nullable_htmlentities($row['category_name']);
 $ticket_subject = nullable_htmlentities($row['ticket_subject']);
 $ticket_details = $purifier->purify($row['ticket_details']);
 $ticket_priority = nullable_htmlentities($row['ticket_priority']);
@@ -502,7 +502,7 @@
- + Delete
@@ -916,7 +916,7 @@
 $task_id = intval($row['task_id']);
 $task_name = nullable_htmlentities($row['task_name']);
 $task_order = intval($row['task_order']);
- $task_description = nullable_htmlentities($row['task_description']);
+ //$task_description = nullable_htmlentities($row['task_description']); // not in db yet
 $task_completed_at = nullable_htmlentities($row['task_completed_at']);
 ?>
@@ -940,8 +940,13 @@
 Edit + + + Mark incomplete + + - + Delete
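Review bot: In the `@@ -916` hunk the `$task_description` assignment is commented out with `// not in db yet` rather than removed, leaving dead code in the template loop that git history already preserves. Either delete the line outright, or if the column is about to land keep a working form that tolerates both schemas, e.g. `$task_description = nullable_htmlentities($row['task_description'] ?? null);`. The surrounding PHP block and the markup that would consume `$task_description` lie outside the hunk, so I cannot tell from here whether anything still references it.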