+/*
+ Conversion of old security roles stored into $security_groups table
+*/
+function convert_roles($pref)
+{
+ global $security_groups, $security_headings, $security_areas, $path_to_root;
+ include_once($path_to_root."/includes/access_levels.inc");
+
+ $trans_sec = array(
+ 1 => array('SA_CHGPASSWD', 'SA_SETUPDISPLAY', 'SA_BANKTRANSVIEW',
+ 'SA_ITEMSTRANSVIEW','SA_SUPPTRANSVIEW', 'SA_SALESORDER',
+ 'SA_SALESALLOC', 'SA_SALESTRANSVIEW'),
+ 2 => array('SA_DIMTRANSVIEW', 'SA_STANDARDCOST', 'SA_ITEMSTRANSVIEW',
+ 'SA_ITEMSSTATVIEW', 'SA_SALESPRICE', 'SA_MANUFTRANSVIEW',
+ 'SA_WORKORDERANALYTIC', 'SA_WORKORDERCOST', 'SA_SUPPTRANSVIEW',
+ 'SA_SUPPLIERALLOC', 'SA_STEMPLATE', 'SA_SALESTRANSVIEW',
+ 'SA_SALESINVOICE', 'SA_SALESDELIVERY', 'SA_CUSTPAYMREP',
+ 'SA_CUSTBULKREP', 'SA_PRICEREP', 'SA_SALESBULKREP', 'SA_SALESMANREP',
+ 'SA_SALESBULKREP', 'SA_CUSTSTATREP', 'SA_SUPPLIERANALYTIC',
+ 'SA_SUPPPAYMREP', 'SA_SUPPBULKREP', 'SA_ITEMSVALREP', 'SA_ITEMSANALYTIC',
+ 'SA_BOMREP', 'SA_MANUFBULKREP', 'SA_DIMENSIONREP', 'SA_BANKREP', 'SA_GLREP',
+ 'SA_GLANALYTIC', 'SA_TAXREP', 'SA_SALESANALYTIC', 'SA_SALESQUOTE'),
+ 3 => array('SA_GLACCOUNTGROUP', 'SA_GLACCOUNTCLASS','SA_PAYMENT',
+ 'SA_DEPOSIT', 'SA_JOURNALENTRY', 'SA_INVENTORYMOVETYPE',
+ 'SA_LOCATIONTRANSFER', 'SA_INVENTORYADJUSTMENT', 'SA_WORKCENTRES',
+ 'SA_MANUFISSUE', 'SA_SUPPLIERALLOC', 'SA_CUSTOMER', 'SA_CRSTATUS',
+ 'SA_SALESMAN', 'SA_SALESAREA', 'SA_SALESALLOC', 'SA_SALESCREDITINV',
+ 'SA_SALESPAYMNT', 'SA_SALESCREDIT', 'SA_SALESGROUP', 'SA_SRECURRENT',
+ 'SA_TAXRATES', 'SA_ITEMTAXTYPE', 'SA_TAXGROUPS', 'SA_QUICKENTRY'),
+ 4 => array('SA_REORDER', 'SA_PURCHASEPRICING', 'SA_PURCHASEORDER'),
+ 5 => array('SA_VIEWPRINTTRANSACTION', 'SA_BANKTRANSFER', 'SA_SUPPLIER',
+ 'SA_SUPPLIERINVOICE', 'SA_SUPPLIERPAYMNT', 'SA_SUPPLIERCREDIT'),
+ 8 => array('SA_ATTACHDOCUMENT', 'SA_RECONCILE', 'SA_GLANALYTIC',
+ 'SA_TAXREP', 'SA_BANKTRANSVIEW', 'SA_GLTRANSVIEW'),
+ 9 => array('SA_FISCALYEARS', 'SA_CURRENCY', 'SA_EXCHANGERATE',
+ 'SA_BOM'),
+ 10 => array('SA_PAYTERMS', 'SA_GLSETUP', 'SA_SETUPCOMPANY',
+ 'SA_FORMSETUP', 'SA_DIMTRANSVIEW', 'SA_DIMENSION', 'SA_BANKACCOUNT',
+ 'SA_GLACCOUNT', 'SA_BUDGETENTRY', 'SA_MANUFRECEIVE',
+ 'SA_MANUFRELEASE', 'SA_WORKORDERENTRY', 'SA_MANUFTRANSVIEW',
+ 'SA_WORKORDERCOST'),
+ 11 => array('SA_ITEMCATEGORY', 'SA_ITEM', 'SA_UOM', 'SA_INVENTORYLOCATION',
+ 'SA_GRN', 'SA_FORITEMCODE', 'SA_SALESKIT'),
+ 14 => array('SA_SHIPPING', 'SA_VOIDTRANSACTION', 'SA_SALESTYPES'),
+ 15 => array('SA_PRINTERS', 'SA_PRINTPROFILE', 'SA_BACKUP', 'SA_USERS',
+ 'SA_POSSETUP'),
+ 20 => array('SA_CREATECOMPANY', 'SA_CREATELANGUAGE', 'SA_CREATEMODULES',
+ 'SA_SOFTWAREUPGRADE', 'SA_SECROLES', 'SA_DIMTAGS', 'SA_GLACCOUNTTAGS')
+ );
+ $new_ids = array();
+ foreach ($security_groups as $role_id => $areas) {
+ $area_set = array();
+ $sections = array();
+ foreach ($areas as $a) {
+ if (isset($trans_sec[$a]))
+ foreach ($trans_sec[$a] as $id) {
+ if ($security_areas[$id][0] != 0)
+// error_log('invalid area id: '.$a.':'.$id);
+ $area_set[] = $security_areas[$id][0];
+ $sections[$security_areas[$id][0]&~0xff] = 1;
+ }
+ }
+ $sections = array_keys($sections);
+ sort($sections); sort($area_set);
+ import_security_role($security_headings[$role_id], $sections, $area_set);
+ $new_ids[$role_id] = db_insert_id();
+ }
+ $result = get_users(true);
+ $users = array();
+ while($row = db_fetch($result)) { // complete old user ids and roles
+ $users[$row['role_id']][] = $row['id'];
+ }
+ foreach($users as $old_id => $uids)
+ foreach( $uids as $id) {
+ $sql = "UPDATE ".TB_PREF."users set role_id=".$new_ids[$old_id].
+ " WHERE id=$id";
+ $ret = db_query($sql, 'cannot update users roles');
+ if(!$ret) return false;
+ }
+ return true;
+}
+
+function import_security_role($name, $sections, $areas)
+{
+ $sql = "INSERT INTO ".TB_PREF."security_roles (role, description, sections, areas)
+ VALUES (".db_escape('FA 2.1 '.$name).",".db_escape($name).","
+ .db_escape(implode(';',$sections)).",".db_escape(implode(';',$areas)).")";
+
+ db_query($sql, "could not add new security role");
+}
+
+/*
+ Changes in extensions system.
+ This function is executed once on first Upgrade System display.
+*/
+function fix_extensions() {
+ global $path_to_root, $db_connections;
+
+ if (!file_exists($path_to_root.'/modules/installed_modules.php'))
+ return true; // already converted
+
+ if (!is_writable($path_to_root.'/modules/installed_modules.php')) {
+ display_error(_('Cannot upgrade extensions system: file /modules/installed_modules.php is not writeable'));
+ return false;
+ }
+
+ $exts = array();
+ include($path_to_root.'/installed_extensions.php');
+ foreach($installed_extensions as $ext) {
+ $ext['filename'] = $ext['app_file']; unset($ext['app_file']);
+ $ext['tab'] = $ext['name'];
+ $ext['name'] = access_string($ext['title'], true);
+ $ext['path'] = $ext['folder']; unset($ext['folder']);
+ $ext['type'] = 'extension';
+ $ext['active'] = '1';
+ $exts[] = $ext;
+ }
+
+ if (!write_extensions($exts))
+ return false;
+
+ $cnt = count($db_connections);
+ for ($i = 0; $i < $cnt; $i++)
+ write_extensions($exts, $i);
+
+ unlink($path_to_root.'/modules/installed_modules.php');
+ return true;
+}
+
+/*
+ Find and update all database records with special chars in text fields
+ to ensure all of them are changed to html entites.
+*/
+function sanitize_database($pref, $test = false) {
+
+ if ($test)
+ error_log('Sanitizing database ...');
+
+ $tsql = "SHOW TABLES LIKE '".($pref=='' ? '' : substr($pref,0,-1).'\\_')."%'";
+ $tresult = db_query($tsql, "Cannot select all tables with prefix '$pref'");
+ while($tbl = db_fetch($tresult)) {
+ $table = $tbl[0];
+ $csql = "SHOW COLUMNS FROM $table";
+ $cresult = db_query($csql, "Cannot select column names for table '$table'");
+ $textcols = $keys = array();
+ while($col = db_fetch($cresult)) {
+ if (strpos($col['Type'], 'char')!==false
+ || strpos($col['Type'], 'text')!==false)
+ $textcols[] = '`'.$col['Field'].'`';
+ if ($col['Key'] == 'PRI') {
+ $keys[] = '`'.$col['Field'].'`';
+ }
+ }
+
+ if (empty($keys)) { // comments table have no primary key, so give up
+ continue;
+ }
+ if ($test)
+ error_log("Table $table (".implode(',',$keys)."):(".implode(',',$textcols)."):");
+
+ if (!count($textcols)) continue;
+
+ // fetch all records containing special characters in text fields
+ $sql = "SELECT ".implode(',', array_unique(array_merge($keys,$textcols)))
+ ." FROM {$table} WHERE
+ CONCAT(".implode(',', $textcols).") REGEXP '[\\'\"><&]'";
+ $result = db_query($sql, "Cannot select all suspicious fields in $table");
+
+ // and fix them
+ while($rec= db_fetch($result)) {
+ $sql = "UPDATE {$table} SET ";
+ $val = $key = array();
+ foreach ($textcols as $f) {
+ $val[] = $f.'='.db_escape($rec[substr($f,1,-1)]);
+ }
+ $sql .= implode(',', $val). ' WHERE ';
+ foreach ($keys as $k) {
+ $key[] = $k.'=\''.$rec[substr($k,1,-1)].'\'';
+ }
+ $sql .= implode( ' AND ', $key);
+ if ($test)
+ error_log("\t(".implode(',',$val).") updated");
+ else
+ db_query($sql, 'cannot update record');
+ }
+ }
+ if ($test)
+ error_log('Sanitizing done.');
+}
+