X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=admin%2Fattachments.php;h=2f41d80c14cc15cef973f5dedb2e4b3b0b1232e9;hb=c85c10b86be48b2b1df728f4751adbb38f2ac8d4;hp=4d75a5087f35bacc2536269eff61a6b01369498c;hpb=953b3605810699962454b624e19bd0779b17e7f7;p=fa-stable.git diff --git a/admin/attachments.php b/admin/attachments.php index 4d75a508..2f41d80c 100644 --- a/admin/attachments.php +++ b/admin/attachments.php @@ -12,16 +12,19 @@ $path_to_root=".."; $page_security = 'SA_ATTACHDOCUMENT'; +include_once($path_to_root . "/includes/db_pager.inc"); include_once($path_to_root . "/includes/session.inc"); include_once($path_to_root . "/includes/date_functions.inc"); include_once($path_to_root . "/includes/ui.inc"); include_once($path_to_root . "/includes/data_checks.inc"); +include_once($path_to_root . "/admin/db/attachments_db.inc"); +include_once($path_to_root . "/admin/db/transactions_db.inc"); if (isset($_GET['vw'])) $view_id = $_GET['vw']; else -$view_id = find_submit('view'); + $view_id = find_submit('view'); if ($view_id != -1) { $row = get_attachment($view_id); @@ -33,11 +36,11 @@ if ($view_id != -1) $type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream'; header("Content-type: ".$type); header('Content-Length: '.$row['filesize']); - if ($type == 'application/octet-stream') - header('Content-Disposition: attachment; filename='.$row['filename']); - else + //if ($type == 'application/octet-stream') + // header('Content-Disposition: attachment; filename='.$row['filename']); + //else header("Content-Disposition: inline"); - echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']); + echo file_get_contents(company_path(). "/attachments/".$row['unique_name']); exit(); } } 
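Review bot: With the `application/octet-stream` branch commented out in the view path, every attachment is now sent with `Content-Disposition: inline` under whatever `Content-type` is stored in `$row['filetype']`, and the upload code later in this diff fills that column from `$_FILES['filename']['type']`, a value chosen by the uploading client. A file labelled as HTML or SVG would therefore be rendered in the application's own origin for any user who clicks View. I would keep inline display only for an explicit allowlist of passive types (images, PDF, plain text) and otherwise send `header('Content-Disposition: attachment');`, and add `header('X-Content-Type-Options: nosniff');` next to the `Content-type` header. The three commented-out lines should be deleted rather than left in place, with a short comment stating why inline display is permitted.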
@@ -59,7 +62,7 @@ if ($download_id != -1) header("Content-type: ".$type); header('Content-Length: '.$row['filesize']); header('Content-Disposition: attachment; filename='.$row['filename']); - echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']); + echo file_get_contents(company_path()."/attachments/".$row['unique_name']); exit(); } } @@ -76,15 +79,18 @@ if (isset($_GET['filterType'])) // catch up external links $_POST['filterType'] = $_GET['filterType']; if (isset($_GET['trans_no'])) $_POST['trans_no'] = $_GET['trans_no']; - + if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM') { - if (isset($_FILES['filename']) && $_FILES['filename']['size'] > 0) - { + if (!transaction_exists($_POST['filterType'], $_POST['trans_no'])) + display_error(_("Selected transaction does not exists.")); + elseif ($Mode == 'ADD_ITEM' && (!isset($_FILES['filename']) || $_FILES['filename']['size'] == 0)) + display_error(_("Select attachment file.")); + else { //$content = base64_encode(file_get_contents($_FILES['filename']['tmp_name'])); $tmpname = $_FILES['filename']['tmp_name']; - $dir = $comp_path."/".user_company(). "/attachments"; + $dir = company_path()."/attachments"; if (!file_exists($dir)) { mkdir ($dir,0777); 
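Review bot: The `Content-Disposition` header on the download path still concatenates `$row['filename']` unquoted, so a stored name containing spaces, semicolons or quotes yields a malformed or ambiguous header; the `basename()` call added at upload time does not remove those characters. Quote and sanitise the value where it is emitted, e.g. `header('Content-Disposition: attachment; filename="'.str_replace(array('"', '\\'), '_', $row['filename']).'"');`. The result of `file_get_contents()` is also echoed without a check, so a missing file produces an empty body under a non-zero `Content-Length`.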
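Review bot: The new `elseif` only requires a file when `$Mode == 'ADD_ITEM'`, so an update without a new file enters the `else` branch and reads `$_FILES['filename']['tmp_name']` with nothing uploaded, and neither mode looks at `$_FILES['filename']['error']`. A guard such as `elseif (isset($_FILES['filename']) && !in_array($_FILES['filename']['error'], array(UPLOAD_ERR_OK, UPLOAD_ERR_NO_FILE)))` with its own `display_error()` would reject partial or oversized uploads before anything is written. Separately, the context line `mkdir ($dir,0777);` creates the attachment store world-writable; a mode such as `0750` would be tighter, assuming the web server user owns the directory. The `else` block continues past the end of this hunk.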
@@ -93,60 +99,53 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM') fwrite($fp, $index_file); fclose($fp); } - if ($Mode == 'UPDATE_ITEM' && file_exists($dir."/".$_POST['unique_name'])) - unlink($dir."/".$_POST['unique_name']); - $unique_name = uniqid(''); - move_uploaded_file($tmpname, $dir."/".$unique_name); - //save the file - $filename = $_FILES['filename']['name']; + $filename = basename($_FILES['filename']['name']); $filesize = $_FILES['filename']['size']; $filetype = $_FILES['filename']['type']; - } - else - { - $unique_name = $filename = $filetype = ""; - $filesize = 0; - } - $date = date2sql(Today()); - if ($Mode == 'ADD_ITEM') - { - $sql = "INSERT INTO ".TB_PREF."attachments (type_no, trans_no, description, filename, unique_name, - filesize, filetype, tran_date) VALUES (".db_escape($_POST['filterType'])."," - .db_escape($_POST['trans_no']).",".db_escape($_POST['description']).", " - .db_escape($filename).", ".db_escape($unique_name).", ".db_escape($filesize) - .", ".db_escape($filetype).", '$date')"; - db_query($sql, "Attachment could not be inserted"); - display_notification(_("Attachment has been inserted.")); - } - else - { - $sql = "UPDATE ".TB_PREF."attachments SET - type_no=".db_escape($_POST['filterType']).", - trans_no=".db_escape($_POST['trans_no']).", - description=".db_escape($_POST['description']).", "; - if ($filename != "") + + // file name compatible with POSIX + // protect against directory traversal + if ($Mode == 'UPDATE_ITEM') + { + $row = get_attachment($selected_id); + if ($row['filename'] == "") + exit(); + $unique_name = $row['unique_name']; + if ($filename && file_exists($dir."/".$unique_name)) + unlink($dir."/".$unique_name); + } + else + $unique_name = uniqid(''); + + //save the file + move_uploaded_file($tmpname, $dir."/".$unique_name); + + if ($Mode == 'ADD_ITEM') + { + add_attachment($_POST['filterType'], $_POST['trans_no'], $_POST['description'], + $filename, $unique_name, $filesize, $filetype); + 
display_notification(_("Attachment has been inserted.")); + } + else { - $sql .= "filename=".db_escape($filename).", - unique_name=".db_escape($unique_name).", - filesize=".db_escape($filesize).", - filetype=".db_escape($filetype); - } - $sql .= "tran_date='$date' WHERE id=".db_escape($selected_id); - db_query($sql, "Attachment could not be updated"); - display_notification(_("Attachment has been updated.")); + update_attachment($selected_id, $_POST['filterType'], $_POST['trans_no'], $_POST['description'], + $filename, $unique_name, $filesize, $filetype); + display_notification(_("Attachment has been updated.")); + } } + refresh_pager('trans_tbl'); + $Ajax->activate('_page_body'); $Mode = 'RESET'; -} +} if ($Mode == 'Delete') { $row = get_attachment($selected_id); - $dir = $comp_path."/".user_company(). "/attachments"; + $dir = company_path()."/attachments"; if (file_exists($dir."/".$row['unique_name'])) unlink($dir."/".$row['unique_name']); - $sql = "DELETE FROM ".TB_PREF."attachments WHERE id = ".db_escape($selected_id); - db_query($sql, "Could not delete attachment"); + delete_attachment($selected_id); display_notification(_("Attachment has been deleted.")); $Mode = 'RESET'; } 
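Review bot: `move_uploaded_file($tmpname, $dir."/".$unique_name)` now runs on every add and update and its return value is ignored, so `add_attachment()` / `update_attachment()` record a file even when nothing reached disk; on an update without a new file it is presumably called with an empty `$tmpname`. The preceding `unlink()` is also unnecessary, since `move_uploaded_file()` overwrites its destination, and it removes the old file before the new one is known to be stored. I would move only when a file was supplied and skip the database write on failure, as sketched below. The two comment lines about POSIX names and directory traversal sit above code that does neither (the `basename()` call is a few lines higher) and should move there or be removed. `if ($row['filename'] == "") exit();` ends the request with a blank page where a `display_error()` would be expected.
```php
// … unchanged: $filename/$filesize/$filetype and the $unique_name selection …
$stored = true;
if ($filename != "")
	$stored = move_uploaded_file($tmpname, $dir."/".$unique_name);

if (!$stored)
	display_error(_("The attachment file could not be saved."));
elseif ($Mode == 'ADD_ITEM')
{
	// … unchanged: add_attachment() call and notification …
}
else
{
	// … unchanged: update_attachment() call and notification …
}
```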
@@ -160,77 +159,78 @@ if ($Mode == 'RESET') function viewing_controls() { - start_form(); - - start_table("class='tablestyle_noborder'"); + global $selected_id; + + start_table(TABLESTYLE_NOBORDER); - systypes_list_row(_("Type:"), 'filterType', null, true); + start_row(); + systypes_list_cells(_("Type:"), 'filterType', null, true); + if (list_updated('filterType')) + $selected_id = -1;; + end_row(); end_table(1); - end_form(); } -//---------------------------------------------------------------------------------------- +function trans_view($trans) +{ + return get_trans_view_str($trans["type_no"], $trans["trans_no"]); +} + +function edit_link($row) +{ + return button('Edit'.$row["id"], _("Edit"), _("Edit"), ICON_EDIT); +} -function get_attached_documents($type) +function view_link($row) { - $sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=".db_escape($type) - ." ORDER BY trans_no"; - return db_query($sql, "Could not retrieve attachments"); + return button('view'.$row["id"], _("View"), _("View"), ICON_VIEW); } -function get_attachment($id) +function download_link($row) { - $sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=".db_escape($id); - $result = db_query($sql, "Could not retrieve attachments"); - return db_fetch($result); + return button('download'.$row["id"], _("Download"), _("Download"), ICON_DOWN); +} + +function delete_link($row) +{ + return button('Delete'.$row["id"], _("Delete"), _("Delete"), ICON_DELETE); } function display_rows($type) { - global $table_style; + $sql = get_sql_for_attached_documents($type); + $cols = array( + _("#") => array('fun'=>'trans_view', 'ord'=>''), + _("Description") => array('name'=>'description'), + _("Filename") => array('name'=>'filename'), + _("Size") => array('name'=>'filesize'), + _("Filetype") => array('name'=>'filetype'), + _("Date Uploaded") => array('name'=>'tran_date', 'type'=>'date'), + array('insert'=>true, 'fun'=>'edit_link'), + array('insert'=>true, 'fun'=>'view_link'), + array('insert'=>true, 
'fun'=>'download_link'), + array('insert'=>true, 'fun'=>'delete_link') + ); + $table =& new_db_pager('trans_tbl', $sql, $cols); - $rows = get_attached_documents($type); - $th = array(_("#"), _("Description"), _("Filename"), _("Size"), _("Filetype"), _("Date Uploaded"), "", "", "", ""); - - div_start('transactions'); - start_form(); - start_table($table_style); - table_header($th); - $k = 0; - while ($row = db_fetch($rows)) - { - alt_table_row_color($k); - - label_cell(get_trans_view_str($type, $row['trans_no'])); - label_cell($row['description']); - label_cell($row['filename']); - label_cell($row['filesize']); - label_cell($row['filetype']); - label_cell(sql2date($row['tran_date'])); - edit_button_cell("Edit".$row['id'], _("Edit")); - button_cell("view".$row['id'], _("View"), false, ICON_VIEW); - button_cell("download".$row['id'], _("Download"), false, ICON_DOWN); - delete_button_cell("Delete".$row['id'], _("Delete")); - end_row(); - } - end_table(1); - hidden('filterType', $type); - end_form(); - div_end(); + $table->width = "60%"; + + display_db_pager($table); } //---------------------------------------------------------------------------------------- +start_form(true); + viewing_controls(); -if (isset($_POST['filterType'])) - display_rows($_POST['filterType']); +display_rows($_POST['filterType']); -start_form(true); +br(2); -start_table($table_style2); +start_table(TABLESTYLE2); if ($selected_id != -1) { @@ -251,10 +251,8 @@ text_row_ex(_("Description").':', 'description', 40); file_row(_("Attached File") . ":", 'filename', 'filename'); end_table(1); -if (isset($_POST['filterType'])) - hidden('filterType', $_POST['filterType']); -submit_add_or_update_center($selected_id == -1, '', 'both'); +submit_add_or_update_center($selected_id == -1, '', 'process'); end_form();
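Review bot: `display_rows($_POST['filterType']);` is now called without the `isset($_POST['filterType'])` guard the old code had, so a first plain GET of the page reads an undefined index unless `systypes_list_cells()` seeds `$_POST` (not visible in this diff); `display_rows(isset($_POST['filterType']) ? $_POST['filterType'] : null);` would keep the old safety. The `description` and `filename` columns are user-supplied and are now rendered by the pager instead of `label_cell()`, so it is worth confirming that `db_pager` HTML-escapes `'name'` columns. In `viewing_controls()` the line `$selected_id = -1;;` carries a stray semicolon. The new callbacks `trans_view`, `edit_link`, `view_link`, `download_link` and `delete_link` have no comments; one line above them such as `// db_pager column callbacks: each receives the current row and returns the cell content` would make their role clear.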