X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=admin%2Fattachments.php;h=dafa3e022fb1ea592e93b3415269b6aa5ced7ffc;hb=081465f30442afc4f008a1c7038bef320466a730;hp=5ecc7c5aa3f245301128266558340bd08e2a8c86;hpb=4bdf378edb47a0535195bad7deff6adf56af6088;p=fa-stable.git

diff --git a/admin/attachments.php b/admin/attachments.php
index 5ecc7c5a..dafa3e02 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -1,16 +1,16 @@
 <?php
 /**********************************************************************
     Copyright (C) FrontAccounting, LLC.
-	Released under the terms of the GNU Affero General Public License,
-	AGPL, as published by the Free Software Foundation, either version 
-	3 of the License, or (at your option) any later version.
+	Released under the terms of the GNU General Public License, GPL, 
+	as published by the Free Software Foundation, either version 3 
+	of the License, or (at your option) any later version.
     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
-    See the License here <http://www.gnu.org/licenses/agpl-3.0.html>.
+    See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
 ***********************************************************************/
 $path_to_root="..";
-$page_security = 8;
+$page_security = 'SA_ATTACHDOCUMENT';
 
 include_once($path_to_root . "/includes/session.inc");
 
@@ -18,43 +18,57 @@ include_once($path_to_root . "/includes/date_functions.inc");
 include_once($path_to_root . "/includes/ui.inc");
 include_once($path_to_root . "/includes/data_checks.inc");
 
+if (isset($_GET['vw']))
+	$view_id = $_GET['vw'];
+else
 $view_id = find_submit('view');
 if ($view_id != -1)
 {
 	$row = get_attachment($view_id);
 	if ($row['filename'] != "")
 	{
-		$type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream';	
-    	header("Content-type: ".$type);
-    	header('Content-Length: '.$row['filesize']);
-    	if ($type == 'application/octet-stream')
-    		header('Content-Disposition: attachment; filename='.$row['filename']);
-    	else
-	 		header("Content-Disposition: inline");
-    	echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']);
-    	exit();
+		if(in_ajax()) {
+			$Ajax->popup($_SERVER['PHP_SELF'].'?vw='.$view_id);
+		} else {
+			$type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream';	
+    		header("Content-type: ".$type);
+    		header('Content-Length: '.$row['filesize']);
+	    	if ($type == 'application/octet-stream')
+    			header('Content-Disposition: attachment; filename='.$row['filename']);
+    		else
+	 			header("Content-Disposition: inline");
+	    	echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']);
+    		exit();
+		}
 	}	
 }
+if (isset($_GET['dl']))
+	$download_id = $_GET['dl'];
+else
+	$download_id = find_submit('download');
 
-$download_id = find_submit('download');
 if ($download_id != -1)
 {
 	$row = get_attachment($download_id);
 	if ($row['filename'] != "")
 	{
-		$type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream';	
-    	header("Content-type: ".$type);
-    	header('Content-Length: '.$row['filesize']);
-    	header('Content-Disposition: attachment; filename='.$row['filename']);
-    	echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']);
-    	exit();
+		if(in_ajax()) {
+			$Ajax->redirect($_SERVER['PHP_SELF'].'?dl='.$download_id);
+		} else {
+			$type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream';	
+    		header("Content-type: ".$type);
+	    	header('Content-Length: '.$row['filesize']);
+    		header('Content-Disposition: attachment; filename='.$row['filename']);
+    		echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']);
+	    	exit();
+		}
 	}	
 }
 
 $js = "";
 if ($use_popup_windows)
 	$js .= get_js_open_window(800, 500);
-page(_("Attach Documents"), false, false, "", $js);
+page(_($help_context = "Attach Documents"), false, false, "", $js);
 
 simple_page_mode(true);
 //----------------------------------------------------------------------------------------
@@ -98,25 +112,27 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 	if ($Mode == 'ADD_ITEM')
 	{
 		$sql = "INSERT INTO ".TB_PREF."attachments (type_no, trans_no, description, filename, unique_name,
-			filesize, filetype, tran_date) VALUES (".$_POST['filterType'].",".$_POST['trans_no'].",".
-			db_escape($_POST['description']).", '$filename', '$unique_name', '$filesize', '$filetype', '$date')";
+			filesize, filetype, tran_date) VALUES (".db_escape($_POST['filterType']).","
+			.db_escape($_POST['trans_no']).",".db_escape($_POST['description']).", "
+			.db_escape($filename).", ".db_escape($unique_name).", ".db_escape($filesize)
+			.", ".db_escape($filetype).", '$date')";
 		db_query($sql, "Attachment could not be inserted");		
 		display_notification(_("Attachment has been inserted.")); 
 	}
 	else
 	{
 		$sql = "UPDATE ".TB_PREF."attachments SET
-			type_no=".$_POST['filterType'].",
-			trans_no=".$_POST['trans_no'].",
+			type_no=".db_escape($_POST['filterType']).",
+			trans_no=".db_escape($_POST['trans_no']).",
 			description=".db_escape($_POST['description']).", ";
 		if ($filename != "")
 		{
-			$sql .= "filename='$filename',
-			unique_name='$unique_name',
-			filesize='$filesize',
-			filetype='$filetype', ";
+			$sql .= "filename=".db_escape($filename).",
+			unique_name=".db_escape($unique_name).",
+			filesize=".db_escape($filesize).",
+			filetype=".db_escape($filetype);
 		}	
-		$sql .= "tran_date='$date' WHERE id=$selected_id";
+		$sql .= "tran_date='$date' WHERE id=".db_escape($selected_id);
 		db_query($sql, "Attachment could not be updated");		
 		display_notification(_("Attachment has been updated.")); 
 	}
@@ -129,7 +145,7 @@ if ($Mode == 'Delete')
 	$dir =  $comp_path."/".user_company(). "/attachments";
 	if (file_exists($dir."/".$row['unique_name']))
 		unlink($dir."/".$row['unique_name']);
-	$sql = "DELETE FROM ".TB_PREF."attachments WHERE id = $selected_id";
+	$sql = "DELETE FROM ".TB_PREF."attachments WHERE id = ".db_escape($selected_id);
 	db_query($sql, "Could not delete attachment");
 	display_notification(_("Attachment has been deleted.")); 
 	$Mode = 'RESET';
@@ -144,7 +160,7 @@ if ($Mode == 'RESET')
 
 function viewing_controls()
 {
-    start_form(false, true);
+    start_form();
 
     start_table("class='tablestyle_noborder'");
 
@@ -159,13 +175,14 @@ function viewing_controls()
 
 function get_attached_documents($type)
 {
-	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=$type ORDER BY trans_no";
+	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=".db_escape($type)
+	." ORDER BY trans_no";
 	return db_query($sql, "Could not retrieve attachments");
 }
 
 function get_attachment($id)
 {
-	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=$id";
+	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=".db_escape($id);
 	$result = db_query($sql, "Could not retrieve attachments");
 	return db_fetch($result);
 }
@@ -213,7 +230,7 @@ if (isset($_POST['filterType']))
 
 start_form(true);
 
-start_table("$table_style2 width=30%");
+start_table($table_style2);
 
 if ($selected_id != -1)
 {
@@ -239,7 +256,7 @@ end_table(1);
 if (isset($_POST['filterType']))
 	hidden('filterType', $_POST['filterType']);
 
-submit_add_or_update_center($selected_id == -1, '', true);
+submit_add_or_update_center($selected_id == -1, '', 'both');
 
 end_form();