Merge pull request #61 from PurdueIEEE/realv2

Realv2

README.md

@@ -1,5 +1,14 @@
 # boilerbooks
 The ultimate IEEE record keeping system!
 
-This program is written using PHP. The website is displayed using the bootstrap framework. It is currently hosted at money.krakos.net.
+This program is written using PHP. The website is displayed using the bootstrap framework. It is currently hosted at money.pieee.org.
+
 In order to properly develop code you will likely need access to the database. 
+
+It is also important to setup a mysqldump cron job for database backups (I suggest removing backups after 30 days to save space)
+
+Also use rsync (or a better solution) to make remote backups of the mysqldump's, certs, and the uploaded receipts
+
+Also auto renew the ssl cert
+
+Also setup ssmtp (http://www.havetheknowhow.com/Configure-the-server/Install-ssmtp.html)

api/purchaseid/index.php

@@ -2,38 +2,21 @@
 	/* This API provides info on a purchase for display. It also formats an ifram of the receipt
 	/* Consider adding additional security to prevent certain people from seeing all receipts */
 
-	$title = 'Boiler Books';
-	$mypurchasesactive = "active";
-	include '../../menu.php';
+	include '../verify.php';
 
-	include '../../dbinfo.php';
-	$usr = $_SESSION['user'];
+	$decode = 0;
 
-	// Clear old variables
-	$_SESSION['date'] = '';
-	$_SESSION['mdate'] = '';
-	$_SESSION['receipt'] = '';
-	$_SESSION['item'] = '';
-	$_SESSION['purchasereason'] = '';
-	$_SESSION['vendor'] = '';
-	$_SESSION['purchaseby'] = '';
-	$_SESSION['approvedby'] = '';
-	$_SESSION['category'] = '';
-	$_SESSION['status'] = '';
-	$_SESSION['cost'] = '';
-	$_SESSION['comments'] = '';
+	$usr = $_SESSION['user'];
 
 	$purchaseid = test_input($_GET["purchaseid"]);
-	$_SESSION['purchaseid'] = $purchaseid;
-	echo "For purchaseid " . $purchaseid .  ":<br><br>";
 
 	try {
 		$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
 		// set the PDO error mode to exception
 		$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
 
 		$sql = "SELECT DATE_FORMAT(p.purchasedate,'%m/%d/%Y') as date, p.modifydate as mdate, p.item, p.purchasereason, p.vendor, p.committee, p.category, p.receipt, p.status,
-		p.cost, p.comments
+		p.cost, p.comments, p.fundsource, p.fiscalyear, p.username
 		, (SELECT CONCAT(U.first, ' ', U.last) FROM Users U WHERE U.username = p.username) purchasedby
 		, (SELECT CONCAT(U.first, ' ', U.last) FROM Users U WHERE U.username = p.approvedby) approvedby
 		 FROM Purchases p 
@@ -42,20 +25,41 @@
 
 
 		foreach ($conn->query($sql) as $row) {
-			$_SESSION['date'] = $row['date'];
-			$_SESSION['mdate'] = $row['mdate'];
-			$_SESSION['receipt'] = $row['receipt'];
-			$_SESSION['item'] = $row['item'];
-			$_SESSION['purchasereason'] = $row['purchasereason'];
-			$_SESSION['vendor'] = $row['vendor'];
-			$_SESSION['purchaseby'] = $row['purchasedby'];
-			$_SESSION['approvedby'] = $row['approvedby'];
-			$_SESSION['category'] = $row['category'];
-			$_SESSION['status'] = $row['status'];
-			$_SESSION['cost'] = $row['cost'];
-			$_SESSION['comments'] = $row['comments'];
+			$date = $row['date'];
+			$mdate = $row['mdate'];
+			$receipt = $row['receipt'];
+			$item = $row['item'];
+			$purchasereason = $row['purchasereason'];
+			$vendor = $row['vendor'];
+			$purchasedby = $row['purchasedby'];
+			$approvedby = $row['approvedby'];
+			$category = $row['category'];
+			$status = $row['status'];
+			$cost = $row['cost'];
+			$comments = $row['comments'];
+			$fundsource = $row['fundsource'];
+			$fiscalyear = $row['fiscalyear'];
+			$committee = $row['committee'];
+			$usrn = $row['username'];
 		}
 
+		$resultArray = array("date" => $date, "mdate" => $mdate, "receipt" => $receipt, "item" => $item, "purchasereason" => $purchasereason, "vendor" => $vendor, "purchasedby" => $purchasedby, "approvedby" => $approvedby, "category" => $category, "status" => $status, "cost" => $cost, "comments" => $comments, "fundsource" => $fundsource, "fiscalyear" => $fiscalyear, "committee" => $committee, "username" => $usrn);
+		$resultArray = json_encode($resultArray);
+		echo $resultArray;
+		$decoded = json_decode($resultArray);
+
+		if ($decode == 1) {
+			echo "<br><br>";
+		    foreach($decoded as $key => $val)
+		    {
+		        //echo $row;
+		        echo $key . ': ' . $val;
+		        echo '<br>';
+		    }
+		}
+
+
+
 	}
 	catch(PDOException $e)
 		{
@@ -64,30 +68,12 @@
 
 	$conn = null;
 
-	// Prepare receipt iframe
-	if ($_SESSION['receipt'] != '') {
-		$pdfreceipt = "https://money.pieee.org" . $_SESSION['receipt'];
-		$_SESSION['iframestuff'] = '<div class="row">
-		<div class="col-sm-4"></div>
-		<div class="col-sm-6">
-			<iframe src= ' . $pdfreceipt . ' width="500" height="700">
-				<a href=' . $pdfreceipt . '>Download receipt</a>
-			</iframe>
-		</div>
-		<div class="col-sm-2"></div>
-	</div>';
-
-	}
-	else {
-		$_SESSION['iframestuff'] = '';
-	}
-
-
 
+	$headerStuff = "Location: /purchase.php?purchaseid=" . $purchaseid;
+	//header($headerStuff); 
+
 
 
-	$headerStuff = "Location: /purchase.php?purchaseid=" . $purchaseid;
-	header($headerStuff); 
 ?>
 
 

api/request/index.php

@@ -57,7 +57,6 @@
 
 
 	/*** Get info of person to approve purchase ***/
-	include '../dbinfo.php';
 	$names = '';
 	$emails = '';
 

api/user/password.php

@@ -0,0 +1,87 @@
+<?php
+	include '../../dbinfo.php';
+
+
+	$email = $items = "";
+	$email = test_input($_POST["email"]);
+	$usrn = test_input($_POST["usrn"]);
+	//echo $email . '<br>';
+	try {
+		$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
+		// set the PDO error mode to exception
+		$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+		// anyone with approval status in a committee for any amount can view the entire committee
+		$sql = "SELECT U.username AS usrn FROM Users U WHERE email = '$email' AND U.username = '$usrn'";
+
+		foreach ($conn->query($sql) as $row) {
+			$items .= $row['usrn'] . ', ';
+
+		}
+		$items = rtrim($items,', ');
+	}
+	catch(PDOException $e)
+		{
+			$returnStat = "Error";
+		}
+
+		$conn = null;
+		//echo '<br>The users are:<br>' . $items . '<br>';
+
+
+	if ($items != '') {
+		echo "Hello " . $usrn . ". You're random string is: <br>";
+		$randNum = base64_encode(random_bytes(64));
+		echo $randNum . "<br>and the updated random string is: <br>";
+		// string replace because I'm sturgling with URL encoding 
+  		$randNum = str_replace('+','_',$randNum);
+  		$randNum = str_replace('/','-',$randNum);
+  		$randNum = str_replace('=','-',$randNum);
+		echo $randNum . "<br>and the hashed/updated random string is: <br>";
+		$randNumEn = password_hash($randNum,PASSWORD_DEFAULT);
+		echo $randNumEn . "<br>";
+
+		try {
+			$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
+			// set the PDO error mode to exception
+			$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+			$sql = "UPDATE Users SET resettime = NOW(), passwordreset='$randNumEn', modifydate=NOW() WHERE username = '$usrn'";
+			$conn->exec($sql);
+			echo "New updated created successfully";
+		}
+	catch(PDOException $e)
+	{
+		echo $sql . "<br>" . $e->getMessage();
+	}
+
+	$conn = null;
+
+
+		/*** Send email ***/
+		 $to = $email;
+		 $subject = "Boiler Books Password Reset";
+
+		 $user = $_SESSION['user'];
+		 $message = "<p>Hello! A password reset was requested for " . $usrn . ". Please go to the following URL to reset your password:<br>" . $_SERVER[HTTP_HOST] . "/user/newpasswordreset.php?usrn=" . $usrn . "&rstlink=" . $randNum;
+
+		 $header = "From:ieeeboilerbooks@gmail.com \r\n";
+		 $header .= "MIME-Version: 1.0\r\n";
+		 $header .= "Content-type: text/html\r\n";
+
+			 $retval = mail ($to,$subject,$message,$header);
+
+			 if( $retval == true ) {
+			 	//echo "Message sent successfully...";
+			 }else {
+			 	//echo "Message could not be sent...";
+			 }
+			 $header = 'Location: /user/forgotpassword.php?found=1&email=' . $email . '&usrn=' . $usrn;
+		header($header); 
+
+	}
+	else {
+		$header = 'Location: /user/forgotpassword.php?found=0&email=' . $email . '&usrn=' . $usrn;
+		header($header); 
+	}
+
+
+?>

api/user/username.php

@@ -0,0 +1,59 @@
+<?php
+	include '../../dbinfo.php';
+	include '../../header.php';
+
+
+	$email = $items = "";
+	$email = test_input($_POST["email"]); //change back to POST
+	//echo $email . '<br>';
+	try {
+		$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
+		// set the PDO error mode to exception
+		$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+		// anyone with approval status in a committee for any amount can view the entire committee
+		$sql = "SELECT U.username AS usrn FROM Users U WHERE email = '$email'";
+
+		foreach ($conn->query($sql) as $row) {
+			$items .= $row['usrn'] . ', ';
+
+		}
+		$items = rtrim($items,', ');
+	}
+	catch(PDOException $e)
+		{
+			$returnStat = "Error";
+		}
+
+		$conn = null;
+		//echo '<br>The users are:<br>' . $items . '<br>';
+
+
+	if ($items != '') {
+		/*** Send email ***/
+		 $to = $email;
+		 $subject = "Boiler Books Username";
+
+		 $user = $_SESSION['user'];
+		 $message = "<p>Hello! A remainder of your username was requested. The following username(s) are associated with this email:<br>" . $items . ". <br><br>Please visit <a href='https://" . $_SERVER[HTTP_HOST] . "'>https://" . $_SERVER[HTTP_HOST] . "</a> to login with your username. You can also request a password reset on the Boiler Books homepage.<br><br>Thanks,<br>Boiler Books Team";
+
+		 $header = "From:ieeeboilerbooks@gmail.com \r\n";
+		 $header .= "MIME-Version: 1.0\r\n";
+		 $header .= "Content-type: text/html\r\n";
+
+			 $retval = mail ($to,$subject,$message,$header);
+
+			 if( $retval == true ) {
+			 	//echo "Message sent successfully...";
+			 }else {
+			 	//echo "Message could not be sent...";
+			 }
+			 $header = 'Location: /user/forgotusername.php?found=1&email=' . $email;
+		header($header); 
+	}
+	else {
+		$header = 'Location: /user/forgotusername.php?found=0&email=' . $email;
+		header($header); 
+	}
+
+
+?>

api/verify.php

@@ -0,0 +1,79 @@
+<?php
+	/* This file is included before beginning other API calls in order to ensure the user is properly logged in.
+	* Variables are passed using GET. There is no response, as the user is redirected to the login page if they 
+	* do not have the appropriate permissions
+	* Required:
+	*	apikey: The api key that is generated upon login for each user
+	*	user: The currently logged in user. This will be verified against the API key
+	* Optional:
+	*	role1: If you would like to verify the user has a certain role you may pass this variable (eg. 
+	* treasurer)
+	*	role2: If you would like to verify the user has another certain role you may pass this variable (eg. 
+	* 	president). Options will be successfully returned if either role1 OR role2 are fulfilled 
+	*/
+
+
+	include '../../dbinfo.php';
+
+	// define variables and set to empty values
+	$apikey = $user = $role1 = $role2 = "";
+
+	$apikey = test_input($_GET["apikey"]); 
+	$user = test_input($_GET["user"]); 
+	$role1 = test_input($_GET["role1"]); 
+	$role2 = test_input($_GET["role2"]); 
+
+
+	try {
+		$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
+		// set the PDO error mode to exception
+		$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+		$sql = "SELECT apikey, apikeygentime 
+			FROM Users U 
+			WHERE U.username = '$user'
+			AND U.username in (
+				SELECT A.username 
+				    FROM approval A 
+				    WHERE A.username = U.username
+				    AND (A.role = '$role1' OR A.role = '$role2' OR ('$role1'='' AND '$role2'=''))
+			)
+			";
+		$stmt = $conn->prepare($sql);
+		$stmt->execute();
+
+		$results = $stmt->fetchAll();
+		foreach ($results as $pswd) {
+			$dbpsw = $pswd['apikey'];
+			$dbtime = $pswd['apikeygentime'];
+		}
+		$now = date('Y-m-d H:i:s');
+
+		$datetime1 = new DateTime($dbtime);
+		$datetime2 = new DateTime($now);
+		$interval = $datetime1->diff($datetime2);
+		//echo $interval->format('%i minutes');
+		$timediff = $interval->format('%i');
+
+		if (!(password_verify($apikey,$dbpsw) && ($timediff<=120)))
+		{
+
+			$headerinfo = "Location: /index.php?returnto=" . $_SERVER['REQUEST_URI'];
+			header($headerinfo);
+			die();
+		}
+
+
+		}
+	catch(PDOException $e)
+		{
+			echo $sql . "<br>" . $e->getMessage();
+			$headerinfo = "Location: /index.php?returnto=" . $_SERVER['REQUEST_URI'];
+			header($headerinfo);
+			die();
+		}
+
+	$conn = null;
+
+?>
+
+