From 0a57a61e17eade2e2689ced6ff2a622f24c11b8e Mon Sep 17 00:00:00 2001
From: Luke Tainton
Date: Sun, 9 Aug 2020 20:16:13 +0100
Subject: [PATCH] :sparkles: Implement file download function
Signed-off-by: Luke Tainton
---
 app/includes/app_functions.php | 106 ++++++++++++++++++++++++++++++++
 app/includes/prereqs.php | 103 +------------------------------
 app/public/actions/download.php | 46 ++++++++++++++
 app/public/actions/upload.php | 2 +-
 app/public/view.php | 67 ++++++++++----------
 5 files changed, 192 insertions(+), 132 deletions(-)
 create mode 100644 app/includes/app_functions.php
 create mode 100644 app/public/actions/download.php
diff --git a/app/includes/app_functions.php b/app/includes/app_functions.php
new file mode 100644
index 0000000..52ca0fb
--- /dev/null
+++ b/app/includes/app_functions.php
@@ -0,0 +1,106 @@
+prepare($stmt);
+ $sql->bindParam(':uuid', $user_uuid);
+ $sql->execute();
+ $sql->setFetchMode(PDO::FETCH_ASSOC);
+ $result = $sql->fetchAll();
+ $usr = $result[0]['given_name'] . " " . $result[0]['family_name'];
+ } catch (PDOException $e) {
+ echo("Error: " . $e->getMessage());
+ }
+ return $usr;
+ }
+
+ function get_my_requests($db) {
+ $ticket_stmt = "SELECT * FROM tickets WHERE created_by=:uuid";
+ $ticket_sql = $db->prepare($ticket_stmt);
+ $ticket_sql->bindParam(':uuid', $_SESSION['uuid']);
+ $ticket_sql->execute();
+ $ticket_sql->setFetchMode(PDO::FETCH_ASSOC);
+ $ticket_result = $ticket_sql->fetchAll();
+ return $ticket_result;
+ }
+
+ function get_subscribed_requests($db) {
+ $requests = array();
+ $sub_tickets_stmt = "SELECT ticket_uuid FROM ticket_subscribers WHERE user_uuid=:uuid";
+ $sub_tickets_sql = $db->prepare($sub_tickets_stmt);
+ $sub_tickets_sql->bindParam(':uuid', $_SESSION['uuid']);
+ $sub_tickets_sql->execute();
+ $sub_tickets_sql->setFetchMode(PDO::FETCH_ASSOC);
+ $sub_tickets_result = $sub_tickets_sql->fetchAll();
+ foreach ($sub_tickets_result as $tkt) {
+ $stmt = "SELECT * FROM tickets WHERE uuid=:uuid";
+ $sql = $db->prepare($stmt);
+ $sql->bindParam(':uuid', $tkt['ticket_uuid']);
+ $sql->execute();
+ $sql->setFetchMode(PDO::FETCH_ASSOC);
+ $result = $sql->fetchAll();
+ array_push($requests, $result[0]);
+ }
+ return $requests;
+ }
+
+ function get_request($db, $uuid) {
+ $ticket_stmt = "SELECT * FROM tickets WHERE uuid=:uuid";
+ $ticket_sql = $db->prepare($ticket_stmt);
+ $ticket_sql->bindParam(':uuid', $uuid);
+ $ticket_sql->execute();
+ $ticket_sql->setFetchMode(PDO::FETCH_ASSOC);
+ $ticket_result = $ticket_sql->fetchAll();
+ $request = $ticket_result[0];
+ return $request;
+ }
+
+
+ function get_updates($db, $request) {
+ $updates_stmt = "SELECT * FROM ticket_updates WHERE ticket=:uuid";
+ $updates_sql = $db->prepare($updates_stmt);
+ $updates_sql->bindParam(':uuid', $request['uuid']);
+ $updates_sql->execute();
+ $updates_sql->setFetchMode(PDO::FETCH_ASSOC);
+ $updates_result = $updates_sql->fetchAll();
+ return $updates_result;
+ }
+
+ function get_files($db, $request) {
+ $stmt = "SELECT * FROM ticket_uploads WHERE ticket=:uuid";
+ $sql = $db->prepare($stmt);
+ $sql->bindParam(':uuid', $request['uuid']);
+ $sql->execute();
+ $sql->setFetchMode(PDO::FETCH_ASSOC);
+ $result = $sql->fetchAll();
+ return $result;
+ }
+
+ function get_single_file($db, $file) {
+ $stmt = "SELECT * FROM ticket_uploads WHERE id=:fileid";
+ $sql = $db->prepare($stmt);
+ $sql->bindParam(':fileid', $file['id']);
+ $sql->execute();
+ $sql->setFetchMode(PDO::FETCH_ASSOC);
+ $result = $sql->fetchAll();
+ $file = $result[0];
+ return $file;
+ }
+
+ function get_subscribers($db, $request) {
+ $subs = array();
+ $users_stmt = "SELECT user_uuid FROM ticket_subscribers WHERE ticket_uuid=:uuid";
+ $users_sql = $db->prepare($users_stmt);
+ $users_sql->bindParam(':uuid', $request['uuid']);
+ $users_sql->execute();
+ $users_sql->setFetchMode(PDO::FETCH_ASSOC);
+ $users_result = $users_sql->fetchAll();
+ foreach ($users_result as $u) {
+ array_push($subs, $u['user_uuid']);
+ }
+ return $subs;
+ }
+
+ function isAuthorised($user, $authorised_users, $request) {
+ if ( in_array($user, $authorised_users) || $_SESSION['uuid'] == $request['created_by']) { return true; } else { return false; }
+ }
diff --git a/app/includes/prereqs.php b/app/includes/prereqs.php
index f2badaa..148df35 100644
--- a/app/includes/prereqs.php
+++ b/app/includes/prereqs.php
@@ -37,6 +37,9 @@ if ($_ENV['OIDC_DISABLE_SSL'] == "true") {
 // Custom functions
+
+require_once __DIR__ . "/app_functions.php";
+
 function oidc_set_vars($sub, $uid, $fname, $lname, $email) {
 $_SESSION['uuid'] = $sub;
 $_SESSION['username'] = $uid;
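Review bot: In app/includes/app_functions.php the new `get_single_file()` returns `$result[0]` without checking that the query matched a row, so an unknown or tampered file id produces an undefined-offset warning and a null record that the download handler then has to cope with. I would end it with `return $result[0] ?? null;` and have the caller stop with a 404 when it gets null. The lookup is by `id` alone, so the caller also has to load the request named in the row's `ticket` column and pass it through `isAuthorised()` before serving anything; a docblock such as `/** Returns the ticket_uploads row for $file['id'], or null; performs no access check. */` would make that contract explicit. In the same file `get_user_name()` echoes `$e->getMessage()` into the response, which is better written to the error log than shown to the client.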
@@ -53,103 +56,3 @@ function is_signed_in() {
 return false;
 }
 }
-
-function create_alert($type, $msg) {
- $thisAlert = array($type, $msg);
- array_push($_SESSION['alerts'], $thisAlert);
-}
-
-function get_user_name($db, $user_uuid) {
- try {
- $stmt = "SELECT given_name, family_name FROM users WHERE uuid=:uuid";
- $sql = $db->prepare($stmt);
- $sql->bindParam(':uuid', $user_uuid);
- $sql->execute();
- $sql->setFetchMode(PDO::FETCH_ASSOC);
- $result = $sql->fetchAll();
- $usr = $result[0]['given_name'] . " " . $result[0]['family_name'];
- } catch (PDOException $e) {
- echo("Error: " . $e->getMessage());
- }
- return $usr;
-}
-
-function get_my_requests($db) {
- $ticket_stmt = "SELECT * FROM tickets WHERE created_by=:uuid";
- $ticket_sql = $db->prepare($ticket_stmt);
- $ticket_sql->bindParam(':uuid', $_SESSION['uuid']);
- $ticket_sql->execute();
- $ticket_sql->setFetchMode(PDO::FETCH_ASSOC);
- $ticket_result = $ticket_sql->fetchAll();
- return $ticket_result;
-}
-
-function get_subscribed_requests($db) {
- $requests = array();
- $sub_tickets_stmt = "SELECT ticket_uuid FROM ticket_subscribers WHERE user_uuid=:uuid";
- $sub_tickets_sql = $db->prepare($sub_tickets_stmt);
- $sub_tickets_sql->bindParam(':uuid', $_SESSION['uuid']);
- $sub_tickets_sql->execute();
- $sub_tickets_sql->setFetchMode(PDO::FETCH_ASSOC);
- $sub_tickets_result = $sub_tickets_sql->fetchAll();
- foreach ($sub_tickets_result as $tkt) {
- $stmt = "SELECT * FROM tickets WHERE uuid=:uuid";
- $sql = $db->prepare($stmt);
- $sql->bindParam(':uuid', $tkt['ticket_uuid']);
- $sql->execute();
- $sql->setFetchMode(PDO::FETCH_ASSOC);
- $result = $sql->fetchAll();
- array_push($requests, $result[0]);
- }
- return $requests;
-}
-
-function get_request($db, $uuid) {
- $ticket_stmt = "SELECT * FROM tickets WHERE uuid=:uuid";
- $ticket_sql = $db->prepare($ticket_stmt);
- $ticket_sql->bindParam(':uuid', $uuid);
- $ticket_sql->execute();
- $ticket_sql->setFetchMode(PDO::FETCH_ASSOC);
- $ticket_result =
$ticket_sql->fetchAll();
- $request = $ticket_result[0];
- return $request;
-}
-
-
-function get_updates($db, $request) {
- $updates_stmt = "SELECT * FROM ticket_updates WHERE ticket=:uuid";
- $updates_sql = $db->prepare($updates_stmt);
- $updates_sql->bindParam(':uuid', $request['uuid']);
- $updates_sql->execute();
- $updates_sql->setFetchMode(PDO::FETCH_ASSOC);
- $updates_result = $updates_sql->fetchAll();
- return $updates_result;
-}
-
-function get_files($db, $request) {
- $updates_stmt = "SELECT * FROM ticket_uploads WHERE ticket=:uuid";
- $updates_sql = $db->prepare($updates_stmt);
- $updates_sql->bindParam(':uuid', $request['uuid']);
- $updates_sql->execute();
- $updates_sql->setFetchMode(PDO::FETCH_ASSOC);
- $updates_result = $updates_sql->fetchAll();
- return $updates_result;
-}
-
-function get_subscribers($db, $request) {
- $subs = array();
- $users_stmt = "SELECT user_uuid FROM ticket_subscribers WHERE ticket_uuid=:uuid";
- $users_sql = $db->prepare($users_stmt);
- $users_sql->bindParam(':uuid', $request['uuid']);
- $users_sql->execute();
- $users_sql->setFetchMode(PDO::FETCH_ASSOC);
- $users_result = $users_sql->fetchAll();
- foreach ($users_result as $u) {
- array_push($subs, $u['user_uuid']);
- }
- return $subs;
-}
-
-function isAuthorised($user, $authorised_users, $request) {
- if ( in_array($user, $authorised_users) || $_SESSION['uuid'] == $request['created_by']) { return true; } else { return false; }
-}
diff --git a/app/public/actions/download.php b/app/public/actions/download.php
new file mode 100644
index 0000000..953fcd1
--- /dev/null
+++ b/app/public/actions/download.php
@@ -0,0 +1,46 @@
+window.location = '$newURL'");
+
+?>
diff --git a/app/public/actions/upload.php b/app/public/actions/upload.php
index 2bd4690..1e16db0 100644
--- a/app/public/actions/upload.php
+++ b/app/public/actions/upload.php
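Review bot: The one line of app/public/actions/download.php that survives on this page, `window.location = '$newURL'");`, interpolates `$newURL` into an inline script string, so if any part of that URL comes from the request or from a stored filename, a quote in it ends the JavaScript string early. A server-side `header('Location: ' . $newURL); exit;` avoids the script context altogether; if the script redirect has to stay, emit the value with `json_encode($newURL)` instead of hand-written quotes. The rest of the 46-line file is not visible here, so I cannot confirm that it calls `is_signed_in()` and `isAuthorised()` for the file's ticket before reading from the attachments directory. That check is the first thing to verify in this handler.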
@@ -17,7 +17,7 @@
 $file_size = $_FILES['file']['size'];
 $file_type = $_FILES['file']['type'];
 $file_tmp = $_FILES['file']['tmp_name'];
- move_uploaded_file($file_tmp,"/srv/attachments/".$file_name);
+ move_uploaded_file($file_tmp,$_ENV['ATTACHMENTS_PATH']."/".$file_uuid);
 $stmt = "INSERT INTO ticket_uploads (id, ticket, user, filename) VALUES (:fileuuid, :ticket, :user, :name)";
 $sql = $db->prepare($stmt);
 $sql->bindParam(':fileuuid', $file_uuid);
diff --git a/app/public/view.php b/app/public/view.php
index b02bae3..3f7b613 100644
--- a/app/public/view.php
+++ b/app/public/view.php
@@ -58,17 +58,17 @@
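Review bot: The return value of `move_uploaded_file()` on the changed line of app/public/actions/upload.php is still ignored, so the `INSERT INTO ticket_uploads` that follows records an attachment even when the move failed. Storing the file under `$file_uuid` rather than the client-supplied name removes the traversal and overwrite risk of the old line, but `$_ENV['ATTACHMENTS_PATH']` is used unchecked, and if it is unset the target becomes `/<uuid>`. I would guard both, e.g. `if (empty($_ENV['ATTACHMENTS_PATH']) || !move_uploaded_file($file_tmp, $_ENV['ATTACHMENTS_PATH'] . "/" . $file_uuid)) { /* raise an alert and stop before the INSERT */ }`. The enclosing block starts and ends outside the hunk; the `filename` column presumably still holds the client-supplied name, so it should be treated as untrusted wherever it is displayed or sent back on download.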
-
+
-
-
+
+
Information
  • Status: - New +
  • @@ -76,7 +76,7 @@
    Created by: - Luke Tainton +
    @@ -84,14 +84,15 @@
    Assigned to: - None
    + +
  • Created: - 2020-08-04 13:26:22 +
  • @@ -99,36 +100,40 @@
    Last updated: - 2020-08-04 13:26:22 +
    -
    -
    Uploaded files
    -
      - No files uploaded"); - } else { - foreach($files as $file) { - ?> -
    • -
      -
      - -
      -
      - -
      -
      -
    • - -
    -
    +
    -
    +
    +
    +
    Files
    +
      + No files uploaded"); + } else { + foreach($files as $file) { + ?> +
    • +
      +
      + +
      +
      + +
      +
      +
    • + +
    +
    +
    + +
    Updates