From 1f59131dc0a6842bed11c85e7cbf82234e8e0510 Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sun, 9 Aug 2020 14:52:54 +0100 Subject: [PATCH] :sparkles: Code refactoring and tidying up Signed-off-by: Luke Tainton --- app/includes/header.php | 4 +- app/public/actions/close.php | 45 +++++++++++++++++++++++ app/public/actions/create.php | 44 ++++++++++++++++++++++ app/public/{ => actions}/login.php | 2 +- app/public/{ => actions}/logout.php | 2 +- app/public/actions/update.php | 48 ++++++++++++++++++++++++ app/public/actions/upload.php | 57 +++++++++++++++++++++++++++++ app/public/new.php | 43 +--------------------- app/public/update.php | 25 ++----------- app/public/upload.php | 33 +---------------- app/public/view.php | 4 +- 11 files changed, 206 insertions(+), 101 deletions(-) create mode 100644 app/public/actions/close.php create mode 100644 app/public/actions/create.php rename app/public/{ => actions}/login.php (97%) rename app/public/{ => actions}/logout.php (62%) create mode 100644 app/public/actions/update.php create mode 100644 app/public/actions/upload.php diff --git a/app/includes/header.php b/app/includes/header.php index acf4ec9..28ffdd6 100644 --- a/app/includes/header.php +++ b/app/includes/header.php @@ -50,12 +50,12 @@ Profile - Log out + Log out diff --git a/app/public/actions/close.php b/app/public/actions/close.php new file mode 100644 index 0000000..b7f4623 --- /dev/null +++ b/app/public/actions/close.php 
@@ -0,0 +1,45 @@ +prepare($users_stmt); + $users_sql->bindParam(':uuid', $_GET['rid']); + $users_sql->execute(); + $users_sql->setFetchMode(PDO::FETCH_ASSOC); + $users_result = $users_sql->fetchAll(); + } catch (PDOException $e) { + $new_ticket_alert = array("danger", "Failed to get subscribers: " . $e->getMessage()); + } + + $authorised_users = array(); + foreach($users_result as $user) { + array_push($authorised_users, $user['user_uuid']); + } + + if (in_array($_SESSION['uuid'], $authorised_users) || $_SESSION['uuid'] == $request['created_by']) { + $is_authorised = true; + } else { + $is_authorised = false; + } + + // Close request + if ($is_authorised == true) { + if($_SERVER['REQUEST_METHOD'] == 'POST') { + try { + // Process ticket data + $stmt = "UPDATE tickets SET status = 'Closed' WHERE uuid=:uuid"; + $sql = $db->prepare($stmt); + $sql->bindParam(':uuid', $_POST['rid']); + $sql->execute(); + } catch (PDOException $e) { + $new_ticket_alert = array("danger", "Failed to close request: " . $e->getMessage()); + } + header('Location: /', true); + } + } else { + $new_ticket_alert = array("danger", "You are not authorised to close this request."); + } + +?> \ No newline at end of file diff --git a/app/public/actions/create.php b/app/public/actions/create.php new file mode 100644 index 0000000..f2cd138 --- /dev/null +++ b/app/public/actions/create.php @@ -0,0 +1,44 @@ +toString(); + $stmt = "INSERT INTO tickets (uuid, title, description, created_by) VALUES (:tktuuid, :title, :description, :user)"; + $sql = $db->prepare($stmt); + $sql->bindParam(':tktuuid', $tkt_uuid); + $sql->bindParam(':title', $_POST['title']); + $sql->bindParam(':description', $_POST['description']); + $sql->bindParam(':user', $_SESSION['uuid']); + $sql->execute(); + } catch (PDOException $e) { + // echo("Error:
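Review bot: The subscriber lookup in this hunk binds `$_GET['rid']` while the `UPDATE tickets SET status = 'Closed'` binds `$_POST['rid']`, so a user who is a subscriber or creator of one ticket can close any other ticket by putting the authorised id in the query string and the victim id in the POST body. Resolve the id once, e.g. `$rid = $_POST['rid'] ?? $_GET['rid'] ?? '';`, bind `$rid` in both `bindParam` calls and refuse when it is empty. The creator check `$_SESSION['uuid'] == $request['created_by']` is a loose comparison and `$request` is not assigned anywhere in the visible lines (the file's opening lines are not in this view): if the ticket row was not found and no session uuid is set, both sides are null and the check passes, so use `===`, `in_array($_SESSION['uuid'], $authorised_users, true)`, and bail out when the ticket is missing or the subscriber query threw (`$users_result` is then undefined and the `foreach` only warns). `header('Location: /', true)` is not followed by `exit;`, and both catch blocks show `$e->getMessage()` to the user; log it and return a generic message. This is a state-changing POST with no CSRF token check.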
" . $e->getMessage() . "
"); + $new_ticket_alert = array("danger", "Failed to save request: " . $e->getMessage()); + } + + // If file is uploaded, process that + if(isset($_FILES['file']) && $_FILES['file']['name'] != "") { + try { + $file_name = $_FILES['file']['name']; + $file_size = $_FILES['file']['size']; + $file_type = $_FILES['file']['type']; + $file_tmp = $_FILES['file']['tmp_name']; + move_uploaded_file($file_tmp,"/srv/attachments/".$file_name); + $stmt = "INSERT INTO ticket_uploads (ticket, user, filename) VALUES (:ticket, :user, :name)"; + $sql = $db->prepare($stmt); + $sql->bindParam(':ticket', $tkt_uuid); + $sql->bindParam(':user', $_SESSION['uuid']); + $sql->bindParam(':name', $file_name); + $sql->execute(); + } catch (PDOException $e) { + // echo("Error:
" . $e->getMessage() . "
"); + $new_ticket_alert = array("danger", "Failed to upload file: " . $e->getMessage()); + } + } + + header('Location: /view?rid=' . $tkt_uuid, true); + } +?> \ No newline at end of file diff --git a/app/public/login.php b/app/public/actions/login.php similarity index 97% rename from app/public/login.php rename to app/public/actions/login.php index c2b1be0..aad4408 100644 --- a/app/public/login.php +++ b/app/public/actions/login.php @@ -1,6 +1,6 @@ prepare($users_stmt); + $users_sql->bindParam(':uuid', $_GET['rid']); + $users_sql->execute(); + $users_sql->setFetchMode(PDO::FETCH_ASSOC); + $users_result = $users_sql->fetchAll(); + } catch (PDOException $e) { + $new_ticket_alert = array("danger", "Failed to get subscribers: " . $e->getMessage()); + } + + + $authorised_users = array(); + foreach($users_result as $user) { + array_push($authorised_users, $user['user_uuid']); + } + + if (in_array($_SESSION['uuid'], $authorised_users) || $_SESSION['uuid'] == $request['created_by']) { + $is_authorised = true; + } else { + $is_authorised = false; + } + + // If form submitted, save to database + if($_SERVER['REQUEST_METHOD'] == 'POST') { + if ($is_authorised == true) { + try { + // Process ticket data + $stmt = "INSERT INTO ticket_updates (ticket, user, msg) VALUES (:tktuuid, :user, :msg)"; + $sql = $db->prepare($stmt); + $sql->bindParam(':tktuuid', $_POST['rid']); + $sql->bindParam(':user', $_SESSION['uuid']); + $sql->bindParam(':msg', $_POST['msg']); + $sql->execute(); + } catch (PDOException $e) { + $new_ticket_alert = array("danger", "Failed to save update: " . $e->getMessage()); + } + } else { + $new_ticket_alert = array("danger", "You are not authorised to update this request."); + header('Location: /view?rid=' . $_POST['rid'], true); + } + } + +?> \ No newline at end of file diff --git a/app/public/actions/upload.php b/app/public/actions/upload.php new file mode 100644 index 0000000..eda90a0 --- /dev/null +++ b/app/public/actions/upload.php 
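Review bot: The attachment branch of this hunk writes the client-supplied `$_FILES['file']['name']` straight into `/srv/attachments/` and runs the INSERT without checking what `move_uploaded_file()` returned, so a failed move still records an attachment, two uploads sharing a name overwrite each other, and if that directory is served by the web server the client also chooses the extension that gets stored. Store the file under a server-generated name (this commit already uses `Uuid::uuid4()` for ticket ids and actions/upload.php uses one as the `ticket_uploads.id`), keep the original name only in the `filename` column, check `$_FILES['file']['error'] === UPLOAD_ERR_OK` and the move's result, and only then INSERT. `$file_size` and `$file_type` are assigned and never used, the redirect to `/view?rid=` also fires when the ticket INSERT threw, and `header()` is not followed by `exit;`. Nothing in the visible part of this file checks `is_signed_in()` as new.php still does; the top of the file is outside this view, so that may come from an include — worth confirming. Rewritten attachment branch:

```php
// … unchanged: ticket INSERT into tickets …
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $file_uuid = Uuid::uuid4()->toString();          // on-disk name never comes from the client
    $file_name = basename($_FILES['file']['name']);  // original name, for display only
    if (!move_uploaded_file($_FILES['file']['tmp_name'], "/srv/attachments/" . $file_uuid)) {
        $new_ticket_alert = array("danger", "Failed to upload file.");
    } else {
        try {
            $stmt = "INSERT INTO ticket_uploads (id, ticket, user, filename) VALUES (:fileuuid, :ticket, :user, :name)";
            $sql = $db->prepare($stmt);
            $sql->bindParam(':fileuuid', $file_uuid);
            // … unchanged: bind :ticket, :user, :name => $file_name; execute …
        } catch (PDOException $e) {
            $new_ticket_alert = array("danger", "Failed to upload file.");
        }
    }
}
```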
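Review bot: As in close.php, the subscriber check in this hunk runs on `$_GET['rid']` while the `INSERT INTO ticket_updates` binds `$_POST['rid']`, so a caller authorised on one ticket can post an update to any other by sending a different id in the body. Use a single id for both queries, e.g. `$rid = $_POST['rid'] ?? $_GET['rid'] ?? '';`, and refuse the request when it is empty. When the subscriber query throws, `$users_result` is unset and the `foreach` only warns, after which `$_SESSION['uuid'] == $request['created_by']` is a loose comparison whose sides can both be null (`$request` is not assigned in the visible lines; the file's opening is not in this view), so use `===` and `in_array(..., true)` and stop when the ticket is not found. The success path never redirects (actions/upload.php redirects to `/view?rid=`), and the unauthorised path calls `header()` without `exit;`, so the script keeps running; add `exit;` after each redirect and a success redirect for consistency. The diff header for this file is not legible here; the login/logout rename hunks appear to have been collapsed into it.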
@@ -0,0 +1,57 @@ +prepare($users_stmt); + $users_sql->bindParam(':uuid', $_GET['rid']); + $users_sql->execute(); + $users_sql->setFetchMode(PDO::FETCH_ASSOC); + $users_result = $users_sql->fetchAll(); + } catch (PDOException $e) { + $new_ticket_alert = array("danger", "Failed to get subscribers: " . $e->getMessage()); + } + + + $authorised_users = array(); + foreach($users_result as $user) { + array_push($authorised_users, $user['user_uuid']); + } + + if (in_array($_SESSION['uuid'], $authorised_users) || $_SESSION['uuid'] == $request['created_by']) { + $is_authorised = true; + } else { + $is_authorised = false; + } + + // If form submitted, save to database + if($_SERVER['REQUEST_METHOD'] == 'POST') { + if ($is_authorised == true) { + if(isset($_FILES['file']) && $_FILES['file']['name'] != "") { + try { + $file_uuid = Uuid::uuid4()->toString(); + $file_name = $_FILES['file']['name']; + $file_size = $_FILES['file']['size']; + $file_type = $_FILES['file']['type']; + $file_tmp = $_FILES['file']['tmp_name']; + move_uploaded_file($file_tmp,"/srv/attachments/".$file_name); + $stmt = "INSERT INTO ticket_uploads (id, ticket, user, filename) VALUES (:fileuuid, :ticket, :user, :name)"; + $sql = $db->prepare($stmt); + $sql->bindParam(':fileuuid', $file_uuid); + $sql->bindParam(':ticket', $_POST['rid']); + $sql->bindParam(':user', $_SESSION['uuid']); + $sql->bindParam(':name', $file_name); + $sql->execute(); + } catch (PDOException $e) { + $new_ticket_alert = array("danger", "Failed to upload file: " . $e->getMessage()); + } + header('Location: /view?rid=' . $_POST['rid'], true); + } + } else { + $new_ticket_alert = array("danger", "You are not authorised to update this request."); + header('Location: /view?rid=' . $_POST['rid'], true); + } + } + +?> \ No newline at end of file diff --git a/app/public/new.php b/app/public/new.php index dceb64b..047d87f 100644 --- a/app/public/new.php +++ b/app/public/new.php 
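Review bot: `$file_uuid` is generated and stored as the row `id` in this hunk, yet the file itself is written as `"/srv/attachments/" . $file_name` with the client-chosen name, so two users attaching `report.pdf` to different tickets overwrite each other and, if the directory is served by the web server, the client also picks the stored extension. Write the file as `"/srv/attachments/" . $file_uuid`, keep the client name (after `basename()`) only in the `filename` column, and check `$_FILES['file']['error'] === UPLOAD_ERR_OK` plus the return of `move_uploaded_file()` before the INSERT — at present a failed move still inserts a row. The authorisation check binds `$_GET['rid']` while the INSERT binds `$_POST['rid']`, so an attachment can be filed against a ticket other than the one the caller was checked against; resolve one `$rid` and bind it in both places. `$file_size` and `$file_type` are unused, neither `header()` call is followed by `exit;`, and the catch blocks expose `$e->getMessage()` to the user. Rewritten upload branch:

```php
$rid = $_POST['rid'] ?? $_GET['rid'] ?? '';   // one id for the check and the INSERT
// … unchanged: subscriber lookup and $is_authorised, binding $rid instead of $_GET['rid'] …
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $is_authorised && $rid !== ''
    && isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $file_uuid = Uuid::uuid4()->toString();
    $file_name = basename($_FILES['file']['name']);   // display name only
    if (!move_uploaded_file($_FILES['file']['tmp_name'], "/srv/attachments/" . $file_uuid)) {
        $new_ticket_alert = array("danger", "Failed to upload file.");
    } else {
        // … unchanged: INSERT binding :fileuuid => $file_uuid, :ticket => $rid, :user, :name => $file_name …
    }
    header('Location: /view?rid=' . $rid, true);
    exit;
}
```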
@@ -1,47 +1,6 @@ toString(); - $stmt = "INSERT INTO tickets (uuid, title, description, created_by) VALUES (:tktuuid, :title, :description, :user)"; - $sql = $db->prepare($stmt); - $sql->bindParam(':tktuuid', $tkt_uuid); - $sql->bindParam(':title', $_POST['title']); - $sql->bindParam(':description', $_POST['description']); - $sql->bindParam(':user', $_SESSION['uuid']); - $sql->execute(); - } catch (PDOException $e) { - // echo("Error:
" . $e->getMessage() . "
"); - $new_ticket_alert = array("danger", "Failed to save request: " . $e->getMessage()); - } - - // If file is uploaded, process that - if(isset($_FILES['file']) && $_FILES['file']['name'] != "") { - try { - $file_name = $_FILES['file']['name']; - $file_size = $_FILES['file']['size']; - $file_type = $_FILES['file']['type']; - $file_tmp = $_FILES['file']['tmp_name']; - move_uploaded_file($file_tmp,"/srv/attachments/".$file_name); - $stmt = "INSERT INTO ticket_uploads (ticket, user, filename) VALUES (:ticket, :user, :name)"; - $sql = $db->prepare($stmt); - $sql->bindParam(':ticket', $tkt_uuid); - $sql->bindParam(':user', $_SESSION['uuid']); - $sql->bindParam(':name', $file_name); - $sql->execute(); - } catch (PDOException $e) { - // echo("Error:
" . $e->getMessage() . "
"); - $new_ticket_alert = array("danger", "Failed to upload file: " . $e->getMessage()); - } - } - - header('Location: /view?rid=' . $tkt_uuid, true); - } if (!is_signed_in()) { $new_ticket_alert = array("danger", "You need to log in to access this page."); @@ -83,7 +42,7 @@
-
+
diff --git a/app/public/update.php b/app/public/update.php index 0acc362..22ebb08 100644 --- a/app/public/update.php +++ b/app/public/update.php @@ -1,23 +1,6 @@ prepare($stmt); - $sql->bindParam(':tktuuid', $_POST['rid']); - $sql->bindParam(':user', $_SESSION['uuid']); - $sql->bindParam(':msg', $_POST['msg']); - $sql->execute(); - } catch (PDOException $e) { - // echo("Error:
" . $e->getMessage() . "
"); - $new_ticket_alert = array("danger", "Failed to save update: " . $e->getMessage()); - } - header('Location: /view?rid=' . $_POST['rid'], true); - } // Get ticket try { @@ -36,7 +19,7 @@ try { $updates_stmt = "SELECT * FROM ticket_updates WHERE ticket=:uuid"; $updates_sql = $db->prepare($updates_stmt); - $updates_sql->bindParam(':uuid', $_GET['rid']); + $updates_sql->bindParam(':uuid', $request['uuid']); $updates_sql->execute(); $updates_sql->setFetchMode(PDO::FETCH_ASSOC); $updates_result = $updates_sql->fetchAll(); @@ -48,7 +31,7 @@ try { $users_stmt = "SELECT user_uuid FROM ticket_subscribers WHERE ticket_uuid=:uuid"; $users_sql = $db->prepare($users_stmt); - $users_sql->bindParam(':uuid', $_GET['rid']); + $users_sql->bindParam(':uuid', $request['uuid']); $users_sql->execute(); $users_sql->setFetchMode(PDO::FETCH_ASSOC); $users_result = $users_sql->fetchAll(); @@ -185,9 +168,9 @@
Post update
- +
- +
diff --git a/app/public/upload.php b/app/public/upload.php index 83a9620..8ba8031 100644 --- a/app/public/upload.php +++ b/app/public/upload.php @@ -2,32 +2,6 @@ $PAGE_NAME = "Upload file"; require_once __DIR__ . "/../includes/header.php"; - // If form submitted, save to database - if($_SERVER['REQUEST_METHOD'] == 'POST') { - // If file is uploaded, process that - if(isset($_FILES['file']) && $_FILES['file']['name'] != "") { - try { - $file_uuid = Uuid::uuid4()->toString(); - $file_name = $_FILES['file']['name']; - $file_size = $_FILES['file']['size']; - $file_type = $_FILES['file']['type']; - $file_tmp = $_FILES['file']['tmp_name']; - move_uploaded_file($file_tmp,"/srv/attachments/".$file_name); - $stmt = "INSERT INTO ticket_uploads (id, ticket, user, filename) VALUES (:fileuuid, :ticket, :user, :name)"; - $sql = $db->prepare($stmt); - $sql->bindParam(':fileuuid', $file_uuid); - $sql->bindParam(':ticket', $_POST['rid']); - $sql->bindParam(':user', $_SESSION['uuid']); - $sql->bindParam(':name', $file_name); - $sql->execute(); - } catch (PDOException $e) { - // echo("Error:
" . $e->getMessage() . "
"); - $new_ticket_alert = array("danger", "Failed to upload file: " . $e->getMessage()); - } - } - header('Location: /view?rid=' . $tkt_uuid, true); - } - // Get ticket try { $ticket_stmt = "SELECT * FROM tickets WHERE uuid=:uuid"; @@ -102,11 +76,6 @@

-

- Update the request - Add attachment(s) - Close the request -

@@ -199,7 +168,7 @@
Upload file(s)
- +
diff --git a/app/public/view.php b/app/public/view.php index 542f0a3..b3089e5 100644 --- a/app/public/view.php +++ b/app/public/view.php @@ -78,7 +78,7 @@

Update the request Add attachment(s) - Close the request + Close the request

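Review bot: The `Close the request` link changed in this hunk now targets the new close action (its href is not legible in this view), but actions/close.php only runs the UPDATE when `$_SERVER['REQUEST_METHOD'] == 'POST'`, so a plain anchor, which issues a GET, will never close the ticket — and relaxing the handler to GET would let any link or image tag trigger a closure. Render it as a small POST form instead, e.g. `<form method="post" action="/actions/close"><input type="hidden" name="rid" value="<?= htmlspecialchars($rid, ENT_QUOTES) ?>"><button type="submit">Close the request</button></form>` where `$rid` is the ticket's uuid, and add a CSRF token field that the handler verifies with `hash_equals()`. Posting the id in the body this way also keeps the id that is authorised and the id that is updated identical on the handler side.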
@@ -150,7 +150,7 @@
  • - +