Merge pull request #1112 from itflow-org/portal-contacts-bugfix

Portal contacts

Author: johnnyq

portal/contact_edit.php

@@ -21,7 +21,12 @@
 
 $contact_id = intval($_GET['id']);
 
-$sql_contact = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_primary, contact_technical, contact_billing, contact_auth_method FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $session_client_id AND contacts.contact_archived_at IS NULL LIMIT 1");
+$sql_contact = mysqli_query(
+    $mysqli, "SELECT contact_id, contact_name, contact_email, contact_primary, contact_technical, contact_billing, user_auth_method
+    FROM contacts
+    LEFT JOIN users ON user_id = contact_user_id
+    WHERE contact_id = $contact_id AND contact_client_id = $session_client_id AND contacts.contact_archived_at IS NULL LIMIT 1"
+);
 
 $row = mysqli_fetch_array($sql_contact);
 
@@ -32,7 +37,7 @@
     $contact_primary = intval($row['contact_primary']);
     $contact_technical = intval($row['contact_technical']);
     $contact_billing = intval($row['contact_billing']);
-    $contact_auth_method = nullable_htmlentities($row['contact_auth_method']);
+    $contact_auth_method = nullable_htmlentities($row['user_auth_method']);
 } else {
     header("Location: portal_post.php?logout");
     exit();

portal/portal_post.php

@@ -324,43 +324,90 @@
     header('Location: index.php');
 }
 
-if (isset($_POST['edit_contact'])) {
-    $contact_id = intval($_POST['contact_id']);
+if (isset($_POST['add_contact'])) {
     $contact_name = sanitizeInput($_POST['contact_name']);
     $contact_email = sanitizeInput($_POST['contact_email']);
     $contact_technical = intval($_POST['contact_technical']);
     $contact_billing = intval($_POST['contact_billing']);
     $contact_auth_method = sanitizeInput($_POST['contact_auth_method']);
 
-    mysqli_query($mysqli, "UPDATE contacts SET contact_name = '$contact_name', contact_email = '$contact_email', contact_billing = $contact_billing, contact_technical = $contact_technical WHERE contact_id = $contact_id AND contact_client_id = $session_client_id AND contact_archived_at IS NULL AND contact_primary = 0");
+    // Check the email isn't already in use
+    $sql = mysqli_query($mysqli, "SELECT user_id FROM users WHERE user_email = '$contact_email'");
+    if ($sql && mysqli_num_rows($sql) > 0) {
+        $_SESSION['alert_type'] = "danger";
+        $_SESSION['alert_message'] = "Cannot add contact as that email address is already in use";
+        header('Location: contact_add.php');
+        exit();
+    }
+
+    // Create user account with rand password for the contact
+    $contact_user_id = 0;
+    if ($contact_name && $contact_email && $contact_auth_method) {
+
+        $password_hash = password_hash(randomString(), PASSWORD_DEFAULT);
+
+        mysqli_query($mysqli, "INSERT INTO users SET user_name = '$contact_name', user_email = '$contact_email', user_password = '$password_hash', user_auth_method = '$contact_auth_method', user_type = 2");
+
+        $contact_user_id = mysqli_insert_id($mysqli);
+    }
+
+    // Create contact record
+    mysqli_query($mysqli, "INSERT INTO contacts SET contact_name = '$contact_name', contact_email = '$contact_email', contact_billing = $contact_billing, contact_technical = $contact_technical, contact_client_id = $session_client_id, contact_user_id = $contact_user_id");
+    $contact_id = mysqli_insert_id($mysqli);
 
     // Logging
-    logAction("Contact", "Edit", "Client contact $session_contact_name edited contact $contact_name in the client portal", $session_client_id, $contact_id);
+    logAction("Contact", "Create", "Client contact $session_contact_name created contact $contact_name in the client portal", $session_client_id, $contact_id);
 
-    $_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> updated";
-    
-    header('Location: contacts.php');
+    customAction('contact_create', $contact_id);
 
-    customAction('contact_update', $contact_id);
+    $_SESSION['alert_message'] = "Contact $contact_name created";
+
+    header('Location: contacts.php');
 }
 
-if (isset($_POST['add_contact'])) {
+if (isset($_POST['edit_contact'])) {
+    $contact_id = intval($_POST['contact_id']);
     $contact_name = sanitizeInput($_POST['contact_name']);
     $contact_email = sanitizeInput($_POST['contact_email']);
     $contact_technical = intval($_POST['contact_technical']);
     $contact_billing = intval($_POST['contact_billing']);
     $contact_auth_method = sanitizeInput($_POST['contact_auth_method']);
 
-    mysqli_query($mysqli, "INSERT INTO contacts SET contact_name = '$contact_name', contact_email = '$contact_email', contact_billing = $contact_billing, contact_technical = $contact_technical, contact_client_id = $session_client_id");
+    // Get the existing contact_user_id - we look it up ourselves so the user can't just overwrite random users
+    $sql = mysqli_query($mysqli,"SELECT contact_user_id FROM contacts WHERE contact_id = $contact_id AND contact_client_id = $session_client_id");
+    $row = mysqli_fetch_array($sql);
+    $contact_user_id = intval($row['contact_user_id']);
+
+    // Check the email isn't already in use
+    $sql = mysqli_query($mysqli, "SELECT user_id FROM users WHERE user_email = '$contact_email' AND user_id != $contact_user_id");
+    if ($sql && mysqli_num_rows($sql) > 0) {
+        $_SESSION['alert_type'] = "danger";
+        $_SESSION['alert_message'] = "Cannot update contact as that email address is already in use";
+        header('Location: contact_edit.php?id=' . $contact_id);
+        exit();
+    }
 
-    $contact_id = mysqli_insert_id($mysqli);
+    // Update Existing User
+    if ($contact_user_id > 0) {
+        mysqli_query($mysqli, "UPDATE users SET user_name = '$contact_name', user_email = '$contact_email', user_auth_method = '$contact_auth_method' WHERE user_id = $contact_user_id");
 
-    // Logging
-    logAction("Contact", "Create", "Client contact $session_contact_name created contact $contact_name in the client portal", $session_client_id, $contact_id);
+    // Else, create New User
+    } elseif ($contact_user_id == 0 && $contact_name && $contact_email && $contact_auth_method) {
+        $password_hash = password_hash(randomString(), PASSWORD_DEFAULT);
+        mysqli_query($mysqli, "INSERT INTO users SET user_name = '$contact_name', user_email = '$contact_email', user_password = '$password_hash', user_auth_method = '$contact_auth_method', user_type = 2");
 
-    customAction('contact_create', $contact_id);
+        $contact_user_id = mysqli_insert_id($mysqli);
+    }
 
-    $_SESSION['alert_message'] = "Contact <strong>$contact_name</strong> created";
+    // Update contact
+    mysqli_query($mysqli, "UPDATE contacts SET contact_name = '$contact_name', contact_email = '$contact_email', contact_billing = $contact_billing, contact_technical = $contact_technical, contact_user_id = $contact_user_id WHERE contact_id = $contact_id AND contact_client_id = $session_client_id AND contact_archived_at IS NULL AND contact_primary = 0");
 
+    // Logging
+    logAction("Contact", "Edit", "Client contact $session_contact_name edited contact $contact_name in the client portal", $session_client_id, $contact_id);
+
+    $_SESSION['alert_message'] = "Contact $contact_name updated";
+    
     header('Location: contacts.php');
+
+    customAction('contact_update', $contact_id);
 }