X-Git-Url: https://git.harvie.cz/?a=blobdiff_plain;f=index.php;h=caf25a0ef3039c92e95f2ea419b87abbc7565589;hb=042a49887f093945b7ef913556e506c30ce2bbda;hp=7361d3053532e26d7fabcfa3ad96a5c668253b14;hpb=4ece8e8078c74faac1037693e70656a8a50cb778;p=mirrors%2FSokoMan.git diff --git a/index.php b/index.php index 7361d30..caf25a0 100755 --- a/index.php +++ b/index.php @@ -34,10 +34,11 @@ require_once('Barcode.class.php'); * @author Tomas Mudrunka */ class HTML { - function row($row,$type=false) { + function row($row,$type=false,$class=false) { $html = ''; + $class = $class ? $class=" class='$class' " : ''; if($type) $html.="<$type>"; - $html.=''; + $html.=""; $td = $type == 'thead' ? 'th' : 'td'; foreach($row as $var) { if(trim($var) == '') $var = ' '; @@ -48,15 +49,18 @@ class HTML { return $html; } - function table(&$table, $params='border=1') { + function table(&$table, $parity_class=array('tr_odd','tr_even'), $params='border=1') { $html=""; $header=true; + $even=false; foreach($table as $row) { if($header) { $html.=$this->row(array_keys($row),'thead'); $header=false; } - $html.=$this->row($row); + $class = $parity_class ? $parity_class[$even] : false; + $html.=$this->row($row,false,$class); + $even = !$even; } $html.='
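Review bot: The inner assignment in `$class = $class ? $class=" class='$class' " : '';` is redundant — the outer assignment already stores the result — and reads like a typo; `$class = $class ? " class='$class' " : '';` does the same thing. The value is interpolated into the row's opening tag unescaped (the tag text is stripped in this rendering); the only caller visible here, `table()` in the next hunk, passes the fixed parity names, so that is fine today, but a comment `// $class is emitted verbatim into the attribute; callers must pass trusted, attribute-safe names` would make the contract explicit for any later caller with user-derived data.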
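Review bot: The new `$parity_class` parameter is inserted before the existing `$params`, so a caller that passed `$params` positionally (a hypothetical `$this->table($t, 'border=0')`) now sends that string as `$parity_class` and `$parity_class[$even]` indexes into it. The only caller visible in this diff, `render_item_table()`, uses the one-argument form, but callers outside the diff cannot be checked from here; appending the new parameter after `$params` avoids the silent change. Indexing with a bool works because PHP casts `false`/`true` to 0/1, but `$parity_class[(int) $even]` would say so explicitly.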
'; return $html; @@ -77,7 +81,17 @@ class HTML { return $this->link($this->img($src,$title,$options),$link,$internal,$translate); } + function textarea($name=false, $value='', $placeholder=false, $options=false, $prefix='') { + $html = T($prefix)."textarea($name, $value, $placeholder, $options, $prefix); $html = T($prefix)."$html"; } + function favicon($url='/favicon.ico') { + return ''; + + } + function head($title=false,$charset='UTF-8',$more='') { $title = $title ? "\n$title" : ''; $html= ''; $html.= ''.$title.$more; + $html.= $this->favicon(dirname($_SERVER['SCRIPT_NAME']).'/favicon.ico'); $html.= ''; return $html; } @@ -159,7 +179,8 @@ class Sklad_HTML extends HTML { //TODO: Split into few more methods $home = URL_HOME; $script = $_SERVER['SCRIPT_NAME']; $search = htmlspecialchars(@trim($_GET['q'])); - $message = strip_tags(@trim($_GET['message']),''); + $message = strip_tags(@trim($_GET['message']),'
'); + $fortune = 'test'; $instance = INSTANCE_ID != '' ? '/'.INSTANCE_ID : ''; $user_id = htmlspecialchars($user['id']); $user_gid = htmlspecialchars($user['gid']); @@ -181,6 +202,7 @@ td,body { background-color: white; } table { background-color: orange; border: orange; } a, a img { text-decoration:none; color: darkblue; border:none; } li a, a:hover { text-decoration:underline; } +.tr_even td { background-color: lemonchiffon; } .menu li { float: left; @@ -219,8 +241,8 @@ EOF; $assistants=array(); foreach(scandir(DIR_ASSISTANTS) as $item) { if($item == '.' || $item == '..') continue; - $item = preg_replace('/\.inc\.php$/','',$item); - $assistants[$item] = "assistant/$item"; + $item = preg_replace('/\.inc\.php$/','',$item,-1,$count); + if($count) $assistants[$item] = "assistant/$item"; } $tables=array('item','model','category','producer','vendor','room','status'); @@ -240,7 +262,7 @@ EOF; $html .= '
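Review bot: `strip_tags()` with an allow-list is not an HTML sanitiser: attributes on the allowed tags survive, so a `message` query value reflected through `$message = strip_tags(@trim($_GET['message']), ...)` can still carry event-handler attributes on whichever tag is allowed (the allow-list argument is not visible in this rendering). Since the text is user-controlled via `$_GET['message']`, `htmlspecialchars(@trim($_GET['message']))` followed by `nl2br()` is the safer form if line breaks are the only markup needed. The `$fortune = 'test';` literal on the next line looks like a placeholder that reached the commit; if so, a `//TODO` on it would mark it. The enclosing method starts before this hunk and continues past it.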
'; - $html .= $this->form("$script/assistant/go", 'GET', array( + $html .= $this->form("$script/api/go", 'GET', array( array('q','','text','smart id...', 'autofocus'), array(false,'go','submit') ), 'style="float: left;"'); @@ -258,6 +280,9 @@ EOF;
$message
+
+$fortune +
EOF; return $html; @@ -296,13 +321,14 @@ EOF; $relations = array( //TODO: Autodetect??? 'model' => array( 'model_id' => array(array('item',$where_url)), - 'model_barcode' => array(array('store','assistant/%d?barcode=%v')) + 'model_barcode' => array(array('store','assistant/%d?barcode=%v')), + 'model_name' => array(array('google','http://google.com/search?q=%v',true)) //TODO: add manufacturer to google query ), 'item' => array( 'item_serial' => array(array('dispose','assistant/%d?serial=%v'),array('sell','assistant/%d?serial=%v')) ), - 'category' => array('category_id' => array(array('item',$where_url))), - 'producer' => array('producer_id' => array(array('item',$where_url))), + 'category' => array('category_id' => array(array('item',$where_url), array('model',$where_url))), + 'producer' => array('producer_id' => array(array('item',$where_url), array('model',$where_url))), 'vendor' => array('vendor_id' => array(array('item',$where_url))), 'room' => array('room_id' => array(array('item',$where_url))), 'status' => array('status_id' => array(array('item',$where_url))) @@ -313,10 +339,10 @@ EOF; foreach($relations[$class][$column] as $destination) { $destination_url = str_replace( array('%d','%c','%v'), - array($destination[0],$column,$value), + array(urlencode($destination[0]),urlencode($column),urlencode($value)), $destination[1] ); - @$table[$id][$class.$suffix_relations] .= $this->link($destination[0], $destination_url).','; + @$table[$id][$class.$suffix_relations] .= $this->link($destination[0], $destination_url, !isset($destination[2])).','; } } } 
@@ -358,16 +384,32 @@ EOF; $table = $table_sorted; } + function table_hide_columns(&$table, $class) { //TODO: Move to build_query_select() !!! :-))) + $fields_hide = array( + 'item' => array('model_descript','model_price_in','model_price_out','model_barcode','model_countable','model_reserve','model_eshop_hide','room_descript','room_author','producer_name','producer_note','vendor_note') + ); + //print_r($table); die(); + if(isset($fields_hide[$class])) foreach($table as $id => $row) { + foreach($fields_hide[$class] as $field) unset($table[$id][$field]); + } + } + function render_item_table($table,$class=false) { + if(empty($table)) return '

'.T('holy primordial emptiness is all you can find here...').'


'; $this->table_add_images($table); if($class) $this->table_add_relations($table,$class); $this->table_add_barcodes($table); $this->table_collapse($table); + if($class) $this->table_hide_columns($table,$class); $this->table_sort($table); return $this->table($table); } function render_insert_inputs($class,$columns,$selectbox,$current,$hidecols,$update) { + $textarea = array( + 'item' => array('item_note'), + 'model' => array('model_descript') + ); $html = ''; foreach($columns as $column) { $html.=T($class).':'.T($column['Field']).': '; @@ -382,6 +424,9 @@ EOF; case isset($selectbox[$column['Field']]): $html.=$this->select($name,$selectbox[$column['Field']],$val); break; + case isset($textarea[$class]) && in_array($column['Field'],$textarea[$class]): + $html.=$this->input($name, $val, 'textarea'); + break; default: $html.=$this->input($name, $val); break; @@ -406,6 +451,7 @@ EOF; } else $hr = '
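Review bot: In `table_hide_columns()` the loop `foreach($table as $id => $row)` never uses `$row`; `foreach(array_keys($table) as $id)` expresses the intent and avoids copying each row while the array is being modified. The commented-out `//print_r($table); die();` debugging line should be removed before merge. A short docblock on the method, `/** Drops listing-noise columns for the given table class; keyed by class name, see the TODO about build_query_select(). */`, would document the hard-coded `$fields_hide` list until it moves.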
'; //$args[] = false; $args[] = $parts; + $html .= call_user_func_array(array($this, 'render_insert_form'), $args); $html .= $hr; } @@ -487,8 +533,9 @@ class Sklad_DB extends PDO { 'item' => array('model', 'category', 'producer', 'vendor', 'room', 'status'), 'model' => array('category', 'producer') ); //TODO Autodetect using foreign keys? - $search_fields = array( - 'item' => array('item_id','item_serial','model_name','model_barcode','model_descript','producer_name','vendor_name') + $fields_search = array( + 'item' => array('item_id','item_serial','model_name','model_barcode','model_descript','producer_name','vendor_name'), + 'model' => array('model_id','model_name','model_barcode','model_descript','producer_name') ); //TODO Autodetect //Init @@ -504,16 +551,16 @@ class Sklad_DB extends PDO { //WHERE/REGEXP if($search) { $search = $this->quote($search); - if(!isset($search_fields[$class])) die(trigger_error(T("Can't search in $class table yet :-("))); //TODO: post_redirect_get + if(!isset($fields_search[$class])) die(trigger_error(T("Can't search in $class table yet :-("))); //TODO: post_redirect_get $sql_search = ''; - foreach($search_fields[$class] as $column) $sql_search .= "OR $column REGEXP $search "; + foreach($fields_search[$class] as $column) $sql_search .= "OR $column REGEXP $search "; $where[] = "FALSE $sql_search"; } elseif($id) $where[] = "$class$suffix_id = $id"; if(!$history && $this->contains_history($class)) $where[] = $class.'_valid_till=0'; if($where) $sql .= 'WHERE ('.implode(') AND (', $where).")\n"; //ORDER - if(!$order) $order = $class.$suffix_id; + if(!$order) $order = $class.$suffix_id.' DESC'; if($this->contains_history($class)) $order .= ",${class}_valid_from DESC"; $sql .= "ORDER BY $order\n"; //LIMIT/OFFSET 
@@ -573,7 +620,11 @@ class Sklad_DB extends PDO { } function columns_get_selectbox($columns, $class=false, $suffix_id='_id', $suffix_name='_name') { - $selectbox=array(); + $selectbox=array( //TODO: Hardcoded... + 'model_countable' => array(0 => 'no', 1 => 'yes'), + 'model_eshop_hide' => array(0 => 'no', 1 => 'yes'), + 'vendor_id' => array('COMPULSORY' => 'select...') + ); foreach($columns as $column) { if($column['Field'] == 'user_id') continue; //TODO HACK Blacklist: tabulka nemusi obsahovat *_name!!! momentalne se to tyka jen tabulky user (a item - u ty to nevadi)! if($class && $column['Field'] == $class.$suffix_id) continue; @@ -732,11 +783,11 @@ class Sklad_UI { return $this->html->render_insert_form($class, $columns, $selectbox); } - function render_form_edit($class, $id) { + function render_form_edit($class, $id, $multi_insert) { $columns = $this->db->get_columns($class); $selectbox = $this->db->columns_get_selectbox($columns, $class); $current = $this->db->get_listing($class, $id, 1); - return $this->html->render_insert_form($class, $columns, $selectbox, $current); + return $this->html->render_insert_form($class, $columns, $selectbox, $current, false, false, $multi_insert); } function render_single_record_details($class, $id) { @@ -775,7 +826,7 @@ class Sklad_UI { $html.=$this->render_listing_navigation($class, '*', $limit, $offset); } if($edit) { - $html.= $this->render_form_edit($class, $id); + $html.= $this->render_form_edit($class, $id, false); $action = $_SERVER['SCRIPT_NAME']."/$class/$id/delete"; $html.=$this->html->form($action,'POST',array( array(false,'DELETE','submit'), 
@@ -791,18 +842,19 @@ class Sklad_UI { } function check_auth() { - new HTTP_Auth('SkladovejSystem', true, array($this->db->auth,'check_auth')); + new HTTP_Auth('WareHouse ['.BACKEND_AUTH.']', true, array($this->db->auth,'check_auth')); } - function post_redirect_get($location, $message='', $error=false) { - $url_args = $message != '' ? '?message='.urlencode(T($message)) : ''; + function post_redirect_get($location, $message='', $error=false, $translate=true) { + $messaget = $translate ? T($message) : $message; + $url_args = $messaget != '' ? '?message='.urlencode($messaget) : ''; $location = $this->html->internal_url($location).$url_args; header('Location: '.$location); if($error) trigger_error($message); $location=htmlspecialchars($location); die( "". - T($message)."
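Review bot: `render_form_edit()` gains a required third parameter `$multi_insert` with no default, so any caller outside this diff that still uses the two-argument form now triggers a missing-argument error (a warning on older PHP, `ArgumentCountError` on 7.1+). The one caller updated here, `render_form_edit($class, $id, false)` in the -775 hunk, always passes `false`; declaring it as `function render_form_edit($class, $id, $multi_insert=false)` keeps old callers working and matches how the value is used.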
Location:
$location" + $messaget."
Location: $location" ); } @@ -818,6 +870,16 @@ class Sklad_UI { return $out; } + function check_input_validity($field, $value='', $ruleset=0) { + $rules = array(0 => array( + 'model_barcode' => '/./', + 'item_serial' => '/./', + 'vendor_id' => '/^[0-9]*$/' + )); + if(isset($rules[$ruleset][$field]) && !preg_match($rules[$ruleset][$field], trim($value))) return false; + return true; + } + function process_http_request_post($action=false, $class=false, $id=false, $force_redirect=false) { if($_SERVER['REQUEST_METHOD'] != 'POST') return; //echo('
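Review bot: With `$translate=false`, `$messaget` is written into the `die()` body on the line `$messaget."` … `Location: $location"` unescaped, so the caller now owns the HTML-safety of the message; `$location` is passed through `htmlspecialchars()` on the line before, the message is not. That contract belongs on the method, e.g. `// $message is emitted as raw HTML when $translate is false; callers must escape any user-derived text themselves`, and the caller added in the -832 hunk does interpolate POST data into it. Note also that `$url_args` forwards the same raw message in the `message` query parameter, where the receiving page relies on strip_tags().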
'); //DEBUG (maybe todo remove), HEADERS ALREADY SENT!!!!
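Review bot: The `vendor_id` rule `/^[0-9]*$/` matches the empty string, so an empty vendor passes validation, while the `'COMPULSORY' => 'select...'` sentinel added to the selectbox in the -573 hunk is rejected only because it is non-numeric; if the field is meant to be mandatory the rule should be `/^[0-9]+$/`. `trim($value)` assumes a string — the POST structure is nested arrays, and a non-string reaching `preg_match()` raises a warning and returns `false`, which this method then reports as invalid; probably acceptable, but worth a comment. A docblock stating `@return bool false only when a rule exists for $field and the trimmed value does not match it` would make the default-allow behaviour for unlisted fields explicit.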
@@ -832,7 +894,14 @@ class Sklad_UI {
 			$values=array();
 			foreach($_POST['values'] as $table => $columns) {
 				foreach($columns as $column => $ids) {
-					foreach($ids as $id => $val) $values[$table][$id][$column] = $val;
+					foreach($ids as $id => $val) {
+						$values[$table][$id][$column] = trim($val);
+						if(!$this->check_input_validity($column,$val)) {
+							$message = "Spatny vstup: $column [$id] = \"$val\"; ". //XSS
+								$this->html->link('GO BACK', 'javascript:history.back()', false, false);
+			        $this->post_redirect_get('', $message, false, false);
+						}
+					}
 				}
 			}
 			//die(print_r($values));
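Review bot: `$column`, `$id` and `$val` come straight from `$_POST['values']` and are interpolated into `$message` without escaping, and the message is then passed with `$translate=false` so post_redirect_get() emits it as raw HTML — the `//XSS` marker on the line acknowledges this but the code ships it. Escape the untrusted part and keep only the trusted link unescaped: `$message = 'Spatny vstup: '.htmlspecialchars("$column [$id] = \"$val\"").'; '.` with the `$this->html->link(...)` concatenation unchanged on the following line. The call on line 32 is indented with spaces while the surrounding block uses tabs. The enclosing method `process_http_request_post()` starts before this hunk.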
@@ -883,22 +952,27 @@ class Sklad_UI {
 		}
 
 		$PATH_INFO=@trim($_SERVER[PATH_INFO]);
+		if($PATH_INFO == '' || $PATH_INFO == '/') $PATH_INFO = FRONTEND_PAGE_WELCOME;
 		$PATH_CHUNKS = preg_split('/\//', $PATH_INFO);
 		//Sephirot:
 		if(!isset($PATH_CHUNKS[1])) $PATH_CHUNKS[1]='';
-		if($_SERVER['REQUEST_METHOD'] != 'POST' && $PATH_CHUNKS[1]!='barcode') //TODO: tyhle podminky naznacujou, ze je v navrhu nejaka drobna nedomyslenost...
+		if($_SERVER['REQUEST_METHOD'] != 'POST' && $PATH_CHUNKS[1]!='barcode' && $PATH_CHUNKS[1]!='api') //TODO: tyhle podminky naznacujou, ze je v navrhu nejaka drobna nedomyslenost...
 			echo $this->html->header($PATH_INFO,$this->db->auth->get_user());
 		switch($PATH_CHUNKS[1]) { //TODO: Move some branches to plugins if possible
 			case 'test':	//test
 				die('Tell me why you cry');
 				break;
-			case 'assistant': //assistant
+			case 'assistant': case 'api': //assistant|api
+				$incdirs = array(
+					'assistant'	=> DIR_ASSISTANTS,
+					'api'	=> DIR_APIS
+				);
 				$PATH_CHUNKS[3] = isset($PATH_CHUNKS[3]) ? trim($PATH_CHUNKS[3]) : false;
 				$assistant_vars['SUBPATH'] = array_slice($PATH_CHUNKS, 3);
 				$assistant_vars['URL_INTERNAL'] = 'assistant/'.$PATH_CHUNKS[2];
 				$assistant_vars['URL'] = $_SERVER['SCRIPT_NAME'].'/'.$assistant_vars['URL_INTERNAL'];
 				$assistant_vars['ASSISTANT'] = $PATH_CHUNKS[2];
-				echo $this->safe_include(DIR_ASSISTANTS,$PATH_CHUNKS[2],$assistant_vars);
+				echo $this->safe_include($incdirs[$PATH_CHUNKS[1]],$PATH_CHUNKS[2],$assistant_vars);
 				break;
 			case 'barcode': //barcode
 				Barcode::download_barcode(implode('/',array_slice($PATH_CHUNKS, 2)));
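Review bot: In the merged `assistant`/`api` branch, `$assistant_vars['URL_INTERNAL'] = 'assistant/'.$PATH_CHUNKS[2];` still hard-codes the assistant prefix, so an API include receives a URL pointing at the assistant path; `$assistant_vars['URL_INTERNAL'] = $PATH_CHUNKS[1].'/'.$PATH_CHUNKS[2];` would follow the selected directory. `$PATH_CHUNKS[2]` is read without an `isset()` guard, so a bare `/api` or `/assistant` request passes an undefined index into `safe_include()`. The include target is chosen by the request path, so the branch relies entirely on `safe_include()` (outside this diff) restricting the name to a plain file inside `$incdirs[...]`; a comment here, `// safe_include() must constrain $PATH_CHUNKS[2] to a filename within the chosen directory`, keeps that reliance visible as the api directory grows. The enclosing switch continues past this hunk.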
@@ -924,8 +998,8 @@ class Sklad_UI {
 								$edit=true;
 							default:	//?/?/?
 								$history = $PATH_CHUNKS[3] == 'history' ? true : false;
-								$limit	= (int) (isset($PATH_CHUNKS[3]) ? $PATH_CHUNKS[3] : '0');
-								$offset	= (int) (isset($PATH_CHUNKS[4]) ? $PATH_CHUNKS[4] : '0');
+								$limit	= is_numeric($PATH_CHUNKS[3]) ? (int) $PATH_CHUNKS[3] : FRONTEND_LISTING_LIMIT;
+								$offset	= isset($PATH_CHUNKS[4]) ? (int) $PATH_CHUNKS[4] : 0;
 								$where = @is_array($_GET['where']) ? $_GET['where'] : false;
 								echo $this->render_items($class, $id, $limit, $offset, $where, $search, $history);
 								echo $this->render_listing_extensions($class, $id, $limit, $offset, $edit);
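Review bot: The `isset()` guard on `$PATH_CHUNKS[3]` was dropped from the `$limit` line while the `$offset` line keeps its own; the context line `$history = $PATH_CHUNKS[3] == 'history'` already reads the index unguarded, so the notice is not new, but the commit removed the one guard that existed. `$limit = isset($PATH_CHUNKS[3]) && is_numeric($PATH_CHUNKS[3]) ? (int) $PATH_CHUNKS[3] : FRONTEND_LISTING_LIMIT;` restores the symmetry. `is_numeric()` also accepts forms such as `1e3` or `-5`, and the `(int)` cast of a negative value flows into render_items() as it did before; if a negative limit is meaningful a comment should say so, otherwise clamp with `max(0, ...)`. The enclosing switch continues past this hunk.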