Cleanup develop files

.gitignore

@@ -0,0 +1,2 @@
+_notes/
+.vscode/

changelog.md

@@ -1,4 +1,34 @@
 # CHANGE LOG
+**7 September 2016
+
+* Fix: Issue handling illegal characters in group names
+* Fix: Better handling of authorization when attempting to edit a workorder.
+* Fix: Corrent some spelling errors.
+* Improvement: Current approver can add collaborator to a workorder. * db changes see _update.
+* Improvement: Sends update email to workorder creator when something changes.
+* Improvement: Move workorder approve/edit into page_content and dbquery routing structure.
+* Improvement: Refactor php/html in several places for greater clarity.
+* Improvement: Add simple pubsub javascript library for easy frontend ui eventing.
+* Improvement: Move appconfig.php to /config/appconfig.php * just makes sense.
+* Improvement: Bump minor version
+
+**6 August 2016**
+
+* Fix: Pay engineering debt. forms_db_controller.php better follows data adapter pattern used in other classes.
+* Fix: classes/login.php now including user fname and lname in query.
+* Fix: XDebug with PHP on Windows showing multiple undefined variables. Fixed by initializing vars to null in multiple pages.
+* Fix: Form preview on workorder forms list page now working. Added header_forms_admin.php to include JS code.
+* Fix: Remove old db conn info in appconfig.php Not needed any longer.
+* Fix: UserDataAdapter AdminUpdate function protected against SQL injection.
+* Fix: Update .gitignore to ignore Visual Studio Code IDE config files in .vscode folder.
+* Improvement: Supports using environment variables for db connection. See config/db.php for details.
+
+**4 August 2016**
+
+* Fix: #7 district level approver list can now be left blank if needed. Final will be handled by last group level approver.
+* Fix: #10 Special characters in goup name can now include / char.
+* Fix: #11 If forms fields have identical label text they will now render correctly in email and when viewing/editing.
+
 **16 July 2016**
 
 * Fix: Fixed the query section of the update user page.  Now you can update user information

readme.md

@@ -1,4 +1,4 @@
-# Workorders v2.0.0
+# Workorders v2.1.0
 
 A simple way for large groups to organize work using custom forms!
 
@@ -14,4 +14,5 @@ A simple way for large groups to organize work using custom forms!
 * User permission levels.
 * User registration can be limited based on domain.
 * Users can view work orders that need their approval.
-* Users can view work orders they have submitted.
+* Users can view work orders they have submitted.
+* Collaboration feature allows including others in the workflow process as needed. 

src/_page_processor.php

@@ -2,7 +2,7 @@
 
 require_once("config/db.php");
 require_once("classes/Login.php");
-require_once('./resources/appconfig.php');
+require_once('config/appconfig.php');
 
 require_once "./resources/library/appinfo.php";
 $appInfoDbAdapter = new AppInfo($dsn, $user_name, $pass_word);
@@ -87,8 +87,8 @@
 	*/
 
 
-
-				if($include_address == ""){
+			$folder = null; // set default value or error in navbar. XDebug
+			if(isset($include_address) == false || $include_address == ""){
 				$include_address = "page_content/index.php";
 			}
 			if(isset($_GET['I'])){
@@ -158,12 +158,12 @@
 
             <div class="container-fluid">
             <?php
-			if($BASE_URL == "http://localhost/workorder"){
+			if(getenv("WO_ENV_ENABLED") == 1 || $BASE_URL == "http://localhost/workorder"){
                 ?>
                     <div class="col-lg-12">
                         <div class="alert alert-danger alert-dismissable">
                             <button type="button" class="close" data-dismiss="alert" aria-hidden="true">&times;</button>
-                            <i class="fa fa-info-circle"></i>  <strong>ALERT </strong> Your are on the local server
+                            <i class="fa fa-info-circle"></i>  <strong>ALERT </strong> You are on the local server
                         </div>
                     </div>
 			<?php

src/_update/db_update_6-14-2016.sql

@@ -1,5 +1,10 @@
 CREATE TABLE IF NOT EXISTS `groups` ( `GRP_id` INT NOT NULL AUTO_INCREMENT , `GRP_name` VARCHAR(50) NOT NULL COMMENT 'Currently GRP_id is not saved in users table GRP_name is' , PRIMARY KEY (`GRP_id`)) ENGINE = MyISAM;
 /*
 Add a permissions section to user table
+NOTE:  user_perms field in users table defines what users are allowed to see in the interface
+ie
+1 = super admin  - can see all, do all
+2 = admin - can approve workorders (sees needs approval button)
+3 = user - can only create new workorders for approval
 */
 ALTER TABLE `users` ADD `user_perms` TINYINT NOT NULL DEFAULT '3' COMMENT 'smaller=higher perms' AFTER `form_manager`;

src/_update/db_update_8-13-2016_rb.sql

@@ -0,0 +1,5 @@
+ALTER TABLE `workorders` ADD `collaborators` TEXT COMMENT 'Current collaborators as JSON array of email addresses' AFTER `comments`;
+
+ALTER TABLE `users` ADD `collaborator` TINYINT(1) NOT NULL DEFAULT 0 COMMENT 'User is a collaborator when set to non zero value' AFTER `user_perms`;
+
+ALTER TABLE `users` DROP COLUMN `form_manager`;

src/classes/Login.php

@@ -67,7 +67,7 @@ private function dologinWithPostData()
 
                 // database query, getting all the info of the selected user (allows login via email address in the
                 // username field)
-                $sql = "SELECT user_name, user_email, user_password_hash, user_group, form_manager, user_perms
+                $sql = "SELECT user_name, user_email, user_password_hash, user_group, user_perms, user_fname, user_lname
                         FROM users
                         WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_name . "';";
                 $result_of_login_check = $this->db_connection->query($sql);
@@ -88,7 +88,6 @@ private function dologinWithPostData()
                         $_SESSION['user_lname'] = $result_row->user_lname;
                         $_SESSION['user_email'] = $result_row->user_email;
                         $_SESSION['user_group'] = $result_row->user_group;
-                        $_SESSION['form_manager'] = $result_row->form_manager;
                         $_SESSION['user_perms'] = $result_row->user_perms;
                         $_SESSION['user_login_status'] = 1;
 

src/resources/appconfig.php → src/config/appconfig.php

@@ -10,11 +10,7 @@ abstract class Config {
     const BaseUrl = "http://www.example.com/";
     const SiteTitleShort = "FLOW";
     const SiteTitleLong = "Work Flow";
-    const DbDsn = "mysql:host=localhost;dbname=formsdb";
-    const DbUsername = "";
-    const DbPassword = "";
     const WorkorderApproverScript = "workorderview.php";
     const WorkorderViewOnlyScript = "workorderview.php";
 }
-
 ?>

src/config/db.php

@@ -3,6 +3,15 @@
 /**
  * Configuration for: Database Connection
  *
+ * NOTE: There are two ways to configure the DB connection.
+ * 1) Environment variables
+ *    WO_ENV_ENABLED=1
+ *    WO_DB_NAME=yourDBname
+ *    WO_DB_USERNAME=yourDBusername
+ *    WO_DB_PASSWORD=yourDBpassword
+ * 2) Modify values in this config file below
+ *    Change DB_NAME, DB_USERNAME_HERE, and DB_PASSWORD_HERE
+ * 
  * For more information about constants please @see http://php.net/manual/en/function.define.php
  * If you want to know why we use "define" instead of "const" @see http://stackoverflow.com/q/2447791/1114320
  *
@@ -11,13 +20,24 @@
  * DB_USER: user for your database. the user needs to have rights for SELECT, UPDATE, DELETE and INSERT.
  * DB_PASS: the password of the above user
  */
-  $database_name = "DB_NAME";
-  $dsn = 'mysql:host=localhost;dbname='.$database_name;
-  $user_name = 'DB_USERNAME_HERE'; //DEFUAULT DB_USERNAME_HERE
-  $pass_word = 'DB_PASSWORD_HERE';
+  if(getenv("WO_ENV_ENABLED") == 1)
+  {
+    // Set these in your local environment
+    $database_name = getenv("WO_DB_NAME"); // DO NOT MODIFY HERE
+    $dsn = 'mysql:host=localhost;dbname='.$database_name;
+    $user_name = getenv('WO_DB_USERNAME'); // DO NOT MODIFY HERE
+    $pass_word = getenv('WO_DB_PASSWORD'); // DO NOT MODIFY HERE
+  } else {
+    // Modify the values below IF you are NOT using environment variables for config.
+    $database_name = "DB_NAME"; // SET DB NAME HERE
+    $dsn = 'mysql:host=localhost;dbname='.$database_name;
+    $user_name = 'DB_USERNAME_HERE'; // SET DB USERNAME HERE
+    $pass_word = 'DB_PASSWORD_HERE'; // SET DB PASSWORD HERE
 
-  if($user_name == 'DB_USERNAME_HERE'){
-	echo "<h1 style=\"color:red\">Woah!!! Hold on there Sparky, you need to update the util/forms_db_info.php befor running this program!</h1>";  
+    if($user_name == 'DB_USERNAME_HERE'){
+      echo "<h1 style=\"color:red\">Woah!!! Hold on there Sparky, you need to update the config/db.php before running this program!</h1>";
+      die();  
+    }
   }
 
 define("DB_HOST", "127.0.0.1");

src/dbquery/qryADMIN/formbuild_qry.php

@@ -10,13 +10,13 @@
             $formAvailable = 0;
             if (isset($_POST["formAvailable"])) { $formAvailable = 1; }
             if (isset($_POST["updateform"])){
-              $fdc = new FormsDataController();
+              $fdc = new FormsDataController($dsn, $user_name, $pass_word);
               $QUERY_PROCESS = $fdc->updateForm($_POST["id"], $_POST["formname"], $_POST["formdesc"], $_POST["xmldata"], $_POST["workflow"], $_POST["notifyOnFinalApproval"], $formAvailable, $_POST["groupWorkflows"]);
             } elseif (isset($_POST["deleteform"])) {
-              $fdc = new FormsDataController();
+              $fdc = new FormsDataController($dsn, $user_name, $pass_word);
               $QUERY_PROCESS = $fdc->deleteForm($_POST["id"]);
             } elseif (isset($_POST["addform"])) {
-              $fdc = new FormsDataController();
+              $fdc = new FormsDataController($dsn, $user_name, $pass_word);
               $QUERY_PROCESS = $fdc->addForm($_POST["formname"], $_POST["formdesc"], $_POST["xmldata"], $_POST["workflow"], $_POST["notifyOnFinalApproval"], $formAvailable, $_POST["groupWorkflows"]);
               if (!$QUERY_PROCESS){
                 echo "<div class='alert alert-danger'>All fields are required. Keep calm and try again...</div>";

src/dbquery/qryUSER/edit_user_qry.php

@@ -2,7 +2,7 @@
 
 require_once "./resources/library/user.php";
 
-$usrDbAdapter = new UserDataAdapter($dsn, $user_name, $pass_word, $currentUserEmail);
+$usrDbAdapter = new UserDataAdapter($dsn, $user_name, $pass_word);
 
 
 $element = "User";

src/dbquery/qryWORKORDER/add_collab_qry.php

@@ -0,0 +1,37 @@
+<?php
+/************************************************************************************************
+Adds a user as a collaborator to a workorder 
+Author: Raymond Brady
+Date Created: 8/16/2016
+************************************************************************************************/
+require_once('./resources/library/workorder.php');
+
+$element = "Workorder";
+$element_function = "updated";
+
+if (!isset($_SESSION['user_email']) || !isset($_POST['id']) || !isset($_POST['key']) || !isset($_POST['collabcomment']) || !isset($_POST['collabUserSelect'])) {
+    $QUERY_PROCESS = "ERROR|Required fields are missing.";
+    return;
+}
+// Gather data, process POST, and update the workorder with collaborator
+$currentUserEmail = filter_var($_SESSION['user_email'], FILTER_SANITIZE_EMAIL);
+$id = filter_var(trim($_POST['id']), FILTER_SANITIZE_NUMBER_INT);
+$key = filter_var(trim($_POST['key']), FILTER_SANITIZE_STRING);
+$commentInput = filter_var(trim($_POST['collabcomment']), FILTER_SANITIZE_STRING);
+$comment = "Requesting collaboration for this item.";
+if ($commentInput != null ){
+    $comment = $commentInput;
+}
+
+$collabUser = filter_var(trim($_POST['collabUserSelect']), FILTER_SANITIZE_NUMBER_INT);
+
+$workorderDataAdapter = new WorkorderDataAdapter($dsn, $user_name, $pass_word, $currentUserEmail);
+$QUERY_PROCESS = $workorderDataAdapter->AddCollaborator($id, $comment, $collabUser);
+
+$wo = $workorderDataAdapter->Select($id);
+$woViewModel = new WorkorderViewModel($wo, $key, $currentUserEmail);
+// send emails.
+$fromEmailAddress = 'noreply@dumasisd.org';
+$emailAdapter = new WorkorderEmailAdapter($fromEmailAddress);
+$emailAdapter->SendAddCollab($wo, $woViewModel);
+?>

src/dbquery/qryWORKORDER/add_comment_qry.php

@@ -0,0 +1,24 @@
+<?php
+/************************************************************************************************
+Adds a comment to a workorder 
+Author: Raymond Brady
+Date Created: 8/22/2016
+************************************************************************************************/
+require_once('./resources/library/workorder.php');
+
+$element = "Workorder";
+$element_function = "updated";
+
+if (!isset($_SESSION['user_email']) || !isset($_POST['id']) || !isset($_POST['collabcomment'])) {
+    $QUERY_PROCESS = "ERROR|Required fields are missing.";
+    return;
+}
+// Gather data, process POST, and update the workorder with collaborator
+$currentUserEmail = filter_var($_SESSION['user_email'], FILTER_SANITIZE_EMAIL);
+$id = filter_var(trim($_POST['id']), FILTER_SANITIZE_NUMBER_INT);
+$key = filter_var(trim($_POST['key']), FILTER_SANITIZE_STRING);
+$comment = filter_var(trim($_POST['collabcomment']), FILTER_SANITIZE_STRING);
+
+$workorderDataAdapter = new WorkorderDataAdapter($dsn, $user_name, $pass_word, $currentUserEmail);
+$QUERY_PROCESS = $workorderDataAdapter->AddComment($id, $comment);
+?>

src/dbquery/qryWORKORDER/end_collab_qry.php

@@ -0,0 +1,36 @@
+<?php
+/************************************************************************************************
+Ends ALL user collaboration for a workorder 
+Author: Raymond Brady
+Date Created: 9/6/2016
+************************************************************************************************/
+require_once('./resources/library/workorder.php');
+
+$element = "Workorder";
+$element_function = "updated";
+
+if (!isset($_SESSION['user_email']) || !isset($_POST['id']) || !isset($_POST['key'])) {
+    $QUERY_PROCESS = "ERROR|Required fields are missing.";
+    return;
+}
+// Gather data, process POST, and update the workorder
+$currentUserEmail = filter_var($_SESSION['user_email'], FILTER_SANITIZE_EMAIL);
+$id = filter_var(trim($_POST['id']), FILTER_SANITIZE_NUMBER_INT);
+$key = filter_var(trim($_POST['key']), FILTER_SANITIZE_STRING);
+$comment = "Thanks for the assist! I ended collaboration.";
+if (isset($_POST['endcollabcomment']) && $_POST['endcollabcomment'] != null ){
+    $comment = filter_var(trim($_POST['endcollabcomment']), FILTER_SANITIZE_STRING);
+}
+
+$workorderDataAdapter = new WorkorderDataAdapter($dsn, $user_name, $pass_word, $currentUserEmail);
+// read the record before making the changes. Used for sending collab emails
+$wo = $workorderDataAdapter->Select($id);
+$woViewModel = new WorkorderViewModel($wo, $key, $currentUserEmail);
+
+$QUERY_PROCESS = $workorderDataAdapter->EndCollaboration($id, $comment);
+
+// send emails.
+$fromEmailAddress = 'noreply@dumasisd.org';
+$emailAdapter = new WorkorderEmailAdapter($fromEmailAddress);
+$emailAdapter->SendEndCollab($wo, $woViewModel);
+?>