Merge pull request #30 from BioKIC/master

Merge BioKIC/Symbiota developments

classes/ChecklistLoaderManager.php

@@ -40,7 +40,9 @@ public function uploadCsvList($thesId){
 			ob_flush();
 			flush();
 			while($valueArr = fgetcsv($fh)){
-				$sciNameStr = $this->cleanInStr($valueArr[$headerArr["sciname"]]);
+				//Remove UTF-8 NO-BREAK SPACE codepoints
+				$sciNameStr = str_replace(chr(194).chr(160), ' ', $valueArr[$headerArr['sciname']]);
+				$sciNameStr = $this->cleanInStr($sciNameStr);
 				if($sciNameStr){
 					$tid = 0;
 					$rankId = 0;
@@ -60,7 +62,7 @@ public function uploadCsvList($thesId){
 							'WHERE ts.taxauthid = 1 ';
 					}
 					$cleanSciName = $this->encodeString($sciNameArr['sciname']);
-					$sql .= 'AND (t.sciname IN("'.$sciNameStr.'"'.($cleanSciName?',"'.$cleanSciName.'"':'').'))';
+					$sql .= 'AND (t.sciname IN("'.$sciNameStr.'"'.($cleanSciName && $cleanSciName != $sciNameStr ?',"'.$cleanSciName.'"':'').'))';
 					$rs = $this->conn->query($sql);
 					if($rs){
 						while($row = $rs->fetch_object()){
@@ -106,7 +108,6 @@ public function uploadCsvList($thesId){
 							}
 
 							$sql = 'INSERT INTO fmchklsttaxalink (tid,clid'.$sqlInsert.') VALUES ('.$tid.', '.$this->clid.$sqlValues.')';
-							//echo $sql; exit;
 							if($this->conn->query($sql)){
 								$successCnt++;
 							}

classes/ImageLibraryBrowser.php

@@ -149,9 +149,5 @@ public function getPhotographerList(){
 	public function setSearchTerm($t){
 		$this->searchTerm = filter_var($t, FILTER_SANITIZE_STRING);
 	}
-
-	public function getSearchTerm(){
-		return $this->searchTerm;
-	}
 }
 ?>

classes/Manager.php

@@ -109,7 +109,9 @@ public function sanitizeInt($int){
 	}
 
 	public function cleanOutStr($str){
-		$str = htmlspecialchars($str);
+		//Sanitize output
+		if(!is_string($str)) $str = '';
+		$str = htmlspecialchars($str, HTML_SPECIAL_CHARS_FLAGS);
 		return $str;
 	}
 

classes/OccurrenceLoans.php

@@ -481,16 +481,15 @@ public function getTransactions($collid,$iid){
 	public function getSpecimenList($loanid, $sortTag = ''){
 		$retArr = array();
 		if(is_numeric($loanid)){
-			$sql = 'SELECT o.collid, l.loanid, l.occid, l.returndate, l.notes, o.catalognumber, o.othercatalognumbers, o.sciname, '.
-				'CONCAT_WS(" ",o.recordedby,IFNULL(o.recordnumber,o.eventdate)) AS collector, CONCAT_WS(", ",stateprovince,county,locality) AS locality '.
-				'FROM omoccurloanslink l INNER JOIN omoccurrences o ON l.occid = o.occid '.
-				'WHERE l.loanid = '.$loanid.' '.
-				'ORDER BY o.catalognumber+1, o.othercatalognumbers+1';
+			$sql = 'SELECT o.collid, l.loanid, l.occid, l.returndate, l.notes, o.catalognumber, o.othercatalognumbers, o.sciname,
+				CONCAT_WS(" ",o.recordedby,IFNULL(o.recordnumber,o.eventdate)) AS collector, CONCAT_WS(", ",stateprovince,county,locality) AS locality
+				FROM omoccurloanslink l INNER JOIN omoccurrences o ON l.occid = o.occid
+				WHERE l.loanid = '.$loanid.'
+				ORDER BY o.catalognumber+1, o.othercatalognumbers+1';
 			if($rs = $this->conn->query($sql)){
 				while($r = $rs->fetch_object()){
 					$retArr[$r->occid]['collid'] = $r->collid;
 					$retArr[$r->occid]['catalognumber'] = $r->catalognumber;
-					if($r->othercatalognumbers) $retArr[$r->occid]['othercatalognumbers'][] = $r->othercatalognumbers;
 					if($r->catalognumber){
 						$retArr[$r->occid]['catalognumber'] = $r->catalognumber;
 						$this->idTagArr['1-catalognumber'] = 'Catalog Numbers';
@@ -520,8 +519,14 @@ public function getSpecimenList($loanid, $sortTag = ''){
 				ORDER BY i.sortBy, i.identifierValue';
 			if($rs = $this->conn->query($sql)){
 				while($r = $rs->fetch_object()){
-					$retArr[$r->occid]['othercatalognumbers'][] = $r->identifierValue;
 					$idTag = $r->identifierName;
+					$idValue = ($idTag ? $idTag.': ' : '').$r->identifierValue;
+					if(isset($retArr[$r->occid]['othercatalognumbers'])){
+						foreach($retArr[$r->occid]['othercatalognumbers'] as $k => $v){
+							if($v == $r->identifierValue || $v == $idValue) unset($retArr[$r->occid]['othercatalognumbers'][$k]);
+						}
+					}
+					$retArr[$r->occid]['othercatalognumbers'][] = $idValue;
 					if(!$idTag) $idTag = 'otherCatalogNumbers';
 					$this->idTagArr['3-'.strtolower($idTag)] = $idTag;
 					if($sortTag && $sortTag != 'catalognumber'){

classes/OccurrenceProtectedSpecies.php

@@ -84,27 +84,32 @@ public function getStateList(){
 	}
 
 	public function setTaxonFilter($searchTaxon){
-		$sql = 'SELECT ts.tidaccepted FROM taxa t INNER JOIN taxstatus ts ON t.tid = ts.tid WHERE t.sciname LIKE "'.$searchTaxon.'%" AND ts.taxauthid = 1';
-		$rs = $this->conn->query($sql);
-		if($rs) {
-			while($r = $rs->fetch_object()){
-				$this->taxaArr[] = $r->tidaccepted;
+		$searchTaxon = trim($searchTaxon).'%';
+		if($searchTaxon){
+			$sql = 'SELECT ts.tidaccepted FROM taxa t INNER JOIN taxstatus ts ON t.tid = ts.tid WHERE t.sciname LIKE ? AND ts.taxauthid = 1';
+			if($stmt = $this->conn->prepare($sql)){
+				$stmt->bind_param('s', $searchTaxon);
+				$stmt->execute();
+				$stmt->bind_result($tid);
+				while($stmt->fetch()){
+					$this->taxaArr[] = $tid;
+				}
+				$stmt->close();
 			}
-		}
-		$rs->free();
 
-		if($this->taxaArr){
-			//Get synonyms
-			$sql = 'SELECT tid  FROM taxstatus WHERE tidaccepted IN('.implode(',',$this->taxaArr).")";
-			$rs = $this->conn->query($sql);
-			if($rs) {
-				while($r = $rs->fetch_object()){
-					$this->taxaArr[] = $r->tid;
+			if($this->taxaArr){
+				//Get synonyms
+				$sql = 'SELECT tid FROM taxstatus WHERE tidaccepted IN('.implode(',',$this->taxaArr).")";
+				$rs = $this->conn->query($sql);
+				if($rs) {
+					while($r = $rs->fetch_object()){
+						$this->taxaArr[] = $r->tid;
+					}
 				}
+				$rs->free();
 			}
-			$rs->free();
+			else $this->taxaArr[] = 0;
 		}
-		else $this->taxaArr[] = 0;
 	}
 
 	public function getSpecimenCnt(){

classes/OccurrenceTaxaManager.php

@@ -365,7 +365,8 @@ public function getTaxaSearchTerm(){
 		return '';
 	}
 
-	protected function cleanOutStr($str){
+	public function cleanOutStr($str){
+		if(!is_string($str)) $str = '';
 		if(strpos($str, '=') !== false) $str = '';
 		return htmlspecialchars($str);
 	}

classes/SpecUploadDwca.php

@@ -89,8 +89,42 @@ public function uploadFile(){
 	}
 
 	private function createTargetSubDir(){
-		$localFolder = str_replace(' ','',$this->collMetadataArr['institutioncode'].($this->collMetadataArr['collectioncode']?$this->collMetadataArr['collectioncode'].'_':'')).time().'/';
-		if(mkdir($this->uploadTargetPath.$localFolder)) $this->uploadTargetPath .= $localFolder;
+		$this->deleteTempFiles();
+		$localFolder = 'collid_'.$this->collId.'/';
+		if(file_exists($this->uploadTargetPath.$localFolder)){
+			//Reset upload directory
+			$this->deleteTempFiles($localFolder, false);
+		}
+		else{
+			if(mkdir($this->uploadTargetPath.$localFolder)) $this->uploadTargetPath .= $localFolder;
+		}
+	}
+
+	private function deleteTempFiles($pathFragment = '', $filetimeLimit = '-2 days'){
+		$dirPath = $this->uploadTargetPath.$pathFragment;
+		$allowedToBeDeleted = array('csv','txt','xml','zip');
+		if($handle = opendir($dirPath)) {
+			$loopCnt = 0;
+			while(false !== ($item = readdir($handle))) {
+				if($item){
+					if(is_file($dirPath.$item) || strtolower(substr($item,-4)) == '.zip'){
+						$ext = pathinfo($dirPath.$item, PATHINFO_EXTENSION);
+						if(in_array(strtolower($ext), $allowedToBeDeleted)){
+							if($filetimeLimit){
+								if(!filemtime($dirPath.$item) || filemtime($dirPath.$item) > strtotime($filetimeLimit)) continue;
+							}
+							if(is_writable($dirPath.$item)) unlink($dirPath.$item);
+						}
+					}
+					elseif(is_dir($dirPath.$item) && $item != '.' && $item != '..'){
+						$this->deleteTempFiles($pathFragment.$item.'/', $filetimeLimit);
+					}
+					if($loopCnt > 15) break;
+				}
+				$loopCnt++;
+			}
+			closedir($handle);
+		}
 	}
 
 	private function unpackArchive(){
@@ -723,13 +757,6 @@ private function setImageSourceArr(){
 	private function removeFiles($pathFrag = ''){
 		//First remove files
 		$dirPath = $this->uploadTargetPath.$pathFrag;
-		if(!$pathFrag){
-			//If files were not uploaded to temp directory, don't delete
-			//$this->setUploadTargetPath();
-			if(stripos($dirPath,$this->uploadTargetPath) === false){
-				return false;
-			}
-		}
 		if($handle = opendir($dirPath)) {
 			while(false !== ($item = readdir($handle))) {
 				if($item){
@@ -739,8 +766,7 @@ private function removeFiles($pathFrag = ''){
 						}
 					}
 					elseif(is_dir($dirPath.$item) && $item != '.' && $item != '..'){
-						$pathFrag .= $item.'/';
-						$this->removeFiles($pathFrag);
+						$this->removeFiles($pathFrag . $item.'/');
 					}
 					if($this->loopCnt > 15) break;
 				}
@@ -749,7 +775,7 @@ private function removeFiles($pathFrag = ''){
 			closedir($handle);
 		}
 		//Delete directory
-		if(stripos($dirPath,$this->uploadTargetPath) === 0){
+		if(stripos($dirPath, $this->uploadTargetPath) === 0){
 			rmdir($dirPath);
 		}
 	}

classes/TaxonomyUtilities.php

@@ -12,7 +12,8 @@ class TaxonomyUtilities {
 	public static function parseScientificName($inStr, $conn = null, $rankId = 0, $kingdomName = null){
 		//Converts scinetific name with author embedded into separate fields
 		$retArr = array('unitname1'=>'','unitname2'=>'','unitind3'=>'','unitname3'=>'');
-		$inStr = trim($inStr);
+		//Remove UTF-8 NO-BREAK SPACE codepoints
+		$inStr = trim(str_replace(chr(194).chr(160), ' ', $inStr));
 		if($inStr && is_string($inStr)){
 			//Remove underscores, common in NPS data
 			$inStr = preg_replace('/_+/',' ',$inStr);

collections/loans/outgoing.php

@@ -5,16 +5,17 @@
 if(!$SYMB_UID) header('Location: '.$CLIENT_ROOT.'/profile/index.php?refurl=../collections/loans/outgoing.php?'.htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES));
 
 $collid = $_REQUEST['collid'];
-$loanId = array_key_exists('loanid',$_REQUEST)?$_REQUEST['loanid']:0;
-$tabIndex = array_key_exists('tabindex',$_REQUEST)?$_REQUEST['tabindex']:0;
-$sortTag = (isset($_REQUEST['sortTag'])?$_REQUEST['sortTag']:'');
-$formSubmit = array_key_exists('formsubmit',$_REQUEST)?$_REQUEST['formsubmit']:'';
+$loanId = array_key_exists('loanid', $_REQUEST) ? $_REQUEST['loanid'] : 0;
+$tabIndex = array_key_exists('tabindex', $_REQUEST) ? $_REQUEST['tabindex'] : 0;
+$sortTag = (isset($_REQUEST['sortTag']) ? $_REQUEST['sortTag'] : '');
+$formSubmit = array_key_exists('formsubmit', $_REQUEST) ? $_REQUEST['formsubmit'] : '';
+
+$loanManager = new OccurrenceLoans();
 
 //Sanitation
-if(!is_numeric($collid)) $collid = 0;
-if(!is_numeric($loanId)) $loanId = 0;
-if(!is_numeric($tabIndex)) $tabIndex = 0;
-$sortTag = filter_var($sortTag, FILTER_SANITIZE_STRING);
+$collid = $loanManager->sanitizeInt($collid);
+$loanId = $loanManager->sanitizeInt($loanId);
+$tabIndex = $loanManager->sanitizeInt($tabIndex);
 
 $isEditor = 0;
 if($SYMB_UID && $collid){
@@ -24,7 +25,6 @@
 	}
 }
 
-$loanManager = new OccurrenceLoans();
 if($collid) $loanManager->setCollId($collid);
 
 $statusStr = '';
@@ -178,7 +178,7 @@ function verifyLoanOutEditForm(){
 			<div id="tabs" style="margin:0px;">
 			    <ul>
 					<li><a href="#outloandetaildiv"><span>Loan Details</span></a></li>
-					<li><a href="specimentab.php?collid=<?php echo $collid.'&loanid='.$loanId.'&sortTag='.$sortTag; ?>"><span>Specimens</span></a></li>
+					<li><a href="specimentab.php?collid=<?php echo $collid.'&loanid='.$loanId.'&sortTag='.$loanManager->cleanOutStr($sortTag); ?>"><span>Specimens</span></a></li>
 					<li><a href="#outloandeldiv"><span>Admin</span></a></li>
 				</ul>
 				<div id="outloandetaildiv">

collections/loans/specimentab.php

@@ -6,14 +6,14 @@
 
 $collid = $_REQUEST['collid'];
 $loanId = $_REQUEST['loanid'];
-$sortTag = (isset($_REQUEST['sortTag'])?$_REQUEST['sortTag']:'');
+$sortTag = (isset($_REQUEST['sortTag']) ? $_REQUEST['sortTag'] : '');
+
+$loanManager = new OccurrenceLoans();
 
 //Sanitation
-if(!is_numeric($collid)) $collid = 0;
-if(!is_numeric($loanId)) $loanId = 0;
-$sortTag = filter_var($sortTag, FILTER_SANITIZE_STRING);
+$collid = $loanManager->sanitizeInt($collid);
+$loanId = $loanManager->sanitizeInt($loanId);
 
-$loanManager = new OccurrenceLoans();
 if($collid) $loanManager->setCollId($collid);
 $specList = $loanManager->getSpecimenList($loanId, $sortTag);
 ?>

collections/misc/protectedspecies.php

@@ -3,10 +3,10 @@
 
 include_once('../../config/symbini.php');
 include_once($SERVER_ROOT.'/classes/OccurrenceProtectedSpecies.php');
-header("Content-Type: text/html; charset=".$CHARSET);
+header('Content-Type: text/html; charset=' . $CHARSET);
 
-$action = array_key_exists('submitaction',$_REQUEST)?$_REQUEST['submitaction']:'';
-$searchTaxon = array_key_exists('searchtaxon',$_POST)?$_POST['searchtaxon']:'';
+$searchTaxon = array_key_exists('searchtaxon', $_REQUEST) ? $_REQUEST['searchtaxon'] : '';
+$action = array_key_exists('submitaction', $_REQUEST) ? $_REQUEST['submitaction'] : '';
 
 $isEditor = 0;
 if($IS_ADMIN || array_key_exists('RareSppAdmin',$USER_RIGHTS)){
@@ -23,7 +23,7 @@
 		$rsManager->deleteSpecies($_REQUEST['tidtodel']);
 	}
 }
-if($searchTaxon) $rsManager->setTaxonFilter($searchTaxon);
+$rsManager->setTaxonFilter($searchTaxon);
 $rsArr = $rsManager->getProtectedSpeciesList();
 ?>
 <html>
@@ -108,7 +108,7 @@ function submitAddSpecies(f){
 	<?php
 	if($isEditor){
 		?>
-		<div style="float:right;cursor:pointer;" onclick="javascript:toggle('editobj');" title="Toggle Editing Functions">
+		<div style="float:right;cursor:pointer;" onclick="toggle('editobj');" title="Toggle Editing Functions">
 			<img style="border:0px;" src="../../images/edit.png" />
 		</div>
 		<?php
@@ -121,7 +121,7 @@ function submitAddSpecies(f){
 			<form name="searchform" action="protectedspecies.php" method="post">
 				<div style="margin:3px">
 					Taxon Search:
-					<input id="searchtaxon" name="searchtaxon" type="text" value="<?php echo $searchTaxon; ?>" />
+					<input id="searchtaxon" name="searchtaxon" type="text" value="<?php echo htmlspecialchars($searchTaxon, HTML_SPECIAL_CHARS_FLAGS); ?>" />
 				</div>
 				<div style="margin:3px">
 					<input name="submitaction" type="submit" value="Search" />

config/symbbase.php

@@ -2,7 +2,7 @@
 header('X-Frame-Options: DENY');
 header('Cache-control: private'); // IE 6 FIX
 date_default_timezone_set('America/Phoenix');
-$CODE_VERSION = '3.0.13';
+$CODE_VERSION = '3.0.14';
 
 if(!isset($CLIENT_ROOT) && isset($clientRoot)) $CLIENT_ROOT = $clientRoot;
 if(substr($CLIENT_ROOT,-1) == '/') $CLIENT_ROOT = substr($CLIENT_ROOT,0,strlen($CLIENT_ROOT)-1);

docs/pull_request_template.md

@@ -1,16 +1,24 @@
-Pull Request Checklist:
+# Pull Request Checklist:
 
+# Pre-Approval
+
+- [ ] There is a description section in the pull request that details what the proposed changes do. It can be very brief if need be, but it ought to exist.
+- [ ] Hotfixes should be branched off of the `master` branch and merged back into the `master` branch. Subsequently, a PR from `master` into `Development` should be made.
 - [ ] Features and backlog bugs should be merged into the `Development` branch, **NOT** `master`
-- [ ] Hotfixes should be merged into both the `Development` and `master` branches (at the same time).
 - [ ] All new text is preferrably internationalized (i.e., no end-user-visible text is hard-coded on the PHP pages)
 - [ ] There are no linter errors
 - [ ] New features have responsive design (i.e., look aesthetically pleasing both full screen and with small or mobile screens)
 - [ ] [Symbiota coding standards](https://docs.google.com/document/d/1-FwCZP5Zu4f-bPwsKeVVsZErytALOJyA2szjbfSUjmc/edit?usp=sharing) have been followed
 - [ ] If any files have been reformatted (e.g., by an autoformatter), the reformat is its own, separate commit in the PR
 - [ ] Comment which GitHub issue(s), if any does this PR address
+- [ ] If this PR makes any changes that would require addional configuration of any Symbiota portals outside of the files tracked in this repository, make sure that those changes are detailed in [this document](https://docs.google.com/document/d/1T7xbXEf2bjjm-PMrlXpUBa69aTMAIROPXVqJqa2ow_I/edit?usp=sharing).
+
+# Post-Approval
+
 - [ ] It is the code author's responsibility to merge their own pull request after it has been approved
 - [ ] If this PR represents a merge into the `Development` branch, remember to use the **squash & merge** option
 - [ ] If this PR represents a merge from the `Development` branch into the master branch, remember to use the **merge** option
 - [ ] If the dev team has agreed that this PR represents the last PR going into the Development branch before a tagged release (i.e., before an imminent merge into the master branch), make sure to notify the team and [lock the `Development` branch](https://github.com/BioKIC/Symbiota/settings/branches) to prevent accidental merges while QA takes place
+- [ ] Don't forget to delete your feature branch upon merge. Ignore this step as required.
 
 Thanks for contributing and keeping it clean!

imagelib/index.php

@@ -5,8 +5,8 @@
 else include_once($SERVER_ROOT.'/content/lang/imagelib/index.en.php');
 header("Content-Type: text/html; charset=".$CHARSET);
 
-$taxon = array_key_exists('taxon',$_REQUEST)?htmlspecialchars(strip_tags($_REQUEST['taxon'])):'';
-$target = array_key_exists('target',$_REQUEST)?trim($_REQUEST['target']):'';
+$taxon = array_key_exists('taxon', $_REQUEST) ? $_REQUEST['taxon'] : '';
+$target = array_key_exists('target', $_REQUEST) ? trim($_REQUEST['target']):'';
 
 $imgManager = new ImageLibraryBrowser();
 $imgManager->setSearchTerm($taxon);
@@ -54,9 +54,9 @@
 			<div style="margin:10px 0px 0px 0px;">
 				<form name="searchform1" action="index.php" method="post">
 					<fieldset style="background-color:#FFFFCC;padding:10px;">
-						<legend style="font-weight:bold;"><?php echo $LANG['SCINAME_SEARCH']; ?></legend>
-						<input type="text" name="taxon" value="<?php echo $taxon; ?>" title="<?php echo $LANG['ENTER_TAXON_NAME']; ?>" />
-						<button name="submit" value="Search" type="submit"><?php echo $LANG['SEARCH']; ?></button>
+						<legend style="font-weight:bold;"><?= $LANG['SCINAME_SEARCH'] ?></legend>
+						<input type="text" name="taxon" value="<?= $imgManager->cleanOutStr($taxon) ?>" title="<?= $LANG['ENTER_TAXON_NAME'] ?>" />
+						<button name="submit" value="Search" type="submit"><?= $LANG['SEARCH'] ?></button>
 					</fieldset>
 				</form>
 			</div>