Merge pull request #1148 from BioKIC/master

Hotfix 2023 08 08 (#606)

admin/schemamanager.php

@@ -53,6 +53,8 @@
 							$schemaManager->setPort($port);
 							$schemaManager->setUsername($username);
 							$schemaManager->installPatch();
+							$verHistory = $schemaManager->getVersionHistory();
+							$curentVersion = $schemaManager->getCurrentVersion();
 						}
 						?>
 					</fieldset>

classes/ChecklistVoucherAdmin.php

@@ -354,7 +354,7 @@ public function linkVouchers($occidArr){
 		return $statusCnt;
 	}
 
-	public function linkVoucher($taxa, $occid, $morphoSpecies=''){
+	public function linkVoucher($taxa, $occid, $morphoSpecies = '', $editorNotes = null, $notes = null){
 		$status = false;
 		if($this->voucherIsLinked($occid)){
 			$this->errorMessage = 'voucherAlreadyLinked';
@@ -364,7 +364,7 @@ public function linkVoucher($taxa, $occid, $morphoSpecies=''){
 		$clTaxaID = $this->getClTaxaID($taxa, $morphoSpecies);
 		if(!$clTaxaID) $clTaxaID = $this->insertChecklistTaxaLink($taxa);
 		if($clTaxaID){
-			$status = $this->insertVoucher($clTaxaID, $occid);
+			$status = $this->insertVoucher($clTaxaID, $occid, $editorNotes, $notes);
 		}
 		return $status;
 	}
@@ -495,6 +495,22 @@ private function transferVouchers($target, $source){
 		return $status;
 	}
 
+	public function deleteVoucher($voucherID){
+		$status = false;
+		if(is_numeric($voucherID)){
+			$sql = 'DELETE FROM fmvouchers WHERE (voucherID = ?)';
+			if($stmt = $this->conn->prepare($sql)) {
+				$stmt->bind_param('i', $voucherID);
+				$stmt->execute();
+				if($stmt->affected_rows) $status = true;
+				elseif($stmt->error) $this->errorMessage = 'ERROR deleting vouchers: '.$stmt->error;
+				$stmt->close();
+			}
+			else $this->errorMessage = 'ERROR preparing statement for voucher deletion: '.$this->conn->error;
+		}
+		return $status;
+	}
+
 	//Misc support and data functions
 	protected function getClTaxaID($tid, $morphoSpecies = ''){
 		$clTaxaID = 0;

classes/ChecklistVoucherManager.php

@@ -258,22 +258,6 @@ private function addVoucherRecord($vOccId, $vNotes, $vEditNotes){
 		return false;
 	}
 
-	public function deleteVoucher($voucherID){
-		$status = false;
-		if(is_numeric($voucherID)){
-			$sql = 'DELETE FROM fmvouchers WHERE (voucherID = ?)';
-			if($stmt = $this->conn->prepare($sql)) {
-				$stmt->bind_param('i', $voucherID);
-				$stmt->execute();
-				if($stmt->affected_rows) $status = true;
-				elseif($stmt->error) $this->errorMessage = 'ERROR deleting vouchers: '.$stmt->error;
-				$stmt->close();
-			}
-			else $this->errorMessage = 'ERROR preparing statement for voucher deletion: '.$this->conn->error;
-		}
-		return $status;
-	}
-
 	//Setters and getters
 	public function setTid($t){
 		if(is_numeric($t)){

classes/KeyCharAdmin.php

@@ -195,13 +195,14 @@ public function createCharState($postArr, $un){
 				$rs->free();
 			}
 			$csName = $postArr['charstatename'];
-			$glossID = $postArr['glossid'];
+			$glossID = null;
+			if(isset($postArr['glossid']) && is_numeric($postArr['glossid'])) $glossID = $postArr['glossid'];
 			$description = $postArr['description'];
 			$notes = $postArr['notes'];
 			$sortSequence = $postArr['sortsequence'];
 			$sql = 'INSERT INTO kmcs(cid,cs,charstatename,implicit,glossid,description,notes,sortsequence,enteredby) '.
 				'VALUES('.$this->cid.',"'.$csValue.'","'.$this->cleanInStr($csName).'",1,'.
-				(is_numeric($glossID)?$glossID:'NULL').','.
+				($glossID?$glossID:'NULL').','.
 				($description?'"'.$this->cleanInStr($description).'"':'NULL').','.
 				($notes?'"'.$this->cleanInStr($notes).'"':'NULL').','.
 				(is_numeric($sortSequence)?$this->cleanInStr($sortSequence):100).',"'.$un.'") ';

classes/Manager.php

@@ -104,7 +104,11 @@ public function getDomain(){
 		return $domain;
 	}
 
-	protected function cleanOutStr($str){
+	public function sanitizeInt($int){
+		return filter_var($int, FILTER_SANITIZE_NUMBER_INT);
+	}
+
+	public function cleanOutStr($str){
 		$str = htmlspecialchars($str);
 		return $str;
 	}

classes/OccurrenceIndividual.php

@@ -1,6 +1,7 @@
 <?php
 include_once('Manager.php');
 include_once('OccurrenceAccessStats.php');
+include_once('ChecklistVoucherAdmin.php');
 
 class OccurrenceIndividual extends Manager{
 
@@ -838,62 +839,50 @@ public function getVoucherChecklists(){
 
 	public function linkVoucher($postArr){
 		$status = false;
-		if($this->occid){
-			if($clTaxaID = $this->getClTaxaID($postArr['vclid'], $postArr['vtid'])){
-				$status = $this->insertVoucher($clTaxaID, $this->occid, $postArr['veditnotes'], $postArr['vnotes']);
-			}
-		}
-		return $status;
-	}
-
-	private function getClTaxaID($clid, $tid, $morphoSpecies = ''){
-		$clTaxaID = 0;
-		if(is_numeric($clid) && is_numeric($tid)){
-			$sql = 'SELECT clTaxaID FROM fmchklsttaxalink WHERE clid = ? AND tid = ? AND morphospecies = ?';
-			if($stmt = $this->conn->prepare($sql)) {
-				$stmt->bind_param('iis', $clid, $tid, $morphoSpecies);
-				$stmt->execute();
-				$stmt->bind_result($clTaxaID);
-				$stmt->fetch();
-				$stmt->close();
-			}
-			else $this->errorMessage = 'ERROR preparing statement for getSciname: '.$this->conn->error;
-		}
-		return $clTaxaID;
-	}
-
-	private function insertVoucher($clTaxaID, $occid, $editorNotes = null, $notes = null){
-		$status = false;
-		if(is_numeric($clTaxaID) && is_numeric($occid)){
-			if($editorNotes == '') $editorNotes = null;
-			if($notes == '') $notes = null;
-			$con = MySQLiConnectionFactory::getCon("write");
-			$sql = 'INSERT INTO fmvouchers(clTaxaID, occid, editorNotes, notes) VALUES (?,?,?,?)';
-			if($stmt = $con->prepare($sql)) {
-				$stmt->bind_param('iiss', $clTaxaID, $occid, $editorNotes, $notes);
-				$stmt->execute();
-				if($stmt->affected_rows && !$stmt->error){
-					$status = $stmt->insert_id;
+		if($this->occid && is_numeric($postArr['vclid'])){
+			if(isset($GLOBALS['USER_RIGHTS']['ClAdmin']) && in_array($postArr['vclid'], $GLOBALS['USER_RIGHTS']['ClAdmin'])){
+				$voucherManager = new ChecklistVoucherAdmin($this->conn);
+				$voucherManager->setClid($postArr['vclid']);
+				if($voucherManager->linkVoucher($postArr['vtid'], $this->occid, '', $postArr['veditnotes'], $postArr['vnotes'])){
+					$status = true;
 				}
-				elseif($stmt->error) $this->errorMessage = 'ERROR inserting voucher: '.$stmt->error;
-				$stmt->close();
+				else $this->errorMessage = $voucherManager->getErrorMessage();
 			}
-			else $this->errorMessage = 'ERROR preparing statement for voucher insert: '.$this->conn->error;
-			if(!($con === null)) $con->close();
 		}
 		return $status;
 	}
 
 	public function deleteVoucher($voucherID){
-		$status = true;
-		if(is_numeric($voucherID)){
-			$sql = 'DELETE FROM fmvouchers WHERE (voucherID = '.$voucherID.') ';
- 			$con = MySQLiConnectionFactory::getCon("write");
-			if(!$con->query($sql)){
-				$this->errorMessage = 'ERROR loading '.$con->error;
+		$status = false;
+		$clid = 0;
+		//Make sure user has checklist admin permission for checklist
+		$sql = 'SELECT c.clid
+			FROM fmvouchers v INNER JOIN fmchklsttaxalink c ON v.clTaxaID = c.clTaxaID
+			WHERE v.voucherID = ?';
+		if($stmt = $this->conn->prepare($sql)){
+			$stmt->bind_param('i', $voucherID);
+			$stmt->execute();
+			$stmt->bind_result($clid);
+			$stmt->fetch();
+			$stmt->close();
+		}
+		if(!$clid){
+			$this->errorMessage = 'ERROR deleting voucher: unable to verify target checklist for voucher';
+			return false;
+		}
+		if(isset($GLOBALS['USER_RIGHTS']['ClAdmin']) && in_array($clid, $GLOBALS['USER_RIGHTS']['ClAdmin'])){
+			$voucherManager = new ChecklistVoucherAdmin();
+			if($voucherManager->deleteVoucher($voucherID)){
+				$status = true;
+			}
+			else{
+				$this->errorMessage = $voucherManager->getErrorMessage();
 				$status = false;
 			}
-			if(!($con === null)) $con->close();
+		}
+		else{
+			$this->errorMessage = 'ERROR deleting voucher: permission error';
+			return false;
 		}
 		return $status;
 	}

classes/OccurrenceManager.php

@@ -598,12 +598,13 @@ public function getLocalSearchStr(){
 	}
 
 	protected function setSearchTerm($termKey, $termValue){
-		$this->searchTermArr[$termKey] = $this->cleanInputStr($termValue);
+		if(!$termValue) return false;
+		$this->searchTermArr[$this->cleanInputStr($termKey)] = $this->cleanInputStr($termValue);
 	}
 
 	public function getSearchTerm($k){
 		if($k && isset($this->searchTermArr[$k])){
-			return trim($this->searchTermArr[$k],' ;');
+			return $this->cleanOutStr(trim($this->searchTermArr[$k],' ;'));
 		}
 		return '';
 	}
@@ -613,14 +614,14 @@ public function getQueryTermStr(){
 		$retStr = '';
 		foreach($this->searchTermArr as $k => $v){
 			if(is_array($v)) $v = implode(',', $v);
-			$retStr .= '&'.$k.'='.urlencode($v);
+			if($v) $retStr .= '&'.$this->cleanOutStr($k).'='.$this->cleanOutStr($v);
 		}
 		if(isset($this->taxaArr['search'])){
-			$retStr .= '&taxa='.urlencode($this->taxaArr['search']);
+			$retStr .= '&taxa='.$this->cleanOutStr($this->taxaArr['search']);
 			if($this->taxaArr['usethes']) $retStr .= '&usethes=1';
 			$retStr .= '&taxontype='.$this->taxaArr['taxontype'];
 		}
-		return trim($retStr,' &');
+		return substr($retStr, 1);
 	}
 
 	public function addOccurrencesToDataset($datasetID){
@@ -664,7 +665,11 @@ protected function readRequestVariables(){
 				}
 				$this->setTaxonRequestVariable($taxaArr);
 			}
-			if($parsedArr) $this->searchTermArr = $parsedArr;
+			foreach($parsedArr as $k => $v){
+				$k = $this->cleanInputStr($k);
+				$v = $this->cleanInputStr($v);
+				if($k && $v) $this->searchTermArr[$k] = $v;
+			}
 		}
 		//Search will be confinded to a clid vouchers, collid, catid, or will remain open to all collection
 		if(array_key_exists('targetclid',$_REQUEST) && is_numeric($_REQUEST['targetclid'])){

classes/OccurrenceTaxaManager.php

@@ -361,16 +361,18 @@ public function getTaxaSearchStr(){
 	}
 
 	public function getTaxaSearchTerm(){
-		if(isset($this->taxaArr['search'])) return $this->taxaArr['search'];
+		if(isset($this->taxaArr['search'])) return $this->cleanOutStr($this->taxaArr['search']);
 		return '';
 	}
 
 	protected function cleanOutStr($str){
+		if(strpos($str, '=') !== false) $str = '';
 		return htmlspecialchars($str);
 	}
 
 	protected function cleanInputStr($str){
 		if(stripos($str, 'sleep(') !== false) return '';
+		if(strpos($str, '=') !== false) return '';
 		$str = preg_replace('/%%+/', '%',$str);
 		$str = preg_replace('/^[\s%]+/', '',$str);
 		$str = trim($str,' ,;');

classes/SpecUploadBase.php

@@ -837,9 +837,14 @@ protected function recordCleaningStage2(){
 			if($this->collMetadataArr["managementtype"] == 'Snapshot' || $this->uploadType == $this->SKELETAL){
 				//Match records that were processed via the portal, walked back to collection's central database, and come back to portal
 				$this->outputMsg('<li style="margin-left:10px;">Populating source identifiers (dbpk) to relink specimens processed within portal...</li>');
-				$sql = 'UPDATE IGNORE uploadspectemp u INNER JOIN omoccurrences o ON (u.catalogNumber = o.catalogNumber) AND (u.collid = o.collid) '.
-					'SET u.occid = o.occid, o.dbpk = u.dbpk '.
-					'WHERE (u.collid IN('.$this->collId.')) AND (u.occid IS NULL) AND (o.dbpk IS NULL) AND (u.catalogNumber IS NOT NULL) ';
+				$sql = 'UPDATE IGNORE uploadspectemp u INNER JOIN omoccurrences o ON (u.occurrenceID = o.occurrenceID) AND (u.collid = o.collid)
+					SET u.occid = o.occid, o.dbpk = u.dbpk
+					WHERE (u.collid IN('.$this->collId.')) AND (u.occid IS NULL) AND (o.dbpk IS NULL) ';
+				$this->conn->query($sql);
+
+				$sql = 'UPDATE IGNORE uploadspectemp u INNER JOIN omoccurrences o ON (u.catalogNumber = o.catalogNumber) AND (u.collid = o.collid)
+					SET u.occid = o.occid, o.dbpk = u.dbpk
+					WHERE (u.collid IN('.$this->collId.')) AND (u.occid IS NULL) AND (o.dbpk IS NULL)';
 				$this->conn->query($sql);
 			}
 

collections/editor/includes/resourcetab.php

@@ -351,7 +351,7 @@ function submitAddGeneticResource(f){
 					<input name="csmode" type="hidden" value="<?php echo $crowdSourceMode; ?>" />
 					<input name="occid" type="hidden" value="<?php echo $occid; ?>" />
 					<input name="tabtarget" type="hidden" value="3" />
-					<input name="submitaction" type="submit" value="<?php echo $LANG['LINK_TO_CHECKLIST_2']; ?>" />
+					<button name="submitaction" type="submit" value="linkChecklistVoucher"><?php echo $LANG['LINK_TO_CHECKLIST_2']; ?></button>
 				</form>
 			</div>
 			<?php

collections/editor/occurrenceeditor.php

@@ -312,7 +312,7 @@
 				$statusStr = $occManager->editIdentificationRanking($_POST['confidenceranking'],$_POST['notes']);
 				$tabTarget = 1;
 			}
-			elseif($action == 'Link to Checklist as Voucher'){
+			elseif($action == 'linkChecklistVoucher'){
 				$statusStr = $occManager->linkChecklistVoucher($_POST['clidvoucher'],$_POST['tidvoucher']);
 			}
 			elseif($action == 'deletevoucher'){

collections/individual/index.php

@@ -95,11 +95,6 @@
 
 if($SYMB_UID){
 	//Form action submitted
-	if(array_key_exists('delvouch',$_GET)){
-		if(!$indManager->deleteVoucher($_GET['delvouch'])){
-			$statusStr = $indManager->getErrorMessage();
-		}
-	}
 	if(array_key_exists('commentstr',$_POST)){
 		if(!$indManager->addComment($_POST['commentstr'])){
 			$statusStr = $indManager->getErrorMessage();
@@ -123,11 +118,16 @@
 			$statusStr = $indManager->getErrorMessage();
 		}
 	}
-	elseif($submit == 'Add Voucher'){
+	elseif($submit == 'addVoucher'){
 		if(!$indManager->linkVoucher($_POST)){
 			$statusStr = $indManager->getErrorMessage();
 		}
 	}
+	elseif(array_key_exists('delvouch',$_GET)){
+		if(!$indManager->deleteVoucher($_GET['delvouch'])){
+			$statusStr = $indManager->getErrorMessage();
+		}
+	}
 	if($isEditor){
 		if($submit == 'restoreRecord'){
 			if($indManager->restoreRecord($occid)){

collections/individual/linkedresources.php

@@ -4,18 +4,12 @@
 @include_once($SERVER_ROOT.'/content/lang/collections/individual/linkedresources.'.$LANG_TAG.'.php');
 header("Content-Type: text/html; charset=".$CHARSET);
 
-$occid = $_GET["occid"];
-$tid = $_GET["tid"];
-$clid = array_key_exists("clid",$_REQUEST)?$_REQUEST["clid"]:0;
-
-//Sanitize input variables
-if(!is_numeric($occid)) $occid = 0;
-if(!is_numeric($tid)) $tid = 0;
-if(!is_numeric($clid)) $clid = 0;
+$occid = filter_var($_GET['occid'], FILTER_SANITIZE_NUMBER_INT);
+$tid = array_key_exists('tid', $_REQUEST) ? filter_var($_GET['tid'], FILTER_SANITIZE_NUMBER_INT) : 0;
+$clid = array_key_exists('clid', $_REQUEST) ? filter_var($_REQUEST['clid'], FILTER_SANITIZE_NUMBER_INT) : 0;
 
 $indManager = new OccurrenceIndividual();
 $indManager->setOccid($occid);
-
 ?>
 <style>
 	.section-title{  }
@@ -54,12 +48,12 @@
 					if($tid){
 						?>
 						<div style="margin:10px;">
-							<form action="../../checklists/clsppeditor.php" method="post" onsubmit="return verifyVoucherForm(this);">
+							<form action="index.php" method="post" onsubmit="return verifyVoucherForm(this);">
 								<div>
 									<?php echo (isset($LANG['ADDVOUCHERCHECK'])?$LANG['ADDVOUCHERCHECK']:'Add as voucher to checklist'); ?>:
-									<input name='voccid' type='hidden' value='<?php echo $occid; ?>'>
-									<input name='tid' type='hidden' value='<?php echo $tid; ?>'>
-									<select id='clid' name='clid'>
+									<input name='occid' type='hidden' value='<?php echo $occid; ?>'>
+									<input name='vtid' type='hidden' value='<?php echo $tid; ?>'>
+									<select id='vclid' name='vclid'>
 						  				<option value='0'><?php echo (isset($LANG['SELECTCHECKLIST'])?$LANG['SELECTCHECKLIST']:'Select a Checklist'); ?></option>
 						  				<option value='0'>--------------------------</option>
 						  				<?php
@@ -78,7 +72,8 @@
 									<input name="veditnotes" type="text" size="50" title="<?php echo (isset($LANG['VIEWABLEEDITORS'])?$LANG['VIEWABLEEDITORS']:'Viewable only to checklist editors'); ?>">
 								</div>
 								<div>
-									<button type='submit' name='action' value="Add Voucher"><?php echo (isset($LANG['ADDVOUCHER'])?$LANG['ADDVOUCHER']:'Add Voucher'); ?></button>
+									<input name="tabindex" type="hidden" value="2" >
+									<button type='submit' name='formsubmit' value="addVoucher"><?php echo (isset($LANG['ADDVOUCHER'])?$LANG['ADDVOUCHER']:'Add Voucher'); ?></button>
 								</div>
 							</form>
 						</div>