Merge pull request #390 from bbalet/v1.0.1

V1.0.1
bbalet · May 1, 2023 · 3fb7eca · 3fb7eca
2 parents 150a28d + 3531881
commit 3fb7eca
Show file tree

Hide file tree

Showing 937 changed files with 1,425 additions and 1,417 deletions.
diff --git a/application/config/config.php b/application/config/config.php
@@ -187,6 +187,20 @@
 $config['function_trigger']	= 'm';
 $config['directory_trigger']	= 'd'; // experimental not currently in use
 
+/*
+  |--------------------------------------------------------------------------
+  | Log File Extension
+  |--------------------------------------------------------------------------
+  |
+  | The default filename extension for log files. The default 'php' allows for
+  | protecting the log files via basic scripting, when they are to be stored
+  | under a publicly accessible directory.
+  |
+  | Note: Leaving it blank will default to 'php'.
+  |
+ */
+$config['log_file_extension'] = 'log';
+
 /*
 |--------------------------------------------------------------------------
 | Error Logging Threshold

diff --git a/application/config/demo/config.php b/application/config/demo/config.php
@@ -187,6 +187,20 @@
 $config['function_trigger']	= 'm';
 $config['directory_trigger']	= 'd'; // experimental not currently in use
 
+/*
+  |--------------------------------------------------------------------------
+  | Log File Extension
+  |--------------------------------------------------------------------------
+  |
+  | The default filename extension for log files. The default 'php' allows for
+  | protecting the log files via basic scripting, when they are to be stored
+  | under a publicly accessible directory.
+  |
+  | Note: Leaving it blank will default to 'php'.
+  |
+ */
+$config['log_file_extension'] = 'log';
+
 /*
 |--------------------------------------------------------------------------
 | Error Logging Threshold

diff --git a/application/config/demo/saml.php b/application/config/demo/saml.php
@@ -2,7 +2,7 @@
 /**
  * SAML Configuration file (for Onelogin PHP Library)
  * Full documentation is available at https://developers.onelogin.com/saml/php
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.5.0

diff --git a/application/config/routes.php b/application/config/routes.php
@@ -40,7 +40,6 @@
 
 //_______________________________________________
 //Admin : global features
-$route['admin/qrcode'] = 'admin/qrCode';
 $route['admin/settings'] = 'admin/settings';
 $route['admin/diagnostic'] = 'admin/diagnostic';
 $route['admin/oauthclients'] = 'admin/oauthClients';

diff --git a/application/config/saml-example-onelogin.php b/application/config/saml-example-onelogin.php
@@ -2,7 +2,7 @@
 /**
  * SAML Configuration file (for Onelogin PHP Library)
  * Full documentation is available at https://developers.onelogin.com/saml/php
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.5.0

diff --git a/application/config/saml.php b/application/config/saml.php
@@ -2,7 +2,7 @@
 /**
  * SAML Configuration file (for Onelogin PHP Library)
  * Full documentation is available at https://developers.onelogin.com/saml/php
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.5.0

diff --git a/application/config/testing/config.php b/application/config/testing/config.php
@@ -187,6 +187,20 @@
 $config['function_trigger']	= 'm';
 $config['directory_trigger']	= 'd'; // experimental not currently in use
 
+/*
+  |--------------------------------------------------------------------------
+  | Log File Extension
+  |--------------------------------------------------------------------------
+  |
+  | The default filename extension for log files. The default 'php' allows for
+  | protecting the log files via basic scripting, when they are to be stored
+  | under a publicly accessible directory.
+  |
+  | Note: Leaving it blank will default to 'php'.
+  |
+ */
+$config['log_file_extension'] = 'log';
+
 /*
 |--------------------------------------------------------------------------
 | Error Logging Threshold

diff --git a/application/config/testing/saml.php b/application/config/testing/saml.php
@@ -2,7 +2,7 @@
 /**
  * SAML Configuration file (for Onelogin PHP Library)
  * Full documentation is available at https://developers.onelogin.com/saml/php
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.5.0

diff --git a/application/controllers/Admin.php b/application/controllers/Admin.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller serves the administration pages
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.4.2
@@ -163,17 +163,4 @@ public function oauthTokensPurge() {
         redirect('admin/oauthclients#sessions');
     }
 
-    /**
-     * Output a QRCode containing the URL of the Jorani instance and the e-mail of the connected user
-     * @author Benjamin BALET <[email protected]>
-     */
-    public function qrCode() {
-        require_once(APPPATH . 'third_party/QRCode.php');
-        $this->load->model('users_model');
-        $user = $this->users_model->getUsers($this->user_id);
-        $qr = new QRCodeGenerator\QRCode();
-        $qr = $qr->getMinimumQRCode(base_url() . '#' . $user['login'] .
-                 '#' . $user['email'], QR_ERROR_CORRECT_LEVEL_L);
-        echo $qr->printHTML();
-    }
 }
diff --git a/application/controllers/Api.php b/application/controllers/Api.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller is the entry point for the REST API
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license    http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link       https://github.com/bbalet/jorani
  * @since      0.3.0

diff --git a/application/controllers/Authorization.php b/application/controllers/Authorization.php
@@ -5,7 +5,7 @@
  * docuementation of PHP OAuth2 server:
  * http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
  * 
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license    http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link       https://github.com/bbalet/jorani
  * @since      0.6.0

diff --git a/application/controllers/Calendar.php b/application/controllers/Calendar.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller displays the calendars of the leave requests
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Connection.php b/application/controllers/Connection.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller manages the connection to the application
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0
@@ -193,8 +193,14 @@ public function logout() {
      */
     public function language() {
         $this->load->helper('form');
-        $this->session->set_userdata('language_code', $this->input->get_post('language', true));
-        $this->session->set_userdata('language', $this->polyglot->code2language($this->input->get_post('language', true)));
+
+        //Prevent transversal path attack and the selection of an unavailable language
+        $languages = explode(",", $this->config->item('languages'));
+        $language = $this->input->get_post('language', true);
+        if (in_array($language, $languages)) {
+            $this->session->set_userdata('language_code', $language);
+            $this->session->set_userdata('language', $this->polyglot->code2language($language));
+        }
         if ($this->input->post('last_page') == FALSE) {
             $this->redirectToLastPage();
         } else {

diff --git a/application/controllers/Contracts.php b/application/controllers/Contracts.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller allows to manage the contracts
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Entitleddays.php b/application/controllers/Entitleddays.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller serves the ajax endpoints that manages entitled days
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Extra.php b/application/controllers/Extra.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller contains the actions allowing an employee to list and manage its overtime requests
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Hr.php b/application/controllers/Hr.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller serves all the actions performed by human resources department
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Ics.php b/application/controllers/Ics.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller serves all the ICS (webcal, ical) feeds exposed by Jorani.
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.4.0
@@ -93,13 +93,12 @@ private function getTimezoneAndLanguageOfUser($userId) {
     public function dayoffs($userId, $contract) {
         //Get timezone and language of the user
         $this->getTimezoneAndLanguageOfUser($userId);
+        $vcalendar = new VObject\Component\VCalendar();
+
         //Load the list of day off associated to the contract
         $this->load->model('dayoffs_model');
         $result = $this->dayoffs_model->getDaysOffForContract($contract);
-        if (empty($result)) {
-            echo "";
-        } else {
-            $vcalendar = new VObject\Component\VCalendar();
+        if (!empty($result)) {
             foreach ($result as $event) {
                 $startdate = new \DateTime($event->date, new \DateTimeZone($this->timezone));
                 $enddate = new \DateTime($event->date, new \DateTimeZone($this->timezone));
@@ -129,8 +128,8 @@ public function dayoffs($userId, $contract) {
                     'DTEND' => $enddate
                 ));    
             }
-            echo $vcalendar->serialize();
         }
+        echo $vcalendar->serialize();
     }
 
     /**

diff --git a/application/controllers/Leaves.php b/application/controllers/Leaves.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller contains the actions allowing an employee to list and manage its leave requests
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0
@@ -830,7 +830,7 @@ public function validate() {
         $enddate = preg_replace("([^0-9-])", "", $enddate);
         $startdatetype = $this->input->post('startdatetype', TRUE);     //Mandatory field checked by frontend
         $enddatetype = $this->input->post('enddatetype', TRUE);       //Mandatory field checked by frontend
-        $leave_id = $this->input->post('leave_id', TRUE);
+        $leave_id = intval($this->input->post('leave_id', TRUE));
         $leaveValidator = new stdClass;
         $deductDayOff = FALSE;
         if (isset($id) && isset($type)) {

diff --git a/application/controllers/Leavetypes.php b/application/controllers/Leavetypes.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller allows to manage the list of leave types
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0
@@ -88,7 +88,7 @@ public function edit($id) {
             $this->types_model->updateTypes($id,
                     $this->input->post('name'),
                     $this->input->post('deduct_days_off'),
-                    $this->input->post('acronym'));
+                    mb_substr($this->input->post('acronym'), 0, 10));
             $this->session->set_flashdata('msg', lang('leavetypes_popup_update_flash_msg'));
             redirect('leavetypes');
         }

diff --git a/application/controllers/Organization.php b/application/controllers/Organization.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller contains the actions allowing to manage and display the organization tree
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.2.0

diff --git a/application/controllers/Overtime.php b/application/controllers/Overtime.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller contains the actions allowing a manager to list and manage overtime requests
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Pages.php b/application/controllers/Pages.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller loads the static and custom pages of the application
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.4.0

diff --git a/application/controllers/Positions.php b/application/controllers/Positions.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller serves all the actions performed on postions
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Reports.php b/application/controllers/Reports.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller serves the list of custom reports and the system reports.
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.2.0

diff --git a/application/controllers/Requests.php b/application/controllers/Requests.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller allows a manager to list and manage leave requests submitted to him
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.1.0

diff --git a/application/controllers/Rest.php b/application/controllers/Rest.php
@@ -3,7 +3,7 @@
  * This controller is the entry point for the REST API used by mobile and HTML5
  * Clients. They use CORS requests. Each call to end points uses BasicAuth 
  * except the preflight exchange. So it should be used with a TLS connection
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.3.0

diff --git a/application/controllers/RestAdmin.php b/application/controllers/RestAdmin.php
@@ -3,7 +3,7 @@
  * This controller is the entry point for the REST API used by mobile and HTML5
  * Clients. They use CORS requests. Each call to end points uses BasicAuth 
  * except the preflight exchange. So it should be used with a TLS connection
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.3.0

diff --git a/application/controllers/RestLeaves.php b/application/controllers/RestLeaves.php
@@ -3,7 +3,7 @@
  * This controller is the entry point for the REST API used by mobile and HTML5
  * Clients. They use CORS requests. Each call to end points uses BasicAuth 
  * except the preflight exchange. So it should be used with a TLS connection
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.3.0

diff --git a/application/controllers/RestRequests.php b/application/controllers/RestRequests.php
@@ -3,7 +3,7 @@
  * This controller is the entry point for the REST API used by mobile and HTML5
  * Clients. They use CORS requests. Each call to end points uses BasicAuth 
  * except the preflight exchange. So it should be used with a TLS connection
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license      http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link            https://github.com/bbalet/jorani
  * @since         0.3.0

diff --git a/application/controllers/RestUsers.php b/application/controllers/RestUsers.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This controller serves the user management REST API
- * @copyright  Copyright (c) 2014-2019 Benjamin BALET
+ * @copyright  Copyright (c) 2014-2023 Benjamin BALET
  * @license    http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
  * @link       https://github.com/bbalet/jorani
  * @since      0.6.6