Merge branch 'master' into production

HaGuesto · HaGuesto · commit f8f8b3d51cc0 · 2026-03-30T18:13:58.000+02:00
diff --git a/assets/js/custom.js b/assets/js/custom.js
@@ -631,9 +631,6 @@ $(".delete-user").on("click", function (e) {
         $.ajax({
             type: "post",
             url: "ajax.php?file=deleteprofile",
-            data: {
-                cms_user_id: el.data("id"),
-            },
             dataType: "json",
             success: function (result) {
                 AjaxCheckSuccess(result);
diff --git a/cron/dailyroutine.php b/cron/dailyroutine.php
@@ -25,6 +25,9 @@
     FROM people AS p 
     LEFT OUTER JOIN camps AS c ON c.id = p.camp_id 
     WHERE (NOT p.deleted OR p.deleted IS NULL) AND p.parent_id IS NULL');
+
+    // All deletions are logged with the same timestamp
+    $now = date('Y-m-d H:i:s');
     while ($row = db_fetch($result)) {
         $row['touch'] = db_value('
         SELECT GREATEST(COALESCE((
@@ -48,9 +51,8 @@
             $row['diff'] = $date2->diff($date1)->format('%a');
 
             if ($row['diff'] > $row['treshold']) {
-                db_query('UPDATE people SET deleted = NOW() WHERE id = :id', ['id' => $row['id']]);
-                simpleSaveChangeHistory('people', $row['id'], 'Record deleted by daily routine');
-                db_touch('people', $row['id']);
+                db_query('UPDATE people SET deleted = :now, modified = :now, modified_by = :user WHERE id = :id', ['user' => $_SESSION['user']['id'], 'id' => $row['id'], 'now' => $now]);
+                simpleSaveChangeHistory('people', $row['id'], 'Record deleted by daily routine', $now);
             }
         }
     }
@@ -61,9 +63,8 @@
     FROM people AS p1, people AS p2 
     WHERE p2.parent_id = p1.id AND p1.deleted AND (NOT p2.deleted OR p2.deleted IS NULL)');
     while ($row = db_fetch($result)) {
-        db_query('UPDATE people SET deleted = NOW() WHERE id = :id', ['id' => $row['id']]);
-        simpleSaveChangeHistory('people', $row['id'], 'Record deleted by daily routine because head of family/beneficiary was deleted');
-        db_touch('people', $row['id']);
+        db_query('UPDATE people SET deleted = :now, modified = :now, modified_by = :user WHERE id = :id', ['user' => $_SESSION['user']['id'], 'id' => $row['id'], 'now' => $now]);
+        simpleSaveChangeHistory('people', $row['id'], 'Record deleted by daily routine because head of family/beneficiary was deleted', $now);
     }
 
     // this notifies us when a new installation of the Drop App is made
diff --git a/db/init.sql b/db/init.sql
diff --git a/include/cms_users.php b/include/cms_users.php
@@ -28,7 +28,7 @@
 
     // Execution of queries in cms_users_page.php
     $cms_users_lower_level_query = '
-			SELECT u.*, NOT u.is_admin AS visible, g.label AS usergroup, 0 AS preventdelete, 0 as disableifistrue
+			SELECT u.*, NOT u.is_admin AS visible, g.label AS usergroup, 0 AS preventdelete, 0 as disableifistrue, 0 AS preventedit
 			FROM cms_users AS u
 			LEFT OUTER JOIN cms_usergroups AS g ON g.id = u.cms_usergroups_id 
 			LEFT OUTER JOIN cms_usergroups_camps AS uc ON uc.cms_usergroups_id = g.id
@@ -46,13 +46,14 @@
     // Do not forget to specify :userGroupLevel and :user in the db call later
     // related to this trello card https://trello.com/c/KI47eGPI
     $cms_users_same_or_upper_level_query = '
-			SELECT u.*, 0 AS visible, g.label AS usergroup, 1 AS preventdelete, 1 as disableifistrue
+			SELECT u.*, IF(u.id = :user, 1, 0) AS visible, g.label AS usergroup, 1 AS preventdelete, 1 as disableifistrue, IF(u.id = :user, 0, 1) AS preventedit
 			FROM cms_users AS u
 			INNER JOIN cms_usergroups AS g ON g.id = u.cms_usergroups_id 
 			INNER JOIN cms_usergroups_camps AS uc ON uc.cms_usergroups_id = g.id
 			INNER JOIN cms_usergroups_levels AS l ON l.id = g.userlevel
-			WHERE (l.level >= :userGroupLevel AND u.id != :user)
-            AND uc.camp_id IN ('.($_SESSION['camp']['id'] ?: 0).')
+            WHERE l.level >= :userGroupLevel
+            AND (u.id != :user OR :userGroupLevel = 100)
+            AND uc.camp_id IN ('.(intval($_SESSION['camp']['id']) ?: 0).')
 			AND NOT (u.valid_lastday < CURDATE() AND UNIX_TIMESTAMP(u.valid_lastday) != 0)
 			AND UNIX_TIMESTAMP(u.deleted) = 0
             GROUP BY u.id
diff --git a/include/cms_users_deactivated.php b/include/cms_users_deactivated.php
@@ -24,7 +24,7 @@
     );
 
     // Execution of queries in cms_users_page.php
-    $cms_users_lower_level_query = 'SELECT u.id, u.naam, SUBSTR(u.email, 1, LENGTH(u.email)-LENGTH(".deleted.")-LENGTH(u.id)) AS email, u.valid_firstday, u.valid_lastday, NOT u.is_admin AS visible, g.label AS usergroup, 0 AS preventdelete, 1 as disableifistrue
+    $cms_users_lower_level_query = 'SELECT u.id, u.naam, SUBSTR(u.email, 1, LENGTH(u.email)-LENGTH(".deleted.")-LENGTH(u.id)) AS email, u.valid_firstday, u.valid_lastday, NOT u.is_admin AS visible, g.label AS usergroup, 0 AS preventdelete, 1 as disableifistrue, 0 as preventedit
 			FROM cms_users AS u
 			LEFT OUTER JOIN cms_usergroups AS g ON g.id = u.cms_usergroups_id 
 			LEFT OUTER JOIN cms_usergroups_camps AS uc ON uc.cms_usergroups_id = g.id
@@ -40,7 +40,7 @@
 
     // Do not forget to specify :usergroup and :user in the db call later
     $cms_users_same_level_query = '
-			SELECT u.id, u.naam, SUBSTR(u.email, 1, LENGTH(u.email)-LENGTH(".deleted.")-LENGTH(u.id)) AS email, u.valid_firstday, u.valid_lastday, 0 AS visible, g.label AS usergroup, 1 AS preventdelete, 1 as disableifistrue
+			SELECT u.id, u.naam, SUBSTR(u.email, 1, LENGTH(u.email)-LENGTH(".deleted.")-LENGTH(u.id)) AS email, u.valid_firstday, u.valid_lastday, 0 AS visible, g.label AS usergroup, 1 AS preventdelete, 1 as disableifistrue, 1 AS preventedit
 			FROM cms_users AS u
 			LEFT OUTER JOIN cms_usergroups AS g ON g.id = u.cms_usergroups_id
 			WHERE u.cms_usergroups_id = :usergroup
diff --git a/include/cms_users_edit.php b/include/cms_users_edit.php
@@ -74,10 +74,41 @@
             WHERE ug.id = :id AND (NOT ug.deleted OR ug.deleted IS NULL)', ['id' => $_POST['cms_usergroups_id'][0]]);
         $is_admin = $_SESSION['user']['is_admin'];
         $organisation_allowed = ($_SESSION['organisation']['id'] == $posteduser['organisation_id']);
-        // allow admins to create another admin account
+        // allow HoO to create another HoO account
         // related to this trello card https://trello.com/c/YAF3Az4P
         $userlevel_allowed = ($_SESSION['usergroup']['userlevel'] > $posteduser['userlevel']) || ($_SESSION['usergroup']['userlevel'] == $posteduser['userlevel'] && '100' == $_SESSION['usergroup']['userlevel']);
 
+        // Prevent HoO user from downgrading their usergroup if they're the only HoO
+        if (!$is_admin
+            && $_POST['id'] == $_SESSION['user']['id']
+            && 100 == $_SESSION['usergroup']['userlevel']) {
+            // Count how many HoO users exist in this organization
+            $hoo_count = db_value(
+                '
+                SELECT COUNT(DISTINCT u.id)
+                FROM cms_users AS u
+                LEFT JOIN cms_usergroups AS ug ON ug.id = u.cms_usergroups_id
+                LEFT JOIN cms_usergroups_levels AS ugl ON ugl.id = ug.userlevel
+                WHERE ug.organisation_id = :org_id
+                    AND ugl.level = 100
+                    AND (NOT u.deleted OR u.deleted IS NULL)
+                    AND (NOT ug.deleted OR ug.deleted IS NULL)
+                    AND NOT (u.valid_lastday < CURDATE() AND UNIX_TIMESTAMP(u.valid_lastday) != 0)',
+                ['org_id' => $_SESSION['organisation']['id']]
+            );
+
+            // If this is the last HoO, prevent the change
+            if ($hoo_count <= 1) {
+                if ($posteduser['userlevel'] < $_SESSION['usergroup']['userlevel']) {
+                    redirect('?action=cms_users_edit&id='.$_POST['id'].'&origin='.$_POST['_origin'].'&warning=1&message=You cannot downgrade yourself. Your organisation must have at least one Head of Operations user.');
+                    trigger_error('You cannot downgrade yourself. Your organisation must have at least one Head of Operations user.', E_USER_NOTICE);
+                } elseif (('' !== $_POST['valid_firstday']) || ('' !== $_POST['valid_lastday'])) {
+                    redirect('?action=cms_users_edit&id='.$_POST['id'].'&origin='.$_POST['_origin'].'&warning=1&message=You cannot edit yourself. Your organisation must have at least one Head of Operations user.');
+                    trigger_error('You cannot edit yourself. Your organisation must have at least one Head of Operations user.', E_USER_NOTICE);
+                }
+            }
+        }
+
         if ($is_admin || ($organisation_allowed && $userlevel_allowed)) {
             $keys = ['naam', 'email', 'cms_usergroups_id', 'valid_firstday', 'valid_lastday'];
             $userId = db_transaction(function () use ($table, $keys, $userId) {
@@ -114,7 +145,12 @@
 		FROM cms_usergroups AS ug
 		LEFT OUTER JOIN cms_usergroups_levels AS ugl ON ugl.id=ug.userlevel
 		WHERE ug.id = :id AND (NOT ug.deleted OR ug.deleted IS NULL)', ['id' => $data['cms_usergroups_id']]);
-    if (!$_SESSION['user']['is_admin'] && ($data && ($data['is_admin'] || ($_SESSION['organisation']['id'] != $requesteduser['organisation_id']) || ($_SESSION['usergroup']['userlevel'] <= $requesteduser['userlevel'])))) {
+    if (!$_SESSION['user']['is_admin']
+        && $data
+        && $data['id'] != $_SESSION['user']['id']
+        && ($data['is_admin']
+         || $_SESSION['organisation']['id'] != $requesteduser['organisation_id']
+         || $_SESSION['usergroup']['userlevel'] <= $requesteduser['userlevel'])) {
         throw new Exception('You do not have access to this user!', 403);
     }
 
@@ -130,11 +166,14 @@
     // display admin role in the usergroup - only for user with admin roles
     // related to this trello card https://trello.com/c/YAF3Az4P
     $usergroups = db_array('
-		SELECT ug.id AS value, ug.label 
-		FROM cms_usergroups AS ug
-		LEFT OUTER JOIN cms_usergroups_levels AS ugl ON (ugl.id=ug.userlevel)
-		WHERE ug.organisation_id = :organisation_id AND (ugl.level < :userlevel OR :is_admin OR (ugl.level <= :userlevel AND 100 = :userlevel)) AND (NOT ug.deleted OR ug.deleted IS NULL)
-		ORDER BY ug.label', ['organisation_id' => $_SESSION['organisation']['id'], 'userlevel' => $_SESSION['usergroup']['userlevel'], 'is_admin' => $_SESSION['user']['is_admin']]);
+        SELECT ug.id AS value, ug.label
+        FROM cms_usergroups AS ug
+        LEFT OUTER JOIN cms_usergroups_levels AS ugl ON (ugl.id=ug.userlevel)
+        WHERE ug.organisation_id = :organisation_id
+        AND (:is_admin OR (ugl.level < :userlevel OR (ugl.level <= :userlevel AND 100 = :userlevel)))
+        AND (:is_admin OR ug.label != "Boxtribute God")
+        AND (NOT ug.deleted OR ug.deleted IS NULL)
+        ORDER BY ug.label', ['organisation_id' => $_SESSION['organisation']['id'], 'userlevel' => $_SESSION['usergroup']['userlevel'], 'is_admin' => $_SESSION['user']['is_admin']]);
     addfield('select', 'Select user group', 'cms_usergroups_id', ['required' => true, 'options' => $usergroups, 'testid' => 'user_group']);
 
     addfield('line');
diff --git a/include/cms_users_expired.php b/include/cms_users_expired.php
@@ -29,7 +29,7 @@
     );
 
     // Execution of queries in cms_users_page.php
-    $cms_users_lower_level_query = 'SELECT u.*, NOT u.is_admin AS visible, g.label AS usergroup, 0 AS preventdelete, 1 as disableifistrue
+    $cms_users_lower_level_query = 'SELECT u.*, NOT u.is_admin AS visible, g.label AS usergroup, 0 AS preventdelete, 1 as disableifistrue, 0 AS preventedit
 			FROM cms_users AS u
 			LEFT OUTER JOIN cms_usergroups AS g ON g.id = u.cms_usergroups_id 
 			LEFT OUTER JOIN cms_usergroups_camps AS uc ON uc.cms_usergroups_id = g.id
@@ -46,7 +46,7 @@
 
     // Do not forget to specify :usergroup and :user in the db call later
     $cms_users_same_level_query = '
-			SELECT u.*, 0 AS visible, g.label AS usergroup, 1 AS preventdelete, 1 as disableifistrue
+			SELECT u.*, 0 AS visible, g.label AS usergroup, 1 AS preventdelete, 1 as disableifistrue, 1 AS preventedit
 			FROM cms_users AS u
 			LEFT OUTER JOIN cms_usergroups AS g ON g.id = u.cms_usergroups_id
 			WHERE u.cms_usergroups_id = :usergroup
diff --git a/include/people.php b/include/people.php
@@ -514,14 +514,15 @@ function () use ($cmsmain, $data) {
                     case 'touch':
                         $ids = explode(',', (string) $_POST['ids']);
                         $userId = $_SESSION['user']['id'];
+                        $now = date('Y-m-d H:i:s');
                         // Query speed optimised for 500 records from 6.2 seconds to 0.54 seconds using  transaction blocks over UPDATE and bulk inserts
-                        db_transaction(function () use ($ids, $userId) {
+                        db_transaction(function () use ($ids, $userId, $now) {
                             foreach ($ids as $id) {
-                                db_query('UPDATE people SET modified = NOW(), modified_by = :user WHERE id = :id', ['id' => $id, 'user' => $userId]);
+                                db_query('UPDATE people SET modified = :now, modified_by = :user WHERE id = :id', ['id' => $id, 'user' => $userId, 'now' => $now]);
                             }
                         });
                         // Bulk insert used to insert into history table
-                        simpleBulkSaveChangeHistory('people', $ids, 'Touched');
+                        simpleBulkSaveChangeHistory('people', $ids, 'Touched', $now);
 
                         $success = true;
                         $message = 'Selected people have been touched';
diff --git a/include/people_deactivated.php b/include/people_deactivated.php
@@ -161,7 +161,7 @@ function () use (&$data) {
                 }
 
                 // Optimized by using bulk inserts and transactions over delete queries
-                [$success, $message, $redirect] = listBulkRealDelete($table, $ids);
+                [$success, $message, $redirect] = listBulkRealDelete($table, $ids, $now);
 
                 return [$success, $message, $redirect];
             });
diff --git a/include/stock_overview.php b/include/stock_overview.php
@@ -118,6 +118,8 @@ function box_state_id_from_filter($applied_filter)
                                 products as b ON upper(a.name)=upper(b.name) 
                             WHERE 
                                 a.camp_id = :camp_id and b.camp_id = :camp_id and a.id<=b.id 
+                                AND (NOT a.deleted OR a.deleted IS NULL)
+                                AND (NOT b.deleted OR b.deleted IS NULL)
                             GROUP BY 
                                 upper(a.name)
                             ) prod_a 
diff --git a/library/ajax/deleteprofile.php b/library/ajax/deleteprofile.php
@@ -1,14 +1,16 @@
 <?php
 
 db_transaction(function () {
+    $now = date('Y-m-d H:i:s');
+    $user_id = $_SESSION['user']['id'];
     // Only append .deleted suffix if the email doesn't already have it
     // This prevents double-deletion if the query is somehow executed twice
     // Pattern checks for .deleted.<digits> after the @ symbol (e.g., user@domain.com.deleted.123)
-    db_query('UPDATE cms_users SET deleted = NOW(), email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['id' => $_POST['cms_user_id']]);
-    updateAuth0UserFromDb($_POST['cms_user_id']);
+    db_query('UPDATE cms_users SET modified = :now, modified_by = :id, deleted = :now, email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['now' => $now, 'id' => $user_id]);
+    updateAuth0UserFromDb($user_id);
+    simpleSaveChangeHistory('cms_users', $_POST['cms_user_id'], 'Record deleted without undelete', $now);
 });
 
-simpleSaveChangeHistory('cms_users', $_POST['cms_user_id'], 'Record deleted without undelete');
 // when a user deactive its account we need to ensure that user logged out immediately and then redirected to Auth0 login page
 global $settings;
 logout();
diff --git a/library/ajax/testdbdelete.php b/library/ajax/testdbdelete.php
@@ -62,7 +62,7 @@
 
         if ('true' == $return) {
             db_transaction(function () use ($ids, $return) {
-                [$return, $msg, $redirect] = listRealDelete($_POST['table'], $ids);
+                [$return, $msg, $redirect] = listBulkRealDelete($_POST['table'], $ids);
                 foreach ($ids as $id) {
                     deleteAuth0User($id);
                 }
diff --git a/library/functions.php b/library/functions.php
@@ -272,6 +272,7 @@ function move_boxes($ids, $newlocationid, $mobile = false)
 {
     [$count, $action_label, $mobile_message] = db_transaction(function () use ($ids, $newlocationid) {
         $count = 0;
+        $now = date('Y-m-d H:i:s');
         foreach ($ids as $id) {
             $box = db_row('
                 SELECT 
@@ -311,23 +312,24 @@ function move_boxes($ids, $newlocationid, $mobile = false)
                     '
                     UPDATE stock 
                     SET 
-                        modified = NOW(), 
+                        modified = :now,
                         modified_by = :user_id , 
                         location_id = :location 
                     WHERE id = :id',
-                    ['location' => $newlocationid, 'id' => $id, 'user_id' => $_SESSION['user']['id']]
+                    ['location' => $newlocationid, 'id' => $id, 'now' => $now, 'user_id' => $_SESSION['user']['id']]
                 );
 
                 $from['int'] = $box['location_id'];
                 $to['int'] = $newlocationid;
-                simpleSaveChangeHistory('stock', $id, 'location_id', $from, $to);
+                simpleSaveChangeHistory('stock', $id, 'location_id', $now, $from, $to);
                 db_query(
                     '
                     INSERT INTO itemsout (product_id, size_id, count, movedate, from_location, to_location) 
-                        VALUES (:product_id, :size_id, :count, NOW(), :from_location, :to_location)',
+                        VALUES (:product_id, :size_id, :count, :now, :from_location, :to_location)',
                     ['product_id' => $box['product_id'],
                         'size_id' => $box['size_id'],
                         'count' => $box['items'],
+                        'now' => $now,
                         'from_location' => $box['location_id'],
                         'to_location' => $newlocationid, ]
                 );
@@ -343,12 +345,12 @@ function move_boxes($ids, $newlocationid, $mobile = false)
                     UPDATE stock 
                     SET 
                         box_state_id = :box_state_id, 
-                        modified = NOW(), 
+                        modified = :now,
                         modified_by = :user_id 
                     WHERE id = :id',
-                    ['box_state_id' => $newlocation['box_state_id'], 'id' => $id, 'user_id' => $_SESSION['user']['id']]
+                    ['box_state_id' => $newlocation['box_state_id'], 'id' => $id, 'now' => $now, 'user_id' => $_SESSION['user']['id']]
                 );
-                simpleSaveChangeHistory('stock', $id, 'box_state_id', $from, $to);
+                simpleSaveChangeHistory('stock', $id, 'box_state_id', $now, $from, $to);
                 $mobile_message .= ' and its state changed to '.$newlocation['box_state_name'];
             }
 
diff --git a/library/lib/auth0.php b/library/lib/auth0.php
@@ -145,7 +145,7 @@ function updateAuth0UserFromDb($userId, $setPwd = false)
 
         // the status code will be 201 if the user created successfully
         if (201 !== $response->getStatusCode()) {
-            throw new Exception($response->getStatusCode(), $response->getReasonPhrase());
+            throw new Exception($response->getReasonPhrase(), $response->getStatusCode());
         }
     } elseif (200 !== $response->getStatusCode()) {
         throw new Exception($response->getReasonPhrase(), $response->getStatusCode());
diff --git a/library/lib/database.php b/library/lib/database.php
@@ -248,13 +248,6 @@ function db_tableexists($table, $dbid = false)
     return in_array($table, $tables);
 }
 
-function db_touch($table, $id)
-{
-    if (db_fieldexists($table, 'modified')) {
-        db_query('UPDATE '.$table.' SET modified = NOW(), modified_by = :user WHERE id = :id', ['user' => $_SESSION['user']['id'], 'id' => $id]);
-    }
-}
-
 function db_simulate($query, $array = [], $dbid = false)
 {
     global $defaultdbid;
diff --git a/library/lib/list.php b/library/lib/list.php
diff --git a/library/lib/tools.php b/library/lib/tools.php
diff --git a/pdf/qr.php b/pdf/qr.php
diff --git a/php.ini b/php.ini

Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ function () use (&$data) {`
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`// Optimized by using bulk inserts and transactions over delete queries`
`164`		`- [$success, $message, $redirect] = listBulkRealDelete($table, $ids);`
	`164`	`+ [$success, $message, $redirect] = listBulkRealDelete($table, $ids, $now);`
`165`	`165`
`166`	`166`	`return [$success, $message, $redirect];`
`167`	`167`	`});`