From f3e9c9c867672fbc9b01b7a134d4fffea36c66b2 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 11 Sep 2024 18:02:18 +0100
Subject: [PATCH] API Tidy

- Remove old client ID queries, these are now built into the API keys. If a key has access to all clients, a client ID can be provided in the query.
- Small fixes to assets URI lookup
- Add read endpoint for vendors
---
 api/v1/assets/read.php | 24 +++++++++---------------
 api/v1/certificates/read.php | 9 +--------
 api/v1/clients/read.php | 14 +++-----------
 api/v1/contacts/read.php | 5 +----
 api/v1/documents/read.php | 6 +-----
 api/v1/domains/read.php | 9 +--------
 api/v1/invoices/read.php | 4 +---
 api/v1/locations/read.php | 4 +---
 api/v1/networks/read.php | 9 +--------
 api/v1/products/read.php | 2 --
 api/v1/quotes/read.php | 4 +---
 api/v1/software/read.php | 11 +---------
 api/v1/tickets/read.php | 10 +++++++---
 api/v1/vendors/read.php | 19 +++++++++++++++++++
 14 files changed, 47 insertions(+), 83 deletions(-)
 create mode 100644 api/v1/vendors/read.php

diff --git a/api/v1/assets/read.php b/api/v1/assets/read.php
index a0e5d5c74..bf3d1d148 100644
--- a/api/v1/assets/read.php
+++ b/api/v1/assets/read.php
@@ -12,42 +12,36 @@
 
 } elseif (isset($_GET['asset_type'])) {
     // Asset query via type
-
     $type = mysqli_real_escape_string($mysqli, ucfirst($_GET['asset_type']));
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 
 } elseif (isset($_GET['asset_name'])) {
     // Asset query via name
-
     $name = mysqli_real_escape_string($mysqli, $_GET['asset_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 
 } elseif (isset($_GET['asset_serial'])) {
     // Asset query via serial
-
     $serial = mysqli_real_escape_string($mysqli, $_GET['asset_serial']);
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 
-} elseif (isset($_GET['client_id'])) {
-    // Asset query via client ID
-
-    $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
-
 } elseif (isset($_GET['asset_mac'])) {
     // Asset query via mac
-
     $mac = mysqli_real_escape_string($mysqli, $_GET['asset_mac']);
     $sql = mysqli_query($mysqli, "SELECT * FROM assets LEFT JOIN asset_interfaces ON interface_asset_id = asset_id AND interface_primary = 1 WHERE interface_mac = '$mac' AND asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 
 } elseif (isset($_GET['asset_uri'])) {
-    // Asset query via mac
-
-    $mac = mysqli_real_escape_string($mysqli, $_GET['asset_uri']);
+    // Asset query via uri
+    $uri = mysqli_real_escape_string($mysqli, $_GET['asset_uri']);
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_uri = '$uri' AND asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 
-}
-// All assets
-else {
+} elseif (isset($_GET['asset_uri_2'])) {
+    // Asset query via uri2
+    $uri2 = mysqli_real_escape_string($mysqli, $_GET['asset_uri']);
+    $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_uri_2 = '$uri2' AND asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
+
+}else {
+    // All assets (by client ID or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM assets LEFT JOIN asset_interfaces ON interface_asset_id = asset_id AND interface_primary = 1 WHERE asset_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/certificates/read.php b/api/v1/certificates/read.php
index fb29b0c44..7d08673c7 100644
--- a/api/v1/certificates/read.php
+++ b/api/v1/certificates/read.php
@@ -12,18 +12,11 @@
 
 } elseif (isset($_GET['certificate_name'])) {
     // Certificate by name
-
     $name = mysqli_real_escape_string($mysqli, $_GET['certificate_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
 
-} elseif (isset($_GET['client_id'])) {
-    // Certificate via client ID
-
-    $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
-
 } else {
-    // All certificates
-
+    // All certificates (by client ID or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/clients/read.php b/api/v1/clients/read.php
index 88710361f..a6f0bdae8 100644
--- a/api/v1/clients/read.php
+++ b/api/v1/clients/read.php
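Review bot: The new `asset_uri_2` branch reads the wrong query parameter: it is entered on `isset($_GET['asset_uri_2'])` but builds `$uri2` from `$_GET['asset_uri']`, so a request that supplies only `asset_uri_2` raises an undefined-index warning and ends up querying `asset_uri_2 = ''`. The line should be `$uri2 = mysqli_real_escape_string($mysqli, $_GET['asset_uri_2']);`. While here, `}else {` is the only brace in the chain written without the space; `} else {` keeps it consistent with the rest of the file.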
@@ -4,21 +4,13 @@
 
 require_once '../require_get_method.php';
 
-
-// Specific client via ID (single)
-if (isset($_GET['client_id'])) {
-    $id = intval($_GET['client_id']);
-    $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$id' AND client_id LIKE '$client_id'");
-
-} elseif (isset($_GET['client_name'])) {
-    // Specific client via name (single)
-
+// Specific client via name (single)
+if (isset($_GET['client_name'])) {
     $name = mysqli_real_escape_string($mysqli, $_GET['client_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_name = '$name' AND client_id LIKE '$client_id'");
 
 } else {
-    // All clients
-
+    // All clients (by client ID if given, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id LIKE '$client_id' ORDER BY client_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/contacts/read.php b/api/v1/contacts/read.php
index f06676754..114c11ddb 100644
--- a/api/v1/contacts/read.php
+++ b/api/v1/contacts/read.php
@@ -12,19 +12,16 @@
 
 } elseif (isset($_GET['contact_email'])) {
     // Specific contact via email (single)
-
     $email = mysqli_real_escape_string($mysqli, $_GET['contact_email']);
     $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id LIKE '$client_id'");
 
 } elseif (isset($_GET['contact_phone_or_mobile'])) {
     // Specific contact via phone number or mobile (single)
-
     $phone_or_mob = mysqli_real_escape_string($mysqli, $_GET['contact_phone_or_mobile']);
     $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_mobile = '$phone_or_mob' OR contact_phone = '$phone_or_mob' AND contact_client_id LIKE '$client_id' LIMIT 1");
 
 } else {
-    // All contacts
-
+    // All contacts (by client ID, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id LIKE '$client_id' ORDER BY contact_id LIMIT $limit OFFSET $offset");
 }
 
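Review bot: In the `contact_phone_or_mobile` branch the client scope applies to only half of the condition: SQL binds `AND` tighter than `OR`, so `contact_mobile = '$phone_or_mob' OR contact_phone = '$phone_or_mob' AND contact_client_id LIKE '$client_id'` returns a contact from any client when the mobile number matches, which lets a client-scoped key read another client's contact record. The condition needs grouping: `WHERE (contact_mobile = '$phone_or_mob' OR contact_phone = '$phone_or_mob') AND contact_client_id LIKE '$client_id' LIMIT 1`. The line is unchanged context in this hunk, but now that the key alone decides client access, this `LIKE` clause is the only tenant boundary on that path, so it is worth fixing in the same pass.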
diff --git a/api/v1/documents/read.php b/api/v1/documents/read.php
index 7a8d402b1..a376381b6 100644
--- a/api/v1/documents/read.php
+++ b/api/v1/documents/read.php
@@ -10,12 +10,8 @@
     $id = intval($_GET['document_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_id = '$id' AND document_client_id LIKE '$client_id'");
 
-} elseif (isset($_GET['client_id'])) {
-    // Documents via client ID (multiple)
-    $sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_client_id LIKE '$client_id' AND document_archived_at IS NULL");
-
 } else {
-    // All documents
+    // All documents (by client ID if given, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_client_id LIKE '$client_id' ORDER BY document_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/domains/read.php b/api/v1/domains/read.php
index 624a17c4a..b65aab999 100644
--- a/api/v1/domains/read.php
+++ b/api/v1/domains/read.php
@@ -12,18 +12,11 @@
 
 } elseif (isset($_GET['domain_name'])) {
     // Domain by name
-
     $name = mysqli_real_escape_string($mysqli, $_GET['domain_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 
-} elseif (isset($_GET['client_id'])) {
-    // Domain via client ID
-
-    $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
-
 } else {
-    // All domains
-
+    // All domains (by client ID or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/invoices/read.php b/api/v1/invoices/read.php
index 25f15a4c8..f9f40425a 100644
--- a/api/v1/invoices/read.php
+++ b/api/v1/invoices/read.php
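Review bot: Dropping the `client_id` branch silently changes what a client-scoped listing returns: the removed query excluded archived documents (`document_archived_at IS NULL`), while the surviving `else` query returns them, so a caller that used to list one client's live documents now also receives archived ones. If that filter was intentional, carry it into the remaining query: `$sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_client_id LIKE '$client_id' AND document_archived_at IS NULL ORDER BY document_id LIMIT $limit OFFSET $offset");`. Either way the behaviour change deserves a mention in the commit message or a comment on the `else` branch, since the new comment text reads as if nothing but the entry point moved.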
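Review bot: The `domain_name` query orders by `asset_id`, a column nothing in this file suggests `domains` has; unless the table really carries one, MySQL rejects the statement with an unknown-column error and `$sql` is `false` for every lookup by name. It should order by the same key the `else` branch uses: `... AND domain_client_id LIKE '$client_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");`. The same stray `ORDER BY asset_id` appears in the `software_name` query of api/v1/software/read.php in this patch and should become `ORDER BY software_id` there.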
@@ -7,13 +7,11 @@
 
 if (isset($_GET['invoice_id'])) {
     // Invoice via ID (single)
-
     $id = intval($_GET['invoice_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_id = '$id' AND invoice_client_id LIKE '$client_id'");
 
 } else {
-    // All invoices
-
+    // All invoices (by client ID if given, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id LIKE '$client_id' ORDER BY invoice_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/locations/read.php b/api/v1/locations/read.php
index c9fa4c795..d26efd0de 100644
--- a/api/v1/locations/read.php
+++ b/api/v1/locations/read.php
@@ -7,13 +7,11 @@
 
 if (isset($_GET['location_id'])) {
     // Location via ID (single)
-
     $id = intval($_GET['location_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM locations WHERE location_id = '$id' AND location_client_id LIKE '$client_id'");
 
 } else {
-    // All locations
-
+    // All locations (by client ID if given, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM locations WHERE location_client_id LIKE '$client_id' ORDER BY location_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/networks/read.php b/api/v1/networks/read.php
index 55a440eb7..168757aed 100644
--- a/api/v1/networks/read.php
+++ b/api/v1/networks/read.php
@@ -12,18 +12,11 @@
 
 } elseif (isset($_GET['network_name'])) {
     // Network by name
-
     $name = mysqli_real_escape_string($mysqli, $_GET['network_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND network_client_id LIKE '$client_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
 
-} elseif (isset($_GET['client_id'])) {
-    // Network via client ID
-
-    $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
-
 } else {
-    // All networks
-
+    // All networks (by client ID or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/products/read.php b/api/v1/products/read.php
index 0dbdd8e74..71b4985f2 100644
--- a/api/v1/products/read.php
+++ b/api/v1/products/read.php
@@ -9,13 +9,11 @@
 
 if (isset($_GET['product_id']) && $client_id == "%") {
     // product via ID (single)
-
     $id = intval($_GET['product_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM products WHERE product_id = '$id'");
 
 } elseif ($client_id == "%") {
     // All products
-
     $sql = mysqli_query($mysqli, "SELECT * FROM products ORDER BY product_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/quotes/read.php b/api/v1/quotes/read.php
index 6c851414b..7331de498 100644
--- a/api/v1/quotes/read.php
+++ b/api/v1/quotes/read.php
@@ -7,13 +7,11 @@
 
 if (isset($_GET['quote_id'])) {
     // quote via ID (single)
-
     $id = intval($_GET['quote_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM quotes WHERE quote_id LIKE '$id' AND quote_client_id = '$client_id'");
 
 } else {
-    // All quotes
-
+    // All quotes (by client ID if given, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM quotes WHERE quote_client_id LIKE '$client_id' ORDER BY quote_id LIMIT $limit OFFSET $offset");
 }
 
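Review bot: In api/v1/products/read.php neither branch runs when `$client_id` is not `"%"`, so a client-scoped key leaves `$sql` unassigned and whatever follows the hunk (outside this view) has to cope with an undefined variable instead of an explicit not-permitted result; an `else` branch that rejects the request outright would make the intent visible and keep the later code from touching an unset `$sql`. The sentinel test itself is a loose comparison on a value that is also interpolated into SQL elsewhere in this patch; `$client_id === "%"` states the check precisely.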
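Review bot: The single-quote lookup in api/v1/quotes/read.php has its operators swapped relative to every other endpoint in this patch: `quote_id LIKE '$id' AND quote_client_id = '$client_id'`. With the all-clients key value (`%`, as api/v1/products/read.php tests it) `quote_client_id = '%'` matches nothing, so an all-access key can never fetch a quote by ID, and the `LIKE` on the integer `$id` only works because `intval` has already stripped any wildcard. It should read `quote_id = '$id' AND quote_client_id LIKE '$client_id'`, matching the invoices and locations hunks.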
diff --git a/api/v1/software/read.php b/api/v1/software/read.php
index 37c4fc0a3..7ff2dbf55 100644
--- a/api/v1/software/read.php
+++ b/api/v1/software/read.php
@@ -12,30 +12,21 @@
 
 } elseif (isset($_GET['software_key'])) {
     // Specific software via key
-
     $key = mysqli_real_escape_string($mysqli, $_GET['software_license']);
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_key = '$key' AND software_client_id LIKE '$client_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 
 } elseif (isset($_GET['software_name'])) {
     // Software by name
-
     $name = mysqli_real_escape_string($mysqli, $_GET['software_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 
 } elseif (isset($_GET['software_type'])) {
     // Software via type
-
     $type = intval($_GET['software_type']);
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 
-} elseif (isset($_GET['client_id'])) {
-    // Software via client ID
-
-    $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
-
 } else {
-    // All software(s)
-
+    // All software(s) (by client ID if given, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/tickets/read.php b/api/v1/tickets/read.php
index 2945a4462..408190aec 100644
--- a/api/v1/tickets/read.php
+++ b/api/v1/tickets/read.php
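Review bot: The `software_key` branch is selected on `isset($_GET['software_key'])` but builds `$key` from `$_GET['software_license']`, so every request on that path raises an undefined-index warning and queries `software_key = ''`, which never finds the record the caller asked for. The line should be `$key = mysqli_real_escape_string($mysqli, $_GET['software_key']);`. It is unchanged context here, but the hunk already rewrites the lines around it and is the natural place to correct it.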
@@ -8,11 +8,15 @@
 // Specific ticket via ID (single)
 if (isset($_GET['ticket_id'])) {
     $id = intval($_GET['ticket_id']);
-    $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id'");
+    $sql = mysqli_query(
+        $mysqli,
+        "SELECT * FROM tickets
+        LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id
+        WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id'"
+    );
 
 } else {
-    // All tickets
-
+    // All tickets (by client ID if given, or all in general if key permits)
     $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/vendors/read.php b/api/v1/vendors/read.php
new file mode 100644
index 000000000..e6971f52a
--- /dev/null
+++ b/api/v1/vendors/read.php
@@ -0,0 +1,19 @@
+
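Review bot: The single-ticket query now LEFT JOINs `ticket_statuses`, but the list query in the `else` branch does not, so the two responses served by this endpoint have different column sets and a consumer cannot rely on status fields being present. Either apply the same join to the list query, `$sql = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id WHERE ticket_client_id LIKE '$client_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");`, or add a comment on the `else` branch stating that only the single-ticket response carries status columns. `SELECT *` over the join also exposes every column of `ticket_statuses` to API callers; naming the status columns explicitly would keep the response shape stable if that table grows.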