feat: gestione login tramite OTP/Token

Author: Bacca1997

actions.php

@@ -29,6 +29,7 @@
 use Modules\Emails\Template;
 use Notifications\EmailNotification;
 use Util\Zip;
+use Permissions;
 
 if (empty($structure) || empty($structure['enabled'])) {
     exit(tr('Accesso negato'));
@@ -41,7 +42,28 @@
 // Upload allegati e rimozione
 if (filter('op') == 'aggiungi-allegato' || filter('op') == 'rimuovi-allegato') {
     // Controllo sui permessi di scrittura per il modulo
-    if (Modules::getPermission($id_module) != 'rw') {
+    $has_write_permission = false;
+
+    // Verifica permessi in base al tipo di accesso
+    if (Permissions::isTokenAccess()) {
+        // Per accesso tramite token, verifica i permessi del token
+        $token_info = $_SESSION['token_access'];
+        $token_permission = $token_info['permessi'] ?? 'r';
+
+        // Per gli allegati, verifica i permessi specifici del token
+        if (filter('op') == 'aggiungi-allegato') {
+            // Caricamento allegati: permessi 'ra', 'rwa' o 'rw'
+            $has_write_permission = in_array($token_permission, ['ra', 'rwa', 'rw']);
+        } elseif (filter('op') == 'rimuovi-allegato') {
+            // Rimozione allegati: solo permessi 'rwa' o 'rw'
+            $has_write_permission = in_array($token_permission, ['rwa', 'rw']);
+        }
+    } else {
+        // Per accesso normale, usa i permessi standard del modulo
+        $has_write_permission = (Modules::getPermission($id_module) == 'rw');
+    }
+
+    if (!$has_write_permission) {
         flash()->error(tr('Non hai permessi di scrittura per il modulo _MODULE_', [
             '_MODULE_' => '"'.Module::find($id_module)->getTranslation('title').'"',
         ]));
@@ -154,7 +176,14 @@
             }
         }
 
-        redirect(base_path().'/editor.php?id_module='.$id_module.'&id_record='.$id_record.((!empty($options['id_plugin'])) ? '#tab_'.$options['id_plugin'] : ''));
+        // Determina il redirect appropriato in base al tipo di accesso
+        if (Permissions::isTokenAccess() && !empty($_SESSION['token_access']['id_module_target']) && !empty($_SESSION['token_access']['id_record_target'])) {
+            // Per accesso tramite token, redirect a shared_editor.php
+            redirect(base_path().'/shared_editor.php?id_module='.$id_module.'&id_record='.$id_record.((!empty($options['id_plugin'])) ? '#tab_'.$options['id_plugin'] : ''));
+        } else {
+            // Per accesso normale, redirect a editor.php
+            redirect(base_path().'/editor.php?id_module='.$id_module.'&id_record='.$id_record.((!empty($options['id_plugin'])) ? '#tab_'.$options['id_plugin'] : ''));
+        }
     }
 }
 

ajax.php

@@ -70,7 +70,9 @@
 
     case 'list_attachments':
         $category = get('id_category') ? Categoria::find(get('id_category'))->name : null;
-        echo '{( "name": "filelist_and_upload", "id_module": "'.$id_module.'", "id_record": "'.$id_record.'", "id_plugin": "'.$id_plugin.'", "category": "'.$category.'" )}';
+        $upload_only = get('upload_only') === 'true' ? 'true' : 'false';
+        $disable_edit = get('disable_edit') === 'true' ? 'true' : 'false';
+        echo '{( "name": "filelist_and_upload", "id_module": "'.$id_module.'", "id_record": "'.$id_record.'", "id_plugin": "'.$id_plugin.'", "category": "'.$category.'", "upload_only": "'.$upload_only.'", "disable_edit": "'.$disable_edit.'" )}';
 
         break;
 

assets/src/js/functions/allegati.js

@@ -143,7 +143,9 @@ function ricaricaAllegati(gestione) {
         id_module: gestione.data('id_module'),
         id_plugin: gestione.data('id_plugin'),
         id_record: gestione.data('id_record'),
-        id_category: gestione.data('id_category')
+        id_category: gestione.data('id_category'),
+        upload_only: gestione.data('upload_only') === true || gestione.data('upload_only') === 'true' ? 'true' : 'false',
+        disable_edit: gestione.data('disable_edit') === true || gestione.data('disable_edit') === 'true' ? 'true' : 'false'
     }).toString();
 
     $(id).load(globals.rootdir + "/ajax.php?" + params, function () {

composer.json

@@ -34,6 +34,7 @@
         "digitick/sepa-xml": "^2.1",
         "doctrine/sql-formatter": "^1.5",
         "dragonmantank/cron-expression": "^1.0",
+        "endroid/qr-code": "^6.0",
         "ezyang/htmlpurifier": "^4.8",
         "filp/whoops": "^2.15.0",
         "greenlion/php-sql-parser": "^4.5",

index.php

@@ -25,6 +25,7 @@
 use Illuminate\Database\QueryException;
 
 $op = filter('op');
+$token = filter('token');
 
 $microsoft = null;
 
@@ -77,6 +78,13 @@
 }
 
 if (Auth::check() && isset($dbo) && $dbo->isConnected() && $dbo->isInstalled()) {
+    if (Permissions::isTokenAccess()) {
+        if (!empty($_SESSION['token_access']['id_module_target']) && !empty($_SESSION['token_access']['id_record_target'])) {
+            redirect(base_path().'/shared_editor.php?id_module='.$_SESSION['token_access']['id_module_target'].'&id_record='.$_SESSION['token_access']['id_record_target']);
+            exit;
+        }
+    }
+        
     $module = Auth::firstModule();
 
     if (!empty($module)) {
@@ -87,6 +95,12 @@
     exit;
 }
 
+// Gestione accesso tramite token OTP
+if (!empty($token) && $dbo->isConnected() && $dbo->isInstalled()) {
+    redirect(base_path().'/token_login.php?token='.urlencode($token));
+    exit;
+}
+
 // Modalità manutenzione
 if (!empty($config['maintenance_ip'])) {
     include_once base_dir().'/include/init/maintenance.php';

lib/util.php

@@ -597,3 +597,42 @@ function adjustBrightness($hexCode, $adjustPercent)
         return '#'.implode('', $hexCode);
     }
 }
+
+if (!function_exists('blurEmail')) {
+    /**
+     * Funzione per offuscare parzialmente un indirizzo email
+     *
+     * @param string $email Indirizzo email da offuscare
+     * @return string Email offuscata con asterischi
+     */
+    function blurEmail($email) {
+        if (empty($email) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
+            return $email;
+        }
+
+        $parts = explode('@', $email);
+        $username = $parts[0];
+        $domain = $parts[1];
+
+        $username_length = strlen($username);
+
+        if ($username_length <= 2) {
+            // Se il nome utente è molto corto, mostra solo il primo carattere
+            $blurred_username = substr($username, 0, 1) . str_repeat('*', max(1, $username_length - 1));
+        } elseif ($username_length <= 4) {
+            // Per nomi utente corti, mostra primi 2 caratteri
+            $blurred_username = substr($username, 0, 2) . str_repeat('*', $username_length - 2);
+        } else {
+            // Per nomi utente lunghi, mostra primi 2 e ultimi 1 carattere
+            $visible_start = 2;
+            $visible_end = 1;
+            $stars_count = max(3, $username_length - $visible_start - $visible_end);
+
+            $blurred_username = substr($username, 0, $visible_start) .
+                            str_repeat('*', $stars_count) .
+                            substr($username, -$visible_end);
+        }
+
+        return $blurred_username . '@' . $domain;
+    }
+}

modules/emails/src/Mail.php

@@ -39,14 +39,14 @@ public static function build(?User $user = null, $template = null, $id_record =
     {
         $model = new static();
 
-        $model->created_by = $user->id;
+        $model->created_by = (!empty($user) ? $user->id : null);
 
         if (!empty($template)) {
             $model->id_template = $template->id;
             $model->id_account = $template->account->id;
         }
 
-        $model->id_record = $id_record;
+        $model->id_record = (!empty($id_record) ? $id_record : null);
 
         $model->save();
 

modules/otp_tokens/actions.php

@@ -0,0 +1,109 @@
+<?php
+
+/*
+ * OpenSTAManager: il software gestionale open source per l'assistenza tecnica e la fatturazione
+ * Copyright (C) DevCode s.r.l.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+include_once __DIR__.'/../../core.php';
+
+switch (post('op')) {
+    case 'update':
+        $id_utente = post('id_utente');
+        $descrizione = post('descrizione');
+        $tipo_accesso = post('tipo_accesso');
+        $valido_dal = post('valido_dal') ?: null;
+        $valido_al = post('valido_al') ?: null;
+        $id_module_target = post('id_module_target') ?: 0;
+        $id_record_target = post('id_record_target') ?: 0;
+        $permessi = post('permessi') ?: null;
+        $email = post('email');
+
+        // Validazione email per token OTP
+        if ($tipo_accesso == 'otp' && empty($email)) {
+            flash()->error(tr('L\'email è obbligatoria per i token con OTP'));
+            break;
+        }
+
+        if ($tipo_accesso == 'otp' && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
+            flash()->error(tr('Inserire un indirizzo email valido'));
+            break;
+        }
+
+        // Aggiornamento record
+        $dbo->update('zz_otp_tokens', [
+            'id_utente' => $id_utente,
+            'descrizione' => $descrizione,
+            'tipo_accesso' => $tipo_accesso,
+            'valido_dal' => $valido_dal,
+            'valido_al' => $valido_al,
+            'id_module_target' => $id_module_target,
+            'id_record_target' => $id_record_target,
+            'permessi' => $permessi,
+            'email' => $email,
+        ], ['id' => $id_record]);
+
+        flash()->info(tr('Token aggiornato correttamente'));
+        break;
+
+    case 'add':
+        $descrizione = post('descrizione');
+        // Generazione token sicuro
+        $token = secure_random_string(32);
+
+        // Inserimento nuovo record
+        $dbo->insert('zz_otp_tokens', [
+            'token' => $token,
+            'descrizione' => $descrizione,
+            'enabled' => 0,
+        ]);
+
+        $id_record = $dbo->lastInsertedID();
+
+        if (isAjaxRequest()) {
+            echo json_encode(['id' => $id_record, 'text' => $descrizione]);
+        }
+
+        flash()->info(tr('Token creato correttamente'));
+        break;
+
+    case 'delete':
+        $dbo->query('DELETE FROM zz_otp_tokens WHERE id='.prepare($id_record));
+        flash()->info(tr('Token eliminato!'));
+        break;
+
+    case 'enable':
+        $dbo->update('zz_otp_tokens', [
+            'enabled' => 1,
+        ], ['id' => $id_record]);
+
+        flash()->info(tr('Token abilitato!'));
+        break;
+
+    case 'disable':
+        $dbo->update('zz_otp_tokens', [
+            'enabled' => 0,
+        ], ['id' => $id_record]);
+
+        flash()->info(tr('Token disabilitato!'));
+        break;
+
+    case 'delete':
+        $dbo->query('DELETE FROM zz_otp_tokens WHERE id='.prepare($id_record));
+
+        flash()->info(tr('Token eliminato!'));
+        break;
+}

modules/otp_tokens/add.php

@@ -0,0 +1,53 @@
+<?php
+/*
+ * OpenSTAManager: il software gestionale open source per l'assistenza tecnica e la fatturazione
+ * Copyright (C) DevCode s.r.l.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+include_once __DIR__.'/../../core.php';
+
+?>
+
+<form action="" method="post" id="add-form">
+    <fieldset>
+        <input type="hidden" name="op" value="add">
+        <input type="hidden" name="backto" value="record-edit">
+
+        <div class="card card-primary">
+            <div class="card-header">
+                <h3 class="card-title"><?php echo tr('Nuovo Token'); ?></h3>
+            </div>
+
+            <div class="card-body">
+
+                <div class="row">
+                    <div class="col-md-12">
+                        {[ "type": "text", "label": "<?php echo tr('Descrizione'); ?>", "name": "descrizione", "required": 1, "placeholder": "<?php echo tr('Inserisci una descrizione per il token'); ?>" ]}
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <!-- PULSANTI -->
+        <div class="row">
+            <div class="col-md-12 text-right">
+                <button type="submit" class="btn btn-primary">
+                    <i class="fa fa-plus"></i> <?php echo tr('Aggiungi'); ?>
+                </button>
+            </div>
+        </div>
+    </fieldset>
+</form>