Hotfix 3.1.6 (#2068)

* Minor editor fix

- Remove head from editor due to causing more disruptions than benefits due to variations within portals central css stylings. Best to integrate head into new redesign of occurrence editor.

* Update hotfix version (3.1.6)

* closes #1954 Fixes use of hidden button and button submit value

Fix transfer taxa form so that action is submited in the request

* Fixing Login Form CSS closes #1975

# Issue #1975

# Summary
input id value for email was "login" and css rule `#login {float:
right}` was being applied to this accidently causing some odd behavior.
Changed id of login so the collid wouldn't happen and bumped the width
of the form so that it will display correctly.

* resolve merge conflict

* Occurrence Profile bugs

- Adjust editor permissions check so that it includes  creator of general research collections (observerUid = active user)
- Avoid double sanitation of identifier and collector

* Update geolocate.php (#1996)

Fixes minor typo that occurs in error message

* hotfix - protection

- If collid input is a number + single quote, assume it's an SQL Inject support and set value to 0, which returns nothing, rather than putting a load on the server

* Institution Sanitation issue

- Remove sanitation off outbound notes content to avoid interfering with embedded html tags that are added when this field is appended with GriSciColl info.
- Remove sanitation notes which were only meant to communicate to internal team when sanitation content was originally added.
Resolves following issue, in part: #1982

* API Annotation Bug

- Fix issue with missing recordID field from SQL statement definition

* added the changes to hotfix

* Bug adding image

- If user is null, user verification code incorrectly checks to see if there is a user with an empty string username or email. Thus, add code that skips checking user table if login details are an empty value
- Don't add empty strings to database. Keep them as null values.
- Comment out user verification check. Just test to make sure it's a number.

* remove associations changes

* Closes #2040 Sorts By Sciname within family (#2052)

# Issue #2040

# Summary
Adds extra sort conditions so that records are sorted by sciname after
being storted by family.

* Closes #2049 Fixes typo on globals variable

# Issues #2049

# Summary
Fixes typo for `IMAGE_ROOT_PATH` and `IMAGE_ROOT_URL` global variables.
Note this will be overritten in the coming 3.2 changes with the
multimedia changes so maybe it would be worth merging.

* Fix country synonyms, some U.S. states, add U.S. state abbreviations (#2059)

* Closes #2064 Fixing String Number multiply

# Issues #2064

# Summary
Adds as is_numeric check on 'page' request variable so that the
`$pageNumber` variable is alwasys a number

* Update geolocate.php per Nelson's suggestion (#2066)

See #1702 (comment)

Co-authored-by: Edward Gilbert <[email protected]>

* Update db_schema_patch-3.1.sql

- Explicitly set the index for omoccurrences.locality to a length of 100, thus avoid DB setting it to a default larger length that is beyond what is needed nor practical.
Addresses issue: #2050

* removed arrow functions and union types

* replaced str_contains with str_pos

---------

Co-authored-by: Edward Gilbert <[email protected]>
Co-authored-by: MuchQuak <[email protected]>
Co-authored-by: Logan Wilt <[email protected]>
Co-authored-by: atticus29 <[email protected]>
Co-authored-by: Lindsay Walker <[email protected]>
Co-authored-by: Nikita Salikov <[email protected]>
Co-authored-by: NikitaSalikov <[email protected]>
Co-authored-by: Katie Pearson <[email protected]>

api/app/Http/Controllers/OccurrenceAnnotationController.php

@@ -112,7 +112,7 @@ public function showAllAnnotations(Request $request){
 		$fullCnt = 0;
 		$result = null;
 		if($type == 'internal'){
-			$annotation = DB::table('omoccuredits as e')->select('e.*', 'o.occurrenceID')
+			$annotation = DB::table('omoccuredits as e')->select('e.*', 'o.occurrenceID', 'o.recordID')
 				->join('omoccurrences as o', 'e.occid', '=', 'o.occid')
 				->where('o.collid', $collid);
 			if($fieldName){
@@ -129,7 +129,7 @@ public function showAllAnnotations(Request $request){
 			$result = $this->formatInternalResults($result);
 		}
 		elseif($type == 'external'){
-			$annotation = DB::table('omoccurrevisions as r')->select('r.*', 'o.occurrenceID')
+			$annotation = DB::table('omoccurrevisions as r')->select('r.*', 'o.occurrenceID', 'o.recordID')
 				->join('omoccurrences as o', 'o.occid', '=', 'r.occid')
 				->where('o.collid', $collid);
 			if($source){

classes/GeographicThesaurus.php

@@ -260,7 +260,9 @@ public function getChildren(array $parentIDs): array {
 			$result = SymbUtil::execute_query($this->conn,$sql, $parentIDs);
 			$children = $result->fetch_all(MYSQLI_ASSOC);
 			$result->free();
-			$children_ids = array_map(fn($v) => $v["geoThesID"], $children);
+			$children_ids = array_map(function($v) {
+				return $v["geoThesID"];
+			}, $children);
 
 			return array_merge($children, $this->getChildren($children_ids));
 		} catch(Exception $e) {
@@ -517,7 +519,9 @@ public function getGBGeoList($countryCode){
 					foreach ($retArr as $key => $value) {
 						if($key === 'ADM0') continue;
 						$geoLevel = $this->getGeoLevel($key);
-						$geoThesIDs = array_filter($children, fn($val) => $val['hasPolygon'] === 1 && $val['geoLevel'] === $geoLevel);
+						$geoThesIDs = array_filter($children, function($val) use ($geoLevel) {
+							return $val['hasPolygon'] === 1 && $val['geoLevel'] === $geoLevel;
+						});
 						if(count($geoThesIDs) > 0) {
 							$retArr[$key]['geoThesID'] = $geoThesIDs;
 							$retArr[$key]['polygon'] = 1;
@@ -697,13 +701,18 @@ public function addGeoBoundary(string $url, bool $addMissing = false, int $baseP
 			}
 			$geoThesIDs = array_filter(
 				$geoThesIDs,
-				fn($val) => $val['hasPolygon'] === 0
+				function($val) {
+					return $val['hasPolygon'] === 0;
+				}
 			);
 
 			if(is_array($geoThesIDs) && count($geoThesIDs) != 1) {
 				$testPoint = $this->getPointWithinPoly($feature->geometry->coordinates);
 				$parents = !empty($geoThesIDs)?
-				array_filter(array_map(fn($val) => $val['parentID'], $geoThesIDs), fn($val) => $val !== null):
+				array_filter(
+					array_map(function($val) { return $val['parentID']; }, $geoThesIDs),
+					function($val) { return $val !== null; }
+				) :
 				$potentialParents;
 
 				if($testPoint) {
@@ -716,7 +725,9 @@ public function addGeoBoundary(string $url, bool $addMissing = false, int $baseP
 					);
 					$geoThesIDs = array_filter(
 						$this->getGeoThesIDByName($properties->shapeName, $geoLevel, [$parentID]),
-						fn($val) => $val['hasPolygon'] === 0,
+						function($val) {
+							return $val['hasPolygon'] === 0;
+						}
 					);
 				}
 			}
@@ -775,7 +786,7 @@ public function getGeoLevelString(int $geolevel) {
 		}
 	}
 
-	public function searchGeothesaurus(string $geoterm, int|null $geolevel = null, string|null $parent = null, bool $distict_geoterms = false): array {
+	public function searchGeothesaurus(string $geoterm, $geolevel = null, $parent = null, bool $distict_geoterms = false): array {
 		$sql = <<<SQL
 		SELECT g.geoThesID, g.geoterm, g.geoLevel, g.parentID, g2.geoterm AS parentterm, g2.geoLevel AS parentlevel FROM geographicthesaurus g 
 		LEFT JOIN geographicthesaurus g2 ON g2.geoThesID = g.parentID

classes/GlossaryManager.php

@@ -32,9 +32,9 @@ class GlossaryManager extends Manager {
 
  	public function __construct(){
  		parent::__construct(null, 'write');
-		$this->imageRootPath = $GLOBALS['$IMAGE_ROOT_PATH'];
+		$this->imageRootPath = $GLOBALS['IMAGE_ROOT_PATH'];
 		if(substr($this->imageRootPath,-1) != "/") $this->imageRootPath .= "/";
-		$this->imageRootUrl = $GLOBALS['$IMAGE_ROOT_URL'];
+		$this->imageRootUrl = $GLOBALS['IMAGE_ROOT_URL'];
 		if(substr($this->imageRootUrl,-1) != "/") $this->imageRootUrl .= "/";
 		if(!empty($GLOBALS['IMG_TN_WIDTH'])){
 			$this->tnPixWidth = $GLOBALS['IMG_TN_WIDTH'];
@@ -1543,4 +1543,4 @@ public function getGlossGroupId(){
 		return $this->glossGroupId;
 	}
 }
-?>
+?>

classes/ImageShared.php

@@ -765,8 +765,8 @@ public function setPhotographer($v){
 	}
 
 	public function setPhotographerUid($v){
-		$v = OccurrenceUtilities::verifyUser($v, $this->conn);
-		$this->photographerUid = $v;
+		//$v = OccurrenceUtilities::verifyUser($v, $this->conn);
+		if(is_numeric($v)) $this->photographerUid = $v;
 	}
 
 	public function setImgLgUrl($v){

classes/InstitutionManager.php

@@ -24,8 +24,22 @@ public function getInstitutionData(){
 				$stmt->bind_param('i', $this->iid);
 				$stmt->execute();
 				$rs = $stmt->get_result();
-				while($r = $rs->fetch_assoc()){
-					$retArr = $r;
+				if($r = $rs->fetch_object()){
+					$retArr['iid'] = $r->iid;
+					$retArr['institutioncode'] = $this->cleanOutStr($r->institutioncode);
+					$retArr['institutionname'] = $this->cleanOutStr($r->institutionname);
+					$retArr['institutionname2'] = $this->cleanOutStr($r->institutionname2);
+					$retArr['address1'] = $this->cleanOutStr($r->address1);
+					$retArr['address2'] = $this->cleanOutStr($r->address2);
+					$retArr['city'] = $this->cleanOutStr($r->city);
+					$retArr['stateprovince'] = $this->cleanOutStr($r->stateprovince);
+					$retArr['postalcode'] = $this->cleanOutStr($r->postalcode);
+					$retArr['country'] = $this->cleanOutStr($r->country);
+					$retArr['phone'] = $this->cleanOutStr($r->phone);
+					$retArr['contact'] = $this->cleanOutStr($r->contact);
+					$retArr['email'] = $this->cleanOutStr($r->email);
+					$retArr['url'] = $this->cleanOutStr($r->url);
+					$retArr['notes'] = $r->notes;	//Do not sanitize at this time. Html tags are included when content is added from GBIF's GrSciColl. Wait until we have resolve the html sanitation issue.
 				}
 				$rs->free();
 				$stmt->close();

classes/OccurrenceEditorImages.php

@@ -394,13 +394,13 @@ public function addImage($postArr){
 		}
 
 		//Set image metadata variables
-		if(array_key_exists('caption',$postArr)) $imgManager->setCaption($postArr['caption']);
-		if(array_key_exists('photographeruid',$postArr)) $imgManager->setPhotographerUid($postArr['photographeruid']);
-		if(array_key_exists('photographer',$postArr)) $imgManager->setPhotographer($postArr['photographer']);
-		if(array_key_exists('sourceurl',$postArr)) $imgManager->setSourceUrl($postArr['sourceurl']);
-		if(array_key_exists('copyright',$postArr)) $imgManager->setCopyright($postArr['copyright']);
-		if(array_key_exists('notes',$postArr)) $imgManager->setNotes($postArr['notes']);
-		if(array_key_exists('sortoccurrence',$postArr)) $imgManager->setSortOccurrence($postArr['sortoccurrence']);
+		if(!empty($postArr['caption'])) $imgManager->setCaption($postArr['caption']);
+		if(!empty($postArr['photographeruid'])) $imgManager->setPhotographerUid($postArr['photographeruid']);
+		if(!empty($postArr['photographer'])) $imgManager->setPhotographer($postArr['photographer']);
+		if(!empty($postArr['sourceurl'])) $imgManager->setSourceUrl($postArr['sourceurl']);
+		if(!empty($postArr['copyright'])) $imgManager->setCopyright($postArr['copyright']);
+		if(!empty($postArr['notes'])) $imgManager->setNotes($postArr['notes']);
+		if(!empty($postArr['sortoccurrence'])) $imgManager->setSortOccurrence($postArr['sortoccurrence']);
 		if(strpos($this->collMap['colltype'], 'Observations') !== false)  $imgManager->setSortSeq(40);
 
 		$sourceImgUri = $postArr['imgurl'];

classes/OccurrenceEditorManager.php

@@ -1711,7 +1711,9 @@ public function mergeRecords($targetOccid,$sourceOccid){
 				SELECT detid FROM omoccurdeterminations where occid = ? and isCurrent = 1;
 				SQL;
 				$result = SymbUtil::execute_query($this->conn, $sql, [$occid]);
-				return array_map(fn($v) => $v[0], $result->fetch_all());
+				return array_map(function ($v) {
+					return $v[0];
+				}, $result->fetch_all());
 			};
 
 			//Fetch List of Old Current Determinations

classes/OccurrenceIndividual.php

@@ -194,11 +194,13 @@ public function setOccurData(){
 	}
 
 	public function applyProtections($isSecuredReader){
+		$retBool = false;
 		if($this->occArr){
 			$protectTaxon = false;
 			/*
 			 if(isset($this->occArr['scinameprotected']) && $this->occArr['scinameprotected'] && !$isSecuredReader){
 			 $protectTaxon = true;
+			 $retBool = true;
 			 $this->occArr['taxonsecure'] = 1;
 			 $this->occArr['sciname'] = $this->occArr['scinameprotected'];
 			 $this->occArr['family'] = $this->occArr['familyprotected'];
@@ -209,6 +211,7 @@ public function applyProtections($isSecuredReader){
 			$protectLocality = false;
 			if($this->occArr['localitysecurity'] == 1 && !$isSecuredReader){
 				$protectLocality = true;
+				$retBool = true;
 				$this->occArr['localsecure'] = 1;
 				$redactArr = array('recordnumber','eventdate','verbatimeventdate','locality','locationid','decimallatitude','decimallongitude','verbatimcoordinates',
 					'locationremarks', 'georeferenceremarks', 'geodeticdatum', 'coordinateuncertaintyinmeters', 'minimumelevationinmeters', 'maximumelevationinmeters',
@@ -227,6 +230,7 @@ public function applyProtections($isSecuredReader){
 			if(!$protectLocality && !$protectTaxon) $this->setImages();
 			if(!$protectLocality) $this->setExsiccati();
 		}
+		return $retBool;
 	}
 
 	private function setDeterminations(){
@@ -1369,7 +1373,7 @@ public function isTaxonomicEditor(){
 	}
 
 	public function activateOrcidID($inStr){
-		$retStr = $this->cleanOutStr($inStr);
+		$retStr = $inStr;
 		$m = array();
 		if(preg_match('#((https://orcid.org/)?\d{4}-\d{4}-\d{4}-\d{3}[0-9X])#', $retStr, $m)){
 			$orcidAnchor = $m[1];

classes/OccurrenceManager.php

@@ -108,7 +108,7 @@ protected function setSqlWhere(){
 			}
 			$this->displaySearchArr[] = $this->LANG['CHECKLIST_ID'] . ': ' . $this->searchTermArr['clid'];
 		}
-		elseif(array_key_exists('db',$this->searchTermArr) && $this->searchTermArr['db']){
+		elseif(array_key_exists('db',$this->searchTermArr)){
 			$pattern = '/[^\d,]/';
 			if (preg_match($pattern, $this->searchTermArr['db'])==0) {
 				$sqlWhere .= OccurrenceSearchSupport::getDbWhereFrag($this->cleanInStr($this->searchTermArr['db']));

classes/OccurrenceSearchSupport.php

@@ -361,7 +361,8 @@ public static function getDbRequestVariable(){
 		if(($p = strpos($dbStr, ';')) !== false){
 			$dbStr = substr($dbStr, 0, $p);
 		}
-		if(!preg_match('/^[a-z0-9,;]+$/', $dbStr)) $dbStr = 'all';
+		if(strpos($dbStr, "'")) $dbStr = '0';		//SQL Injection attempt, thus set to return nothing rather than a query that puts a load on the db server
+		elseif(!preg_match('/^[a-z0-9,;]+$/', $dbStr)) $dbStr = 'all';
 		return $dbStr;
 	}
 

classes/OccurrenceTaxaManager.php

@@ -409,7 +409,7 @@ public function cleanOutStr($str){
 
 	protected function cleanInputStr($str){
 		if(!is_string($str) && !is_numeric($str) && !is_bool($str)) return '';
-		if(stripos($str, 'sleep(') !== false) return '';
+		if(preg_match('/^\d+\'+$/', $str)) return 0;	//SQL Injection attempt, thus set to return nothing rather than a query that puts a load on the db server
 		$str = preg_replace('/%%+/', '%',$str);
 		$str = preg_replace('/^[\s%]+/', '',$str);
 		$str = trim($str,' ,;');

classes/OccurrenceUtilities.php

@@ -1061,26 +1061,28 @@ public static function occurrenceArrayCleaning($recMap){
 	public static function verifyUser($user, $conn){
 		//If input is numberic, verify against uid, or convert username or email to uid
 		$uid = null;
-		$paramArr = array();
-		$typeStr = '';
-		$sql = 'SELECT uid FROM users WHERE ';
-		if(is_numeric($user)){
-			$sql .= 'uid = ?';
-			$paramArr[] = $user;
-			$typeStr = 'i';
-		}
-		else{
-			$sql .= 'username = ? OR email = ?';
-			$paramArr[] = $user;
-			$paramArr[] = $user;
-			$typeStr = 'ss';
-		}
-		if($stmt = $conn->prepare($sql)){
-			$stmt->bind_param($typeStr, ...$paramArr);
-			$stmt->execute();
-			$stmt->bind_result($uid);
-			$stmt->fetch();
-			$stmt->close();
+		if($user){
+			$paramArr = array();
+			$typeStr = '';
+			$sql = 'SELECT uid FROM users WHERE ';
+			if(is_numeric($user)){
+				$sql .= 'uid = ?';
+				$paramArr[] = $user;
+				$typeStr = 'i';
+			}
+			else{
+				$sql .= 'username = ? OR email = ?';
+				$paramArr[] = $user;
+				$paramArr[] = $user;
+				$typeStr = 'ss';
+			}
+			if($stmt = $conn->prepare($sql)){
+				$stmt->bind_param($typeStr, ...$paramArr);
+				$stmt->execute();
+				$stmt->bind_result($uid);
+				$stmt->fetch();
+				$stmt->close();
+			}
 		}
 		return $uid;
 	}

collections/editor/occurrenceeditor.php

@@ -444,10 +444,7 @@
 	<link href="<?= $CSS_BASE_PATH ?>/jquery-ui.css" type="text/css" rel="stylesheet">
 	<link href="<?= $CSS_BASE_PATH ?>/symbiota/variables.css" type="text/css" rel="stylesheet">
 	<?php
-	include_once($SERVER_ROOT.'/includes/head.php');
-	?>
-
-    <?php
+	//include_once($SERVER_ROOT.'/includes/head.php');
     if($crowdSourceMode == 1){
 		?>
 		<link href="includes/config/occureditorcrowdsource.css?ver=5" type="text/css" rel="stylesheet" id="editorCssLink" />

collections/georef/geolocate.php

@@ -77,7 +77,7 @@
 	<script type="text/javascript">
 	    function transferCoord(evt) {
 	        if(evt.origin.indexOf('geo-locate.org') < 0) {
-				alert("iframe url does not have permision to interact with me");
+				alert("iframe url does not have permision to interact with me; url: " + evt.origin);
 	        }
 	        else {//alert(evt.data);
 	            var breakdown = evt.data.split("|");
@@ -217,4 +217,4 @@ function removeAccents($string) {
 
     return $string;
 }
-?>
+?>

collections/individual/domManipulationUtils.js

@@ -1,3 +1,15 @@
+const addElemFirst = (parentDivId, targetChildDivId) => {
+  const parent = document.getElementById(parentDivId);
+  const targetChild = document.getElementById(targetChildDivId);
+  if (!parent || !targetChild) {
+    return;
+  }
+  if (!parent.contains(targetChild)) {
+    return;
+  }
+  parent.prepend(targetChild);
+};
+
 const reorderElements = (parentDivId, desiredDivIds, removeDivIds) => {
   const parent = document.getElementById(parentDivId);
   const allChildren = Array.from(parent.children);

collections/individual/index.php

@@ -33,6 +33,7 @@
 $indManager->setOccurData();
 if(!$occid) $occid = $indManager->getOccid();
 if(!$collid) $collid = $indManager->getCollid();
+$occArr = $indManager->getOccData();
 
 $isSecuredReader = false;
 $isEditor = false;
@@ -64,8 +65,10 @@
 		$isSecuredReader = true;
 	}
 }
-$indManager->applyProtections($isSecuredReader);
-$occArr = $indManager->getOccData();
+if($indManager->applyProtections($isSecuredReader)){
+	//Protections applied, thus reset occurrence array
+	$occArr = $indManager->getOccData();
+}
 $collMetadata = $indManager->getMetadata();
 $genticArr = $indManager->getGeneticArr();
 

collections/map/index.php

@@ -421,7 +421,15 @@ function buildTaxaLegend() {
 			}
 
 			let taxaArr = Object.values(taxaLegendMap).sort((a, b) => {
-				if(a.family === b.family) return 0;
+				if(a.family === b.family) {
+					if(a.sn === b.sn) {
+						return 0;
+					} else if(a.sn> b.sn) {
+						return 1;
+					} else {
+						return -1;
+					}
+				}
 				else if(a.family > b.family) return 1;
 				else return -1;			
 			})

collections/map/rpc/searchCollections.php

@@ -50,7 +50,7 @@
 
 $host = false;
 if(isset($SERVER_HOST)) {
-   $host = ((str_contains($SERVER_HOST, '127.0.0.1') || str_contains($SERVER_HOST, 'localhost'))? "http://": "https://") . $SERVER_HOST . $CLIENT_ROOT;
+   $host = ((strpos($SERVER_HOST, '127.0.0.1') !== false || strpos($SERVER_HOST, 'localhost') !== false) ? "http://" : "https://") . $SERVER_HOST . $CLIENT_ROOT;
 }
 
 foreach ($coordArr as $collName => $coll) {