Merge pull request #197 from BioKIC/master

Hotfix 3.1.6 (BioKIC#2068)

api/app/Http/Controllers/OccurrenceAnnotationController.php

@@ -112,7 +112,7 @@ public function showAllAnnotations(Request $request){
 		$fullCnt = 0;
 		$result = null;
 		if($type == 'internal'){
-			$annotation = DB::table('omoccuredits as e')->select('e.*', 'o.occurrenceID')
+			$annotation = DB::table('omoccuredits as e')->select('e.*', 'o.occurrenceID', 'o.recordID')
 				->join('omoccurrences as o', 'e.occid', '=', 'o.occid')
 				->where('o.collid', $collid);
 			if($fieldName){
@@ -129,7 +129,7 @@ public function showAllAnnotations(Request $request){
 			$result = $this->formatInternalResults($result);
 		}
 		elseif($type == 'external'){
-			$annotation = DB::table('omoccurrevisions as r')->select('r.*', 'o.occurrenceID')
+			$annotation = DB::table('omoccurrevisions as r')->select('r.*', 'o.occurrenceID', 'o.recordID')
 				->join('omoccurrences as o', 'o.occid', '=', 'r.occid')
 				->where('o.collid', $collid);
 			if($source){

classes/GeographicThesaurus.php

@@ -260,7 +260,9 @@ public function getChildren(array $parentIDs): array {
 			$result = SymbUtil::execute_query($this->conn,$sql, $parentIDs);
 			$children = $result->fetch_all(MYSQLI_ASSOC);
 			$result->free();
-			$children_ids = array_map(fn($v) => $v["geoThesID"], $children);
+			$children_ids = array_map(function($v) {
+				return $v["geoThesID"];
+			}, $children);
 
 			return array_merge($children, $this->getChildren($children_ids));
 		} catch(Exception $e) {
@@ -517,7 +519,9 @@ public function getGBGeoList($countryCode){
 					foreach ($retArr as $key => $value) {
 						if($key === 'ADM0') continue;
 						$geoLevel = $this->getGeoLevel($key);
-						$geoThesIDs = array_filter($children, fn($val) => $val['hasPolygon'] === 1 && $val['geoLevel'] === $geoLevel);
+						$geoThesIDs = array_filter($children, function($val) use ($geoLevel) {
+							return $val['hasPolygon'] === 1 && $val['geoLevel'] === $geoLevel;
+						});
 						if(count($geoThesIDs) > 0) {
 							$retArr[$key]['geoThesID'] = $geoThesIDs;
 							$retArr[$key]['polygon'] = 1;
@@ -697,13 +701,18 @@ public function addGeoBoundary(string $url, bool $addMissing = false, int $baseP
 			}
 			$geoThesIDs = array_filter(
 				$geoThesIDs,
-				fn($val) => $val['hasPolygon'] === 0
+				function($val) {
+					return $val['hasPolygon'] === 0;
+				}
 			);
 
 			if(is_array($geoThesIDs) && count($geoThesIDs) != 1) {
 				$testPoint = $this->getPointWithinPoly($feature->geometry->coordinates);
 				$parents = !empty($geoThesIDs)?
-				array_filter(array_map(fn($val) => $val['parentID'], $geoThesIDs), fn($val) => $val !== null):
+				array_filter(
+					array_map(function($val) { return $val['parentID']; }, $geoThesIDs),
+					function($val) { return $val !== null; }
+				) :
 				$potentialParents;
 
 				if($testPoint) {
@@ -716,7 +725,9 @@ public function addGeoBoundary(string $url, bool $addMissing = false, int $baseP
 					);
 					$geoThesIDs = array_filter(
 						$this->getGeoThesIDByName($properties->shapeName, $geoLevel, [$parentID]),
-						fn($val) => $val['hasPolygon'] === 0,
+						function($val) {
+							return $val['hasPolygon'] === 0;
+						}
 					);
 				}
 			}
@@ -775,7 +786,7 @@ public function getGeoLevelString(int $geolevel) {
 		}
 	}
 
-	public function searchGeothesaurus(string $geoterm, int|null $geolevel = null, string|null $parent = null, bool $distict_geoterms = false): array {
+	public function searchGeothesaurus(string $geoterm, $geolevel = null, $parent = null, bool $distict_geoterms = false): array {
 		$sql = <<<SQL
 		SELECT g.geoThesID, g.geoterm, g.geoLevel, g.parentID, g2.geoterm AS parentterm, g2.geoLevel AS parentlevel FROM geographicthesaurus g 
 		LEFT JOIN geographicthesaurus g2 ON g2.geoThesID = g.parentID

classes/GlossaryManager.php

@@ -32,9 +32,9 @@ class GlossaryManager extends Manager {
 
  	public function __construct(){
  		parent::__construct(null, 'write');
-		$this->imageRootPath = $GLOBALS['$IMAGE_ROOT_PATH'];
+		$this->imageRootPath = $GLOBALS['IMAGE_ROOT_PATH'];
 		if(substr($this->imageRootPath,-1) != "/") $this->imageRootPath .= "/";
-		$this->imageRootUrl = $GLOBALS['$IMAGE_ROOT_URL'];
+		$this->imageRootUrl = $GLOBALS['IMAGE_ROOT_URL'];
 		if(substr($this->imageRootUrl,-1) != "/") $this->imageRootUrl .= "/";
 		if(!empty($GLOBALS['IMG_TN_WIDTH'])){
 			$this->tnPixWidth = $GLOBALS['IMG_TN_WIDTH'];
@@ -1543,4 +1543,4 @@ public function getGlossGroupId(){
 		return $this->glossGroupId;
 	}
 }
-?>
+?>

classes/ImageShared.php

@@ -765,8 +765,8 @@ public function setPhotographer($v){
 	}
 
 	public function setPhotographerUid($v){
-		$v = OccurrenceUtilities::verifyUser($v, $this->conn);
-		$this->photographerUid = $v;
+		//$v = OccurrenceUtilities::verifyUser($v, $this->conn);
+		if(is_numeric($v)) $this->photographerUid = $v;
 	}
 
 	public function setImgLgUrl($v){

classes/InstitutionManager.php

@@ -24,8 +24,22 @@ public function getInstitutionData(){
 				$stmt->bind_param('i', $this->iid);
 				$stmt->execute();
 				$rs = $stmt->get_result();
-				while($r = $rs->fetch_assoc()){
-					$retArr = $r;
+				if($r = $rs->fetch_object()){
+					$retArr['iid'] = $r->iid;
+					$retArr['institutioncode'] = $this->cleanOutStr($r->institutioncode);
+					$retArr['institutionname'] = $this->cleanOutStr($r->institutionname);
+					$retArr['institutionname2'] = $this->cleanOutStr($r->institutionname2);
+					$retArr['address1'] = $this->cleanOutStr($r->address1);
+					$retArr['address2'] = $this->cleanOutStr($r->address2);
+					$retArr['city'] = $this->cleanOutStr($r->city);
+					$retArr['stateprovince'] = $this->cleanOutStr($r->stateprovince);
+					$retArr['postalcode'] = $this->cleanOutStr($r->postalcode);
+					$retArr['country'] = $this->cleanOutStr($r->country);
+					$retArr['phone'] = $this->cleanOutStr($r->phone);
+					$retArr['contact'] = $this->cleanOutStr($r->contact);
+					$retArr['email'] = $this->cleanOutStr($r->email);
+					$retArr['url'] = $this->cleanOutStr($r->url);
+					$retArr['notes'] = $r->notes;	//Do not sanitize at this time. Html tags are included when content is added from GBIF's GrSciColl. Wait until we have resolve the html sanitation issue.
 				}
 				$rs->free();
 				$stmt->close();

classes/OccurrenceEditorImages.php

@@ -394,13 +394,13 @@ public function addImage($postArr){
 		}
 
 		//Set image metadata variables
-		if(array_key_exists('caption',$postArr)) $imgManager->setCaption($postArr['caption']);
-		if(array_key_exists('photographeruid',$postArr)) $imgManager->setPhotographerUid($postArr['photographeruid']);
-		if(array_key_exists('photographer',$postArr)) $imgManager->setPhotographer($postArr['photographer']);
-		if(array_key_exists('sourceurl',$postArr)) $imgManager->setSourceUrl($postArr['sourceurl']);
-		if(array_key_exists('copyright',$postArr)) $imgManager->setCopyright($postArr['copyright']);
-		if(array_key_exists('notes',$postArr)) $imgManager->setNotes($postArr['notes']);
-		if(array_key_exists('sortoccurrence',$postArr)) $imgManager->setSortOccurrence($postArr['sortoccurrence']);
+		if(!empty($postArr['caption'])) $imgManager->setCaption($postArr['caption']);
+		if(!empty($postArr['photographeruid'])) $imgManager->setPhotographerUid($postArr['photographeruid']);
+		if(!empty($postArr['photographer'])) $imgManager->setPhotographer($postArr['photographer']);
+		if(!empty($postArr['sourceurl'])) $imgManager->setSourceUrl($postArr['sourceurl']);
+		if(!empty($postArr['copyright'])) $imgManager->setCopyright($postArr['copyright']);
+		if(!empty($postArr['notes'])) $imgManager->setNotes($postArr['notes']);
+		if(!empty($postArr['sortoccurrence'])) $imgManager->setSortOccurrence($postArr['sortoccurrence']);
 		if(strpos($this->collMap['colltype'], 'Observations') !== false)  $imgManager->setSortSeq(40);
 
 		$sourceImgUri = $postArr['imgurl'];

classes/OccurrenceEditorManager.php

@@ -1711,7 +1711,9 @@ public function mergeRecords($targetOccid,$sourceOccid){
 				SELECT detid FROM omoccurdeterminations where occid = ? and isCurrent = 1;
 				SQL;
 				$result = SymbUtil::execute_query($this->conn, $sql, [$occid]);
-				return array_map(fn($v) => $v[0], $result->fetch_all());
+				return array_map(function ($v) {
+					return $v[0];
+				}, $result->fetch_all());
 			};
 
 			//Fetch List of Old Current Determinations

classes/OccurrenceIndividual.php

@@ -194,11 +194,13 @@ public function setOccurData(){
 	}
 
 	public function applyProtections($isSecuredReader){
+		$retBool = false;
 		if($this->occArr){
 			$protectTaxon = false;
 			/*
 			 if(isset($this->occArr['scinameprotected']) && $this->occArr['scinameprotected'] && !$isSecuredReader){
 			 $protectTaxon = true;
+			 $retBool = true;
 			 $this->occArr['taxonsecure'] = 1;
 			 $this->occArr['sciname'] = $this->occArr['scinameprotected'];
 			 $this->occArr['family'] = $this->occArr['familyprotected'];
@@ -209,6 +211,7 @@ public function applyProtections($isSecuredReader){
 			$protectLocality = false;
 			if($this->occArr['localitysecurity'] == 1 && !$isSecuredReader){
 				$protectLocality = true;
+				$retBool = true;
 				$this->occArr['localsecure'] = 1;
 				$redactArr = array('recordnumber','eventdate','verbatimeventdate','locality','locationid','decimallatitude','decimallongitude','verbatimcoordinates',
 					'locationremarks', 'georeferenceremarks', 'geodeticdatum', 'coordinateuncertaintyinmeters', 'minimumelevationinmeters', 'maximumelevationinmeters',
@@ -227,6 +230,7 @@ public function applyProtections($isSecuredReader){
 			if(!$protectLocality && !$protectTaxon) $this->setImages();
 			if(!$protectLocality) $this->setExsiccati();
 		}
+		return $retBool;
 	}
 
 	private function setDeterminations(){
@@ -1369,7 +1373,7 @@ public function isTaxonomicEditor(){
 	}
 
 	public function activateOrcidID($inStr){
-		$retStr = $this->cleanOutStr($inStr);
+		$retStr = $inStr;
 		$m = array();
 		if(preg_match('#((https://orcid.org/)?\d{4}-\d{4}-\d{4}-\d{3}[0-9X])#', $retStr, $m)){
 			$orcidAnchor = $m[1];

classes/OccurrenceManager.php

@@ -108,7 +108,7 @@ protected function setSqlWhere(){
 			}
 			$this->displaySearchArr[] = $this->LANG['CHECKLIST_ID'] . ': ' . $this->searchTermArr['clid'];
 		}
-		elseif(array_key_exists('db',$this->searchTermArr) && $this->searchTermArr['db']){
+		elseif(array_key_exists('db',$this->searchTermArr)){
 			$pattern = '/[^\d,]/';
 			if (preg_match($pattern, $this->searchTermArr['db'])==0) {
 				$sqlWhere .= OccurrenceSearchSupport::getDbWhereFrag($this->cleanInStr($this->searchTermArr['db']));

classes/OccurrenceSearchSupport.php

@@ -361,7 +361,8 @@ public static function getDbRequestVariable(){
 		if(($p = strpos($dbStr, ';')) !== false){
 			$dbStr = substr($dbStr, 0, $p);
 		}
-		if(!preg_match('/^[a-z0-9,;]+$/', $dbStr)) $dbStr = 'all';
+		if(strpos($dbStr, "'")) $dbStr = '0';		//SQL Injection attempt, thus set to return nothing rather than a query that puts a load on the db server
+		elseif(!preg_match('/^[a-z0-9,;]+$/', $dbStr)) $dbStr = 'all';
 		return $dbStr;
 	}
 

classes/OccurrenceTaxaManager.php

@@ -409,7 +409,7 @@ public function cleanOutStr($str){
 
 	protected function cleanInputStr($str){
 		if(!is_string($str) && !is_numeric($str) && !is_bool($str)) return '';
-		if(stripos($str, 'sleep(') !== false) return '';
+		if(preg_match('/^\d+\'+$/', $str)) return 0;	//SQL Injection attempt, thus set to return nothing rather than a query that puts a load on the db server
 		$str = preg_replace('/%%+/', '%',$str);
 		$str = preg_replace('/^[\s%]+/', '',$str);
 		$str = trim($str,' ,;');

classes/OccurrenceUtilities.php

@@ -1061,26 +1061,28 @@ public static function occurrenceArrayCleaning($recMap){
 	public static function verifyUser($user, $conn){
 		//If input is numberic, verify against uid, or convert username or email to uid
 		$uid = null;
-		$paramArr = array();
-		$typeStr = '';
-		$sql = 'SELECT uid FROM users WHERE ';
-		if(is_numeric($user)){
-			$sql .= 'uid = ?';
-			$paramArr[] = $user;
-			$typeStr = 'i';
-		}
-		else{
-			$sql .= 'username = ? OR email = ?';
-			$paramArr[] = $user;
-			$paramArr[] = $user;
-			$typeStr = 'ss';
-		}
-		if($stmt = $conn->prepare($sql)){
-			$stmt->bind_param($typeStr, ...$paramArr);
-			$stmt->execute();
-			$stmt->bind_result($uid);
-			$stmt->fetch();
-			$stmt->close();
+		if($user){
+			$paramArr = array();
+			$typeStr = '';
+			$sql = 'SELECT uid FROM users WHERE ';
+			if(is_numeric($user)){
+				$sql .= 'uid = ?';
+				$paramArr[] = $user;
+				$typeStr = 'i';
+			}
+			else{
+				$sql .= 'username = ? OR email = ?';
+				$paramArr[] = $user;
+				$paramArr[] = $user;
+				$typeStr = 'ss';
+			}
+			if($stmt = $conn->prepare($sql)){
+				$stmt->bind_param($typeStr, ...$paramArr);
+				$stmt->execute();
+				$stmt->bind_result($uid);
+				$stmt->fetch();
+				$stmt->close();
+			}
 		}
 		return $uid;
 	}

collections/editor/occurrenceeditor.php

@@ -444,10 +444,7 @@
 	<link href="<?= $CSS_BASE_PATH ?>/jquery-ui.css" type="text/css" rel="stylesheet">
 	<link href="<?= $CSS_BASE_PATH ?>/symbiota/variables.css" type="text/css" rel="stylesheet">
 	<?php
-	include_once($SERVER_ROOT.'/includes/head.php');
-	?>
-
-    <?php
+	//include_once($SERVER_ROOT.'/includes/head.php');
     if($crowdSourceMode == 1){
 		?>
 		<link href="includes/config/occureditorcrowdsource.css?ver=5" type="text/css" rel="stylesheet" id="editorCssLink" />

collections/georef/geolocate.php

@@ -77,7 +77,7 @@
 	<script type="text/javascript">
 	    function transferCoord(evt) {
 	        if(evt.origin.indexOf('geo-locate.org') < 0) {
-				alert("iframe url does not have permision to interact with me");
+				alert("iframe url does not have permision to interact with me; url: " + evt.origin);
 	        }
 	        else {//alert(evt.data);
 	            var breakdown = evt.data.split("|");
@@ -217,4 +217,4 @@ function removeAccents($string) {
 
     return $string;
 }
-?>
+?>

collections/individual/domManipulationUtils.js

@@ -1,3 +1,15 @@
+const addElemFirst = (parentDivId, targetChildDivId) => {
+  const parent = document.getElementById(parentDivId);
+  const targetChild = document.getElementById(targetChildDivId);
+  if (!parent || !targetChild) {
+    return;
+  }
+  if (!parent.contains(targetChild)) {
+    return;
+  }
+  parent.prepend(targetChild);
+};
+
 const reorderElements = (parentDivId, desiredDivIds, removeDivIds) => {
   const parent = document.getElementById(parentDivId);
   const allChildren = Array.from(parent.children);

collections/individual/index.php

@@ -33,6 +33,7 @@
 $indManager->setOccurData();
 if(!$occid) $occid = $indManager->getOccid();
 if(!$collid) $collid = $indManager->getCollid();
+$occArr = $indManager->getOccData();
 
 $isSecuredReader = false;
 $isEditor = false;
@@ -64,8 +65,10 @@
 		$isSecuredReader = true;
 	}
 }
-$indManager->applyProtections($isSecuredReader);
-$occArr = $indManager->getOccData();
+if($indManager->applyProtections($isSecuredReader)){
+	//Protections applied, thus reset occurrence array
+	$occArr = $indManager->getOccData();
+}
 $collMetadata = $indManager->getMetadata();
 $genticArr = $indManager->getGeneticArr();
 

collections/map/index.php

@@ -421,7 +421,15 @@ function buildTaxaLegend() {
 			}
 
 			let taxaArr = Object.values(taxaLegendMap).sort((a, b) => {
-				if(a.family === b.family) return 0;
+				if(a.family === b.family) {
+					if(a.sn === b.sn) {
+						return 0;
+					} else if(a.sn> b.sn) {
+						return 1;
+					} else {
+						return -1;
+					}
+				}
 				else if(a.family > b.family) return 1;
 				else return -1;			
 			})

collections/map/rpc/searchCollections.php

@@ -50,7 +50,7 @@
 
 $host = false;
 if(isset($SERVER_HOST)) {
-   $host = ((str_contains($SERVER_HOST, '127.0.0.1') || str_contains($SERVER_HOST, 'localhost'))? "http://": "https://") . $SERVER_HOST . $CLIENT_ROOT;
+   $host = ((strpos($SERVER_HOST, '127.0.0.1') !== false || strpos($SERVER_HOST, 'localhost') !== false) ? "http://" : "https://") . $SERVER_HOST . $CLIENT_ROOT;
 }
 
 foreach ($coordArr as $collName => $coll) {