include/Webservices/ExtendSession.php

@@ -10,17 +10,19 @@
 
 	function vtws_extendSession(){
 		global $adb,$API_VERSION,$application_unique_key;
-		if(isset($_SESSION["authenticated_user_id"]) && $_SESSION["app_unique_key"] == $application_unique_key){
-			$userId = $_SESSION["authenticated_user_id"];
-			$sessionManager = new SessionManager();
-			$sessionManager->set("authenticatedUserId", $userId);
-			$crmObject = VtigerWebserviceObject::fromName($adb,"Users");
-			$userId = vtws_getId($crmObject->getEntityId(),$userId);
-			$vtigerVersion = vtws_getVtigerVersion();
-			$resp = array("sessionName"=>$sessionManager->getSessionId(),"userId"=>$userId,"version"=>$API_VERSION,"vtigerVersion"=>$vtigerVersion);
-			return $resp;
-		}else{
-			throw new WebServiceException(WebServiceErrorCode::$AUTHFAILURE,"Authencation Failed");
-		}
+		if($_SESSION['authenticatedUserId'] || (isset($_SESSION["authenticated_user_id"]) && $_SESSION["app_unique_key"] == $application_unique_key)){
+			$userId = ($_SESSION["authenticated_user_id"]) ? $_SESSION["authenticated_user_id"] : $_SESSION['authenticatedUserId'];
+			//unsetting as session manager will set it, if set then it is not extended by HTTP_Session::setExpire
+                        unset($_SESSION['__HTTP_Session_Expire_TS']);
+                        $sessionManager = new SessionManager();
+ 			$sessionManager->set("authenticatedUserId", $userId);
+ 			$crmObject = VtigerWebserviceObject::fromName($adb,"Users");
+ 			$userId = vtws_getId($crmObject->getEntityId(),$userId);
+ 			$vtigerVersion = vtws_getVtigerVersion();
+ 			$resp = array("sessionName"=>$sessionManager->getSessionId(),"userId"=>$userId,"version"=>$API_VERSION,"vtigerVersion"=>$vtigerVersion);
+ 			return $resp;
+ 		}else{
+ 			throw new WebServiceException(WebServiceErrorCode::$AUTHFAILURE,"Authencation Failed");
+ 		}
 	}
 ?>
\ No newline at end of file

include/Webservices/FileRetrieve.php

+<?php
+/*+***********************************************************************************
+ * The contents of this file are subject to the vtiger CRM Public License Version 1.0
+ * ("License"); You may not use this file except in compliance with the License
+ * The Original Code is:  vtiger CRM Open Source
+ * The Initial Developer of the Original Code is vtiger.
+ * Portions created by vtiger are Copyright (C) vtiger.
+ * All Rights Reserved.
+ *************************************************************************************/
+
+function vtws_file_retrieve($file_id, $user) {
+
+    global $log, $adb;
+
+    $idComponents = vtws_getIdComponents($file_id);
+    $attachmentId = $idComponents[1];
+    
+    $id = vtws_getAttachmentRecordId($attachmentId);
+    if(!$id || !$attachmentId) {
+        throw new WebServiceException(WebServiceErrorCode::$RECORDNOTFOUND, "Record you are trying to access is not found");
+    } else {
+        $id = vtws_getId($idComponents[0], $id);
+    }
+    
+    $webserviceObject = VtigerWebserviceObject::fromId($adb, $id);
+    $handlerPath = $webserviceObject->getHandlerPath();
+    $handlerClass = $webserviceObject->getHandlerClass();
+    
+    require_once $handlerPath;
+    $handler = new $handlerClass($webserviceObject, $user, $adb, $log);
+
+    // If setype of the record is not equal to webservice entity
+    $meta = $handler->getMeta();
+    $elementType = $meta->getObjectEntityName($id);
+    if ($elementType !== $webserviceObject->getEntityName()) {
+        throw new WebServiceException(WebServiceErrorCode::$INVALIDID, "Id specified is incorrect");
+    }
+
+    // If User don't have access to the module (OR) View is not allowed
+    $types = vtws_listtypes(null, $user);
+    $viewPermission = Users_Privileges_Model::isPermitted($elementType, 'DetailView', $recordId);
+    if (!$viewPermission || !in_array($elementType, $types['types'])) {
+        throw new WebServiceException(WebServiceErrorCode::$ACCESSDENIED, "Permission to perform the operation is denied");
+    }
+
+    $response = $handler->file_retrieve($id, $elementType, $attachmentId);
+    VTWS_PreserveGlobal::flush();
+
+    return $response;
+}
+
+?>

include/Webservices/GetUpdates.php

@@ -82,7 +82,7 @@ require_once 'include/Webservices/DescribeObject.php';
 
 		$accessableModules = array_diff($accessableModules,$ignoreModules);
 
-		if(count($accessableModules)<=0)
+		if(php7_count($accessableModules)<=0)
 		{
 				$output['lastModifiedTime'] = $mtime;
 				$output['more'] = false;

include/Webservices/History.php

@@ -95,7 +95,7 @@ function vtws_history($element, $user) {
 	while ($row = $adb->fetch_array($result)) {
 		$orderedIds[] = $row['id'];
         
-        if ($row['status'] === ModTracker::$LINK) {
+        if ($row['status'] === ModTracker::$LINK || $row['status'] === ModTracker::$UNLINK) {
 			$relationOrderedIds[] = $row['id'];
 		} else {
 			$updatesOrderedIds[] = $row['id'];
@@ -200,4 +200,4 @@ function vtws_history_entityIdHelper($moduleName, $id) {
 		$wsEntityIdCache[$moduleName][$id] = vtws_getWebserviceEntityId($moduleName, $id);
 	}
 	return $wsEntityIdCache[$moduleName][$id];
-}
\ No newline at end of file
+}

include/Webservices/LineItem/VtigerInventoryMeta.php

@@ -51,7 +51,7 @@ class VtigerInventoryMeta extends VtigerCRMObjectMeta {
 		$field['displaytype'] = 1;
 		$field['uitype'] = 1;
 		$fieldDataType = 'V';
-		$typeOfData = $fieldType.'~O';
+		$typeOfData = $fieldDataType.'~O';
 
 		$field['typeofdata'] = $typeOfData;
 		$field['tabid'] = null;
@@ -61,4 +61,4 @@ class VtigerInventoryMeta extends VtigerCRMObjectMeta {
 	}
 	
 }
-?>
\ No newline at end of file
+?>

include/Webservices/LineItem/VtigerInventoryOperation.php

@@ -19,6 +19,10 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 
 	public function create($elementType, $element) {
 		self::$CREATE_OPERATI0N = true;
+		
+		if (!$element['hdnTaxType']) {
+			$element['hdnTaxType'] = Inventory_TaxRecord_Model::getSelectedDefaultTaxMode();
+		}
 		$element = $this->sanitizeInventoryForInsert($element);
 		$element = $this->sanitizeShippingTaxes($element);
 		$lineItems = $element['LineItems'];
@@ -164,14 +168,20 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 			vglobal('updateInventoryProductRel_deduct_stock', $currentValue);
 		} else {
 			$prevAction = $_REQUEST['action'];
+			$prevAjaxAction = $_REQUEST['ajxaction'];
+			
 			// This is added as we are passing data in user format, so in the crmentity insertIntoEntity API
 			// should convert to database format, we have added a check based on the action name there. But
 			// while saving Invoice and Purchase Order we are also depending on the same action file names to
 			// not to update stock if its an ajax save. In this case also we do not want line items to change.
 			$_REQUEST['action'] = 'FROM_WS';
-
+			
+			//To avoid deletion of lineitems we use the ajaxaction DETAILVIEW as if we were updating signle fields from the detail view:
+			$_REQUEST['ajxaction'] = 'DETAILVIEW'; 
+			
 			$parent = parent::revise($element);
 			$_REQUEST['action'] = $prevAction;
+			$_REQUEST['ajxaction'] = $prevAjaxAction;
 			$parent['LineItems'] = $handler->getAllLineItemForParent($parentId);
 		}
 		return array_merge($element,$parent);
@@ -194,7 +204,7 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 		$element['LineItems'] = $lineItems;
 		$recordCompoundTaxesElement = $this->getCompoundTaxesElement($element, $lineItems);
 		$element = array_merge($element, $recordCompoundTaxesElement);
-		$element['productid'] = $lineItems[0]['productid'];
+		$element['productid'] = isset($lineItems[0]['productid']) ? $lineItems[0]['productid'] : "";
 		$element['LineItems_FinalDetails'] = $this->getLineItemFinalDetails($idComponents[1]);
 		return $element;
 	}
@@ -224,10 +234,6 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 	 */
 	protected function sanitizeInventoryForInsert($element) {
 
-		if (!$element['hdnTaxType']) {
-			$element['hdnTaxType'] = Inventory_TaxRecord_Model::getSelectedDefaultTaxMode();
-		}
-
 		if (!empty($element['hdnTaxType'])) {
 			$_REQUEST['taxtype'] = $element['hdnTaxType'];
 		}
@@ -266,7 +272,7 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 		}
 
 		$lineItems = $element['LineItems'];
-		$totalNoOfProducts = count($lineItems);
+		$totalNoOfProducts = php7_count($lineItems);
 		$_REQUEST['totalProductCount'] = $totalNoOfProducts;
 		$_REQUEST['REQUEST_FROM_WS'] = true;
 
@@ -336,7 +342,9 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 				unset($_REQUEST['charges'][1]['taxes'][$shTaxId]);
 				if(isset($element['hdnS_H_Percent']) && $element['hdnS_H_Percent'] != 0 && $element['hdnS_H_Amount'] != 0) {
 					$_REQUEST['charges'][1]['taxes'][$shTaxId] = $element['hdnS_H_Percent'];
-					$_REQUEST['s_h_percent'] = ($element['hdnS_H_Amount'] * $element['hdnS_H_Percent'])/100;
+                    $_REQUEST['s_h_percent'] = ($element['hdnS_H_Percent']/$element['hdnS_H_Amount'])*100;
+                    $_REQUEST['charges'][$firstActiveCharge]['taxes'][$shTaxId] = $_REQUEST['s_h_percent'];
+					$element['hdnS_H_Percent'] = $_REQUEST['s_h_percent'];
 					break;
 				} else {
 					$shTaxValue = 0;
@@ -472,7 +480,7 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 			$result = $this->pearDB->pquery('SELECT * FROM vtiger_inventorychargesrel WHERE recordid = ?', array($id));
 			$rowData = $this->pearDB->fetch_array($result);
 
-			if ($rowData['charges']) {
+			if (isset($rowData['charges']) && $rowData['charges']) {
 				$allCharges = getAllCharges();
 				$shippingTaxes = array();
 				$allShippingTaxes = getAllTaxes('all', 'sh');

include/Webservices/LineItem/VtigerLineItemMeta.php

@@ -92,7 +92,7 @@ class VtigerLineItemMeta extends VtigerCRMActorMeta {
 		if(in_array($fieldName,$mandatoryFieldList)){
 			$typeOfData = $fieldType.'~M';
 		}else if(($dbField->not_null == 1 && $fieldName != 'incrementondel' 
-				&& $dbField->primary_key != 1) || $dbField->unique_key == 1){
+				&& $dbField->primary_key != 1) || (property_exists($dbField, 'unique_key') && $dbField->unique_key == 1)) {
 			$typeOfData = $fieldType.'~M';
 		}else{
 			$typeOfData = $fieldType.'~O';
@@ -105,4 +105,4 @@ class VtigerLineItemMeta extends VtigerCRMActorMeta {
 	}
 
 }
-?>
\ No newline at end of file
+?>

include/Webservices/LineItem/VtigerLineItemOperation.php

@@ -156,7 +156,7 @@ class VtigerLineItemOperation extends VtigerActorOperation {
 			list($typeId,$recordId) = vtws_getIdComponents($element['productid']);
 			$productTaxInfo = $this->getProductTaxList($recordId);
 		}
-		if(count($productTaxInfo) == 0 && strcasecmp($parent['hdnTaxType'], $this->Individual) !==0) {
+		if(php7_count($productTaxInfo) == 0 && strcasecmp($parent['hdnTaxType'], $this->Individual) !==0) {
 			$meta = $this->getMeta();
 			$moduleFields = $meta->getModuleFields();
 			foreach ($moduleFields as $fieldName=>$field) {
@@ -169,9 +169,9 @@ class VtigerLineItemOperation extends VtigerActorOperation {
 	}
 
 	private function updateTaxes($createdElement){
-		if (count($this->taxList) > 0 || (is_array($this->inActiveTaxList) && count($this->inActiveTaxList) > 0)) {
+		if (php7_count($this->taxList) > 0 || (is_array($this->inActiveTaxList) && php7_count($this->inActiveTaxList) > 0)) {
 			$taxList = $this->taxList;
-			if (is_array($this->inActiveTaxList) && count($this->inActiveTaxList) > 0) {
+			if (is_array($this->inActiveTaxList) && php7_count($this->inActiveTaxList) > 0) {
 				$taxList = array_merge($taxList, $this->inActiveTaxList);
 			}
 			$id = vtws_getIdComponents($createdElement['id']);
@@ -206,7 +206,7 @@ class VtigerLineItemOperation extends VtigerActorOperation {
 			$meta = $this->getMeta();
 			$moduleFields = $meta->getModuleFields();
 			$productTaxList = $this->getProductTaxList($productId);
-			if (count($productTaxList) > 0) {
+			if (php7_count($productTaxList) > 0) {
 				$this->providedTaxList = array();
 				foreach ($moduleFields as $fieldName => $field) {
 					if (preg_match('/tax\d+/', $fieldName) != 0) {
@@ -383,7 +383,7 @@ class VtigerLineItemOperation extends VtigerActorOperation {
 			$this->newId = $id[1];
 			$updatedLineItemList[] = $this->_create($elementType, $lineItem);
 			if($element == $lineItem){
-				$createdElement = $updatedLineItemList[count($updatedLineItemList) - 1];
+				$createdElement = $updatedLineItemList[php7_count($updatedLineItemList) - 1];
 			}
 		}
 		$this->setCache($parentId, $updatedLineItemList);

include/Webservices/Login.php

@@ -31,7 +31,9 @@
 		if($user->status != 'Inactive'){
 			return $user;
 		}
-		throw new WebServiceException(WebServiceErrorCode::$AUTHREQUIRED,'Given user is inactive');
+		// Finer exception message could be handy to enumeration attacks - so normalize it. 
+		//throw new WebServiceException(WebServiceErrorCode::$AUTHREQUIRED,'Given user is inactive');
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDUSERPWD,"Invalid username or password");
 	}
 	
 	function vtws_getActiveToken($userId){
@@ -60,4 +62,4 @@
 		return null;
 	}
 	
-?>
\ No newline at end of file
+?>

include/Webservices/ModuleTypes.php

@@ -15,7 +15,7 @@
 
 		static $types = array();
 		if(!empty($fieldTypeList)) {
-			$fieldTypeList = array_map(strtolower, $fieldTypeList);
+			$fieldTypeList = array_map('strtolower', $fieldTypeList);
 			sort($fieldTypeList);
 			$fieldTypeString = implode(',', $fieldTypeList);
 		} else {
@@ -135,4 +135,4 @@
 		return $types[$user->id][$fieldTypeString];
 	}
 
-?>
\ No newline at end of file
+?>

include/Webservices/OperationManager.php

@@ -9,7 +9,7 @@
  *************************************************************************************/
 	
 	function setBuiltIn($json){
-		$json->useBuiltinEncoderDecoder = true;
+		Zend_Json::$useBuiltinEncoderDecoder = true;
 	}
 	
 	class OperationManager{
@@ -35,9 +35,8 @@
 		private $preLogin;
 		private $operationId;
 		private $operationParams;
-		
-		function OperationManager($adb,$operationName,$format, $sessionManager){
-			
+		function __construct($adb,$operationName,$format, $sessionManager)
+		{
 			$this->format = strtolower($format);
 			$this->sessionManager = $sessionManager;
 			$this->formatObjects = array();
@@ -58,6 +57,13 @@
 			$this->inParamProcess["encoded"] = &$this->formatObjects[$this->format]["decode"];
 			$this->fillOperationDetails($operationName);
 		}
+		function OperationManager($adb,$operationName,$format, $sessionManager){
+			// PHP4-style constructor.
+			// This will NOT be invoked, unless a sub-class that extends `foo` calls it.
+			// In that case, call the new-style constructor to keep compatibility.
+			self::__construct($adb,$operationName,$format, $sessionManager);
+			
+		}
 		
 		function isPreLoginOperation(){
 			return $this->preLogin == 1;
@@ -126,10 +132,10 @@
 		}
 		
 		function handleType($type,$value){
-			$result;
-			$value = stripslashes($value);
+			$result = null;
+			$value = $value ? stripslashes($value) : "";
 			$type = strtolower($type);
-			if($this->inParamProcess[$type]){
+			if(isset($this->inParamProcess[$type]) && $this->inParamProcess[$type]){
 				$result = call_user_func($this->inParamProcess[$type],$value);
 			}else{
 				$result = $value;
@@ -142,9 +148,18 @@
 			try{
 				$operation = strtolower($this->operationName);
 				if(!$this->preLogin){
-					$params[] = $user;
+					$params["user"] = $user;
 					return call_user_func_array($this->handlerMethod,$params);
 				}else{
+
+					/* PHP 8.x fix to match target handler arguments (named parameter) */
+					if ($this->handlerMethod == "vtws_login") {
+						if (isset($params["accessKey"])) {
+							$params["pwd"] = $params["accessKey"];
+							unset($params["accessKey"]);
+						}
+					}
+
 					$userDetails = call_user_func_array($this->handlerMethod,$params);
 					if(is_array($userDetails)){
 						return $userDetails;
@@ -154,8 +169,23 @@
 						$webserviceObject = VtigerWebserviceObject::fromName($adb,"Users");
 						$userId = vtws_getId($webserviceObject->getEntityId(),$userDetails->id);
 						$vtigerVersion = vtws_getVtigerVersion();
-						$resp = array("sessionName"=>$this->sessionManager->getSessionId(),"userId"=>$userId,"version"=>$API_VERSION,"vtigerVersion"=>$vtigerVersion);
-						return $resp;
+                        $userInfo = array(
+                            'username' => $userDetails->user_name,
+                            'first_name' => $userDetails->first_name,
+                            'last_name' => $userDetails->last_name,
+                            'email' => $userDetails->email1,
+                            'time_zone' => $userDetails->time_zone,
+                            'hour_format' => $userDetails->hour_format,
+                            'date_format' => $userDetails->date_format,
+                            'is_admin' => $userDetails->is_admin,
+                            'call_duration' => $userDetails->callduration,
+                            'other_event_duration' => $userDetails->othereventduration,
+                            'sessionName'=>$this->sessionManager->getSessionId(),
+                            'userId'=>$userId,
+                            'version'=>$API_VERSION,
+                            'vtigerVersion'=>$vtigerVersion
+                        );
+						return $userInfo;
 					}
 				}
 			} catch (DuplicateException $e) {
@@ -180,4 +210,4 @@
 		
 	}
 	
-?>
\ No newline at end of file
+?>

include/Webservices/PreserveGlobal.php

@@ -14,42 +14,43 @@ class VTWS_PreserveGlobal{
 	
 	static function preserveGlobal($name,$value){
 		//$name store the name of the global.
-		global $$name;
+		global ${$name};
 		//To not push null value . Ideally we should not push null value for any name
 		//But current user null is dangerous so we are checking for only current user
-        if(!empty($$name) || $name != 'current_user') {
-			if(!is_array(VTWS_PreserveGlobal::$globalData[$name])){
+        if(!empty(${$name}) || $name != 'current_user') {
+			if(!isset(VTWS_PreserveGlobal::$globalData[$name]) ||
+				!is_array(VTWS_PreserveGlobal::$globalData[$name])){
 				VTWS_PreserveGlobal::$globalData[$name] = array();		
 			}
 			
-			VTWS_PreserveGlobal::$globalData[$name][] = $$name;
+			VTWS_PreserveGlobal::$globalData[$name][] = ${$name};
 		}
 
-		$$name = $value;
-		return $$name;
+		${$name} = $value;
+		return ${$name};
 	}
 	
 	static function restore($name){
 		//$name store the name of the global.
-		global $$name;
+		global ${$name};
 		
-		if(is_array(VTWS_PreserveGlobal::$globalData[$name]) && count(VTWS_PreserveGlobal::$globalData[$name]) > 0){
-			$$name = array_pop(VTWS_PreserveGlobal::$globalData[$name]);
+		if(is_array(VTWS_PreserveGlobal::$globalData[$name]) && php7_count(VTWS_PreserveGlobal::$globalData[$name]) > 0){
+			${$name} = array_pop(VTWS_PreserveGlobal::$globalData[$name]);
 		}
-		$$name;
+		${$name};
 	}
 	
 	static function getGlobal($name){
-		global $$name;
-		return VTWS_PreserveGlobal::preserveGlobal($name,$$name);
+		global ${$name};
+		return VTWS_PreserveGlobal::preserveGlobal($name,${$name});
 	}
 	
 	static function flush(){
 		foreach (VTWS_PreserveGlobal::$globalData as $name => $detail) {
 			//$name store the name of the global.
-			global $$name;
-			if(is_array(VTWS_PreserveGlobal::$globalData[$name]) && count(VTWS_PreserveGlobal::$globalData[$name]) > 0) {
-				$$name = array_pop(VTWS_PreserveGlobal::$globalData[$name]);
+			global ${$name};
+			if(is_array(VTWS_PreserveGlobal::$globalData[$name]) && php7_count(VTWS_PreserveGlobal::$globalData[$name]) > 0) {
+				${$name} = array_pop(VTWS_PreserveGlobal::$globalData[$name]);
 			}
 		}
 	}

include/Webservices/Query.php

@@ -10,7 +10,7 @@
 
 	require_once("include/Webservices/QueryParser.php");
 	
-	function vtws_query($q,$user){
+	function vtws_query($query,$user){
 		
 		static $vtws_query_cache = array();	
 		
@@ -19,10 +19,10 @@
 		// Cache the instance for re-use		
 		$moduleRegex = "/[fF][rR][Oo][Mm]\s+([^\s;]+)/";
 		$moduleName = '';
-		if(preg_match($moduleRegex, $q, $m)) $moduleName = trim($m[1]);
+		if(preg_match($moduleRegex, $query, $m)) $moduleName = trim($m[1]);
 		
 		if(!isset($vtws_create_cache[$moduleName]['webserviceobject'])) {
-			$webserviceObject = VtigerWebserviceObject::fromQuery($adb,$q);
+			$webserviceObject = VtigerWebserviceObject::fromQuery($adb,$query);
 			$vtws_query_cache[$moduleName]['webserviceobject'] = $webserviceObject;
 		} else {
 			$webserviceObject = $vtws_query_cache[$moduleName]['webserviceobject'];
@@ -61,9 +61,9 @@
 			throw new WebServiceException(WebServiceErrorCode::$ACCESSDENIED,"Permission to read is denied");
 		}
 		
-		$result = $handler->query($q);
+		$result = $handler->query($query);
 		VTWS_PreserveGlobal::flush();
 		return $result;
 	}
 	
-?>
\ No newline at end of file
+?>

include/Webservices/QueryParser.php

@@ -19,11 +19,19 @@
 		private $hasError ;
 		private $error ;
 		private $user; 
-		function Parser($user, $q){
+		function __construct($user, $q)
+		{
 			$this->query = $q;
 			$this->out = array();
 			$this->hasError = false;
-			$this->user = $user; 
+			$this->user = $user;
+		}
+
+		function Parser($user, $q){
+			// PHP4-style constructor.
+			// This will NOT be invoked, unless a sub-class that extends `foo` calls it.
+			// In that case, call the new-style constructor to keep compatibility.
+			self::__construct($user, $q);
 		}
 		
 		function parse(){

include/Webservices/RelatedTypes.php

@@ -24,7 +24,7 @@ function vtws_relatedtypes($elementType, $user) {
 
     $sql = "SELECT vtiger_relatedlists.label, vtiger_tab.name, vtiger_tab.isentitytype FROM vtiger_relatedlists 
             INNER JOIN vtiger_tab ON vtiger_tab.tabid=vtiger_relatedlists.related_tabid 
-            WHERE vtiger_relatedlists.tabid=? AND vtiger_tab.presence = 0";
+            WHERE vtiger_relatedlists.tabid=? AND vtiger_tab.presence = 0 AND vtiger_relatedlists.presence = 0";
 
     $params = array($tabid);
     $rs = $adb->pquery($sql, $params);

include/Webservices/Revise.php

@@ -78,7 +78,7 @@
 		$meta->isUpdateMandatoryFields($element);
 
 		$ownerFields = $meta->getOwnerFields();
-		if(is_array($ownerFields) && sizeof($ownerFields) >0){
+		if(is_array($ownerFields) && php7_sizeof($ownerFields) >0){
 			foreach($ownerFields as $ownerField){
 				if(isset($element[$ownerField]) && $element[$ownerField]!==null && 
 					!$meta->hasAssignPrivilege($element[$ownerField])){

include/Webservices/SessionManager.php

@@ -26,8 +26,8 @@
 		private $sessionVar = "__SessionExists";
 		private $error ;
 		
-		function SessionManager(){
-			
+		function __construct()
+		{
 			global $maxWebServiceSessionLifeSpan, $maxWebServiceSessionIdleTime;
 			
 			$now = time();
@@ -42,6 +42,13 @@
 			//otherwise it subtracts the time from previous time
 			HTTP_Session2::setIdle($this->idleLife, true);
 		}
+		function SessionManager(){
+			// PHP4-style constructor.
+			// This will NOT be invoked, unless a sub-class that extends `foo` calls it.
+			// In that case, call the new-style constructor to keep compatibility.
+			self::__construct();
+			
+		}
 		
 		function isValid(){
 			

include/Webservices/State.php

@@ -14,11 +14,18 @@
 		var $result ;
 		var $error;
 		
-		function State(){
+		function __construct()
+		{
 			$this->success = false;
 			$this->result = array();
 			$this->error = array();
 		}
+		function State(){
+			// PHP4-style constructor.
+			// This will NOT be invoked, unless a sub-class that extends `foo` calls it.
+			// In that case, call the new-style constructor to keep compatibility.
+			self::__construct();
+		}
 		
 		
 	}

include/Webservices/Update.php

@@ -71,7 +71,7 @@
 					throw new WebServiceException(WebServiceErrorCode::$ACCESSDENIED,
 						"Permission to access reference type is denied ".$referenceObject->getEntityName());
 				}
-			}else if($element[$fieldName] !== NULL){
+			}else if(array_key_exists($fieldName, $element) && $element[$fieldName] !== NULL){
 				unset($element[$fieldName]);
 			}
 		}
@@ -79,7 +79,7 @@
 		$meta->hasMandatoryFields($element);
 		
 		$ownerFields = $meta->getOwnerFields();
-		if(is_array($ownerFields) && sizeof($ownerFields) >0){
+		if(is_array($ownerFields) && php7_sizeof($ownerFields) >0){
 			foreach($ownerFields as $ownerField){
 				if(isset($element[$ownerField]) && $element[$ownerField]!==null && 
 					!$meta->hasAssignPrivilege($element[$ownerField])){
@@ -93,4 +93,4 @@
 		return $entity;
 	}
 	
-?>
\ No newline at end of file
+?>

include/Webservices/Utils.php

@@ -57,7 +57,7 @@ function vtws_generateRandomAccessKey($length=10){
 	$accesskey = "";
 	$maxIndex = strlen($source);
 	for($i=0;$i<$length;++$i){
-		$accesskey = $accesskey.substr($source,rand(null,$maxIndex),1);
+		$accesskey = $accesskey.substr($source,rand(0,$maxIndex),1);
 	}
 	return $accesskey;
 }
@@ -117,10 +117,19 @@ function vtws_getUserWebservicesGroups($tabId,$user){
 }
 
 function vtws_getIdComponents($elementid){
+	$elementid = (string)$elementid;
+	if ($elementid && is_numeric($elementid)) return array($elementid); // during (UserId permission check)
+	if (!$elementid || !preg_match("/[0-9]+x[0-9]+/", $elementid)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return explode("x",$elementid);
 }
 
 function vtws_getId($objId, $elemId){
+	if(is_array($elemId)){$elemId=implode(' ',$elemId);}
+	if(!is_numeric($objId) || !is_numeric($elemId)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return $objId."x".$elemId;
 }
 
@@ -139,9 +148,10 @@ function getEmailFieldId($meta, $entityId){
 function vtws_getParameter($parameterArray, $paramName,$default=null){
 
 	if (!get_magic_quotes_gpc()) {
-		if(is_array($parameterArray[$paramName])) {
+		$param = null;
+		if(isset($parameterArray[$paramName]) && is_array($parameterArray[$paramName])) {
 			$param = array_map('addslashes', $parameterArray[$paramName]);
-		} else {
+		} else if (isset($parameterArray[$paramName]) && $parameterArray[$paramName]) {
 			$param = addslashes($parameterArray[$paramName]);
 		}
 	} else {
@@ -476,34 +486,33 @@ function vtws_getModuleHandlerFromId($id,$user){
 }
 
 function vtws_CreateCompanyLogoFile($fieldname) {
-	global $root_directory;
-	$uploaddir = $root_directory ."/test/logo/";
-	$allowedFileTypes = array("jpeg", "png", "jpg", "pjpeg" ,"x-png");
-	$binFile = $_FILES[$fieldname]['name'];
-	$fileType = $_FILES[$fieldname]['type'];
-	$fileSize = $_FILES[$fieldname]['size'];
-	$fileTypeArray = explode("/",$fileType);
-	$fileTypeValue = strtolower($fileTypeArray[1]);
-	if($fileTypeValue == '') {
-		$fileTypeValue = substr($binFile,strrpos($binFile, '.')+1);
-	}
-	if($fileSize != 0) {
-		if(in_array($fileTypeValue, $allowedFileTypes)) {
-			move_uploaded_file($_FILES[$fieldname]["tmp_name"],
-					$uploaddir.$_FILES[$fieldname]["name"]);
-			copy($uploaddir.$_FILES[$fieldname]["name"], $uploaddir.'application.ico');
-			return $binFile;
-		}
-		throw new WebServiceException(WebServiceErrorCode::$INVALIDTOKEN,
-			"$fieldname wrong file type given for upload");
-	}
-	throw new WebServiceException(WebServiceErrorCode::$INVALIDTOKEN,
-			"$fieldname file upload failed");
+    $fileSize = $_FILES[$fieldname]['size'];
+    if($fileSize != 0) {
+        global $root_directory;
+        //Support formats allowed to upload as per CRM UI.
+        $logoSupportedFormats = array('jpeg', 'jpg', 'png', 'gif', 'pjpeg', 'x-png');
+        
+        $file_type_details = explode("/", $_FILES[$fieldname]['type']);
+        $filetype = $file_type_details['1'];
+        if(in_array($filetype, $logoSupportedFormats)) {
+            $uploaddir = $root_directory ."/test/logo/";
+            $binFile = $_FILES[$fieldname]['name'];
+            $saveLogo = validateImageFile($_FILES[$fieldname]);
+            if($saveLogo) {
+                move_uploaded_file($_FILES[$fieldname]["tmp_name"], $uploaddir.$binFile);
+                copy($uploaddir.$binFile, $uploaddir.'application.ico');
+                return $binFile;
+            }
+        }
+        throw new WebServiceException(WebServiceErrorCode::$FAILED_TO_UPDATE,
+            "$fieldname wrong file type given for upload");
+    }
+    throw new WebServiceException(WebServiceErrorCode::$FAILED_TO_UPDATE, "$fieldname file upload failed");
 }
 
 function vtws_getActorEntityName ($name, $idList) {
 	$db = PearDatabase::getInstance();
-	if (!is_array($idList) && count($idList) == 0) {
+	if (!is_array($idList) && php7_count($idList) == 0) {
 		return array();
 	}
 	$entity = VtigerWebserviceObject::fromName($db, $name);
@@ -512,7 +521,7 @@ function vtws_getActorEntityName ($name, $idList) {
 
 function vtws_getActorEntityNameById ($entityId, $idList) {
 	$db = PearDatabase::getInstance();
-	if (!is_array($idList) && count($idList) == 0) {
+	if (!is_array($idList) && php7_count($idList) == 0) {
 		return array();
 	}
 	$nameList = array();
@@ -694,7 +703,7 @@ function vtws_getFieldfromFieldId($fieldId, $fieldObjectList){
  */
 function vtws_getRelatedActivities($leadId,$accountId,$contactId,$relatedId) {
 
-	if(empty($leadId) || empty($relatedId) || (empty($accountId) && empty($contactId))){
+	if(empty($leadId) || empty($relatedId) || empty($contactId)){
 		throw new WebServiceException(WebServiceErrorCode::$LEAD_RELATED_UPDATE_FAILED,
 			"Failed to move related Activities/Emails");
 	}
@@ -855,15 +864,15 @@ function vtws_transferOwnership($ownerId, $newOwnerId, $delete=true) {
 				$sql = "UPDATE $row->tablename set $row->columnname=? WHERE $row->columnname=? AND setype<>?";
 				$db->pquery($sql, array($newOwnerId, $ownerId, 'ModComments'));
 			} elseif ($row->tablename == 'vtiger_users' && $row->columnname == 'reports_to_id') {
-				$sql = "UPDATE $row->tablename SET $row->columnname = CASE WHEN id=$newOwnerId THEN ? ELSE ? END WHERE $row->columnname=?";
-				$db->pquery($sql, array('', $newOwnerId, $ownerId));
+				$sql = "UPDATE $row->tablename SET $row->columnname = CASE WHEN id=? THEN ? ELSE ? END WHERE $row->columnname=?";
+				$db->pquery($sql, array($newOwnerId, '', $newOwnerId, $ownerId));
 			} else {
 				$sql = "UPDATE $row->tablename SET $row->columnname=? WHERE $row->columnname=?";
 				$db->pquery($sql, array($newOwnerId, $ownerId));
 			}
 		}
 	}
-
+                    
 	//update webforms assigned userid
 	$db->pquery("UPDATE vtiger_webforms SET ownerid = ? WHERE ownerid = ?", array($newOwnerId, $ownerId));
 
@@ -918,7 +927,7 @@ function vtws_updateWebformsRoundrobinUsersLists($ownerId, $newOwnerId) {
 					}
 					$usersList = $revisedUsersList;
 				}
-				if (count($usersList) == 0) {
+				if (php7_count($usersList) == 0) {
 					$db->pquery('UPDATE vtiger_webforms SET roundrobin_userid = ?,roundrobin = ? where id =?', array("--None--", 0, $webformId));
 				} else {
 					$usersList = json_encode($usersList);
@@ -962,7 +971,7 @@ function vtws_transferOwnershipForWorkflowTasks($ownerModel, $newOwnerModel) {
 		require_once("modules/com_vtiger_workflow/VTTaskManager.inc");
 		require_once 'modules/com_vtiger_workflow/tasks/'.$className.'.inc';
 		$unserializeTask = unserialize($task);
-		if(array_key_exists("field_value_mapping",$unserializeTask)) {
+		if(property_exists($unserializeTask, "field_value_mapping")) {
 			$fieldMapping = Zend_Json::decode($unserializeTask->field_value_mapping);
 			if (!empty($fieldMapping)) {
 				foreach ($fieldMapping as $key => $condition) {
@@ -985,7 +994,7 @@ function vtws_transferOwnershipForWorkflowTasks($ownerModel, $newOwnerModel) {
 			}
 		} else {
 			//For VTCreateTodoTask and VTCreateEventTask
-			if(array_key_exists('assigned_user_id', $unserializeTask)){
+			if(property_exists($unserializeTask, 'assigned_user_id')){
 				$value = $unserializeTask->assigned_user_id;
 				if($value == $ownerId) {
 					$unserializeTask->assigned_user_id = $newOwnerId;
@@ -1271,7 +1280,7 @@ function vtws_getCompanyId() {
 
 function vtws_recordExists($recordId) {
 	$ids = vtws_getIdComponents($recordId);
-	return !Vtiger_Util_Helper::CheckRecordExistance($ids[1]);
+	return isset($ids[1]) ? !Vtiger_Util_Helper::CheckRecordExistance($ids[1]) : null;
 }
 
 function vtws_isDuplicatesAllowed($webserviceObject){
@@ -1285,4 +1294,36 @@ function vtws_isDuplicatesAllowed($webserviceObject){
 	return $allowed;
 }
 
-?>
\ No newline at end of file
+function vtws_filedetails($fileData){
+    $fileDetails = array();
+    if(!empty($fileData)) {
+        $fileName = $fileData['name'];
+        $fileType = $fileData['type'];
+        $fileName = html_entity_decode($fileName, ENT_QUOTES, vglobal('default_charset'));
+        $filenamewithpath = $fileData['path'].$fileData['attachmentsid'].'_'.$fileData['storedname'];
+        $filesize = filesize($filenamewithpath);
+        $fileDetails['fileid'] = $fileData['attachmentsid'];
+        $fileDetails['filename'] = $fileName;
+        $fileDetails['filetype'] = $fileType;
+        $fileDetails['filesize'] = $filesize;
+        $fileDetails['filecontents'] = base64_encode(file_get_contents($filenamewithpath));
+    }
+    return $fileDetails;
+}
+
+function vtws_getAttachmentRecordId($attachmentId) {
+    $db = PearDatabase::getInstance();
+    $crmid = false;
+    if(!empty($attachmentId)) {
+        $query = "SELECT vtiger_seattachmentsrel.crmid FROM vtiger_seattachmentsrel "
+                . "INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid=vtiger_seattachmentsrel.crmid"
+                . " WHERE vtiger_seattachmentsrel.attachmentsid = ? AND vtiger_crmentity.deleted = ?";
+        $result = $db->pquery($query, array($attachmentId, 0));
+        
+        if ($db->num_rows($result) > 0) {
+            $crmid = $db->query_result($result, 0, 'crmid');
+        }
+    }
+    return $crmid;
+}
+?>