Update: 2026-06-16 22:44:11

2026-06-16 22:44:11 +03:00
parent b516fbc4ed
commit 2c3816badb
97 changed files with 10137 additions and 116 deletions
--- a/walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addFromAdmin.php
+++ b/walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addFromAdmin.php
@@ -1,17 +1,67 @@
 <?php
+/**
+ * addFromAdmin.php — إضافة رصيد من المسؤول (Admin Only)
+ * 
+ * ═══════════════════════════════════════════════════════════════
+ * SECURITY FIX: كان هذا الملف بدون أي مصادقة! ❌
+ * الآن يتطلب:
+ *   1. JWT مصادق (عبر authenticateJWT)
+ *   2. التحقق من دور المسؤول (admin role)
+ *   3. التحقق من المبلغ (حد أقصى)
+ *   4. تسجيل تدقيق لكل عملية (audit log)
+ * ═══════════════════════════════════════════════════════════════
+ */

-// Include the database connection file
-include "../../jwtconnect.php";
-//ride/driverWallet/add.php
-// Get the request parameters
-$driverID = filterRequest("driverID");
-$paymentID = filterRequest("paymentID");
-$amount = filterRequest("amount");
+// Include the database connection WITH JWT authentication
+include "../../connect.php";
+// connect.php calls authenticateJWT() → 5-layer security check ✅
+
+// ── 1. استخراج user_id من JWT المصادق ──────────────────────────
+$adminUserId = $decodedToken->user_id ?? $decodedToken->sub ?? null;
+$adminRole   = $decodedToken->role ?? null;
+
+// ── 2. التحقق من صلاحيات المسؤول ────────────────────────────
+// فقط المسؤول يمكنه إضافة رصيد يدوياً
+if ($adminRole !== 'admin' && $adminRole !== 'super_admin') {
+    error_log(sprintf(
+        '⚠️ [SECURITY] Non-admin attempted addFromAdmin | user=%s | role=%s | IP=%s',
+        $adminUserId,
+        $adminRole ?? '(null)',
+        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
+    ));
+    http_response_code(403);
+    printFailure("Forbidden: Admin access required");
+    exit;
+}
+
+// ── 3. استخراج والتحقق من البيانات ──────────────────────────
+$driverID      = filterRequest("driverID");
+$paymentID     = filterRequest("paymentID");
+$amount        = filterRequest("amount");
 $paymentMethod = filterRequest("paymentMethod");
-$phone = filterRequest("phone");
+$phone         = filterRequest("phone");

+if (empty($driverID) || !isset($amount) || empty($paymentMethod)) {
+    printFailure("Missing required parameters: driverID, amount, paymentMethod");
+    exit;
+}

-    // Add payment to the driver's wallet table
+// ── 4. التحقق من المبلغ ─────────────────────────────────────
+$amount = floatval($amount);
+if ($amount <= 0 || $amount > 1000000) {
+    error_log(sprintf(
+        '⚠️ [SECURITY] Invalid amount in addFromAdmin | admin=%s | amount=%s | driverID=%s',
+        $adminUserId, $amount, $driverID
+    ));
+    printFailure("Invalid amount: must be between 0 and 1,000,000");
+    exit;
+}
+
+// ── 5. العملية الذرية ─────────────────────────────────────────
+try {
+    $con->beginTransaction();
+
+    // إدخال سجل المحفظة
    $sql = "INSERT INTO `driverWallet` (
        `driverID`,
        `paymentID`,
@@ -25,27 +75,51 @@ $phone = filterRequest("phone");
    );";

    $stmt = $con->prepare($sql);
-    $stmt->execute(array(
-        ':driverID' => $driverID,
-        ':paymentID' => $paymentID,
-        ':amount' => $amount,
+    $stmt->execute([
+        ':driverID'      => $driverID,
+        ':paymentID'     => $paymentID ?? ('admin_' . time() . '_' . bin2hex(random_bytes(4))),
+        ':amount'        => $amount,
        ':paymentMethod' => $paymentMethod
-    ));
+    ]);

    if ($stmt->rowCount() > 0) {
-        // Print a success message
+        // ── 6. تسجيل تدقيق (Audit Log) ─────────────────────────
+        $auditStmt = $con->prepare(
+            "INSERT INTO `admin_audit_log` (`admin_id`, `action`, `table_name`, `record_id`, `details`)
+             VALUES (:admin_id, :action, :table_name, :record_id, :details)"
+        );
+        $auditStmt->execute([
+            ':admin_id'   => $adminUserId,
+            ':action'     => 'addFromAdmin_wallet',
+            ':table_name' => 'driverWallet',
+            ':record_id'  => $driverID,
+            ':details'    => json_encode([
+                'amount'        => $amount,
+                'paymentMethod' => $paymentMethod,
+                'phone'         => $phone,
+                'ip'            => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
+                'timestamp'     => date('Y-m-d H:i:s')
+            ], JSON_UNESCAPED_UNICODE)
+        ]);
+
+        $con->commit();
+
        printSuccess("Record saved successfully");
-       $messageBody = "تم إضافة رصيد بقيمة $amount إلى محفظتك بنجاح."; // "Balance of $amount added successfully."
-       
-      sendWhatsAppFromServer($phone, $messageBody);
-        
-        // Mark the token as used in the database
-     /*   $stmt = $con->prepare("UPDATE payment_tokens SET isUsed = TRUE WHERE id = :tokenID");
-        $stmt->execute(array(
-            ':tokenID' => $tokenData['id']
-        ));*/
+
+        // إرسال إشعار واتساب للسائق
+        if (!empty($phone)) {
+            $messageBody = "تم إضافة رصيد بقيمة $amount إلى محفظتك بنجاح.";
+            sendWhatsAppFromServer($phone, $messageBody);
+        }
    } else {
-        // Print a failure message
+        $con->rollBack();
        printFailure("Failed to save record");
    }
+} catch (Exception $e) {
+    if ($con->inTransaction()) {
+        $con->rollBack();
+    }
+    error_log("[addFromAdmin] Error: " . $e->getMessage());
+    printFailure("An error occurred");
+}