Fix #21: High-severity fixes (H-01 through H-06)
H-01: Egypt document uploads - added path traversal prevention (basename),
replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
(ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
driverID or user must be admin); non-admins blocked from changing
password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)
@@ -8,6 +8,13 @@ if (!$driverID) {
exit;
}
// التحقق من أن المستخدم يملك هذا الحساب أو هو أدمن
$canUpdate = ($role === 'admin' || $role === 'super_admin' || (string)$user_id === (string)$driverID);
if (!$canUpdate) {
jsonError("Unauthorized: You can only update your own account");
exit;
}
/* ---------------------------------------------------------
DRIVER TABLE
--------------------------------------------------------- */
@@ -20,13 +27,16 @@ $driverFieldsAllowed = [
"expirationDate", "created_at", "updated_at"
];
// Fields that must be encrypted
// إزالة الحقول الحساسة من التحديث إذا كان المستخدم ليس أدمن
if ($role !== 'admin' && $role !== 'super_admin') {
$driverFieldsAllowed = array_diff($driverFieldsAllowed, ['password', 'status', 'email', 'phone']);
}
$encryptedDriverFields = [
"phone", "email", "password", "national_number","gender", "name_arabic", "first_name",
"last_name", "birthdate", "site", "maritalStatus", "employmentType", "accountBank", "bankCode"
];
$driverSet = [];
$driverParams = [":id" => $driverID];
@@ -43,7 +53,6 @@ foreach ($driverFieldsAllowed as $field) {
}
}
// Execute Driver Update
$driverUpdated = false;
if (!empty($driverSet)) {
$driverSql = "UPDATE `driver` SET " . implode(", ", $driverSet) . " WHERE `id` = :id";
@@ -65,7 +74,7 @@ $carSet = [];
$carParams = [":driverID" => $driverID];
foreach ($carFieldsAllowed as $field) {
if ($field === "id") continue; // skip primary key in SET
if ($field === "id") continue;
if (isset($_POST[$field]) && $_POST[$field] !== "") {
$value = filterRequest($field);
$carSet[] = "`$field` = :$field";
@@ -73,7 +82,6 @@ foreach ($carFieldsAllowed as $field) {
}
}
// Execute Car Update
$carUpdated = false;
if (!empty($carSet)) {
$carSql = "UPDATE `CarRegistration` SET " . implode(", ", $carSet) . " WHERE `driverID` = :driverID";
@@ -82,12 +90,8 @@ if (!empty($carSet)) {
$carUpdated = $stmtCar->rowCount() > 0;
}
/* ---------------------------------------------------------
RESPONSE
--------------------------------------------------------- */
if ($driverUpdated || $carUpdated) {
jsonSuccess(null, "Driver & Car updated successfully");
} else {
jsonError("No changes were applied");
}
?>
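Review bot: In the second hunk the new non-admin stripping block (`if ($role !== 'admin' && $role !== 'super_admin') { $driverFieldsAllowed = array_diff(...) }`) is inserted between the `// Fields that must be encrypted` comment and the `$encryptedDriverFields` array that comment describes, so the comment now appears to label the role check; move the block above that comment, directly after the `$driverFieldsAllowed` array closes. The admin test is also spelled out twice, once inside `$canUpdate` in the first hunk and again negated here, so a single `$isAdmin = in_array($role, ['admin', 'super_admin'], true);` computed before `$canUpdate` and reused in the stripping block would keep the two in step when a role is added. The assignments of `$role` and `$user_id` are outside these hunks; the ownership check is only as strong as their source, which presumably is the verified token rather than the request body, and a one-line comment at the top of the first hunk naming that source (`// $role/$user_id come from the verified JWT, not from $_POST`) would make the trust boundary explicit for the next reader. The car-field loop in the fourth hunk is not subject to the non-admin restriction, which is probably intended but worth stating in the same comment.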