fix(security): add role checks to 7 admin endpoints, fix undefined vars in admin_update_passenger, add input validation to send_whatsapp
This commit is contained in:
Hamza-Ayed
@@ -1,6 +1,12 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../../connect.php';
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
function normalize_phone($s) { return preg_replace('/\D+/', '', (string)$s); }
|
||||
|
||||
$id = filterRequest("id"); // أو
|
||||
|
||||
@@ -1,7 +1,11 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../../connect.php';
|
||||
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
$id = filterRequest("id"); // مفضّل
|
||||
|
||||
@@ -9,38 +13,41 @@ $first_name = filterRequest("first_name");
|
||||
$last_name = filterRequest("last_name");
|
||||
$new_phone = filterRequest("phone");
|
||||
|
||||
if (empty($id) ) { jsonError("Provide id or phone_lookup"); exit; }
|
||||
if (empty($id)) { jsonError("Passenger ID is required"); exit; }
|
||||
if ($first_name === null && $last_name === null && $new_phone === null) {
|
||||
jsonError("Nothing to update"); exit;
|
||||
}
|
||||
|
||||
$sets = [];
|
||||
$params = [];
|
||||
$new_phone = $encryptionHelper->encryptData($new_phone);
|
||||
$first_name = $encryptionHelper->encryptData($first_name);
|
||||
$last_name = $encryptionHelper->encryptData($last_name);
|
||||
|
||||
$enc_norm = $encryptionHelper->encryptData($norm);
|
||||
if ($first_name !== null) { $sets[] = "first_name = :first_name"; $params['first_name'] = trim($first_name); }
|
||||
if ($last_name !== null) { $sets[] = "last_name = :last_name"; $params['last_name'] = trim($last_name); }
|
||||
if ($new_phone !== null) {
|
||||
$sets[] = "phone = :phone";
|
||||
$params['phone'] = trim($new_phone);
|
||||
if ($first_name !== null) {
|
||||
$encFirst = $encryptionHelper->encryptData($first_name);
|
||||
$sets[] = "first_name = :first_name";
|
||||
$params['first_name'] = trim($encFirst);
|
||||
}
|
||||
if ($last_name !== null) {
|
||||
$encLast = $encryptionHelper->encryptData($last_name);
|
||||
$sets[] = "last_name = :last_name";
|
||||
$params['last_name'] = trim($encLast);
|
||||
}
|
||||
if ($new_phone !== null) {
|
||||
$encPhone = $encryptionHelper->encryptData($new_phone);
|
||||
$sets[] = "phone = :phone";
|
||||
$params['phone'] = trim($encPhone);
|
||||
|
||||
// منع تكرار الهاتف على راكب آخر
|
||||
$q = $con->prepare("SELECT id FROM passengers WHERE phone = :ph LIMIT 1");
|
||||
$q->execute(['ph' => $params['phone']]);
|
||||
$row = $q->fetch(PDO::FETCH_ASSOC);
|
||||
if ($row) {
|
||||
if (!empty($id) && $row['id'] != $id) { jsonError("Phone already used by another passenger"); exit; }
|
||||
if (empty($id) && $row['id'] != $phoneLookup) { jsonError("Phone already used by another passenger"); exit; }
|
||||
if ($row && $row['id'] != $id) {
|
||||
jsonError("Phone already used by another passenger");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
$whereSql = "";
|
||||
$whereParams = [];
|
||||
if (!empty($id)) { $whereSql = "id = :pid"; $whereParams['pid'] = $id; }
|
||||
else { $whereSql = "phone = :plk"; $whereParams['plk'] = $phoneLookup; }
|
||||
$whereSql = "id = :pid";
|
||||
$whereParams = ['pid' => $id];
|
||||
|
||||
$sql = "UPDATE passengers SET ".implode(", ", $sets).", updated_at = CURRENT_TIMESTAMP WHERE $whereSql";
|
||||
$stmt = $con->prepare($sql);
|
||||
|
||||
Reference in New Issue
Block a user