fix(security): add role checks to 7 admin endpoints, fix undefined vars in admin_update_passenger, add input validation to send_whatsapp
@@ -2,7 +2,13 @@
|
||||
// File: send_whatsapp_message.php
|
||||
// هذا السكربت يرسل رسالة واتساب فقط باستخدام RaseelPlus API
|
||||
|
||||
require_once __DIR__ . '/../connect.php'; // فقط إذا كنت تحتاج للوصول إلى environment
|
||||
require_once __DIR__ . '/../connect.php';
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
error_log("--- [send_whatsapp_message.php] Script execution started ---");
|
||||
|
||||
@@ -16,6 +22,18 @@ if (empty($receiver) || empty($message)) {
|
||||
exit();
|
||||
}
|
||||
|
||||
// Validate phone number format (basic international format)
|
||||
if (!preg_match('/^\+?[1-9]\d{6,14}$/', $receiver)) {
|
||||
jsonError('Invalid phone number format.');
|
||||
exit();
|
||||
}
|
||||
|
||||
// Limit message length to prevent abuse
|
||||
if (strlen($message) > 4096) {
|
||||
jsonError('Message too long. Maximum 4096 characters.');
|
||||
exit();
|
||||
}
|
||||
|
||||
// بيانات Raseel
|
||||
$instanceId = getenv("RASEEL_DRIVER_INSTANCE_ID");
|
||||
$accessToken = getenv("RASEEL_DRIVER_ACCESS_TOKEN");
|
||||
|
||||
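Review bot: The phone-number regex `'/^\+?[1-9]\d{6,14}$/'` still accepts a value with a trailing newline, because in PCRE `$` matches before a final "\n"; anchor with `\z` (or add the `D` modifier) so the sanitized string is exactly what gets forwarded to the API: `if (!preg_match('/^\+?[1-9]\d{6,14}\z/', $receiver)) {`. The length cap uses `strlen`, which counts bytes, while the error text promises "4096 characters"; for the Arabic messages this script appears to send, 4096 bytes is roughly 2048 characters or fewer, so either switch to `if (mb_strlen($message, 'UTF-8') > 4096) {` or reword the message to say bytes. Each check is followed by both `jsonError(...)` and `exit();`, which suggests `jsonError` may already terminate; if it does, the extra `exit()` lines are dead code, and if it does not, the earlier `empty()` check's `exit()` is the pattern to keep. In the first hunk the new role gate compares `$role`, which is not assigned anywhere in this file's visible lines and presumably comes from connect.php; a short comment such as `// $role is populated by connect.php from the authenticated session` would make the dependency explicit, and since the commit applies the same gate to seven endpoints, a shared `requireAdminRole()` helper in connect.php would keep them from drifting.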