fix(security): add role checks to 7 admin endpoints, fix undefined vars in admin_update_passenger, add input validation to send_whatsapp
@@ -1,6 +1,12 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once __DIR__ . '/../../connect.php';
|
require_once __DIR__ . '/../../connect.php';
|
||||||
|
|
||||||
|
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||||
|
http_response_code(403);
|
||||||
|
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
$sql = "SELECT
|
$sql = "SELECT
|
||||||
`driver`.`id`,
|
`driver`.`id`,
|
||||||
`driver`.`phone`,
|
`driver`.`phone`,
|
||||||
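Review bot: The admin gate added at the top of this hunk reads `$role` immediately after `require_once connect.php`, so its strength rests entirely on that file assigning `$role` from the authenticated session before this point and never from request data; connect.php is not part of this diff, so that is worth confirming. If `$role` is unset the comparison is against null and the endpoint still answers 403 (fails closed), at the cost of an undefined-variable warning, so an `isset($role)` guard would make the intent explicit. The refusal is emitted as `echo json_encode([...])` with no Content-Type header, while the rest of these endpoints report errors through `jsonError()`; if that helper can carry a 403 status, route the refusal through it. The same five-line block is pasted verbatim into every other endpoint hunk on this page; factoring it into one `requireAdmin()` function in connect.php keeps the seven copies from drifting.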
|
|||||||
@@ -1,16 +1,22 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once __DIR__ . '/../connect.php';
|
require_once __DIR__ . '/../connect.php';
|
||||||
|
|
||||||
// استلام البيانات من الطلب
|
// Allow any authenticated user to report errors, but validate input
|
||||||
$error = filterRequest("error");
|
$error = filterRequest("error");
|
||||||
$userId = filterRequest("userId");
|
$userId = filterRequest("userId");
|
||||||
$userType = filterRequest("userType");
|
$userType = filterRequest("userType");
|
||||||
$phone = filterRequest("phone");
|
$phone = filterRequest("phone");
|
||||||
$device = filterRequest("device");
|
$device = filterRequest("device");
|
||||||
$details = filterRequest("details");
|
$details = filterRequest("details");
|
||||||
|
|
||||||
// تسجيل الخطأ في ملف logs/app.log للمتابعة السريعة
|
// Sanitize log input to prevent log injection
|
||||||
$logMsg = "[$userType ID: $userId] Error: $error | Where: $device | Details: $details";
|
$safeError = str_replace(["\r", "\n"], ' ', substr($error ?? '', 0, 500));
|
||||||
|
$safeUserId = str_replace(["\r", "\n"], ' ', substr($userId ?? '', 0, 50));
|
||||||
|
$safeUserType = str_replace(["\r", "\n"], ' ', substr($userType ?? '', 0, 50));
|
||||||
|
$safeDevice = str_replace(["\r", "\n"], ' ', substr($device ?? '', 0, 200));
|
||||||
|
$safeDetails = str_replace(["\r", "\n"], ' ', substr($details ?? '', 0, 1000));
|
||||||
|
|
||||||
|
$logMsg = "[$safeUserType ID: $safeUserId] Error: $safeError | Where: $safeDevice | Details: $safeDetails";
|
||||||
appLog($logMsg, "APP_ERROR");
|
appLog($logMsg, "APP_ERROR");
|
||||||
|
|
||||||
// جملة SQL لإدخال البيانات، مع إضافة الحقل الجديد
|
// جملة SQL لإدخال البيانات، مع إضافة الحقل الجديد
|
||||||
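Review bot: `substr($error ?? '', 0, 500)` and its four siblings count bytes, so on UTF-8 text (this file's original comments are Arabic) the cut can land inside a multibyte sequence and leave an invalid tail in the log line; `mb_substr` cuts by characters. The CR/LF replacement also passes every other control byte (tab, NUL, ESC), which still lets a caller reshape the log line, and replacing the whole control range costs nothing extra. The five assignments repeat one pattern, so a small closure keeps the limits in one place; sketch below, assuming filterRequest returns string|null. The comment `// Allow any authenticated user to report errors` describes a check not visible in this hunk — if connect.php does not authenticate, the comment overstates what the file enforces. The INSERT that consumes these values continues outside the hunk.
```php
// Cut by characters (not bytes) and drop every control byte, not only CR/LF.
$logField = static function ($value, int $max): string {
    $text = mb_substr((string) ($value ?? ''), 0, $max);
    return preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text) ?? $text;
};
$safeError    = $logField($error, 500);
$safeUserId   = $logField($userId, 50);
$safeUserType = $logField($userType, 50);
$safeDevice   = $logField($device, 200);
$safeDetails  = $logField($details, 1000);
// … unchanged: $logMsg assembly and appLog() …
```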
|
|||||||
@@ -1,6 +1,12 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once __DIR__ . '/../../connect.php';
|
require_once __DIR__ . '/../../connect.php';
|
||||||
|
|
||||||
|
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||||
|
http_response_code(403);
|
||||||
|
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
function normalize_phone($s) { return preg_replace('/\D+/', '', (string)$s); }
|
function normalize_phone($s) { return preg_replace('/\D+/', '', (string)$s); }
|
||||||
|
|
||||||
$id = filterRequest("id"); // أو
|
$id = filterRequest("id"); // أو
|
||||||
|
|||||||
@@ -1,7 +1,11 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once __DIR__ . '/../../connect.php';
|
require_once __DIR__ . '/../../connect.php';
|
||||||
|
|
||||||
|
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||||
|
http_response_code(403);
|
||||||
|
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
$id = filterRequest("id"); // مفضّل
|
$id = filterRequest("id"); // مفضّل
|
||||||
|
|
||||||
@@ -9,38 +13,41 @@ $first_name = filterRequest("first_name");
|
|||||||
$last_name = filterRequest("last_name");
|
$last_name = filterRequest("last_name");
|
||||||
$new_phone = filterRequest("phone");
|
$new_phone = filterRequest("phone");
|
||||||
|
|
||||||
if (empty($id) ) { jsonError("Provide id or phone_lookup"); exit; }
|
if (empty($id)) { jsonError("Passenger ID is required"); exit; }
|
||||||
if ($first_name === null && $last_name === null && $new_phone === null) {
|
if ($first_name === null && $last_name === null && $new_phone === null) {
|
||||||
jsonError("Nothing to update"); exit;
|
jsonError("Nothing to update"); exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
$sets = [];
|
$sets = [];
|
||||||
$params = [];
|
$params = [];
|
||||||
$new_phone = $encryptionHelper->encryptData($new_phone);
|
|
||||||
$first_name = $encryptionHelper->encryptData($first_name);
|
|
||||||
$last_name = $encryptionHelper->encryptData($last_name);
|
|
||||||
|
|
||||||
$enc_norm = $encryptionHelper->encryptData($norm);
|
if ($first_name !== null) {
|
||||||
if ($first_name !== null) { $sets[] = "first_name = :first_name"; $params['first_name'] = trim($first_name); }
|
$encFirst = $encryptionHelper->encryptData($first_name);
|
||||||
if ($last_name !== null) { $sets[] = "last_name = :last_name"; $params['last_name'] = trim($last_name); }
|
$sets[] = "first_name = :first_name";
|
||||||
if ($new_phone !== null) {
|
$params['first_name'] = trim($encFirst);
|
||||||
$sets[] = "phone = :phone";
|
}
|
||||||
$params['phone'] = trim($new_phone);
|
if ($last_name !== null) {
|
||||||
|
$encLast = $encryptionHelper->encryptData($last_name);
|
||||||
|
$sets[] = "last_name = :last_name";
|
||||||
|
$params['last_name'] = trim($encLast);
|
||||||
|
}
|
||||||
|
if ($new_phone !== null) {
|
||||||
|
$encPhone = $encryptionHelper->encryptData($new_phone);
|
||||||
|
$sets[] = "phone = :phone";
|
||||||
|
$params['phone'] = trim($encPhone);
|
||||||
|
|
||||||
// منع تكرار الهاتف على راكب آخر
|
// منع تكرار الهاتف على راكب آخر
|
||||||
$q = $con->prepare("SELECT id FROM passengers WHERE phone = :ph LIMIT 1");
|
$q = $con->prepare("SELECT id FROM passengers WHERE phone = :ph LIMIT 1");
|
||||||
$q->execute(['ph' => $params['phone']]);
|
$q->execute(['ph' => $params['phone']]);
|
||||||
$row = $q->fetch(PDO::FETCH_ASSOC);
|
$row = $q->fetch(PDO::FETCH_ASSOC);
|
||||||
if ($row) {
|
if ($row && $row['id'] != $id) {
|
||||||
if (!empty($id) && $row['id'] != $id) { jsonError("Phone already used by another passenger"); exit; }
|
jsonError("Phone already used by another passenger");
|
||||||
if (empty($id) && $row['id'] != $phoneLookup) { jsonError("Phone already used by another passenger"); exit; }
|
exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$whereSql = "";
|
$whereSql = "id = :pid";
|
||||||
$whereParams = [];
|
$whereParams = ['pid' => $id];
|
||||||
if (!empty($id)) { $whereSql = "id = :pid"; $whereParams['pid'] = $id; }
|
|
||||||
else { $whereSql = "phone = :plk"; $whereParams['plk'] = $phoneLookup; }
|
|
||||||
|
|
||||||
$sql = "UPDATE passengers SET ".implode(", ", $sets).", updated_at = CURRENT_TIMESTAMP WHERE $whereSql";
|
$sql = "UPDATE passengers SET ".implode(", ", $sets).", updated_at = CURRENT_TIMESTAMP WHERE $whereSql";
|
||||||
$stmt = $con->prepare($sql);
|
$stmt = $con->prepare($sql);
|
||||||
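Review bot: Each of the three rewritten branches still trims after encrypting — `$params['first_name'] = trim($encFirst)` — so the whitespace trim is meant to remove has already been folded into the ciphertext, and trim now operates on whatever encryptData returns (a no-op for base64, or corrupting if the output can start or end with a whitespace byte). The commit reordered these lines but kept that order; it should be `$params['first_name'] = $encryptionHelper->encryptData(trim($first_name));` and likewise for last_name and phone, with the `$encFirst`/`$encLast`/`$encPhone` temporaries dropped. The duplicate check binds `:ph` to that same trimmed ciphertext, which only finds an existing row if encryptData is deterministic for equal plaintexts — not shown in this diff, worth confirming. `$row['id'] != $id` compares loosely against a raw request value that is also bound unvalidated in the WHERE clause; `(int) $row['id'] !== (int) $id` (after checking `$id` is numeric) is the intended comparison.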
|
|||||||
@@ -1,6 +1,12 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once __DIR__ . '/../../connect.php';
|
require_once __DIR__ . '/../../connect.php';
|
||||||
|
|
||||||
|
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||||
|
http_response_code(403);
|
||||||
|
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
|
* تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -1,6 +1,12 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once __DIR__ . '/../../connect.php';
|
require_once __DIR__ . '/../../connect.php';
|
||||||
|
|
||||||
|
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||||
|
http_response_code(403);
|
||||||
|
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
|
* تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -2,7 +2,13 @@
|
|||||||
// File: send_whatsapp_message.php
|
// File: send_whatsapp_message.php
|
||||||
// هذا السكربت يرسل رسالة واتساب فقط باستخدام RaseelPlus API
|
// هذا السكربت يرسل رسالة واتساب فقط باستخدام RaseelPlus API
|
||||||
|
|
||||||
require_once __DIR__ . '/../connect.php'; // فقط إذا كنت تحتاج للوصول إلى environment
|
require_once __DIR__ . '/../connect.php';
|
||||||
|
|
||||||
|
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||||
|
http_response_code(403);
|
||||||
|
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
error_log("--- [send_whatsapp_message.php] Script execution started ---");
|
error_log("--- [send_whatsapp_message.php] Script execution started ---");
|
||||||
|
|
||||||
@@ -16,6 +22,18 @@ if (empty($receiver) || empty($message)) {
|
|||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Validate phone number format (basic international format)
|
||||||
|
if (!preg_match('/^\+?[1-9]\d{6,14}$/', $receiver)) {
|
||||||
|
jsonError('Invalid phone number format.');
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
|
// Limit message length to prevent abuse
|
||||||
|
if (strlen($message) > 4096) {
|
||||||
|
jsonError('Message too long. Maximum 4096 characters.');
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
// بيانات Raseel
|
// بيانات Raseel
|
||||||
$instanceId = getenv("RASEEL_DRIVER_INSTANCE_ID");
|
$instanceId = getenv("RASEEL_DRIVER_INSTANCE_ID");
|
||||||
$accessToken = getenv("RASEEL_DRIVER_ACCESS_TOKEN");
|
$accessToken = getenv("RASEEL_DRIVER_ACCESS_TOKEN");
|
||||||
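Review bot: `strlen($message) > 4096` counts bytes while the error text promises 4096 characters; for Arabic text that is roughly a third of the advertised length, so use `mb_strlen($message)` (or reword the message to bytes if the provider's limit is in bytes). In the phone regex `$` also matches before a trailing newline, so a receiver of `"12345678\n"` passes the check and is forwarded as-is; anchor with `\z` instead: `if (!preg_match('/^\+?[1-9]\d{6,14}\z/', $receiver)) {`. The `if (empty($receiver) || empty($message))` block that precedes these checks starts outside the hunk.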
|
|||||||