fix(security): add role checks to 7 admin endpoints, fix undefined vars in admin_update_passenger, add input validation to send_whatsapp
This commit is contained in:
Hamza-Ayed
@@ -1,6 +1,12 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../../connect.php';
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
$sql = "SELECT
|
||||
`driver`.`id`,
|
||||
`driver`.`phone`,
|
||||
|
||||
@@ -1,16 +1,22 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../connect.php';
|
||||
|
||||
// استلام البيانات من الطلب
|
||||
$error = filterRequest("error");
|
||||
$userId = filterRequest("userId");
|
||||
// Allow any authenticated user to report errors, but validate input
|
||||
$error = filterRequest("error");
|
||||
$userId = filterRequest("userId");
|
||||
$userType = filterRequest("userType");
|
||||
$phone = filterRequest("phone");
|
||||
$device = filterRequest("device");
|
||||
$phone = filterRequest("phone");
|
||||
$device = filterRequest("device");
|
||||
$details = filterRequest("details");
|
||||
|
||||
// تسجيل الخطأ في ملف logs/app.log للمتابعة السريعة
|
||||
$logMsg = "[$userType ID: $userId] Error: $error | Where: $device | Details: $details";
|
||||
// Sanitize log input to prevent log injection
|
||||
$safeError = str_replace(["\r", "\n"], ' ', substr($error ?? '', 0, 500));
|
||||
$safeUserId = str_replace(["\r", "\n"], ' ', substr($userId ?? '', 0, 50));
|
||||
$safeUserType = str_replace(["\r", "\n"], ' ', substr($userType ?? '', 0, 50));
|
||||
$safeDevice = str_replace(["\r", "\n"], ' ', substr($device ?? '', 0, 200));
|
||||
$safeDetails = str_replace(["\r", "\n"], ' ', substr($details ?? '', 0, 1000));
|
||||
|
||||
$logMsg = "[$safeUserType ID: $safeUserId] Error: $safeError | Where: $safeDevice | Details: $safeDetails";
|
||||
appLog($logMsg, "APP_ERROR");
|
||||
|
||||
// جملة SQL لإدخال البيانات، مع إضافة الحقل الجديد
|
||||
|
||||
@@ -1,6 +1,12 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../../connect.php';
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
function normalize_phone($s) { return preg_replace('/\D+/', '', (string)$s); }
|
||||
|
||||
$id = filterRequest("id"); // أو
|
||||
|
||||
@@ -1,7 +1,11 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../../connect.php';
|
||||
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
$id = filterRequest("id"); // مفضّل
|
||||
|
||||
@@ -9,38 +13,41 @@ $first_name = filterRequest("first_name");
|
||||
$last_name = filterRequest("last_name");
|
||||
$new_phone = filterRequest("phone");
|
||||
|
||||
if (empty($id) ) { jsonError("Provide id or phone_lookup"); exit; }
|
||||
if (empty($id)) { jsonError("Passenger ID is required"); exit; }
|
||||
if ($first_name === null && $last_name === null && $new_phone === null) {
|
||||
jsonError("Nothing to update"); exit;
|
||||
}
|
||||
|
||||
$sets = [];
|
||||
$params = [];
|
||||
$new_phone = $encryptionHelper->encryptData($new_phone);
|
||||
$first_name = $encryptionHelper->encryptData($first_name);
|
||||
$last_name = $encryptionHelper->encryptData($last_name);
|
||||
|
||||
$enc_norm = $encryptionHelper->encryptData($norm);
|
||||
if ($first_name !== null) { $sets[] = "first_name = :first_name"; $params['first_name'] = trim($first_name); }
|
||||
if ($last_name !== null) { $sets[] = "last_name = :last_name"; $params['last_name'] = trim($last_name); }
|
||||
if ($new_phone !== null) {
|
||||
$sets[] = "phone = :phone";
|
||||
$params['phone'] = trim($new_phone);
|
||||
if ($first_name !== null) {
|
||||
$encFirst = $encryptionHelper->encryptData($first_name);
|
||||
$sets[] = "first_name = :first_name";
|
||||
$params['first_name'] = trim($encFirst);
|
||||
}
|
||||
if ($last_name !== null) {
|
||||
$encLast = $encryptionHelper->encryptData($last_name);
|
||||
$sets[] = "last_name = :last_name";
|
||||
$params['last_name'] = trim($encLast);
|
||||
}
|
||||
if ($new_phone !== null) {
|
||||
$encPhone = $encryptionHelper->encryptData($new_phone);
|
||||
$sets[] = "phone = :phone";
|
||||
$params['phone'] = trim($encPhone);
|
||||
|
||||
// منع تكرار الهاتف على راكب آخر
|
||||
$q = $con->prepare("SELECT id FROM passengers WHERE phone = :ph LIMIT 1");
|
||||
$q->execute(['ph' => $params['phone']]);
|
||||
$row = $q->fetch(PDO::FETCH_ASSOC);
|
||||
if ($row) {
|
||||
if (!empty($id) && $row['id'] != $id) { jsonError("Phone already used by another passenger"); exit; }
|
||||
if (empty($id) && $row['id'] != $phoneLookup) { jsonError("Phone already used by another passenger"); exit; }
|
||||
if ($row && $row['id'] != $id) {
|
||||
jsonError("Phone already used by another passenger");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
$whereSql = "";
|
||||
$whereParams = [];
|
||||
if (!empty($id)) { $whereSql = "id = :pid"; $whereParams['pid'] = $id; }
|
||||
else { $whereSql = "phone = :plk"; $whereParams['plk'] = $phoneLookup; }
|
||||
$whereSql = "id = :pid";
|
||||
$whereParams = ['pid' => $id];
|
||||
|
||||
$sql = "UPDATE passengers SET ".implode(", ", $sets).", updated_at = CURRENT_TIMESTAMP WHERE $whereSql";
|
||||
$stmt = $con->prepare($sql);
|
||||
|
||||
@@ -1,6 +1,12 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../../connect.php';
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
/**
|
||||
* تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
|
||||
*/
|
||||
|
||||
@@ -1,6 +1,12 @@
|
||||
<?php
|
||||
require_once __DIR__ . '/../../connect.php';
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
/**
|
||||
* تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
|
||||
*/
|
||||
|
||||
@@ -2,7 +2,13 @@
|
||||
// File: send_whatsapp_message.php
|
||||
// هذا السكربت يرسل رسالة واتساب فقط باستخدام RaseelPlus API
|
||||
|
||||
require_once __DIR__ . '/../connect.php'; // فقط إذا كنت تحتاج للوصول إلى environment
|
||||
require_once __DIR__ . '/../connect.php';
|
||||
|
||||
if ($role !== 'admin' && $role !== 'super_admin') {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Unauthorized: Admin access required']);
|
||||
exit;
|
||||
}
|
||||
|
||||
error_log("--- [send_whatsapp_message.php] Script execution started ---");
|
||||
|
||||
@@ -16,6 +22,18 @@ if (empty($receiver) || empty($message)) {
|
||||
exit();
|
||||
}
|
||||
|
||||
// Validate phone number format (basic international format)
|
||||
if (!preg_match('/^\+?[1-9]\d{6,14}$/', $receiver)) {
|
||||
jsonError('Invalid phone number format.');
|
||||
exit();
|
||||
}
|
||||
|
||||
// Limit message length to prevent abuse
|
||||
if (strlen($message) > 4096) {
|
||||
jsonError('Message too long. Maximum 4096 characters.');
|
||||
exit();
|
||||
}
|
||||
|
||||
// بيانات Raseel
|
||||
$instanceId = getenv("RASEEL_DRIVER_INSTANCE_ID");
|
||||
$accessToken = getenv("RASEEL_DRIVER_ACCESS_TOKEN");
|
||||
|
||||
Reference in New Issue
Block a user