diff --git a/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php b/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php
index 8ea6ef50..9952669c 100644
--- a/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php
+++ b/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php
@@ -23,18 +23,9 @@ if (!$email || !$password) {
 // 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
 $allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
 $allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
-if (empty($allowedEmails)) {
- $allowedEmails = [
- 'driver_tester@siromove.com',
- 'passenger_tester@siromove.com',
- ];
-}
+
 $cleanEmail = strtolower(trim($email));
 $isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
-if (!$isTester) {
- echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
- exit();
-}
 // تشفير الإيميل لاستخدامه في الاستعلام
 $encryptedEmail = $encryptionHelper->encryptData($email);
@@ -44,21 +35,7 @@ try {
 // SQL لاسترجاع المستخدم بناءً على البريد الإلكتروني المشفر
 $sql = "SELECT
- driver.id,
- driver.phone,
- driver.email,
- driver.gender,
- driver.birthdate,
- driver.site,
- driver.first_name,
- driver.last_name,
- driver.bankCode,
- driver.accountBank,
- driver.employmentType,
- driver.maritalStatus,
- driver.created_at,
- driver.updated_at,
- driver.password,
+ driver.*,
 phone_verification.is_verified,
 CarRegistration.make,
 CarRegistration.model,
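Review bot: Removing the `if (!$isTester)` exit here (and in the passenger file's hunk @@ -25,10 +25,6 @@) means any submitted email now reaches `encryptData` and the database lookup before any tester gate, and the only gate left is the `$isTestInDb` check that hunk @@ -77,6 +54,12 @@ places inside `if ($data)`. Because that check runs only when a row was found, an existing non-tester address receives `Access denied. Not a tester account.` while an unknown address falls through to whatever the not-found branch (outside the hunk) returns, so the two responses can be told apart — an account-existence oracle the old pre-lookup rejection did not have. If the intent is to honour a per-account database flag, the not-found branch should answer with the same message and status, e.g. `jsonError("Access denied. Not a tester account.");`, so both outcomes look identical to the caller. Dropping the hard-coded fallback list is harmless on its own, since both removed addresses end in `@siromove.com` and are still matched by the suffix test on the `$isTester` line.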
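Review bot: Replacing the explicit column list with `driver.*` makes the row carry every driver column, present and future, rather than the fields this login path needs; anything later copied from `$data` into the response is then exposed without anyone choosing it, and the comment `فك تشفير البيانات للرد` in the passenger file's hunk @@ -72,6 +56,12 @@ suggests `$data` is indeed the response payload. The wildcard appears to exist only so that the new check in @@ -77,6 +54,12 @@ can probe `is_test` / `isTest`; keeping the explicit list and adding the one flag column, `driver.is_test,` (or `driver.isTest,`, whichever the schema actually has), keeps the query narrow and documents the real column name. `driver.password` remains needed for the `password_verify` call further down, so it stays in the explicit list. The same applies to `p.*` in the passenger file's hunk @@ -37,19 +33,7 @@.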
@@ -77,6 +54,12 @@ try {
 $data = $stmt->fetch(PDO::FETCH_ASSOC);
 if ($data) {
+ // التحقق من أن الحساب معلم كحساب فحص في قاعدة البيانات أو البيئة
+ $isTestInDb = (isset($data['is_test']) && $data['is_test'] == 1) || (isset($data['isTest']) && $data['isTest'] == 1);
+ if (!$isTestInDb && !$isTester) {
+ jsonError("Access denied. Not a tester account.");
+ exit();
+ }
 // فحص الباسورد (في نظامنا، يمكن أن يكون الباسورد هو HMAC أو نص عادي للفاحصين)
 // لنفترض أن الفاحص له باسورد عادي أو مشفر بـ bcrypt
 if (password_verify($password, $data['password']) || $password === $data['password']) {
diff --git a/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php b/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php
index 7367426e..f53e5bad 100644
--- a/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php
+++ b/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php
@@ -25,10 +25,6 @@ $allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmail
 $cleanEmail = strtolower(trim($email));
 $isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
-if (!$isTester) {
- echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
- exit();
-}
 try {
 $con = Database::get('main');
@@ -37,19 +33,7 @@ try {
 $encryptedEmail = $encryptionHelper->encryptData($email);
 $sql = "SELECT
- p.`id`,
- p.`phone`,
- p.`email`,
- p.`gender`,
- p.`status`,
- p.`birthdate`,
- p.`site`,
- p.`first_name`,
- p.`last_name`,
- p.`sosPhone`,
- p.`education`,
- p.`employmentType`,
- p.`maritalStatus`,
+ p.*,
 phone_verification_passenger.verified,
 invitesToPassengers.isInstall,
 invitesToPassengers.inviteCode,
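Review bot: The new `$isTestInDb` line compares the flag with loose `== 1`, so `true`, `1.0` and `'1.0'` also pass, and it guesses two column names (`is_test` / `isTest`) at runtime instead of using the schema's actual one; a strict form is clearer and predictable, e.g. `$testFlag = $data['is_test'] ?? $data['isTest'] ?? null;` followed by `$isTestInDb = $testFlag === 1 || $testFlag === '1';` (PDO commonly returns integer columns as strings, hence the `'1'` case). The `exit();` after `jsonError(...)` is redundant if that helper already terminates the script — worth confirming against its definition, which is outside the hunk. The same block is duplicated verbatim in the passenger file's hunk @@ -72,6 +56,12 @@, where it sits inside `if ($count > 0)` and reads `$data`, which is assigned outside that hunk; a small shared helper taking `$data` and `$isTester` would keep both files in step. The enclosing `try` and the `if ($data)` branch continue outside this hunk.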
@@ -72,6 +56,12 @@ try {
 $count = $stmt->rowCount();
 if ($count > 0) {
+ // التحقق من أن الحساب معلم كحساب فحص في قاعدة البيانات أو البيئة
+ $isTestInDb = (isset($data['is_test']) && $data['is_test'] == 1) || (isset($data['isTest']) && $data['isTest'] == 1);
+ if (!$isTestInDb && !$isTester) {
+ jsonError("Access denied. Not a tester account.");
+ exit();
+ }
 // فك تشفير البيانات للرد
 if(isset($data['phone'])) $data['phone'] = $encryptionHelper->decryptData($data['phone']);
 if(isset($data['email'])) $data['email'] = $encryptionHelper->decryptData($data['email']);