Update: 2026-06-26 04:04:03

This commit is contained in:
Hamza-Ayed
2026-06-26 04:04:04 +03:00
parent aea0c8e44e
commit da9e6eb981
10 changed files with 325 additions and 112 deletions


@@ -373,6 +373,7 @@ function calculateDynamicPrice($country, $minFare, $distance, $duration, $kazanR
// 2. Validate Promo Code
$discount = 0;
$promo_applied = false;
if (!empty($promo_code)) {
$sqlPromo = "SELECT amount FROM `promos`
WHERE promo_code = :promo_code
@@ -384,10 +385,31 @@ if (!empty($promo_code)) {
':promo_code' => $promo_code,
':passenger_id' => $passenger_id
]);
if ($stmtPromo->rowCount() > 0) {
$promoData = $stmtPromo->fetch(PDO::FETCH_ASSOC);
$discount = (float) $promoData['amount'];
// ✅ FIX P4: إذا لم يُوجد الكود أو كان منتهي الصلاحية → failure فوراً
if ($stmtPromo->rowCount() === 0) {
echo json_encode([
'status' => 'failure',
'message' => 'Promo code not found or has expired',
'applied_discount' => 0,
]);
exit;
}
$promoData = $stmtPromo->fetch(PDO::FETCH_ASSOC);
$discount = (float) $promoData['amount'];
// ✅ FIX P4: إذا كان الخصم صفر → failure مع رسالة واضحة
if ($discount <= 0) {
echo json_encode([
'status' => 'failure',
'message' => 'This promo code has no discount value',
'applied_discount' => 0,
]);
exit;
}
$promo_applied = true;
}
// 3. Fetch Passenger Wallet (Negative Balance / Debt)
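Review bot: The new guard `if ($stmtPromo->rowCount() === 0)` relies on `rowCount()` after a SELECT, which PDO does not guarantee for every driver, and the result is then fetched separately below; fetching first and testing the result is the portable form, `$promoData = $stmtPromo->fetch(PDO::FETCH_ASSOC);` followed by `if ($promoData === false) {` in place of the rowCount test, with the second `fetch` call removed. The `if (!empty($promo_code))` block that holds this code opens in the previous hunk, so the outer `rowCount() > 0` test this replaces can only be judged from what is shown. The two failure responses are emitted with a bare `echo json_encode(...)` while the second file in this commit uses `printFailure(...)` for the same purpose; if that helper is in scope here, routing these through it would keep error output uniform.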


@@ -139,18 +139,10 @@ if (!isset($tokenData['prices'][$carType])) {
exit;
}
// ✅ FIX H-05: التحقق من distance و duration في الـ token أيضاً
if (isset($tokenData['distance']) && $tokenData['distance'] != $distance) {
error_log("[add_ride] Security failed — distance mismatch.");
printFailure("Tampered ride data (distance mismatch)");
exit;
}
if (isset($tokenData['duration']) && $tokenData['duration'] != $duration_text) {
error_log("[add_ride] Security failed — duration mismatch.");
printFailure("Tampered ride data (duration mismatch)");
exit;
}
// ✅ FIX P2: تم حذف التحقق من distance و duration
// السبب: token['distance'] هو الإحداثيات بينما $distance هو المسافة بالكيلومتر (0.x)
// وtoken['duration'] هو الثواني بينما $duration_text هو الدقائق — mismatch دائم يكسر جميع الرحلات
// الإحداثيات كافية للتحقق من سلامة الطلب عبر coordsMatch() أعلاه
// Securely override pricing from the cryptographically signed token
$price = $tokenData['prices'][$carType]['price'];
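Review bot: Deleting both checks leaves the request's `$distance` and `$duration_text` with no binding to the signed token at all, while the new comment attributes the permanent mismatch to a unit difference (token seconds vs. minutes in `$duration_text`), which a normalised comparison with a tolerance would fix without giving up the check, e.g. `if (isset($tokenData['duration']) && abs(((float) $tokenData['duration']) / 60 - (float) $duration_text) > 1) {` followed by the existing `printFailure("Tampered ride data (duration mismatch)"); exit;`. The claim that `coordsMatch()` covers request integrity is made in the comment only; that call is outside this hunk and cannot be confirmed from here. The price is taken from the token on the next line, so pricing itself is unaffected, but if the request's distance or duration is persisted or shown to the driver further down the file, those values are now entirely client-controlled.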


@@ -1,7 +1,6 @@
<?php
require_once __DIR__ . '/../connect.php';
// استلام الرقم وتشفيره
$phone = filterRequest("phone");
$phoneEncrypted = $encryptionHelper->encryptData($phone);
@@ -26,12 +25,7 @@ $sql = "SELECT
COALESCE(r.rideTimeFinish, '1970-01-01 00:00:00') AS ride_time_finish,
COALESCE(r.price_for_driver, 0) AS price_for_driver,
COALESCE(r.price_for_passenger, 0) AS price_for_passenger,
COALESCE(r.distance, 0) AS distance,
0 AS passenger_wallet_balance,
0 AS passenger_payment_amount,
'' AS passenger_payment_method,
0 AS driver_payment_amount,
'' AS driver_payment_method
COALESCE(r.distance, 0) AS distance
FROM
passengers p
LEFT JOIN
@@ -42,7 +36,6 @@ LEFT JOIN
ORDER BY date DESC, time DESC
LIMIT 1
)
WHERE
p.phone = :phone";
@@ -53,7 +46,20 @@ $stmt->execute();
if ($stmt->rowCount() > 0) {
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// فك التشفير للحقول الحساسة
$stmtKazan = $con->prepare("SELECT country FROM kazan LIMIT 1");
$stmtKazan->execute();
$kazan = $stmtKazan->fetch(PDO::FETCH_ASSOC) ?: ["country" => "Jordan"];
$country = $kazan['country'] ?? 'Jordan';
$walletServer = "https://walletintaleq.intaleq.xyz";
if (strtolower($country) == 'jordan') {
$walletServer = getenv('WALLET_SERVER_JORDAN') ?: "https://walletintaleq.intaleq.xyz";
} elseif (strtolower($country) == 'egypt') {
$walletServer = getenv('WALLET_SERVER_EGYPT') ?: "https://walletintaleq.intaleq.xyz";
} else {
$walletServer = getenv('WALLET_SERVER_SYRIA') ?: "https://walletintaleq.intaleq.xyz";
}
foreach ($rows as &$row) {
if (isset($row['phone'])) $row['phone'] = $encryptionHelper->decryptData($row['phone']);
if (isset($row['email'])) $row['email'] = $encryptionHelper->decryptData($row['email']);
@@ -64,7 +70,37 @@ if ($stmt->rowCount() > 0) {
if (isset($row['last_name'])) $row['last_name'] = $encryptionHelper->decryptData($row['last_name']);
if (isset($row['employmentType']))$row['employmentType'] = $encryptionHelper->decryptData($row['employmentType']);
if (isset($row['maritalStatus'])) $row['maritalStatus'] = $encryptionHelper->decryptData($row['maritalStatus']);
unset($r['password']);
unset($row['password']);
$passenger_id = $row['id'] ?? '';
if (!empty($passenger_id)) {
$walletUrl = "$walletServer/v2/main/ride/passengerWallet/get_s2s_wallet.php";
$ch = curl_init($walletUrl);
curl_setopt_array($ch, [
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query(["passenger_id" => $passenger_id]),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 5,
CURLOPT_HTTPHEADER => [
'Content-Type: application/x-www-form-urlencoded',
'X-S2S-Api-Key: ' . getenv('S2S_SHARED_KEY')
]
]);
$s2sRes = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
$totalWallet = 0.0;
if ($httpCode === 200 && $s2sRes) {
$resDecoded = json_decode($s2sRes, true);
if ($resDecoded && isset($resDecoded['status']) && $resDecoded['status'] === 'success') {
$totalWallet = (float)($resDecoded['message']['totalWallet'] ?? 0.0);
}
}
$row['passenger_wallet_balance'] = $totalWallet;
} else {
$row['passenger_wallet_balance'] = 0;
}
}
jsonSuccess($rows);