Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
28d30e3359a764702b6bf00afb76463a5b2dab8d
Siro/walletintaleq.intaleq.xyz/v2/main/ride/driverWallet/addFromAdmin.php
Hamza-Ayed 2c3816badb Update: 2026-06-16 22:44:11
2026-06-16 22:44:11 +03:00

126 lines
5.0 KiB
PHP
Executable File
Raw Blame History

<?php
/**
* addFromAdmin.php — إضافة رصيد من المسؤول (Admin Only)
*
* ═══════════════════════════════════════════════════════════════
* SECURITY FIX: كان هذا الملف بدون أي مصادقة! ❌
* الآن يتطلب:
* 1. JWT مصادق (عبر authenticateJWT)
* 2. التحقق من دور المسؤول (admin role)
* 3. التحقق من المبلغ (حد أقصى)
* 4. تسجيل تدقيق لكل عملية (audit log)
* ═══════════════════════════════════════════════════════════════
*/
// Include the database connection WITH JWT authentication
include "../../connect.php";
// connect.php calls authenticateJWT() → 5-layer security check ✅
// ── 1. استخراج user_id من JWT المصادق ──────────────────────────
$adminUserId = $decodedToken->user_id ?? $decodedToken->sub ?? null;
$adminRole = $decodedToken->role ?? null;
// ── 2. التحقق من صلاحيات المسؤول ────────────────────────────
// فقط المسؤول يمكنه إضافة رصيد يدوياً
if ($adminRole !== 'admin' && $adminRole !== 'super_admin') {
error_log(sprintf(
'⚠️ [SECURITY] Non-admin attempted addFromAdmin | user=%s | role=%s | IP=%s',
$adminUserId,
$adminRole ?? '(null)',
$_SERVER['REMOTE_ADDR'] ?? 'unknown'
));
http_response_code(403);
printFailure("Forbidden: Admin access required");
exit;
}
// ── 3. استخراج والتحقق من البيانات ──────────────────────────
$driverID = filterRequest("driverID");
$paymentID = filterRequest("paymentID");
$amount = filterRequest("amount");
$paymentMethod = filterRequest("paymentMethod");
$phone = filterRequest("phone");
if (empty($driverID) || !isset($amount) || empty($paymentMethod)) {
printFailure("Missing required parameters: driverID, amount, paymentMethod");
exit;
}
// ── 4. التحقق من المبلغ ─────────────────────────────────────
$amount = floatval($amount);
if ($amount <= 0 || $amount > 1000000) {
error_log(sprintf(
'⚠️ [SECURITY] Invalid amount in addFromAdmin | admin=%s | amount=%s | driverID=%s',
$adminUserId, $amount, $driverID
));
printFailure("Invalid amount: must be between 0 and 1,000,000");
exit;
}
// ── 5. العملية الذرية ─────────────────────────────────────────
try {
$con->beginTransaction();
// إدخال سجل المحفظة
$sql = "INSERT INTO `driverWallet` (
`driverID`,
`paymentID`,
`amount`,
`paymentMethod`
) VALUES (
:driverID,
:paymentID,
:amount,
:paymentMethod
);";
$stmt = $con->prepare($sql);
$stmt->execute([
':driverID' => $driverID,
':paymentID' => $paymentID ?? ('admin_' . time() . '_' . bin2hex(random_bytes(4))),
':amount' => $amount,
':paymentMethod' => $paymentMethod
]);
if ($stmt->rowCount() > 0) {
// ── 6. تسجيل تدقيق (Audit Log) ─────────────────────────
$auditStmt = $con->prepare(
"INSERT INTO `admin_audit_log` (`admin_id`, `action`, `table_name`, `record_id`, `details`)
VALUES (:admin_id, :action, :table_name, :record_id, :details)"
);
$auditStmt->execute([
':admin_id' => $adminUserId,
':action' => 'addFromAdmin_wallet',
':table_name' => 'driverWallet',
':record_id' => $driverID,
':details' => json_encode([
'amount' => $amount,
'paymentMethod' => $paymentMethod,
'phone' => $phone,
'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
'timestamp' => date('Y-m-d H:i:s')
], JSON_UNESCAPED_UNICODE)
]);
$con->commit();
printSuccess("Record saved successfully");
// إرسال إشعار واتساب للسائق
if (!empty($phone)) {
$messageBody = "تم إضافة رصيد بقيمة $amount إلى محفظتك بنجاح.";
sendWhatsAppFromServer($phone, $messageBody);
}
} else {
$con->rollBack();
printFailure("Failed to save record");
}
} catch (Exception $e) {
if ($con->inTransaction()) {
$con->rollBack();
}
error_log("[addFromAdmin] Error: " . $e->getMessage());
printFailure("An error occurred");
}
Reference in New Issue View Git Blame Copy Permalink