Siro/backend/ggg.php
Hamza-Ayed 3543fdd2cd Fix #21: High-severity fixes (H-01 through H-06)
H-01: Egypt document uploads - added path traversal prevention (basename),
       replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
       (ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
       driverID or user must be admin); non-admins blocked from changing
       password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
       JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
       fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)
2026-06-17 07:56:57 +03:00


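<?php
/**
 * ggg.php — admin-only encrypt/decrypt utility endpoint.
 *
 * Request: JSON body (or, as a fallback, form-encoded POST fields) with
 *   action: "encrypt" | "decrypt"
 *   text:   non-empty value to transform
 * Response: JSON {status, action, result} on success, {status, message} otherwise.
 *
 * NOTE(review): JwtService, $encryptionHelper and (optionally) $redis are expected
 * to come from core/bootstrap.php — not visible here, confirm against bootstrap.
 */
require_once __DIR__ . '/core/bootstrap.php';
header('Content-Type: application/json; charset=utf-8');

/**
 * Send a JSON response with the given HTTP status and terminate the script.
 *
 * @param int   $status  HTTP status code to set.
 * @param array $payload Response body.
 * @throws JsonException if the payload cannot be encoded (e.g. non-UTF-8 bytes);
 *                       callers inside the try block below rely on this instead
 *                       of json_encode() returning false and echoing an empty body.
 */
function ggg_respond(int $status, array $payload): void
{
    http_response_code($status);
    echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
    exit;
}

// Admin authorization via JWT (replaces the earlier client-supplied phone auth).
// NOTE(review): assumes JwtService::authenticate() terminates or throws on a
// missing/invalid token — confirm; if it can return null, `?? null` below still
// yields a 403 rather than a property-read warning.
$jwtService = new JwtService($redis ?? null);
$admin = $jwtService->authenticate();
if (!in_array($admin->role ?? null, ['admin', 'super_admin'], true)) {
    ggg_respond(403, ['status' => 'error', 'message' => 'Unauthorized. Admin access required.']);
}

// Prefer a JSON body; fall back to form-encoded POST fields when it is absent/invalid.
$raw = file_get_contents('php://input');
$data = json_decode((string) $raw, true);
if (!is_array($data)) {
    $data = $_POST;
}

$action = $data['action'] ?? '';

// Only scalars are accepted for `text`: trim() on an array/object would raise a
// TypeError outside the try block and surface as an unhandled error. Scalars are
// cast to string first so numeric/boolean JSON values behave as before.
$rawText = $data['text'] ?? '';
$text = is_scalar($rawText) ? trim((string) $rawText) : '';

if ($text === '' || !in_array($action, ['encrypt', 'decrypt'], true)) {
    ggg_respond(400, [
        'status' => 'error',
        'message' => 'Invalid input: need action=encrypt|decrypt and non-empty text.',
    ]);
}

try {
    $result = $action === 'encrypt'
        ? $encryptionHelper->encryptData($text)
        : $encryptionHelper->decryptData($text);

    ggg_respond(200, [
        'status' => 'success',
        'action' => $action,
        'result' => (string) $result,
    ]);
} catch (Throwable $e) {
    // Throwable rather than Exception: a TypeError/Error thrown by the helper (or a
    // JsonException from encoding a non-UTF-8 result) must also end in the same
    // opaque 500, not an uncaught-error page that may expose internals.
    error_log('[ggg.php] ' . get_class($e) . ': ' . $e->getMessage());
    ggg_respond(500, [
        'status' => 'error',
        'message' => 'Operation failed.',
    ]);
}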