From 95de2da48e83990a731d803195928d1f9f81ffe6 Mon Sep 17 00:00:00 2001 From: Flatlogic Bot Date: Sun, 28 Sep 2025 22:00:58 +0000 Subject: [PATCH] beta.0001 --- add-credential.php | 4 ++-- audit-log.php | 2 +- dashboard.php | 2 +- db/temp_update_clients.php | 37 ----------------------------------- delete-client.php | 2 +- delete-credential.php | 10 +++++++--- edit-client.php | 2 +- edit-credential.php | 40 ++++++++++++++++++++++++-------------- 8 files changed, 38 insertions(+), 61 deletions(-) delete mode 100644 db/temp_update_clients.php diff --git a/add-credential.php b/add-credential.php index 1feea2b..6b7492d 100644 --- a/add-credential.php +++ b/add-credential.php @@ -21,8 +21,8 @@ if (!isset($_GET['client_id']) || empty($_GET['client_id'])) { $client_id = $_GET['client_id']; // Fetch client details to display -$stmt = $pdo->prepare("SELECT name FROM clients WHERE client_id = ?"); -$stmt->execute([$client_id]); +$stmt = $pdo->prepare("SELECT name FROM clients WHERE client_id = ? AND user_id = ?"); +$stmt->execute([$client_id, $_SESSION['user_id']]); $client = $stmt->fetch(PDO::FETCH_ASSOC); if (!$client) { diff --git a/audit-log.php b/audit-log.php index d7dd1cd..98bc2ca 100644 --- a/audit-log.php +++ b/audit-log.php @@ -17,7 +17,7 @@ $pdo = db(); $stmt = $pdo->query( "SELECT ae.*, u.display_name " . "FROM audit_events ae " . - "LEFT JOIN users u ON ae.user_id = u.id " . + "LEFT JOIN users u ON ae.user_id = u.user_id " . "ORDER BY ae.created_at DESC LIMIT 200" // Limit to recent 200 events for performance ); $events = $stmt->fetchAll(PDO::FETCH_ASSOC); diff --git a/dashboard.php b/dashboard.php index e8374e7..3544792 100644 --- a/dashboard.php +++ b/dashboard.php @@ -167,7 +167,7 @@ if (isset($_GET['client_id'])) { Edit - Delete + Delete diff --git a/db/temp_update_clients.php b/db/temp_update_clients.php deleted file mode 100644 index 81179fa..0000000 --- a/db/temp_update_clients.php +++ /dev/null 
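Review bot: Scoping the lookup to `$_SESSION['user_id']` stops the page from showing another user's client name, but it only protects the display branch of add-credential.php; the POST code that inserts the credential is outside this hunk and must reuse the result of this same `client_id = ? AND user_id = ?` check (or repeat it) before writing, otherwise an unowned `client_id` can still be written. `$_SESSION['user_id']` is dereferenced without a guard here, which is fine only if the login check above the hunk guarantees it is set. The `empty($_GET['client_id'])` test on the context line also rejects the id `"0"`; harmless for UUID-style ids, but `$_GET['client_id'] === ''` would be the precise test.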
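Review bot: The audit-log.php join now uses `u.user_id`, matching the column the other queries in this commit rely on, but the query still returns every user's events (`SELECT ae.*` with no `WHERE`), which is at odds with the per-user scoping added to the other pages. If audit-log.php is not restricted to administrators (the access check sits above the hunk), replace the `$pdo->query(...)` with a prepared statement and add `WHERE ae.user_id = ?` bound to `$_SESSION['user_id']` before the `ORDER BY`. Listing the columns instead of `ae.*` would also keep future additions to `audit_events` from being exposed by default.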
@@ -1,37 +0,0 @@ -prepare("SELECT id FROM users WHERE email = ?"); -$stmt->execute(['admin@flexpass.local']); -$adminUser = $stmt->fetch(PDO::FETCH_ASSOC); - -if (!$adminUser) { - echo "Admin user not found. Please seed the database first (php db/seed.php).\n"; - exit(1); -} - -$adminId = $adminUser['id']; -echo "Found admin user ID: {$adminId}\n"; - -// 2. Update existing clients -try { - $updateStmt = $pdo->prepare("UPDATE clients SET user_id = ? WHERE user_id IS NULL OR user_id = ''"); - $updateStmt->execute([$adminId]); - $rowCount = $updateStmt->rowCount(); - echo "Updated {$rowCount} client(s) to belong to the admin user.\n"; -} catch (PDOException $e) { - // This will fail if the column doesn't exist yet, which is fine. - echo "Could not update clients (the user_id column might not exist yet): " . $e->getMessage() . "\n"; -} - -// 3. Modify the migration to be safer -$migrationFile = __DIR__ . '/migrations/002_add_user_id_to_clients.sql'; -$migrationSQL = "ALTER TABLE `clients` ADD COLUMN `user_id` CHAR(36);"; // Add as nullable first - -file_put_contents($migrationFile, $migrationSQL); -echo "Migration 002 updated to be safer.\n"; - -?> \ No newline at end of file diff --git a/delete-client.php b/delete-client.php index 09ebcc6..951bd3a 100644 --- a/delete-client.php +++ b/delete-client.php @@ -44,7 +44,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { $stmt = $pdo->prepare("DELETE FROM clients WHERE client_id = ? AND user_id = ?"); $stmt->execute([$clientId, $_SESSION['user_id']]); - log_audit_event('client_delete', $_SESSION['user_id'], "Client '{$client['name']}' (ID: {$clientId}) and all associated data deleted."); + log_audit_event('client_delete', $_SESSION['user_id'], 'client', $clientId); // Using session to pass success message $_SESSION['success_message'] = "Client '" . htmlspecialchars($client['name']) . "' and all associated data have been deleted."; diff --git a/delete-credential.php b/delete-credential.php index a9dd6f2..8e250cb 100644 
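Review bot: In delete-client.php the DELETE's affected-row count is never checked, so when `$clientId` does not belong to `$_SESSION['user_id']` the statement deletes nothing yet `client_delete` is still logged and the success message is still set. Guard the logging and the redirect with `if ($stmt->rowCount() === 0) { /* not found or not owned: set an error and stop */ }`; the delete-credential and edit-client hunks below have the same gap. The four-argument `log_audit_event('client_delete', $_SESSION['user_id'], 'client', $clientId)` form no longer records the client name that the old free-text message carried, so if the log is meant to stay readable after the row is gone, the helper (not in this diff) has to capture it. The enclosing POST handler starts and ends outside the hunk.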
--- a/delete-credential.php
+++ b/delete-credential.php
@@ -43,10 +43,14 @@ try {
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 if (isset($_POST['confirm_delete'])) {
 try {
- $stmt = $pdo->prepare("DELETE FROM credentials WHERE credential_id = ?");
- $stmt->execute([$credentialId]);
+ $stmt = $pdo->prepare(
+ "DELETE c FROM credentials c " .
+ "JOIN clients cl ON c.client_id = cl.client_id " .
+ "WHERE c.credential_id = ? AND cl.user_id = ?"
+ );
+ $stmt->execute([$credentialId, $_SESSION['user_id']]);
 
- log_audit_event('credential_delete', $_SESSION['user_id'], "Credential '{$credential['name']}' (ID: {$credentialId}) deleted.");
+ log_audit_event('credential_delete', $_SESSION['user_id'], 'credential', $credentialId);
 
 header('Location: dashboard.php?client_id=' . $credential['client_id'] . '&status=credential_deleted');
 exit;
diff --git a/edit-client.php b/edit-client.php
index f3e6931..fc5cf3e 100644
--- a/edit-client.php
+++ b/edit-client.php
@@ -51,7 +51,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 try {
 $stmt = $pdo->prepare("UPDATE clients SET name = ?, status = ? WHERE client_id = ? AND user_id = ?");
 $stmt->execute([$name, $status, $clientId, $_SESSION['user_id']]);
- log_audit_event('client_edit', $_SESSION['user_id'], "Client '{$name}' (ID: {$clientId}) updated.");
+ log_audit_event('client_edit', $_SESSION['user_id'], 'client', $clientId);
 header('Location: dashboard.php?client_id=' . $clientId . '&status=client_updated');
 exit;
 } catch (PDOException $e) {
diff --git a/edit-credential.php b/edit-credential.php
index f3736d7..5560542 100644
--- a/edit-credential.php
+++ b/edit-credential.php
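Review bot: No CSRF check is visible in the delete-credential.php handler: the DELETE runs as soon as `isset($_POST['confirm_delete'])` is true, so unless a token is verified above the hunk, a form submitted from another origin by a logged-in user's browser can remove a credential. Verify a per-session token before the statement — keep a `random_bytes()`-derived value in the session, emit it into the confirmation form, and compare the posted copy with `hash_equals()` — and apply the same to the delete-client, edit-client and edit-credential POST handlers in this commit. The scoped `DELETE c FROM credentials c JOIN clients cl ... WHERE ... cl.user_id = ?` is the right authorization fix; it is MySQL multi-table syntax, consistent with the `NOW()` the edit-credential hunk already uses. The enclosing handler and the outer `try` start and end outside the hunk.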
@@ -19,8 +19,12 @@ $pdo = db();
 $credential_id = $_GET['credential_id'];
 
 // Fetch the credential
-$stmt = $pdo->prepare("SELECT * FROM credentials WHERE credential_id = ?");
-$stmt->execute([$credential_id]);
+ $stmt = $pdo->prepare(
+ "SELECT c.* FROM credentials c " .
+ "JOIN clients cl ON c.client_id = cl.client_id " .
+ "WHERE c.credential_id = ? AND cl.user_id = ?"
+ );
+ $stmt->execute([$credential_id, $_SESSION['user_id']]);
 $credential = $stmt->fetch(PDO::FETCH_ASSOC);
 
 if (!$credential) {
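Review bot: The six added lines appear to be indented one level deeper than the top-level statements around them (`$credential_id = ...` and `$credential = $stmt->fetch(...)` sit at column 0, and so did the removed `$stmt = ...` lines), which makes the block read as if it were inside a function; dedent it to match its neighbours. The ownership check itself is the right fix: a credential is now readable only when its client belongs to `$_SESSION['user_id']`. Because the lookup now also returns nothing for another user's credential, the `if (!$credential)` branch below (its body is outside the hunk) doubles as the authorization-failure path, so its response should not distinguish "does not exist" from "not yours".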
@@ -43,20 +47,26 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 if (empty($name) || empty($username)) {
 $error = "Credential Name and Username are required.";
 } else {
- // If password is not changed, don't update it
- if (empty($password)) {
- $updateStmt = $pdo->prepare(
- "UPDATE credentials SET name = ?, username = ?, url = ?, notes = ?, updated_at = NOW() WHERE credential_id = ?"
- );
- $updateStmt->execute([$name, $username, $url, $notes, $credential_id]);
- } else {
- $updateStmt = $pdo->prepare(
- "UPDATE credentials SET name = ?, username = ?, password = ?, url = ?, notes = ?, updated_at = NOW() WHERE credential_id = ?"
- );
- $updateStmt->execute([$name, $username, $password, $url, $notes, $credential_id]);
- }
+ // To securely update, we must join against the clients table to check the user_id.
+ $sql = "UPDATE credentials c " .
+ "JOIN clients cl ON c.client_id = cl.client_id " .
+ "SET c.name = ?, c.username = ?, c.url = ?, c.notes = ?, c.updated_at = NOW()";
 
- log_audit_event('credential_update', $_SESSION['user_id'], 'credential', $credential_id);
+ $params = [$name, $username, $url, $notes];
+
+ if (!empty($password)) {
+ $sql .= ", c.password = ?";
+ $params[] = $password;
+ }
+
+ $sql .= " WHERE c.credential_id = ? AND cl.user_id = ?";
+ $params[] = $credential_id;
+ $params[] = $_SESSION['user_id'];
+
+ $updateStmt = $pdo->prepare($sql);
+ $updateStmt->execute($params);
+
+ log_audit_event('credential_edit', $_SESSION['user_id'], 'credential', $credential_id);
 
 // Redirect back to the client detail page with a success message
 header("Location: dashboard.php?client_id=$client_id&status=credential_updated");
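Review bot: `if (!empty($password))` skips the password update whenever the submitted password is the string `"0"`, because `empty('0')` is true in PHP, so that value can never be saved; use `if ($password !== '')` (or `$password !== null && $password !== ''`) so any non-blank value is written. The event name changes from `credential_update` to `credential_edit`, consistent with `client_edit`, but anything that filters existing audit rows on the old name will miss the new ones, which is worth stating in the commit message or handling with a data fix if the log is queried by name. Whether `$password` has been encrypted before this point is decided above the hunk; if it is still the raw POST value it is written to `c.password` in clear, as the old code also did. The `UPDATE credentials c JOIN clients cl ... SET` form is MySQL-specific, which matches the `NOW()` already used here. The enclosing POST handler starts and ends outside the hunk.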