csrf on admin

Miguel Ribeiro
2025-10-18 23:10:34 +02:00
parent 46a959dc80
commit 7d09cd4cc9
22 changed files with 590 additions and 746 deletions
+131 -158
@@ -1,20 +1,6 @@
<?php
require_once '../../includes/connect_endpoint.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
// Check that user is an admin
if ($userId !== 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
require_once '../../includes/validate_endpoint_admin.php';
$currencies = [
['id' => 1, 'name' => 'Euro', 'symbol' => '€', 'code' => 'EUR'],
@@ -116,155 +102,142 @@ function validate($value)
return $value;
}
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$loggedInUserId = $userId;
$loggedInUserId = $userId;
$email = validate($data['email']);
$username = validate($data['username']);
$password = $data['password'];
$email = validate($data['email']);
$username = validate($data['username']);
$password = $data['password'];
if (empty($username) || empty($password) || empty($email)) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
$stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE username = :username OR email = :email');
$stmt->bindValue(':username', $username, SQLITE3_INTEGER);
$stmt->bindValue(':email', $email, SQLITE3_TEXT);
$result = $stmt->execute();
$row = $result->fetchArray();
// Error if user exist
if ($row[0] > 0) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
// Get main currency and language from admin user
$stmt = $db->prepare('SELECT main_currency, language FROM user WHERE id = :id');
$stmt->bindValue(':id', $loggedInUserId, SQLITE3_TEXT);
$result = $stmt->execute();
$row = $result->fetchArray();
$currency = $row['main_currency'] ?? 1;
$language = $row['language'] ?? 'en';
$avatar = "images/avatars/0.svg";
// Get code for main currency
$stmt = $db->prepare('SELECT code FROM currencies WHERE id = :id');
$stmt->bindValue(':id', $currency, SQLITE3_TEXT);
$row = $stmt->execute();
$main_currency = $row->fetchArray()['code'];
$query = "INSERT INTO user (username, email, password, main_currency, avatar, language, budget) VALUES (:username, :email, :password, :main_currency, :avatar, :language, :budget)";
$stmt = $db->prepare($query);
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);
$stmt->bindValue(':username', $username, SQLITE3_TEXT);
$stmt->bindValue(':email', $email, SQLITE3_TEXT);
$stmt->bindValue(':password', $hashedPassword, SQLITE3_TEXT);
$stmt->bindValue(':main_currency', 1, SQLITE3_TEXT);
$stmt->bindValue(':avatar', $avatar, SQLITE3_TEXT);
$stmt->bindValue(':language', $language, SQLITE3_TEXT);
$stmt->bindValue(':budget', 0, SQLITE3_INTEGER);
$result = $stmt->execute();
if ($result) {
// Get id of the newly created user
$newUserId = $db->lastInsertRowID();
// Add username as household member for that user
$query = "INSERT INTO household (name, user_id) VALUES (:name, :user_id)";
$stmt = $db->prepare($query);
$stmt->bindValue(':name', $username, SQLITE3_TEXT);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
if ($newUserId > 1) {
// Add categories for that user
$query = 'INSERT INTO categories (name, "order", user_id) VALUES (:name, :order, :user_id)';
$stmt = $db->prepare($query);
foreach ($categories as $index => $category) {
$stmt->bindValue(':name', $category['name'], SQLITE3_TEXT);
$stmt->bindValue(':order', $index + 1, SQLITE3_INTEGER);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
}
// Add payment methods for that user
$query = 'INSERT INTO payment_methods (name, icon, "order", user_id) VALUES (:name, :icon, :order, :user_id)';
$stmt = $db->prepare($query);
foreach ($payment_methods as $index => $payment_method) {
$stmt->bindValue(':name', $payment_method['name'], SQLITE3_TEXT);
$stmt->bindValue(':icon', $payment_method['icon'], SQLITE3_TEXT);
$stmt->bindValue(':order', $index + 1, SQLITE3_INTEGER);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
}
// Add currencies for that user
$query = "INSERT INTO currencies (name, symbol, code, rate, user_id) VALUES (:name, :symbol, :code, :rate, :user_id)";
$stmt = $db->prepare($query);
foreach ($currencies as $currency) {
$stmt->bindValue(':name', $currency['name'], SQLITE3_TEXT);
$stmt->bindValue(':symbol', $currency['symbol'], SQLITE3_TEXT);
$stmt->bindValue(':code', $currency['code'], SQLITE3_TEXT);
$stmt->bindValue(':rate', 1, SQLITE3_FLOAT);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
}
// Retrieve main currency id
$query = "SELECT id FROM currencies WHERE code = :code AND user_id = :user_id";
$stmt = $db->prepare($query);
$stmt->bindValue(':code', $main_currency, SQLITE3_TEXT);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$result = $stmt->execute();
$currency = $result->fetchArray(SQLITE3_ASSOC);
// Update user main currency
$query = "UPDATE user SET main_currency = :main_currency WHERE id = :user_id";
$stmt = $db->prepare($query);
$stmt->bindValue(':main_currency', $currency['id'], SQLITE3_INTEGER);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
// Add settings for that user
$query = "INSERT INTO settings (dark_theme, monthly_price, convert_currency, remove_background, color_theme, hide_disabled, user_id, disabled_to_bottom, show_original_price, mobile_nav)
VALUES (2, 0, 0, 0, 'blue', 0, :user_id, 0, 0, 0)";
$stmt = $db->prepare($query);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
// If email verification is required add the user to the email_verification table
$query = "SELECT * FROM admin";
$stmt = $db->prepare($query);
$result = $stmt->execute();
$settings = $result->fetchArray(SQLITE3_ASSOC);
}
$db->close();
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
}
} else {
if (empty($username) || empty($password) || empty($email)) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
?>
$stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE username = :username OR email = :email');
$stmt->bindValue(':username', $username, SQLITE3_INTEGER);
$stmt->bindValue(':email', $email, SQLITE3_TEXT);
$result = $stmt->execute();
$row = $result->fetchArray();
// Error if user exist
if ($row[0] > 0) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
// Get main currency and language from admin user
$stmt = $db->prepare('SELECT main_currency, language FROM user WHERE id = :id');
$stmt->bindValue(':id', $loggedInUserId, SQLITE3_TEXT);
$result = $stmt->execute();
$row = $result->fetchArray();
$currency = $row['main_currency'] ?? 1;
$language = $row['language'] ?? 'en';
$avatar = "images/avatars/0.svg";
// Get code for main currency
$stmt = $db->prepare('SELECT code FROM currencies WHERE id = :id');
$stmt->bindValue(':id', $currency, SQLITE3_TEXT);
$row = $stmt->execute();
$main_currency = $row->fetchArray()['code'];
$query = "INSERT INTO user (username, email, password, main_currency, avatar, language, budget) VALUES (:username, :email, :password, :main_currency, :avatar, :language, :budget)";
$stmt = $db->prepare($query);
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);
$stmt->bindValue(':username', $username, SQLITE3_TEXT);
$stmt->bindValue(':email', $email, SQLITE3_TEXT);
$stmt->bindValue(':password', $hashedPassword, SQLITE3_TEXT);
$stmt->bindValue(':main_currency', 1, SQLITE3_TEXT);
$stmt->bindValue(':avatar', $avatar, SQLITE3_TEXT);
$stmt->bindValue(':language', $language, SQLITE3_TEXT);
$stmt->bindValue(':budget', 0, SQLITE3_INTEGER);
$result = $stmt->execute();
if ($result) {
// Get id of the newly created user
$newUserId = $db->lastInsertRowID();
// Add username as household member for that user
$query = "INSERT INTO household (name, user_id) VALUES (:name, :user_id)";
$stmt = $db->prepare($query);
$stmt->bindValue(':name', $username, SQLITE3_TEXT);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
if ($newUserId > 1) {
// Add categories for that user
$query = 'INSERT INTO categories (name, "order", user_id) VALUES (:name, :order, :user_id)';
$stmt = $db->prepare($query);
foreach ($categories as $index => $category) {
$stmt->bindValue(':name', $category['name'], SQLITE3_TEXT);
$stmt->bindValue(':order', $index + 1, SQLITE3_INTEGER);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
}
// Add payment methods for that user
$query = 'INSERT INTO payment_methods (name, icon, "order", user_id) VALUES (:name, :icon, :order, :user_id)';
$stmt = $db->prepare($query);
foreach ($payment_methods as $index => $payment_method) {
$stmt->bindValue(':name', $payment_method['name'], SQLITE3_TEXT);
$stmt->bindValue(':icon', $payment_method['icon'], SQLITE3_TEXT);
$stmt->bindValue(':order', $index + 1, SQLITE3_INTEGER);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
}
// Add currencies for that user
$query = "INSERT INTO currencies (name, symbol, code, rate, user_id) VALUES (:name, :symbol, :code, :rate, :user_id)";
$stmt = $db->prepare($query);
foreach ($currencies as $currency) {
$stmt->bindValue(':name', $currency['name'], SQLITE3_TEXT);
$stmt->bindValue(':symbol', $currency['symbol'], SQLITE3_TEXT);
$stmt->bindValue(':code', $currency['code'], SQLITE3_TEXT);
$stmt->bindValue(':rate', 1, SQLITE3_FLOAT);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
}
// Retrieve main currency id
$query = "SELECT id FROM currencies WHERE code = :code AND user_id = :user_id";
$stmt = $db->prepare($query);
$stmt->bindValue(':code', $main_currency, SQLITE3_TEXT);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$result = $stmt->execute();
$currency = $result->fetchArray(SQLITE3_ASSOC);
// Update user main currency
$query = "UPDATE user SET main_currency = :main_currency WHERE id = :user_id";
$stmt = $db->prepare($query);
$stmt->bindValue(':main_currency', $currency['id'], SQLITE3_INTEGER);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
// Add settings for that user
$query = "INSERT INTO settings (dark_theme, monthly_price, convert_currency, remove_background, color_theme, hide_disabled, user_id, disabled_to_bottom, show_original_price, mobile_nav)
VALUES (2, 0, 0, 0, 'blue', 0, :user_id, 0, 0, 0)";
$stmt = $db->prepare($query);
$stmt->bindValue(':user_id', $newUserId, SQLITE3_INTEGER);
$stmt->execute();
// If email verification is required add the user to the email_verification table
$query = "SELECT * FROM admin";
$stmt = $db->prepare($query);
$result = $stmt->execute();
$settings = $result->fetchArray(SQLITE3_ASSOC);
}
$db->close();
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
}
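Review bot: The duplicate-user check at `$stmt->bindValue(':username', $username, SQLITE3_INTEGER);` binds a text username as an integer, so a non-numeric name is coerced to 0 before it reaches SQLite and the `username = :username` half of the query never matches; in practice only the e-mail is checked for uniqueness and a second account with an existing username but a fresh e-mail is accepted. It should read `$stmt->bindValue(':username', $username, SQLITE3_TEXT);`, matching the INSERT binding a few lines lower. The commit also removes the `$_SERVER["REQUEST_METHOD"] === "POST"` gate in favour of `validate_endpoint_admin.php`; if that include does not itself reject non-POST requests, this endpoint now creates users on any method that carries a JSON body, which is worth confirming since the include is not visible here. The trailing `SELECT * FROM admin` is fetched into `$settings` and never used, so it can be dropped or the email-verification step it was meant for should be finished.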
+1 -15
@@ -1,21 +1,7 @@
<?php
require_once '../../includes/connect_endpoint.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
// Check that user is an admin
if ($userId !== 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
require_once '../../includes/validate_endpoint_admin.php';
$query = 'SELECT logo FROM subscriptions';
$stmt = $db->prepare($query);
+106 -131
@@ -1,142 +1,117 @@
<?php
require_once '../../includes/connect_endpoint.php';
require_once '../../includes/validate_endpoint_admin.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
// Check that user is an admin
if ($userId !== 1) {
$userId = $data['userId'];
if ($userId == 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$userId = $data['userId'];
if ($userId == 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
} else {
// Delete user
$stmt = $db->prepare('DELETE FROM user WHERE id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete subscriptions
$stmt = $db->prepare('DELETE FROM subscriptions WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete settings
$stmt = $db->prepare('DELETE FROM settings WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete fixer
$stmt = $db->prepare('DELETE FROM fixer WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete custom colors
$stmt = $db->prepare('DELETE FROM custom_colors WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete currencies
$stmt = $db->prepare('DELETE FROM currencies WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete categories
$stmt = $db->prepare('DELETE FROM categories WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete household
$stmt = $db->prepare('DELETE FROM household WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete payment methods
$stmt = $db->prepare('DELETE FROM payment_methods WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete email notifications
$stmt = $db->prepare('DELETE FROM email_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete telegram notifications
$stmt = $db->prepare('DELETE FROM telegram_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete webhook notifications
$stmt = $db->prepare('DELETE FROM webhook_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete gotify notifications
$stmt = $db->prepare('DELETE FROM gotify_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete pushover notifications
$stmt = $db->prepare('DELETE FROM pushover_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Dele notification settings
$stmt = $db->prepare('DELETE FROM notification_settings WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete last exchange update
$stmt = $db->prepare('DELETE FROM last_exchange_update WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete email verification
$stmt = $db->prepare('DELETE FROM email_verification WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete totp
$stmt = $db->prepare('DELETE FROM totp WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete total yearly cost
$stmt = $db->prepare('DELETE FROM total_yearly_cost WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
}
} else {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
// Delete user
$stmt = $db->prepare('DELETE FROM user WHERE id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
?>
// Delete subscriptions
$stmt = $db->prepare('DELETE FROM subscriptions WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete settings
$stmt = $db->prepare('DELETE FROM settings WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete fixer
$stmt = $db->prepare('DELETE FROM fixer WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete custom colors
$stmt = $db->prepare('DELETE FROM custom_colors WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete currencies
$stmt = $db->prepare('DELETE FROM currencies WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete categories
$stmt = $db->prepare('DELETE FROM categories WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete household
$stmt = $db->prepare('DELETE FROM household WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete payment methods
$stmt = $db->prepare('DELETE FROM payment_methods WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete email notifications
$stmt = $db->prepare('DELETE FROM email_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete telegram notifications
$stmt = $db->prepare('DELETE FROM telegram_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete webhook notifications
$stmt = $db->prepare('DELETE FROM webhook_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete gotify notifications
$stmt = $db->prepare('DELETE FROM gotify_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete pushover notifications
$stmt = $db->prepare('DELETE FROM pushover_notifications WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Dele notification settings
$stmt = $db->prepare('DELETE FROM notification_settings WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete last exchange update
$stmt = $db->prepare('DELETE FROM last_exchange_update WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete email verification
$stmt = $db->prepare('DELETE FROM email_verification WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete totp
$stmt = $db->prepare('DELETE FROM totp WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
// Delete total yearly cost
$stmt = $db->prepare('DELETE FROM total_yearly_cost WHERE user_id = :id');
$stmt->bindValue(':id', $userId, SQLITE3_INTEGER);
$result = $stmt->execute();
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
}
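Review bot: The guard `if ($userId == 1)` is a loose comparison on the raw JSON value, while every DELETE below binds that same value with SQLITE3_INTEGER, which casts it; a body such as `{"userId":"1abc"}` or `{"userId":[1]}` is not `== 1` yet is bound as 1, so the admin account the check exists to protect can still be deleted. Validate once and compare strictly: `$targetUserId = filter_var($data['userId'] ?? null, FILTER_VALIDATE_INT);` followed by `if ($targetUserId === false || $targetUserId === 1) { die(json_encode(["success" => false, "message" => translate('error', $i18n)])); }`, and bind `$targetUserId` in the statements below. Reusing `$userId` here also overwrites the session user id that `validate_endpoint_admin.php` presumably established, which is an easy source of confusion in later edits. The nineteen DELETE statements are not wrapped in a transaction, so a failure part-way leaves orphaned rows for a user that no longer exists; `$db->exec('BEGIN')` before the first and `COMMIT` after the last would make the removal atomic.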
+13 -36
@@ -1,45 +1,22 @@
<?php
require_once '../../includes/connect_endpoint.php';
require_once '../../includes/validate_endpoint_admin.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$oidcEnabled = isset($data['oidcEnabled']) ? $data['oidcEnabled'] : 0;
$stmt = $db->prepare('UPDATE admin SET oidc_oauth_enabled = :oidcEnabled WHERE id = 1');
$stmt->bindParam(':oidcEnabled', $oidcEnabled, SQLITE3_INTEGER);
$stmt->execute();
if ($db->changes() > 0) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
"success" => true,
"message" => translate('success', $i18n)
]));
}
// Check that user is an admin
if ($userId !== 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$oidcEnabled = isset($data['oidcEnabled']) ? $data['oidcEnabled'] : 0;
$stmt = $db->prepare('UPDATE admin SET oidc_oauth_enabled = :oidcEnabled WHERE id = 1');
$stmt->bindParam(':oidcEnabled', $oidcEnabled, SQLITE3_INTEGER);
$stmt->execute();
if ($db->changes() > 0) {
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
} else {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
} else {
die(json_encode([
"success" => false,
+47 -70
@@ -1,48 +1,32 @@
<?php
require_once '../../includes/connect_endpoint.php';
require_once '../../includes/validate_endpoint_admin.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
// Check that user is an admin
if ($userId !== 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
$oidcName = isset($data['oidcName']) ? trim($data['oidcName']) : '';
$oidcClientId = isset($data['oidcClientId']) ? trim($data['oidcClientId']) : '';
$oidcClientSecret = isset($data['oidcClientSecret']) ? trim($data['oidcClientSecret']) : '';
$oidcAuthUrl = isset($data['oidcAuthUrl']) ? trim($data['oidcAuthUrl']) : '';
$oidcTokenUrl = isset($data['oidcTokenUrl']) ? trim($data['oidcTokenUrl']) : '';
$oidcUserInfoUrl = isset($data['oidcUserInfoUrl']) ? trim($data['oidcUserInfoUrl']) : '';
$oidcRedirectUrl = isset($data['oidcRedirectUrl']) ? trim($data['oidcRedirectUrl']) : '';
$oidcLogoutUrl = isset($data['oidcLogoutUrl']) ? trim($data['oidcLogoutUrl']) : '';
$oidcUserIdentifierField = isset($data['oidcUserIdentifierField']) ? trim($data['oidcUserIdentifierField']) : '';
$oidcScopes = isset($data['oidcScopes']) ? trim($data['oidcScopes']) : '';
$oidcAuthStyle = isset($data['oidcAuthStyle']) ? trim($data['oidcAuthStyle']) : '';
$oidcAutoCreateUser = isset($data['oidcAutoCreateUser']) ? (int) $data['oidcAutoCreateUser'] : 0;
$oidcPasswordLoginDisabled = isset($data['oidcPasswordLoginDisabled']) ? (int) $data['oidcPasswordLoginDisabled'] : 0;
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$checkStmt = $db->prepare('SELECT COUNT(*) as count FROM oauth_settings WHERE id = 1');
$result = $checkStmt->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$oidcName = isset($data['oidcName']) ? trim($data['oidcName']) : '';
$oidcClientId = isset($data['oidcClientId']) ? trim($data['oidcClientId']) : '';
$oidcClientSecret = isset($data['oidcClientSecret']) ? trim($data['oidcClientSecret']) : '';
$oidcAuthUrl = isset($data['oidcAuthUrl']) ? trim($data['oidcAuthUrl']) : '';
$oidcTokenUrl = isset($data['oidcTokenUrl']) ? trim($data['oidcTokenUrl']) : '';
$oidcUserInfoUrl = isset($data['oidcUserInfoUrl']) ? trim($data['oidcUserInfoUrl']) : '';
$oidcRedirectUrl = isset($data['oidcRedirectUrl']) ? trim($data['oidcRedirectUrl']) : '';
$oidcLogoutUrl = isset($data['oidcLogoutUrl']) ? trim($data['oidcLogoutUrl']) : '';
$oidcUserIdentifierField = isset($data['oidcUserIdentifierField']) ? trim($data['oidcUserIdentifierField']) : '';
$oidcScopes = isset($data['oidcScopes']) ? trim($data['oidcScopes']) : '';
$oidcAuthStyle = isset($data['oidcAuthStyle']) ? trim($data['oidcAuthStyle']) : '';
$oidcAutoCreateUser = isset($data['oidcAutoCreateUser']) ? (int)$data['oidcAutoCreateUser'] : 0;
$oidcPasswordLoginDisabled = isset($data['oidcPasswordLoginDisabled']) ? (int)$data['oidcPasswordLoginDisabled'] : 0;
$checkStmt = $db->prepare('SELECT COUNT(*) as count FROM oauth_settings WHERE id = 1');
$result = $checkStmt->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
if ($row['count'] > 0) {
// Update existing row
$stmt = $db->prepare('UPDATE oauth_settings SET
if ($row['count'] > 0) {
// Update existing row
$stmt = $db->prepare('UPDATE oauth_settings SET
name = :oidcName,
client_id = :oidcClientId,
client_secret = :oidcClientSecret,
@@ -57,45 +41,38 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
auto_create_user = :oidcAutoCreateUser,
password_login_disabled = :oidcPasswordLoginDisabled
WHERE id = 1');
} else {
// Insert new row
$stmt = $db->prepare('INSERT INTO oauth_settings (
} else {
// Insert new row
$stmt = $db->prepare('INSERT INTO oauth_settings (
id, name, client_id, client_secret, authorization_url, token_url, user_info_url, redirect_url, logout_url, user_identifier_field, scopes, auth_style, auto_create_user, password_login_disabled
) VALUES (
1, :oidcName, :oidcClientId, :oidcClientSecret, :oidcAuthUrl, :oidcTokenUrl, :oidcUserInfoUrl, :oidcRedirectUrl, :oidcLogoutUrl, :oidcUserIdentifierField, :oidcScopes, :oidcAuthStyle, :oidcAutoCreateUser, :oidcPasswordLoginDisabled
)');
}
}
$stmt->bindParam(':oidcName', $oidcName, SQLITE3_TEXT);
$stmt->bindParam(':oidcClientId', $oidcClientId, SQLITE3_TEXT);
$stmt->bindParam(':oidcClientSecret', $oidcClientSecret, SQLITE3_TEXT);
$stmt->bindParam(':oidcAuthUrl', $oidcAuthUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcTokenUrl', $oidcTokenUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcUserInfoUrl', $oidcUserInfoUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcRedirectUrl', $oidcRedirectUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcLogoutUrl', $oidcLogoutUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcUserIdentifierField', $oidcUserIdentifierField, SQLITE3_TEXT);
$stmt->bindParam(':oidcScopes', $oidcScopes, SQLITE3_TEXT);
$stmt->bindParam(':oidcAuthStyle', $oidcAuthStyle, SQLITE3_TEXT);
$stmt->bindParam(':oidcAutoCreateUser', $oidcAutoCreateUser, SQLITE3_INTEGER);
$stmt->bindParam(':oidcPasswordLoginDisabled', $oidcPasswordLoginDisabled, SQLITE3_INTEGER);
$stmt->execute();
if ($db->changes() > 0) {
$db->close();
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
} else {
$db->close();
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
$stmt->bindParam(':oidcName', $oidcName, SQLITE3_TEXT);
$stmt->bindParam(':oidcClientId', $oidcClientId, SQLITE3_TEXT);
$stmt->bindParam(':oidcClientSecret', $oidcClientSecret, SQLITE3_TEXT);
$stmt->bindParam(':oidcAuthUrl', $oidcAuthUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcTokenUrl', $oidcTokenUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcUserInfoUrl', $oidcUserInfoUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcRedirectUrl', $oidcRedirectUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcLogoutUrl', $oidcLogoutUrl, SQLITE3_TEXT);
$stmt->bindParam(':oidcUserIdentifierField', $oidcUserIdentifierField, SQLITE3_TEXT);
$stmt->bindParam(':oidcScopes', $oidcScopes, SQLITE3_TEXT);
$stmt->bindParam(':oidcAuthStyle', $oidcAuthStyle, SQLITE3_TEXT);
$stmt->bindParam(':oidcAutoCreateUser', $oidcAutoCreateUser, SQLITE3_INTEGER);
$stmt->bindParam(':oidcPasswordLoginDisabled', $oidcPasswordLoginDisabled, SQLITE3_INTEGER);
$stmt->execute();
if ($db->changes() > 0) {
$db->close();
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
} else {
$db->close();
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
+53 -72
@@ -1,85 +1,66 @@
<?php
require_once '../../includes/connect_endpoint.php';
require_once '../../includes/validate_endpoint_admin.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
// Check that user is an admin
if ($userId !== 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
$openRegistrations = $data['open_registrations'];
$maxUsers = $data['max_users'];
$requireEmailVerification = $data['require_email_validation'];
$serverUrl = $data['server_url'];
$disableLogin = $data['disable_login'];
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$openRegistrations = $data['open_registrations'];
$maxUsers = $data['max_users'];
$requireEmailVerification = $data['require_email_validation'];
$serverUrl = $data['server_url'];
$disableLogin = $data['disable_login'];
if ($disableLogin == 1) {
if ($openRegistrations == 1) {
echo json_encode([
"success" => false,
"message" => translate('error', $i18n)
]);
die();
}
$sql = "SELECT COUNT(*) as userCount FROM user";
$stmt = $db->prepare($sql);
$result = $stmt->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
$userCount = $row['userCount'];
if ($userCount > 1) {
echo json_encode([
"success" => false,
"message" => translate('error', $i18n)
]);
die();
}
}
if ($requireEmailVerification == 1 && $serverUrl == "") {
echo json_encode([
"success" => false,
"message" => translate('fill_all_fields', $i18n)
]);
die();
}
$sql = "UPDATE admin SET registrations_open = :openRegistrations, max_users = :maxUsers, require_email_verification = :requireEmailVerification, server_url = :serverUrl, login_disabled = :disableLogin WHERE id = 1";
$stmt = $db->prepare($sql);
$stmt->bindParam(':openRegistrations', $openRegistrations, SQLITE3_INTEGER);
$stmt->bindParam(':maxUsers', $maxUsers, SQLITE3_INTEGER);
$stmt->bindParam(':requireEmailVerification', $requireEmailVerification, SQLITE3_INTEGER);
$stmt->bindParam(':serverUrl', $serverUrl, SQLITE3_TEXT);
$stmt->bindParam(':disableLogin', $disableLogin, SQLITE3_INTEGER);
$result = $stmt->execute();
if ($result) {
echo json_encode([
"success" => true,
"message" => translate('success', $i18n)
]);
} else {
if ($disableLogin == 1) {
if ($openRegistrations == 1) {
echo json_encode([
"success" => false,
"message" => translate('error', $i18n)
]);
die();
}
$sql = "SELECT COUNT(*) as userCount FROM user";
$stmt = $db->prepare($sql);
$result = $stmt->execute();
$row = $result->fetchArray(SQLITE3_ASSOC);
$userCount = $row['userCount'];
if ($userCount > 1) {
echo json_encode([
"success" => false,
"message" => translate('error', $i18n)
]);
die();
}
}
?>
if ($requireEmailVerification == 1 && $serverUrl == "") {
echo json_encode([
"success" => false,
"message" => translate('fill_all_fields', $i18n)
]);
die();
}
$sql = "UPDATE admin SET registrations_open = :openRegistrations, max_users = :maxUsers, require_email_verification = :requireEmailVerification, server_url = :serverUrl, login_disabled = :disableLogin WHERE id = 1";
$stmt = $db->prepare($sql);
$stmt->bindParam(':openRegistrations', $openRegistrations, SQLITE3_INTEGER);
$stmt->bindParam(':maxUsers', $maxUsers, SQLITE3_INTEGER);
$stmt->bindParam(':requireEmailVerification', $requireEmailVerification, SQLITE3_INTEGER);
$stmt->bindParam(':serverUrl', $serverUrl, SQLITE3_TEXT);
$stmt->bindParam(':disableLogin', $disableLogin, SQLITE3_INTEGER);
$result = $stmt->execute();
if ($result) {
echo json_encode([
"success" => true,
"message" => translate('success', $i18n)
]);
} else {
echo json_encode([
"success" => false,
"message" => translate('error', $i18n)
]);
}
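Review bot: The five settings are read straight out of the decoded body at `$openRegistrations = $data['open_registrations'];` and the four lines after it with no presence or type check, so a missing key raises an undefined-index warning (which can end up inside the JSON response when display_errors is on) and an undecodable body makes `$data` null. Coercing each value at the boundary closes that, e.g. `$openRegistrations = (int) ($data['open_registrations'] ?? 0);` for the flags and `$serverUrl = trim((string) ($data['server_url'] ?? ''));` for the URL. Since `server_url` is only required when e-mail verification is on and is presumably embedded in the verification links, checking it with `filter_var($serverUrl, FILTER_VALIDATE_URL)` before the UPDATE is a cheap extra guard; the existing `$serverUrl == ""` test lets any non-empty string through. The error branches mix `echo ...; die();` with the `die(json_encode(...))` form used by the other admin endpoints in this commit, which is only a style point but worth aligning while the file is being touched.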
+31 -51
@@ -1,64 +1,44 @@
<?php
require_once '../../includes/connect_endpoint.php';
require_once '../../includes/validate_endpoint_admin.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$smtpAddress = $data['smtpaddress'];
$smtpPort = $data['smtpport'];
$encryption = $data['encryption'];
$smtpUsername = $data['smtpusername'];
$smtpPassword = $data['smtppassword'];
$fromEmail = $data['fromemail'];
if (empty($smtpAddress) || empty($smtpPort)) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
"message" => translate('fill_all_fields', $i18n)
]));
}
// Check that user is an admin
if ($userId !== 1) {
// Save settings
$stmt = $db->prepare('UPDATE admin SET smtp_address = :smtp_address, smtp_port = :smtp_port, encryption = :encryption, smtp_username = :smtp_username, smtp_password = :smtp_password, from_email = :from_email');
$stmt->bindValue(':smtp_address', $smtpAddress, SQLITE3_TEXT);
$stmt->bindValue(':smtp_port', $smtpPort, SQLITE3_TEXT);
$encryption = empty($data['encryption']) ? 'tls' : $data['encryption'];
$stmt->bindValue(':encryption', $encryption, SQLITE3_TEXT);
$stmt->bindValue(':smtp_username', $smtpUsername, SQLITE3_TEXT);
$stmt->bindValue(':smtp_password', $smtpPassword, SQLITE3_TEXT);
$stmt->bindValue(':from_email', $fromEmail, SQLITE3_TEXT);
$result = $stmt->execute();
if ($result) {
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
} else {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$smtpAddress = $data['smtpaddress'];
$smtpPort = $data['smtpport'];
$encryption = $data['encryption'];
$smtpUsername = $data['smtpusername'];
$smtpPassword = $data['smtppassword'];
$fromEmail = $data['fromemail'];
if (empty($smtpAddress) || empty($smtpPort)) {
die(json_encode([
"success" => false,
"message" => translate('fill_all_fields', $i18n)
]));
}
// Save settings
$stmt = $db->prepare('UPDATE admin SET smtp_address = :smtp_address, smtp_port = :smtp_port, encryption = :encryption, smtp_username = :smtp_username, smtp_password = :smtp_password, from_email = :from_email');
$stmt->bindValue(':smtp_address', $smtpAddress, SQLITE3_TEXT);
$stmt->bindValue(':smtp_port', $smtpPort, SQLITE3_TEXT);
$encryption = empty($data['encryption']) ? 'tls' : $data['encryption'];
$stmt->bindValue(':encryption', $encryption, SQLITE3_TEXT);
$stmt->bindValue(':smtp_username', $smtpUsername, SQLITE3_TEXT);
$stmt->bindValue(':smtp_password', $smtpPassword, SQLITE3_TEXT);
$stmt->bindValue(':from_email', $fromEmail, SQLITE3_TEXT);
$result = $stmt->execute();
if ($result) {
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
} else {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
}
?>
}
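Review bot: The SMTP fields are written to the `admin` row with no validation beyond the non-empty check on address and port: `smtpport` is bound as text without a numeric/range check, `encryption` is stored as whatever string the client sends (only an empty value is defaulted to `tls`), and `fromemail` is never passed through `FILTER_VALIDATE_EMAIL`. An allow-list is cheap here, e.g. `if (!in_array($encryption, ['tls', 'ssl'], true)) { die(json_encode(["success" => false, "message" => translate('fill_all_fields', $i18n)])); }`, extended to whatever values the mailer actually accepts (not visible in this diff). The earlier `$encryption = $data['encryption'];` is dead, since the value is recomputed just before binding. Note also that a malformed body makes `json_decode` return `null`, so every `$data[...]` read emits a warning before the empty check fires; `$data = json_decode($postData, true) ?? [];` avoids that.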
+16 -36
@@ -1,46 +1,26 @@
<?php
require_once '../../includes/connect_endpoint.php';
require_once '../../includes/validate_endpoint_admin.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$updateNotification = $data['notificationEnabled'];
// Save settings
$stmt = $db->prepare('UPDATE admin SET update_notification = :update_notification');
$stmt->bindValue(':update_notification', $updateNotification, SQLITE3_INTEGER);
$result = $stmt->execute();
if ($result) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
"success" => true,
"message" => translate('success', $i18n)
]));
}
// Check that user is an admin
if ($userId !== 1) {
} else {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$postData = file_get_contents("php://input");
$data = json_decode($postData, true);
$updateNotification = $data['notificationEnabled'];
// Save settings
$stmt = $db->prepare('UPDATE admin SET update_notification = :update_notification');
$stmt->bindValue(':update_notification', $updateNotification, SQLITE3_INTEGER);
$result = $stmt->execute();
if ($result) {
die(json_encode([
"success" => true,
"message" => translate('success', $i18n)
]));
} else {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
}
?>
}
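Review bot: `notificationEnabled` is taken straight from the JSON body and bound as `SQLITE3_INTEGER`, so any non-numeric or out-of-range value is silently coerced into the column; normalising it first, `$updateNotification = !empty($data['notificationEnabled']) ? 1 : 0;`, keeps the stored value to the two states the UI toggle can produce. As in the other endpoints touched by this commit, a malformed body makes `json_decode` return `null`, and `$data['notificationEnabled']` then raises a warning; `$data = json_decode($postData, true) ?? [];` avoids that.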
+7 -7
@@ -19,7 +19,7 @@ switch ($action) {
handleSortCategories($db, $userId, $i18n);
break;
default:
echo json_encode(["success" => false, "errorMessage" => translate('error', $i18n)]);
echo json_encode(["success" => false, "message" => translate('error', $i18n)]);
break;
}
@@ -55,7 +55,7 @@ function handleAddCategory($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_add_category', $i18n)
"message" => translate('failed_add_category', $i18n)
];
echo json_encode($response);
}
@@ -82,14 +82,14 @@ function handleEditCategory($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_edit_category', $i18n)
"message" => translate('failed_edit_category', $i18n)
];
echo json_encode($response);
}
} else {
$response = [
"success" => false,
"errorMessage" => translate('fill_all_fields', $i18n)
"message" => translate('fill_all_fields', $i18n)
];
echo json_encode($response);
}
@@ -110,7 +110,7 @@ function handleDeleteCategory($db, $userId, $i18n)
if ($count > 0) {
$response = [
"success" => false,
"errorMessage" => translate('category_in_use', $i18n)
"message" => translate('category_in_use', $i18n)
];
echo json_encode($response);
} else {
@@ -128,7 +128,7 @@ function handleDeleteCategory($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_remove_category', $i18n)
"message" => translate('failed_remove_category', $i18n)
];
echo json_encode($response);
}
@@ -136,7 +136,7 @@ function handleDeleteCategory($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_remove_category', $i18n)
"message" => translate('failed_remove_category', $i18n)
];
echo json_encode($response);
}
+1 -1
@@ -16,7 +16,7 @@ switch ($action) {
handleDeleteCurrency($db, $userId, $i18n);
break;
default:
echo json_encode(["success" => false, "errorMessage" => translate('error', $i18n)]);
echo json_encode(["success" => false, "message" => translate('error', $i18n)]);
break;
}
+2 -11
@@ -1,12 +1,6 @@
<?php
require_once '../../includes/connect_endpoint.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
require_once '../../includes/validate_endpoint_admin.php';
function addFolderToZip($dir, $zipArchive, $zipdir = '')
{
@@ -67,7 +61,4 @@ if ($zip->close() === false) {
"numFiles" => $numberOfFilesAdded,
"file" => $filename
]));
}
?>
}
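Review bot: The backup archive is written somewhere the browser later fetches with a plain GET of `.tmp/<file>` (see the `backupDB()` change in this same commit), so a zip containing the whole database is served as a static file with no session or CSRF check, protected only by how unpredictable `file` in the JSON response is; the code that builds `$filename` is outside this hunk, so I cannot tell how guessable it is. If `.tmp/` must stay web-reachable, consider serving the download through an authenticated endpoint, or at least generating the name with `bin2hex(random_bytes(16))` and deleting the archive once it has been downloaded. `addFolderToZip` and the rest of the endpoint body are outside this hunk.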
+74 -94
@@ -1,21 +1,9 @@
<?php
require_once '../../includes/connect_endpoint.php';
require_once '../../includes/validate_endpoint_admin.php';
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
if ($userId !== 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
function emptyRestoreFolder() {
function emptyRestoreFolder()
{
$files = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator('../../.tmp', RecursiveDirectoryIterator::SKIP_DOTS),
RecursiveIteratorIterator::CHILD_FIRST
@@ -27,96 +15,88 @@ function emptyRestoreFolder() {
}
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (isset($_FILES['file'])) {
$file = $_FILES['file'];
$fileTmpName = $file['tmp_name'];
$fileError = $file['error'];
if ($fileError === 0) {
$fileDestination = '../../.tmp/restore.zip';
move_uploaded_file($fileTmpName, $fileDestination);
$zip = new ZipArchive();
if ($zip->open($fileDestination) === true) {
$zip->extractTo('../../.tmp/restore/');
$zip->close();
} else {
die(json_encode([
"success" => false,
"message" => "Failed to extract the uploaded file"
]));
}
if (file_exists('../../.tmp/restore/wallos.db')) {
if (file_exists('../../db/wallos.db')) {
unlink('../../db/wallos.db');
}
rename('../../.tmp/restore/wallos.db', '../../db/wallos.db');
if (file_exists('../../.tmp/restore/logos/')) {
$dir = '../../images/uploads/logos/';
$di = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
$ri = new RecursiveIteratorIterator($di, RecursiveIteratorIterator::CHILD_FIRST);
foreach ($ri as $file) {
if ($file->isDir()) {
rmdir($file->getPathname());
} else {
unlink($file->getPathname());
}
}
$dir = new RecursiveDirectoryIterator('../../.tmp/restore/logos/');
$ite = new RecursiveIteratorIterator($dir);
$allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
foreach ($ite as $filePath) {
if (in_array(pathinfo($filePath, PATHINFO_EXTENSION), $allowedExtensions)) {
$destination = str_replace('../../.tmp/restore/', '../../images/uploads/', $filePath);
$destinationDir = pathinfo($destination, PATHINFO_DIRNAME);
if (!is_dir($destinationDir)) {
mkdir($destinationDir, 0755, true);
}
copy($filePath, $destination);
}
}
}
emptyRestoreFolder();
echo json_encode([
"success" => true,
"message" => translate("success", $i18n)
]);
} else {
emptyRestoreFolder();
die(json_encode([
"success" => false,
"message" => "wallos.db does not exist in the backup file"
]));
}
if (isset($_FILES['file'])) {
$file = $_FILES['file'];
$fileTmpName = $file['tmp_name'];
$fileError = $file['error'];
if ($fileError === 0) {
$fileDestination = '../../.tmp/restore.zip';
move_uploaded_file($fileTmpName, $fileDestination);
$zip = new ZipArchive();
if ($zip->open($fileDestination) === true) {
$zip->extractTo('../../.tmp/restore/');
$zip->close();
} else {
echo json_encode([
die(json_encode([
"success" => false,
"message" => "Failed to upload file"
]);
"message" => "Failed to extract the uploaded file"
]));
}
if (file_exists('../../.tmp/restore/wallos.db')) {
if (file_exists('../../db/wallos.db')) {
unlink('../../db/wallos.db');
}
rename('../../.tmp/restore/wallos.db', '../../db/wallos.db');
if (file_exists('../../.tmp/restore/logos/')) {
$dir = '../../images/uploads/logos/';
$di = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
$ri = new RecursiveIteratorIterator($di, RecursiveIteratorIterator::CHILD_FIRST);
foreach ($ri as $file) {
if ($file->isDir()) {
rmdir($file->getPathname());
} else {
unlink($file->getPathname());
}
}
$dir = new RecursiveDirectoryIterator('../../.tmp/restore/logos/');
$ite = new RecursiveIteratorIterator($dir);
$allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
foreach ($ite as $filePath) {
if (in_array(pathinfo($filePath, PATHINFO_EXTENSION), $allowedExtensions)) {
$destination = str_replace('../../.tmp/restore/', '../../images/uploads/', $filePath);
$destinationDir = pathinfo($destination, PATHINFO_DIRNAME);
if (!is_dir($destinationDir)) {
mkdir($destinationDir, 0755, true);
}
copy($filePath, $destination);
}
}
}
emptyRestoreFolder();
echo json_encode([
"success" => true,
"message" => translate("success", $i18n)
]);
} else {
emptyRestoreFolder();
die(json_encode([
"success" => false,
"message" => "wallos.db does not exist in the backup file"
]));
}
} else {
echo json_encode([
"success" => false,
"message" => "No file uploaded"
"message" => "Failed to upload file"
]);
}
} else {
echo json_encode([
"success" => false,
"message" => "Invalid request method"
"message" => "No file uploaded"
]);
}
?>
}
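Review bot: The return value of `move_uploaded_file($fileTmpName, $fileDestination);` is ignored, so when the move fails the code goes on to open and restore whatever `.tmp/restore.zip` a previous run left behind. Further down, the live database is `unlink()`ed before `rename()` moves the new one in and the result of `rename()` is not checked; `rename()` already replaces an existing target, so the unlink only opens a window with no database at all and, if the rename fails, leaves the installation without one. The backup's `wallos.db` is also swapped in without any sanity check that it is a SQLite file — comparing the 16-byte `SQLite format 3\0` header would catch a wrong upload before the live database is replaced. The zip is extracted with no size or entry-count limit; since the endpoint is admin-only that is a robustness rather than an authorization concern.
```php
if (!move_uploaded_file($fileTmpName, $fileDestination)) {
    die(json_encode(["success" => false, "message" => "Failed to upload file"]));
}
// … unchanged: zip open / extractTo …
if (file_exists('../../.tmp/restore/wallos.db')) {
    $header = file_get_contents('../../.tmp/restore/wallos.db', false, null, 0, 16);
    if ($header !== "SQLite format 3\0") {
        emptyRestoreFolder();
        die(json_encode(["success" => false, "message" => "wallos.db in the backup is not a SQLite database"]));
    }
    // rename() replaces the existing file in place; no separate unlink() needed
    if (!rename('../../.tmp/restore/wallos.db', '../../db/wallos.db')) {
        emptyRestoreFolder();
        die(json_encode(["success" => false, "message" => translate('error', $i18n)]));
    }
    // … unchanged: logos restore, emptyRestoreFolder(), success response …
```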
+6 -6
@@ -39,7 +39,7 @@ function handleAddMember($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_add_household', $i18n)
"message" => translate('failed_add_household', $i18n)
];
echo json_encode($response);
}
@@ -69,14 +69,14 @@ function handleEditMember($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_edit_household', $i18n)
"message" => translate('failed_edit_household', $i18n)
];
echo json_encode($response);
}
} else {
$response = [
"success" => false,
"errorMessage" => translate('fill_all_fields', $i18n)
"message" => translate('fill_all_fields', $i18n)
];
echo json_encode($response);
}
@@ -97,7 +97,7 @@ function handleDeleteMember($db, $userId, $i18n)
if ($count > 0) {
$response = [
"success" => false,
"errorMessage" => translate('household_in_use', $i18n)
"message" => translate('household_in_use', $i18n)
];
echo json_encode($response);
} else {
@@ -115,7 +115,7 @@ function handleDeleteMember($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_remove_household', $i18n)
"message" => translate('failed_remove_household', $i18n)
];
echo json_encode($response);
}
@@ -123,7 +123,7 @@ function handleDeleteMember($db, $userId, $i18n)
} else {
$response = [
"success" => false,
"errorMessage" => translate('failed_remove_household', $i18n)
"message" => translate('failed_remove_household', $i18n)
];
echo json_encode($response);
}
+4 -4
@@ -29,7 +29,7 @@ function getLogoFromUrl($url, $uploadDir, $name, $i18n, $settings)
if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https?:\/\//i', $url)) {
$response = [
"success" => false,
"errorMessage" => "Invalid URL format."
"message" => "Invalid URL format."
];
echo json_encode($response);
exit();
@@ -40,7 +40,7 @@ function getLogoFromUrl($url, $uploadDir, $name, $i18n, $settings)
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
$response = [
"success" => false,
"errorMessage" => "Invalid IP Address."
"message" => "Invalid IP Address."
];
echo json_encode($response);
exit();
@@ -202,7 +202,7 @@ $iconUrl = validate($_POST['icon-url']);
if ($name === "" || ($iconUrl === "" && empty($_FILES['paymenticon']['name']))) {
$response = [
"success" => false,
"errorMessage" => translate('fill_all_fields', $i18n)
"message" => translate('fill_all_fields', $i18n)
];
echo json_encode($response);
exit();
@@ -219,7 +219,7 @@ if ($iconUrl !== "") {
if (strpos($fileType, 'image') === false) {
$response = [
"success" => false,
"errorMessage" => translate('fill_all_fields', $i18n)
"message" => translate('fill_all_fields', $i18n)
];
echo json_encode($response);
exit();
+2 -2
@@ -28,7 +28,7 @@ function getLogoFromUrl($url, $uploadDir, $name, $settings, $i18n)
if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https?:\/\//i', $url)) {
$response = [
"success" => false,
"errorMessage" => "Invalid URL format."
"message" => "Invalid URL format."
];
echo json_encode($response);
exit();
@@ -39,7 +39,7 @@ function getLogoFromUrl($url, $uploadDir, $name, $settings, $i18n)
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
$response = [
"success" => false,
"errorMessage" => "Invalid IP Address."
"message" => "Invalid IP Address."
];
echo json_encode($response);
exit();
+6 -6
@@ -230,7 +230,7 @@ if (
if ($otherUser) {
$response = [
"success" => false,
"errorMessage" => translate('email_exists', $i18n)
"message" => translate('email_exists', $i18n)
];
echo json_encode($response);
exit();
@@ -248,7 +248,7 @@ if (
if (strpos($fileType, 'image') === false) {
$response = [
"success" => false,
"errorMessage" => translate('fill_all_fields', $i18n)
"message" => translate('fill_all_fields', $i18n)
];
echo json_encode($response);
exit();
@@ -264,7 +264,7 @@ if (
if ($password != $confirm) {
$response = [
"success" => false,
"errorMessage" => translate('passwords_dont_match', $i18n)
"message" => translate('passwords_dont_match', $i18n)
];
echo json_encode($response);
exit();
@@ -272,7 +272,7 @@ if (
} else {
$response = [
"success" => false,
"errorMessage" => translate('passwords_dont_match', $i18n)
"message" => translate('passwords_dont_match', $i18n)
];
echo json_encode($response);
exit();
@@ -330,7 +330,7 @@ if (
} else {
$response = [
"success" => false,
"errorMessage" => translate('error_updating_user_data', $i18n)
"message" => translate('error_updating_user_data', $i18n)
];
echo json_encode($response);
}
@@ -339,7 +339,7 @@ if (
} else {
$response = [
"success" => false,
"errorMessage" => translate('fill_all_fields', $i18n)
"message" => translate('fill_all_fields', $i18n)
];
echo json_encode($response);
exit();
+2 -2
@@ -6,13 +6,13 @@
require_once __DIR__ . '/../libs/csrf.php';
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
echo json_encode(["success" => false, "errorMessage" => "Invalid request method"]);
echo json_encode(["success" => false, "message" => "Invalid request method"]);
exit;
}
$csrf = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? '');
if (!verify_csrf_token($csrf)) {
echo json_encode(["success" => false, "errorMessage" => "Invalid CSRF token"]);
echo json_encode(["success" => false, "message" => "Invalid CSRF token"]);
exit;
}
+9
@@ -0,0 +1,9 @@
<?php
require_once __DIR__ . '/validate_endpoint.php';
// Check that user is an admin
if ($userId !== 1) {
die(json_encode([
"success" => false,
"message" => translate('error', $i18n)
]));
}
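Review bot: This new guard carries no documentation and its admin test is the hard-coded `$userId !== 1`; a header comment would help whoever adds the next endpoint, e.g. `// Guard for admin-only endpoints: validate_endpoint.php enforces POST, session and CSRF token and sets $userId; only the first user (id 1) is treated as admin.` The strict comparison fails closed when `$userId` is unset or a string, which is the right direction, but it relies on `validate_endpoint.php` assigning an int — that file is not visible here, so worth confirming. Consider `http_response_code(403);` before the `die()`, since callers otherwise receive a 200 with a generic error body indistinguishable from a server-side failure.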
+61 -26
@@ -3,6 +3,7 @@ function makeFetchCall(url, data, button) {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data),
})
@@ -69,6 +70,7 @@ function saveSmtpSettingsButton() {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data),
})
@@ -94,37 +96,45 @@ function backupDB() {
const button = document.getElementById("backupDB");
button.disabled = true;
fetch('endpoints/db/backup.php')
fetch("endpoints/db/backup.php", {
method: "POST",
headers: {
"X-CSRF-Token": window.csrfToken,
},
})
.then(response => response.json())
.then(data => {
if (data.success) {
const link = document.createElement('a');
const link = document.createElement("a");
const filename = data.file;
link.href = '.tmp/' + filename;
link.href = ".tmp/" + filename;
const date = new Date();
const year = date.getFullYear();
const month = String(date.getMonth() + 1).padStart(2, '0');
const day = String(date.getDate()).padStart(2, '0');
const hours = String(date.getHours()).padStart(2, '0');
const minutes = String(date.getMinutes()).padStart(2, '0');
const month = String(date.getMonth() + 1).padStart(2, "0");
const day = String(date.getDate()).padStart(2, "0");
const hours = String(date.getHours()).padStart(2, "0");
const minutes = String(date.getMinutes()).padStart(2, "0");
const timestamp = `${year}${month}${day}-${hours}${minutes}`;
link.download = `Wallos-Backup-${timestamp}.zip`;
document.body.appendChild(link);
link.click();
document.body.removeChild(link);
button.disabled = false;
} else {
showErrorMessage(data.errorMessage);
button.disabled = false;
showErrorMessage(data.message || translate("backup_failed"));
}
})
.catch(error => {
showErrorMessage(error);
console.error(error);
showErrorMessage(translate("unknown_error"));
})
.finally(() => {
button.disabled = false;
});
}
function openRestoreDBFileSelect() {
document.getElementById('restoreDBFile').click();
};
@@ -134,34 +144,47 @@ function restoreDB() {
const file = input.files[0];
if (!file) {
console.error('No file selected');
showErrorMessage(translate('no_file_selected'));
return;
}
const formData = new FormData();
formData.append('file', file);
const button = document.getElementById('restoreDB');
button.disabled = true;
fetch('endpoints/db/restore.php', {
method: 'POST',
body: formData
headers: {
'X-CSRF-Token': window.csrfToken, // ✅ CSRF protection
},
body: formData,
})
.then(response => response.json())
.then(data => {
if (data.success) {
showSuccessMessage(data.message);
// After restoring, run migrations then log out (force re-login)
fetch('endpoints/db/migrate.php')
.then(response => response.text())
.then(() => {
window.location.href = 'logout.php';
})
.catch(error => {
.catch(() => {
window.location.href = 'logout.php';
});
} else {
showErrorMessage(data.message);
showErrorMessage(data.message || translate('restore_failed'));
}
})
.catch(error => showErrorMessage('Error:', error));
.catch(error => {
console.error(error);
showErrorMessage(translate('unknown_error'));
})
.finally(() => {
button.disabled = false;
});
}
function saveAccountRegistrationsButton() {
@@ -185,7 +208,8 @@ function saveAccountRegistrationsButton() {
fetch('endpoints/admin/saveopenregistrations.php', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data)
})
@@ -213,7 +237,8 @@ function removeUser(userId) {
fetch('endpoints/admin/deleteuser.php', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data)
})
@@ -250,7 +275,8 @@ function addUserButton() {
fetch('endpoints/admin/adduser.php', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data)
})
@@ -275,7 +301,13 @@ function deleteUnusedLogos() {
const button = document.getElementById('deleteUnusedLogos');
button.disabled = true;
fetch('endpoints/admin/deleteunusedlogos.php')
fetch('endpoints/admin/deleteunusedlogos.php', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
}
})
.then(response => response.json())
.then(data => {
if (data.success) {
@@ -304,7 +336,8 @@ function toggleUpdateNotification() {
fetch('endpoints/admin/updatenotification.php', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data)
})
@@ -346,7 +379,7 @@ function toggleOidcEnabled() {
toggle.disabled = true;
const oidcEnabled = toggle.checked ? 1 : 0;
const data = {
oidcEnabled: oidcEnabled
};
@@ -354,7 +387,8 @@ function toggleOidcEnabled() {
fetch('endpoints/admin/enableoidc.php', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data)
})
@@ -412,7 +446,8 @@ function saveOidcSettingsButton() {
fetch('endpoints/admin/saveoidcsettings.php', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
'Content-Type': 'application/json',
'X-CSRF-Token': window.csrfToken,
},
body: JSON.stringify(data)
})
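Review bot: `restoreDB()` still calls `fetch('endpoints/db/migrate.php')` as a plain GET with no `X-CSRF-Token` header (an unchanged line in the restore hunk), while every other admin call in this file was switched to POST plus token. If `migrate.php` is now behind `validate_endpoint.php`, which rejects non-POST requests, the post-restore migration fails silently because both branches redirect to `logout.php`; if it is not, it is the one database-writing admin request left without CSRF protection. Either way it should match the rest: `fetch('endpoints/db/migrate.php', { method: 'POST', headers: { 'X-CSRF-Token': window.csrfToken } })`. Minor style point: drop the emoji from the `// ✅ CSRF protection` comment on the restore fetch; the header is self-explanatory and none of the other call sites annotate it.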
+1 -1
@@ -27,7 +27,7 @@ document.addEventListener('DOMContentLoaded', function () {
location.reload();
}
} else {
showErrorMessage(data.errorMessage || translate("failed_save_user"));
showErrorMessage(data.message || translate("failed_save_user"));
}
})
.catch(error => {
+15 -15
@@ -111,7 +111,7 @@ function addMemberButton(memberId) {
container.appendChild(div);
} else {
showErrorMessage(responseData.errorMessage || translate("failed_add_member"));
showErrorMessage(responseData.message || translate("failed_add_member"));
}
})
.catch(error => {
@@ -147,7 +147,7 @@ function removeMember(memberId) {
if (divToRemove) divToRemove.remove();
showSuccessMessage(responseData.message);
} else {
showErrorMessage(responseData.errorMessage || translate("failed_remove_member"));
showErrorMessage(responseData.message || translate("failed_remove_member"));
}
})
.catch(error => {
@@ -194,7 +194,7 @@ function editMember(memberId) {
if (responseData.success) {
showSuccessMessage(responseData.message);
} else {
showErrorMessage(responseData.errorMessage || translate("failed_save_member"));
showErrorMessage(responseData.message || translate("failed_save_member"));
}
})
.catch(error => {
@@ -269,7 +269,7 @@ function addCategoryButton(categoryId) {
row.appendChild(deleteLink);
container.appendChild(row);
} else {
showErrorMessage(responseData.errorMessage);
showErrorMessage(responseData.message);
}
})
.catch(error => {
@@ -306,7 +306,7 @@ function removeCategory(categoryId) {
if (divToRemove) divToRemove.remove();
showSuccessMessage(responseData.message);
} else {
showErrorMessage(responseData.errorMessage || translate('failed_remove_category'));
showErrorMessage(responseData.message || translate('failed_remove_category'));
}
})
.catch(error => {
@@ -353,7 +353,7 @@ function editCategory(categoryId) {
if (responseData.success) {
showSuccessMessage(responseData.message);
} else {
showErrorMessage(responseData.errorMessage || translate('failed_save_category'));
showErrorMessage(responseData.message || translate('failed_save_category'));
}
})
.catch(error => {
@@ -437,7 +437,7 @@ function addCurrencyButton(currencyId) {
container.appendChild(div);
} else {
showErrorMessage(responseData.errorMessage || translate('failed_add_currency'));
showErrorMessage(responseData.message || translate('failed_add_currency'));
}
})
.catch(error => {
@@ -781,7 +781,7 @@ function addPaymentMethod() {
resetFormIcon();
reloadPaymentMethods();
} else {
showErrorMessage(data.errorMessage || translate("failed_add_payment_method"));
showErrorMessage(data.message || translate("failed_add_payment_method"));
}
})
.catch(error => {
@@ -812,7 +812,7 @@ function deletePaymentMethod(paymentId) {
paymentToRemove.remove();
}
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
}
})
.catch((error) => {
@@ -842,7 +842,7 @@ function savePaymentMethodsSorting() {
if (data.success) {
showSuccessMessage(data.message);
} else {
showErrorMessage(data.errorMessage || translate("failed_sort_payment_methods"));
showErrorMessage(data.message || translate("failed_sort_payment_methods"));
}
})
.catch(error => {
@@ -941,7 +941,7 @@ function storeSettingsOnDB(endpoint, value) {
if (data.success) {
showSuccessMessage(data.message);
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
}
});
}
@@ -1020,7 +1020,7 @@ function saveCategorySorting() {
if (data.success) {
showSuccessMessage(data.message);
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
}
})
.catch(error => {
@@ -1068,7 +1068,7 @@ function fetch_ai_models() {
modelSelect.appendChild(option);
});
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
}
})
.catch(error => {
@@ -1116,7 +1116,7 @@ function saveAiSettingsButton() {
runAiActionButton.classList.add("hidden");
}
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
}
})
.catch(error => {
@@ -1144,7 +1144,7 @@ function runAiRecommendations() {
if (data.success) {
showSuccessMessage(data.message);
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
}
})
.catch(error => {
+2 -2
@@ -23,7 +23,7 @@ function switchTheme() {
if (data.success) {
showSuccessMessage(data.message);
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
}
button.disabled = false;
}).catch(error => {
@@ -85,7 +85,7 @@ function setDarkTheme(theme) {
showSuccessMessage(data.message);
} else {
showErrorMessage(data.errorMessage);
showErrorMessage(data.message);
darkThemeButton.disabled = false;
lightThemeButton.disabled = false;
automaticThemeButton.disabled = false;