PHP WebShell
Текущая директория: /var/www/bitcardoApp/backyard/common
Просмотр файла: protect.php
<?php
/**
* backyard/common/protect.php
*
* Protects the admin (backyard) area using the EXISTING frontend auth session.
* - Assumes frontend login sets: $_SESSION['loggedIn'] = true and $_SESSION['user_id']
* - Uses users.level_id and user_level table to authorize access
* - Admins are level_id 6..10 (per your rule)
*
* Usage (top of any backyard page):
* require_once __DIR__ . '/protect.php';
* protect_admin(); // requires level_id >= 6
*
* Or require certain level keys OR minimum priority:
* protect_levels(['administrator','admin_finance']); // allow only these keys
* protect_min_priority(50); // allow any with priority >= 50
*/
// ---------- Session ----------
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
// ---------- DB (proxy to root config via backyard/config/db_config.php) ----------
if (!isset($conn) || !($conn instanceof mysqli)) {
// backyard/config/db_config.php should proxy to ../../config/db_config.php
require_once __DIR__ . '/../config/db_config.php';
// After this, $conn must be a valid mysqli
if (!isset($conn) || !($conn instanceof mysqli)) {
http_response_code(500);
exit('DB connection not available.');
}
}
// ---------- Helpers ----------
function by_safe_redirect(string $location): void {
if (!headers_sent()) {
header('Location: ' . $location);
} else {
echo '<script>location.href=' . json_encode($location) . ';</script>';
}
exit;
}
function by_current_url(): string {
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$host = $_SERVER['HTTP_HOST'] ?? 'localhost';
$uri = $_SERVER['REQUEST_URI'] ?? '/';
return $scheme . '://' . $host . $uri;
}
// Fetch a fresh user row with level details
function by_fetch_user_with_level(mysqli $conn, int $user_id): ?array {
$sql = "
SELECT u.user_id, u.email, u.first_name, u.last_name, u.level_id,
ul.level_key, ul.level_name, ul.priority
FROM users u
LEFT JOIN user_level ul ON ul.level_id = u.level_id
WHERE u.user_id = ?
LIMIT 1
";
$stmt = $conn->prepare($sql);
if (!$stmt) return null;
$stmt->bind_param('i', $user_id);
$stmt->execute();
$res = $stmt->get_result();
$row = $res ? $res->fetch_assoc() : null;
$stmt->close();
return $row ?: null;
}
// ---------- Core guards ----------
// Require logged-in frontend user first
function protect_login(): array {
if (empty($_SESSION['loggedIn']) || empty($_SESSION['user_id'])) {
// Save after-login redirect to come back here
$_SESSION['after_login_redirect'] = by_current_url();
by_safe_redirect('/auth/login.php');
}
global $conn;
$uid = (int)$_SESSION['user_id'];
$u = by_fetch_user_with_level($conn, $uid);
if (!$u) {
// user vanished or DB mismatch → force logout and back to login
$_SESSION = [];
session_destroy();
by_safe_redirect('/auth/login.php?relogin=1');
}
return $u; // array with level_id, level_key, priority, etc.
}
// Require admin by your rule: level_id 6..10
function protect_admin(): void {
$u = protect_login();
$level_id = (int)($u['level_id'] ?? 0);
if ($level_id < 6) {
// Logged in but not admin → send to user dashboard
by_safe_redirect('/user/dashboard/index.php?forbidden=1');
}
}
// Allow specific level keys (e.g., ['administrator','admin_finance'])
function protect_levels($allowed): void {
$u = protect_login();
$allowedKeys = (array)$allowed;
$key = strtolower((string)($u['level_key'] ?? ''));
$level_id = (int)($u['level_id'] ?? 0);
// Still enforce admin band: only IDs 6..10 qualify for any backyard access
if ($level_id < 6 || !in_array($key, array_map('strtolower', $allowedKeys), true)) {
by_safe_redirect('/user/dashboard/index.php?forbidden=1');
}
}
// Allow anyone whose priority >= N (per user_level.priority)
function protect_min_priority(int $min): void {
$u = protect_login();
$prio = (int)($u['priority'] ?? 0);
// Also require admin band (6..10)
$level_id = (int)($u['level_id'] ?? 0);
if ($level_id < 6 || $prio < $min) {
by_safe_redirect('/user/dashboard/index.php?forbidden=1');
}
}
Выполнить команду
Для локальной разработки. Не используйте в интернете!