Project-Pro/pomysloweprezenty.pl
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Jacek Pyziak
2026-03-12 19:58:37 +01:00
parent 51ea37d2ec
commit 0182d60971
15 changed files with 163 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
autoload/Domain/Article/ArticleRepository.php
View File

@@ -318,9 +318,7 @@ class ArticleRepository
if (is_array($results)) {
foreach ($results as $row) {
if (file_exists('../' . $row['src'])) {
unlink('../' . $row['src']);
}
$this->safeUnlink($row['src']);
}
}
@@ -337,9 +335,7 @@ class ArticleRepository
if (is_array($results)) {
foreach ($results as $row) {
if (file_exists('../' . $row['src'])) {
unlink('../' . $row['src']);
}
$this->safeUnlink($row['src']);
}
}
@@ -819,9 +815,7 @@ class ArticleRepository
$results = $this->db->select('pp_articles_files', '*', ['article_id' => null]);
if (is_array($results)) {
foreach ($results as $row) {
if (file_exists('../' . $row['src'])) {
unlink('../' . $row['src']);
}
$this->safeUnlink($row['src']);
}
}
@@ -836,15 +830,31 @@ class ArticleRepository
$results = $this->db->select('pp_articles_images', '*', ['article_id' => null]);
if (is_array($results)) {
foreach ($results as $row) {
if (file_exists('../' . $row['src'])) {
unlink('../' . $row['src']);
}
$this->safeUnlink($row['src']);
}
}
$this->db->delete('pp_articles_images', ['article_id' => null]);
}
/**
* Usuwa plik z dysku tylko jeśli ścieżka pozostaje wewnątrz katalogu upload/.
* Zapobiega path traversal przy danych z bazy.
*/
private function safeUnlink(string $src): void
{
$base = realpath('../upload');
if (!$base) {
return;
}
$full = realpath('../' . ltrim($src, '/'));
if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) {
unlink($full);
} elseif ($full) {
error_log( '[shopPRO] safeUnlink: ścieżka poza upload/: ' . $src );
}
}
/**
* Pobiera artykuly opublikowane w podanym zakresie dat.
*/

18
autoload/Domain/Integrations/IntegrationsRepository.php
View File

@@ -28,10 +28,9 @@ class IntegrationsRepository
public function getSettings( string $provider ): array
{
$table = $this->settingsTable( $provider );
$stmt = $this->db->query( "SELECT * FROM $table" );
$results = $stmt ? $stmt->fetchAll( \PDO::FETCH_ASSOC ) : [];
$rows = $this->db->select( $table, [ 'name', 'value' ] );
$settings = [];
foreach ( $results as $row )
foreach ( $rows ?: [] as $row )
$settings[$row['name']] = $row['value'];
return $settings;
@@ -160,10 +159,15 @@ class IntegrationsRepository
if ( empty( $response['accessToken'] ) )
return false;
$this->saveSetting( 'apilo', 'access-token', $response['accessToken'] );
$this->saveSetting( 'apilo', 'refresh-token', $response['refreshToken'] );
$this->saveSetting( 'apilo', 'access-token-expire-at', $response['accessTokenExpireAt'] );
$this->saveSetting( 'apilo', 'refresh-token-expire-at', $response['refreshTokenExpireAt'] );
try {
$this->saveSetting( 'apilo', 'access-token', $response['accessToken'] );
$this->saveSetting( 'apilo', 'refresh-token', $response['refreshToken'] );
$this->saveSetting( 'apilo', 'access-token-expire-at', $response['accessTokenExpireAt'] );
$this->saveSetting( 'apilo', 'refresh-token-expire-at', $response['refreshTokenExpireAt'] );
} catch ( \Exception $e ) {
error_log( '[shopPRO] Apilo: błąd zapisu tokenów: ' . $e->getMessage() );
return false;
}
return true;
}

2
autoload/Domain/Order/OrderRepository.php
View File

@@ -814,7 +814,7 @@ class OrderRepository
\Shared\Helpers\Helpers::send_email($settings['contact_email'], 'Nowe zamówienie / ' . $settings['firm_name'] . ' / ' . $order['number'] . ' - ' . $order['client_surname'] . ' ' . $order['client_name'], $mail_order);
// zmiana statusu w realizacji jeżeli płatność przy odbiorze
if ($payment_id == 3) {
if (!empty($payment_method['is_cod'])) {
$this->updateOrderStatus($order_id, 4);
$this->insertStatusHistory($order_id, 4, 1);
}

5
autoload/Domain/PaymentMethod/PaymentMethodRepository.php
View File

@@ -122,6 +122,7 @@ class PaymentMethodRepository
'apilo_payment_type_id' => $this->normalizeApiloPaymentTypeId($data['apilo_payment_type_id'] ?? null),
'min_order_amount' => $this->normalizeDecimalOrNull($data['min_order_amount'] ?? null),
'max_order_amount' => $this->normalizeDecimalOrNull($data['max_order_amount'] ?? null),
'is_cod' => (int)(!empty($data['is_cod']) ? 1 : 0),
];
$this->db->update('pp_shop_payment_methods', $row, ['id' => $paymentMethodId]);
@@ -240,7 +241,8 @@ class PaymentMethodRepository
spm.status,
spm.apilo_payment_type_id,
spm.min_order_amount,
spm.max_order_amount
spm.max_order_amount,
spm.is_cod
FROM pp_shop_payment_methods AS spm
INNER JOIN pp_shop_transport_payment_methods AS stpm
ON stpm.id_payment_method = spm.id
@@ -335,6 +337,7 @@ class PaymentMethodRepository
$row['apilo_payment_type_id'] = $this->normalizeApiloPaymentTypeId($row['apilo_payment_type_id'] ?? null);
$row['min_order_amount'] = $this->normalizeDecimalOrNull($row['min_order_amount'] ?? null);
$row['max_order_amount'] = $this->normalizeDecimalOrNull($row['max_order_amount'] ?? null);
$row['is_cod'] = (int)($row['is_cod'] ?? 0);
return $row;
}

30
autoload/Domain/Product/ProductRepository.php
View File

@@ -1601,9 +1601,7 @@ class ProductRepository
$results = $this->db->select( 'pp_shop_products_files', '*', [ 'AND' => [ 'product_id' => $productId, 'to_delete' => 1 ] ] );
if ( is_array( $results ) ) {
foreach ( $results as $row ) {
if ( file_exists( '../' . $row['src'] ) ) {
unlink( '../' . $row['src'] );
}
$this->safeUnlink( $row['src'] );
}
}
$this->db->delete( 'pp_shop_products_files', [ 'AND' => [ 'product_id' => $productId, 'to_delete' => 1 ] ] );
@@ -1614,9 +1612,7 @@ class ProductRepository
$results = $this->db->select( 'pp_shop_products_images', '*', [ 'AND' => [ 'product_id' => $productId, 'to_delete' => 1 ] ] );
if ( is_array( $results ) ) {
foreach ( $results as $row ) {
if ( file_exists( '../' . $row['src'] ) ) {
unlink( '../' . $row['src'] );
}
$this->safeUnlink( $row['src'] );
}
}
$this->db->delete( 'pp_shop_products_images', [ 'AND' => [ 'product_id' => $productId, 'to_delete' => 1 ] ] );
@@ -2125,14 +2121,30 @@ class ProductRepository
$results = $this->db->select( 'pp_shop_products_images', '*', [ 'product_id' => null ] );
if ( is_array( $results ) ) {
foreach ( $results as $row ) {
if ( file_exists( '../' . $row['src'] ) ) {
unlink( '../' . $row['src'] );
}
$this->safeUnlink( $row['src'] );
}
}
$this->db->delete( 'pp_shop_products_images', [ 'product_id' => null ] );
}
/**
* Usuwa plik z dysku tylko jeśli ścieżka pozostaje wewnątrz katalogu upload/.
* Zapobiega path traversal przy danych z bazy.
*/
private function safeUnlink(string $src): void
{
$base = realpath('../upload');
if (!$base) {
return;
}
$full = realpath('../' . ltrim($src, '/'));
if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) {
unlink($full);
} elseif ($full) {
error_log( '[shopPRO] safeUnlink: ścieżka poza upload/: ' . $src );
}
}
/**
* Oznacza plik do usunięcia.
*/

26
autoload/Shared/Security/CsrfToken.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
namespace Shared\Security;
class CsrfToken
{
const SESSION_KEY = 'csrf_token';
public static function getToken(): string
{
if (empty($_SESSION[self::SESSION_KEY])) {
$_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
}
return (string) $_SESSION[self::SESSION_KEY];
}
public static function validate(string $token): bool
{
$sessionToken = isset($_SESSION[self::SESSION_KEY]) ? (string) $_SESSION[self::SESSION_KEY] : '';
return $sessionToken !== '' && hash_equals($sessionToken, $token);
}
public static function regenerate(): void
{
$_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
}
}

11
autoload/admin/App.php
View File

@@ -43,6 +43,15 @@ class App
$sa = \Shared\Helpers\Helpers::get( 's-action' );
if ( !$sa ) return;
if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
$csrfToken = isset( $_POST['_csrf_token'] ) ? (string) $_POST['_csrf_token'] : '';
if ( !\Shared\Security\CsrfToken::validate( $csrfToken ) ) {
\Shared\Helpers\Helpers::alert( 'Nieprawidłowy token bezpieczeństwa. Spróbuj ponownie.' );
header( 'Location: /admin/' );
exit;
}
}
$domain = preg_replace( '/^www\./', '', $_SERVER['SERVER_NAME'] );
$cookie_name = 'admin_remember_' . str_replace( '.', '-', $domain );
$users = new \Domain\User\UserRepository( $mdb );
@@ -84,6 +93,7 @@ class App
exit;
}
\Shared\Security\CsrfToken::regenerate();
self::finalize_admin_login( $user, $domain, $cookie_name, (bool) \Shared\Helpers\Helpers::get( 'remember' ) );
header( 'Location: /admin/articles/list/' );
exit;
@@ -127,6 +137,7 @@ class App
header( 'Location: /admin/' );
exit;
}
\Shared\Security\CsrfToken::regenerate();
self::finalize_admin_login( $user, $domain, $cookie_name, !empty( $pending['remember'] ) );
header( 'Location: /admin/articles/list/' );
exit;

5
autoload/admin/Controllers/ShopPaymentMethodController.php
View File

@@ -184,6 +184,7 @@ class ShopPaymentMethodController
'apilo_payment_type_id' => $paymentMethod['apilo_payment_type_id'] ?? '',
'min_order_amount' => $paymentMethod['min_order_amount'] ?? '',
'max_order_amount' => $paymentMethod['max_order_amount'] ?? '',
'is_cod' => (int)($paymentMethod['is_cod'] ?? 0),
];
$fields = [
@@ -220,6 +221,10 @@ class ShopPaymentMethodController
'tab' => 'settings',
'options' => $apiloOptions,
]),
FormField::switch('is_cod', [
'label' => 'Platnosc przy odbiorze',
'tab' => 'settings',
]),
FormField::switch('status', [
'label' => 'Aktywny',
'tab' => 'settings',

7
autoload/admin/Support/Forms/FormRequestHandler.php
View File

@@ -32,6 +32,13 @@ class FormRequestHandler
'data' => []
];
// Walidacja CSRF
$csrfToken = isset($postData['_csrf_token']) ? (string) $postData['_csrf_token'] : '';
if (!\Shared\Security\CsrfToken::validate($csrfToken)) {
$result['errors'] = ['csrf' => 'Nieprawidłowy token bezpieczeństwa. Odśwież stronę i spróbuj ponownie.'];
return $result;
}
// Walidacja
$errors = $this->validator->validate($postData, $formViewModel->fields, $formViewModel->languages);

30
autoload/front/Controllers/ShopBasketController.php
View File

@@ -276,6 +276,19 @@ class ShopBasketController
exit;
}
$existingOrderId = isset( $_SESSION[ self::ORDER_SUBMIT_LAST_ORDER_ID_SESSION_KEY ] )
? (int)$_SESSION[ self::ORDER_SUBMIT_LAST_ORDER_ID_SESSION_KEY ]
: 0;
if ( $existingOrderId > 0 )
{
$existingOrderHash = $this->orderRepository->findHashById( $existingOrderId );
if ( $existingOrderHash )
{
header( 'Location: /zamowienie/' . $existingOrderHash );
exit;
}
}
$client = \Shared\Helpers\Helpers::get_session( 'client' );
$orderSubmitToken = $this->createOrderSubmitToken();
@@ -325,7 +338,10 @@ class ShopBasketController
exit;
}
if ( $order_id = $this->orderRepository->createFromBasket(
$order_id = null;
try
{
$order_id = $this->orderRepository->createFromBasket(
$client[ 'id' ],
\Shared\Helpers\Helpers::get_session( 'basket' ),
\Shared\Helpers\Helpers::get_session( 'basket-transport-method-id' ),
@@ -347,7 +363,17 @@ class ShopBasketController
\Shared\Helpers\Helpers::get_session( 'basket_orlen_point_info' ),
\Shared\Helpers\Helpers::get_session( 'coupon' ),
\Shared\Helpers\Helpers::get_session( 'basket_message' )
) )
);
}
catch ( \Exception $e )
{
error_log( '[basketSave] createFromBasket exception: ' . $e->getMessage() );
\Shared\Helpers\Helpers::error( \Shared\Helpers\Helpers::lang( 'zamowienie-zostalo-zlozone-komunikat-blad' ) );
header( 'Location: /koszyk' );
exit;
}
if ( $order_id )
{
\Shared\Helpers\Helpers::set_session( self::ORDER_SUBMIT_LAST_ORDER_ID_SESSION_KEY, (int)$order_id );
\Shared\Helpers\Helpers::alert( \Shared\Helpers\Helpers::lang( 'zamowienie-zostalo-zlozone-komunikat' ) );

6
autoload/front/Controllers/ShopOrderController.php
View File

@@ -6,6 +6,8 @@ use Domain\Order\OrderAdminService;
class ShopOrderController
{
private const HOTPAY_HASH_SEED = 'ProjectPro1916;';
private $repository;
private $adminService;
@@ -29,8 +31,6 @@ class ShopOrderController
public function paymentStatusTpay()
{
file_put_contents( 'tpay.txt', print_r( $_POST, true ) . print_r( $_GET, true ), FILE_APPEND );
if ( \Shared\Helpers\Helpers::get( 'tr_status' ) == 'TRUE' && \Shared\Helpers\Helpers::get( 'tr_crc' ) )
{
$order = $this->repository->findRawByHash( \Shared\Helpers\Helpers::get( 'tr_crc' ) );
@@ -102,7 +102,7 @@ class ShopOrderController
$summary_tmp += $order['transport_cost'];
endif;
if ( hash( "sha256", "ProjectPro1916;" . round( $summary_tmp, 2 ) . ";" . $_POST["ID_PLATNOSCI"] . ";" . $_POST["ID_ZAMOWIENIA"] . ";" . $_POST["STATUS"] . ";" . $_POST["SEKRET"] ) == $_POST["HASH"] )
if ( hash( "sha256", self::HOTPAY_HASH_SEED . round( $summary_tmp, 2 ) . ";" . $_POST["ID_PLATNOSCI"] . ";" . $_POST["ID_ZAMOWIENIA"] . ";" . $_POST["STATUS"] . ";" . $_POST["SEKRET"] ) == $_POST["HASH"] )
{
if ( $_POST["STATUS"] == "SUCCESS" )
{