mark/telvero-sales-backoffice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Logs / Users links in header and logging security

Browse Source
This commit is contained in:
Mark Pinkster 2026-01-10 18:45:56 +01:00
parent 61b0970465
commit f05152c626
7 changed files with 244 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
api/bootstrap.php
View File

@ -29,12 +29,14 @@ if (!isset($_SESSION['user']) && isset($_COOKIE['telvero_remember'])) {
if ($decoded && $decoded['expires'] > time()) {
$_SESSION['user'] = $decoded['user'];
$_SESSION['full_name'] = $decoded['full_name'];
$_SESSION['role'] = $decoded['role'] ?? 'agent';
}
}
// 3. CAPTURE DATA FOR WP PROTECTION
$cap_user = $_SESSION['user'] ?? null;
$cap_name = $_SESSION['full_name'] ?? null;
$cap_role = $_SESSION['role'] ?? null;
// 4. LOAD WORDPRESS
$wp_load = dirname(__DIR__) . '/wp-load.php';
@ -49,6 +51,7 @@ if (file_exists($wp_load)) {
if ($cap_user && !isset($_SESSION['user'])) {
$_SESSION['user'] = $cap_user;
$_SESSION['full_name'] = $cap_name;
$_SESSION['role'] = $cap_role;
}
// 6. LOAD COMPOSER AUTOLOAD

115
api/middleware/auth.php
View File

@ -3,6 +3,27 @@
* Authentication middleware and handlers
*/
/**
* Check if role column exists in sales_users table
* @param mysqli $db Database connection
* @return bool
*/
function roleColumnExists(mysqli $db): bool
{
static $exists = null;
if ($exists === null) {
$result = $db->query("SHOW COLUMNS FROM sales_users LIKE 'role'");
$exists = ($result && $result->num_rows > 0);
// If column doesn't exist, try to add it
if (!$exists) {
$db->query("ALTER TABLE sales_users ADD COLUMN role VARCHAR(50) DEFAULT 'agent'");
$exists = true;
}
}
return $exists;
}
/**
* Handle login action
* @param mysqli $db Database connection
@ -13,7 +34,14 @@ function handleLogin(mysqli $db): void
$input = json_decode(file_get_contents('php://input'), true);
$username = $input['username'] ?? '';
$stmt = $db->prepare("SELECT password, full_name FROM sales_users WHERE username = ?");
// Check if role column exists and use appropriate query
$hasRoleColumn = roleColumnExists($db);
if ($hasRoleColumn) {
$stmt = $db->prepare("SELECT password, full_name, role FROM sales_users WHERE username = ?");
} else {
$stmt = $db->prepare("SELECT password, full_name, 'agent' as role FROM sales_users WHERE username = ?");
}
$stmt->bind_param("s", $username);
$stmt->execute();
$res = $stmt->get_result()->fetch_assoc();
@ -21,17 +49,23 @@ function handleLogin(mysqli $db): void
if ($res && password_verify($input['password'], $res['password'])) {
$_SESSION['user'] = $username;
$_SESSION['full_name'] = $res['full_name'];
$_SESSION['role'] = $res['role'] ?? 'agent';
// Recovery cookie payload
$cookie_payload = base64_encode(json_encode([
'user' => $username,
'full_name' => $res['full_name'],
'role' => $res['role'] ?? 'agent',
'expires' => MIDNIGHT_TIMESTAMP
]));
setcookie('telvero_remember', $cookie_payload, MIDNIGHT_TIMESTAMP, '/', '', isset($_SERVER['HTTPS']), true);
echo json_encode(['success' => true, 'user' => $res['full_name']]);
echo json_encode([
'success' => true,
'user' => $res['full_name'],
'role' => $res['role'] ?? 'agent'
]);
} else {
http_response_code(401);
echo json_encode(['error' => 'Login mislukt']);
@ -47,7 +81,8 @@ function handleCheckSession(): void
if (isset($_SESSION['user'])) {
echo json_encode([
'authenticated' => true,
'user' => $_SESSION['full_name'] ?? $_SESSION['user']
'user' => $_SESSION['full_name'] ?? $_SESSION['user'],
'role' => $_SESSION['role'] ?? 'agent'
]);
} else {
echo json_encode(['authenticated' => false]);
@ -74,6 +109,33 @@ function isAuthenticated(): bool
return isset($_SESSION['user']);
}
/**
* Check if user has administrator role
* @return bool
*/
function isAdmin(): bool
{
return isset($_SESSION['role']) && $_SESSION['role'] === 'administrator';
}
/**
* Get current user's role
* @return string
*/
function getUserRole(): string
{
return $_SESSION['role'] ?? 'agent';
}
/**
* Get current username
* @return string|null
*/
function getCurrentUsername(): ?string
{
return $_SESSION['user'] ?? null;
}
/**
* Require authentication - exits if not authenticated
* @return void
@ -86,3 +148,50 @@ function requireAuth(): void
exit;
}
}
/**
* Require administrator role - exits if not admin
* Logs unauthorized access attempts
* @param mysqli $db Database connection for logging
* @param string $page The page being accessed
* @return void
*/
function requireAdmin(mysqli $db, string $page): void
{
if (!isAuthenticated()) {
logUnauthorizedAccess($db, null, $page, 'not_authenticated');
http_response_code(403);
die("Toegang geweigerd. Log eerst in.");
}
if (!isAdmin()) {
logUnauthorizedAccess($db, getCurrentUsername(), $page, 'insufficient_permissions');
http_response_code(403);
die("Toegang geweigerd. U heeft geen toegang tot deze pagina.");
}
}
/**
* Log unauthorized access attempt to the database
* @param mysqli $db Database connection
* @param string|null $username The username attempting access (null if not logged in)
* @param string $page The page being accessed
* @param string $reason The reason for denial
* @return void
*/
function logUnauthorizedAccess(mysqli $db, ?string $username, string $page, string $reason): void
{
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown';
$details = json_encode([
'page' => $page,
'reason' => $reason,
'ip' => $ip,
'user_agent' => $userAgent
]);
$stmt = $db->prepare("INSERT INTO sales_logs (username, action_type, details, created_at) VALUES (?, 'unauthorized_access', ?, NOW())");
$usernameForLog = $username ?? 'anonymous';
$stmt->bind_param("ss", $usernameForLog, $details);
$stmt->execute();
}

13
index.html
View File

@ -5,7 +5,7 @@
<meta charset="UTF-8">
<title>Telvero Sales Panel V1</title>
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://unpkg.com/alpinejs" defer></script>
<script src="https://unpkg.com/alpinejs@3.x.x/dist/cdn.min.js" defer></script>
<style>
[x-cloak] {
display: none !important;
@ -61,6 +61,17 @@
</h1>
<div class="flex items-center gap-6 text-sm font-bold text-slate-400">
<span x-text="'Agent: ' + currentUser"></span>
<!-- Admin Links - Only visible for administrators -->
<template x-if="userRole === 'administrator'">
<div class="flex items-center gap-3">
<a href="logs.php" class="bg-emerald-100 text-emerald-600 px-4 py-2 rounded-xl text-[10px] font-black uppercase tracking-widest hover:bg-emerald-200 transition">
📊 Logs
</a>
<a href="users.php" class="bg-purple-100 text-purple-600 px-4 py-2 rounded-xl text-[10px] font-black uppercase tracking-widest hover:bg-purple-200 transition">
👥 Users
</a>
</div>
</template>
<button @click="doLogout()"
class="text-red-500 underline uppercase text-xs font-black">Uitloggen</button>
</div>

5
js/app.js
View File

@ -10,6 +10,7 @@ function salesApp() {
isLoggedIn: false,
isLoading: true,
currentUser: '',
userRole: '',
loginForm: { username: '', password: '' },
// Order state
@ -53,6 +54,7 @@ function salesApp() {
const data = await ApiService.checkSession();
if (data.authenticated) {
this.currentUser = data.user || localStorage.getItem('telvero_user') || 'Agent';
this.userRole = data.role || localStorage.getItem('telvero_role') || 'agent';
await this.loadProducts();
this.isLoggedIn = true;
}
@ -70,7 +72,9 @@ function salesApp() {
const result = await ApiService.login(this.loginForm.username, this.loginForm.password);
if (result.ok) {
this.currentUser = result.data.user;
this.userRole = result.data.role || 'agent';
localStorage.setItem('telvero_user', result.data.user);
localStorage.setItem('telvero_role', result.data.role || 'agent');
await this.loadProducts();
this.isLoggedIn = true;
} else {
@ -84,6 +88,7 @@ function salesApp() {
async doLogout() {
await ApiService.logout();
localStorage.removeItem('telvero_user');
localStorage.removeItem('telvero_role');
location.reload();
},

24
logs.php
View File

@ -2,22 +2,26 @@
/**
* TELVERO LOGS DASHBOARD (V9.5 - DEPRECATED FIX)
*/
session_start();
ini_set('display_errors', 0);
error_reporting(E_ALL);
require __DIR__ . '/vendor/autoload.php';
// Load bootstrap (session, WordPress, autoload, env)
require_once __DIR__ . '/api/bootstrap.php';
if (file_exists(__DIR__ . '/.env')) {
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();
}
// Load configuration (database)
require_once __DIR__ . '/api/config.php';
if (!isset($_SESSION['user'])) {
die("Toegang geweigerd. Log eerst in.");
}
// Load authentication middleware
require_once __DIR__ . '/api/middleware/auth.php';
$db = new mysqli($_ENV['DB_HOST'], $_ENV['DB_USER'], $_ENV['DB_PASS'], $_ENV['DB_NAME']);
// Get database connection
$db = getDatabase();
// Ensure role column exists (this function also adds it if missing)
roleColumnExists($db);
// Require administrator role - will log unauthorized access and exit if not admin
requireAdmin($db, 'logs.php');
// 1. Totalen van vandaag
$today_stats = $db->query("SELECT COUNT(id) as total_orders, IFNULL(SUM(amount), 0) as total_revenue FROM sales_logs WHERE action_type = 'order_created' AND DATE(created_at) = CURDATE()")->fetch_assoc();

12
migrations/001_add_role_column.sql Normal file
View File

@ -0,0 +1,12 @@
-- Migration: Add role column to sales_users table
-- Run this SQL to add the role column for authorization
-- Add role column if it doesn't exist
ALTER TABLE sales_users
ADD COLUMN IF NOT EXISTS role VARCHAR(50) DEFAULT 'agent' NOT NULL;
-- Update existing users to have 'agent' role if they don't have one
UPDATE sales_users SET role = 'agent' WHERE role IS NULL OR role = '';
-- Optional: Set a specific user as administrator (replace 'admin_username' with actual username)
-- UPDATE sales_users SET role = 'administrator' WHERE username = 'admin_username';

120
users.php
View File

@ -2,35 +2,51 @@
/**
* TELVERO USER MANAGEMENT (ENV VERSION)
*/
session_start();
require __DIR__ . '/vendor/autoload.php';
ini_set('display_errors', 1);
error_reporting(E_ALL);
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();
// Load bootstrap (session, WordPress, autoload, env)
require_once __DIR__ . '/api/bootstrap.php';
// Beveiliging: Alleen toegankelijk voor ingelogde gebruikers (behalve bij de allereerste keer)
// if (!isset($_SESSION['user'])) { die("Toegang geweigerd"); }
// Load configuration (database)
require_once __DIR__ . '/api/config.php';
$db = new mysqli($_ENV['DB_HOST'], $_ENV['DB_USER'], $_ENV['DB_PASS'], $_ENV['DB_NAME']);
// Load authentication middleware
require_once __DIR__ . '/api/middleware/auth.php';
if ($db->connect_error) {
die("Database connectie mislukt.");
}
// Get database connection
$db = getDatabase();
// Ensure role column exists (this function also adds it if missing)
roleColumnExists($db);
// Require administrator role - will log unauthorized access and exit if not admin
requireAdmin($db, 'users.php');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$user = $_POST['username'];
$pass = password_hash($_POST['password'], PASSWORD_DEFAULT);
$name = $_POST['full_name'];
$role = $_POST['role'] ?? 'agent';
$stmt = $db->prepare("INSERT INTO sales_users (username, password, full_name) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $user, $pass, $name);
$stmt = $db->prepare("INSERT INTO sales_users (username, password, full_name, role) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $user, $pass, $name, $role);
if ($stmt->execute()) {
$msg = "Gebruiker $user succesvol aangemaakt!";
$msg = "Gebruiker $user succesvol aangemaakt met rol: $role!";
} else {
$msg = "Fout bij aanmaken: " . $db->error;
}
}
// Get existing users for display
$users_result = $db->query("SELECT id, username, full_name, COALESCE(role, 'agent') as role FROM sales_users ORDER BY id DESC");
$existing_users = [];
if ($users_result) {
while ($row = $users_result->fetch_assoc()) {
$existing_users[] = $row;
}
}
?>
<!DOCTYPE html>
<html lang="nl">
@ -39,30 +55,66 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
<title>User Management</title>
<script src="https://cdn.tailwindcss.com"></script>
</head>
<body class="bg-slate-100 min-h-screen flex items-center justify-center p-6">
<div class="max-w-md w-full bg-white p-10 rounded-[2.5rem] shadow-2xl">
<h2 class="text-2xl font-black mb-8 italic text-center text-slate-800">BEHEER <span class="text-blue-600">AGENTS</span></h2>
<?php if(isset($msg)) echo "<div class='mb-6 p-4 bg-green-50 text-green-600 rounded-2xl text-sm font-bold border border-green-100 text-center'>$msg</div>"; ?>
<body class="bg-slate-100 min-h-screen p-6">
<div class="max-w-4xl mx-auto">
<header class="flex justify-between items-center mb-8 bg-white p-6 rounded-3xl shadow-sm border-b-4 border-blue-600">
<h1 class="text-2xl font-black italic tracking-tighter">TELVERO <span class="text-blue-600">USERS</span></h1>
<a href="index.html" class="bg-slate-100 border px-6 py-2 rounded-2xl text-[10px] font-black uppercase tracking-widest hover:bg-slate-50 transition">Panel</a>
</header>
<form method="POST" class="space-y-4">
<div>
<label class="block text-[10px] font-black text-slate-400 uppercase tracking-widest mb-2 px-2">Gebruikersnaam</label>
<input type="text" name="username" placeholder="Bijv. agent_jan" class="w-full border-2 border-slate-50 p-4 rounded-2xl outline-none focus:border-blue-500 bg-slate-50 transition-all" required>
<div class="grid grid-cols-1 lg:grid-cols-2 gap-8">
<!-- Create User Form -->
<div class="bg-white p-10 rounded-[2.5rem] shadow-2xl">
<h2 class="text-xl font-black mb-8 italic text-center text-slate-800">NIEUWE <span class="text-blue-600">AGENT</span></h2>
<?php if(isset($msg)) echo "<div class='mb-6 p-4 bg-green-50 text-green-600 rounded-2xl text-sm font-bold border border-green-100 text-center'>$msg</div>"; ?>
<form method="POST" class="space-y-4">
<div>
<label class="block text-[10px] font-black text-slate-400 uppercase tracking-widest mb-2 px-2">Gebruikersnaam</label>
<input type="text" name="username" placeholder="Bijv. agent_jan" class="w-full border-2 border-slate-50 p-4 rounded-2xl outline-none focus:border-blue-500 bg-slate-50 transition-all" required>
</div>
<div>
<label class="block text-[10px] font-black text-slate-400 uppercase tracking-widest mb-2 px-2">Wachtwoord</label>
<input type="password" name="password" placeholder="••••••••" class="w-full border-2 border-slate-50 p-4 rounded-2xl outline-none focus:border-blue-500 bg-slate-50 transition-all" required>
</div>
<div>
<label class="block text-[10px] font-black text-slate-400 uppercase tracking-widest mb-2 px-2">Volledige Naam</label>
<input type="text" name="full_name" placeholder="Jan de Vries" class="w-full border-2 border-slate-50 p-4 rounded-2xl outline-none focus:border-blue-500 bg-slate-50 transition-all" required>
</div>
<div>
<label class="block text-[10px] font-black text-slate-400 uppercase tracking-widest mb-2 px-2">Rol</label>
<select name="role" class="w-full border-2 border-slate-50 p-4 rounded-2xl outline-none focus:border-blue-500 bg-slate-50 transition-all font-bold">
<option value="agent">Agent</option>
<option value="administrator">Administrator</option>
</select>
</div>
<button type="submit" class="w-full bg-blue-600 text-white p-5 rounded-2xl font-black shadow-lg hover:bg-blue-700 transition active:scale-95 uppercase tracking-tighter">Agent Opslaan</button>
</form>
</div>
<div>
<label class="block text-[10px] font-black text-slate-400 uppercase tracking-widest mb-2 px-2">Wachtwoord</label>
<input type="password" name="password" placeholder="••••••••" class="w-full border-2 border-slate-50 p-4 rounded-2xl outline-none focus:border-blue-500 bg-slate-50 transition-all" required>
<!-- Existing Users List -->
<div class="bg-white p-10 rounded-[2.5rem] shadow-2xl">
<h2 class="text-xl font-black mb-8 italic text-center text-slate-800">BESTAANDE <span class="text-blue-600">AGENTS</span></h2>
<div class="space-y-3 max-h-[500px] overflow-y-auto">
<?php foreach($existing_users as $u): ?>
<div class="flex items-center justify-between p-4 bg-slate-50 rounded-2xl border border-slate-100">
<div>
<p class="font-black text-sm text-slate-800"><?php echo htmlspecialchars($u['full_name']); ?></p>
<p class="text-[10px] text-slate-400 font-bold">@<?php echo htmlspecialchars($u['username']); ?></p>
</div>
<span class="px-3 py-1 rounded-full text-[9px] font-black uppercase <?php echo $u['role'] === 'administrator' ? 'bg-purple-100 text-purple-600' : 'bg-blue-100 text-blue-600'; ?>">
<?php echo htmlspecialchars($u['role'] ?? 'agent'); ?>
</span>
</div>
<?php endforeach; ?>
<?php if(empty($existing_users)): ?>
<p class="text-center text-slate-400 text-sm italic">Geen gebruikers gevonden</p>
<?php endif; ?>
</div>
</div>
<div>
<label class="block text-[10px] font-black text-slate-400 uppercase tracking-widest mb-2 px-2">Volledige Naam</label>
<input type="text" name="full_name" placeholder="Jan de Vries" class="w-full border-2 border-slate-50 p-4 rounded-2xl outline-none focus:border-blue-500 bg-slate-50 transition-all" required>
</div>
<button type="submit" class="w-full bg-blue-600 text-white p-5 rounded-2xl font-black shadow-lg hover:bg-blue-700 transition active:scale-95 uppercase tracking-tighter">Agent Opslaan</button>
</form>
<div class="mt-8 text-center">
<a href="index.html" class="text-xs font-bold text-slate-400 hover:text-blue-600 transition underline uppercase">Terug naar Dashboard</a>
</div>
</div>
</body>