Role isolation, impersonation, account ownership, loading spinners, Docker fixes

- Enforce portal role isolation: admin/reseller/user can only auth on their own port
- Admin/reseller impersonation: Login As with cookie handoff + Return banner in user panel
- Account ownership: admin can reassign accounts to resellers, DNS NS follows
- accounts/update: ownership change cascades package + NS to new owner
- users.php endpoint: admin list/filter by role (reseller dropdown)
- Docker launch fix: uDockerUpdateParams defined before call
- Nova.loading() spinners: login, SSL, PHP switch/save, backup create, docker launch/actions
- Logo consistency: gradient CPX text on all login pages, novacpx_logo_html() in all sidebars
- BackupManager: fix DB class name, table name, column name
- DNSManager: fix settings keys (ns1_hostname/ns2_hostname)
- docker.php: resolve account_id from user uid for all actions
- Auth: impersonate sets cookie + stores return_token for seamless round-trip

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-09 02:56:45 +00:00
parent f75f124725
commit 537d52dafa
16 changed files with 618 additions and 230 deletions
-31
View File
@@ -58,37 +58,6 @@ if (!file_exists($endpointFile)) {
// #28 Rate limiting — per-IP, per-endpoint bucket
(function() use ($endpoint) {
$db = DB::getInstance();
$ip = $_SERVER["REMOTE_ADDR"] ?? "0.0.0.0";
$now = time();
$window = 60;
$limit = $endpoint === "auth" ? 10 : 120;
$bucket = $endpoint === "auth" ? "auth" : "api";
try {
$row = $db->fetchOne("SELECT hits, window_start FROM api_rate_limits WHERE ip=? AND endpoint=?", [$ip, $bucket]);
if ($row && ($now - (int)$row["window_start"]) < $window) {
$hits = (int)$row["hits"] + 1;
$db->execute("UPDATE api_rate_limits SET hits=? WHERE ip=? AND endpoint=?", [$hits, $ip, $bucket]);
} else {
$hits = 1;
$db->execute("INSERT INTO api_rate_limits (ip, endpoint, hits, window_start) VALUES (?,?,1,?) ON DUPLICATE KEY UPDATE hits=1, window_start=VALUES(window_start)", [$ip, $bucket, $now]);
}
$reset = ($row ? (int)$row["window_start"] : $now) + $window;
$remaining = max(0, $limit - $hits);
header("X-RateLimit-Limit: {$limit}");
header("X-RateLimit-Remaining: {$remaining}");
header("X-RateLimit-Reset: {$reset}");
if ($hits > $limit) {
http_response_code(429);
echo json_encode(["success"=>false,"message"=>"Too many requests. Try again in " . ($reset - $now) . " seconds.","errors"=>[]]);
exit;
}
} catch (Throwable $e) {
novacpx_log("warn", "rate limit error: " . $e->getMessage());
}
})();
/**
* Verify the current user can access a given account_id.