Restrict Agent Info and Credit Accounting to master admin only; protect master admin account
- Agent Info: master admin sees full edit form; other admins see view-only panel with Copy and Open URL buttons
- Credit Accounting: master admin can manage entries; other admins see total only (Manage Credits button hidden)
- API: credits_create/update/delete require master admin; platform update strips agent fields for non-master
- Players: suspend/delete buttons disabled when viewing master admin account (UI + JS guards)
- URL fields (Agent Link, Games Link): open-in-new-tab arrow button added in both edit and view modes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+15
-7
@@ -4,8 +4,9 @@ try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) {
|
||||
ob_end_clean();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
$action = $_GET['action'] ?? 'list';
|
||||
$isAdmin = isLoggedIn() && !empty($_SESSION['is_admin']);
|
||||
$action = $_GET['action'] ?? 'list';
|
||||
$isAdmin = isLoggedIn() && !empty($_SESSION['is_admin']);
|
||||
$isMasterAdmin = $isAdmin && (int)($_SESSION['user_id'] ?? 0) === MASTER_ADMIN_ID;
|
||||
|
||||
switch ($action) {
|
||||
|
||||
@@ -79,8 +80,15 @@ switch ($action) {
|
||||
$sort_order = (int)($d['sort_order'] ?? 99);
|
||||
$is_active = (int)(bool)($d['is_active'] ?? 1);
|
||||
if (!$id || !$name || !$player_url) { echo json_encode(['success'=>false,'error'=>'ID, name, and player URL required']); exit; }
|
||||
db()->prepare("UPDATE platforms SET name=?,player_url=?,agent_link=?,agent_login=?,agent_password=?,games_link=?,agent_guide=?,sub_agent_login=?,sub_agent_password=?,cashier_login=?,cashier_password=?,color=?,sort_order=?,is_active=? WHERE id=?")
|
||||
->execute([$name,$player_url,$agent_link,$agent_login,$agent_password,$games_link,$agent_guide,$sub_agent_login,$sub_agent_password,$cashier_login,$cashier_password,$color,$sort_order,$is_active,$id]);
|
||||
if ($isMasterAdmin) {
|
||||
// Master admin: update all fields including agent info
|
||||
db()->prepare("UPDATE platforms SET name=?,player_url=?,agent_link=?,agent_login=?,agent_password=?,games_link=?,agent_guide=?,sub_agent_login=?,sub_agent_password=?,cashier_login=?,cashier_password=?,color=?,sort_order=?,is_active=? WHERE id=?")
|
||||
->execute([$name,$player_url,$agent_link,$agent_login,$agent_password,$games_link,$agent_guide,$sub_agent_login,$sub_agent_password,$cashier_login,$cashier_password,$color,$sort_order,$is_active,$id]);
|
||||
} else {
|
||||
// Regular admin: update only non-sensitive fields
|
||||
db()->prepare("UPDATE platforms SET name=?,player_url=?,color=?,sort_order=?,is_active=? WHERE id=?")
|
||||
->execute([$name,$player_url,$color,$sort_order,$is_active,$id]);
|
||||
}
|
||||
echo json_encode(['success'=>true]);
|
||||
break;
|
||||
|
||||
@@ -119,7 +127,7 @@ switch ($action) {
|
||||
|
||||
// ── Admin: add credit entry ───────────────────────────
|
||||
case 'credits_create':
|
||||
if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
|
||||
if (!$isMasterAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
|
||||
$d = json_decode(file_get_contents('php://input'), true);
|
||||
$pid = (int)($d['platform_id'] ?? 0);
|
||||
$credits = (float)($d['credits_purchased'] ?? 0);
|
||||
@@ -137,7 +145,7 @@ switch ($action) {
|
||||
|
||||
// ── Admin: update credit entry ────────────────────────
|
||||
case 'credits_update':
|
||||
if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
|
||||
if (!$isMasterAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
|
||||
$d = json_decode(file_get_contents('php://input'), true);
|
||||
$id = (int)($d['id'] ?? 0);
|
||||
$credits = (float)($d['credits_purchased'] ?? 0);
|
||||
@@ -157,7 +165,7 @@ switch ($action) {
|
||||
|
||||
// ── Admin: delete credit entry ────────────────────────
|
||||
case 'credits_delete':
|
||||
if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
|
||||
if (!$isMasterAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
|
||||
$d = json_decode(file_get_contents('php://input'), true);
|
||||
$id = (int)($d['id'] ?? 0);
|
||||
if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }
|
||||
|
||||
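Review bot: The regular-admin branch of the platform update (second hunk) silently discards any agent_* fields the caller sent and then answers with the shared `echo json_encode(['success'=>true]);` at the end of the case, so a client that still submits those fields — an older cached UI or a scripted request — cannot tell they were dropped. Make the outcome visible in the response, e.g. `echo json_encode(['success'=>true,'agent_fields_ignored'=>!$isMasterAdmin]);`, and consider logging the attempt, since a non-master admin posting agent credentials is an event operators would want to see. The `$isMasterAdmin` line in the first hunk compares with `===` against `MASTER_ADMIN_ID`, which is defined outside this file; if that constant is ever declared as a string the check fails closed and the master admin loses access, so `(int) MASTER_ADMIN_ID` (or a typed `const int`) is worth pinning. The same `!$isMasterAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST'` guard is now repeated in credits_create, credits_update and credits_delete; a small `requireMasterAdminPost()` helper would keep the three in step. The `switch ($action)` body these cases belong to starts and ends outside the hunks.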