Restrict Agent Info and Credit Accounting to master admin only; protect master admin account

- Agent Info: master admin sees full edit form; other admins see view-only panel with Copy and Open URL buttons
- Credit Accounting: master admin can manage entries; other admins see total only (Manage Credits button hidden)
- API: credits_create/update/delete require master admin; platform update strips agent fields for non-master
- Players: suspend/delete buttons disabled when viewing master admin account (UI + JS guards)
- URL fields (Agent Link, Games Link): open-in-new-tab arrow button added in both edit and view modes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-04 18:06:17 +00:00
parent f50d1d481d
commit 7eade583f7
2 changed files with 156 additions and 45 deletions
+15 -7
View File
@@ -4,8 +4,9 @@ try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) {
ob_end_clean();
header('Content-Type: application/json');
$action = $_GET['action'] ?? 'list';
$isAdmin = isLoggedIn() && !empty($_SESSION['is_admin']);
$action = $_GET['action'] ?? 'list';
$isAdmin = isLoggedIn() && !empty($_SESSION['is_admin']);
$isMasterAdmin = $isAdmin && (int)($_SESSION['user_id'] ?? 0) === MASTER_ADMIN_ID;
switch ($action) {
@@ -79,8 +80,15 @@ switch ($action) {
$sort_order = (int)($d['sort_order'] ?? 99);
$is_active = (int)(bool)($d['is_active'] ?? 1);
if (!$id || !$name || !$player_url) { echo json_encode(['success'=>false,'error'=>'ID, name, and player URL required']); exit; }
db()->prepare("UPDATE platforms SET name=?,player_url=?,agent_link=?,agent_login=?,agent_password=?,games_link=?,agent_guide=?,sub_agent_login=?,sub_agent_password=?,cashier_login=?,cashier_password=?,color=?,sort_order=?,is_active=? WHERE id=?")
->execute([$name,$player_url,$agent_link,$agent_login,$agent_password,$games_link,$agent_guide,$sub_agent_login,$sub_agent_password,$cashier_login,$cashier_password,$color,$sort_order,$is_active,$id]);
if ($isMasterAdmin) {
// Master admin: update all fields including agent info
db()->prepare("UPDATE platforms SET name=?,player_url=?,agent_link=?,agent_login=?,agent_password=?,games_link=?,agent_guide=?,sub_agent_login=?,sub_agent_password=?,cashier_login=?,cashier_password=?,color=?,sort_order=?,is_active=? WHERE id=?")
->execute([$name,$player_url,$agent_link,$agent_login,$agent_password,$games_link,$agent_guide,$sub_agent_login,$sub_agent_password,$cashier_login,$cashier_password,$color,$sort_order,$is_active,$id]);
} else {
// Regular admin: update only non-sensitive fields
db()->prepare("UPDATE platforms SET name=?,player_url=?,color=?,sort_order=?,is_active=? WHERE id=?")
->execute([$name,$player_url,$color,$sort_order,$is_active,$id]);
}
echo json_encode(['success'=>true]);
break;
@@ -119,7 +127,7 @@ switch ($action) {
// ── Admin: add credit entry ───────────────────────────
case 'credits_create':
if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
if (!$isMasterAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
$d = json_decode(file_get_contents('php://input'), true);
$pid = (int)($d['platform_id'] ?? 0);
$credits = (float)($d['credits_purchased'] ?? 0);
@@ -137,7 +145,7 @@ switch ($action) {
// ── Admin: update credit entry ────────────────────────
case 'credits_update':
if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
if (!$isMasterAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
$d = json_decode(file_get_contents('php://input'), true);
$id = (int)($d['id'] ?? 0);
$credits = (float)($d['credits_purchased'] ?? 0);
@@ -157,7 +165,7 @@ switch ($action) {
// ── Admin: delete credit entry ────────────────────────
case 'credits_delete':
if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
if (!$isMasterAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
$d = json_decode(file_get_contents('php://input'), true);
$id = (int)($d['id'] ?? 0);
if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }