Fix 6 code review findings: auth, mysqldump stderr, dead code, audit logs
- backup.php: replace manual admin check with requireAdmin(); suppress mysqldump password warning (2>&1 → 2>/dev/null) to prevent corrupt dumps - ttg-backup.sh: same mysqldump stderr fix - admin.php toggle_user: fix undefined $adminId/$userId in logAdminAction call — use $_SESSION['user_id'] and $uid instead - admin.php chat_clear_all: wrap in try/catch and add logAdminAction audit - admin.php: delete unreachable broadcast query block after break statement - admin/index.php: fix cashouts_total formatted as currency — use parseInt (tokens are whole numbers, not dollars) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+1
-1
@@ -1270,7 +1270,7 @@ async function loadPlatformStats() {
|
||||
<div style="font-size:11px;color:var(--text2);font-weight:700;letter-spacing:.5px">PURCH</div>
|
||||
</div>
|
||||
<div style="flex:1;text-align:center;border-left:1px solid var(--border)">
|
||||
<div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--green)">${parseFloat(p.cashouts_total).toLocaleString(undefined,{minimumFractionDigits:2,maximumFractionDigits:2})} 🪙</div>
|
||||
<div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--green)">${parseInt(p.cashouts_total).toLocaleString()} 🪙</div>
|
||||
<div style="font-size:11px;color:var(--text2);font-weight:700;letter-spacing:.5px">CASH</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
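Review bot: `parseInt(p.cashouts_total)` on the new CASH line renders the literal text "NaN 🪙" whenever the stats payload carries null or undefined for cashouts_total (for instance before any cashout exists), and it is called without a radix. `${parseInt(p.cashouts_total ?? 0, 10).toLocaleString()} 🪙` covers the missing-value case and pins base 10; whether the stats endpoint can actually return null here is not visible in this hunk, so treat that as a check against the server side. The previous parseFloat form had the same NaN behaviour, so this is not a regression, only an unaddressed edge. loadPlatformStats() begins and ends outside the hunk.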
+8
-13
@@ -360,8 +360,8 @@ switch ($action) {
|
||||
$data = json_decode(file_get_contents('php://input'), true);
|
||||
$uid = (int)($data['user_id'] ?? 0);
|
||||
if ($uid === MASTER_ADMIN_ID) { echo json_encode(['success'=>false,'error'=>'Cannot suspend the master admin.']); exit; }
|
||||
logAdminAction('USER_STATUS_CHANGE', $adminId, 'user', isset($userId)?(int)$userId:0, 'Changed user status to: '.($data['status']??'unknown'), '', ($data['status']??''), 'warning');
|
||||
db()->prepare("UPDATE users SET status=IF(status='active','suspended','active') WHERE id=?")->execute([$uid]);
|
||||
logAdminAction('USER_STATUS_CHANGE', (int)$_SESSION['user_id'], 'user', $uid, 'Changed user status', '', ($data['status']??''), 'warning');
|
||||
echo json_encode(['success'=>true]);
|
||||
break;
|
||||
|
||||
@@ -461,16 +461,6 @@ switch ($action) {
|
||||
}
|
||||
echo json_encode(['success'=>true]);
|
||||
break;
|
||||
$rows = db()->query("
|
||||
SELECT b.*, u.username AS sender_name,
|
||||
(SELECT COUNT(*) FROM broadcast_reads WHERE broadcast_id=b.id) AS read_count,
|
||||
(SELECT COUNT(*) FROM broadcast_replies WHERE broadcast_id=b.id) AS reply_count,
|
||||
(SELECT COUNT(*) FROM users WHERE is_admin=0 AND status='active') AS total_players
|
||||
FROM broadcasts b JOIN users u ON b.admin_id=u.id
|
||||
ORDER BY b.sent_at DESC LIMIT 50
|
||||
")->fetchAll();
|
||||
echo json_encode(['success'=>true,'broadcasts'=>$rows]);
|
||||
break;
|
||||
|
||||
case 'broadcast_list':
|
||||
try {
|
||||
@@ -1050,8 +1040,13 @@ switch ($action) {
|
||||
// ─── CHAT: clear ALL chats ────────────────────────────
|
||||
case 'chat_clear_all':
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
|
||||
db()->exec("DELETE FROM chat_messages");
|
||||
echo json_encode(['success'=>true]);
|
||||
try {
|
||||
db()->exec("DELETE FROM chat_messages");
|
||||
logAdminAction('CHAT_CLEAR_ALL', (int)$_SESSION['user_id'], 'chat', 0, 'Cleared all chat messages', '', '', 'warning');
|
||||
echo json_encode(['success'=>true]);
|
||||
} catch (Exception $e) {
|
||||
echo json_encode(['success'=>false,'error'=>'Failed to clear chat']);
|
||||
}
|
||||
break;
|
||||
case 'chat_unread':
|
||||
$count = db()->query("SELECT COUNT(*) FROM chat_messages WHERE sender='user' AND is_read=0")->fetchColumn();
|
||||
|
||||
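Review bot: The audit entry written after the toggle in the first hunk logs `$data['status'] ?? ''` as the new value, but the UPDATE decides the new status itself with `IF(status='active','suspended','active')`, so the logged value is whatever the client chose to send (or empty) and can contradict what the row now holds; an admin audit log should record the observed result. A `$uid` of 0 (missing or non-numeric `user_id`) also passes the master-admin check, runs a no-op UPDATE and still writes a USER_STATUS_CHANGE entry. Reading the row back after the UPDATE gives both the real new value and a not-found check; this assumes the sixth and seventh logAdminAction arguments are old/new values, which the call shapes suggest but the hunk does not show. The `case` label and any request-method check precede the hunk, and unlike the chat_clear_all hunk below this path has no try/catch around the DB calls.
```php
$uid = (int)($data['user_id'] ?? 0);
if ($uid <= 0) { echo json_encode(['success'=>false,'error'=>'Invalid user id.']); exit; }
// … unchanged: master-admin guard …
db()->prepare("UPDATE users SET status=IF(status='active','suspended','active') WHERE id=?")->execute([$uid]);
// Log what the row actually holds now, not the client-supplied status.
$stmt = db()->prepare("SELECT status FROM users WHERE id=?");
$stmt->execute([$uid]);
$newStatus = $stmt->fetchColumn();
if ($newStatus === false) { echo json_encode(['success'=>false,'error'=>'User not found.']); exit; }
logAdminAction('USER_STATUS_CHANGE', (int)$_SESSION['user_id'], 'user', $uid, 'Changed user status', '', (string)$newStatus, 'warning');
// … unchanged: success response and break …
```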
+2
-6
@@ -9,11 +9,7 @@ if ($action !== 'download') {
|
||||
header('Content-Type: application/json');
|
||||
}
|
||||
|
||||
if (!isLoggedIn() || empty($_SESSION['is_admin'])) {
|
||||
if ($action !== 'download') echo json_encode(['success'=>false,'error'=>'Forbidden']);
|
||||
else { http_response_code(403); echo 'Forbidden'; }
|
||||
exit;
|
||||
}
|
||||
requireAdmin();
|
||||
|
||||
$backupDir = '/home/tomtomgames.com/backups';
|
||||
if (!is_dir($backupDir)) @mkdir($backupDir, 0750, true);
|
||||
@@ -43,7 +39,7 @@ switch ($action) {
|
||||
|
||||
// Export database
|
||||
$dbCmd = sprintf(
|
||||
'/usr/bin/mysqldump -u %s -p%s %s > %s 2>&1',
|
||||
'/usr/bin/mysqldump -u %s -p%s %s > %s 2>/dev/null',
|
||||
escapeshellarg(DB_USER), escapeshellarg(DB_PASS),
|
||||
escapeshellarg(DB_NAME), escapeshellarg($sqlFile)
|
||||
);
|
||||
|
||||
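Review bot: Redirecting stderr to /dev/null on the mysqldump line fixes the corrupted dump but keeps the root cause — the password is still passed as `-p%s` on the command line, where it is visible to other local users through the process list — and it now also discards genuine mysqldump errors (access denied, missing table), so a failed run leaves only an empty or partial file with nothing to diagnose. Feeding the credentials through `--defaults-extra-file` pointing at a 0600 file removes both the warning and the argv exposure, and stderr can go to a log file instead of /dev/null; the same `"-p${DB_PASS}"` argv exposure is in the ttg-backup.sh hunk below. The code that runs `$dbCmd` and checks its exit status is outside the hunk, so I cannot confirm a non-zero exit or empty file is handled here the way the shell script's `[ ! -s "$SQL_FILE" ]` test does. The sketch below assumes DB_PASS contains no double quote or backslash, which the my.cnf line would otherwise need escaped.
```php
// Credentials go through a defaults file (tempnam() creates it 0600), not -p on argv,
// so the password is not exposed in the process list and mysqldump emits no warning.
$cnfFile = tempnam(sys_get_temp_dir(), 'ttgdump');
file_put_contents($cnfFile, "[client]\nuser=" . DB_USER . "\npassword=\"" . DB_PASS . "\"\n");
$dbCmd = sprintf(
    '/usr/bin/mysqldump --defaults-extra-file=%s %s > %s 2>>%s',
    escapeshellarg($cnfFile), escapeshellarg(DB_NAME),
    escapeshellarg($sqlFile), escapeshellarg($backupDir . '/backup.log')
);
// … unchanged: the lines that run $dbCmd …
unlink($cnfFile);
```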
@@ -15,7 +15,7 @@ mkdir -p "$BACKUP_DIR"
|
||||
echo "[$(date '+%Y-%m-%d %H:%M:%S')] Starting backup..."
|
||||
|
||||
# Export database
|
||||
/usr/bin/mysqldump -u "$DB_USER" "-p${DB_PASS}" "$DB_NAME" > "$SQL_FILE" 2>&1
|
||||
/usr/bin/mysqldump -u "$DB_USER" "-p${DB_PASS}" "$DB_NAME" > "$SQL_FILE" 2>/dev/null
|
||||
if [ $? -ne 0 ] || [ ! -s "$SQL_FILE" ]; then
|
||||
echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: Database export failed"
|
||||
rm -f "$SQL_FILE"
|
||||
|
||||