Check for admin

System
2025-01-05 13:24:10 +00:00 · 2025-01-05 13:23:55 +00:00
6 changed files with 117 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ etsyTokens.json
 .DS_Store
 node_modules/
 vendor/
+logs/
--- a/.htaccess
+++ b/.htaccess
@@ -0,0 +1,57 @@
+RewriteEngine On
+
+# Fix for nginx proxy to avoid internal server errors
+RewriteBase /
+
+# Redirect all traffic to the public folder, but allow existing files/directories
+RewriteCond %{REQUEST_URI} !^/public/
+RewriteCond %{DOCUMENT_ROOT}/public%{REQUEST_URI} -f [OR]
+RewriteCond %{DOCUMENT_ROOT}/public%{REQUEST_URI} -d
+RewriteRule ^(.*)$ /public/$1 [L,QSA]
+
+# Handle cases where the file doesn't exist
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /public/index.php [L]
+
+# Ensure directory listing is disabled
+Options -Indexes
+
+# Enable compression
+<IfModule mod_deflate.c>
+    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
+</IfModule>
+
+# Leverage browser caching
+<IfModule mod_expires.c>
+    ExpiresActive On
+    ExpiresByType text/html "access plus 1 month"
+    ExpiresByType image/gif "access plus 1 year"
+    ExpiresByType image/jpeg "access plus 1 year"
+    ExpiresByType image/png "access plus 1 year"
+    ExpiresByType text/css "access plus 1 month"
+    ExpiresByType text/javascript "access plus 1 month"
+    ExpiresByType application/javascript "access plus 1 month"
+    ExpiresByType application/x-shockwave-flash "access plus 1 month"
+    ExpiresByType application/pdf "access plus 1 month"
+</IfModule>
+
+# Basic security headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "SAMEORIGIN"
+    Header set X-XSS-Protection "1; mode=block"
+</IfModule>
+
+# Handle 404 errors
+ErrorDocument 404 /public/404.html
+
+# Handle PHP execution if needed
+<FilesMatch "\.php$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+
+# Deny access to sensitive files
+<FilesMatch "^\.(htaccess|htpasswd|env|ini|log|sh|sql|bak|config)$">
+    Require all denied
+</FilesMatch>
--- a/public/addFilament.php
+++ b/public/addFilament.php
@@ -1,4 +1,6 @@
-<?php include '../src/session_check.php'; ?>
+<?php include '../src/session_check.php'; 
+checkUserRole(['admin']);
+?>

 <html lang="en" data-bs-theme="light">
 <head>
--- a/src/filamentTracker/addFilament.php
+++ b/src/filamentTracker/addFilament.php
@@ -5,6 +5,7 @@ require_once '../envLoader.php';
 loadEnv(__DIR__ . '/../../.env');

 include '../src/session_check.php';
+checkUserRole(['admin']);

 use Goutte\Client;

--- a/src/header.php
+++ b/src/header.php
@@ -75,5 +75,28 @@
 						</ul>
 					</div>
 				</nav>
+				<?php if (isset($_SESSION['errorMessage'])): ?>
+					<div id="sessionAlert" class="alert alert-danger alert-dismissible fade show" role="alert">
+						<?php echo $_SESSION['errorMessage']; ?>
+						<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+					</div>
+					<script>
+						document.addEventListener('DOMContentLoaded', function () {
+							setTimeout(function () {
+								let alertElement = document.getElementById('sessionAlert');
+								if (alertElement) {
+									alertElement.classList.remove('show');
+									alertElement.classList.add('fade');
+									alertElement.addEventListener('transitionend', function () {
+										alertElement.remove();
+									});
+								}
+							}, 4000);
+
+							// Clear the session variable after rendering
+							<?php unset($_SESSION['errorMessage']); ?>
+						});
+					</script>
+				<?php endif; ?>
 			</div>
 		</header>
--- a/src/session_check.php
+++ b/src/session_check.php
@@ -1,6 +1,38 @@
 <?php
 session_start();
+
+// Configuration for session timeout (in seconds)
+define('SESSION_TIMEOUT', 1800); // 30 minutes
+
+// Check if the user is logged in
 if (!isset($_SESSION['userId'])) {
+    redirectToLogin("You must be logged in to access this page.");
+}
+
+// Session Timeout Check
+if (isset($_SESSION['lastActivity']) && (time() - $_SESSION['lastActivity']) > SESSION_TIMEOUT) {
+    // Session expired
+    session_unset();
+    session_destroy();
+    redirectToLogin("Session expired. Please log in again.");
+} else {
+    $_SESSION['lastActivity'] = time(); // Update activity timestamp
+}
+
+// Function to check user roles
+function checkUserRole($allowedRoles = []) {
+    if (!isset($_SESSION['role']) || !in_array($_SESSION['role'], $allowedRoles)) {
+        $_SESSION['errorMessage'] = "Access denied: You do not have the required permissions.";
+        header("Location: dashboard.php");  // Redirect to dashboard or another page
+        exit();
+    }
+}
+
+// Function to redirect to login with optional message
+function redirectToLogin($message = '') {
+    if (!empty($message)) {
+        $_SESSION['errorMessage'] = $message;
+    }
    header("Location: login.php");
    exit();
 }
Author	SHA1	Message	Date
Hickmeister	bcb7d7ea7d	Check for admin	2025-01-05 13:24:10 +00:00
Hickmeister	e9908bd65b	System	2025-01-05 13:23:55 +00:00