Simon
5550358b15
- SEC-1: nahrazen exec('fsutil') za PHP-native is_link()+realpath() v NasFileManager - eliminace command injection
- SEC-2: přidáno ověření aktuálního hesla při změně hesla (profile.php + DashProfile.jsx)
- BUG-1: attendance punch obalen do transakce s SELECT FOR UPDATE - prevence race condition při dvojkliku
- BUG-2: eliminován N+1 SQL dotaz pro VAT v invoice listu - výpočet přesunut do subquery
- BUG-5/6: delete a update attendance záznamů obaleny do transakcí - prevence nekonzistentního stavu
- BUG-7: opravena duplikace nabídky - přidáno chybějící pole unit v offer items
ESLint: 0 errors | PHPCS: 0 errors | Build: OK
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
126 lines
4.1 KiB
PHP
126 lines
4.1 KiB
PHP
<?php
|
|
|
|
/**
|
|
* BOHA Automation - Profile API
|
|
*
|
|
* Allows any authenticated user to update their own profile
|
|
*
|
|
* PUT /api/admin/profile.php - Update own profile
|
|
*/
|
|
|
|
declare(strict_types=1);
|
|
|
|
require_once dirname(__DIR__) . '/config.php';
|
|
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
|
|
require_once dirname(__DIR__) . '/includes/AuditLog.php';
|
|
|
|
// Set headers
|
|
setCorsHeaders();
|
|
setSecurityHeaders();
|
|
setNoCacheHeaders();
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
|
|
// Require authentication
|
|
$authData = JWTAuth::requireAuth();
|
|
AuditLog::setUser($authData['user_id'], $authData['user']['username'] ?? 'unknown');
|
|
|
|
$method = $_SERVER['REQUEST_METHOD'];
|
|
|
|
if ($method !== 'PUT') {
|
|
errorResponse('Metoda není povolena', 405);
|
|
}
|
|
|
|
try {
|
|
$pdo = db();
|
|
$userId = $authData['user_id'];
|
|
|
|
// Get existing user (vcetne password_hash pro overeni aktualniho hesla)
|
|
$stmt = $pdo->prepare('
|
|
SELECT id, username, email, first_name, last_name, role_id, is_active,
|
|
last_login, created_at, password_hash
|
|
FROM users WHERE id = ?
|
|
');
|
|
$stmt->execute([$userId]);
|
|
$existingUser = $stmt->fetch();
|
|
|
|
if (!$existingUser) {
|
|
errorResponse('Uživatel nebyl nalezen', 404);
|
|
}
|
|
|
|
$input = getJsonInput();
|
|
|
|
$username = isset($input['username']) ? sanitize($input['username']) : $existingUser['username'];
|
|
$email = isset($input['email']) ? sanitize($input['email']) : $existingUser['email'];
|
|
$firstName = isset($input['first_name']) ? sanitize($input['first_name']) : $existingUser['first_name'];
|
|
$lastName = isset($input['last_name']) ? sanitize($input['last_name']) : $existingUser['last_name'];
|
|
|
|
// Validate email format
|
|
if (!isValidEmail($email)) {
|
|
errorResponse('Neplatný formát e-mailu');
|
|
}
|
|
|
|
// Check username uniqueness (excluding current user)
|
|
$stmt = $pdo->prepare('SELECT id FROM users WHERE username = ? AND id != ?');
|
|
$stmt->execute([$username, $userId]);
|
|
if ($stmt->fetch()) {
|
|
errorResponse('Uživatelské jméno již existuje');
|
|
}
|
|
|
|
// Check email uniqueness (excluding current user)
|
|
$stmt = $pdo->prepare('SELECT id FROM users WHERE email = ? AND id != ?');
|
|
$stmt->execute([$email, $userId]);
|
|
if ($stmt->fetch()) {
|
|
errorResponse('E-mail již existuje');
|
|
}
|
|
|
|
// Update user
|
|
if (!empty($input['password'])) {
|
|
// Overeni aktualniho hesla
|
|
if (empty($input['current_password'])) {
|
|
errorResponse('Pro změnu hesla je nutné zadat aktuální heslo');
|
|
}
|
|
if (!password_verify($input['current_password'], $existingUser['password_hash'])) {
|
|
errorResponse('Aktuální heslo není správné');
|
|
}
|
|
|
|
// Validate password length
|
|
if (strlen($input['password']) < 8) {
|
|
errorResponse('Heslo musí mít alespoň 8 znaků');
|
|
}
|
|
|
|
$passwordHash = password_hash($input['password'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
|
|
|
|
$stmt = $pdo->prepare('
|
|
UPDATE users
|
|
SET username = ?, email = ?, password_hash = ?, first_name = ?, last_name = ?, password_changed_at = NOW()
|
|
WHERE id = ?
|
|
');
|
|
$stmt->execute([$username, $email, $passwordHash, $firstName, $lastName, $userId]);
|
|
} else {
|
|
$stmt = $pdo->prepare('
|
|
UPDATE users
|
|
SET username = ?, email = ?, first_name = ?, last_name = ?
|
|
WHERE id = ?
|
|
');
|
|
$stmt->execute([$username, $email, $firstName, $lastName, $userId]);
|
|
}
|
|
|
|
// Audit log
|
|
AuditLog::logUpdate('user', $userId, [
|
|
'username' => $existingUser['username'],
|
|
'email' => $existingUser['email'],
|
|
'first_name' => $existingUser['first_name'],
|
|
'last_name' => $existingUser['last_name'],
|
|
], [
|
|
'username' => $username,
|
|
'email' => $email,
|
|
'first_name' => $firstName,
|
|
'last_name' => $lastName,
|
|
], 'Uživatel aktualizoval svůj profil');
|
|
|
|
successResponse(null, 'Profil byl úspěšně aktualizován');
|
|
} catch (PDOException $e) {
|
|
error_log('Profile API error: ' . $e->getMessage());
|
|
errorResponse('Chyba databáze', 500);
|
|
}
|