119 lines
4.4 KiB
PHP
119 lines
4.4 KiB
PHP
<?php
|
|
$rootPath = dirname(dirname(__DIR__));
|
|
require_once($rootPath . '/src/config/env.php');
|
|
include_once($rootPath . '/src/config/connection.php');
|
|
include_once($rootPath . '/src/config/functions.php');
|
|
|
|
session_start();
|
|
$user_id = $_SESSION['user_id'] ?? null;
|
|
|
|
// CSRF Token Validation
|
|
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
|
|
http_response_code(403);
|
|
die('Security token validation failed. Please try again.');
|
|
}
|
|
|
|
// campsites.php
|
|
$conn = openDatabaseConnection();
|
|
|
|
// Get text inputs
|
|
$name = validateName($_POST['name'] ?? '') ?: '';
|
|
$desc = isset($_POST['description']) ? htmlspecialchars($_POST['description'], ENT_QUOTES, 'UTF-8') : '';
|
|
$country = isset($_POST['country']) ? htmlspecialchars($_POST['country'], ENT_QUOTES, 'UTF-8') : '';
|
|
$province = isset($_POST['province']) ? htmlspecialchars($_POST['province'], ENT_QUOTES, 'UTF-8') : '';
|
|
$lat = isset($_POST['latitude']) ? floatval($_POST['latitude']) : 0.0;
|
|
$lng = isset($_POST['longitude']) ? floatval($_POST['longitude']) : 0.0;
|
|
$website = isset($_POST['website']) ? filter_var($_POST['website'], FILTER_VALIDATE_URL) : '';
|
|
$telephone = validatePhoneNumber($_POST['telephone'] ?? '') ?: '';
|
|
|
|
if (empty($name)) {
|
|
http_response_code(400);
|
|
die('Campsite name is required.');
|
|
}
|
|
|
|
// Handle file upload
|
|
$thumbnailPath = null;
|
|
if (isset($_FILES['thumbnail']) && $_FILES['thumbnail']['error'] !== UPLOAD_ERR_NO_FILE) {
|
|
// Validate file using hardened validation function
|
|
$validationResult = validateFileUpload($_FILES['thumbnail'], 'profile_picture');
|
|
|
|
if ($validationResult === false) {
|
|
http_response_code(400);
|
|
die('Invalid thumbnail image. Only JPG, JPEG, PNG, GIF, and WEBP images under 5MB are allowed.');
|
|
}
|
|
|
|
$uploadDir = $rootPath . "/assets/uploads/campsites/";
|
|
if (!is_dir($uploadDir)) {
|
|
mkdir($uploadDir, 0755, true);
|
|
}
|
|
|
|
if (!is_writable($uploadDir)) {
|
|
http_response_code(500);
|
|
die('Upload directory is not writable.');
|
|
}
|
|
|
|
$randomFilename = $validationResult['filename'];
|
|
$targetFile = $uploadDir . $randomFilename;
|
|
|
|
if (move_uploaded_file($_FILES["thumbnail"]["tmp_name"], $targetFile)) {
|
|
chmod($targetFile, 0644);
|
|
$thumbnailPath = "assets/uploads/campsites/" . $randomFilename;
|
|
} else {
|
|
http_response_code(500);
|
|
die('Failed to move uploaded file.');
|
|
}
|
|
}
|
|
|
|
$id = isset($_POST['id']) ? intval($_POST['id']) : 0;
|
|
|
|
if ($id > 0) {
|
|
// Verify ownership - check if the campsite belongs to the current user
|
|
$ownerCheckStmt = $conn->prepare("SELECT user_id FROM campsites WHERE id = ?");
|
|
$ownerCheckStmt->bind_param("i", $id);
|
|
$ownerCheckStmt->execute();
|
|
$ownerResult = $ownerCheckStmt->get_result();
|
|
|
|
if ($ownerResult->num_rows === 0) {
|
|
http_response_code(404);
|
|
die('Campsite not found.');
|
|
}
|
|
|
|
$ownerRow = $ownerResult->fetch_assoc();
|
|
if ($ownerRow['user_id'] != $user_id) {
|
|
http_response_code(403);
|
|
die('You do not have permission to edit this campsite. Only the owner can make changes.');
|
|
}
|
|
|
|
$ownerCheckStmt->close();
|
|
|
|
// UPDATE
|
|
if ($thumbnailPath) {
|
|
$stmt = $conn->prepare("UPDATE campsites SET name=?, description=?, country=?, province=?, latitude=?, longitude=?, website=?, telephone=?, thumbnail=? WHERE id=?");
|
|
$stmt->bind_param("ssssddsssi", $name, $desc, $country, $province, $lat, $lng, $website, $telephone, $thumbnailPath, $id);
|
|
} else {
|
|
$stmt = $conn->prepare("UPDATE campsites SET name=?, description=?, country=?, province=?, latitude=?, longitude=?, website=?, telephone=? WHERE id=?");
|
|
$stmt->bind_param("ssssddssi", $name, $desc, $country, $province, $lat, $lng, $website, $telephone, $id);
|
|
}
|
|
|
|
// Log the action
|
|
auditLog($user_id, 'CAMPSITE_UPDATE', 'campsites', $id, ['name' => $name]);
|
|
} else {
|
|
// INSERT
|
|
$stmt = $conn->prepare("INSERT INTO campsites (name, description, country, province, latitude, longitude, website, telephone, thumbnail, user_id)
|
|
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
|
|
$stmt->bind_param("ssssddsssi", $name, $desc, $country, $province, $lat, $lng, $website, $telephone, $thumbnailPath, $user_id);
|
|
|
|
// Log the action
|
|
auditLog($user_id, 'CAMPSITE_CREATE', 'campsites', 0, ['name' => $name]);
|
|
}
|
|
|
|
if (!$stmt->execute()) {
|
|
http_response_code(500);
|
|
die('Database error: ' . $stmt->error);
|
|
}
|
|
|
|
$stmt->close();
|
|
|
|
header("Location: campsites");
|
|
?>
|