
FILE_CONTENT: reject_listing.php

<?php
// CORS preamble.
// NOTE(review): `Access-Control-Allow-Origin: *` together with
// `Access-Control-Allow-Credentials: true` is an invalid pairing under the Fetch
// standard — browsers refuse credentialed cross-origin responses that carry a
// wildcard origin, so the credentials header is either dead or the wildcard is
// wrong. Either reflect a specific allow-listed origin here, or drop the
// credentials header (this endpoint authenticates via a bearer token read
// server-side by getAuthToken() below, not via cookies). The wildcard also
// means any web origin may call this API once it holds a token.
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS");
header("Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Requested-With, User-Agent");
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Max-Age: 86400");
// NOTE(review): exposing `Authorization` as a *response* header only matters if
// some endpoint actually returns a token that way — confirm, otherwise remove it.
header("Access-Control-Expose-Headers: Authorization, Content-Type");
header("Content-Type: application/json; charset=UTF-8");

// Answer the preflight before any auth or DB work: an OPTIONS request carries
// no Authorization header, so it must not hit the token check below.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

require 'vendor/autoload.php';
require 'db.php';
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Dotenv\Dotenv;

// Load `.env` from this directory into $_ENV without overwriting variables that
// are already set. NOTE(review): this script is served from the web root, so
// the web server must deny direct requests for `.env`; otherwise DB_PASSWORD
// and JWT_SECRET are one GET away.
Dotenv::createImmutable(__DIR__)->load();

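// Open the database connection using the environment loaded above.
// Failures end the request with a generic 500: a PDOException message can
// contain the DB host, database name and user, which must not reach the client.
$missingDbVars = [];
foreach (['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASSWORD'] as $dbVar) {
    if (!isset($_ENV[$dbVar])) {
        $missingDbVars[] = $dbVar;
    }
}
if ($missingDbVars !== []) {
    error_log('reject_listing.php: missing environment variables: ' . implode(', ', $missingDbVars));
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Database connection failed']);
    exit;
}

try {
    $pdo = new PDO(
        "mysql:host={$_ENV['DB_HOST']};dbname={$_ENV['DB_NAME']};charset=utf8mb4",
        $_ENV['DB_USER'],
        $_ENV['DB_PASSWORD'],
        [
            // Throw on every SQL error so a failure can never be silently ignored.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Server-side prepared statements: the driver never splices bound
            // parameters into the query text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
} catch (PDOException $e) {
    // Details go to the server log only.
    error_log('reject_listing.php: database connection failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Database connection failed']);
    exit;
}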

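// Authenticate the caller. getAuthToken() is defined outside this file (it is
// described as the shared token extractor — presumably reads the Authorization
// header; confirm whether it also accepts other sources).
$jwt = getAuthToken();
if (!$jwt) {
    http_response_code(401);
    echo json_encode(['success' => false, 'message' => 'Authorization header missing']);
    exit;
}

// A missing signing secret is a server misconfiguration, not a client error;
// without this check Key() would throw and the caller would see a 401.
if (empty($_ENV['JWT_SECRET'])) {
    error_log('reject_listing.php: JWT_SECRET is not configured');
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Server configuration error']);
    exit;
}

try {
    // The algorithm is pinned server-side to HS256, so the token header cannot
    // pick a weaker one (e.g. "none").
    $decoded = JWT::decode($jwt, new Key($_ENV['JWT_SECRET'], 'HS256'));
} catch (Exception $e) {
    // Expired, malformed and bad-signature tokens all get the same generic 401;
    // the exact reason is logged rather than returned, so the response is not
    // an oracle for someone tampering with tokens.
    error_log('reject_listing.php: JWT rejected: ' . $e->getMessage());
    http_response_code(401);
    echo json_encode(['success' => false, 'message' => 'Invalid token']);
    exit;
}

// The authorization decision further down relies on both of these claims; a
// token that lacks them (e.g. issued by a different flow) is unusable here.
if (!isset($decoded->user_id, $decoded->user_type)) {
    http_response_code(401);
    echo json_encode(['success' => false, 'message' => 'Invalid token']);
    exit;
}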

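// Reject a car listing. Request: POST {"id": <listing id>, "comment": <optional text>}.
// Allowed for the listing's owner or for an admin (user_type ADMIN_USER_TYPE).
const ADMIN_USER_TYPE = 4;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = json_decode((string) file_get_contents('php://input'), true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        http_response_code(400);
        echo json_encode(['success' => false, 'message' => 'Invalid JSON body']);
        exit;
    }

    // The id must be a positive integer. Missing, 0, non-numeric strings and
    // arrays are a client error rather than something to hand to the database
    // (an array would otherwise be bound as the string "Array").
    $listingId = filter_var($data['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($listingId === false) {
        http_response_code(400);
        echo json_encode(['success' => false, 'message' => 'Listing ID is required']);
        exit;
    }

    // Optional rejection note. Only a non-empty string is persisted; other JSON
    // types are ignored. Compared against '' rather than truthiness so a
    // comment of "0" is not silently dropped.
    $comment = null;
    if (isset($data['comment']) && is_string($data['comment']) && $data['comment'] !== '') {
        $comment = $data['comment'];
    }

    try {
        // Look the listing up first so access can be decided against its owner.
        // NOTE(review): an authenticated user can tell a missing id (404) from a
        // foreign one (403); acceptable for most apps, but an enumeration oracle.
        $stmt = $pdo->prepare("SELECT user_id, status FROM car_listings WHERE id = ?");
        $stmt->execute([$listingId]);
        $listing = $stmt->fetch(PDO::FETCH_ASSOC);

        if (!$listing) {
            http_response_code(404);
            echo json_encode(['success' => false, 'message' => 'Listing not found']);
            exit;
        }

        // Access rule: owner or admin. Both sides are normalised before a strict
        // comparison because the JWT claim and the DB column may arrive as int
        // or string depending on how the token was issued and how PDO returns
        // the column.
        // NOTE(review): `status` is fetched but never consulted (no guard against
        // re-rejecting), and a non-admin owner is allowed to write
        // `admin_comment`; both look unintended — confirm with the product owner.
        $isOwner = (string) $decoded->user_id === (string) $listing['user_id'];
        $isAdmin = (int) $decoded->user_type === ADMIN_USER_TYPE;
        if (!$isOwner && !$isAdmin) {
            http_response_code(403);
            echo json_encode(['success' => false, 'message' => 'Access denied']);
            exit;
        }

        // Mark the listing rejected, storing the note only when one was given.
        if ($comment !== null) {
            $stmt = $pdo->prepare("UPDATE car_listings SET status = 'rejected', admin_comment = ? WHERE id = ?");
            $stmt->execute([$comment, $listingId]);
        } else {
            $stmt = $pdo->prepare("UPDATE car_listings SET status = 'rejected' WHERE id = ?");
            $stmt->execute([$listingId]);
        }

        echo json_encode([
            'success' => true,
            'message' => 'Listing rejected successfully',
            'data' => [
                // The validated integer id, not the raw client value.
                'id' => $listingId,
                'status' => 'rejected'
            ]
        ]);
    } catch (PDOException $e) {
        // SQL error text can reveal table and column names; log it, return a generic 500.
        error_log('reject_listing.php: database error: ' . $e->getMessage());
        http_response_code(500);
        echo json_encode(['success' => false, 'message' => 'Database error']);
    }
} else {
    // RFC 9110 requires an Allow header on 405 responses.
    header('Allow: POST, OPTIONS');
    http_response_code(405);
    echo json_encode(['success' => false, 'message' => 'Method not allowed. Use POST']);
}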