Skip to content

Attempt to merge main into our semester work#52

Merged
Daniel-Lopez246 merged 9 commits into
GBSA-9477/fix-for-demofrom
main
Apr 9, 2026
Merged

Attempt to merge main into our semester work#52
Daniel-Lopez246 merged 9 commits into
GBSA-9477/fix-for-demofrom
main

Conversation

@Daniel-Lopez246

Copy link
Copy Markdown
Collaborator

No description provided.

@Daniel-Lopez246 Daniel-Lopez246 merged commit 4d09d68 into GBSA-9477/fix-for-demo Apr 9, 2026
1 check passed

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant updates to the CyberCafe system, including a new database seeding script, support ticket schema, and comprehensive backend logic for user, admin, and owner dashboards. However, several critical issues must be addressed before merging. Most notably, a security vulnerability was introduced where all new registrants are assigned the 'owner' role by default. Additionally, multiple files contain unresolved merge conflict markers, and several scripts include debugging code (var_dump), active error display settings, or incorrect redirection paths that will cause runtime failures. Improvements are also needed in error handling to prevent sensitive information exposure in database functions.

$phone_number = trim($_POST['phone_number'] ?? '');
$access_code = trim($_POST['access_code'] ?? '');
$user_role = 'user';
$user_role = 'owner'; //All New Users are set as owner changed if needed

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

Assigning the 'owner' role to all new registrants is a critical security vulnerability. This allows any user who registers to gain full administrative control over the system. The default role should be 'user'.

    $user_role = 'user';

Comment on lines +2 to +10
<<<<<<< HEAD
declare(strict_types=1);
$pageTitle = "A - Dashboard";
=======
require_once $_SERVER['DOCUMENT_ROOT'] . '/Website/config/auth.php';
require_roles(['admin']);
// Set the page title dynamically
$pageTitle = "A - Dashboard";
>>>>>>> main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Unresolved merge conflict markers found in the code. This will cause a syntax error and prevent the script from executing.

declare(strict_types=1);
require_once $_SERVER['DOCUMENT_ROOT'] . '/Website/config/auth.php';
require_roles(['admin']);
$pageTitle = "A - Dashboard";

Comment on lines +2 to +8
<<<<<<< HEAD
declare(strict_types=1);

=======
require_once $_SERVER['DOCUMENT_ROOT'] . '/Website/config/auth.php';
require_roles(['admin']);
>>>>>>> main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Unresolved merge conflict markers found in the code.

declare(strict_types=1);
require_once $_SERVER['DOCUMENT_ROOT'] . '/Website/config/auth.php';
require_roles(['admin']);

Comment on lines +2 to +8
<<<<<<< HEAD
declare(strict_types=1);

=======
require_once $_SERVER['DOCUMENT_ROOT'] . '/Website/config/auth.php';
require_roles(['admin']);
>>>>>>> main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Unresolved merge conflict markers found in the code.

declare(strict_types=1);
require_once $_SERVER['DOCUMENT_ROOT'] . '/Website/config/auth.php';
require_roles(['admin']);

Comment on lines +164 to +166
echo "<pre style='background:red;color:white;padding:20px;'>";
echo "BLOCK URL ERROR: " . $e->getMessage();
echo "</pre>";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

Directly echoing exception messages to the browser is a security risk as it can reveal sensitive information about the database structure or server environment. Use error_log() for debugging and show a generic error message to the user.

        error_log("BLOCK URL ERROR: " . $e->getMessage());

Comment on lines +44 to +48
echo '<pre>';
var_dump($activeUsers);
var_dump($bandwidthUsage);
var_dump($allUser);
echo '</pre>';

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Debugging code (var_dump) should be removed before merging into production to avoid leaking internal data structures to the end user.

Comment on lines +91 to +94
echo '<pre>';
var_dump($blockedUrls);
var_dump($restrictedevices);
echo '</pre>';

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Debugging code (var_dump) should be removed.


$result = getUserSessionSummary();

var_dump($result);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Debugging code (var_dump) should be removed.

Comment on lines +3 to +4
ini_set('display_errors', 1);
error_reporting(E_ALL);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

Enabling display_errors in production code is a security risk. Error reporting should be handled via logs.

Comment on lines +20 to +35
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['add_url'])) {
$url = trim($_POST['add_url']);
if (!str_starts_with($url, 'http')) $url = 'https://' . $url;

blockUrl($url, $_SESSION['user_id'] ?? 'ADMIN');
$_SESSION['flash'] = [
'type' => 'success',
'msg' => 'URL has been blocked: <strong>' . htmlspecialchars($url) . '</strong>'
];
echo "<script>
setTimeout(() => {
window.location.href = window.location.pathname;
}, 100);
</script>";
exit;
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

POST request handling should be moved to the top of the file, before any HTML output (including the header file). This allows for proper HTTP redirects using header('Location: ...') and exit;, which is more robust and standard than using JavaScript setTimeout for redirection.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants