diff --git a/scripts/client/public/js/detailProduct.js b/scripts/client/public/js/detailProduct.js
index f5985f7e8d5286872546c5a87b836d04ebf9edae..368771fa5ffa09958f18d6d8ae3ae282aee9f8b9 100644
--- a/scripts/client/public/js/detailProduct.js
+++ b/scripts/client/public/js/detailProduct.js
@@ -26,7 +26,7 @@ function getProduct() {
             }
         }
     };
-    xhttp.open("GET", "http://localhost:8000/api/productcontroller/getproduct?product_id="+product_id, true);
+    xhttp.open("GET", "http://localhost:8000/api/ProductController/getProduct?product_id="+product_id, true);
     xhttp.setRequestHeader("Accept", "application/json");
     xhttp.withCredentials = true;
     xhttp.send();
@@ -71,19 +71,20 @@ function addAmount() {
 function buyProduct() {
     var xhttp = new XMLHttpRequest();
     xhttp.onreadystatechange = function(){
-        if (this.readyState == 4 && this.status == 200) {
-            console.log(this.responseText);
-            let res = JSON.parse(this.responseText);
-            if (res['status']) {
-                alert("Item successfully purchased!");
-                window.location.href = "http://localhost:8000/pages/home";
-            } else {
-                if (res['data'] == 'not_logged_in') {
-                    alert("You are not logged in, please log in first!");
-                    window.location.href = "http://localhost:8000/pages/login";
+        if (this.readyState == 4) {
+            if (this.status == 200) {
+                console.log(this.responseText);
+                let res = JSON.parse(this.responseText);
+                if (res['status']) {
+                    alert("Item successfully purchased!");
+                    window.location.href = "http://localhost:8000/pages/home";
                 } else {
                     alert(res['data']);
                 }
+            } else {
+                var errorData = JSON.parse(xhttp.responseText);
+                alert(errorData.message);
+                window.location.href = errorData.location;
             }
         }
     };
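Review bot: The new non-200 branch calls `JSON.parse(xhttp.responseText)` unguarded, so any non-JSON error body — a status-0 network failure with an empty responseText, or a server 500 that returns HTML — throws inside onreadystatechange and the user sees nothing. Guard it: `let errorData; try { errorData = JSON.parse(xhttp.responseText); } catch (e) { alert("Request failed (" + this.status + ")"); return; }`. The redirect target is also taken straight from the response; the server side of this diff sends relative paths such as `/pages/login`, so a check like `if (typeof errorData.location === 'string' && errorData.location.startsWith('/')) window.location.href = errorData.location;` keeps the client from following anything else. buyProduct's body continues past the end of the hunk.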
@@ -95,7 +96,7 @@ function buyProduct() {
         "amount": nums,
         "total": price
     };
-    xhttp.open("POST","http://localhost:8000/api/productcontroller/buyProduct",true);
+    xhttp.open("POST","http://localhost:8000/api/ProductController/buyProduct",true);
     xhttp.setRequestHeader("Accept", "application/json");
     xhttp.setRequestHeader("Content-Type", "application/json");
     xhttp.withCredentials = true;
diff --git a/scripts/client/public/js/product.js b/scripts/client/public/js/product.js
index a9beb0c3fb0db6144283da00a98694b69374339c..2c87565826892d3bf90d68ee126fe83c6e0cfd34 100644
--- a/scripts/client/public/js/product.js
+++ b/scripts/client/public/js/product.js
@@ -100,7 +100,7 @@ function selectProduct(numPage) {
         "order_by_name": order_by_name,
         "filter_price": filter_price
     };
-    xhttp.open("POST","http://localhost:8000/api/productcontroller/queryproduct/"+numPage+"/8/",true);
+    xhttp.open("POST","http://localhost:8000/api/ProductController/queryProduct/"+numPage+"/8/",true);
     xhttp.setRequestHeader("Accept", "application/json");
     xhttp.setRequestHeader("Content-Type", "application/json");
     xhttp.withCredentials = true;
diff --git a/scripts/server/app/controllers/ProductController.php b/scripts/server/app/controllers/ProductController.php
index 7753eb07acfa084733215804a4d142d8ea5c5fb3..0998d726d7067a3c9595490d5bb113ec2afe3cab 100644
--- a/scripts/server/app/controllers/ProductController.php
+++ b/scripts/server/app/controllers/ProductController.php
@@ -208,10 +208,6 @@ class ProductController extends Controller {
             return json_response_fail(METHOD_NOT_ALLOWED);
         }
 
-        if (!isset($_SESSION['user_id'])) {
-            return json_response_fail(NOT_LOGGED_IN);
-        }
-
         $user_id = $_SESSION['user_id'];
         $product_id = $_POST['product_id'];
         $amount = $_POST['amount'];
diff --git a/scripts/server/app/core/App.php b/scripts/server/app/core/App.php
index 781acbedaaaef66de912b101245b6144362ec514..8125c89f38c91aafb68a36df39d32d0335143169 100644
--- a/scripts/server/app/core/App.php
+++ b/scripts/server/app/core/App.php
@@ -45,9 +45,91 @@ class App {
                 $_POST = json_decode(file_get_contents('php://input'), true);
             }            
         }
+
+        if (isset($_SESSION['user_id'])) {
+            $this->user = $_SESSION['user_id'];
+            $this->role = $_SESSION['role'];
+        }
+
+        // Implement logic to check user already login or not
+        if (!$this->checkLogin()) {
+            http_response_code(403); // Forbidden status code
+            echo json_encode(['status' => false, 'message' => 'You need to login first', 'location' => '/pages/login']);
+            return;
+        }
+
+        // Implement logic for role-based access controller
+        if (!$this->checkAccess()) {
+            http_response_code(403); // Forbidden status code
+            echo json_encode(['status' => false, 'message' => 'You are not allowed to access this page', 'location' => '/pages/home']);
+            return;
+        }
+
         call_user_func_array([$this->controller, $this->method], $this->params);
     }
 
+    protected function checkLogin() {
+        $accessControl1 = [
+            // Define the allowed ednpoint for unloggedin user
+            'ProductController' => [
+                'showAllProducts', 'queryProduct', 'getProduct'
+            ],
+            'CategoryController' => [
+                'showAllcategories'
+            ],
+            'Auth' => [
+                'info', 'login', 'signup'
+            ]
+        ];        
+
+        $controllerName1 = get_class($this->controller);
+
+        if (isset($accessControl1[$controllerName1]) && in_array($this->method, $accessControl1[$controllerName1])) {
+            if (!isset($_SESSION['user_id'])) {
+                return true;
+            } else {
+                return true;
+            }
+        } else {
+            // If the method is not explicitly restricted, restrict
+            if (isset($_SESSION['user_id'])) {
+                return true;
+            } else {
+                return false;
+            }
+        }
+    }
+
+    protected function checkAccess() {
+        $accessControl = [
+            // Define the only admin method controller
+            'ProductController' => [
+                'getAllProducts', 'getProductsByPage', 'deleteProduct', 'createProduct', 'editProduct'
+            ],
+            'TopUpController' => [
+                'getAllTopUps', 'getTopUpsByPage', 'createTopUp', 'approveTopUp', 'rejectTopUp', 'deleteTopUp'
+            ],
+            'UserController' => [
+                'getAllUsers', 'getUsersByPage', 'createUser', 'deleteUser'
+            ],
+        ];
+
+        $controllerName = get_class($this->controller);
+
+        if (isset($accessControl[$controllerName]) && in_array($this->method, $accessControl[$controllerName])) {
+            if (isset($this->role) && $this->role === 'admin') {
+                // Admin has access to the method
+                return true;
+            } else {
+                // User doesn't have access to the method
+                return false;
+            }
+        }
+
+        // If the method is not explicitly restricted, allow access
+        return true;
+    }
+
     public function parseURL() {
         if (isset($_GET['url'])) {
             $url = rtrim($_GET['url'], '/');
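Review bot: checkAccess() compares `$this->method` against the admin list with a case-sensitive `in_array`, while the `call_user_func_array` in run() resolves PHP method names case-insensitively; if parseURL (outside this hunk) takes the method name from the URL as-is, which the client URL case fixes in this same commit suggest, a differently-cased spelling of a listed admin method misses the list, falls through to the default-allow `return true`, and is still dispatched. Normalise before comparing, e.g. `in_array(strtolower($this->method), array_map('strtolower', $accessControl[$controllerName]), true)` in both checks, and consider making checkAccess default-deny for unlisted controller methods as checkLogin already does, since ProductController::buyProduct in this diff now relies entirely on this gate. In checkLogin the inner if/else under the whitelist match returns true on both branches, so the whole method reduces to `return isset($_SESSION['user_id']) || (isset($accessControl1[$controllerName1]) && in_array($this->method, $accessControl1[$controllerName1], true));` (and `ednpoint` in its comment is a typo). `$this->role = $_SESSION['role']` is read without isset, so a session carrying user_id but no role emits a warning — presumably role is always set at login, worth confirming.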
diff --git a/scripts/server/app/core/Database.php b/scripts/server/app/core/Database.php
index 5e96a8b324907d60f0ab1591080784845a9dce19..5d3249a7c200d26dc169aea954ee19d9ba7fa13d 100644
--- a/scripts/server/app/core/Database.php
+++ b/scripts/server/app/core/Database.php
@@ -11,11 +11,6 @@ class Database {
         try {
             $dsn = 'pgsql:host=' . DB_HOST . ';port=' . DB_PORT . ';dbname=' . DB_NAME;
             $this->dbh = new PDO($dsn, DB_USER, DB_PASSWORD, $option);
-            /* $this->dbh = new PDO(
-                "pgsql:host=ep-wandering-sound-44516679.ap-southeast-1.aws.neon.tech;port=5432;dbname=neondb;options='endpoint=ep-wandering-sound-44516679';sslmode=require",
-                "mikeleo03",
-                "47EevsXYILOx"
-            ); */
         } catch (PDOException $e) {
             die($e->getMessage());
         }