nickpons666/contenedor_ibiza
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Mejoras en seguridad de sesiones y pagina para cambiar contraseña

Browse Source 
- Corregido warning de session_save_path/session_name al iniciar sesion
- CSRF ahora usa Session::init() para configuracion correcta de sesion
- Agregada pagina independiente para cambiar contraseña de ayudantes
- Boton Cambiar Contraseña en navbar de pagina de ayudantes
- Mejorada disposicion de tablas en pagina de asignaciones
This commit is contained in:
nickpons666
2026-01-20 15:53:33 -06:00
parent 05631e4a63
commit 230b8a8aeb
7 changed files with 186 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
public/admin/asignaciones.php
View File

@@ -205,72 +205,44 @@ $pageTitle = 'Asignación de Turnos';
<div class="col-md-6">
<div class="card shadow-sm">
<div class="card-header bg-info text-white">
<h5 class="mb-0">Horarios Activos</h5>
<div class="card-header bg-secondary text-white">
<h5 class="mb-0">Historial de Asignaciones</h5>
</div>
<div class="card-body">
<div class="table-responsive">
<table class="table table-sm mb-0">
<thead>
<tr>
<th>Día</th>
<th>Hora</th>
</tr>
</thead>
<tbody>
<?php foreach ($horarios as $h): ?>
<tr>
<td><?= ucfirst($h['dia_semana']) ?></td>
<td><?= date('H:i', strtotime($h['hora_apertura'])) ?> - <?= date('H:i', strtotime($h['hora_cierre'])) ?></td>
</tr>
<form method="GET" class="mb-3">
<label class="form-label">Seleccionar semana:</label>
<div class="d-flex gap-2">
<select class="form-select" name="semana" style="max-width: 320px;">
<?php foreach ($semanasAgrupadas as $grupo): ?>
<optgroup label="<?= $grupo['nombre'] ?>">
<?php foreach ($grupo['semanas'] as $s): ?>
<option value="<?= $s['fecha'] ?>" <?= $s['fecha'] === ($_GET['semana'] ?? $currentWeekStart) ? 'selected' : '' ?>>
Semana <?= $s['posicion'] ?> de 4 - <?= date('d/m', strtotime($s['fecha'])) ?>
</option>
<?php endforeach; ?>
</optgroup>
<?php endforeach; ?>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</select>
<button type="submit" class="btn btn-outline-primary">Ver</button>
</div>
</form>
<div class="card shadow-sm">
<div class="card-header bg-secondary text-white">
<h5 class="mb-0">Historial de Asignaciones</h5>
</div>
<div class="card-body">
<form method="GET" class="mb-3">
<label class="form-label">Seleccionar semana:</label>
<div class="d-flex gap-2">
<select class="form-select" name="semana" style="max-width: 320px;">
<?php foreach ($semanasAgrupadas as $grupo): ?>
<optgroup label="<?= $grupo['nombre'] ?>">
<?php foreach ($grupo['semanas'] as $s): ?>
<option value="<?= $s['fecha'] ?>" <?= $s['fecha'] === ($_GET['semana'] ?? $currentWeekStart) ? 'selected' : '' ?>>
Semana <?= $s['posicion'] ?> de 4 - <?= date('d/m', strtotime($s['fecha'])) ?>
</option>
<?php endforeach; ?>
</optgroup>
<?php endforeach; ?>
</select>
<button type="submit" class="btn btn-outline-primary">Ver</button>
</div>
</form>
<?php
$semanaVer = $_GET['semana'] ?? $currentWeekStart;
$asignacionVer = $asignacionModel->getAsignacionPorSemana($semanaVer);
?>
<?php if ($asignacionVer): ?>
<div class="alert alert-info">
<?php $posicionSemanaVer = calcularPosicionCiclo($semanaVer); ?>
<strong>Semana <?= $posicionSemanaVer ?> de 4 (<?= date('d/m/y', strtotime($semanaVer)) ?>):</strong>
<?= htmlspecialchars($asignacionVer['nombre']) ?>
</div>
<form method="POST" class="d-flex gap-2">
<?= CSRF::getTokenField() ?>
<input type="hidden" name="action" value="asignar">
<input type="hidden" name="semana" value="<?= $semanaVer ?>">
<?php
$semanaVer = $_GET['semana'] ?? $currentWeekStart;
$asignacionVer = $asignacionModel->getAsignacionPorSemana($semanaVer);
?>
<?php if ($asignacionVer): ?>
<div class="alert alert-info">
<?php $posicionSemanaVer = calcularPosicionCiclo($semanaVer); ?>
<strong>Semana <?= $posicionSemanaVer ?> de 4 (<?= date('d/m/y', strtotime($semanaVer)) ?>):</strong>
<?= htmlspecialchars($asignacionVer['nombre']) ?>
</div>
<form method="POST" class="d-flex gap-2">
<?= CSRF::getTokenField() ?>
<input type="hidden" name="action" value="asignar">
<input type="hidden" name="semana" value="<?= $semanaVer ?>">
<select class="form-select" name="user_id" style="max-width: 250px;">
<option value="">Cambiar persona...</option>
<?php foreach ($ayudantes as $a): ?>
@@ -303,6 +275,7 @@ No hay asignación para la semana <?= $posicionSinAsignar ?> de 4 (<?= date('d/m
<?php endif; ?>
</div>
</div>
</div>
<!-- Sección de Asignación Masiva -->
<div class="card shadow-sm mt-4">

3
public/ayudante.php
View File

@@ -75,9 +75,10 @@ $domingo->modify('-' . (int)$domingo->format('w') . ' days');
<nav class="navbar navbar-dark bg-primary">
<div class="container">
<a class="navbar-brand" href="/ayudante.php">Contenedor Ibiza</a>
<span class="navbar-text">
<span class="navbar-text me-3">
Hola, <?= htmlspecialchars($user['nombre']) ?>
</span>
<a href="/cambiar-password.php" class="btn btn-outline-light btn-sm me-3">Cambiar Contraseña</a>
<a href="/logout.php" class="btn btn-outline-light btn-sm">Cerrar Sesión</a>
</div>
</nav>

119
public/cambiar-password.php Normal file
View File

@@ -0,0 +1,119 @@
<?php
require_once __DIR__ . '/../src/Auth.php';
require_once __DIR__ . '/../src/User.php';
require_once __DIR__ . '/../src/CSRF.php';
$auth = new Auth();
$auth->requireAuth();
if ($auth->isAdmin()) {
header('Location: /admin/index.php');
exit;
}
$user = $auth->getCurrentUser();
$message = '';
$messageType = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (!CSRF::isValidRequest()) {
$message = 'Error de validación del formulario';
$messageType = 'danger';
} else {
$passwordActual = $_POST['password_actual'] ?? '';
$passwordNueva = $_POST['password_nueva'] ?? '';
$passwordConfirmar = $_POST['password_confirmar'] ?? '';
if (empty($passwordActual) || empty($passwordNueva) || empty($passwordConfirmar)) {
$message = 'Todos los campos son obligatorios';
$messageType = 'danger';
} elseif ($passwordNueva !== $passwordConfirmar) {
$message = 'Las contraseñas nuevas no coinciden';
$messageType = 'danger';
} elseif (strlen($passwordNueva) < 6) {
$message = 'La contraseña debe tener al menos 6 caracteres';
$messageType = 'danger';
} else {
$userModel = new User();
$userData = $userModel->getById($user['id']);
if ($userData && password_verify($passwordActual, $userData['password'])) {
if ($userModel->updatePassword($user['id'], $passwordNueva)) {
$message = 'Contraseña actualizada correctamente';
$messageType = 'success';
} else {
$message = 'Error al actualizar la contraseña';
$messageType = 'danger';
}
} else {
$message = 'La contraseña actual es incorrecta';
$messageType = 'danger';
}
}
}
}
?>
<!DOCTYPE html>
<html lang="es">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Cambiar Contraseña - Contenedor Ibiza</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<nav class="navbar navbar-dark bg-primary">
<div class="container">
<a class="navbar-brand" href="/ayudante.php">Contenedor Ibiza</a>
<span class="navbar-text">
Hola, <?= htmlspecialchars($user['nombre']) ?>
</span>
<a href="/ayudante.php" class="btn btn-outline-light btn-sm">Volver</a>
</div>
</nav>
<div class="container mt-4">
<div class="row justify-content-center">
<div class="col-md-6">
<div class="card shadow">
<div class="card-header bg-dark text-white">
<h5 class="mb-0">Cambiar Contraseña</h5>
</div>
<div class="card-body">
<?php if ($message): ?>
<div class="alert alert-<?= $messageType ?>"><?= htmlspecialchars($message) ?></div>
<?php endif; ?>
<form method="POST">
<?= CSRF::getTokenField() ?>
<div class="mb-3">
<label for="password_actual" class="form-label">Contraseña Actual</label>
<input type="password" class="form-control" id="password_actual" name="password_actual" required>
</div>
<div class="mb-3">
<label for="password_nueva" class="form-label">Nueva Contraseña</label>
<input type="password" class="form-control" id="password_nueva" name="password_nueva" required minlength="6">
<small class="text-muted">Mínimo 6 caracteres</small>
</div>
<div class="mb-4">
<label for="password_confirmar" class="form-label">Confirmar Nueva Contraseña</label>
<input type="password" class="form-control" id="password_confirmar" name="password_confirmar" required minlength="6">
</div>
<div class="d-flex gap-2">
<button type="submit" class="btn btn-primary">Actualizar Contraseña</button>
<a href="/ayudante.php" class="btn btn-secondary">Cancelar</a>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>

9
public/partials/navbar.php
View File

@@ -27,14 +27,14 @@ $dbName = getenv('DB_NAME') ?: 'No configurado';
<li class="nav-item">
<a class="nav-link <?= $currentPage === 'asignaciones' ? 'active' : '' ?>" href="/admin/asignaciones.php">Asignaciones</a>
</li>
<li class="nav-item">
<a class="nav-link <?= $currentPage === 'logs' ? 'active' : '' ?>" href="/admin/logs.php">Logs</a>
</li>
<li class="nav-item">
<a class="nav-link <?= $currentPage === 'webhook' ? 'active' : '' ?>" href="/admin/webhook.php">🤖 Bot</a>
</li>
</ul>
<ul class="navbar-nav">
<li class="nav-item">
<a class="nav-link <?= $currentPage === 'logs' ? 'active' : '' ?>" href="/admin/logs.php">Logs</a>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" role="button" data-bs-toggle="dropdown">
<?= htmlspecialchars($user['nombre'] ?? 'Usuario') ?>
@@ -45,6 +45,9 @@ $dbName = getenv('DB_NAME') ?: 'No configurado';
<li><span class="dropdown-item-text d-block small text-muted"><strong>DB Host:</strong> <?= htmlspecialchars($dbHost) ?></span></li>
<li><span class="dropdown-item-text d-block small text-muted"><strong>DB Name:</strong> <?= htmlspecialchars($dbName) ?></span></li>
<li><hr class="dropdown-divider"></li>
<?php if ($user['rol'] ?? '' === 'ayudante'): ?>
<li><a class="dropdown-item" href="/cambiar-password.php">Cambiar Contraseña</a></li>
<?php endif; ?>
<li><a class="dropdown-item" href="/logout.php">Cerrar Sesión</a></li>
</ul>
</li>

14
src/CSRF.php Normal file → Executable file
View File

@@ -1,13 +1,13 @@
<?php
require_once __DIR__ . '/Session.php';
class CSRF {
private static $tokenName = 'csrf_token';
private static $tokenLifetime = 3600;
public static function generateToken() {
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
Session::init();
$token = bin2hex(random_bytes(32));
$_SESSION[self::$tokenName] = [
@@ -19,9 +19,7 @@ class CSRF {
}
public static function getToken() {
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
Session::init();
if (isset($_SESSION[self::$tokenName])) {
$data = $_SESSION[self::$tokenName];
@@ -35,9 +33,7 @@ class CSRF {
}
public static function validateToken($token) {
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
Session::init();
if (!isset($_SESSION[self::$tokenName]) || empty($token)) {
return false;

18
src/Session.php Normal file → Executable file
View File

@@ -2,18 +2,26 @@
class Session {
private static $sessionPath;
private static $initialized = false;
public static function init() {
$sessionPath = dirname(__DIR__) . '/sessions';
if (!is_dir($sessionPath)) {
mkdir($sessionPath, 0733, true);
if (self::$initialized) {
return;
}
session_save_path($sessionPath);
session_name('contenedor_session');
self::$sessionPath = dirname(__DIR__) . '/sessions';
if (!is_dir(self::$sessionPath)) {
mkdir(self::$sessionPath, 0733, true);
}
session_save_path(self::$sessionPath);
session_name('contenedor_session');
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
self::$initialized = true;
}
public static function set($key, $value) {

6
src/User.php
View File

@@ -111,6 +111,12 @@ class User {
return $stmt->execute($params);
}
public function updatePassword($id, $newPassword) {
$password = password_hash($newPassword, PASSWORD_DEFAULT);
$stmt = $this->db->prepare("UPDATE users SET password = ? WHERE id = ?");
return $stmt->execute([$password, $id]);
}
public function deactivate($id) {
$stmt = $this->db->prepare("UPDATE users SET activo = 0 WHERE id = ?");
return $stmt->execute([$id]);