From 230b8a8aeb580fd2fa4d287ff0fbf6ec2b0a4d45 Mon Sep 17 00:00:00 2001
From: nickpons666 <nickpons666@example.com>
Date: Tue, 20 Jan 2026 15:53:33 -0600
Subject: [PATCH] =?UTF-8?q?Mejoras=20en=20seguridad=20de=20sesiones=20y=20?=
 =?UTF-8?q?pagina=20para=20cambiar=20contrase=C3=B1a?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Corregido warning de session_save_path/session_name al iniciar sesion
- CSRF ahora usa Session::init() para configuracion correcta de sesion
- Agregada pagina independiente para cambiar contraseña de ayudantes
- Boton Cambiar Contraseña en navbar de pagina de ayudantes
- Mejorada disposicion de tablas en pagina de asignaciones
---
 public/admin/asignaciones.php |  97 ++++++++++-----------------
 public/ayudante.php           |   3 +-
 public/cambiar-password.php   | 119 ++++++++++++++++++++++++++++++++++
 public/partials/navbar.php    |   9 ++-
 src/CSRF.php                  |  14 ++--
 src/Session.php               |  18 +++--
 src/User.php                  |   6 ++
 7 files changed, 186 insertions(+), 80 deletions(-)
 create mode 100644 public/cambiar-password.php
 mode change 100644 => 100755 src/CSRF.php
 mode change 100644 => 100755 src/Session.php

diff --git a/public/admin/asignaciones.php b/public/admin/asignaciones.php
index 9506e5e..673190c 100755
--- a/public/admin/asignaciones.php
+++ b/public/admin/asignaciones.php
@@ -205,72 +205,44 @@ $pageTitle = 'Asignación de Turnos';
             
             <div class="col-md-6">
                 <div class="card shadow-sm">
-                    <div class="card-header bg-info text-white">
-                        <h5 class="mb-0">Horarios Activos</h5>
+                    <div class="card-header bg-secondary text-white">
+                        <h5 class="mb-0">Historial de Asignaciones</h5>
                     </div>
                     <div class="card-body">
-                        <div class="table-responsive">
-                            <table class="table table-sm mb-0">
-                                <thead>
-                                    <tr>
-                                        <th>Día</th>
-                                        <th>Hora</th>
-                                    </tr>
-                                </thead>
-                                <tbody>
-                                    <?php foreach ($horarios as $h): ?>
-                                        <tr>
-                                            <td><?= ucfirst($h['dia_semana']) ?></td>
-                                            <td><?= date('H:i', strtotime($h['hora_apertura'])) ?> - <?= date('H:i', strtotime($h['hora_cierre'])) ?></td>
-                                        </tr>
+                        <form method="GET" class="mb-3">
+                            <label class="form-label">Seleccionar semana:</label>
+                            <div class="d-flex gap-2">
+                                <select class="form-select" name="semana" style="max-width: 320px;">
+                                    <?php foreach ($semanasAgrupadas as $grupo): ?>
+                                        <optgroup label="<?= $grupo['nombre'] ?>">
+                                            <?php foreach ($grupo['semanas'] as $s): ?>
+                                                <option value="<?= $s['fecha'] ?>" <?= $s['fecha'] === ($_GET['semana'] ?? $currentWeekStart) ? 'selected' : '' ?>>
+                                                    Semana <?= $s['posicion'] ?> de 4 - <?= date('d/m', strtotime($s['fecha'])) ?>
+                                                </option>
+                                            <?php endforeach; ?>
+                                        </optgroup>
                                     <?php endforeach; ?>
-                                </tbody>
-                            </table>
-                        </div>
-                    </div>
-                </div>
-            </div>
-        </div>
+                                </select>
+                                <button type="submit" class="btn btn-outline-primary">Ver</button>
+                            </div>
+                        </form>
 
-        <div class="card shadow-sm">
-            <div class="card-header bg-secondary text-white">
-                <h5 class="mb-0">Historial de Asignaciones</h5>
-            </div>
-            <div class="card-body">
-                <form method="GET" class="mb-3">
-<label class="form-label">Seleccionar semana:</label>
-                        <div class="d-flex gap-2">
-                            <select class="form-select" name="semana" style="max-width: 320px;">
-                                <?php foreach ($semanasAgrupadas as $grupo): ?>
-                                    <optgroup label="<?= $grupo['nombre'] ?>">
-                                        <?php foreach ($grupo['semanas'] as $s): ?>
-                                            <option value="<?= $s['fecha'] ?>" <?= $s['fecha'] === ($_GET['semana'] ?? $currentWeekStart) ? 'selected' : '' ?>>
-                                                Semana <?= $s['posicion'] ?> de 4 - <?= date('d/m', strtotime($s['fecha'])) ?>
-                                            </option>
-                                        <?php endforeach; ?>
-                                    </optgroup>
-                                <?php endforeach; ?>
-                            </select>
-                        <button type="submit" class="btn btn-outline-primary">Ver</button>
-                    </div>
-                </form>
-
-                <?php
-                $semanaVer = $_GET['semana'] ?? $currentWeekStart;
-                $asignacionVer = $asignacionModel->getAsignacionPorSemana($semanaVer);
-                ?>
-                
-                <?php if ($asignacionVer): ?>
-                    <div class="alert alert-info">
-                        <?php $posicionSemanaVer = calcularPosicionCiclo($semanaVer); ?>
-<strong>Semana <?= $posicionSemanaVer ?> de 4 (<?= date('d/m/y', strtotime($semanaVer)) ?>):</strong>
-                        <?= htmlspecialchars($asignacionVer['nombre']) ?>
-                    </div>
-                    
-                    <form method="POST" class="d-flex gap-2">
-                        <?= CSRF::getTokenField() ?>
-                        <input type="hidden" name="action" value="asignar">
-                        <input type="hidden" name="semana" value="<?= $semanaVer ?>">
+                        <?php
+                        $semanaVer = $_GET['semana'] ?? $currentWeekStart;
+                        $asignacionVer = $asignacionModel->getAsignacionPorSemana($semanaVer);
+                        ?>
+                        
+                        <?php if ($asignacionVer): ?>
+                            <div class="alert alert-info">
+                                <?php $posicionSemanaVer = calcularPosicionCiclo($semanaVer); ?>
+                                <strong>Semana <?= $posicionSemanaVer ?> de 4 (<?= date('d/m/y', strtotime($semanaVer)) ?>):</strong>
+                                <?= htmlspecialchars($asignacionVer['nombre']) ?>
+                            </div>
+                            
+                            <form method="POST" class="d-flex gap-2">
+                                <?= CSRF::getTokenField() ?>
+                                <input type="hidden" name="action" value="asignar">
+                                <input type="hidden" name="semana" value="<?= $semanaVer ?>">
                         <select class="form-select" name="user_id" style="max-width: 250px;">
                             <option value="">Cambiar persona...</option>
                             <?php foreach ($ayudantes as $a): ?>
@@ -303,6 +275,7 @@ No hay asignación para la semana <?= $posicionSinAsignar ?> de 4 (<?= date('d/m
                 <?php endif; ?>
             </div>
         </div>
+    </div>
 
         <!-- Sección de Asignación Masiva -->
         <div class="card shadow-sm mt-4">
diff --git a/public/ayudante.php b/public/ayudante.php
index 56695ba..c1eecf5 100755
--- a/public/ayudante.php
+++ b/public/ayudante.php
@@ -75,9 +75,10 @@ $domingo->modify('-' . (int)$domingo->format('w') . ' days');
     <nav class="navbar navbar-dark bg-primary">
         <div class="container">
             <a class="navbar-brand" href="/ayudante.php">Contenedor Ibiza</a>
-            <span class="navbar-text">
+            <span class="navbar-text me-3">
                 Hola, <?= htmlspecialchars($user['nombre']) ?>
             </span>
+            <a href="/cambiar-password.php" class="btn btn-outline-light btn-sm me-3">Cambiar Contraseña</a>
             <a href="/logout.php" class="btn btn-outline-light btn-sm">Cerrar Sesión</a>
         </div>
     </nav>
diff --git a/public/cambiar-password.php b/public/cambiar-password.php
new file mode 100644
index 0000000..03d0d5f
--- /dev/null
+++ b/public/cambiar-password.php
@@ -0,0 +1,119 @@
+<?php
+require_once __DIR__ . '/../src/Auth.php';
+require_once __DIR__ . '/../src/User.php';
+require_once __DIR__ . '/../src/CSRF.php';
+
+$auth = new Auth();
+$auth->requireAuth();
+
+if ($auth->isAdmin()) {
+    header('Location: /admin/index.php');
+    exit;
+}
+
+$user = $auth->getCurrentUser();
+$message = '';
+$messageType = '';
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (!CSRF::isValidRequest()) {
+        $message = 'Error de validación del formulario';
+        $messageType = 'danger';
+    } else {
+        $passwordActual = $_POST['password_actual'] ?? '';
+        $passwordNueva = $_POST['password_nueva'] ?? '';
+        $passwordConfirmar = $_POST['password_confirmar'] ?? '';
+
+        if (empty($passwordActual) || empty($passwordNueva) || empty($passwordConfirmar)) {
+            $message = 'Todos los campos son obligatorios';
+            $messageType = 'danger';
+        } elseif ($passwordNueva !== $passwordConfirmar) {
+            $message = 'Las contraseñas nuevas no coinciden';
+            $messageType = 'danger';
+        } elseif (strlen($passwordNueva) < 6) {
+            $message = 'La contraseña debe tener al menos 6 caracteres';
+            $messageType = 'danger';
+        } else {
+            $userModel = new User();
+            $userData = $userModel->getById($user['id']);
+
+            if ($userData && password_verify($passwordActual, $userData['password'])) {
+                if ($userModel->updatePassword($user['id'], $passwordNueva)) {
+                    $message = 'Contraseña actualizada correctamente';
+                    $messageType = 'success';
+                } else {
+                    $message = 'Error al actualizar la contraseña';
+                    $messageType = 'danger';
+                }
+            } else {
+                $message = 'La contraseña actual es incorrecta';
+                $messageType = 'danger';
+            }
+        }
+    }
+}
+?>
+<!DOCTYPE html>
+<html lang="es">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Cambiar Contraseña - Contenedor Ibiza</title>
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+    <nav class="navbar navbar-dark bg-primary">
+        <div class="container">
+            <a class="navbar-brand" href="/ayudante.php">Contenedor Ibiza</a>
+            <span class="navbar-text">
+                Hola, <?= htmlspecialchars($user['nombre']) ?>
+            </span>
+            <a href="/ayudante.php" class="btn btn-outline-light btn-sm">Volver</a>
+        </div>
+    </nav>
+
+    <div class="container mt-4">
+        <div class="row justify-content-center">
+            <div class="col-md-6">
+                <div class="card shadow">
+                    <div class="card-header bg-dark text-white">
+                        <h5 class="mb-0">Cambiar Contraseña</h5>
+                    </div>
+                    <div class="card-body">
+                        <?php if ($message): ?>
+                            <div class="alert alert-<?= $messageType ?>"><?= htmlspecialchars($message) ?></div>
+                        <?php endif; ?>
+
+                        <form method="POST">
+                            <?= CSRF::getTokenField() ?>
+                            
+                            <div class="mb-3">
+                                <label for="password_actual" class="form-label">Contraseña Actual</label>
+                                <input type="password" class="form-control" id="password_actual" name="password_actual" required>
+                            </div>
+                            
+                            <div class="mb-3">
+                                <label for="password_nueva" class="form-label">Nueva Contraseña</label>
+                                <input type="password" class="form-control" id="password_nueva" name="password_nueva" required minlength="6">
+                                <small class="text-muted">Mínimo 6 caracteres</small>
+                            </div>
+                            
+                            <div class="mb-4">
+                                <label for="password_confirmar" class="form-label">Confirmar Nueva Contraseña</label>
+                                <input type="password" class="form-control" id="password_confirmar" name="password_confirmar" required minlength="6">
+                            </div>
+                            
+                            <div class="d-flex gap-2">
+                                <button type="submit" class="btn btn-primary">Actualizar Contraseña</button>
+                                <a href="/ayudante.php" class="btn btn-secondary">Cancelar</a>
+                            </div>
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
+</body>
+</html>
diff --git a/public/partials/navbar.php b/public/partials/navbar.php
index 1dcb301..37ebe58 100755
--- a/public/partials/navbar.php
+++ b/public/partials/navbar.php
@@ -27,14 +27,14 @@ $dbName = getenv('DB_NAME') ?: 'No configurado';
                 <li class="nav-item">
                     <a class="nav-link <?= $currentPage === 'asignaciones' ? 'active' : '' ?>" href="/admin/asignaciones.php">Asignaciones</a>
                 </li>
-                <li class="nav-item">
-                    <a class="nav-link <?= $currentPage === 'logs' ? 'active' : '' ?>" href="/admin/logs.php">Logs</a>
-                </li>
                 <li class="nav-item">
                     <a class="nav-link <?= $currentPage === 'webhook' ? 'active' : '' ?>" href="/admin/webhook.php">🤖 Bot</a>
                 </li>
             </ul>
             <ul class="navbar-nav">
+                <li class="nav-item">
+                    <a class="nav-link <?= $currentPage === 'logs' ? 'active' : '' ?>" href="/admin/logs.php">Logs</a>
+                </li>
                 <li class="nav-item dropdown">
                     <a class="nav-link dropdown-toggle" href="#" role="button" data-bs-toggle="dropdown">
                         <?= htmlspecialchars($user['nombre'] ?? 'Usuario') ?>
@@ -45,6 +45,9 @@ $dbName = getenv('DB_NAME') ?: 'No configurado';
                         <li><span class="dropdown-item-text d-block small text-muted"><strong>DB Host:</strong> <?= htmlspecialchars($dbHost) ?></span></li>
                         <li><span class="dropdown-item-text d-block small text-muted"><strong>DB Name:</strong> <?= htmlspecialchars($dbName) ?></span></li>
                         <li><hr class="dropdown-divider"></li>
+                        <?php if ($user['rol'] ?? '' === 'ayudante'): ?>
+                            <li><a class="dropdown-item" href="/cambiar-password.php">Cambiar Contraseña</a></li>
+                        <?php endif; ?>
                         <li><a class="dropdown-item" href="/logout.php">Cerrar Sesión</a></li>
                     </ul>
                 </li>
diff --git a/src/CSRF.php b/src/CSRF.php
old mode 100644
new mode 100755
index 32d93a9..0d549c4
--- a/src/CSRF.php
+++ b/src/CSRF.php
@@ -1,13 +1,13 @@
 <?php
 
+require_once __DIR__ . '/Session.php';
+
 class CSRF {
     private static $tokenName = 'csrf_token';
     private static $tokenLifetime = 3600;
 
     public static function generateToken() {
-        if (session_status() === PHP_SESSION_NONE) {
-            session_start();
-        }
+        Session::init();
 
         $token = bin2hex(random_bytes(32));
         $_SESSION[self::$tokenName] = [
@@ -19,9 +19,7 @@ class CSRF {
     }
 
     public static function getToken() {
-        if (session_status() === PHP_SESSION_NONE) {
-            session_start();
-        }
+        Session::init();
 
         if (isset($_SESSION[self::$tokenName])) {
             $data = $_SESSION[self::$tokenName];
@@ -35,9 +33,7 @@ class CSRF {
     }
 
     public static function validateToken($token) {
-        if (session_status() === PHP_SESSION_NONE) {
-            session_start();
-        }
+        Session::init();
 
         if (!isset($_SESSION[self::$tokenName]) || empty($token)) {
             return false;
diff --git a/src/Session.php b/src/Session.php
old mode 100644
new mode 100755
index f6ec2de..92b897f
--- a/src/Session.php
+++ b/src/Session.php
@@ -2,18 +2,26 @@
 
 class Session {
     private static $sessionPath;
+    private static $initialized = false;
 
     public static function init() {
-        $sessionPath = dirname(__DIR__) . '/sessions';
-        if (!is_dir($sessionPath)) {
-            mkdir($sessionPath, 0733, true);
+        if (self::$initialized) {
+            return;
         }
-        session_save_path($sessionPath);
-        session_name('contenedor_session');
 
+        self::$sessionPath = dirname(__DIR__) . '/sessions';
+        if (!is_dir(self::$sessionPath)) {
+            mkdir(self::$sessionPath, 0733, true);
+        }
+        
+        session_save_path(self::$sessionPath);
+        session_name('contenedor_session');
+        
         if (session_status() === PHP_SESSION_NONE) {
             session_start();
         }
+        
+        self::$initialized = true;
     }
 
     public static function set($key, $value) {
diff --git a/src/User.php b/src/User.php
index 2868f01..e31ba87 100755
--- a/src/User.php
+++ b/src/User.php
@@ -111,6 +111,12 @@ class User {
         return $stmt->execute($params);
     }
 
+    public function updatePassword($id, $newPassword) {
+        $password = password_hash($newPassword, PASSWORD_DEFAULT);
+        $stmt = $this->db->prepare("UPDATE users SET password = ? WHERE id = ?");
+        return $stmt->execute([$password, $id]);
+    }
+
     public function deactivate($id) {
         $stmt = $this->db->prepare("UPDATE users SET activo = 0 WHERE id = ?");
         return $stmt->execute([$id]);