new system prototype

This commit is contained in:
2026-04-15 10:19:42 +02:00
parent e805f225bc
commit 034b108c7e
80 changed files with 12212 additions and 890 deletions

View File

@ -1,62 +1,61 @@
<?php
// /var/www/html/db_view.php
require_once __DIR__ . '/common.php';
require_once __DIR__ . '/db_init.php';
header('Content-Type: text/html; charset=UTF-8');
// ---- 1) Token prüfen (aus Authorization: Bearer <token>) ----
$auth = $_SERVER['HTTP_AUTHORIZATION'] ?? ($_SERVER['Authorization'] ?? '');
if (stripos($auth, 'Bearer ') !== 0) {
http_response_code(401); echo "Fehlender Bearer-Token"; exit;
}
$token = substr($auth, 7);
if (!token_is_valid($token)) {
http_response_code(403); echo "Ungültiger oder abgelaufener Token"; exit;
}
$tokenRec = require_valid_token();
// ---- 2) Master-verschlüsselte DB laden & entschlüsseln ----
$dbPath = __DIR__ . '/uploads/questionnaire_database';
if (!file_exists($dbPath)) { http_response_code(404); echo "Datenbank nicht gefunden"; exit; }
$dbPath = QDB_PATH;
if (!file_exists($dbPath)) { http_response_code(404); echo "Database not found"; exit; }
$enc = file_get_contents($dbPath);
if ($enc === false) { http_response_code(500); echo "Lesefehler"; exit; }
if ($enc === false) { http_response_code(500); echo "Read error"; exit; }
try {
$plain = aes256_cbc_decrypt_bytes($enc, get_master_key_bytes());
} catch (Throwable $e) {
http_response_code(500); echo "Entschlüsselung fehlgeschlagen"; exit;
http_response_code(500); echo "Decryption failed"; exit;
}
// ---- 3) In temporäre SQLite-Datei schreiben ----
$tmp = tempnam(sys_get_temp_dir(), 'qdb_');
file_put_contents($tmp, $plain);
// ---- 4) Tabellen lesen & als HTML ausgeben ----
try {
$pdo = new PDO("sqlite:$tmp");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Tabellenliste
$tables = [];
$rs = $pdo->query("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name");
foreach ($rs as $row) $tables[] = $row['name'];
// Ausgabe
// Tables that should not be shown (auth data)
$hidden = ['users'];
echo "<style>h2{margin:24px 0 8px} table{border-collapse:collapse;width:100%} th,td{border:1px solid #ddd;padding:6px 8px;text-align:left} th{background:#f7f7f7}</style>";
echo "<p><b>Tabellen:</b> " . htmlspecialchars(implode(', ', $tables)) . "</p>";
echo "<p><b>Tables:</b> " . htmlspecialchars(implode(', ', array_diff($tables, $hidden))) . "</p>";
[$rbacClause, $rbacParams] = rbac_client_filter($tokenRec);
foreach ($tables as $t) {
echo "<h2>" . htmlspecialchars($t) . "</h2>";
if (in_array($t, $hidden, true)) continue;
// Spaltenüberschriften via PRAGMA
$cols = [];
$cr = $pdo->query("PRAGMA table_info(" . $pdo->quote($t) . ")");
// PRAGMA table_info akzeptiert kein quote(..) direkt, also besser plain escapen:
// Workaround:
echo "<h2>" . htmlspecialchars($t) . "</h2>";
$t_esc = preg_replace('/[^A-Za-z0-9_]/', '', $t);
$cols = [];
$cr = $pdo->query("PRAGMA table_info($t_esc)");
foreach ($cr as $c) $cols[] = $c['name'];
// Daten holen (ohne Limit; bei sehr großen Tabellen ggf. LIMIT einbauen)
$stmt = $pdo->query("SELECT * FROM $t_esc");
$clientScoped = in_array('clientCode', $cols, true);
if ($clientScoped && ($tokenRec['role'] ?? '') !== 'admin') {
$sql = "SELECT t.* FROM $t_esc t JOIN client ON client.clientCode = t.clientCode WHERE $rbacClause";
$stmt = $pdo->prepare($sql);
foreach ($rbacParams as $k => $v) $stmt->bindValue($k, $v);
$stmt->execute();
} else {
$stmt = $pdo->query("SELECT * FROM $t_esc");
}
echo "<table><thead><tr>";
foreach ($cols as $c) echo "<th>" . htmlspecialchars($c) . "</th>";
echo "</tr></thead><tbody>";
@ -72,7 +71,8 @@ try {
echo "</tbody></table>";
}
} catch (Throwable $e) {
http_response_code(500); echo "SQLite-Fehler: " . htmlspecialchars($e->getMessage());
error_log($e->getMessage());
http_response_code(500); echo "Server error";
} finally {
@unlink($tmp);
}