芝麻web文件管理V1.00

编辑当前文件:/home/pulsehostuk9/public_html/teafund.pulsehost.co.uk/api/stock_alert_update.php

<?php
// Stock alerts update (ack/resolve) — robust CSRF (no server error), always redirect with a toast.
require_once __DIR__ . '/../includes/auth.php';
require_once __DIR__ . '/../includes/db.php';
require_once __DIR__ . '/../includes/csrf.php';
require_manage();

function go($qs){ header('Location: /admin/?tab=tools&' . $qs); exit; }

try {
  // --- Robust CSRF: never throw ---
  $csrf = $_POST['csrf_token'] ?? '';
  $csrf_ok = false;
  try {
    if (function_exists('csrf_validate')) {
      $csrf_ok = csrf_validate($csrf);
    } else {
      if (session_status() !== PHP_SESSION_ACTIVE) @session_start();
      $session_token = $_SESSION['csrf_token'] ?? '';
      if ($session_token && is_string($csrf)) {
        $csrf_ok = hash_equals((string)$session_token, (string)$csrf);
      }
    }
  } catch (Throwable $e) {
    error_log('[stock_alert_update csrf] ' . $e->getMessage());
    $csrf_ok = false;
  }
  if (!$csrf_ok) go('stock_error=csrf');

// Inputs
  $alert_id = isset($_POST['alert_id']) ? (int)$_POST['alert_id'] : 0;
  $action   = $_POST['action'] ?? '';
  if (!$alert_id || !in_array($action, ['ack','resolve'], true)) go('stock_error=bad_request');

$pdo = get_pdo();

// Ensure table exists (defensive)
  $pdo->exec("CREATE TABLE IF NOT EXISTS stock_alerts (
    id INT AUTO_INCREMENT PRIMARY KEY,
    fund_id INT NULL,
    item ENUM('cordial','milk','coffee','tea','sugar','other') NOT NULL,
    note VARCHAR(255) NULL,
    status ENUM('new','ack','resolved') NOT NULL DEFAULT 'new',
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    created_by_ip VARCHAR(45) NULL,
    user_agent VARCHAR(255) NULL,
    INDEX(status), INDEX(created_at), INDEX(item)
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci");

// Load alert
  $stmt = $pdo->prepare("SELECT * FROM stock_alerts WHERE id=?");
  if (!$stmt || !$stmt->execute([$alert_id])) go('stock_error=db_read');
  $alert = $stmt->fetch(PDO::FETCH_ASSOC);
  if (!$alert) go('stock_error=not_found');

// Update status
  $newStatus = ($action === 'resolve') ? 'resolved' : 'ack';
  $upd = $pdo->prepare("UPDATE stock_alerts SET status=? WHERE id=?");
  if (!$upd || !$upd->execute([$newStatus, $alert_id])) go('stock_error=db_write');

// Slack notify (best effort)
  $notify_path = __DIR__ . '/../includes/notify.php';
  if (file_exists($notify_path)) {
    require_once $notify_path;
    if (function_exists('slack_enabled') && slack_enabled() && function_exists('slack_notify_stock_update')) {
      $fundName = null;
      if (!empty($alert['fund_id'])) {
        $fn = $pdo->prepare("SELECT name FROM funds WHERE id=?");
        if ($fn && $fn->execute([(int)$alert['fund_id']])) $fundName = $fn->fetchColumn() ?: null;
      }
      @slack_notify_stock_update($alert, $action, $fundName);
    }
  }

// Success
  if ($action === 'ack') go('stock_ack=1'); else go('stock_resolved=1');

} catch (Throwable $e) {
  error_log('[stock_alert_update fatal] ' . $e->getMessage());
  go('stock_error=server');
}