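<?php

declare(strict_types=1);

// Front controller for the application: works out which page file the
// request maps to, checks it against a fixed whitelist, and includes it.
// Because every request passes through here, this file is the single place
// that decides which files can ever be included.

// Load application configuration before anything else.
require_once './config/config.php';

// Start (or resume) the session so the login flag is visible to the router.
session_start();

// --- TEMPORARY DEBUGGING ---
// This shows full error output (including filesystem paths and stack traces)
// to every visitor. Remove it, or gate it behind a non-production check,
// before the site is exposed to real users.
error_reporting(E_ALL);
ini_set('display_errors', '1');
// --- END TEMPORARY DEBUGGING ---

/**
 * Whitelist of page files this router is allowed to include.
 *
 * Entries are compared with strict string equality and must also exist on
 * disk next to this file; anything else falls back to a safe default page.
 * Add a new page's filename here when you create one.
 *
 * @var list<string>
 */
$allowed_pages = [
    'login.php',
    'index.php',
    'logout.php',
    'customers.php',
    'add_customer.php',
    'booking.php',
    'add_booking.php',
    'generate_pdf.php',
    'admin_users.php',
    'add_admin.php',
    'edit_admin.php',
    'delete_user.php',
    // Add any other .php files that are actual pages in your application here.
];

/**
 * Safe fallback page for the current session: 'index.php' when the session
 * flag says the user is logged in (it must be exactly boolean true),
 * otherwise 'login.php'.
 */
$default_page_for_session = static function (): string {
    $logged_in = isset($_SESSION['user_logged_in']) && $_SESSION['user_logged_in'] === true;

    return $logged_in ? 'index.php' : 'login.php';
};

// --- Work out which page was requested ------------------------------------

if (isset($_GET['page']) && is_string($_GET['page'])) {
    // ?page=foo maps to foo.php. A non-string value (e.g. ?page[]=x) is
    // ignored here rather than being coerced to the string "Array".
    $requested_page = $_GET['page'] . '.php';
} else {
    // No 'page' parameter: the browser asked for a script directly
    // (e.g. /edit_admin.php), so use that script's own basename.
    // SCRIPT_NAME may be absent under some SAPIs, hence the '' default.
    $script_name = basename((string) ($_SERVER['SCRIPT_NAME'] ?? ''));
    $requested_page = in_array($script_name, $allowed_pages, true)
        ? $script_name
        : $default_page_for_session();
}

// --- Validate against the whitelist ---------------------------------------

// The whitelist check runs first, so file_exists() is only ever reached with
// one of the known filenames, never with raw request input.
if (in_array($requested_page, $allowed_pages, true)
    && file_exists(__DIR__ . '/' . $requested_page)
) {
    $target_page = $requested_page;
} else {
    // Unknown or missing page: fall back to a safe default instead of failing.
    $target_page = $default_page_for_session();
}

// NOTE: the login POST handling belongs in login.php (or a file it includes);
// there is no authenticate.php in this application.

// Hand off to the resolved page and stop; nothing after this should run.
require_once __DIR__ . '/' . $target_page;
exit();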