From ede48b8501bbf967607a7dea430715abc49a5fc0 Mon Sep 17 00:00:00 2001
From: Purple
Date: Sun, 18 Jan 2026 01:38:59 +0000
Subject: [PATCH] fix aws
---
 webapp/config.php | 4 +++
 webapp/includes/auth.php | 54 ++++++++++++++++++++++++----------------
 2 files changed, 36 insertions(+), 22 deletions(-)
diff --git a/webapp/config.php b/webapp/config.php
index 991291d..6bd9f51 100644
--- a/webapp/config.php
+++ b/webapp/config.php
@@ -28,6 +28,10 @@ define('AUTH_USERNAME', getenv('AUTH_USERNAME') ?: 'admin');
 define('AUTH_PASSWORD', getenv('AUTH_PASSWORD') ?: 'changeme');
 define('SESSION_TIMEOUT', 86400); // 24 hours
+// Admin emails (comma-separated list of emails that should have admin access)
+// Used with Cloudflare Access authentication
+define('ADMIN_EMAILS', getenv('ADMIN_EMAILS') ?: '');
+
 // IP Registry configuration
 define('IPREGISTRY_API_KEY', getenv('IPREGISTRY_API_KEY') ?: '');
diff --git a/webapp/includes/auth.php b/webapp/includes/auth.php
index 5453e19..e03d951 100644
--- a/webapp/includes/auth.php
+++ b/webapp/includes/auth.php
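Review bot: The new `ADMIN_EMAILS` comment does not say how the list is matched, yet that is what an operator filling in the variable needs to know; the consumer in auth.php (second hunk of this patch) trims each comma-separated entry and then compares the address as-is, so surrounding whitespace is tolerated but a difference in letter case is not. Extending the comment with `// Each entry is trimmed, then compared exactly (case-sensitive) against the authenticated email` would prevent a silent "why am I not admin" round-trip.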
@@ -72,34 +72,44 @@ function getCurrentUser() {
 * @return string Role (admin or staff)
 */
 function getUserRole($email) {
- global $db;
-
- // If no database connection, check config for admin emails
- if (!isset($db)) {
- // Check if user is in admin list from environment/config
- $adminEmails = getenv('ADMIN_EMAILS') ?: '';
- $adminList = array_map('trim', explode(',', $adminEmails));
-
- if (in_array($email, $adminList)) {
- return ROLE_ADMIN;
- }
-
+ if (empty($email)) {
 return ROLE_STAFF;
 }
- try {
- $stmt = $db->prepare("SELECT role FROM users WHERE email = ? AND active = 1");
- $stmt->execute([$email]);
- $result = $stmt->fetch(PDO::FETCH_ASSOC);
-
- if ($result && !empty($result['role'])) {
- return $result['role'];
+ // First, check environment variable for admin emails (highest priority)
+ $adminEmails = getenv('ADMIN_EMAILS');
+ if (!empty($adminEmails)) {
+ $adminList = array_map('trim', explode(',', $adminEmails));
+ if (in_array($email, $adminList)) {
+ return ROLE_ADMIN;
 }
- } catch (Exception $e) {
- // Table might not exist yet, fall through to default
 }
- // Default to staff if not found
+ // Also check if defined as a constant (from config.php)
+ if (defined('ADMIN_EMAILS') && !empty(ADMIN_EMAILS)) {
+ $adminList = array_map('trim', explode(',', ADMIN_EMAILS));
+ if (in_array($email, $adminList)) {
+ return ROLE_ADMIN;
+ }
+ }
+
+ // Try database lookup if getDB function exists
+ if (function_exists('getDB')) {
+ try {
+ $db = getDB();
+ $stmt = $db->prepare("SELECT role FROM users WHERE email = ? AND active = 1");
+ $stmt->execute([$email]);
+ $result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+ if ($result && !empty($result['role'])) {
+ return $result['role'];
+ }
+ } catch (Exception $e) {
+ // Table might not exist yet, fall through to default
+ }
+ }
+
+ // Default to staff if not found in env or database
 return ROLE_STAFF;
 }
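Review bot: The database branch returns `$result['role']` straight from the `users.role` column, so whatever string is stored there becomes the caller's role even though the docblock promises only admin or staff; validate it against the known constants, e.g. `if ($result && in_array($result['role'], [ROLE_ADMIN, ROLE_STAFF], true)) {`. Both admin-list checks use loose `in_array`; pass `strict: true` — `if (in_array($email, $adminList, true)) {` — so the match is string identity and nothing else. The constant check after the `getenv` check is redundant when config.php defines `ADMIN_EMAILS` from the same environment variable, as the first hunk does; if it is meant to cover a differently built config.php, a one-line comment saying so would stop the next reader from deleting it. The empty `catch (Exception $e)` fails closed to staff, which is the safe direction, but an `error_log($e->getMessage());` there would keep a broken lookup from going unnoticed. The function's docblock begins before the hunk.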