From 2779e7a1c130d89497bd93bbc1852c1cf53a2960 Mon Sep 17 00:00:00 2001
From: Tihon
Date: Mon, 16 Mar 2026 18:15:48 +0200
Subject: [PATCH] chatwoot admin panel fixes

---
 nginx-testforapp-test-base.conf | 3 ++-
 .../honey/controller/AdminUserController.java | 21 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/nginx-testforapp-test-base.conf b/nginx-testforapp-test-base.conf
index 95eb4e7..ab88dd6 100644
--- a/nginx-testforapp-test-base.conf
+++ b/nginx-testforapp-test-base.conf
@@ -70,13 +70,14 @@ location ~ ^/dfab0676b6cb6b257370fb5743d8ddac42ab8153c2661072e8ef2717a10fcfaa/(a
     access_log off;
 }
 
+# Admin panel: allow embedding in Chatwoot iframe (frame-ancestors); do not set X-Frame-Options here so CSP applies
 location /dfab0676b6cb6b257370fb5743d8ddac42ab8153c2661072e8ef2717a10fcfaa/ {
     alias /opt/app/admin-panel/;
     index index.html;
     try_files $uri $uri/ /dfab0676b6cb6b257370fb5743d8ddac42ab8153c2661072e8ef2717a10fcfaa/index.html;
     expires 0;
     add_header Cache-Control "no-store, no-cache, must-revalidate";
-    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Content-Security-Policy "frame-ancestors 'self' https://honey-support.online;" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
 }
diff --git a/src/main/java/com/honey/honey/controller/AdminUserController.java b/src/main/java/com/honey/honey/controller/AdminUserController.java
index 3a80f1a..7ce0d6e 100644
--- a/src/main/java/com/honey/honey/controller/AdminUserController.java
+++ b/src/main/java/com/honey/honey/controller/AdminUserController.java
@@ -1,7 +1,9 @@
 package com.honey.honey.controller;
 
 import com.honey.honey.dto.*;
+import com.honey.honey.model.UserA;
 import com.honey.honey.service.AdminUserService;
+import com.honey.honey.service.UserService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageRequest;
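Review bot: The new comment's reason for dropping `X-Frame-Options` ("so CSP applies") is not accurate: browsers that understand `frame-ancestors` already ignore `X-Frame-Options` when both headers are present, and only clients without CSP support would ever fall back to it, so after this change those clients have no framing restriction at all. Dropping it is still the defensible choice because `X-Frame-Options` has no working allow-list form for the Chatwoot origin, but the comment should say that, e.g. `# X-Frame-Options intentionally omitted: it cannot allow-list the Chatwoot origin, and CSP frame-ancestors takes precedence wherever both are supported`. Embedding the panel cross-origin from honey-support.online presumably also means its session cookie is sent in a third-party context, which requires `SameSite=None; Secure` on that cookie if the panel authenticates with cookies rather than a bearer token; worth confirming when the embed is tested.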
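Review bot: The added `import com.honey.honey.model.UserA;` is not referenced by any new code in this patch (the new endpoint only reaches the user through the `Optional` lambda and `user.getId()`), so unless an existing part of the class names the type it is an unused import and should be dropped. If it is used elsewhere in the file, keeping it is fine, but that cannot be confirmed from the hunks shown.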
@@ -33,6 +35,7 @@ public class AdminUserController {
     private static final Set WITHDRAWAL_SORT_FIELDS = Set.of("id", "usdAmount", "cryptoName", "amountToSend", "txhash", "status", "paymentId", "createdAt", "resolvedAt");
 
     private final AdminUserService adminUserService;
+    private final UserService userService;
 
     private boolean isGameAdmin() {
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@@ -115,8 +118,24 @@ public class AdminUserController {
         return ResponseEntity.ok(response);
     }
 
+    /**
+     * Resolve Honey user ID from Telegram user ID.
+     * Used by the Chatwoot embed when the contact has no honey_user_id set:
+     * Chatwoot (Telegram channel) often uses Telegram user ID as contact identifier.
+     */
+    @GetMapping("/by-telegram-id")
+    @PreAuthorize("hasAnyRole('ADMIN', 'GAME_ADMIN', 'TICKETS_SUPPORT')")
+    public ResponseEntity> getUserByTelegramId(@RequestParam("telegram_id") Long telegramId) {
+        if (telegramId == null) {
+            return ResponseEntity.badRequest().build();
+        }
+        return userService.getUserByTelegramId(telegramId)
+                .map(user -> ResponseEntity.ok(Map.of("id", user.getId())))
+                .orElse(ResponseEntity.notFound().build());
+    }
+
     @GetMapping("/{id}")
-    @PreAuthorize("hasAnyRole('ADMIN', 'GAME_ADMIN')")
+    @PreAuthorize("hasAnyRole('ADMIN', 'GAME_ADMIN', 'TICKETS_SUPPORT')")
     public ResponseEntity getUserDetail(@PathVariable Integer id) {
         AdminUserDetailDto userDetail = adminUserService.getUserDetail(id, isGameAdmin());
         if (userDetail == null) {
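Review bot: Widening `getUserDetail` to `TICKETS_SUPPORT` does not adjust the data-minimization flag handed to the service: `adminUserService.getUserDetail(id, isGameAdmin())` only restricts the view for `GAME_ADMIN`, so a `TICKETS_SUPPORT` principal now appears to receive the same `AdminUserDetailDto` as a full `ADMIN`. If that DTO carries balances, withdrawal or contact data beyond what ticket handling needs (cannot be told from this hunk), derive the restricted-view flag from "not ADMIN" rather than from `GAME_ADMIN` alone, or add a support-specific projection in the service. Separately, in `getUserByTelegramId` the `if (telegramId == null)` branch is unreachable with a required `@RequestParam`: Spring answers a missing or non-numeric `telegram_id` with 400 before the method runs, so either drop the check or declare the parameter `required = false` if the hand-rolled 400 is intended. The body of `getUserDetail` continues past the end of the hunk.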