From 011fab095e24c232d2b92cb666663a1b7e404c6a Mon Sep 17 00:00:00 2001
From: Hosteroid
Date: Mon, 20 Oct 2025 17:51:27 +0300
Subject: [PATCH] Respect user isolation in global stats queries
Updated LayoutHelper::getGlobalStats to accept a user ID and apply user isolation mode when querying domain statistics. DashboardController and base layout now pass the user ID to ensure stats are scoped per user when isolation is enabled.
---
 app/Controllers/DashboardController.php | 2 +-
 app/Helpers/LayoutHelper.php | 47 ++++++++++++++++++-------
 app/Views/layout/base.php | 3 +-
 3 files changed, 37 insertions(+), 15 deletions(-)
diff --git a/app/Controllers/DashboardController.php b/app/Controllers/DashboardController.php
index 74c98fb..6b5e55e 100644
--- a/app/Controllers/DashboardController.php
+++ b/app/Controllers/DashboardController.php
@@ -60,7 +60,7 @@ class DashboardController extends Controller
 $formattedExpiringDomains = \App\Helpers\DomainHelper::formatMultiple($expiringThisMonth);
 // Get global stats for dashboard cards
- $globalStats = \App\Helpers\LayoutHelper::getGlobalStats();
+ $globalStats = \App\Helpers\LayoutHelper::getGlobalStats($userId);
 $this->view('dashboard/index', [
 'stats' => $stats,
diff --git a/app/Helpers/LayoutHelper.php b/app/Helpers/LayoutHelper.php
index a674507..ca48333 100644
--- a/app/Helpers/LayoutHelper.php
+++ b/app/Helpers/LayoutHelper.php
@@ -35,34 +35,55 @@ class LayoutHelper
 }
 /**
- * Get global stats for sidebar
+ * Get stats for sidebar (respects user isolation)
 */
- public static function getGlobalStats(): array
+ public static function getGlobalStats(?int $userId = null): array
 {
 try {
 $pdo = \Core\Database::getConnection();
+ // Check isolation mode
+ $settingModel = new Setting();
+ $isolationMode = $settingModel->getValue('user_isolation_mode', 'shared');
+
+ // Build WHERE clause based on isolation mode
+ $whereClause = '';
+ $params = [];
+
+ if ($isolationMode === 'isolated' && $userId) {
+ $whereClause = ' WHERE user_id = ?';
+ $params[] = $userId;
+ }
+
 // Get total domains
- $totalStmt = $pdo->query("SELECT COUNT(*) as count FROM domains");
+ $totalSql = "SELECT COUNT(*) as count FROM domains" . $whereClause;
+ $totalStmt = $pdo->prepare($totalSql);
+ $totalStmt->execute($params);
 $total = $totalStmt->fetch(\PDO::FETCH_ASSOC)['count'] ?? 0;
 // Get active domains
- $activeStmt = $pdo->query("SELECT COUNT(*) as count FROM domains WHERE is_active = 1");
+ $activeSql = "SELECT COUNT(*) as count FROM domains WHERE is_active = 1" . $whereClause;
+ $activeStmt = $pdo->prepare($activeSql);
+ $activeStmt->execute($params);
 $active = $activeStmt->fetch(\PDO::FETCH_ASSOC)['count'] ?? 0;
 // Get expiring soon
- $settingModel = new Setting();
 $notificationDays = $settingModel->getNotificationDays();
 $threshold = !empty($notificationDays) ? max($notificationDays) : 30;
- $expiringSoonStmt = $pdo->prepare(
- "SELECT COUNT(*) as count FROM domains
- WHERE is_active = 1
- AND expiration_date IS NOT NULL
- AND expiration_date <= DATE_ADD(NOW(), INTERVAL ? DAY)
- AND expiration_date >= NOW()"
- );
- $expiringSoonStmt->execute([$threshold]);
+ $expiringSql = "SELECT COUNT(*) as count FROM domains
+ WHERE is_active = 1
+ AND expiration_date IS NOT NULL
+ AND expiration_date <= DATE_ADD(NOW(), INTERVAL ? DAY)
+ AND expiration_date >= NOW()" . $whereClause;
+
+ $expiringParams = [$threshold];
+ if ($isolationMode === 'isolated' && $userId) {
+ $expiringParams[] = $userId;
+ }
+
+ $expiringSoonStmt = $pdo->prepare($expiringSql);
+ $expiringSoonStmt->execute($expiringParams);
 $expiringSoon = $expiringSoonStmt->fetch(\PDO::FETCH_ASSOC)['count'] ?? 0;
 return [
diff --git a/app/Views/layout/base.php b/app/Views/layout/base.php
index 82f3294..9d1da00 100644
--- a/app/Views/layout/base.php
+++ b/app/Views/layout/base.php
@@ -16,7 +16,8 @@ if (isset($_SESSION['user_id'])) {
 // Fetch global stats for sidebar (available on all pages)
 if (!isset($globalStats)) {
- $globalStats = \App\Helpers\LayoutHelper::getGlobalStats();
+ $userId = \Core\Auth::id();
+ $globalStats = \App\Helpers\LayoutHelper::getGlobalStats($userId);
 }
 // Get application settings from database
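Review bot: The isolation clause built as `$whereClause = ' WHERE user_id = ?';` is appended to `$activeSql` and `$expiringSql`, both of which already contain a `WHERE`, so in isolated mode they become `... WHERE is_active = 1 WHERE user_id = ?` and the `prepare()`/`execute()` calls fail on a SQL syntax error; the whole function then drops into its `catch` (outside the hunk), which presumably returns placeholder counts instead of the per-user ones the commit intends. Only `$totalSql` is well-formed. Building the clause as an `AND` fragment and anchoring the total query on `WHERE 1 = 1` fixes all three queries, and `$expiringParams = array_merge([$threshold], $params);` removes the duplicated isolation check so the bindings cannot drift from the clause. Separately, when `$isolationMode === 'isolated'` but `$userId` is null or 0 the guard is skipped and the counts are global, which is fail-open for a tenant-isolation setting; returning the same empty-stats shape the `catch` block uses would be the safer default. The `catch` and the `return [` body continue outside the hunk.
```php
// Isolation scope is an AND fragment so it can follow an existing WHERE
$isolationClause = '';
$params = [];

if ($isolationMode === 'isolated' && $userId) {
    $isolationClause = ' AND user_id = ?';
    $params[] = $userId;
}

$totalSql = "SELECT COUNT(*) as count FROM domains WHERE 1 = 1" . $isolationClause;
// … unchanged: prepare/execute/fetch of the total count …
$activeSql = "SELECT COUNT(*) as count FROM domains WHERE is_active = 1" . $isolationClause;
// … unchanged: prepare/execute/fetch of the active count, notification-day threshold …
// … unchanged: $expiringSql text, now suffixed with $isolationClause instead of $whereClause …
// The INTERVAL ? placeholder precedes user_id = ? in the SQL, so threshold binds first
$expiringParams = array_merge([$threshold], $params);
// … unchanged: prepare/execute/fetch of the expiring-soon count …
```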
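Review bot: The new `$userId = \Core\Auth::id();` introduces a bare `$userId` into the layout's scope, and this layout already reads view data as plain variables (it tests `isset($globalStats)`), so a controller that hands its own `userId` to a view could have it overwritten here, or the layout could read a stale one, depending on how `view()` exposes its data — worth confirming. Passing the value directly, `$globalStats = \App\Helpers\LayoutHelper::getGlobalStats(\Core\Auth::id());`, avoids adding the name at all. Note also that `getGlobalStats()` treats a null or 0 id as "no scoping" in isolated mode, so if `Auth::id()` can return null on this path the sidebar silently shows global counts; a one-line comment such as `// Auth::id() must be non-null here or isolated-mode stats fall back to global totals` would at least make the assumption explicit. The hunk header suggests this sits near an `if (isset($_SESSION['user_id']))` check that begins outside the hunk.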