From 26d665f2fecfe3852f3cf9e7f5f51163158929c0 Mon Sep 17 00:00:00 2001
From: Fabian Schieder
Date: Sun, 25 Jan 2026 22:41:19 +0100
Subject: [PATCH] Refactor profile picture upload path handling and improve error logging
---
upload.php | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/upload.php b/upload.php
index 6ab0c75..7ecc937 100644
--- a/upload.php
+++ b/upload.php
@@ -60,25 +60,48 @@ if (!$mime || !isset($allowedMimeToExt[$mime]))
 $ext = $allowedMimeToExt[$mime];
-$targetDir = '/assets/images/profilePictures';
+// Wichtig: Auf Linux ist ein Pfad mit führendem "/" ein Pfad ab Dateisystem-Root.
+// Für move_uploaded_file() brauchen wir einen Dateisystempfad; die Public-URL ist separat.
+$documentRoot = isset($_SERVER['DOCUMENT_ROOT']) ? (string)$_SERVER['DOCUMENT_ROOT'] : '';
+$webRoot = rtrim($documentRoot, "\\/");
+$targetDir = $webRoot !== ''
+ ? $webRoot . '/assets/images/profilePictures'
+ : __DIR__ . '/assets/images/profilePictures';
+
 if (!is_dir($targetDir))
 {
- @mkdir($targetDir, 0755, true);
+ $mkOk = @mkdir($targetDir, 0755, true);
+ if (!$mkOk)
+ {
+ error_log('Upload: mkdir failed for ' . $targetDir);
+ header('Location: account.php?upload=err');
+ exit();
+ }
+}
+
+if (!is_writable($targetDir))
+{
+ error_log('Upload: targetDir not writable: ' . $targetDir);
+ header('Location: account.php?upload=err');
+ exit();
 }
 // Fallback-kompatibler Name (auch ohne random_bytes)
 $rand = uniqid('', true);
 $rand = str_replace('.', '', $rand);
 $filename = 'user_' . $userId . '_' . $rand . '.' . $ext;
-$targetPath = $targetDir . DIRECTORY_SEPARATOR . $filename;
+$targetPath = rtrim($targetDir, "\\/") . DIRECTORY_SEPARATOR . $filename;
 if (!move_uploaded_file($tmp, $targetPath))
 {
+ $lastErr = error_get_last();
+ $lastErrMsg = (is_array($lastErr) && isset($lastErr['message'])) ? (string)$lastErr['message'] : 'unknown';
+ error_log('Upload: move_uploaded_file failed to ' . $targetPath . ' - ' . $lastErrMsg);
 header('Location: account.php?upload=err');
 exit();
 }
-// Pfad, der in HTML genutzt wird (relativ zur Webroot)
+// Pfad, der in HTML genutzt wird (URL relativ zur Webroot)
 $publicPath = '/assets/images/profilePictures/' . $filename;
 $servername = "localhost";
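Review bot: The new `if (!$mkOk)` branch treats every mkdir() failure as fatal, including the case where a concurrent request created the directory between the `is_dir()` check and the call; the old code ignored the result and carried on. Re-check before giving up: `if (!$mkOk && !is_dir($targetDir))`. In the move_uploaded_file() failure branch, `error_get_last()` returns the most recent error from anywhere in the request, and move_uploaded_file() can return false without raising one, so the logged message may belong to an earlier, unrelated (possibly `@`-suppressed) call; calling `error_clear_last();` immediately before `move_uploaded_file()` keeps the log entry attributable, provided the runtime is PHP 7 or later. The logged `$targetPath` includes `$userId`, whose origin is outside this hunk, so it is worth confirming it is a server-side integer before it reaches the log and the filename.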