34705-vm/api/get_users.php

<?php
require_once __DIR__ . '/../db/config.php';

session_start();
header('Content-Type: application/json');

// Admin-only endpoint
if (!isset($_SESSION['user_id']) || $_SESSION['role'] !== 'admin') {
    http_response_code(403);
    echo json_encode(['status' => 'error', 'message' => 'Forbidden: Admins only.']);
    exit;
}

try {
    $pdo = db();

    // Select all users but omit the password hash
    $stmt = $pdo->query('SELECT id, username, email, role, created_at FROM users ORDER BY created_at DESC');
    $users = $stmt->fetchAll();

    echo json_encode(['status' => 'success', 'users' => $users]);

} catch (PDOException $e) {
    http_response_code(500);
    echo json_encode(['status' => 'error', 'message' => 'Database error: ' . $e->getMessage()]);
}