35512-vm/edit-user.php

<?php
session_start();
require_once 'db/config.php';
require_once 'auth-check.php';
require_once 'auth-helpers.php';

if (!can($_SESSION['user_role_id'], 'user', 'update')) {
    header('Location: index.php?error=access_denied');
    exit;
}

$allowed_fields_str = can($_SESSION['user_role_id'], 'user', 'update');
$allowed_fields = ($allowed_fields_str === '*') ? ['name', 'email', 'role_id'] : explode(',', $allowed_fields_str);

$error_message = '';
$user_id = $_GET['id'] ?? null;

if (!$user_id) {
    header('Location: users.php');
    exit;
}

try {
    $pdo = db();
    $stmt = $pdo->prepare('SELECT id, name, email, role_id FROM users WHERE id = ?');
    $stmt->execute([$user_id]);
    $user = $stmt->fetch();

    if (!$user) {
        header('Location: users.php');
        exit;
    }

    // Fetch all roles for the dropdown
    $roles_stmt = $pdo->query('SELECT id, name FROM roles ORDER BY name');
    $roles = $roles_stmt->fetchAll();

} catch (PDOException $e) {
    $error_message = 'Database error: ' . $e->getMessage();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = [];
    $set_parts = [];

    foreach ($allowed_fields as $field) {
        if (isset($_POST[$field])) {
            $data[] = $_POST[$field];
            $set_parts[] = "$field = ?";
        }
    }
    $data[] = $user_id;

    if (empty($set_parts)) {
        $error_message = 'No data submitted.';
    } else {
        try {
            $pdo = db();
            
            // Check if email already exists for another user
            if (in_array('email', $allowed_fields)) {
                $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ? AND id != ?');
                $stmt->execute([$_POST['email'], $user_id]);
                if ($stmt->fetch()) {
                    $error_message = 'A user with this email address already exists.';
                }
            }

            if (!$error_message) {
                $sql = sprintf("UPDATE users SET %s WHERE id = ?", implode(', ', $set_parts));
                $stmt = $pdo->prepare($sql);
                $stmt->execute($data);
                
                header("Location: users.php?success=user_updated");
                exit;
            }
        } catch (PDOException $e) {
            $error_message = 'Database error: ' . $e->getMessage();
        }
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Edit User - IC-Inventory</title>
    <meta name="description" content="Edit an existing user.">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
    <script src="https://unpkg.com/feather-icons"></script>
</head>
<body>

<div class="wrapper">
    <?php require_once 'templates/sidebar.php'; ?>

    <main id="content">
        <div class="header">
            <h1>Edit User</h1>
            <div class="theme-switcher" id="theme-switcher">
                <i data-feather="moon"></i>
            </div>
        </div>

        <div class="surface p-4">
            <?php if ($error_message): ?>
                <div class="alert alert-danger"><?php echo htmlspecialchars($error_message); ?></div>
            <?php endif; ?>

            <?php if ($user): ?>
            <form action="edit-user.php?id=<?php echo $user['id']; ?>" method="post">
                <div class="row">
                    <?php if (in_array('name', $allowed_fields)): ?>
                    <div class="col-md-6 mb-3">
                        <label for="name" class="form-label">Full Name*</label>
                        <input type="text" class="form-control" id="name" name="name" value="<?php echo htmlspecialchars($user['name']); ?>" required>
                    </div>
                    <?php endif; ?>
                    <?php if (in_array('email', $allowed_fields)): ?>
                    <div class="col-md-6 mb-3">
                        <label for="email" class="form-label">Email Address*</label>
                        <input type="email" class="form-control" id="email" name="email" value="<?php echo htmlspecialchars($user['email']); ?>" required>
                    </div>
                    <?php endif; ?>
                </div>
                <div class="row">
                    <?php if (in_array('role_id', $allowed_fields)): ?>
                    <div class="col-md-6 mb-3">
                        <label for="role_id" class="form-label">Role</label>
                        <select class="form-select" id="role_id" name="role_id">
                            <?php foreach ($roles as $role): ?>
                                <option value="<?php echo $role['id']; ?>" <?php echo ($user['role_id'] == $role['id']) ? 'selected' : ''; ?>><?php echo htmlspecialchars($role['name']); ?></option>
                            <?php endforeach; ?>
                        </select>
                    </div>
                    <?php endif; ?>
                </div>
                
                <button type="submit" class="btn btn-primary">Update User</button>
                <a href="users.php" class="btn btn-secondary">Cancel</a>
            </form>
            <?php endif; ?>
        </div>
    </main>
</div>

<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
<script src="assets/js/main.js?v=<?php echo time(); ?>"></script>
<script>
    feather.replace();
</script>
</body>
</html>