admin/35512-vm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
35512-vm/users.php
Flatlogic Bot 378cb2cb10 google login
2025-11-08 21:16:26 +00:00

165 lines
6.7 KiB
PHP
Raw Permalink Blame History

<?php
session_start();
require_once 'db/config.php';
require_once 'auth-check.php';
require_once 'auth-helpers.php';
// Only Admins can access this page
if (!can($_SESSION['user_role_id'], 'user', 'read')) {
header('Location: index.php?error=access_denied');
exit;
}
// Get allowed fields for the current user
$allowed_fields_str = can($_SESSION['user_role_id'], 'user', 'read');
$allowed_fields = ($allowed_fields_str && $allowed_fields_str !== '*') ? explode(',', $allowed_fields_str) : [];
if ($allowed_fields_str === '*') {
try {
$pdo = db();
$stmt = $pdo->query("SHOW COLUMNS FROM users");
$columns = $stmt->fetchAll(PDO::FETCH_COLUMN);
// Exclude sensitive fields like password
$allowed_fields = array_diff($columns, ['password']);
} catch (PDOException $e) {
// Handle error, maybe default to a safe subset of fields
$allowed_fields = ['id', 'name', 'email', 'role'];
}
}
function get_users($fields) {
if (empty($fields)) {
return []; // No read permission
}
// Always include id for edit/delete links
if (!in_array('id', $fields)) {
$fields[] = 'id';
}
// Replace role_id with a join to get the role name
$select_parts = [];
foreach ($fields as $field) {
if ($field === 'role_id') {
$select_parts[] = 'r.name as role_name';
} else {
$select_parts[] = 'u.' . $field;
}
}
$select_fields = implode(', ', $select_parts);
try {
$pdo = db();
$sql = "SELECT $select_fields
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
ORDER BY u.created_at DESC";
$stmt = $pdo->query($sql);
return $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
return ['error' => 'Database error: ' . $e->getMessage()];
}
}
$users = get_users($allowed_fields);
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>User Management - IC-Inventory</title>
<meta name="description" content="User management for IC-Inventory.">
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
<link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
<script src="https://unpkg.com/feather-icons"></script>
</head>
<body>
<div class="wrapper">
<?php require_once 'templates/sidebar.php'; ?>
<main id="content">
<div class="header">
<h1>User Management</h1>
<div>
<?php if (can($_SESSION['user_role_id'], 'user', 'create')): ?>
<a href="add-user.php" class="btn btn-primary">Add New User</a>
<?php endif; ?>
<div class="theme-switcher" id="theme-switcher">
<i data-feather="moon"></i>
</div>
</div>
</div>
<?php if (isset($_GET['success']) && $_GET['success'] === 'user_added'): ?>
<div class="alert alert-success">User successfully added!</div>
<?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_updated'): ?>
<div class="alert alert-success">User successfully updated!</div>
<?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_deleted'): ?>
<div class="alert alert-success">User successfully deleted!</div>
<?php elseif (isset($_GET['error']) && $_GET['error'] === 'self_delete'): ?>
<div class="alert alert-danger">You cannot delete your own account.</div>
<?php endif; ?>
<div class="surface p-4">
<?php if (isset($users['error'])): ?>
<div class="alert alert-danger">
<?php echo htmlspecialchars($users['error']); ?>
</div>
<?php elseif (empty($users)): ?>
<div class="text-center p-5">
<h4>No users found.</h4>
<?php if (can($_SESSION['user_role_id'], 'user', 'create')): ?>
<p>Get started by adding your first user.</p>
<a href="add-user.php" class="btn btn-primary">Add User</a>
<?php endif; ?>
</div>
<?php else: ?>
<div class="table-responsive">
<table class="table">
<thead>
<tr>
<?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
<th><?php echo ucfirst(str_replace('_', ' ', ($field === 'role_id' ? 'role' : $field))); ?></th>
<?php endforeach; ?>
<th>Actions</th>
</tr>
</thead>
<tbody>
<?php foreach ($users as $user): ?>
<tr>
<?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
<td><?php echo htmlspecialchars($user[$field === 'role_id' ? 'role_name' : $field]); ?></td>
<?php endforeach; ?>
<td>
<?php if (can($_SESSION['user_role_id'], 'user', 'update')): ?>
<a href="edit-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-primary">Edit</a>
<?php endif; ?>
<?php if (can($_SESSION['user_role_id'], 'user', 'delete')): ?>
<a href="delete-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure you want to delete this user?');">Delete</a>
<?php endif; ?>
</td>
</tr>
<?php endforeach; ?>
</tbody>
</table>
</div>
<?php endif; ?>
</div>
</main>
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
<script src="assets/js/main.js?v=<?php echo time(); ?>"></script>
<script>
feather.replace();
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink