35512-vm/users.php

<?php
require_once 'db/config.php';
require_once 'auth-check.php';
require_once 'auth-helpers.php';

//echo "Test";
//exit();

// Only Admins can access this page
if (!can($_SESSION['user_role'], 'user', 'read')) {
    header('Location: index.php?error=access_denied');
    exit;
}

// Get allowed fields for the current user
$allowed_fields_str = can($_SESSION['user_role'], 'user', 'read');
$allowed_fields = $allowed_fields_str ? explode(',', $allowed_fields_str) : [];

function get_users($fields) {
    if (empty($fields)) {
        return []; // No read permission
    }
    // Always include id for edit/delete links
    if (!in_array('id', $fields)) {
        $fields[] = 'id';
    }
    
    $select_fields = implode(', ', $fields);

    try {
        $pdo = db();
        $stmt = $pdo->query("SELECT $select_fields FROM users ORDER BY created_at DESC");
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return ['error' => 'Database error: ' . $e->getMessage()];
    }
}

$users = get_users($allowed_fields);

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>User Management - IC-Inventory</title>
    <meta name="description" content="User management for IC-Inventory.">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
    <script src="https://unpkg.com/feather-icons"></script>
</head>
<body>

<div class="wrapper">
    <?php require_once 'templates/sidebar.php'; ?>

    <main id="content">
        <div class="header">
            <h1>User Management</h1>
            <div>
                <?php if (can($_SESSION['user_role'], 'user', 'create')): ?>
                    <a href="add-user.php" class="btn btn-primary">Add New User</a>
                <?php endif; ?>
                <div class="theme-switcher" id="theme-switcher">
                    <i data-feather="moon"></i>
                </div>
            </div>
        </div>

        <?php if (isset($_GET['success']) && $_GET['success'] === 'user_added'): ?>
            <div class="alert alert-success">User successfully added!</div>
        <?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_updated'): ?>
            <div class="alert alert-success">User successfully updated!</div>
        <?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_deleted'): ?>
            <div class="alert alert-success">User successfully deleted!</div>
        <?php elseif (isset($_GET['error']) && $_GET['error'] === 'self_delete'): ?>
            <div class="alert alert-danger">You cannot delete your own account.</div>
        <?php endif; ?>

        <div class="surface p-4">
            <?php if (isset($users['error'])): ?>
                <div class="alert alert-danger">
                    <?php echo htmlspecialchars($users['error']); ?>
                </div>
            <?php elseif (empty($users)): ?>
                <div class="text-center p-5">
                    <h4>No users found.</h4>
                    <?php if (can($_SESSION['user_role'], 'user', 'create')): ?>
                        <p>Get started by adding your first user.</p>
                        <a href="add-user.php" class="btn btn-primary">Add User</a>
                    <?php endif; ?>
                </div>
            <?php else: ?>
                <div class="table-responsive">
                    <table class="table">
                        <thead>
                            <tr>
                                <?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
                                    <th><?php echo ucfirst(str_replace('_', ' ', $field)); ?></th>
                                <?php endforeach; ?>
                                <th>Actions</th>
                            </tr>
                        </thead>
                        <tbody>
                            <?php foreach ($users as $user): ?>
                                <tr>
                                    <?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
                                        <td><?php echo htmlspecialchars($user[$field]); ?></td>
                                    <?php endforeach; ?>
                                    <td>
                                        <?php if (can($_SESSION['user_role'], 'user', 'update')): ?>
                                            <a href="edit-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-primary">Edit</a>
                                        <?php endif; ?>
                                        <?php if (can($_SESSION['user_role'], 'user', 'delete')): ?>
                                            <a href="delete-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure you want to delete this user?');">Delete</a>
                                        <?php endif; ?>
                                    </td>
                                </tr>
                            <?php endforeach; ?>
                        </tbody>
                    </table>
                </div>
            <?php endif; ?>
        </div>
    </main>
</div>

<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
<script src="assets/js/main.js?v=<?php echo time(); ?>"></script>
<script>
    feather.replace();
</script>
</body>
</html>