diff --git a/db/migrations/024_add_is_active_to_users.sql b/db/migrations/024_add_is_active_to_users.sql
new file mode 100644
index 0000000..6c7c147
--- /dev/null
+++ b/db/migrations/024_add_is_active_to_users.sql
@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT 0;
\ No newline at end of file
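Review bot: The column is added as `NOT NULL DEFAULT 0`, so every row already in `users` becomes inactive the moment this migration runs, and the auth_check.php change in the same commit will then log those users out and send them to subscription.php on their next request. If existing accounts are meant to keep access, backfill them in the same migration, e.g. `UPDATE users SET is_active = 1;` after the ALTER, or default the column to 1 and have register.php insert 0 explicitly. Whichever is intended, a one-line comment at the top of the migration stating how pre-existing accounts are treated would save the next reader the guess.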
diff --git a/includes/auth_check.php b/includes/auth_check.php
index 8efb8b7..340564b 100644
--- a/includes/auth_check.php
+++ b/includes/auth_check.php
@@ -3,8 +3,46 @@ if (session_status() == PHP_SESSION_NONE) {
session_start();
}
-// If user is not logged in or is not an admin, redirect to login page
-if (!isset($_SESSION['user_id']) || ($_SESSION['role'] !== 'admin' && $_SESSION['role'] !== 'teacher')) {
+// If user is not logged in, redirect to login page
+if (!isset($_SESSION['user_id'])) {
header("Location: login.php");
exit;
}
+
+// Check if the user's account is active
+require_once __DIR__ . '/../db/config.php';
+try {
+ $pdo = db();
+ $stmt = $pdo->prepare("SELECT is_active FROM users WHERE id = ?");
+ $stmt->execute([$_SESSION['user_id']]);
+ $is_active = $stmt->fetchColumn();
+
+ if (!$is_active) {
+ // User is not active, log them out and redirect to subscription page
+ $_SESSION['user_id_for_activation'] = $_SESSION['user_id']; // Preserve user ID for activation
+
+ // Unset all other session variables
+ unset($_SESSION['user_id']);
+ unset($_SESSION['username']);
+ unset($_SESSION['role']);
+ unset($_SESSION['school_id']);
+ if (isset($_SESSION['can_edit_workload'])) {
+ unset($_SESSION['can_edit_workload']);
+ }
+
+ header("Location: /subscription.php?reason=inactive");
+ exit;
+ }
+} catch (PDOException $e) {
+ // On DB error, log out user for safety
+ session_destroy();
+ header("Location: /login.php?error=db_error");
+ exit;
+}
+
+// Role-based access check (existing logic)
+$allowed_roles = ['admin', 'teacher'];
+if (!isset($_SESSION['role']) || !in_array($_SESSION['role'], $allowed_roles)) {
+ header("Location: /login.php?error=unauthorized");
+ exit;
+}
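Review bot: The role check at the end of the hunk calls `in_array($_SESSION['role'], $allowed_roles)` without the strict flag, so loose comparison is applied to whatever is stored in the session; change it to `in_array($_SESSION['role'], $allowed_roles, true)`. The redirect targets are also inconsistent: the not-logged-in branch still sends `Location: login.php` (resolved relative to the including script's directory) while the new branches use `/login.php` and `/subscription.php`; since this file is an include, the relative one should presumably become `/login.php` as well. The `catch (PDOException $e)` branch logs the user out but records nothing about why, so a database outage looks like a mass logout with no trace; add `error_log('auth_check: ' . $e->getMessage());` before `session_destroy();`.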
diff --git a/login.php b/login.php
index d4ac40d..f5f4457 100644
--- a/login.php
+++ b/login.php
@@ -25,23 +25,31 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user && password_verify($password, $user['password'])) {
- // Password is correct, start session
- $_SESSION['user_id'] = $user['id'];
- $_SESSION['username'] = $user['username'];
- $_SESSION['role'] = $user['role'];
- $_SESSION['school_id'] = $user['school_id'];
+ // Check if account is active
+ if ($user['is_active']) {
+ // Password is correct, start session
+ $_SESSION['user_id'] = $user['id'];
+ $_SESSION['username'] = $user['username'];
+ $_SESSION['role'] = $user['role'];
+ $_SESSION['school_id'] = $user['school_id'];
- // If the user is a teacher, fetch their workload editing permission
- if ($user['role'] === 'teacher') {
- $stmt = $pdo->prepare("SELECT can_edit_workload FROM teachers WHERE user_id = ?");
- $stmt->execute([$user['id']]);
- $teacher_permission = $stmt->fetchColumn();
- $_SESSION['can_edit_workload'] = (bool)$teacher_permission;
+ // If the user is a teacher, fetch their workload editing permission
+ if ($user['role'] === 'teacher') {
+ $stmt = $pdo->prepare("SELECT can_edit_workload FROM teachers WHERE user_id = ?");
+ $stmt->execute([$user['id']]);
+ $teacher_permission = $stmt->fetchColumn();
+ $_SESSION['can_edit_workload'] = (bool)$teacher_permission;
+ }
+
+ // Redirect to the main page
+ header("Location: dashboard.php");
+ exit;
+ } else {
+ // Account is not active, redirect to subscription page
+ $_SESSION['user_id_for_activation'] = $user['id'];
+ header("Location: subscription.php");
+ exit;
}
-
- // Redirect to the main page
- header("Location: dashboard.php");
- exit;
} else {
$error = 'Invalid username or password.';
}
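Review bot: `$user['is_active']` on the new branch is only defined if the SELECT that fills `$user` (earlier in login.php, outside this hunk) returns that column; if that query names an explicit column list it needs `is_active` added, otherwise this reads an undefined index and, because null is falsy, silently routes every successful login to subscription.php. While the session population is being restructured, the success branch should also call `session_regenerate_id(true);` immediately before `$_SESSION['user_id'] = $user['id'];` so the authenticated session does not keep the identifier issued before login. The enclosing POST handler starts before this hunk.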
@@ -74,6 +82,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
Login
+
+
Your account has been activated! Please log in to continue.
+
+
diff --git a/register.php b/register.php
index 4f42a53..1051cbe 100644
--- a/register.php
+++ b/register.php
@@ -43,7 +43,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$stmt = $pdo->prepare("INSERT INTO users (username, password, email, school_id, role) VALUES (?, ?, ?, ?, 'admin')");
if ($stmt->execute([$username, $hashed_password, $email, $school_id])) {
$pdo->commit();
- $message = 'Registration successful! You can now
login.';
+
+ // Start session and store user ID for activation
+ session_start();
+ $_SESSION['user_id_for_activation'] = $pdo->lastInsertId();
+
+ // Redirect to subscription page
+ header("Location: subscription.php");
+ exit;
} else {
$error = 'Failed to register user.';
$pdo->rollBack();
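Review bot: The new `session_start();` on the success path is unconditional; if the page or an earlier include has already started a session this emits a notice and the call is ignored, and if any output has been sent by this point the session cannot start and the following `header("Location: subscription.php");` fails as well. Guard it the way auth_check.php does, `if (session_status() === PHP_SESSION_NONE) { session_start(); }`, or move the session start to the top of the script before any output. The enclosing POST handler and the transaction it commits begin before this hunk.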
diff --git a/subscription.php b/subscription.php
new file mode 100644
index 0000000..d7c94ee
--- /dev/null
+++ b/subscription.php
@@ -0,0 +1,80 @@
+prepare("UPDATE users SET is_active = 1 WHERE id = ?");
+ if ($stmt->execute([$user_id])) {
+ // Activation successful
+ unset($_SESSION['user_id_for_activation']);
+ session_destroy(); // Clean up session
+
+ // Redirect to login with a success message
+ header('Location: login.php?status=activated');
+ exit;
+ } else {
+ $error = "Failed to activate your account. Please contact support.";
+ }
+ } catch (PDOException $e) {
+ $error = "Database error: " . $e->getMessage();
+ }
+ }
+}
+?>
+
+
+
+
+
+
Activate Your Account - Haki Schedule
+
+
+
+
+
+
+
+
+
+
+
+
One More Step!
+
Your account has been created, but you need to activate it to get access to the application.
+
+
+
+
+
+
+
Basic Plan
+
$10/month
+
Full access for one school administrator.
+
+
+
For now, clicking 'Activate' will simulate a successful payment. In a real application, you would be redirected to a payment processor.
+
+
+
+
+
+
+
+
+
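Review bot: The catch branch sets `$error = "Database error: " . $e->getMessage();`, which puts the raw PDO exception text into a variable the page below presumably renders, disclosing connection and schema details to the browser; log it server-side and show a generic message instead, `error_log('activation failed: ' . $e->getMessage()); $error = 'A database error occurred. Please try again later.';`. The start of the file is not recoverable from this page (the hunk begins mid-statement at `prepare(`), so the check that is supposed to gate the `UPDATE users SET is_active = 1` on `$_SESSION['user_id_for_activation']` cannot be reviewed here; it would be worth confirming that the POST handler rejects requests where that session value is missing before the statement runs. The redirect `login.php?status=activated` is also relative while auth_check.php in this commit uses absolute `/login.php` paths; pick one convention.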