From 6d7a77134141396a63d91d0831b80e5179db9850 Mon Sep 17 00:00:00 2001 From: Flatlogic Bot Date: Sun, 1 Mar 2026 00:35:05 +0000 Subject: [PATCH] LPA-Health-V1.3 --- admin_dashboard.php | 37 ++++++++++- api/delete_lpa.php | 59 +++++++++++++++++ api/generate_pdf.php | 13 +++- api/save_lpa.php | 63 +++++++++++++++++-- apply.php | 17 ++++- dashboard.php | 7 ++- .../05_add_user_id_to_lpa_applications.sql | 3 + 7 files changed, 184 insertions(+), 15 deletions(-) create mode 100644 api/delete_lpa.php create mode 100644 db/migrations/05_add_user_id_to_lpa_applications.sql diff --git a/admin_dashboard.php b/admin_dashboard.php index af9a5f7..0b2f350 100644 --- a/admin_dashboard.php +++ b/admin_dashboard.php @@ -149,7 +149,7 @@ try { 0): ?> - +
ID: #
@@ -169,7 +169,8 @@ try { - PDF + PDF + @@ -185,5 +186,35 @@ try { + - + \ No newline at end of file diff --git a/api/delete_lpa.php b/api/delete_lpa.php new file mode 100644 index 0000000..d01fb4c --- /dev/null +++ b/api/delete_lpa.php @@ -0,0 +1,59 @@ + false, 'error' => 'Unauthorized access.']); + exit; +} + +require_once __DIR__ . '/../db/config.php'; + +// 2. Validate Input +$lpa_id = isset($_POST['id']) ? (int)$_POST['id'] : null; + +if (!$lpa_id) { + echo json_encode(['success' => false, 'error' => 'Application ID is missing.']); + exit; +} + +try { + $pdo = db(); + + // 3. Start Transaction + $pdo->beginTransaction(); + + // 4. Delete related records + + // Delete Attorneys + $stmtAttorneys = $pdo->prepare("DELETE FROM lpa_attorneys WHERE lpa_id = ?"); + $stmtAttorneys->execute([$lpa_id]); + + // Delete Notified Persons + $stmtNotified = $pdo->prepare("DELETE FROM lpa_notified_persons WHERE application_id = ?"); + $stmtNotified->execute([$lpa_id]); + + // 5. Delete the application itself + $stmtLpa = $pdo->prepare("DELETE FROM lpa_applications WHERE id = ?"); + $stmtLpa->execute([$lpa_id]); + + if ($stmtLpa->rowCount() === 0) { + $pdo->rollBack(); + echo json_encode(['success' => false, 'error' => 'Application not found or already deleted.']); + exit; + } + + // 6. Commit Transaction + $pdo->commit(); + + echo json_encode(['success' => true, 'message' => 'LPA application and all related data deleted successfully.']); + +} catch (PDOException $e) { + // Rollback on error + if (isset($pdo)) { + $pdo->rollBack(); + } + error_log("Delete LPA Error: " . $e->getMessage()); + echo json_encode(['success' => false, 'error' => 'A database error occurred.']); +} diff --git a/api/generate_pdf.php b/api/generate_pdf.php index 27ab866..9923b83 100644 --- a/api/generate_pdf.php +++ b/api/generate_pdf.php @@ -1,7 +1,13 @@ prepare("SELECT * FROM lpa_attorneys WHERE lpa_id = ? AND type = 'primary' ORDER BY id ASC"); $stmt->execute([$lpa_id]); 
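Review bot: In api/delete_lpa.php the only thing between an incoming request and `DELETE FROM lpa_applications WHERE id = ?` is the session check at the top of the file, so any page a logged-in admin visits can POST an `id` here and remove an arbitrary application; a state-changing endpoint like this should also require a per-session anti-CSRF token, e.g. `if (!hash_equals((string)($_SESSION['csrf_token'] ?? ''), (string)($_POST['csrf_token'] ?? ''))) { echo json_encode(['success' => false, 'error' => 'Invalid request token.']); exit; }`, with admin_dashboard.php minting that token into the session and its delete form. Separately, the catch block calls `$pdo->rollBack()` whenever `$pdo` is set, but if `beginTransaction()` itself failed there is no open transaction and the rollback throws a second, uncaught PDOException; guard it with `if (isset($pdo) && $pdo->inTransaction()) { $pdo->rollBack(); }`. The first lines of the new file, including what the `'Unauthorized access.'` check actually tests, are not visible in this rendering, so whether it is a role check or only a login check needs confirming.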
@@ -213,4 +224,4 @@ $pdf->Field('Reduced Fee Eligibility', $lpa_data['reduced_fee_eligibility'] ?? ' $pdf->Field('Repeat Application', ($lpa_data['is_repeat_application'] ?? false) ? 'Yes (Case: ' . ($lpa_data['repeat_case_number'] ?? '') . ')' : 'No'); $filename = 'LPA_' . str_replace(' ', '_', ($lpa_data['donor_name'] ?? 'Summary')) . '_' . date('Ymd') . '.pdf'; -$pdf->Output('D', $filename); \ No newline at end of file +$pdf->Output('D', $filename); diff --git a/api/save_lpa.php b/api/save_lpa.php index 59ab10c..752411e 100644 --- a/api/save_lpa.php +++ b/api/save_lpa.php @@ -1,6 +1,14 @@ false, 'error' => 'Authentication required.']); + exit; +} + +$user_id = $_SESSION["user_id"]; if ($_SERVER['REQUEST_METHOD'] === 'POST') { // Check for specific actions first @@ -15,6 +23,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { } try { + // Verify ownership + $check = db()->prepare("SELECT id FROM lpa_applications WHERE id = ? AND user_id = ?"); + $check->execute([$lpa_id, $user_id]); + if (!$check->fetch()) { + echo json_encode(['success' => false, 'error' => 'Unauthorized.']); + exit; + } + $stmt = db()->prepare("DELETE FROM lpa_attorneys WHERE id = ? AND lpa_id = ?"); $stmt->execute([$attorney_id, $lpa_id]); echo json_encode(['success' => true, 'message' => 'Attorney removed.']); @@ -32,6 +48,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { } try { + // Verify ownership + $check = db()->prepare("SELECT id FROM lpa_applications WHERE id = ? AND user_id = ?"); + $check->execute([$lpa_id, $user_id]); + if (!$check->fetch()) { + echo json_encode(['success' => false, 'error' => 'Unauthorized.']); + exit; + } + $stmt = db()->prepare("DELETE FROM lpa_notified_persons WHERE id = ? AND application_id = ?"); $stmt->execute([$person_id, $lpa_id]); echo json_encode(['success' => true, 'message' => 'Person removed.']); 
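Review bot: The ownership check placed before the attorney delete and again before the notified-person delete is the same block pasted twice (a third copy appears further down in the step handler), and a gate duplicated three times is the kind that drifts out of sync the next time one copy is touched; lift it into a single helper in save_lpa.php and call it from all three places. Both deletes already constrain on `lpa_id`, so together with the helper the rule "you can only touch rows of an application you own" is enforced in one place. The assignments of `$lpa_id`, `$attorney_id` and `$person_id` that these checks rely on sit outside the hunks, so their validation is assumed here.

```php
// Emit the JSON 'Unauthorized.' error and stop unless $lpa_id belongs to $user_id.
function require_lpa_owner(int $lpa_id, int $user_id): void
{
    $check = db()->prepare("SELECT id FROM lpa_applications WHERE id = ? AND user_id = ?");
    $check->execute([$lpa_id, $user_id]);
    if (!$check->fetch()) {
        echo json_encode(['success' => false, 'error' => 'Unauthorized.']);
        exit;
    }
}
// … unchanged: action dispatch and input validation …
require_lpa_owner($lpa_id, $user_id);
```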
@@ -45,10 +69,25 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { $step = isset($_POST['step']) ? (int)$_POST['step'] : 1; $lpa_id = isset($_POST['lpa_id']) ? (int)$_POST['lpa_id'] : null; + // Verify ownership if lpa_id is provided + if ($lpa_id) { + try { + $check = db()->prepare("SELECT id FROM lpa_applications WHERE id = ? AND user_id = ?"); + $check->execute([$lpa_id, $user_id]); + if (!$check->fetch()) { + echo json_encode(['success' => false, 'error' => 'Unauthorized access to this application.']); + exit; + } + } catch (PDOException $e) { + echo json_encode(['success' => false, 'error' => 'Database error.']); + exit; + } + } + try { if ($step === 1) { $lpa_type = $_POST['lpa_type'] ?? ''; - $donor_name = $_POST['donor_name'] ?? ''; + $donor_name = trim($_POST['donor_name'] ?? ''); $other_names = $_POST['other_names'] ?? ''; $donor_dob = $_POST['donor_dob'] ?? ''; $customer_email = $_POST['customer_email'] ?? ''; 
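Review bot: The new `catch (PDOException $e)` around the ownership check discards the exception — it answers `Database error.` without logging, unlike the catch blocks in api/delete_lpa.php and dashboard.php in this same commit — so a failing query at the one point that decides access leaves no trace; add `error_log('LPA ownership check: ' . $e->getMessage());` before the echo. The check also only runs when `$lpa_id` is truthy, so any step branch below that accepts a missing id would proceed unguarded; the handlers for steps beyond 1 are outside this hunk, so that needs confirming against them. This is also the third verbatim copy of the ownership query in the file; a shared helper would keep the three gates identical.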
@@ -62,15 +101,29 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { exit; } + // Check for existing LPA of the same type for the same donor (name and DOB) + $checkSql = "SELECT id FROM lpa_applications WHERE user_id = ? AND lpa_type = ? AND donor_name = ? AND donor_dob = ?"; + $checkParams = [$user_id, $lpa_type, $donor_name, $donor_dob]; + if ($lpa_id) { + $checkSql .= " AND id != ?"; + $checkParams[] = $lpa_id; + } + $checkStmt = db()->prepare($checkSql); + $checkStmt->execute($checkParams); + if ($checkStmt->fetch()) { + echo json_encode(['success' => false, 'error' => "A '$lpa_type' LPA already exists for donor '$donor_name' (born $donor_dob). Each donor may only have one of each type."]); + exit; + } + if ($lpa_id) { // Update existing - $stmt = db()->prepare("UPDATE lpa_applications SET lpa_type = ?, donor_name = ?, other_names = ?, donor_dob = ?, customer_email = ?, donor_address_line1 = ?, donor_address_line2 = ?, donor_town = ?, donor_postcode = ?, step_reached = GREATEST(step_reached, 1) WHERE id = ?"); - $stmt->execute([$lpa_type, $donor_name, $other_names, $donor_dob, $customer_email, $address1, $address2, $town, $postcode, $lpa_id]); + $stmt = db()->prepare("UPDATE lpa_applications SET lpa_type = ?, donor_name = ?, other_names = ?, donor_dob = ?, customer_email = ?, donor_address_line1 = ?, donor_address_line2 = ?, donor_town = ?, donor_postcode = ?, step_reached = GREATEST(step_reached, 1), user_id = ? 
WHERE id = ?"); + $stmt->execute([$lpa_type, $donor_name, $other_names, $donor_dob, $customer_email, $address1, $address2, $town, $postcode, $user_id, $lpa_id]); $id = $lpa_id; } else { // Create new - $stmt = db()->prepare("INSERT INTO lpa_applications (practice_id, lpa_type, donor_name, other_names, donor_dob, customer_email, donor_address_line1, donor_address_line2, donor_town, donor_postcode, step_reached) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"); - $stmt->execute([1, $lpa_type, $donor_name, $other_names, $donor_dob, $customer_email, $address1, $address2, $town, $postcode, 1]); + $stmt = db()->prepare("INSERT INTO lpa_applications (practice_id, user_id, lpa_type, donor_name, other_names, donor_dob, customer_email, donor_address_line1, donor_address_line2, donor_town, donor_postcode, step_reached) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"); + $stmt->execute([1, $user_id, $lpa_type, $donor_name, $other_names, $donor_dob, $customer_email, $address1, $address2, $town, $postcode, 1]); $id = db()->lastInsertId(); } diff --git a/apply.php b/apply.php index 69ac4e3..6d96bdc 100644 --- a/apply.php +++ b/apply.php @@ -4,9 +4,9 @@ if (!isset($_SESSION["user_id"])) { header("Location: login.php"); exit; } -?> -prepare("SELECT * FROM lpa_applications WHERE id = ?"); $stmt->execute([$lpa_id]); $lpa_data = $stmt->fetch(); + + if (!$lpa_data) { + header("Location: dashboard.php"); + exit; + } + + // Authorization check + if ($lpa_data['user_id'] != $user_id && ($_SESSION['user_role'] ?? '') !== 'Super User') { + header("Location: dashboard.php"); + exit; + } } // Redirect to step 1 if no ID but step > 1 @@ -1401,4 +1412,4 @@ foreach ($notified_persons as $np) { - + \ No newline at end of file diff --git a/dashboard.php b/dashboard.php index 808d390..61c822a 100644 --- a/dashboard.php +++ b/dashboard.php 
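Review bot: The duplicate-donor error message interpolates `$lpa_type`, `$donor_name` and `$donor_dob` straight from `$_POST` into the JSON `error` string, so the response echoes attacker-chosen text back to the client; if the front end renders error messages with innerHTML (not visible here) that is a reflected XSS sink. Keep the message static, `'error' => 'An LPA of this type already exists for this donor. Each donor may only have one of each type.'`, and let the client phrase it from the fields it already holds. The UPDATE that follows now sets `user_id = ?` to the caller but still filters only on `WHERE id = ?`; since ownership was verified earlier this is a no-op, but `WHERE id = ? AND user_id = ?` would make the write itself enforce the rule instead of relying on the check above it.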
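Review bot: The authorization check in apply.php lets a `'Super User'` open any application, but the save path in api/save_lpa.php in this same commit rejects every request whose `user_id` is not the caller's, so a Super User who opens someone else's LPA from here gets a form on which every save and delete action answers `Unauthorized.`; either the role exemption belongs in both places or in neither — pick one and express it once, e.g. a `user_can_edit_lpa(array $lpa, int $user_id): bool` helper next to `db()` that both files call. The loose `!=` also treats a NULL `user_id` (rows predating migration 05, which has no backfill) as foreign to everyone except Super Users; if such rows are meant to stay reachable by whoever created them that needs an explicit rule, and otherwise `(int)$lpa_data['user_id'] !== (int)$user_id` at least states the intent. The lines that assign `$user_id` at the top of apply.php appear to have been stripped from this rendering.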
@@ -6,11 +6,12 @@ if (!isset($_SESSION["user_id"])) { } require_once 'db/config.php'; $project_name = $_SERVER['PROJECT_NAME'] ?? 'LPA Online'; +$user_id = $_SESSION["user_id"]; $lpas = []; try { - $stmt = db()->prepare("SELECT * FROM lpa_applications ORDER BY created_at DESC"); - $stmt->execute(); + $stmt = db()->prepare("SELECT * FROM lpa_applications WHERE user_id = ? ORDER BY created_at DESC"); + $stmt->execute([$user_id]); $lpas = $stmt->fetchAll(); } catch (PDOException $e) { error_log($e->getMessage()); @@ -145,4 +146,4 @@ try { - + \ No newline at end of file diff --git a/db/migrations/05_add_user_id_to_lpa_applications.sql b/db/migrations/05_add_user_id_to_lpa_applications.sql new file mode 100644 index 0000000..4dba89c --- /dev/null +++ b/db/migrations/05_add_user_id_to_lpa_applications.sql @@ -0,0 +1,3 @@ +-- Add user_id to lpa_applications +ALTER TABLE lpa_applications ADD COLUMN user_id INT(11) AFTER practice_id; +ALTER TABLE lpa_applications ADD CONSTRAINT fk_user_id FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL;
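Review bot: Migration 05 adds `user_id` as a nullable column with no backfill, so every pre-existing row in lpa_applications ends up with `user_id = NULL` — and with this commit's `WHERE user_id = ?` filter in dashboard.php and the `AND user_id = ?` ownership checks in api/save_lpa.php, those applications vanish from every user's dashboard and become uneditable; `ON DELETE SET NULL` will produce more such rows whenever a user is removed. Add an `UPDATE lpa_applications SET user_id = ... WHERE user_id IS NULL` step (mapped from practice_id or whatever record links existing applications to their creators) before the constraint, or decide explicitly that orphaned rows are admin-only and say so in the migration comment. The constraint name `fk_user_id` is also database-wide in MySQL/InnoDB, so the ALTER fails if any other table already uses it — `fk_lpa_applications_user_id` avoids the collision — and the FK additionally requires `users.id` to be the same signed `INT` type as the new column, which the schema here does not show.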