admin/39038-vm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

user permission

Browse Source
This commit is contained in:
Flatlogic Bot 2026-03-08 14:02:56 +00:00
parent acca4d8e6f
commit f510b10571
7 changed files with 445 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

293
admin_platform_users.php Normal file
View File

@ -0,0 +1,293 @@
<?php
declare(strict_types=1);
require_once __DIR__ . '/includes/layout.php';
// Ensure user is logged in and is an admin
if (!isset($_SESSION['user_id']) || ($_SESSION['user_role'] ?? '') !== 'admin') {
header('Location: login.php');
exit;
}
// Check permission
if (!has_permission('manage_platform_users')) {
render_header(t('nav_platform_users'), 'platform_users');
echo '<div class="container py-5"><div class="alert alert-danger">Access Denied. You do not have permission to manage platform users.</div></div>';
render_footer();
exit;
}
$pdo = db();
$message = '';
$error = '';
// Handle Actions
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$action = $_POST['action'] ?? '';
if ($action === 'create' || $action === 'edit') {
$id = isset($_POST['id']) ? (int)$_POST['id'] : null;
$email = trim($_POST['email'] ?? '');
$fullName = trim($_POST['full_name'] ?? '');
$password = $_POST['password'] ?? '';
$selectedPermissions = $_POST['permissions'] ?? [];
if (empty($email) || empty($fullName)) {
$error = t('error_required');
} else {
try {
$pdo->beginTransaction();
if ($action === 'create') {
// Check if email exists
$stmtCheck = $pdo->prepare("SELECT id FROM users WHERE email = ?");
$stmtCheck->execute([$email]);
if ($stmtCheck->fetch()) {
$error = t('error_email_exists');
} else {
if (empty($password)) {
$error = t('error_required');
} else {
$stmt = $pdo->prepare("INSERT INTO users (email, password, full_name, role, status) VALUES (?, ?, ?, 'admin', 'active')");
$stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT), $fullName]);
$id = (int)$pdo->lastInsertId();
$message = t('user_created');
}
}
} else { // Edit
// Check if email exists for other user
$stmtCheck = $pdo->prepare("SELECT id FROM users WHERE email = ? AND id != ?");
$stmtCheck->execute([$email, $id]);
if ($stmtCheck->fetch()) {
$error = t('error_email_exists');
} else {
$sql = "UPDATE users SET email = ?, full_name = ? WHERE id = ?";
$params = [$email, $fullName, $id];
if (!empty($password)) {
$sql = "UPDATE users SET email = ?, full_name = ?, password = ? WHERE id = ?";
$params = [$email, $fullName, password_hash($password, PASSWORD_DEFAULT), $id];
}
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$message = t('user_updated');
}
}
if (!$error && $id) {
// Update Permissions
$pdo->prepare("DELETE FROM user_permissions WHERE user_id = ?")->execute([$id]);
if (!empty($selectedPermissions)) {
$stmtPerm = $pdo->prepare("INSERT INTO user_permissions (user_id, permission_id) VALUES (?, ?)");
foreach ($selectedPermissions as $permId) {
$stmtPerm->execute([$id, $permId]);
}
}
}
if (!$error) {
$pdo->commit();
} else {
$pdo->rollBack();
}
} catch (Exception $e) {
$pdo->rollBack();
$error = $e->getMessage();
}
}
} elseif ($action === 'delete') {
$id = (int)($_POST['id'] ?? 0);
if ($id === $_SESSION['user_id']) {
$error = "You cannot delete your own account.";
} else {
$pdo->prepare("DELETE FROM users WHERE id = ? AND role = 'admin'")->execute([$id]);
$message = t('user_deleted');
}
}
}
// Fetch Users
$stmtUsers = $pdo->query("SELECT id, email, full_name, created_at FROM users WHERE role = 'admin' ORDER BY created_at DESC");
$users = $stmtUsers->fetchAll();
// Fetch Permissions
$stmtPerms = $pdo->query("SELECT id, slug, name, description FROM permissions ORDER BY name ASC");
$allPermissions = $stmtPerms->fetchAll();
render_header(t('nav_platform_users'), 'platform_users', true);
?>
<div class="row g-0">
<div class="col-md-2 bg-white border-end min-vh-100">
<?php render_admin_sidebar('platform_users'); ?>
</div>
<div class="col-md-10 p-4">
<div class="d-flex justify-content-between align-items-center mb-4">
<h1 class="h3 fw-bold mb-0 text-dark"><?= e(t('nav_platform_users')) ?></h1>
<button class="btn btn-primary rounded-pill fw-bold px-4 shadow-sm" data-bs-toggle="modal" data-bs-target="#userModal" onclick="resetForm()">
<i class="bi bi-plus-lg me-2"></i><?= e(t('create_user')) ?>
</button>
</div>
<?php if ($message): ?>
<div class="alert alert-success shadow-sm border-0 rounded-3 mb-4"><?= e($message) ?></div>
<?php endif; ?>
<?php if ($error): ?>
<div class="alert alert-danger shadow-sm border-0 rounded-3 mb-4"><?= e($error) ?></div>
<?php endif; ?>
<div class="card shadow-sm border-0 rounded-4">
<div class="card-body p-0">
<div class="table-responsive">
<table class="table table-hover align-middle mb-0">
<thead class="bg-light">
<tr>
<th class="ps-4 py-3 text-secondary text-uppercase small fw-bold">ID</th>
<th class="py-3 text-secondary text-uppercase small fw-bold"><?= e(t('full_name')) ?></th>
<th class="py-3 text-secondary text-uppercase small fw-bold"><?= e(t('email_address')) ?></th>
<th class="py-3 text-secondary text-uppercase small fw-bold"><?= e(t('created_at')) ?></th>
<th class="pe-4 py-3 text-end text-secondary text-uppercase small fw-bold"><?= e(t('actions')) ?></th>
</tr>
</thead>
<tbody>
<?php if (empty($users)): ?>
<tr>
<td colspan="5" class="text-center py-5 text-muted"><?= e(t('no_users')) ?></td>
</tr>
<?php else: ?>
<?php foreach ($users as $user): ?>
<tr>
<td class="ps-4 fw-bold">#<?= e($user['id']) ?></td>
<td><?= e($user['full_name']) ?></td>
<td><?= e($user['email']) ?></td>
<td class="text-muted small"><?= e(date('M j, Y', strtotime($user['created_at']))) ?></td>
<td class="pe-4 text-end">
<button class="btn btn-sm btn-outline-primary rounded-pill px-3 me-1" onclick="editUser(<?= e(json_encode($user)) ?>)">
<i class="bi bi-pencil-fill me-1"></i><?= e(t('edit_user')) ?>
</button>
<?php if ($user['id'] !== $_SESSION['user_id']): ?>
<button class="btn btn-sm btn-outline-danger rounded-pill px-3" onclick="confirmDelete(<?= $user['id'] ?>)">
<i class="bi bi-trash-fill"></i>
</button>
<?php endif; ?>
</td>
</tr>
<?php endforeach; ?>
<?php endif; ?>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
<!-- User Modal -->
<div class="modal fade" id="userModal" tabindex="-1" aria-hidden="true">
<div class="modal-dialog modal-lg">
<div class="modal-content border-0 shadow rounded-4">
<div class="modal-header border-0 pb-0">
<h5 class="modal-title fw-bold" id="modalTitle"><?= e(t('create_user')) ?></h5>
<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
</div>
<form method="post" id="userForm">
<div class="modal-body p-4">
<input type="hidden" name="action" id="formAction" value="create">
<input type="hidden" name="id" id="userId">
<div class="row g-3 mb-4">
<div class="col-md-6">
<label class="form-label fw-bold"><?= e(t('full_name')) ?></label>
<input type="text" name="full_name" id="fullName" class="form-control rounded-3" required>
</div>
<div class="col-md-6">
<label class="form-label fw-bold"><?= e(t('email_address')) ?></label>
<input type="email" name="email" id="email" class="form-control rounded-3" required>
</div>
<div class="col-md-12">
<label class="form-label fw-bold"><?= e(t('password')) ?> <span class="text-muted fw-normal small" id="passwordHint">(Leave empty to keep current)</span></label>
<input type="password" name="password" id="password" class="form-control rounded-3" autocomplete="new-password">
</div>
</div>
<h6 class="fw-bold mb-3 border-bottom pb-2"><?= e(t('manage_permissions')) ?></h6>
<div class="row g-3">
<?php foreach ($allPermissions as $perm): ?>
<div class="col-md-6">
<div class="form-check p-3 border rounded-3 bg-light h-100">
<input class="form-check-input" type="checkbox" name="permissions[]" value="<?= $perm['id'] ?>" id="perm_<?= $perm['id'] ?>">
<label class="form-check-label w-100" for="perm_<?= $perm['id'] ?>">
<div class="fw-bold text-dark"><?= e($perm['name']) ?></div>
<div class="small text-muted"><?= e($perm['description']) ?></div>
</label>
</div>
</div>
<?php endforeach; ?>
</div>
</div>
<div class="modal-footer border-0 pt-0 pb-4 pe-4">
<button type="button" class="btn btn-light rounded-pill px-4" data-bs-dismiss="modal">Cancel</button>
<button type="submit" class="btn btn-primary rounded-pill px-4 fw-bold shadow-sm">Save Changes</button>
</div>
</form>
</div>
</div>
</div>
<!-- Delete Form -->
<form method="post" id="deleteForm">
<input type="hidden" name="action" value="delete">
<input type="hidden" name="id" id="deleteId">
</form>
<script>
function resetForm() {
document.getElementById('userForm').reset();
document.getElementById('formAction').value = 'create';
document.getElementById('userId').value = '';
document.getElementById('modalTitle').innerText = '<?= e(t('create_user')) ?>';
document.getElementById('passwordHint').innerText = '(Required)';
document.getElementById('password').required = true;
// Uncheck all permissions
document.querySelectorAll('input[name="permissions[]"]').forEach(el => el.checked = false);
}
function editUser(user) {
resetForm();
document.getElementById('formAction').value = 'edit';
document.getElementById('userId').value = user.id;
document.getElementById('fullName').value = user.full_name;
document.getElementById('email').value = user.email;
document.getElementById('modalTitle').innerText = '<?= e(t('edit_user')) ?>';
document.getElementById('passwordHint').innerText = '(Leave empty to keep current)';
document.getElementById('password').required = false;
// Fetch user permissions via AJAX (or simpler, just reload the page - but for UX let's fetch)
// For simplicity in this demo, we'll fetch them via a separate hidden endpoint or just pre-load all permissions for all users in PHP?
// Let's pre-load permissions for all users to avoid AJAX complexity here.
const userPermissions = <?= json_encode($pdo->query("SELECT user_id, permission_id FROM user_permissions")->fetchAll(PDO::FETCH_GROUP | PDO::FETCH_COLUMN)) ?>;
const perms = userPermissions[user.id] || [];
perms.forEach(permId => {
const el = document.getElementById('perm_' + permId);
if (el) el.checked = true;
});
const modal = new bootstrap.Modal(document.getElementById('userModal'));
modal.show();
}
function confirmDelete(id) {
if (confirm('<?= e(t('confirm_delete')) ?>')) {
document.getElementById('deleteId').value = id;
document.getElementById('deleteForm').submit();
}
}
</script>
<?php render_footer(); ?>

8
admin_shippers.php
View File

@ -6,6 +6,14 @@ require_once __DIR__ . '/includes/layout.php';
$errors = [];
$flash = null;
// Check permission
if (!has_permission('manage_shippers')) {
render_header(t('shippers'), 'shippers');
echo '<div class="container py-5"><div class="alert alert-danger">Access Denied. You do not have permission to manage shippers.</div></div>';
render_footer();
exit;
}
// Handle action (Approve / Reject / Delete if necessary)
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'], $_POST['user_id'])) {
$userId = (int)$_POST['user_id'];

8
admin_truck_owners.php
View File

@ -6,6 +6,14 @@ require_once __DIR__ . '/includes/layout.php';
$errors = [];
$flash = null;
// Check permission
if (!has_permission('manage_truck_owners')) {
render_header(t('truck_owners'), 'truck_owners');
echo '<div class="container py-5"><div class="alert alert-danger">Access Denied. You do not have permission to manage truck owners.</div></div>';
render_footer();
exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'], $_POST['user_id'])) {
$userId = (int)$_POST['user_id'];
$action = $_POST['action'];

67
db/migrations/add_platform_permissions.php Normal file
View File

@ -0,0 +1,67 @@
<?php
require_once __DIR__ . '/../../db/config.php';
$pdo = db();
try {
// 1. Create permissions table
$pdo->exec("
CREATE TABLE IF NOT EXISTS permissions (
id INT AUTO_INCREMENT PRIMARY KEY,
slug VARCHAR(100) NOT NULL UNIQUE,
name VARCHAR(100) NOT NULL,
description TEXT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
// 2. Create user_permissions table
$pdo->exec("
CREATE TABLE IF NOT EXISTS user_permissions (
user_id INT NOT NULL,
permission_id INT NOT NULL,
PRIMARY KEY (user_id, permission_id),
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
FOREIGN KEY (permission_id) REFERENCES permissions(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
");
// 3. Seed default permissions
$permissions = [
['slug' => 'manage_platform_users', 'name' => 'Manage Platform Users', 'description' => 'Create and manage admin users and their permissions.'],
['slug' => 'manage_shippers', 'name' => 'Manage Shippers', 'description' => 'View, approve, and edit shipper accounts.'],
['slug' => 'manage_truck_owners', 'name' => 'Manage Truck Owners', 'description' => 'View, approve, and edit truck owner accounts.'],
['slug' => 'manage_shipments', 'name' => 'Manage Shipments', 'description' => 'View and edit shipments.'],
['slug' => 'manage_content', 'name' => 'Manage Content', 'description' => 'Edit FAQs, Landing Pages, and other content.'],
['slug' => 'manage_settings', 'name' => 'Manage Settings', 'description' => 'Edit global application settings.'],
['slug' => 'view_reports', 'name' => 'View Reports', 'description' => 'Access dashboard reports and statistics.']
];
$stmtInsert = $pdo->prepare("INSERT IGNORE INTO permissions (slug, name, description) VALUES (:slug, :name, :description)");
foreach ($permissions as $perm) {
$stmtInsert->execute($perm);
}
// 4. Assign all permissions to existing admins
// First, get all permission IDs
$stmtPerms = $pdo->query("SELECT id FROM permissions");
$allPermIds = $stmtPerms->fetchAll(PDO::FETCH_COLUMN);
// Get all admin users
$stmtAdmins = $pdo->query("SELECT id FROM users WHERE role = 'admin'");
$adminIds = $stmtAdmins->fetchAll(PDO::FETCH_COLUMN);
$stmtAssign = $pdo->prepare("INSERT IGNORE INTO user_permissions (user_id, permission_id) VALUES (:uid, :pid)");
foreach ($adminIds as $uid) {
foreach ($allPermIds as $pid) {
$stmtAssign->execute(['uid' => $uid, 'pid' => $pid]);
}
}
echo "Permissions tables created and seeded successfully.";
} catch (PDOException $e) {
echo "Error: " . $e->getMessage();
}

56
includes/app.php
View File

@ -192,6 +192,18 @@ $translations = [
'welcome_back_owner' => 'Find loads and submit your best rate.',
'total_offers' => 'Total Offers',
'won_shipments' => 'Won Shipments',
'nav_platform_users' => 'Platform Users',
'manage_permissions' => 'Manage Permissions',
'create_user' => 'Create User',
'edit_user' => 'Edit User',
'delete_user' => 'Delete User',
'confirm_delete' => 'Are you sure you want to delete this user?',
'permissions' => 'Permissions',
'no_users' => 'No platform users found.',
'user_created' => 'User created successfully.',
'user_updated' => 'User updated successfully.',
'user_deleted' => 'User deleted successfully.',
'error_email_exists' => 'Email already exists.'
),
"ar" => array (
'app_name' => 'CargoLink',
@ -372,6 +384,18 @@ $translations = [
'welcome_back_owner' => 'ابحث عن الأحمال وقدم أفضل سعر لديك.',
'total_offers' => 'إجمالي العروض',
'won_shipments' => 'الشحنات الفائزة',
'nav_platform_users' => 'مستخدمو المنصة',
'manage_permissions' => 'إدارة الصلاحيات',
'create_user' => 'إنشاء مستخدم',
'edit_user' => 'تعديل المستخدم',
'delete_user' => 'حذف المستخدم',
'confirm_delete' => 'هل أنت متأكد أنك تريد حذف هذا المستخدم؟',
'permissions' => 'الصلاحيات',
'no_users' => 'لم يتم العثور على مستخدمين.',
'user_created' => 'تم إنشاء المستخدم بنجاح.',
'user_updated' => 'تم تحديث المستخدم بنجاح.',
'user_deleted' => 'تم حذف المستخدم بنجاح.',
'error_email_exists' => 'البريد الإلكتروني موجود بالفعل.'
)
];
@ -549,3 +573,35 @@ function get_setting(string $key, $default = ''): string
$settings = get_settings();
return $settings[$key] ?? $default;
}
function has_permission(string $permissionSlug, ?int $userId = null): bool
{
if ($userId === null) {
if (!isset($_SESSION['user_id'])) {
return false;
}
$userId = $_SESSION['user_id'];
}
static $cache = [];
$key = $userId . ':' . $permissionSlug;
if (isset($cache[$key])) {
return $cache[$key];
}
try {
$stmt = db()->prepare(
"SELECT 1
FROM user_permissions up
JOIN permissions p ON up.permission_id = p.id
WHERE up.user_id = ? AND p.slug = ?"
);
$stmt->execute([$userId, $permissionSlug]);
$result = (bool) $stmt->fetchColumn();
$cache[$key] = $result;
return $result;
} catch (Throwable $e) {
return false;
}
}

15
includes/layout.php
View File

@ -1,7 +1,7 @@
<?php
require_once __DIR__ . '/app.php';
function render_header(string $title, string $active = '', bool $isFluid = false): void
function render_header(string $title, string $active = '', bool $isFluid = false, bool $showNav = true): void
{
global $lang, $dir;
$projectDescription = $_SERVER['PROJECT_DESCRIPTION'] ?? '';
@ -40,6 +40,7 @@ function render_header(string $title, string $active = '', bool $isFluid = false
<link rel="stylesheet" href="/assets/css/custom.css?v=<?= time() ?>">
</head>
<body class="app-body">
<?php if ($showNav): ?>
<nav class="navbar navbar-expand-lg navbar-light bg-white border-bottom sticky-top shadow-sm py-3 z-3">
<div class="<?= $isFluid ? 'container-fluid px-4' : 'container' ?>">
<a class="navbar-brand fs-4 d-flex align-items-center" href="<?= e(url_with_lang('index.php')) ?>">
@ -126,11 +127,12 @@ function render_header(string $title, string $active = '', bool $isFluid = false
</div>
</div>
</nav>
<?php endif; ?>
<main class="<?= $isFluid ? 'container-fluid p-0' : 'container py-5' ?>">
<?php
}
function render_footer(): void
function render_footer(bool $showFooter = true): void
{
global $lang;
$appName = get_setting('company_name', t('app_name'));
@ -140,6 +142,7 @@ function render_footer(): void
$companyAddress = get_setting('company_address', '');
?>
</main>
<?php if ($showFooter): ?>
<footer class="bg-white border-top py-5 mt-auto">
<div class="container">
<div class="row g-4 mb-4">
@ -203,6 +206,7 @@ function render_footer(): void
</div>
</div>
</footer>
<?php endif; ?>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>
<script src="/assets/js/main.js?v=<?= time() ?>"></script>
</body>
@ -214,7 +218,7 @@ function render_admin_sidebar(string $active = 'dashboard'): void
{
$settingsActive = in_array($active, ['company_profile', 'integrations', 'notification_templates']);
$locationsActive = in_array($active, ['countries', 'cities']);
$usersActive = in_array($active, ['shippers', 'truck_owners', 'register']);
$usersActive = in_array($active, ['shippers', 'truck_owners', 'register', 'platform_users']);
$pagesActive = in_array($active, ['faqs', 'landing_pages']);
?>
<aside class="admin-sidebar d-flex flex-column h-100 py-4 px-3">
@ -272,6 +276,9 @@ function render_admin_sidebar(string $active = 'dashboard'): void
<a class="admin-nav-link <?= $active === 'truck_owners' ? 'active' : '' ?>" href="<?= e(url_with_lang('admin_truck_owners.php')) ?>">
<i class="bi bi-truck me-2"></i><?= e(t('truck_owners')) ?>
</a>
<a class="admin-nav-link <?= $active === 'platform_users' ? 'active' : '' ?>" href="<?= e(url_with_lang('admin_platform_users.php')) ?>">
<i class="bi bi-person-badge me-2"></i><?= e(t('nav_platform_users')) ?>
</a>
<a class="admin-nav-link <?= $active === 'register' ? 'active' : '' ?>" href="<?= e(url_with_lang('register.php')) ?>">
<i class="bi bi-person-plus me-2"></i><?= e(t('user_registration')) ?>
</a>
@ -302,4 +309,4 @@ function render_admin_sidebar(string $active = 'dashboard'): void
</div>
</aside>
<?php
}
}

4
login.php
View File

@ -73,7 +73,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
}
render_header('Login / Reset Password', 'login');
render_header('Login / Reset Password', 'login', false, false);
?>
<div class="row justify-content-center">
<div class="col-md-6 col-lg-5">
@ -153,4 +153,4 @@ render_header('Login / Reset Password', 'login');
</div>
</div>
<?php render_footer(); ?>
<?php render_footer(false); ?>