diff --git a/admin_users.php b/admin_users.php
index 0e24fef..82e1bd9 100644
--- a/admin_users.php
+++ b/admin_users.php
@@ -15,14 +15,15 @@ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
if ($action === 'create_user') {
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';
+ $role = $_POST['role'] ?? 'admin';
if ($username === '' || $password === '') {
$error = qh_t('Username and password are required.', 'اسم المستخدم وكلمة المرور مطلوبان.');
} else {
try {
$hash = password_hash($password, PASSWORD_DEFAULT);
- $stmt = $pdo->prepare("INSERT INTO users (username, password) VALUES (:username, :password)");
- $stmt->execute(['username' => $username, 'password' => $hash]);
+ $stmt = $pdo->prepare("INSERT INTO users (username, password, role) VALUES (:username, :password, :role)");
+ $stmt->execute(['username' => $username, 'password' => $hash, 'role' => $role]);
$success = qh_t('User created successfully.', 'تم إنشاء المستخدم بنجاح.');
} catch (PDOException $e) {
if ($e->getCode() == 23000) {
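Review bot: `$role = $_POST['role'] ?? 'admin';` stores whatever string the form sends without checking it against the roles the application understands, and a missing field silently becomes 'admin', the most privileged role. Validate before the INSERT alongside the existing username/password check, e.g. `if (!in_array($role, ['admin', 'reception', 'nursing', 'doctor'], true)) {` followed by a `qh_t(...)` error assignment, and prefer rejecting a missing role over defaulting to admin. The same unvalidated assignment appears in the update_user branch (second hunk) and feeds both UPDATE statements in the third hunk. The `$roles` label map introduced later in this file (after the POST handling) repeats the same list, so one allowlist declared before the handlers could serve both validation and display. The enclosing POST-handling block starts and ends outside this hunk.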
@@ -36,6 +37,7 @@ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
$id = (int)($_POST['id'] ?? 0);
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';
+ $role = $_POST['role'] ?? 'admin';
if ($id <= 0 || $username === '') {
$error = qh_t('Invalid user data.', 'بيانات المستخدم غير صالحة.');
@@ -43,11 +45,11 @@ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
try {
if ($password !== '') {
$hash = password_hash($password, PASSWORD_DEFAULT);
- $stmt = $pdo->prepare("UPDATE users SET username = :username, password = :password WHERE id = :id");
- $stmt->execute(['username' => $username, 'password' => $hash, 'id' => $id]);
+ $stmt = $pdo->prepare("UPDATE users SET username = :username, password = :password, role = :role WHERE id = :id");
+ $stmt->execute(['username' => $username, 'password' => $hash, 'role' => $role, 'id' => $id]);
} else {
- $stmt = $pdo->prepare("UPDATE users SET username = :username WHERE id = :id");
- $stmt->execute(['username' => $username, 'id' => $id]);
+ $stmt = $pdo->prepare("UPDATE users SET username = :username, role = :role WHERE id = :id");
+ $stmt->execute(['username' => $username, 'role' => $role, 'id' => $id]);
}
$success = qh_t('User updated successfully.', 'تم تحديث المستخدم بنجاح.');
} catch (PDOException $e) {
@@ -74,10 +76,13 @@ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
}
try {
- $users = $pdo->query("SELECT id, username, created_at FROM users ORDER BY id ASC")->fetchAll();
+ $users = $pdo->query("SELECT id, username, role, created_at FROM users ORDER BY id ASC")->fetchAll();
} catch (PDOException $e) {
- if ($e->getCode() == '42S02') {
- $pdo->exec("CREATE TABLE IF NOT EXISTS users (id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL UNIQUE, password VARCHAR(255) NOT NULL, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci");
+ if (str_contains($e->getMessage(), "Unknown column 'role'")) {
+ $pdo->exec("ALTER TABLE users ADD COLUMN role VARCHAR(20) DEFAULT 'admin'");
+ $users = $pdo->query("SELECT id, username, role, created_at FROM users ORDER BY id ASC")->fetchAll();
+ } elseif ($e->getCode() == '42S02') {
+ $pdo->exec("CREATE TABLE IF NOT EXISTS users (id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL UNIQUE, password VARCHAR(255) NOT NULL, role VARCHAR(20) DEFAULT 'admin', created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci");
$users = [];
$error = qh_t('Users table was missing and has been created.', 'كان جدول المستخدمين مفقوداً وتم إنشاؤه.');
} else {
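Review bot: The branch added at `if (str_contains($e->getMessage(), "Unknown column 'role'"))` keys a schema migration on the text of the driver's error message, which varies by server version and locale, while the sibling branch on the next line checks the SQLSTATE; use the code here too, `if ($e->getCode() == '42S22') {`. Running `ALTER TABLE` from a page-render path also means the migration fires on whichever request first hits this page, and queue_bootstrap.php in this same commit already creates the table and adds the column, so the bootstrap could be left as the single owner of the schema and this branch reduced to the error message. The ALTER's `DEFAULT 'admin'` backfills every existing row with full access, which may be intended for this upgrade but deserves a comment such as `// existing accounts predate roles and keep full access`. The enclosing try/catch ends outside this hunk.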
@@ -86,6 +91,13 @@ try {
}
$stats = qh_admin_stats();
+$roles = [
+ 'admin' => qh_t('Admin', 'مدير'),
+ 'reception' => qh_t('Reception', 'استقبال'),
+ 'nursing' => qh_t('Nursing', 'تمريض'),
+ 'doctor' => qh_t('Doctor', 'طبيب'),
+];
+
qh_page_start(
'admin',
qh_t('System Users', 'مستخدمو النظام'),
@@ -125,6 +137,7 @@ qh_page_start(
| ID |
= qh_h(qh_t('Username', 'اسم المستخدم')) ?> |
+ = qh_h(qh_t('Role / Permissions', 'الدور / الصلاحيات')) ?> |
= qh_h(qh_t('Created At', 'تاريخ الإنشاء')) ?> |
= qh_h(qh_t('Actions', 'الإجراءات')) ?> |
@@ -134,13 +147,17 @@ qh_page_start(
| #= qh_h((string)$user['id']) ?> |
= qh_h($user['username']) ?> |
+
+ = qh_h($roles[$user['role']] ?? $user['role']) ?>
+ |
= qh_h($user['created_at']) ?> |
1): ?>
@@ -157,7 +174,7 @@ qh_page_start(
|
- |
+ |
= qh_h(qh_t('No users found.', 'لا يوجد مستخدمين.')) ?>
|
@@ -186,6 +203,14 @@ qh_page_start(
+
+
+
+
@@ -216,6 +241,14 @@ qh_page_start(
+
+
+
+
@@ -238,12 +271,18 @@ document.addEventListener('DOMContentLoaded', function () {
const button = event.relatedTarget;
const id = button.getAttribute('data-id');
const username = button.getAttribute('data-username');
+ const role = button.getAttribute('data-role');
editModal.querySelector('#editUserId').value = id;
editModal.querySelector('#editUserUsername').value = username;
+
+ const roleSelect = editModal.querySelector('#editUserRole');
+ if (roleSelect && role) {
+ roleSelect.value = role;
+ }
});
}
});
PDO::ERRMODE_EXCEPTION]);
-
// Rewrite db/config.php
$configContent = " PDO::ERRMODE_EXCEPTION,\n" .
" PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,\n" .
" ]);\n" .
diff --git a/login.php b/login.php
index 26b1ea2..1a20860 100644
--- a/login.php
+++ b/login.php
@@ -16,13 +16,14 @@ if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
$error = qh_t('Please enter your username and password.', 'يرجى إدخال اسم المستخدم وكلمة المرور.');
} else {
try {
- $stmt = db()->prepare("SELECT id, password FROM users WHERE username = :username LIMIT 1");
+ $stmt = db()->prepare("SELECT id, password, role FROM users WHERE username = :username LIMIT 1");
$stmt->execute(['username' => $username]);
$user = $stmt->fetch();
if ($user && password_verify($password, $user['password'])) {
$_SESSION['user_id'] = (int) $user['id'];
$_SESSION['username'] = $username;
+ $_SESSION['role'] = $user['role'] ?? 'admin';
qh_redirect('index.php');
} else {
$error = qh_t('Invalid username or password.', 'اسم المستخدم أو كلمة المرور غير صحيحة.');
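Review bot: `$_SESSION['role'] = $user['role'] ?? 'admin';` fails open: a NULL role (a row written before the column existed on a server where the ALTER did not backfill, or one cleared later) is promoted to the most privileged role at login. Default to a value that grants nothing, e.g. `$_SESSION['role'] = $user['role'] ?? '';`, which the bootstrap check in this commit then treats as a non-admin role limited to index.php; that check defaults to admin the same way and should change together with this line. Nothing in the visible context regenerates the session id on successful login; if `qh_redirect` or earlier code does not do it, add `session_regenerate_id(true);` before the `$_SESSION` writes. The enclosing request handler starts and ends outside this hunk.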
diff --git a/queue_bootstrap.php b/queue_bootstrap.php
index 47bf5dd..ee6eaa8 100644
--- a/queue_bootstrap.php
+++ b/queue_bootstrap.php
@@ -15,6 +15,25 @@ if (file_exists(__DIR__ . "/.installed") && !in_array($currentPage, $publicPages
header("Location: login.php");
exit;
}
+
+ $role = $_SESSION["role"] ?? "admin";
+ $allowed = false;
+ if ($role === "admin") {
+ $allowed = true;
+ } elseif ($currentPage === "index.php") {
+ $allowed = true;
+ } elseif ($role === "reception" && $currentPage === "reception.php") {
+ $allowed = true;
+ } elseif ($role === "nursing" && $currentPage === "nursing.php") {
+ $allowed = true;
+ } elseif ($role === "doctor" && $currentPage === "doctor.php") {
+ $allowed = true;
+ }
+
+ if (!$allowed) {
+ header("Location: index.php");
+ exit;
+ }
}
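Review bot: `$role = $_SESSION["role"] ?? "admin";` makes the absence of a role key equivalent to admin, so any session that lacks it — sessions established before this deploy, or a login path that does not set it — satisfies `$role === "admin"` and reaches every page. Default to a value that matches no privileged branch, `$role = $_SESSION["role"] ?? "";`, which with the existing chain still allows index.php and nothing else; login.php in this commit uses the same `?? 'admin'` fallback and should change with it. The if/elseif chain is a value lookup and reads more clearly as a role-to-page map, shown below with the same page assignments. The enclosing `if (file_exists(...))` block starts outside this hunk.
```php
$role = $_SESSION["role"] ?? "";
$pageForRole = [
    "reception" => "reception.php",
    "nursing" => "nursing.php",
    "doctor" => "doctor.php",
];
$allowed = $role === "admin"
    || $currentPage === "index.php"
    || ($pageForRole[$role] ?? null) === $currentPage;
// … unchanged: redirect to index.php when !$allowed …
```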
@@ -109,6 +128,9 @@ SQL;
try { db()->exec("ALTER TABLE hospital_profile_settings ADD COLUMN default_language VARCHAR(10) DEFAULT 'en'"); } catch (\Throwable $e) {}
}
+ try { db()->exec("CREATE TABLE IF NOT EXISTS users (id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL UNIQUE, password VARCHAR(255) NOT NULL, role VARCHAR(20) DEFAULT 'admin', created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci"); } catch (\Throwable $e) {}
+ try { db()->exec("ALTER TABLE users ADD COLUMN role VARCHAR(20) DEFAULT 'admin'"); } catch (\Throwable $e) {}
+
function qh_seed_demo_data(): void
{
$pdo = db();
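Review bot: The two added `try { db()->exec(...) } catch (\Throwable $e) {}` lines run DDL on every request and swallow every failure, including ones unrelated to the column already existing (lost connection, insufficient privilege), so a broken schema only surfaces later as a failed query elsewhere. This mirrors the existing `default_language` line above, but the users DDL now also lives in admin_users.php in this commit (its CREATE TABLE and ALTER TABLE fallbacks); keep the bootstrap as the single owner and drop the copy in the page, or at least document the intent here with `// idempotent: the ALTER fails harmlessly once the column exists`. Guarding the ALTER with an information_schema lookup or a stored schema version would avoid issuing a failing statement on every request. `qh_seed_demo_data` begins at the end of this hunk and continues outside it.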
@@ -1014,7 +1036,7 @@ function qh_admin_handle_request(): void
}
$action = trim((string) ($_POST['action'] ?? ''));
- if ($action === '' || in_array($action, ['add_video', 'delete_video', 'toggle_status', 'add_news', 'delete_news', 'toggle_news_status'])) {
+ if ($action === '' || in_array($action, ['add_video', 'delete_video', 'toggle_status', 'add_news', 'delete_news', 'toggle_news_status', 'create_user', 'update_user', 'delete_user'])) {
return;
}
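Review bot: `in_array($action, [...])` on the changed line compares loosely while the adjacent `$action === ''` is strict; pass the third argument, `in_array($action, [...], true)`, so the whole condition uses one comparison mode. The inline list of actions this handler hands off to other pages has grown to nine entries and would read better declared once above the check (for example a constructed `$deferredActions = [...]`) with a comment naming which page handles the user actions. `qh_admin_handle_request` starts outside this hunk.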