<?php
require_once './Includes/auth.php';
require_once './Includes/rbac.php';

// Gate the whole page: an anonymous visitor is redirected, a logged-in user
// without the role-management permission gets a bare "Access Denied" and
// nothing below (handlers included) runs.
redirect_if_not_logged_in();
can_manage_roles() or exit('<div class="alert alert-error">Access Denied</div>');
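// --- helper for HTML escaping ---
/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 *
 * Differences from a bare htmlspecialchars($v, ENT_QUOTES):
 *  - the charset is pinned to UTF-8 instead of the ini default;
 *  - ENT_SUBSTITUTE replaces an invalid byte sequence with U+FFFD instead of
 *    returning '' for the whole string (which silently blanked the cell);
 *  - null is treated as '' (htmlspecialchars(null) is deprecated since 8.1),
 *    and ints (e.g. pk_role) are accepted as before.
 *
 * @param string|int|float|bool|null $v value to escape
 * @return string escaped text; single quotes become &#039; as with ENT_HTML401
 */
function h($v): string
{
    return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}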
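$message = '';

// NOTE(review): delete_role and remove_permission are fired by plain GET links
// (see the page script below) and none of the handlers checks a CSRF token, so
// a forged link, an <img src>, or a browser prefetch can change roles on behalf
// of a logged-in admin. The fix is POST plus a per-session token verified in
// every handler; that needs the forms and the JS changed in step, so it is
// flagged here rather than changed in this block.

/**
 * Read a positive integer id from a request array ($_POST / $_GET).
 *
 * @param array  $src request array
 * @param string $key parameter name
 * @return int the id, or 0 when the key is missing, non-scalar (e.g. role_id[]) or not positive
 */
function admin_roles_id(array $src, string $key): int
{
    $raw = $src[$key] ?? null;
    if (!is_scalar($raw)) {
        return 0;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : 0;
}

/**
 * Read a trimmed string from a request array.
 *
 * @param array  $src request array
 * @param string $key parameter name
 * @return string the trimmed value, or '' when missing or not a string
 */
function admin_roles_text(array $src, string $key): string
{
    $raw = $src[$key] ?? null;
    return is_string($raw) ? trim($raw) : '';
}

/**
 * Prepare, bind and execute one statement on $conn.
 *
 * A real prepared statement is used so values are never interpolated into the
 * SQL text. Driver errors are written to error_log only; callers show a generic
 * message, so schema and driver details are not echoed to the browser as the
 * previous mysqli_error() output was.
 *
 * @param mysqli $conn   open connection (expected from Includes/auth.php — not visible here)
 * @param string $sql    statement with `?` placeholders
 * @param string $types  mysqli bind type string, e.g. 'si'
 * @param array  $params placeholder values in order (may be empty)
 * @return bool true when execute() succeeded
 */
function admin_roles_exec($conn, string $sql, string $types, array $params): bool
{
    try {
        $stmt = mysqli_prepare($conn, $sql);
        if ($stmt === false) {
            error_log('admin_roles: prepare failed: ' . mysqli_error($conn));
            return false;
        }
        if ($params !== [] && !mysqli_stmt_bind_param($stmt, $types, ...$params)) {
            error_log('admin_roles: bind failed: ' . mysqli_stmt_error($stmt));
            mysqli_stmt_close($stmt);
            return false;
        }
        $ok = mysqli_stmt_execute($stmt);
        if (!$ok) {
            error_log('admin_roles: execute failed: ' . mysqli_stmt_error($stmt));
        }
        mysqli_stmt_close($stmt);
        return $ok;
    } catch (mysqli_sql_exception $e) {
        // PHP >= 8.1 reports mysqli errors as exceptions by default; keep the
        // details in the server log, never in the page
        error_log('admin_roles: ' . $e->getMessage());
        return false;
    }
}

$isPost = $_SERVER['REQUEST_METHOD'] === 'POST';

// --- handle Role Creation ---
if ($isPost && isset($_POST['create_role'])) {
    $role_name = admin_roles_text($_POST, 'role_name');
    if ($role_name === '') {
        // the form's `required` attribute is client-side only
        $message = '<div class="alert alert-error">Error: role name must not be empty.</div>';
    } else {
        $message = admin_roles_exec($conn, 'INSERT INTO workflowManager_Role (name) VALUES (?)', 's', [$role_name])
            ? '<div class="alert alert-success">Role created successfully!</div>'
            : '<div class="alert alert-error">Error: could not create role.</div>';
    }
}

// --- handle Role Renaming ---
if ($isPost && isset($_POST['rename_role'])) {
    $role_id = admin_roles_id($_POST, 'role_id');
    $new_name = admin_roles_text($_POST, 'new_name');
    if ($role_id === 0 || $new_name === '') {
        $message = '<div class="alert alert-error">Error: a role and a non-empty name are required.</div>';
    } else {
        $message = admin_roles_exec($conn, 'UPDATE workflowManager_Role SET name = ? WHERE pk_role = ?', 'si', [$new_name, $role_id])
            ? '<div class="alert alert-success">Role renamed!</div>'
            : '<div class="alert alert-error">Error: could not rename role.</div>';
    }
}

// --- handle Role Deletion ---
if (isset($_GET['delete_role'])) {
    $role_id = admin_roles_id($_GET, 'delete_role');
    $deleted = false;
    if ($role_id > 0) {
        // both rows go or neither: do not leave orphaned permission rows (or a
        // role stripped of its permissions) if the second delete fails
        mysqli_begin_transaction($conn);
        $deleted = admin_roles_exec($conn, 'DELETE FROM workflowManager_hasPermission WHERE pkfk_role = ?', 'i', [$role_id])
            && admin_roles_exec($conn, 'DELETE FROM workflowManager_Role WHERE pk_role = ?', 'i', [$role_id]);
        if ($deleted) {
            mysqli_commit($conn);
        } else {
            mysqli_rollback($conn);
        }
    }
    $message = $deleted
        ? '<div class="alert alert-success">Role deleted!</div>'
        : '<div class="alert alert-error">Error: could not delete role.</div>';
}

// --- handle Permission Assignment ---
if ($isPost && isset($_POST['assign_permission'])) {
    $role_id = admin_roles_id($_POST, 'role_id');
    $permission_id = admin_roles_id($_POST, 'permission_id');
    if ($role_id === 0 || $permission_id === 0) {
        $message = '<div class="alert alert-error">Error: a role and a permission are required.</div>';
    } else {
        $message = admin_roles_exec(
            $conn,
            'INSERT INTO workflowManager_hasPermission (pkfk_role, pkfk_permission) VALUES (?, ?)',
            'ii',
            [$role_id, $permission_id]
        )
            ? '<div class="alert alert-success">Permission assigned!</div>'
            : '<div class="alert alert-error">Error: could not assign permission (is it already assigned?).</div>';
    }
}

// --- handle Permission Removal ---
if (isset($_GET['remove_permission'])) {
    $role_id = admin_roles_id($_GET, 'role_id');
    $permission_id = admin_roles_id($_GET, 'permission_id');
    if ($role_id === 0 || $permission_id === 0) {
        $message = '<div class="alert alert-error">Error: a role and a permission are required.</div>';
    } else {
        $message = admin_roles_exec(
            $conn,
            'DELETE FROM workflowManager_hasPermission WHERE pkfk_role = ? AND pkfk_permission = ?',
            'ii',
            [$role_id, $permission_id]
        )
            ? '<div class="alert alert-success">Permission removed!</div>'
            : '<div class="alert alert-error">Error: could not remove permission.</div>';
    }
}

// --- fetch Roles and Permissions (no user input involved) ---
$roles_sql = "SELECT * FROM workflowManager_Role";
$roles_result = mysqli_query($conn, $roles_sql);
$perms_sql = "SELECT * FROM workflowManager_Permission";
$perms_result = mysqli_query($conn, $perms_sql);
?>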
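<?php
// NOTE(review): neither form below carries a CSRF token, and the Delete /
// Remove links resolve to GET requests (see the page script). Adding a hidden
// token field here only helps once the handlers above verify it.
?>
<h2>Role Management</h2>
<?= $message ?>
<div class="management-container">
<!-- Create Role Section -->
<div class="management-section">
<h3>Create New Role</h3>
<form method="POST">
<div class="form-group">
<label>Role Name:</label>
<input type="text" name="role_name" required>
</div>
<button type="submit" name="create_role" class="btn">Create Role</button>
</form>
</div>
<!-- Assign Permission Section -->
<div class="management-section">
<h3>Assign Permission to Role</h3>
<form method="POST">
<div class="form-group">
<label>Select Role:</label>
<select name="role_id" required>
<?php mysqli_data_seek($roles_result, 0); while ($role = mysqli_fetch_assoc($roles_result)): ?>
<option value="<?= h($role['pk_role']) ?>"><?= h($role['name']) ?></option>
<?php endwhile; ?>
</select>
</div>
<div class="form-group">
<label>Select Permission:</label>
<select name="permission_id" required>
<?php while ($perm = mysqli_fetch_assoc($perms_result)): ?>
<option value="<?= h($perm['pk_permission']) ?>"><?= h($perm['action']) ?></option>
<?php endwhile; ?>
</select>
</div>
<button type="submit" name="assign_permission" class="btn">Assign Permission</button>
</form>
</div>
</div>
<!-- Roles and Permissions Table -->
<h3>Existing Roles</h3>
<table class="data-table">
<tr>
<th>ID</th>
<th>Role Name</th>
<th>Permissions</th>
<th>Actions</th>
</tr>
<?php
// second pass over the same result set: rewind it, the <select> above
// already consumed it
mysqli_data_seek($roles_result, 0);
while ($role = mysqli_fetch_assoc($roles_result)):
    // pk_role comes from the database, but it is interpolated into SQL below,
    // so pin it to an integer anyway (defense in depth against a non-numeric key)
    $role_id = (int) $role['pk_role'];
    $perms_sql = "SELECT p.pk_permission, p.action
        FROM workflowManager_hasPermission hp
        INNER JOIN workflowManager_Permission p ON hp.pkfk_permission = p.pk_permission
        WHERE hp.pkfk_role = $role_id";
    // false on query failure; treated below as "no permissions" instead of
    // passing false into mysqli_num_rows()
    $role_perms = mysqli_query($conn, $perms_sql);
?>
<tr>
<td><?= h($role_id) ?></td>
<td>
<form method="POST" class="inline-form">
<input type="hidden" name="role_id" value="<?= h($role_id) ?>">
<input type="text" name="new_name" value="<?= h($role['name']) ?>">
<button type="submit" name="rename_role" class="btn small-btn">Rename</button>
</form>
</td>
<td>
<?php if ($role_perms !== false && mysqli_num_rows($role_perms) > 0): ?>
<div class="role-permissions-list">
<?php while ($perm = mysqli_fetch_assoc($role_perms)): ?>
<div class="role-permission-item">
<span><?= h($perm['action']) ?></span>
<a href="#"
class="btn btn-danger small-btn remove-permission"
data-role-id="<?= h($role_id) ?>"
data-permission-id="<?= h($perm['pk_permission']) ?>">
Remove
</a>
</div>
<?php endwhile; ?>
</div>
<?php else: ?>
<em>No permissions assigned</em>
<?php endif; ?>
</td>
<td>
<a href="#"
class="btn btn-danger delete-role"
data-role-id="<?= h($role_id) ?>">
Delete Role
</a>
</td>
</tr>
<?php endwhile; ?>
</table>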
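<script>
// Both actions navigate to a GET URL that the PHP handlers on this page act on.
// NOTE(review): a GET that deletes data is CSRF-prone and can be fired by link
// prefetchers; it should become a POST carrying a CSRF token once the handlers
// accept one. Kept as GET here so the existing handlers keep working.
(function () {
    // Build "?page=admin_roles&k=v…" with every value URL-encoded, so an
    // unexpected data-* value cannot splice extra query parameters into the URL.
    function adminRolesUrl(params) {
        const query = new URLSearchParams({ page: 'admin_roles', ...params });
        return '?' + query.toString();
    }

    // confirm and handle role deletion
    document.querySelectorAll('.delete-role').forEach((btn) => {
        btn.addEventListener('click', (e) => {
            e.preventDefault();
            const roleId = btn.getAttribute('data-role-id');
            if (confirm('Are you sure you want to delete this role and all its permissions?')) {
                window.location.href = adminRolesUrl({ delete_role: roleId });
            }
        });
    });

    // confirm and handle permission removal
    document.querySelectorAll('.remove-permission').forEach((btn) => {
        btn.addEventListener('click', (e) => {
            e.preventDefault();
            const roleId = btn.getAttribute('data-role-id');
            const permId = btn.getAttribute('data-permission-id');
            if (confirm('Are you sure you want to remove this permission?')) {
                window.location.href = adminRolesUrl({
                    remove_permission: '1',
                    role_id: roleId,
                    permission_id: permId,
                });
            }
        });
    });
})();
</script>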