<?php
require_once './Includes/auth.php';
require_once './Includes/rbac.php';

// Page gate, in order: anonymous visitors are sent away by the auth helper
// (it is assumed to redirect and stop; TODO confirm in auth.php), and a
// logged-in user without the role-management permission stops here with a
// flat error and no further output.
redirect_if_not_logged_in();
can_manage_roles() or die('<div class="alert alert-error">Access Denied</div>');
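$message = '';

// --- helpers ---
// Executes one parameterised statement on $conn (the mysqli link the includes
// above provide). $types is the mysqli bind string with one letter per value
// in $params ('i' integer, 's' string); pass '' when the statement binds
// nothing. Returns true on success. On failure the driver's message is written
// to the server log only: the previous version echoed mysqli_error() into the
// page, which reveals table/column names and SQL fragments to whoever is
// logged in.
$runStatement = function ($sql, $types, array $params) use ($conn) {
    $stmt = mysqli_prepare($conn, $sql);
    if ($stmt === false) {
        error_log('admin_users: prepare failed: ' . mysqli_error($conn));
        return false;
    }
    if ($types !== '') {
        mysqli_stmt_bind_param($stmt, $types, ...$params);
    }
    $ok = mysqli_stmt_execute($stmt);
    if (!$ok) {
        error_log('admin_users: execute failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
    return $ok;
};
// Banner markup for $message. $text must be a fixed string, never request
// data: the template echoes $message unescaped.
$successBanner = function ($text) {
    return '<div class="alert alert-success">' . $text . '</div>';
};
$errorBanner = function ($text) {
    return '<div class="alert alert-error">' . $text . '</div>';
};

// --- handle User Operations (POST) ---
// NOTE(review): no CSRF token is verified here. Unless auth.php checks one for
// every POST, a logged-in admin can be made to create/update users or assign
// roles by a cross-site form submission; add a session-bound token to both
// forms in the template and reject requests whose token does not match.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Add new user. A blank password is rejected: the form's "leave blank to
    // keep current" hint is meant for editing, and password_hash('') would
    // otherwise create an account that password_verify('') accepts.
    if (isset($_POST['add_user'])) {
        $firstName = (string)($_POST['first_name'] ?? '');
        $lastName  = (string)($_POST['last_name'] ?? '');
        $iam       = (string)($_POST['iam'] ?? '');
        $birthDate = (string)($_POST['birth_date'] ?? '');
        $plain     = (string)($_POST['password'] ?? '');
        if ($plain === '') {
            $message = $errorBanner('Error: a password is required when creating a user.');
        } else {
            $ok = $runStatement(
                'INSERT INTO workflowManager_User (firstName, lastName, iam, birthDate, passwordHash)
                 VALUES (?, ?, ?, ?, ?)',
                'sssss',
                [$firstName, $lastName, $iam, $birthDate, password_hash($plain, PASSWORD_DEFAULT)]
            );
            $message = $ok
                ? $successBanner('User created successfully!')
                : $errorBanner('Error: the user could not be created.');
        }
    }
    // Update existing user. Names and IAM are always written; the password is
    // replaced only when the field was filled in (the previous handler ignored
    // the password field entirely, so the form's hint was misleading).
    // birth_date is still not updated: the edit form never pre-fills it, so
    // whatever the admin had to type there would overwrite the real value.
    elseif (isset($_POST['update_user'])) {
        $userId    = (int)($_POST['user_id'] ?? 0);
        $firstName = (string)($_POST['first_name'] ?? '');
        $lastName  = (string)($_POST['last_name'] ?? '');
        $iam       = (string)($_POST['iam'] ?? '');
        $plain     = (string)($_POST['password'] ?? '');
        if ($userId <= 0) {
            // Previously an empty/missing id ran UPDATE ... WHERE pk_user = 0,
            // touched nothing and still reported success.
            $message = $errorBanner('Error: no user selected.');
        } else {
            if ($plain === '') {
                $ok = $runStatement(
                    'UPDATE workflowManager_User
                     SET firstName = ?, lastName = ?, iam = ?
                     WHERE pk_user = ?',
                    'sssi',
                    [$firstName, $lastName, $iam, $userId]
                );
            } else {
                $ok = $runStatement(
                    'UPDATE workflowManager_User
                     SET firstName = ?, lastName = ?, iam = ?, passwordHash = ?
                     WHERE pk_user = ?',
                    'ssssi',
                    [$firstName, $lastName, $iam, password_hash($plain, PASSWORD_DEFAULT), $userId]
                );
            }
            $message = $ok
                ? $successBanner('User updated successfully!')
                : $errorBanner('Error: the user could not be updated.');
        }
    }
    // Assign role to user.
    elseif (isset($_POST['assign_role'])) {
        $user_id = (int)($_POST['user_id'] ?? 0);
        $role_id = (int)($_POST['role_id'] ?? 0);
        if ($user_id <= 0 || $role_id <= 0) {
            $message = $errorBanner('Error: select a user and a role first.');
        } else {
            $ok = $runStatement(
                'INSERT INTO workflowManager_hasRole (pkfk_user, pkfk_role) VALUES (?, ?)',
                'ii',
                [$user_id, $role_id]
            );
            // A failure here is most likely a duplicate (user, role) pair or an
            // id that does not exist -- the column names suggest a composite
            // key, TODO confirm against the schema.
            $message = $ok
                ? $successBanner('Role assigned successfully!')
                : $errorBanner('Error: the role could not be assigned (is it already assigned?).');
        }
    }
}

// --- handle GET Operations ---
// NOTE(review): both actions below change state on a plain GET. Any page the
// admin visits can trigger them through an <img> or link carrying
// action=delete_user&user_id=N, and link prefetchers may follow them without a
// click. They belong in POST forms protected by the same CSRF token; the URLs
// are built in the template and the script below, so that change spans more
// than this block.
if (isset($_GET['action'])) {
    // Delete user: role rows and the user row go in one transaction, so a
    // failed second DELETE no longer leaves a user stripped of all roles.
    if ($_GET['action'] === 'delete_user') {
        $userId = (int)($_GET['user_id'] ?? 0);
        if ($userId <= 0) {
            $message = $errorBanner('Error: no user selected.');
        } else {
            // NOTE(review): nothing prevents an admin from deleting their own
            // account (or the last role manager); compare $userId with the
            // session's user id from auth.php before proceeding.
            mysqli_begin_transaction($conn);
            $ok = $runStatement('DELETE FROM workflowManager_hasRole WHERE pkfk_user = ?', 'i', [$userId])
                && $runStatement('DELETE FROM workflowManager_User WHERE pk_user = ?', 'i', [$userId]);
            if ($ok) {
                mysqli_commit($conn);
                $message = $successBanner('User deleted successfully!');
            } else {
                mysqli_rollback($conn);
                $message = $errorBanner('Error: the user could not be deleted.');
            }
        }
    }
    // Remove one role from a user.
    elseif ($_GET['action'] === 'remove_role') {
        $user_id = (int)($_GET['user_id'] ?? 0);
        $role_id = (int)($_GET['role_id'] ?? 0);
        if ($user_id <= 0 || $role_id <= 0) {
            $message = $errorBanner('Error: select a user and a role first.');
        } else {
            // NOTE(review): as with delete, an admin can strip their own
            // role-management permission here; consider guarding the session user.
            $ok = $runStatement(
                'DELETE FROM workflowManager_hasRole WHERE pkfk_user = ? AND pkfk_role = ?',
                'ii',
                [$user_id, $role_id]
            );
            $message = $ok
                ? $successBanner('Role removed successfully!')
                : $errorBanner('Error: the role could not be removed.');
        }
    }
}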
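// Lists consumed by the template below. mysqli_query() returns false on
// error, and mysqli_fetch_assoc(false) is a TypeError on PHP 8, so stop with a
// banner instead of a half-rendered page; the driver message goes to the log
// only (it names tables and columns).
$users_sql = "SELECT pk_user, firstName, lastName, iam FROM workflowManager_User";
$users_result = mysqli_query($conn, $users_sql);
$roles_sql = "SELECT pk_role, name FROM workflowManager_Role";
$roles_result = mysqli_query($conn, $roles_sql);
if ($users_result === false || $roles_result === false) {
    error_log('admin_users: list query failed: ' . mysqli_error($conn));
    die('<div class="alert alert-error">Error: the user and role lists could not be loaded.</div>');
}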
?>
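<div class="container">
    <h2>User Management</h2>
    <?php /* $message is server-built banner markup and is echoed unescaped;
             it must never carry request data. */ ?>
    <?= $message ?>
    <!-- User CRUD Section -->
    <div class="management-card">
        <div class="action-header">
            <h3>Manage Users</h3>
            <button id="add-user-btn" class="btn">
                <i class="fa-solid fa-user-plus"></i> Add User
            </button>
        </div>
        <!-- Add/Edit User Form -->
        <?php /* NOTE(review): this form and assign-role-form below post with no
                 CSRF token. Unless auth.php adds and checks one for every POST,
                 a hidden session-bound token field is needed here. */ ?>
        <div id="user-form-container" style="display:none;">
            <form method="POST" id="user-form">
                <input type="hidden" name="user_id" id="form-user-id">
                <div class="form-row">
                    <div class="form-group">
                        <label>First Name</label>
                        <input type="text" name="first_name" id="form-first-name" required>
                    </div>
                    <div class="form-group">
                        <label>Last Name</label>
                        <input type="text" name="last_name" id="form-last-name" required>
                    </div>
                </div>
                <div class="form-row">
                    <div class="form-group">
                        <label>IAM Identifier</label>
                        <input type="text" name="iam" id="form-iam" required>
                    </div>
                    <div class="form-group">
                        <label>Birth Date</label>
                        <?php /* Only used when adding: the edit script never pre-fills
                                 this field and the update handler ignores it. */ ?>
                        <input type="date" name="birth_date" id="form-birth-date" required>
                    </div>
                    <div class="form-group">
                        <label>Password</label>
                        <?php /* autocomplete="new-password" stops the browser from
                                 silently filling the admin's own saved password into
                                 the record being added or edited. */ ?>
                        <input type="password" name="password" id="form-password"
                               placeholder="Leave blank to keep current" autocomplete="new-password">
                    </div>
                </div>
                <div class="form-row">
                    <button type="submit" name="add_user" id="form-submit-btn" class="btn">Add User</button>
                    <button type="button" id="cancel-form-btn" class="btn btn-danger">Cancel</button>
                </div>
            </form>
        </div>
        <!-- User List -->
        <?php /* Ids are cast to int before being placed in attributes and URLs;
                 names and the IAM identifier are HTML-escaped. */ ?>
        <div class="user-list">
            <?php while ($user = mysqli_fetch_assoc($users_result)): ?>
            <div class="user-item" data-user-id="<?= (int)$user['pk_user'] ?>">
                <div>
                    <strong><?= htmlspecialchars($user['firstName'] . ' ' . $user['lastName']) ?></strong>
                    <div class="text-muted">IAM: <?= htmlspecialchars($user['iam']) ?></div>
                </div>
                <div class="user-actions">
                    <button class="btn-icon edit-user"
                            data-user-id="<?= (int)$user['pk_user'] ?>"
                            data-first-name="<?= htmlspecialchars($user['firstName']) ?>"
                            data-last-name="<?= htmlspecialchars($user['lastName']) ?>"
                            data-iam="<?= htmlspecialchars($user['iam']) ?>">
                        <i class="fa-solid fa-pen"></i>
                    </button>
                    <?php /* NOTE(review): a state-changing GET link; the confirm()
                             only guards a human click, not a forged request. Should
                             become a POST form with a CSRF token together with the
                             delete_user handler. */ ?>
                    <a href="?page=admin_users&action=delete_user&user_id=<?= (int)$user['pk_user'] ?>"
                       class="btn-icon delete-user"
                       onclick="return confirm('Delete this user and all their roles?')">
                        <i class="fa-solid fa-trash"></i>
                    </a>
                </div>
            </div>
            <?php endwhile; ?>
        </div>
    </div>
    <!-- Role Management Section -->
    <div class="management-card">
        <div class="action-header">
            <h3>Role Assignment</h3>
            <span id="selected-user-indicator" class="text-muted">No user selected</span>
        </div>
        <div id="user-details">
            <p class="text-muted">Select a user to manage roles</p>
        </div>
        <div id="role-management" style="display:none;">
            <h4>Current Roles</h4>
            <div id="current-roles" class="user-list" style="max-height: 150px;"></div>
            <div class="role-actions">
                <h4>Assign New Role</h4>
                <form method="POST" id="assign-role-form">
                    <input type="hidden" name="user_id" id="selected-user-id">
                    <div class="form-row">
                        <div class="form-group">
                            <select name="role_id" required>
                                <?php mysqli_data_seek($roles_result, 0);
                                while ($role = mysqli_fetch_assoc($roles_result)): ?>
                                <option value="<?= (int)$role['pk_role'] ?>">
                                    <?= htmlspecialchars($role['name']) ?>
                                </option>
                                <?php endwhile; ?>
                            </select>
                        </div>
                        <button type="submit" name="assign_role" class="btn">Assign Role</button>
                    </div>
                </form>
            </div>
        </div>
    </div>
</div>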
<script>
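document.addEventListener('DOMContentLoaded', function() {
    const userItems = document.querySelectorAll('.user-item');
    const userDetails = document.getElementById('user-details');
    const roleManagement = document.getElementById('role-management');
    const currentRoles = document.getElementById('current-roles');
    const selectedUserId = document.getElementById('selected-user-id');
    const selectedUserIndicator = document.getElementById('selected-user-indicator');
    const addUserBtn = document.getElementById('add-user-btn');
    const cancelFormBtn = document.getElementById('cancel-form-btn');
    const userFormContainer = document.getElementById('user-form-container');
    const userForm = document.getElementById('user-form');
    const formSubmitBtn = document.getElementById('form-submit-btn');
    const formUserId = document.getElementById('form-user-id');
    const formFirstName = document.getElementById('form-first-name');
    const formLastName = document.getElementById('form-last-name');
    const formIam = document.getElementById('form-iam');
    const formPassword = document.getElementById('form-password');

    // Replaces the children of `parent` with one <p> holding `text` as text.
    function showNotice(parent, text) {
        parent.textContent = '';
        const p = document.createElement('p');
        p.textContent = text;
        parent.appendChild(p);
    }

    // Renders the role badges for `userId` with DOM nodes instead of an
    // innerHTML string. Role names and ids come from the server response and
    // are inserted as text / URL-encoded, so a role named like an HTML tag
    // cannot run script in the admin's session (the previous version pasted
    // `${role.name}` straight into innerHTML). The remove link still asks for
    // confirmation before navigating.
    function renderRoles(userId, roles) {
        if (!Array.isArray(roles) || roles.length === 0) {
            showNotice(currentRoles, 'No roles assigned');
            return;
        }
        currentRoles.textContent = '';
        roles.forEach(role => {
            const badge = document.createElement('div');
            badge.className = 'role-badge';
            badge.appendChild(document.createTextNode(String(role.name) + ' '));

            const remove = document.createElement('a');
            remove.className = 'btn-icon';
            remove.href = '?page=admin_users&action=remove_role'
                + '&user_id=' + encodeURIComponent(userId)
                + '&role_id=' + encodeURIComponent(role.pk_role);
            remove.addEventListener('click', function(e) {
                if (!confirm('Remove this role?')) {
                    e.preventDefault();
                }
            });
            const icon = document.createElement('i');
            icon.className = 'fa-solid fa-xmark';
            remove.appendChild(icon);

            badge.appendChild(remove);
            currentRoles.appendChild(badge);
        });
    }

    // "Add User": blank form, add_user submit, and a password is mandatory
    // (the "leave blank to keep current" hint only makes sense when editing).
    addUserBtn.addEventListener('click', function() {
        userForm.reset();
        formUserId.value = '';
        formSubmitBtn.name = 'add_user';
        formSubmitBtn.textContent = 'Add User';
        formPassword.required = true;
        userFormContainer.style.display = 'block';
    });

    // Cancel just hides the form; nothing is submitted.
    cancelFormBtn.addEventListener('click', function() {
        userFormContainer.style.display = 'none';
    });

    // Edit: pre-fill from the button's data attributes (already HTML-decoded
    // by the browser), switch the submit to update_user, password optional.
    document.querySelectorAll('.edit-user').forEach(btn => {
        btn.addEventListener('click', function() {
            formUserId.value = this.getAttribute('data-user-id');
            formFirstName.value = this.getAttribute('data-first-name');
            formLastName.value = this.getAttribute('data-last-name');
            formIam.value = this.getAttribute('data-iam');
            formPassword.value = '';
            formPassword.required = false;
            formSubmitBtn.name = 'update_user';
            formSubmitBtn.textContent = 'Update User';
            userFormContainer.style.display = 'block';
        });
    });

    // Selecting a user highlights it, fills the hidden user_id of the assign
    // form and loads that user's roles. Note the edit button sits inside the
    // item, so an edit click also selects the user (unchanged behaviour).
    userItems.forEach(item => {
        item.addEventListener('click', function() {
            userItems.forEach(i => i.classList.remove('active'));
            this.classList.add('active');
            const userId = this.getAttribute('data-user-id');
            const userName = this.querySelector('strong').textContent;
            selectedUserId.value = userId;

            // textContent, not innerHTML: userName is decoded text, so a user
            // called "<img src=x onerror=...>" would otherwise be re-parsed as
            // markup here.
            userDetails.textContent = '';
            const heading = document.createElement('h4');
            heading.textContent = userName;
            userDetails.appendChild(heading);
            selectedUserIndicator.textContent = `Selected: ${userName}`;

            // A non-2xx response or invalid JSON used to fail silently and leave
            // the role panel hidden; now it is logged and reported in the list,
            // and the panel is shown so a role can still be assigned.
            fetch('Ajax/get_user_roles.php?user_id=' + encodeURIComponent(userId))
                .then(response => {
                    if (!response.ok) {
                        throw new Error('HTTP ' + response.status);
                    }
                    return response.json();
                })
                .then(roles => renderRoles(userId, roles))
                .catch(err => {
                    console.error('get_user_roles failed', err);
                    showNotice(currentRoles, 'Could not load roles');
                })
                .then(() => {
                    roleManagement.style.display = 'block';
                });
        });
    });

    // Last chance to abort a role assignment before the POST.
    document.getElementById('assign-role-form').addEventListener('submit', function(e) {
        if (!confirm('Are you sure you want to assign this role?')) {
            e.preventDefault();
        }
    });
});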
</script>