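<?php
/*****************************************************************
 * Admin · Per‑user page‑access matrix + “Add page” dropdown
 * ----------------------------------------------------------------
 * © 2025 BestDealOn – Free to modify. Requires PHP 8.1+
 *
 * Trust boundary of this page, as enforced below:
 *   - only a logged‑in user whose role is exactly 'admin' gets past the
 *     auth preamble; everyone else is sent to forbidden_page();
 *   - every POST must carry a non‑empty session CSRF token that matches
 *     the posted one (an absent session token is a failure, never a match);
 *   - the managed user comes from ?id= and must be a positive integer that
 *     resolves to a users row;
 *   - "Add page" only registers a file that already exists in /create AND
 *     whose slug matches a strict allow‑list, so the request can never name
 *     anything outside that directory;
 *   - "Save changes" only stores page ids that exist in the pages table.
 *****************************************************************/
declare(strict_types=1);

require_once __DIR__ . '/../lib/auth.php';
require_login();
if (current_user()['role'] !== 'admin') {
    forbidden_page();
    exit; // defence in depth: do not rely on forbidden_page() terminating the script
}
require_once __DIR__ . '/../lib/db.php';

/* -----------------------------------------------------------------
   Shared validators / escapers
   ---------------------------------------------------------------- */

/* A slug is the basename of a file under /create. No slashes, no leading
 * or trailing dot, no NUL, no whitespace – so it can be concatenated into a
 * path, a SQL parameter and a redirect URL without further escaping. */
$validSlug = static fn (string $s): bool =>
    preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$/', $s) === 1;

/* HTML‑context escaper with explicit flags/charset (do not rely on defaults). */
$h = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

/* -----------------------------------------------------------------
   Which user are we managing?
   ---------------------------------------------------------------- */
/* filter_var (not intval): an array or junk value yields false instead of
 * silently becoming 1 and pointing at whatever user has id 1. */
$uid = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($uid === false) {
    http_response_code(404);
    exit('User not found');
}

/* Only the columns this page renders – never pull the password hash into scope. */
$userStmt = $db->prepare('SELECT id, username, email FROM users WHERE id = ? LIMIT 1');
$userStmt->execute([$uid]);
$user = $userStmt->fetch(PDO::FETCH_ASSOC);
if (!$user) {
    http_response_code(404);
    exit('User not found');
}

/* -----------------------------------------------------------------
   1. Handle POST
   ---------------------------------------------------------------- */
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    /* CSRF: the session token must exist and be non‑empty. hash_equals('', '')
     * is TRUE, so comparing an absent session token against an absent posted
     * token would otherwise pass. A non‑string posted value (array) is rejected
     * rather than letting hash_equals() throw. */
    $sessionToken = $_SESSION['csrf'] ?? '';
    $postedToken  = $_POST['csrf'] ?? '';
    if ($sessionToken === '' || !is_string($postedToken) || !hash_equals($sessionToken, $postedToken)) {
        http_response_code(403);
        exit('Bad CSRF');
    }

    /* A) “Add page …” – register a file from /create and grant it to $uid */
    if (!empty($_POST['addSlug'])) {
        $slug = $_POST['addSlug'];
        /* Allow‑list validation replaces basename(): a slug that needs
         * normalising is not one the dropdown produced, so it is rejected
         * outright (400) instead of being quietly rewritten. The regex runs
         * before is_file() so no filesystem call ever sees a hostile string. */
        if (!is_string($slug) || !$validSlug($slug)
            || !is_file(__DIR__ . '/../create/' . $slug . '.php')) {
            http_response_code(400);
            exit('Unknown page');
        }

        /* ensure the slug exists in the pages table */
        $p = $db->prepare('SELECT id FROM pages WHERE slug = ? LIMIT 1');
        $p->execute([$slug]);
        $page = $p->fetch(PDO::FETCH_ASSOC);
        if ($page) {
            $pageId = (int) $page['id'];
        } else {
            $db->prepare('INSERT INTO pages (slug,file) VALUES (?,?)')
               ->execute([$slug, "create/$slug.php"]);
            $pageId = (int) $db->lastInsertId();
        }

        /* give this user access */
        $db->prepare('INSERT IGNORE INTO user_pages (user_id,page_id) VALUES (?,?)')
           ->execute([$uid, $pageId]);
        header("Location: user-acl.php?id=$uid&added=1");
        exit;
    }

    /* B) normal “Save changes”
     * The matrix form posts a hidden `save=1` marker because an unchecked
     * checkbox is not submitted at all: with only `isset($_POST['page'])`
     * as the trigger, clearing every box and saving would leave the user's
     * existing grants untouched (revocation silently impossible). */
    if (isset($_POST['save']) || isset($_POST['page'])) {
        $requested = is_array($_POST['page'] ?? null)
            ? array_map('intval', $_POST['page'])
            : [];

        /* Only ids that exist in pages are stored; duplicates are collapsed so
         * a repeated id cannot trip a unique key inside the transaction. */
        $known = array_map('intval', $db->query('SELECT id FROM pages')->fetchAll(PDO::FETCH_COLUMN));
        $allow = array_values(array_unique(array_intersect($requested, $known)));

        $db->beginTransaction();
        try {
            $db->prepare('DELETE FROM user_pages WHERE user_id = ?')->execute([$uid]);
            if ($allow) {
                $ins = $db->prepare('INSERT INTO user_pages (user_id,page_id) VALUES(?,?)');
                foreach ($allow as $pid) {
                    $ins->execute([$uid, $pid]);
                }
            }
            $db->commit();
        } catch (Throwable $e) {
            /* never leave the user with zero grants because an insert failed */
            $db->rollBack();
            throw $e;
        }
        header("Location: user-acl.php?id=$uid&saved=1");
        exit;
    }
}

/* -----------------------------------------------------------------
   2 a. Build global page lists (matrix + “Add page”)
   ---------------------------------------------------------------- */
$pages = $db->query('SELECT id, slug FROM pages ORDER BY slug')
            ->fetchAll(PDO::FETCH_ASSOC);

$ownedStmt = $db->prepare('SELECT page_id FROM user_pages WHERE user_id = ?');
$ownedStmt->execute([$uid]);
/* int‑keyed lookup: driver may return ids as strings, so compare as ints, strictly */
$ownedLookup = array_flip(array_map('intval', $ownedStmt->fetchAll(PDO::FETCH_COLUMN)));

/* files in /create not yet registered (only slugs that "Add page" would accept) */
$registered = array_flip(array_column($pages, 'slug'));
$unused     = [];
foreach (glob(__DIR__ . '/../create/*.php') ?: [] as $f) {
    $slug = basename($f, '.php');
    if ($validSlug($slug) && !isset($registered[$slug])) {
        $unused[] = $slug;
    }
}

/* -----------------------------------------------------------------
   2 b. Allowed pages (slug + full file path) – for quick‑edit menu
   ---------------------------------------------------------------- */
$allowedPagesStmt = $db->prepare(
    'SELECT p.slug, p.file FROM pages p JOIN user_pages up ON up.page_id = p.id WHERE up.user_id = ? ORDER BY p.slug'
);
$allowedPagesStmt->execute([$uid]);
$allowedPages = $allowedPagesStmt->fetchAll(PDO::FETCH_ASSOC);

/* -----------------------------------------------------------------
   3. Helper – craft the deep‑link for this user
   ---------------------------------------------------------------- */
$code     = strtolower((string) $user['username']);            // phone OR handle
$paramKey = (ctype_digit($code) && strlen($code) === 10) ? 'ph' : 'user';

/* NOTE(review): the link identifies the member purely by a query‑string
 * parameter. Whatever serves /members/… must still authenticate the visitor
 * and must not treat ?user=/?ph= as proof of identity – verify there. */
$makeUrl = static fn (array $row): string =>
    '/members/' . $row['file'] . '?' . $paramKey . '=' . rawurlencode($code);

/* -----------------------------------------------------------------
   4. CSRF token
   ---------------------------------------------------------------- */
/* One token per session (??=) rather than a fresh one per render: rotating
 * on every GET invalidates the form in any other open tab for no gain. */
$_SESSION['csrf'] ??= bin2hex(random_bytes(16));
$csrfField = '<input type=hidden name=csrf value="' . $h($_SESSION['csrf']) . '">';
?>
<!doctype html>
<meta charset=utf-8>
<title>Edit page access – BestDealOn</title>
<meta name=viewport content="width=device-width,initial-scale=1">
<style>
:root{--b:#0066ff;--bg:#f9fbff;--fg:#111;font-family:-apple-system,BlinkMacSystemFont, Segoe UI,Roboto,Helvetica,Arial,sans-serif}
*{box-sizing:border-box}
body{margin:0;background:var(--bg);color:var(--fg)}
main{max-width:720px;margin:2.4rem auto;padding:0 1rem}
.card{background:#fff;padding:2rem;border-radius:12px;box-shadow:0 6px 24px rgba(0,0,0,.07)}
h1{margin-top:0;font-size:1.55rem}
table{width:100%;border-collapse:collapse;font-size:.92rem;margin-top:1rem}
th,td{padding:.55rem .65rem;border-bottom:1px solid #e2e8f3;text-align:left}
th{background:#f1f6ff;font-weight:600}
tr:nth-child(even) td{background:#f9fafe}
input[type=checkbox]{width:18px;height:18px;vertical-align:middle;accent-color:var(--b)}
select,button{padding:.55rem .8rem;border:1px solid #ccd2e2;border-radius:6px;font:inherit}
button{background:var(--b);color:#fff;border:none;font-weight:600;cursor:pointer}
button:hover{filter:brightness(1.07)}
.notice{background:#e6f5d8;color:#06690b;padding:.6rem .9rem;border-radius:8px;margin-top:1rem}
.quick-edit{margin:2rem 0 0;display:flex;gap:.7rem;flex-wrap:wrap;align-items:center}
.quick-edit select{min-width:220px;font-weight:700;text-transform:uppercase}
@media(prefers-color-scheme:dark){
 :root{--bg:#0d1117;--fg:#e6edf3;--b:#2f81f7}
 .card{background:#161b22;box-shadow:0 4px 14px rgba(0,0,0,.6)}
 th{background:#0d47a1}
 table,th,td{border-color:#30363d}
 tr:nth-child(even) td{background:#1b1f27}
 select,button{border-color:#30363d;background:#0d1117;color:var(--fg)}
}
</style>

<main class=card>
<h1>Page access · <?= $h((string) $user['email']) ?></h1>

<?php if (isset($_GET['saved'])): ?>
  <p class=notice>✔ Permissions updated.</p>
<?php elseif (isset($_GET['added'])): ?>
  <p class=notice>✔ Page added &amp; enabled.</p>
<?php endif ?>

<!-- Add‑page section -->
<?php if ($unused): ?>
<form method=post style="margin-bottom:1.4rem;display:flex;gap:.6rem;flex-wrap:wrap">
  <?= $csrfField ?>
  <select name=addSlug required style="flex:1;min-width:180px">
    <option value="">Add page from /create…</option>
    <?php foreach ($unused as $slug): ?>
      <option value="<?= $h($slug) ?>"><?= $h($slug) ?></option>
    <?php endforeach ?>
  </select>
  <button>Add page</button>
</form>
<?php endif ?>

<!-- Permissions matrix -->
<form method=post>
  <?= $csrfField ?>
  <input type=hidden name=save value=1>
  <table>
    <tr><th>Page</th><th style="text-align:center">Allow edit?</th></tr>
    <?php foreach ($pages as $p): $pid = (int) $p['id']; ?>
      <tr>
        <td><?= $h((string) $p['slug']) ?></td>
        <td style="text-align:center">
          <input type=checkbox name="page[]" value="<?= $pid ?>" <?= isset($ownedLookup[$pid]) ? 'checked' : '' ?>>
        </td>
      </tr>
    <?php endforeach ?>
  </table>
  <button style="margin-top:1.4rem">Save changes</button>
</form>

<!-- Quick‑edit jump‑list -->
<?php if ($allowedPages): ?>
<div class="quick-edit">
  <label for="qEdit"><strong>Jump to edit page:</strong></label>
  <select id="qEdit" onchange="if(this.value) location.href=this.value">
    <option value="">— select page —</option>
    <?php foreach ($allowedPages as $row): ?>
      <!-- escape LAST: uppercasing an already‑escaped string would alter entity names -->
      <option value="<?= $h($makeUrl($row)) ?>"><?= $h(strtoupper((string) $row['slug'])) ?></option>
    <?php endforeach ?>
  </select>
</div>
<?php endif ?>

<p style="margin-top:2rem"><a href="users.php">← Back to list</a></p>
</main>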