<?php
/**
 *  Copyright (C) 2021  Double Bastion LLC
 *
 *  This file is part of Roundpin, which is licensed under the
 *  GNU Affero General Public License Version 3.0. The license terms
 *  are detailed in the "LICENSE.txt" file located in the root directory.
 */

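session_start();

// Session-cookie flags (Secure, HttpOnly, SameSite) belong in session_set_cookie_params()
// before session_start(), set once for the whole application rather than per endpoint.
// header('Set-Cookie: PHPSESSID= ' . session_id() . '; SameSite=strict; Secure=true; HttpOnly=true;');

// Roles this endpoint's policy reasons about. Any other posted value is rejected.
// NOTE(review): extend this list if the application defines further roles.
$knownRoles = ['regular_user', 'admin', 'superadmin'];

// The request must carry the per-session access token. Both sides must exist and be
// compared as strings in constant time: the previous loose '==' treated an empty POST
// value and an unset session value as equal, which let an unauthenticated request through.
$sessionToken = (isset($_SESSION['validate_s_access']) && is_scalar($_SESSION['validate_s_access']))
    ? (string) $_SESSION['validate_s_access']
    : null;
$postedToken = (isset($_POST['s_ajax_call']) && is_string($_POST['s_ajax_call']))
    ? $_POST['s_ajax_call']
    : null;

if ($sessionToken === null || $postedToken === null || !hash_equals($sessionToken, $postedToken)) {
    header("Location: ../login.php");
    exit; // nothing below may run after the redirect
}

define('ACCESSCONST', true);

require('db-connect.php');

// Read a POST field as a string; missing or non-string (array) values become ''.
$postString = function ($key) {
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
};

$sipUsername = $postString('sip_username'); // target account
$username    = $postString('username');     // account performing the change
$newrole     = $postString('newrole');
$usergroups  = $postString('usergroups');

// NOTE(review): the identity of the user performing the change is taken from the request
// body ('username') rather than from the session, so any caller holding a valid
// s_ajax_call token can name a different account here and inherit its permissions.
// The logged-in user's name should be read from $_SESSION instead; confirm which
// session key the login flow sets, as this file does not show it.

// Run a one-parameter SELECT and return the matched row's 'userrole', or null when no
// row matches or the statement cannot be prepared/executed.
$fetchRole = function ($sql, $value) use ($mysqli) {
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $value);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = ($result !== false) ? $result->fetch_assoc() : null;
    $stmt->close();
    return (is_array($row) && isset($row['userrole'])) ? $row['userrole'] : null;
};

// Write the new role and groups to the target account and return the response message.
$applyUpdate = function () use ($mysqli, $newrole, $usergroups, $sipUsername) {
    $failure = 'An error occurred while attempting to save user data to the database!';
    $stmt = $mysqli->prepare("UPDATE `app_users` SET `userrole`=?, `user_groups`=? WHERE `sip_username`=?");
    if ($stmt === false) {
        return $failure;
    }
    $stmt->bind_param("sss", $newrole, $usergroups, $sipUsername);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? 'success' : $failure;
};

// Role of the user who performs the update, from the 'app_users' table.
$cruserrole = $fetchRole("SELECT userrole FROM app_users WHERE username = ?", $username);

if ($cruserrole !== 'admin' && $cruserrole !== 'superadmin') {
    $messagetosend = 'Only Admins and Superadmins can change the role and user groups of Roundpin users.';
} elseif (!in_array($newrole, $knownRoles, true)) {
    $messagetosend = 'Unknown user role.';
} else {
    // Role of the user whose role is being updated, from the 'app_users' table.
    // Without this check a non-existent target would update zero rows yet report 'success'.
    $rolefromdb = $fetchRole("SELECT userrole FROM app_users WHERE sip_username = ?", $sipUsername);

    if ($rolefromdb === null) {
        $messagetosend = 'No user with that SIP username was found.';
    } elseif ($cruserrole === 'superadmin') {
        // Superadmins may assign any known role to any user.
        $messagetosend = $applyUpdate();
    } elseif ($newrole === 'superadmin') {
        $messagetosend = 'Admins cannot make other users Superadmins.';
    } elseif ($rolefromdb === 'regular_user') {
        // Admins may keep a Regular User as Regular User or promote them to Admin.
        $messagetosend = $applyUpdate();
    } elseif ($newrole === 'regular_user') {
        // Target is an Admin or Superadmin.
        $messagetosend = 'Admins cannot assign the role of Regular User to Admins or Superadmins.';
    } elseif ($rolefromdb === 'admin') {
        // Target is an Admin and the requested role is Admin.
        $messagetosend = 'Admins cannot change the user groups of other Admins.';
    } elseif ($rolefromdb === 'superadmin') {
        $messagetosend = 'Admins cannot assign the role of Admin to Superadmins.';
    } else {
        // The stored role is not one this policy knows; refuse rather than guess.
        $messagetosend = 'The target user has an unrecognised role; no changes were made.';
    }
}

echo json_encode(['result' => $messagetosend]);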