From aa44215eb19815cde98f0de66abd591bb6bb3f40 Mon Sep 17 00:00:00 2001
From: tp_dhu
Date: Sun, 27 Apr 2025 09:33:53 +0100
Subject: [PATCH] updated authcontroller to implement admin check - needs further development for roles
---
 .../Admin/TicketOptionsController.php | 70 ++++++++++++++++++-
 app/controllers/Admin/UserController.php | 39 +++++++++++
 app/controllers/AuthController.php | 5 +-
 app/controllers/BaseController.php | 18 ++++-
 4 files changed, 127 insertions(+), 5 deletions(-)
 create mode 100644 app/controllers/Admin/UserController.php
diff --git a/app/controllers/Admin/TicketOptionsController.php b/app/controllers/Admin/TicketOptionsController.php
index f19937a..3164c5f 100644
--- a/app/controllers/Admin/TicketOptionsController.php
+++ b/app/controllers/Admin/TicketOptionsController.php
@@ -7,7 +7,7 @@ class TicketOptionsController extends \BaseController
 public function listPriorities()
 {
 $this->requireLogin();
- // TODO: check admin
+ $this->requireAdmin(); // Added admin check
 $model = new \TicketPriority($this->getDB());
 $priorities = $model->findAll();
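Review bot: The `$this->requireLogin();` kept directly above the new `$this->requireAdmin();` in listPriorities() is redundant, because requireAdmin() as added to BaseController.php in this same patch calls requireLogin() itself before testing the flag. The same pairing appears in createPriorityForm(), createPriority(), editPriorityForm(), updatePriority() and deletePriority() in the next hunk of this file. Either drop the explicit call or keep it deliberately and say why; in both cases `// Added admin check` is changelog text that belongs in the commit message, and `$this->requireAdmin(); // admin-only; implies requireLogin()` tells a reader what actually matters.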
@@ -20,17 +20,83 @@ class TicketOptionsController extends \BaseController
 public function createPriorityForm()
 {
 $this->requireLogin();
+ $this->requireAdmin(); // Added admin check
 $this->renderView('/ui/views/admin/priorities/create.html');
 }
 public function createPriority()
 {
 $this->requireLogin();
+ $this->requireAdmin(); // Added admin check
 $p = new \TicketPriority($this->getDB());
 $p->name = $this->f3->get('POST.name');
 $p->sort_order = $this->f3->get('POST.sort_order');
 $p->save();
+
+ // Redirect after save
+ $this->f3->reroute('/admin/priorities');
+ }
+
+ public function editPriorityForm($f3, $params)
+ {
+ $this->requireLogin();
+ $this->requireAdmin();
+ $priorityId = $params['id'];
+
+ $model = new \TicketPriority($this->getDB());
+ $priority = $model->load(['id = ?', $priorityId]);
+
+ if (!$priority) {
+ $f3->error(404, 'Priority not found');
+ return;
+ }
+
+ $this->renderView('/ui/views/admin/priorities/edit.html', [
+ 'priority' => $priority
+ ]);
+ }
+
+ public function updatePriority($f3, $params)
+ {
+ $this->requireLogin();
+ $this->requireAdmin();
+ $priorityId = $params['id'];
+
+ $model = new \TicketPriority($this->getDB());
+ $priority = $model->load(['id = ?', $priorityId]);
+
+ if (!$priority) {
+ $f3->error(404, 'Priority not found');
+ return;
+ }
+
+ $priority->name = $this->f3->get('POST.name');
+ $priority->sort_order = $this->f3->get('POST.sort_order');
+ $priority->save();
+
+ // Redirect after update
+ $this->f3->reroute('/admin/priorities');
+ }
+
+ public function deletePriority($f3, $params)
+ {
+ $this->requireLogin();
+ $this->requireAdmin();
+ $priorityId = $params['id'];
+
+ $model = new \TicketPriority($this->getDB());
+ $priority = $model->load(['id = ?', $priorityId]);
+
+ if (!$priority) {
+ // Optionally show an error message or just redirect
+ $this->f3->reroute('/admin/priorities');
+ return;
+ }
+
+ $priority->erase();
+
+ // Redirect after delete
+ $this->f3->reroute('/admin/priorities');
 }
- // TODO: editPriorityForm(), updatePriorityForm(), deletePriorityForm()
 }
\ No newline at end of file
diff --git a/app/controllers/Admin/UserController.php b/app/controllers/Admin/UserController.php
new file mode 100644
index 0000000..4aa6f2b
--- /dev/null
+++ b/app/controllers/Admin/UserController.php
@@ -0,0 +1,39 @@
+get('DB'); // query for user $result = $db->exec(
- 'SELECT u.id, u.username, u.password, u.role, r.role as role_name
+ 'SELECT u.id, u.username, u.password, u.role, u.is_admin, r.role as role_name FROM users u LEFT JOIN roles r ON r.id = u.role WHERE username =?
@@ -38,7 +38,8 @@ class AuthController {
 'id'=> $user['id'],
 'username' => $user['username'],
 'role' => $user['role'],
- 'role_name' => $user['role_name']
+ 'role_name' => $user['role_name'],
+ 'is_admin' => $user['is_admin']
 ]);
 if($f3->exists('SESSION.redirect')){
diff --git a/app/controllers/BaseController.php b/app/controllers/BaseController.php
index d417120..b91fa5e 100644
--- a/app/controllers/BaseController.php
+++ b/app/controllers/BaseController.php
@@ -10,6 +10,7 @@ abstract class BaseController
 public function __construct()
 {
 $this->f3 = \Base::instance();
+
 }
@@ -36,6 +37,21 @@ abstract class BaseController
 }
 }
+ /**
+ * Enforce that the user is logged in AND is an admin before proceeding.
+ */
+ protected function requireAdmin()
+ {
+ $this->requireLogin(); // First, ensure the user is logged in
+
+ // Check if the user is an admin (assuming 'is_admin' property in session)
+ if (!$this->f3->get('SESSION.user.is_admin')) {
+ // Optionally set an error message
+ $this->f3->set('SESSION.error', 'Admin access required.');
+ $this->f3->reroute('/'); // Redirect non-admins to home page
+ }
+ }
+
 /**
 * Set up a main layout template and inject the specified view path
 * optional $data to pass variables down to template
@@ -45,7 +61,7 @@ abstract class BaseController
 foreach($data as $key => $value){
 $this->f3->set($key, $value);
 }
-
+
 // set {{content}}
 $this->f3->set('content', $viewPath);
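Review bot: createPriority(), updatePriority() and deletePriority() change the database from request data with no CSRF token check and no request-method guard visible in the hunk, and `POST.name` / `POST.sort_order` are copied into the model as-is before `save()`. Unless the router or a middleware outside this file enforces it, each state-changing action should verify a per-session token and reject non-POST requests before `save()` / `erase()`; this matters most for deletePriority(), which needs only `$params['id']` and so fires from a plain link if its route accepts GET. At minimum normalise the inputs at the boundary — `$priority->sort_order = (int) $this->f3->get('POST.sort_order');` and an empty-`name` rejection using the same early-return shape the hunk already uses for a missing row. The new methods also mix the injected `$f3` (for `error(404, ...)`) with `$this->f3` (for `get`/`reroute`) inside one body; pick one so the control flow reads consistently across the three.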
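Review bot: The new `'is_admin' => $user['is_admin']` line stores the raw column value in the session, while the consumer added in BaseController.php tests it with `!`, so a `'0'` or NULL is rejected only by PHP truthiness; normalise once here with `'is_admin' => (bool) $user['is_admin'],` so any later strict comparison behaves. Because the flag is copied into SESSION.user at login, revoking admin in the users table has no effect on an existing session until the next login — worth a comment on this line, and a re-read or session refresh if that window matters. If the login path does not already regenerate the session id before populating SESSION.user (not visible in this hunk), `session_regenerate_id(true)` belongs there now that the session carries a privilege flag. The enclosing login method starts outside the hunk.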
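Review bot: requireAdmin() says it enforces the admin check but not how failure ends: it sets `SESSION.error`, calls `$this->f3->reroute('/')` and relies on F3's reroute() exiting (its default) so the calling action is never reached for a non-admin. State that contract in the docblock (reroute does not return; after the call the caller may assume an admin session) and replace `(assuming 'is_admin' property in session)` with the fact that AuthController.php in this patch sets `SESSION.user.is_admin` at login, so the check reflects the login-time snapshot rather than the current users row. The `if (!$this->f3->get('SESSION.user.is_admin'))` test is truthiness-based; if the session value stays a raw DB column, make the check explicit with `if ((int) $this->f3->get('SESSION.user.is_admin') !== 1) {`.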