aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--dbinit.sql2
-rw-r--r--manageservices.php132
-rw-r--r--manageusers.php34
3 files changed, 159 insertions, 9 deletions
diff --git a/dbinit.sql b/dbinit.sql
index d9220d1..bbff3c7 100644
--- a/dbinit.sql
+++ b/dbinit.sql
@@ -16,7 +16,7 @@ CREATE TABLE `arfnet2`.`services` (
`id` INT NOT NULL AUTO_INCREMENT ,
`name` VARCHAR(255) NOT NULL ,
`type` ENUM('free','standard','premium') NOT NULL ,
- `billing` DECIMAL NOT NULL ,
+ `billing` TEXT NOT NULL ,
`description` TEXT NOT NULL ,
PRIMARY KEY (`id`)
);
diff --git a/manageservices.php b/manageservices.php
new file mode 100644
index 0000000..c8a17ed
--- /dev/null
+++ b/manageservices.php
@@ -0,0 +1,132 @@
+<?php
+
+session_start();
+
+if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
+ header("location: /login.php");
+ exit;
+}
+
+$username = $_SESSION["username"];
+$type = $_SESSION["type"];
+
+if ($type != "admin") die("Permission denied.");
+
+require_once "config.php";
+
+// Get services
+$sql = "SELECT id, name, type, billing, description FROM services";
+$stmt = mysqli_prepare($link, $sql);
+mysqli_stmt_execute($stmt);
+$result = mysqli_stmt_get_result($stmt);
+$services = $result->fetch_all(MYSQLI_ASSOC);
+
+// GET actions
+// delete entry
+if (isset($_GET["del"])) {
+ $sql = "DELETE FROM services WHERE id = ?";
+ $stmt = mysqli_prepare($link, $sql);
+ mysqli_stmt_bind_param($stmt, "s", $param_id);
+ $param_id = $_GET["del"];
+ if (!mysqli_stmt_execute($stmt) || mysqli_stmt_affected_rows($stmt) != 1) {
+ echo "SQL error.";
+ } else header("location: ".$_SERVER['SCRIPT_NAME']);
+}
+
+// POST actions
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+ // add entry
+ if (isset($_POST["add"])) {
+ $sql = "INSERT INTO services (name, type, billing, description) VALUES (?, ?, ?, ?)";
+ $stmt = mysqli_prepare($link, $sql);
+ mysqli_stmt_bind_param($stmt, "ssss", $param_name, $param_type, $param_billing, $param_description);
+ $param_name = $_POST["name"];
+ $param_type= $_POST["type"];
+ $param_billing = $_POST["billing"];
+ $param_description = $_POST["description"];
+
+ if (!mysqli_stmt_execute($stmt) || (mysqli_stmt_affected_rows($stmt) != 1)) {
+ echo "SQL error.";
+ } else header("location: ".$_SERVER['SCRIPT_NAME']);
+ }
+}
+
+function getservicebyid($id) {
+ global $services;
+ foreach ($services as $service) {
+ if ($service["id"] == $id) {
+ return $service;
+ }
+ }
+}
+
+?>
+
+<!doctype html>
+<html>
+ <head>
+ <meta charset="UTF-8">
+ <link rel="stylesheet" type="text/css" href="/style.css">
+ <title>ARFNET CSTIMS</title>
+ </head>
+ <body>
+ <header><a href="https://arf20.com/">
+ <img src="arfnet_logo.png" width="64"><span class="title"><strong>ARFNET</strong></span>
+ </a></header>
+ <hr>
+ <main>
+ <div class="row">
+ <div class="col8">
+ <h2 class="center">ARFNET Client Service Ticket and Invoice Management System</h2>
+ <h3><?php echo strtoupper($type[0]).substr($type, 1); ?> panel</h3>
+ <h3>Service offerings</h3>
+
+ <?php
+ if (isset($_GET["edit"])) {
+ $service = getservicebyid($_GET["edit"]);
+ echo "<div class=\"editform\"><h3>Edit service ".$service["id"]."</h3><form action=\"".$_SERVER['SCRIPT_NAME']."\" method=\"post\">\n"
+ ."<label>Name</label><br><input type=\"text\" name=\"name\" value=\"".$service["name"]."\"><br>\n"
+ ."<label>Type</label><br><select name=\"type\"><option value=\"free\" ".($service["type"] == "free" ? "selected" : "").">free</option><option value=\"standard\" ".($user["type"] == "standard" ? "selected" : "").">standard</option><option value=\"premium\" ".($user["type"] == "premium" ? "selected" : "").">premium</option></select><br>\n"
+ ."<label>Billing</label><br><input type=\"text\" name=\"billing\" value=\"".$service["billing"]."\"><br>\n"
+ ."<label>Description</label><br><textarea name=\"description\" rows=\"10\" cols=\"80\" value=\"".$service["description"]."\"><br>\n"
+ ."<br><input type=\"submit\" name=\"save\" value=\"Save\"><a href=\"".$_SERVER['SCRIPT_NAME']."\">cancel</a>"
+ ."</form></div>";
+ }
+
+ if (isset($_GET["add"])) {
+ echo "<div class=\"editform\"><h3>Add service</h3><form action=\"".$_SERVER['SCRIPT_NAME']."\" method=\"post\">\n"
+ ."<label>Name</label><br><input type=\"text\" name=\"name\"><br>\n"
+ ."<label>Type</label><br><select name=\"type\"><option value=\"free\">free</option><option value=\"standard\">standard</option><option value=\"premium\">premium</option></select><br>\n"
+ ."<label>Billing</label><br><input type=\"text\" name=\"billing\"><br>\n"
+ ."<label>Description</label><br><textarea name=\"description\" rows=\"10\" cols=\"80\"></textarea><br>\n"
+ ."<br><input type=\"submit\" name=\"add\" value=\"Add\"><a href=\"".$_SERVER['SCRIPT_NAME']."\">cancel</a>"
+ ."</form></div>";
+ }
+ ?>
+
+ <a href="?add">add</a>
+ <table>
+ <tr><th>id</th><th>name</th><th>type</th><th>billing</th><th>description</th><th>action</th></tr>
+ <?php
+ foreach ($services as $service) {
+ echo "<tr><td>".$service['id']."</td>"
+ ."<td>".$service['name']."</td>"
+ ."<td>".$service['type']."</td>"
+ ."<td>".$service['billing']."</td>"
+ ."<td><pre>".$service['description']."</pre></td>"
+ ."<td><a href=\"?del=".$service['id']."\">del</a> <a href=\"?edit=".$service['id']."\">edit</a></td></tr>\n";
+ }
+ ?>
+ </table>
+
+ </div>
+ <div class="col2">
+ <h3>Logged as <?php echo $username; ?></h3>
+ <h3><a href="/logout.php">Logout</h2>
+ <h3><a href="/admin.php">Back to admin panel</h2>
+ </div>
+ </div>
+ </main>
+ </body>
+</html>
+
diff --git a/manageusers.php b/manageusers.php
index 7fe8cee..15bb6d2 100644
--- a/manageusers.php
+++ b/manageusers.php
@@ -10,6 +10,8 @@ if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
$username = $_SESSION["username"];
$type = $_SESSION["type"];
+if ($type != "admin") die("Permission denied.");
+
require_once "config.php";
// Get users
@@ -27,7 +29,7 @@ if (isset($_GET["del"])) {
mysqli_stmt_bind_param($stmt, "s", $param_id);
$param_id = $_GET["del"];
if (!mysqli_stmt_execute($stmt) || mysqli_stmt_affected_rows($stmt) != 1) {
- echo "SQL error.";
+ echo "SQL error: ".mysqli_stmt_error($stmt);
} else header("location: ".$_SERVER['SCRIPT_NAME']);
}
@@ -46,12 +48,27 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
$param_status = $_POST["status"];
if (!mysqli_stmt_execute($stmt) || (mysqli_stmt_affected_rows($stmt) != 1)) {
- echo "SQL error.";
+ echo "SQL error: ".mysqli_stmt_error($stmt);
} else header("location: ".$_SERVER['SCRIPT_NAME']);
}
- // edit entry
+ // edit entry
+ if (isset($_POST["save"])) {
+ $sql = "UPDATE users SET username = ?, email = ?, password = ?, type = ?, status = ? WHERE id = ?";
+ $stmt = mysqli_prepare($link, $sql);
+ mysqli_stmt_bind_param($stmt, "ssssss", $param_username, $param_email, $param_password, $param_type, $param_status, $param_id);
+ $param_username = $_POST["username"];
+ $param_email = $_POST["email"];
+ $param_password = empty($_POST["password"]) ? getuserbyid($_POST["id"])["password"] : password_hash($_POST["password"], PASSWORD_DEFAULT);
+ $param_type = $_POST["type"];
+ $param_status = $_POST["status"];
+ $param_id = $_POST["id"];
+ if (!mysqli_stmt_execute($stmt) || (mysqli_stmt_affected_rows($stmt) != 1)) {
+ echo "email: ".$_POST["email"];
+ echo "SQL error: ".mysqli_stmt_error($stmt);
+ } else header("location: ".$_SERVER['SCRIPT_NAME']);
+ }
}
function getuserbyid($id) {
@@ -87,24 +104,25 @@ function getuserbyid($id) {
<?php
if (isset($_GET["edit"])) {
$user = getuserbyid($_GET["edit"]);
- echo "<div class=\"editform\"><h3>Edit user ".$user["id"]."</h3><form action=\"/manageusers.php\" method=\"post\">\n"
+ echo "<div class=\"editform\"><h3>Edit user ".$user["id"]."</h3><form action=\"".$_SERVER['SCRIPT_NAME']."\" method=\"post\">\n"
."<label>Username</label><br><input type=\"text\" name=\"username\" value=\"".$user["username"]."\"><br>\n"
."<label>Email</label><br><input type=\"text\" name=\"email\" value=\"".$user["email"]."\"><br>\n"
- ."<label>Password (empty is unchanged)</label><br><input type=\"text\" name=\"email\"><br>\n"
+ ."<label>Password (empty is unchanged)</label><br><input type=\"text\" name=\"password\"><br>\n"
."<label>Type</label><br><select name=\"type\"><option value=\"client\" ".($user["type"] == "client" ? "selected" : "").">client</option><option value=\"helpdesk\" ".($user["type"] == "helpdesk" ? "selected" : "").">helpdesk</option><option value=\"accountant\" ".($user["type"] == "accountant" ? "selected" : "").">accountant</option><option value=\"admin\" ".($user["type"] == "admin" ? "selected" : "").">admin</option></select><br>\n"
."<label>Status</label><br><select name=\"status\"><option value=\"unverified\" ".($user["status"] == "unverified" ? "selected" : "").">unverified</option><option value=\"verified\" ".($user["status"] == "verified" ? "selected" : "").">verified</option></select><br>\n"
- ."<br><input type=\"submit\" name=\"save\" value=\"Save\"><a href=\"/manageusers.php\">cancel</a>"
+ ."<input type=\"hidden\" name=\"id\" value=\"".$user["id"]."\">"
+ ."<br><input type=\"submit\" name=\"save\" value=\"Save\"><a href=\"".$_SERVER['SCRIPT_NAME']."\">cancel</a>"
."</form></div>";
}
if (isset($_GET["add"])) {
- echo "<div class=\"editform\"><h3>Add user</h3><form action=\"/manageusers.php\" method=\"post\">\n"
+ echo "<div class=\"editform\"><h3>Add user</h3><form action=\"".$_SERVER['SCRIPT_NAME']."\" method=\"post\">\n"
."<label>Username</label><br><input type=\"text\" name=\"username\"><br>\n"
."<label>Email</label><br><input type=\"text\" name=\"email\"><br>\n"
."<label>Password</label><br><input type=\"text\" name=\"password\"><br>\n"
."<label>Type</label><br><select name=\"type\"><option value=\"client\">client</option><option value=\"helpdesk\">helpdesk</option><option value=\"accountant\">accountant</option><option value=\"admin\">admin</option></select><br>\n"
."<label>Status</label><br><select name=\"status\"><option value=\"unverified\">unverified</option><option value=\"verified\">verified</option></select><br>\n"
- ."<br><input type=\"submit\" name=\"add\" value=\"Add\"><a href=\"/manageusers.php\">cancel</a>"
+ ."<br><input type=\"submit\" name=\"add\" value=\"Add\"><a href=\"".$_SERVER['SCRIPT_NAME']."\">cancel</a>"
."</form></div>";
}
?>