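false, 'error' => 'Not logged in.']); exit(); }

// Admin gate: the session's username must map to a User row whose `active`
// column is 2, the value this file uses for "admin".
$check_admin_stmt = $db->prepare("SELECT id FROM User WHERE username = :username AND active = 2"); // 2 for admin
$check_admin_stmt->bindValue(':username', $_SESSION['username']);
$check_admin_stmt->execute();
$is_admin = $check_admin_stmt->fetchColumn();
if (!$is_admin) {
    echo json_encode(['success' => false, 'error' => 'Unauthorized access.']);
    exit();
}

// NOTE(review): the POST branches below change state based on request fields
// without checking a CSRF token here — confirm one is enforced upstream.
$method = $_SERVER['REQUEST_METHOD'] ?? '';

if ($method === 'POST') {
    // Read the action once, with a default, so a missing field is a clean
    // "unknown action" response instead of an undefined-index warning.
    $action = $_POST['action'] ?? '';

    if ($action === 'process') {
        if (!isset($_POST['user_id'], $_POST['accept'])) {
            echo json_encode(['success' => false, 'error' => 'Missing user_id or accept.']);
            exit();
        }
        // Validate rather than sanitise: binding an arbitrary string as
        // PARAM_INT silently turns "abc" into 0, and PARAM_BOOL turns any
        // non-empty string (including "false") into true.
        $user_id = filter_var($_POST['user_id'], FILTER_VALIDATE_INT);
        $accept = filter_var($_POST['accept'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        if ($user_id === false || $accept === null) {
            echo json_encode(['success' => false, 'error' => 'Invalid user_id or accept value.']);
            exit();
        }

        $update_stmt = $db->prepare("UPDATE User SET active = :active WHERE id = :user_id");
        $update_stmt->bindValue(':active', $accept, PDO::PARAM_BOOL);
        $update_stmt->bindValue(':user_id', $user_id, PDO::PARAM_INT);
        if ($update_stmt->execute()) {
            echo json_encode(['success' => true, 'message' => 'User status updated.']);
            exit();
        }
        // Driver error details go to the server log, not to the client.
        error_log('admin: user status update failed: ' . print_r($update_stmt->errorInfo(), true));
        echo json_encode(['success' => false, 'error' => 'Error updating user status.']);
        exit();
    }

    if ($action === 'change_password') {
        if (!isset($_POST['old_password'], $_POST['new_password'], $_POST['confirm_new_password'])) {
            echo json_encode(['success' => false, 'error' => 'Missing password fields.']);
            exit();
        }
        // sanitize_input() (defined elsewhere) is kept on the password fields
        // because the original applied it; if it rewrites characters, the login
        // path must apply the same transform or password_verify() cannot match.
        // TODO confirm against the login handler and registration.
        $old_password = sanitize_input($_POST['old_password']);
        $new_password = sanitize_input($_POST['new_password']);
        $confirm_new_password = sanitize_input($_POST['confirm_new_password']);

        if ($new_password !== $confirm_new_password) {
            echo json_encode(['success' => false, 'error' => 'New passwords do not match.']);
            exit();
        }
        if ($new_password === '') {
            echo json_encode(['success' => false, 'error' => 'New password must not be empty.']);
            exit();
        }

        // The password being changed is the calling admin's own (session id).
        $user_id = $_SESSION['user_id'];
        $get_user_stmt = $db->prepare("SELECT password FROM User WHERE id = :user_id");
        $get_user_stmt->bindValue(':user_id', $user_id);
        $get_user_stmt->execute();
        $row = $get_user_stmt->fetch(PDO::FETCH_ASSOC);

        if (!$row) {
            echo json_encode(['success' => false, 'error' => 'User not found.']);
            exit();
        }
        if (!password_verify($old_password, $row['password'])) {
            echo json_encode(['success' => false, 'error' => 'Incorrect old password.']);
            exit();
        }

        $hashed_new_password = password_hash($new_password, PASSWORD_DEFAULT);
        $update_password_stmt = $db->prepare("UPDATE User SET password = :new_password WHERE id = :user_id");
        $update_password_stmt->bindValue(':new_password', $hashed_new_password);
        $update_password_stmt->bindValue(':user_id', $user_id);
        if ($update_password_stmt->execute()) {
            echo json_encode(['success' => true, 'message' => 'Password changed successfully.']);
            exit();
        }
        // Driver error details go to the server log, not to the client.
        error_log('admin: password change failed: ' . print_r($update_password_stmt->errorInfo(), true));
        echo json_encode(['success' => false, 'error' => 'Error changing password.']);
        exit();
    }

    // Previously a POST with any other action fell through and emitted nothing.
    echo json_encode(['success' => false, 'error' => 'Unknown action.']);
    exit();
}

if ($method === 'GET' && ($_GET['action'] ?? '') === 'get_requests') {
    // Pending registrations: rows whose `active` column is still 0.
    $get_requests_stmt = $db->prepare("SELECT id, vorname, nachname, username FROM User WHERE active = 0");
    $get_requests_stmt->execute();
    $requests = $get_requests_stmt->fetchAll(PDO::FETCH_ASSOC);
    if ($requests) {
        // NOTE(review): the code that renders $requests into $output is not
        // present in this excerpt, so this branch currently emits nothing.
        $output = "";
        echo $output;
        exit();
    }
    echo "

No pending registration requests.

";
    exit();
}

echo json_encode(['success' => false, 'error' => 'Invalid request method.']);
exit();
?>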