Rippchen/php/process_registration.php


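<?php
// Admin-only endpoint for the registration workflow.
//
//   POST action=process          approve/reject a pending registration
//   POST action=change_password  change the calling admin's own password
//   GET  action=get_requests     render the pending-registration list (HTML)
//
// Every branch writes a response and exits. Action branches answer JSON, the
// get_requests branch answers an HTML fragment. $db (a PDO handle) and
// sanitize_input() are provided by db_connection.php.
require 'db_connection.php';
session_start();

/**
 * Send a JSON response and terminate the script.
 *
 * @param array<string, mixed> $payload Body to encode (success/error/message keys).
 */
function respond_json(array $payload): void
{
    // db_connection.php might already have produced output; header() would
    // then warn, so only set the content type while it is still possible.
    if (!headers_sent()) {
        header('Content-Type: application/json');
    }
    echo json_encode($payload);
    exit();
}

/**
 * Escape a database value for insertion into an HTML text or attribute context.
 */
function esc_html($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (!isset($_SESSION['username'])) {
    respond_json(['success' => false, 'error' => 'Not logged in.']);
}

// Gate: only admin accounts may continue. active = 2 marks an admin row.
$check_admin_stmt = $db->prepare('SELECT id FROM User WHERE username = :username AND active = 2');
$check_admin_stmt->bindValue(':username', $_SESSION['username']);
$check_admin_stmt->execute();
// fetchColumn() yields false when no row matched, i.e. not an admin.
if ($check_admin_stmt->fetchColumn() === false) {
    respond_json(['success' => false, 'error' => 'Unauthorized access.']);
}

$method = $_SERVER['REQUEST_METHOD'] ?? '';

if ($method === 'POST') {
    $action = $_POST['action'] ?? '';

    if ($action === 'process') {
        // user_id must be an integer and accept a boolean-ish value; anything
        // else is rejected before it reaches the UPDATE. FILTER_VALIDATE_BOOLEAN
        // replaces PDO::PARAM_BOOL because PARAM_BOOL casts the string "false"
        // to true, which would activate a user the admin meant to reject.
        $user_id = filter_var(sanitize_input($_POST['user_id'] ?? ''), FILTER_VALIDATE_INT);
        $accept = filter_var(
            sanitize_input($_POST['accept'] ?? ''),
            FILTER_VALIDATE_BOOLEAN,
            FILTER_NULL_ON_FAILURE
        );
        if ($user_id === false || $accept === null) {
            respond_json(['success' => false, 'error' => 'Invalid user_id or accept value.']);
        }

        // accept -> active = 1, reject -> active = 0 (same values PARAM_BOOL produced).
        $active = $accept ? 1 : 0;
        $update_stmt = $db->prepare('UPDATE User SET active = :active WHERE id = :user_id');
        $update_stmt->bindValue(':active', $active, PDO::PARAM_INT);
        $update_stmt->bindValue(':user_id', $user_id, PDO::PARAM_INT);
        if ($update_stmt->execute()) {
            respond_json(['success' => true, 'message' => 'User status updated.']);
        }
        // Driver error details stay in the server log; returning them to the
        // client would disclose schema and driver information.
        error_log('process_registration: status update failed: ' . print_r($update_stmt->errorInfo(), true));
        respond_json(['success' => false, 'error' => 'Error updating user status.']);
    }

    if ($action === 'change_password') {
        $old_password = sanitize_input($_POST['old_password'] ?? '');
        $new_password = sanitize_input($_POST['new_password'] ?? '');
        $confirm_new_password = sanitize_input($_POST['confirm_new_password'] ?? '');
        // NOTE(review): passwords are run through sanitize_input() before
        // hashing/verifying, which may alter characters such as quotes; the
        // registration and login code must apply the same transformation or
        // stored hashes will not verify — confirm against those files.
        if ($new_password !== $confirm_new_password) {
            respond_json(['success' => false, 'error' => 'New passwords do not match.']);
        }
        if ($new_password === '') {
            respond_json(['success' => false, 'error' => 'New password must not be empty.']);
        }

        // The password being changed is the calling admin's own (session user).
        $user_id = $_SESSION['user_id'] ?? null;
        if ($user_id === null) {
            respond_json(['success' => false, 'error' => 'Not logged in.']);
        }

        $get_user_stmt = $db->prepare('SELECT password FROM User WHERE id = :user_id');
        $get_user_stmt->bindValue(':user_id', $user_id);
        $get_user_stmt->execute();
        $row = $get_user_stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row) {
            respond_json(['success' => false, 'error' => 'User not found.']);
        }
        if (!password_verify($old_password, (string) $row['password'])) {
            respond_json(['success' => false, 'error' => 'Incorrect old password.']);
        }

        $hashed_new_password = password_hash($new_password, PASSWORD_DEFAULT);
        $update_password_stmt = $db->prepare('UPDATE User SET password = :new_password WHERE id = :user_id');
        $update_password_stmt->bindValue(':new_password', $hashed_new_password);
        $update_password_stmt->bindValue(':user_id', $user_id);
        if ($update_password_stmt->execute()) {
            respond_json(['success' => true, 'message' => 'Password changed successfully.']);
        }
        error_log('process_registration: password update failed: ' . print_r($update_password_stmt->errorInfo(), true));
        respond_json(['success' => false, 'error' => 'Error changing password.']);
    }

    // Previously an unknown POST action produced an empty 200 response.
    respond_json(['success' => false, 'error' => 'Unknown action.']);
} elseif ($method === 'GET' && ($_GET['action'] ?? '') === 'get_requests') {
    // active = 0 marks a registration that has not been processed yet.
    $get_requests_stmt = $db->prepare('SELECT id, vorname, nachname, username FROM User WHERE active = 0');
    $get_requests_stmt->execute();
    $requests = $get_requests_stmt->fetchAll(PDO::FETCH_ASSOC);
    if (!$requests) {
        echo '<p>No pending registration requests.</p>';
        exit();
    }

    // Names and usernames were typed by the registrant, so they are untrusted
    // and must be escaped before being rendered into the admin's page.
    $output = '<ul>';
    foreach ($requests as $request) {
        $id = (int) $request['id'];
        $output .= sprintf(
            "<li>%s %s (%s) -\n<button class='accept-btn' data-user-id='%d'>Accept</button>\n<button class='reject-btn' data-user-id='%d'>Reject</button>\n</li>",
            esc_html($request['vorname']),
            esc_html($request['nachname']),
            esc_html($request['username']),
            $id,
            $id
        );
    }
    $output .= '</ul>';
    echo $output;
    exit();
} else {
    respond_json(['success' => false, 'error' => 'Invalid request method.']);
}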