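<?php
/**
 * Super-admin only: create or edit one row of admin_users.
 *
 * GET  ?action=add          -> blank "new user" form
 * GET  ?id=N[&action=edit]  -> edit form for admin #N (404 if the row is missing)
 * POST                      -> csrf check, validate, insert/update, redirect to users.php
 *
 * includes/auth.php provides auth_require_super_admin()/auth_admin_id() and
 * includes/csrf.php provides csrf_verify()/csrf_field(); db_row/db_insert/db_update
 * and app_log are presumably loaded by those includes (not visible in this file).
 */
require_once __DIR__ . '/../includes/auth.php';
require_once __DIR__ . '/../includes/csrf.php';
auth_require_super_admin();

$id     = (int)($_GET['id'] ?? 0);
$action = $_GET['action'] ?? ($id ? 'edit' : '');
$is_add = ($action === 'add');

// Defaults for the "add" form; the edit form is populated from the database row.
$user = $is_add ? ['email'=>'','first_name'=>'','last_name'=>'','role'=>'admin','active'=>1] : null;
if (!$is_add) {
    $user = db_row('SELECT * FROM admin_users WHERE id=:id', ['id'=>$id]);
    if (!$user) { http_response_code(404); echo 'Admin not found.'; exit; }
}

$errors = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_verify();

    // Reads a form field as a string. A field submitted as an array (e.g. name="email[]")
    // would make trim() throw a TypeError; treat it as empty so validation reports it instead.
    $post_str = static function (string $key): string {
        $value = $_POST[$key] ?? '';
        return is_scalar($value) ? (string)$value : '';
    };

    $email      = strtolower(trim($post_str('email')));
    $first_name = trim($post_str('first_name'));
    $last_name  = trim($post_str('last_name'));
    $role       = isset($_POST['role']) ? $post_str('role') : 'admin';
    $active     = !empty($_POST['active']) ? 1 : 0;
    $password   = $post_str('password');
    // True when the signed-in super admin is editing their own record (lock-out guards below).
    $editing_self = !$is_add && (int)$user['id'] === (int)auth_admin_id();

    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) $errors[] = 'Valid email is required.';
    if (!in_array($role, ['super_admin','admin','staff'], true)) $errors[] = 'Invalid role.';
    // Password rules: required on create, optional on edit (blank = keep the current hash).
    // strlen() is byte-wise on purpose: the minimum is a floor and bcrypt's limit is in bytes.
    if ($is_add && strlen($password) < 8)         $errors[] = 'Password must be at least 8 characters when creating a user.';
    if (!$is_add && $password !== '' && strlen($password) < 8) $errors[] = 'New password must be at least 8 characters.';
    // bcrypt hashes only the first 72 bytes; anything beyond that would be silently ignored.
    if (strlen($password) > 72) $errors[] = 'Password must be at most 72 bytes.';

    // A super admin must not be able to lock themselves out of this page by demoting
    // or deactivating their own account.
    if ($editing_self && $role !== 'super_admin') {
        $errors[] = 'You can\'t change your own role.';
    }
    if ($editing_self && $active === 0) {
        $errors[] = 'You can\'t deactivate yourself.';
    }

    // Email uniqueness (the `id <> :id` clause lets an edit keep its own address).
    if (!$errors) {
        $exists = db_row(
            'SELECT id FROM admin_users WHERE email = :e AND id <> :id',
            ['e' => $email, 'id' => $is_add ? 0 : $id]
        );
        if ($exists) $errors[] = 'That email is already used by another admin.';
    }

    if (!$errors) {
        $data = [
            'email'      => $email,
            'first_name' => $first_name,
            'last_name'  => $last_name,
            'role'       => $role,
            'active'     => $active,
        ];
        // The hash is only written when a password was supplied, so an edit with a blank
        // password field keeps the existing hash. The plaintext is never logged.
        $password_changed = ($password !== '');
        if ($password_changed) {
            $cost = defined('AUTH_BCRYPT_COST') ? AUTH_BCRYPT_COST : 12;
            $data['password_hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
        }

        if ($is_add) {
            db_insert('admin_users', $data);
            app_log("Admin user created: $email by admin #" . auth_admin_id());
            header('Location: users.php?msg=created'); exit;
        }

        db_update('admin_users', $id, $data);
        // Credential and role changes on an admin account are audit-relevant, so the log
        // line records them explicitly ($role is whitelisted above, so it is safe to log).
        $note = '';
        if ($password_changed) $note .= ' (password changed)';
        if (isset($user['role']) && $user['role'] !== $role) $note .= " (role {$user['role']} -> $role)";
        app_log("Admin user #$id updated by admin #" . auth_admin_id() . $note);
        // NOTE(review): this file does not invalidate the edited admin's existing sessions on
        // deactivation or password change; whether auth.php handles that is not visible here.
        header('Location: users.php?msg=saved'); exit;
    }

    // On error, repopulate the form (the password is deliberately not echoed back).
    $user = array_merge($user, [
        'email'=>$email,'first_name'=>$first_name,'last_name'=>$last_name,
        'role'=>$role,'active'=>$active,
    ]);
}

$page_title = $is_add ? 'New admin user' : 'Edit admin user';
require __DIR__ . '/_guard.php';
?>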

<style>
.b-card{background:#fff;border:1px solid var(--line);border-radius:var(--radius);padding:1.5rem;max-width:620px;}
</style>

<section class="section">
<div class="container">

<p class="muted" style="margin:0;"><a href="users.php">← Admin users</a></p>
<h1 style="margin:.25rem 0 1.25rem;"><?= $is_add ? 'Add admin user' : 'Edit admin user' ?></h1>

<?php // Validation messages from the POST handler above; each one is HTML-escaped before output. ?>
<?php if (!empty($errors)): ?>
    <div class="alert alert-error" style="max-width:620px;margin-bottom:1rem;">
        <?= implode('<br>', array_map('htmlspecialchars', $errors)) ?>
    </div>
<?php endif; ?>

<?php // No action attribute: the form posts back to this URL, so ?id/?action survive the round trip. ?>
<?php // csrf_field() emits the hidden token that csrf_verify() checks on POST. ?>
<form method="post" class="b-card">
    <?= csrf_field() ?>

    <?php // $user holds DB values on GET and the re-submitted (invalid) values after a failed POST; all are escaped here. ?>
    <div style="display:grid;grid-template-columns:1fr 1fr;gap:1rem;">
        <div>
            <label>First name</label>
            <input type="text" name="first_name" value="<?= htmlspecialchars($user['first_name']) ?>">
        </div>
        <div>
            <label>Last name</label>
            <input type="text" name="last_name" value="<?= htmlspecialchars($user['last_name']) ?>">
        </div>
    </div>

    <label>Email *</label>
    <input type="email" name="email" required value="<?= htmlspecialchars($user['email']) ?>">

    <?php // Option values must stay in sync with the server-side role whitelist in the POST handler. ?>
    <label>Role *</label>
    <select name="role" required>
        <option value="staff"       <?= $user['role']==='staff'?'selected':'' ?>>Staff (limited)</option>
        <option value="admin"       <?= $user['role']==='admin'?'selected':'' ?>>Admin (full access)</option>
        <option value="super_admin" <?= $user['role']==='super_admin'?'selected':'' ?>>Super admin (can manage other admins)</option>
    </select>
    <p class="muted" style="font-size:.78rem;margin:.25rem 0 1rem;">
        Only Super admins can access this user-management page.
    </p>

    <label style="display:flex;align-items:center;gap:.5rem;font-weight:normal;cursor:pointer;">
        <input type="checkbox" name="active" value="1" <?= $user['active']?'checked':'' ?>>
        <span>Active (can sign in)</span>
    </label>

    <hr style="margin:1.5rem 0;border:none;border-top:1px solid var(--line);">

    <?php // The password field is never repopulated; the client-side minlength mirrors the server-side rule but is not relied on. ?>
    <label>Password <?= $is_add ? '*' : '<small>(leave blank to keep existing)</small>' ?></label>
    <input type="password" name="password" <?= $is_add?'required minlength="8"':'minlength="8"' ?>
           autocomplete="new-password" placeholder="<?= $is_add?'At least 8 characters':'Leave blank to keep current' ?>">

    <div style="display:flex;gap:.75rem;margin-top:1.5rem;">
        <button type="submit" class="btn"><?= $is_add ? 'Create user' : 'Save changes' ?></button>
        <a href="users.php" class="btn btn-outline">Cancel</a>
    </div>
</form>

</div>
</section>

<?php require __DIR__ . '/_footer.php'; ?>