$id]) : null; if ($id && !$task) { http_response_code(404); exit('Task not found.'); } $prefill_member_id = $task['member_id'] ?? (int)($_GET['member_id'] ?? 0); // ── Permissions ────────────────────────────────────────────── // $can_act → status changes, ticking checklist items, posting notes // $can_edit_content → title, description, priority, due date, assignee, // checklist add/delete (the task definition itself) $can_act = true; $can_edit_content = true; if ($task) { $is_creator = ((int)$task['created_by'] === (int)$me['id']); $is_assignee = ((int)$task['assigned_to'] === (int)$me['id']); $can_act = $is_super || $is_creator || $is_assignee; $can_edit_content = $is_super || $is_creator; } $error = ''; /** * Email the task creator when someone else marks the task done. * Skips if the actor IS the creator (no point emailing yourself). */ function task_send_completion_email(array $task_row, array $actor): void { $creator_id = (int)$task_row['created_by']; if ($creator_id === (int)$actor['id']) return; // self-close, skip $creator = db_row('SELECT first_name, last_name, email FROM admin_users WHERE id=:id', ['id' => $creator_id]); if (!$creator || empty($creator['email'])) return; $task_url = rtrim(SITE_URL, '/') . '/admin/task-edit.php?id=' . (int)$task_row['id']; email_enqueue('task_completed', $creator['email'], trim($creator['first_name'].' '.$creator['last_name']), [ 'creator_name' => trim($creator['first_name'].' '.$creator['last_name']) ?: 'team member', 'actor_name' => trim(($actor['first_name'] ?? '').' '.($actor['last_name'] ?? '')) ?: $actor['email'], 'task_title' => $task_row['title'], 'description' => $task_row['description'] ?? '', 'completed_at' => date('j F Y · H:i'), 'task_url' => $task_url, ] ); app_log("Task #{$task_row['id']} completion email queued to creator admin {$creator_id}"); } // ── POST handling — runs BEFORE any HTML output ───────────── if ($_SERVER['REQUEST_METHOD'] === 'POST') { csrf_verify(); $action = $_POST['action'] ?? 'save'; // Permission gate per-action // - Status changes / ticking items / notes → $can_act (creator OR assignee OR super) // - Edit content / add-or-delete items / delete task → $can_edit_content (creator OR super) $needs_content_perm = in_array($action, ['save','delete','item_add','item_delete'], true); $needs_act_perm = in_array($action, ['set_status','item_toggle','note_add','note_delete'], true); if ($needs_act_perm && !$can_act) { $error = 'You don\'t have permission to act on this task.'; } elseif ($needs_content_perm && !$can_edit_content) { $error = 'Only the task creator (or a super admin) can edit the task content or checklist items.'; } else { // Quick status update (called from buttons on existing task) if ($action === 'set_status' && $task) { $new_status = $_POST['status'] ?? ''; if (in_array($new_status, ['open','in_progress','done','cancelled'], true)) { $previous_status = $task['status']; db_exec( "UPDATE admin_tasks SET status=:s, completed_at = CASE WHEN :s2='done' THEN NOW() ELSE completed_at END WHERE id=:id", ['s' => $new_status, 's2' => $new_status, 'id' => $task['id']] ); // Email creator if this transitioned to 'done' if ($new_status === 'done' && $previous_status !== 'done') { task_send_completion_email($task, $me); } header('Location: task-edit.php?id=' . (int)$task['id'] . '&msg=' . urlencode('Status updated to ' . str_replace('_',' ',$new_status))); exit; } } if ($action === 'delete' && $task) { if (!$is_super && (int)$task['created_by'] !== (int)$me['id']) { $error = 'Only the creator (or a super admin) can delete a task.'; } else { db_exec('DELETE FROM admin_tasks WHERE id=:id', ['id' => $task['id']]); header('Location: tasks.php?msg=' . urlencode('Task deleted.')); exit; } } // ── Checklist item actions ──────────────────────────── if ($action === 'item_add' && $task) { $label = trim((string)($_POST['label'] ?? '')); if ($label !== '') { $next_order = (int)db_value( 'SELECT COALESCE(MAX(sort_order),0) + 10 FROM admin_task_items WHERE task_id=:t', ['t' => $task['id']] ); db_insert('admin_task_items', [ 'task_id' => (int)$task['id'], 'label' => mb_substr($label, 0, 500), 'checked' => 0, 'sort_order' => $next_order, ]); } header('Location: task-edit.php?id=' . (int)$task['id'] . '#checklist'); exit; } if ($action === 'item_toggle' && $task) { $item_id = (int)($_POST['item_id'] ?? 0); // Verify it belongs to this task $item = $item_id ? db_row( 'SELECT * FROM admin_task_items WHERE id=:i AND task_id=:t', ['i' => $item_id, 't' => $task['id']] ) : null; if ($item) { $new_checked = $item['checked'] ? 0 : 1; db_exec( "UPDATE admin_task_items SET checked=:c, checked_at = CASE WHEN :c2=1 THEN NOW() ELSE NULL END, checked_by = CASE WHEN :c3=1 THEN :who ELSE NULL END WHERE id=:id", ['c'=>$new_checked, 'c2'=>$new_checked, 'c3'=>$new_checked, 'who'=>$me['id'], 'id'=>$item_id] ); } header('Location: task-edit.php?id=' . (int)$task['id'] . '#checklist'); exit; } if ($action === 'item_delete' && $task) { $item_id = (int)($_POST['item_id'] ?? 0); if ($item_id) { db_exec( 'DELETE FROM admin_task_items WHERE id=:i AND task_id=:t', ['i' => $item_id, 't' => $task['id']] ); } header('Location: task-edit.php?id=' . (int)$task['id'] . '#checklist'); exit; } // ── Note actions ────────────────────────────────────── if ($action === 'note_add' && $task) { $body = trim((string)($_POST['body'] ?? '')); if ($body !== '') { db_insert('admin_task_notes', [ 'task_id' => (int)$task['id'], 'body' => mb_substr($body, 0, 4000), 'author_id' => (int)$me['id'], 'author_name' => trim(($me['first_name'] ?? '').' '.($me['last_name'] ?? '')) ?: $me['email'], ]); } header('Location: task-edit.php?id=' . (int)$task['id'] . '#notes'); exit; } if ($action === 'note_delete' && $task) { $note_id = (int)($_POST['note_id'] ?? 0); $note = $note_id ? db_row( 'SELECT * FROM admin_task_notes WHERE id=:i AND task_id=:t', ['i' => $note_id, 't' => $task['id']] ) : null; // Own note OR super admin if ($note && ($is_super || (int)$note['author_id'] === (int)$me['id'])) { db_exec('DELETE FROM admin_task_notes WHERE id=:i', ['i' => $note_id]); } header('Location: task-edit.php?id=' . (int)$task['id'] . '#notes'); exit; } if ($action === 'save') { $title = trim((string)($_POST['title'] ?? '')); $description = trim((string)($_POST['description'] ?? '')); $priority = (string)($_POST['priority'] ?? 'normal'); $status = (string)($_POST['status'] ?? 'open'); $due_date = trim((string)($_POST['due_date'] ?? '')); $member_id = (int)($_POST['member_id'] ?? 0) ?: null; $assigned_to = (int)($_POST['assigned_to'] ?? 0); if ($title === '') { $error = 'Title is required.'; } elseif (!in_array($priority, ['low','normal','high','urgent'], true)) { $error = 'Invalid priority.'; } elseif (!in_array($status, ['open','in_progress','done','cancelled'], true)) { $error = 'Invalid status.'; } elseif ($due_date !== '' && !preg_match('/^\d{4}-\d{2}-\d{2}$/', $due_date)) { $error = 'Invalid due date.'; } else { // Permission: only super_admin can assign to others $assigning_to_other = ($assigned_to > 0 && $assigned_to !== (int)$me['id']); if ($assigning_to_other && !$is_super) { $error = 'Only a super admin can assign tasks to other team members. ' . 'You can assign this task to yourself, or leave it unassigned.'; } elseif ($assigned_to > 0) { $a = db_row('SELECT id FROM admin_users WHERE id=:id AND active=1', ['id' => $assigned_to]); if (!$a) { $error = 'Selected assignee is not a valid admin user.'; } } if (!$error) { $previous_assignee = $task ? (int)($task['assigned_to'] ?? 0) : 0; $previous_status = $task['status'] ?? null; $payload = [ 'title' => mb_substr($title, 0, 200), 'description' => $description !== '' ? $description : null, 'priority' => $priority, 'status' => $status, 'due_date' => $due_date !== '' ? $due_date : null, 'assigned_to' => $assigned_to ?: null, 'member_id' => $member_id, ]; if ($status === 'done' && $previous_status !== 'done') { $payload['completed_at'] = date('Y-m-d H:i:s'); } elseif ($status !== 'done') { $payload['completed_at'] = null; } if ($task) { db_update('admin_tasks', (int)$task['id'], $payload); $task_id = (int)$task['id']; } else { $payload['created_by'] = (int)$me['id']; $task_id = db_insert('admin_tasks', $payload); // Insert any checklist items submitted with the create form $new_items = $_POST['new_items'] ?? []; if (is_array($new_items)) { $sort = 10; foreach ($new_items as $label) { $label = trim((string)$label); if ($label === '') continue; db_insert('admin_task_items', [ 'task_id' => $task_id, 'label' => mb_substr($label, 0, 500), 'checked' => 0, 'sort_order' => $sort, ]); $sort += 10; } } } // Completion email — fires when status transitions to 'done' if ($task && $status === 'done' && $previous_status !== 'done') { task_send_completion_email($task, $me); } // Email if newly assigned to someone other than the creator $newly_assigned = ($assigned_to > 0) && ($assigned_to !== $previous_assignee) && ($assigned_to !== (int)$me['id']); if ($newly_assigned) { $assignee = db_row( 'SELECT first_name, last_name, email FROM admin_users WHERE id=:id', ['id' => $assigned_to] ); if ($assignee && !empty($assignee['email'])) { $task_url = rtrim(SITE_URL, '/') . '/admin/task-edit.php?id=' . $task_id; email_enqueue('task_assigned', $assignee['email'], trim($assignee['first_name'].' '.$assignee['last_name']), [ 'assignee_name' => trim($assignee['first_name'].' '.$assignee['last_name']) ?: 'team member', 'assigner_name' => trim(($me['first_name'] ?? '').' '.($me['last_name'] ?? '')) ?: $me['email'], 'task_title' => $title, 'description' => $description, 'priority' => ucfirst($priority), 'due_date' => $due_date !== '' ? date('j F Y', strtotime($due_date)) : '', 'task_url' => $task_url, ] ); app_log("Task assignment email queued: task #{$task_id} to admin {$assigned_to}"); } } header('Location: task-edit.php?id=' . $task_id . '&msg=' . urlencode($task ? 'Task updated.' : 'Task created.')); exit; } } } } } // ── If we're here, we're rendering the form ───────────────── // Re-fetch task after potential update, in case validation failed // and we want to show the (uncommitted) values back to the user. if ($id) { $task = db_row('SELECT * FROM admin_tasks WHERE id=:id', ['id' => $id]); } // Lookup data for form $admin_options = $is_super ? db_all("SELECT id, first_name, last_name, email FROM admin_users WHERE active=1 ORDER BY first_name, last_name") : [$me]; // Non-super can only see themselves in the dropdown // Load related member if any $linked_member = null; $linked_member_id = (int)($task['member_id'] ?? $prefill_member_id ?? 0); if ($linked_member_id) { $linked_member = db_row( 'SELECT id, first_name, last_name, business_name FROM members WHERE id=:id', ['id' => $linked_member_id] ); } // Pre-fill values for new vs edit $v_title = htmlspecialchars($task['title'] ?? ''); $v_description = htmlspecialchars($task['description'] ?? ''); $v_priority = $task['priority'] ?? 'normal'; $v_status = $task['status'] ?? 'open'; $v_due_date = $task['due_date'] ?? ''; $v_assigned_to = $task['assigned_to'] ?? (int)$me['id']; // default to me on new task $creator = null; if ($task) { $creator = db_row( 'SELECT first_name, last_name FROM admin_users WHERE id=:id', ['id' => $task['created_by']] ); } // Checklist items $checklist = []; $cl_done = 0; $cl_total = 0; $cl_pct = 0; if ($task) { $checklist = db_all( 'SELECT * FROM admin_task_items WHERE task_id=:t ORDER BY sort_order, id', ['t' => $task['id']] ); $cl_total = count($checklist); foreach ($checklist as $it) if ($it['checked']) $cl_done++; $cl_pct = $cl_total > 0 ? (int)round(($cl_done / $cl_total) * 100) : 0; } // Notes thread $notes = []; if ($task) { $notes = db_all( 'SELECT * FROM admin_task_notes WHERE task_id=:t ORDER BY created_at ASC, id ASC', ['t' => $task['id']] ); } // NOW it's safe to render — load chrome $page_title = $task ? 'Edit task' : 'New task'; require __DIR__ . '/_guard.php'; ?>

← Back to tasks

Created by  ·  Completed

Checklist

0): ?> of done · % No items yet
0): ?>
🎉 All items checked! Ready to mark this task done?
    $it['checked_by']] ); } ?>
>
>

Add a list of items the assignee will tick off as they work through the task.

>

Only a super admin can assign tasks to other team members.

Assigning to someone else will email them a notification.

() View →
Cancel
Mark this task as:

You don't have permission to act on this task. Back to tasks

Notes

Discussion thread for this task. Visible to anyone who can view the task.

No notes yet.

Only the task creator or assignee can post notes.