<?php
/**
 * Users API Endpoint
 * Migrated from Next.js API routes
 *
 * Dispatches on the HTTP method and on the optional third path segment,
 * which is taken as the target user id:
 *   GET    (no id)   list users, paginated and filterable - admin only
 *   GET    {id}      one user, with password/reset-token fields stripped - owner or admin
 *   POST   (no id)   registration - no authentication required
 *   PUT    {id}      update allow-listed profile fields - owner or admin; role/status fields admin only
 *   DELETE {id}      delete a user - admin only
 */
// Every response is JSON, and CORS is open to any origin.
// NOTE(review): with a wildcard origin browsers will not attach cookies or
// other credentials to cross-site requests, so session-backed calls only work
// same-origin; if cross-site authenticated use is intended, reflect an
// allow-listed origin instead of '*'.
foreach ([
    'Content-Type: application/json',
    'Access-Control-Allow-Origin: *',
    'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers: Content-Type, Authorization',
] as $responseHeader) {
    header($responseHeader);
}

// CORS preflight: the headers above are the whole answer.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}
require_once '../config/config.php';
require_once '../auth/Auth.php';
require_once '../models/User.php';
require_once '../config/database.php';
// Wire up authentication, the database connection and the User model.
$auth = new Auth();
$database = new Database();
$db = $database->getConnection();
$userModel = new User($db);

$method = $_SERVER['REQUEST_METHOD'];

// The third path segment (e.g. .../users/{id}) names the target user, when
// present. It comes straight from the URL and is untrusted: every branch that
// uses it re-checks authorisation and then existence through the model.
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$pathParts = explode('/', trim($path, '/'));
$userId = $pathParts[2] ?? null;
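try {
    switch ($method) {
        case 'GET':
            if ($userId) {
                // Single user: caller must be logged in and be the owner or an admin.
                if (!$auth->isLoggedIn()) {
                    http_response_code(401);
                    echo json_encode(['error' => 'Unauthorized']);
                    exit;
                }
                $currentUser = $auth->getCurrentUser();
                // Compare ids as strings: $userId is always a string (URL segment)
                // while the stored id may be an int, and a strict mismatch on type
                // alone would lock every non-admin out of their own profile.
                if ((string) $userId !== (string) $currentUser['id'] && !$auth->isAdmin()) {
                    http_response_code(403);
                    echo json_encode(['error' => 'Forbidden']);
                    exit;
                }
                if (!$userModel->findById($userId)) {
                    http_response_code(404);
                    echo json_encode(['error' => 'User not found']);
                    break;
                }
                // Never serialise the password hash or reset-token material.
                unset($userModel->password, $userModel->resetPasswordToken, $userModel->resetPasswordTokenExpiry);
                echo json_encode([
                    'success' => true,
                    'user' => $userModel,
                ]);
                break;
            }

            // User list: admin only. Anonymous -> 401, authenticated non-admin -> 403
            // (the original answered 401 to both, which misreports the cause).
            if (!$auth->isLoggedIn()) {
                http_response_code(401);
                echo json_encode(['error' => 'Unauthorized']);
                exit;
            }
            if (!$auth->isAdmin()) {
                http_response_code(403);
                echo json_encode(['error' => 'Forbidden']);
                exit;
            }
            // Clamp pagination. limit=0 used to reach ceil($total / $limit) and throw
            // DivisionByZeroError (an Error, not an Exception, so the catch below never
            // saw it); negative or huge values are clamped to a sane window.
            $page = max(1, (int) ($_GET['page'] ?? 1));
            $limit = min(100, max(1, (int) ($_GET['limit'] ?? 10)));
            $filters = [];
            if (isset($_GET['role'])) {
                $filters['role'] = $_GET['role'];
            }
            if (isset($_GET['isVerified'])) {
                // (bool) on a query string is true for anything but '' and '0', so
                // ?isVerified=false used to select verified users. Parse it properly.
                $filters['isVerified'] = filter_var($_GET['isVerified'], FILTER_VALIDATE_BOOLEAN);
            }
            if (isset($_GET['search'])) {
                $filters['search'] = $_GET['search'];
            }
            // NOTE(review): role/search are handed to the model unvalidated; this is
            // only safe if User::getAll()/count() bind them as parameters - confirm.
            $users = $userModel->getAll($page, $limit, $filters);
            $total = $userModel->count($filters);
            foreach ($users as &$user) {
                unset($user['password'], $user['resetPasswordToken'], $user['resetPasswordTokenExpiry']);
            }
            unset($user); // drop the by-reference binding left by the loop
            echo json_encode([
                'success' => true,
                'users' => $users,
                'pagination' => [
                    'page' => $page,
                    'limit' => $limit,
                    'total' => $total,
                    'pages' => (int) ceil($total / $limit),
                ],
            ]);
            break;

        case 'POST':
            // Registration. Prefer a JSON body; fall back to form-encoded fields.
            $input = json_decode(file_get_contents('php://input'), true);
            if (!is_array($input) || $input === []) {
                $input = $_POST;
            }
            // Privilege-escalation fix: 'role' used to be taken straight from the
            // request body, so any anonymous caller could register as an admin.
            // Only an authenticated admin may choose a role; everyone else is USER.
            $role = 'USER';
            if ($auth->isLoggedIn() && $auth->isAdmin()) {
                $role = $input['role'] ?? 'USER';
            }
            $result = $auth->register(
                $input['email'] ?? '',
                $input['password'] ?? '',
                $input['name'] ?? '',
                $role
            );
            http_response_code(!empty($result['success']) ? 201 : 400);
            echo json_encode($result);
            break;

        case 'PUT':
            // Update: caller must be logged in and be the owner or an admin.
            if (!$auth->isLoggedIn()) {
                http_response_code(401);
                echo json_encode(['error' => 'Unauthorized']);
                exit;
            }
            if ($userId === null || $userId === '') {
                http_response_code(400);
                echo json_encode(['error' => 'User id is required']);
                exit;
            }
            $currentUser = $auth->getCurrentUser();
            // Same string comparison as GET, for the same reason.
            if ((string) $userId !== (string) $currentUser['id'] && !$auth->isAdmin()) {
                http_response_code(403);
                echo json_encode(['error' => 'Forbidden']);
                exit;
            }
            $input = json_decode(file_get_contents('php://input'), true);
            if (!is_array($input) || $input === []) {
                $input = $_POST;
            }
            if (!$userModel->findById($userId)) {
                http_response_code(404);
                echo json_encode(['error' => 'User not found']);
                break;
            }
            // Mass-assignment allow-list: only these profile fields may be set by the
            // owner. email and password are intentionally not updatable here.
            $allowedFields = [
                'name', 'username', 'bio', 'title', 'specialization', 'barNumber',
                'yearsOfExperience', 'education', 'certifications', 'officeLocation',
                'workPhone', 'linkedinUrl', 'websiteUrl', 'availability', 'timezone',
                'pronouns', 'isProfilePublic', 'hourlyRate', 'proBono', 'gender',
                'phone', 'address', 'emergencyContact', 'emergencyPhone', 'dateOfBirth',
                'occupation', 'language', 'notifications', 'theme',
            ];
            foreach ($allowedFields as $field) {
                if (isset($input[$field])) {
                    $userModel->$field = $input[$field];
                }
            }
            // Privileged fields: admin only.
            if ($auth->isAdmin()) {
                foreach (['role', 'isVerified', 'isActive', 'status'] as $field) {
                    if (isset($input[$field])) {
                        $userModel->$field = $input[$field];
                    }
                }
            }
            // NOTE(review): values are not type- or length-validated here; this relies
            // on User::update() binding them as parameters - confirm.
            if ($userModel->update()) {
                echo json_encode([
                    'success' => true,
                    'message' => 'User updated successfully',
                ]);
            } else {
                http_response_code(500);
                echo json_encode(['error' => 'Failed to update user']);
            }
            break;

        case 'DELETE':
            // Delete: admin only. Anonymous -> 401, authenticated non-admin -> 403.
            if (!$auth->isLoggedIn()) {
                http_response_code(401);
                echo json_encode(['error' => 'Unauthorized']);
                exit;
            }
            if (!$auth->isAdmin()) {
                http_response_code(403);
                echo json_encode(['error' => 'Forbidden']);
                exit;
            }
            if ($userId === null || $userId === '') {
                http_response_code(400);
                echo json_encode(['error' => 'User id is required']);
                exit;
            }
            if (!$userModel->findById($userId)) {
                http_response_code(404);
                echo json_encode(['error' => 'User not found']);
                break;
            }
            if ($userModel->delete()) {
                echo json_encode([
                    'success' => true,
                    'message' => 'User deleted successfully',
                ]);
            } else {
                http_response_code(500);
                echo json_encode(['error' => 'Failed to delete user']);
            }
            break;

        default:
            http_response_code(405);
            echo json_encode(['error' => 'Method not allowed']);
            break;
    }
} catch (Throwable $e) {
    // Catch Error as well as Exception so a TypeError/DivisionByZeroError still
    // yields a JSON 500 instead of a PHP fatal. Log the detail server-side only:
    // the previous response echoed $e->getMessage() (database errors, SQL
    // fragments, file paths) to the client.
    error_log('users API ' . $method . ': ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'Internal server error']);
}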