<?php
session_start();
header('Content-Type: application/json');

require_once __DIR__ . '/../config/database.php';
require_once __DIR__ . '/../includes/event_permissions.php';

// Every early exit in this prelude answers with the same JSON envelope and stops
// the script; keep that shape in one place so the status/body never drift apart.
$deny = static function (int $status, string $message): void {
    http_response_code($status);
    echo json_encode(['success' => false, 'error' => $message]);
    exit;
};

// Caller identity is taken from the server-side session only, never from the body.
$user_id = $_SESSION['user_id'] ?? null;
if (empty($user_id)) {
    $deny(401, 'Authentication required');
}

// Prefer a JSON body; fall back to a classic form POST when it is absent or malformed.
// NOTE(review): the $_POST fallback means a cross-site form submission carrying the
// session cookie reaches the state-changing actions handled further down — confirm a
// CSRF token or same-origin check is enforced upstream (e.g. in the includes).
$rawBody = file_get_contents('php://input');
$input = json_decode($rawBody, true);
if (!is_array($input)) {
    $input = $_POST;
}

$action = $input['action'] ?? '';
$event_id = isset($input['event_id']) ? (int) $input['event_id'] : 0;
if (!$event_id || !$action) {
    $deny(400, 'Invalid request');
}

$pdo = getDBConnection();
ensureEventManagersTable($pdo);

// The event row is needed both to 404 on bad ids and to learn who the creator is.
$eventStmt = $pdo->prepare("SELECT id, creator_id, title FROM events WHERE id = ?");
$eventStmt->execute([$event_id]);
$event = $eventStmt->fetch(PDO::FETCH_ASSOC);
if (!$event) {
    $deny(404, 'Event not found');
}

// Three independent routes grant access: the admin flag in the session, being the
// event's creator, or an explicit manager assignment checked by the include.
$is_admin = !empty($_SESSION['is_admin']);
$is_creator = (int) $event['creator_id'] === (int) $user_id;
$can_manage = $is_admin || $is_creator || userCanManageEvent($pdo, $user_id, $event_id);
if (!$can_manage) {
    $deny(403, 'Permission denied');
}

/**
 * Return the active staff roster for an event, creator first.
 *
 * Rows come from event_managers joined to users; `is_creator` is computed in SQL by
 * comparing the user id with $creatorId, and the ORDER BY pins that row to the front.
 * When the creator has no active event_managers row, a synthetic 'owner' entry
 * (with `id` => null, since it is not backed by a row) is prepended so the creator
 * always appears in the list.
 *
 * @return list<array<string, mixed>> roster rows, creator first then by name
 */
function fetchEventStaff(PDO $pdo, int $eventId, int $creatorId): array {
    $rosterStmt = $pdo->prepare("
        SELECT em.id, em.user_id, em.role, em.status, u.name, u.email,
            CASE WHEN u.id = ? THEN 1 ELSE 0 END as is_creator
        FROM event_managers em
        JOIN users u ON em.user_id = u.id
        WHERE em.event_id = ? AND em.status = 'active'
        ORDER BY is_creator DESC, u.name ASC
    ");
    $rosterStmt->execute([$creatorId, $eventId]);
    $roster = $rosterStmt->fetchAll(PDO::FETCH_ASSOC);

    // The creator is already listed (and sorted first) — nothing to add.
    foreach ($roster as $row) {
        if ((int) $row['is_creator'] === 1) {
            return $roster;
        }
    }

    $ownerStmt = $pdo->prepare("SELECT id as user_id, name, email FROM users WHERE id = ?");
    $ownerStmt->execute([$creatorId]);
    $owner = $ownerStmt->fetch(PDO::FETCH_ASSOC);
    if ($owner === false) {
        // Unknown creator id: return the roster untouched rather than inventing a row.
        return $roster;
    }

    $ownerRow = [
        'id' => null,
        'user_id' => $owner['user_id'],
        'role' => 'owner',
        'status' => 'active',
        'name' => $owner['name'],
        'email' => $owner['email'],
        'is_creator' => 1
    ];

    return [$ownerRow, ...$roster];
}

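// Dispatch on the requested action. The prelude above has already authenticated the
// session user, loaded $event and established $can_manage; 'list' is open to anyone
// who may manage the event, 'add'/'remove' are further restricted to site admins and
// the event creator. The 'add'/'remove' branches change state and rely on the session
// for authorisation — NOTE(review): confirm CSRF protection is enforced upstream.
try {
    // Every success path answers with the refreshed roster, so build that reply once.
    $emitStaff = static function () use ($pdo, $event_id, $event): void {
        echo json_encode([
            'success' => true,
            'staff' => fetchEventStaff($pdo, $event_id, (int)$event['creator_id'])
        ]);
    };

    switch ($action) {
        case 'list':
            $emitStaff();
            break;

        case 'add':
            if (!$is_admin && !$is_creator) {
                http_response_code(403);
                echo json_encode(['success' => false, 'error' => 'Only event owners can assign staff']);
                break;
            }

            // The body may be JSON, so 'email' is not guaranteed to be a string and trim()
            // on an array throws a TypeError; treat any non-string as empty so it simply
            // fails validation below.
            $rawEmail = $input['email'] ?? '';
            $email = is_string($rawEmail) ? trim($rawEmail) : '';
            if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                http_response_code(400);
                echo json_encode(['success' => false, 'error' => 'Valid email required']);
                break;
            }

            $userStmt = $pdo->prepare("SELECT id FROM users WHERE email = ?");
            $userStmt->execute([$email]);
            $staffUser = $userStmt->fetch(PDO::FETCH_ASSOC);

            if (!$staffUser) {
                http_response_code(404);
                echo json_encode(['success' => false, 'error' => 'User not found']);
                break;
            }

            // The creator is always part of the roster (fetchEventStaff synthesises the
            // row), so adding them is a no-op that just returns the current list.
            if ((int)$staffUser['id'] === (int)$event['creator_id']) {
                $emitStaff();
                break;
            }

            // An existing (event_id, user_id) row is re-activated rather than duplicated;
            // this assumes a unique key on that pair — confirm in ensureEventManagersTable().
            $stmt = $pdo->prepare("
                INSERT INTO event_managers (event_id, user_id, role, status)
                VALUES (?, ?, 'staff', 'active')
                ON DUPLICATE KEY UPDATE status = 'active', role = VALUES(role)
            ");
            $stmt->execute([$event_id, $staffUser['id']]);

            $emitStaff();
            break;

        case 'remove':
            if (!$is_admin && !$is_creator) {
                http_response_code(403);
                echo json_encode(['success' => false, 'error' => 'Only event owners can remove staff']);
                break;
            }

            // The creator can never be removed from their own event.
            $targetUserId = isset($input['user_id']) ? (int)$input['user_id'] : 0;
            if (!$targetUserId || $targetUserId === (int)$event['creator_id']) {
                http_response_code(400);
                echo json_encode(['success' => false, 'error' => 'Invalid staff member']);
                break;
            }

            // Deleting an unknown pair affects no rows and still reports success with
            // the unchanged roster.
            $stmt = $pdo->prepare("DELETE FROM event_managers WHERE event_id = ? AND user_id = ?");
            $stmt->execute([$event_id, $targetUserId]);

            $emitStaff();
            break;

        default:
            http_response_code(400);
            echo json_encode(['success' => false, 'error' => 'Unknown action']);
            break;
    }
} catch (Throwable $e) {
    // Catch Throwable, not just Exception, so a TypeError/Error in a handler still
    // yields the JSON error envelope this endpoint promises instead of a raw PHP
    // fatal. Details go to the server log only; the client gets a generic message.
    error_log('Event manager API error: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'error' => 'Server error']);
}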


