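<?php
/**
 * User administration endpoint (JSON API).
 *
 * Dispatches on the `action` request parameter (POST wins over GET):
 *   list       - search users by username / name / email      (any authenticated user)
 *   get        - one user by id, password column stripped     (any authenticated user)
 *   user_types - dump of the user_type lookup table           (any authenticated user)
 *   create     - insert a user                                (admin only)
 *   update     - change selected columns of a user            (admin only)
 *   delete     - remove a user and its api_tokens rows        (admin only)
 *
 * require_auth(), require_admin(), db(), json_success() and json_error() come
 * from ../config/auth.php. The control flow below relies on json_error() and
 * json_success() terminating the request (the original code has the same
 * reliance, e.g. `if (!$id) json_error(...)` followed by the query) -
 * TODO confirm against auth.php.
 *
 * NOTE(review): list/get/user_types are reachable by every authenticated
 * user and expose e-mail addresses and every non-password column of
 * safesure_users; confirm that is the intended authorization boundary.
 */
declare(strict_types=1);

error_reporting(0);
ini_set('display_errors', '0');
require_once __DIR__ . '/../config/auth.php';
$user = require_auth();

$db = db();

/**
 * Read one parameter from a request array as a trimmed string.
 *
 * Returns null when the key is absent or the value is not a scalar
 * (`name[]=x`), so an array can never reach a bound query parameter or
 * make trim() throw.
 */
$param = static function (array $source, string $key): ?string {
    $value = $source[$key] ?? null;
    return is_scalar($value) ? trim((string)$value) : null;
};

$action = $_POST['action'] ?? $_GET['action'] ?? 'list';
if (!is_string($action)) {
    $action = ''; // a non-string action falls through to 'Unknown action'
}

// (int) of an array yields 1, which would silently target record 1;
// only scalars are accepted as an id.
$rawId = $_POST['id'] ?? $_GET['id'] ?? 0;
$id    = is_scalar($rawId) ? (int)$rawId : 0;

/**
 * Password hashing as the rest of the application expects it.
 *
 * NOTE(review): unsalted SHA-256 is not an acceptable password hash (fast,
 * no salt, no work factor). Migrating to password_hash()/password_verify()
 * requires the login check in auth.php to change in lockstep, so the
 * existing scheme is kept here rather than broken unilaterally.
 */
$hashPassword = static fn (string $password): string => hash('sha256', $password);

/**
 * True when a user other than $excludeId already owns $username.
 * Used by both create (no exclusion) and update (the edited record itself).
 */
$usernameTaken = static function (string $username, int $excludeId = 0) use ($db): bool {
    $chk = $db->prepare(
        'SELECT record_id FROM safesure_users WHERE safesure_users_name=? AND record_id<>?'
    );
    $chk->execute([$username, $excludeId]);
    return (bool)$chk->fetch();
};

try {

switch ($action) {

    case 'list':
        // LIKE wildcards typed by the user ('%', '_') are intentionally left
        // unescaped, matching the original behaviour; they only widen the match.
        $search = '%' . ($param($_GET, 'search') ?? '') . '%';
        $stmt = $db->prepare(
            'SELECT u.record_id, u.safesure_users_name, u.name, u.email,
                    u.user_type_id, ut.user_type_name, u.clients_multi,
                    u.assessor_number, u.moderator_number
             FROM safesure_users u
             LEFT JOIN user_type ut ON ut.record_id = u.user_type_id
             WHERE u.safesure_users_name LIKE ? OR u.name LIKE ? OR u.email LIKE ?
             ORDER BY u.safesure_users_name ASC'
        );
        $stmt->execute([$search, $search, $search]);
        json_success(['users' => $stmt->fetchAll()]);
        break;

    case 'get':
        if (!$id) json_error('ID required');
        $stmt = $db->prepare(
            'SELECT u.*, ut.user_type_name
             FROM safesure_users u
             LEFT JOIN user_type ut ON ut.record_id = u.user_type_id
             WHERE u.record_id=?'
        );
        $stmt->execute([$id]);
        $row = $stmt->fetch();
        if (!$row) json_error('Not found', 404);
        unset($row['password']); // never return the hash, even to admins
        json_success(['user' => $row]);
        break;

    case 'user_types':
        $rows = $db->query('SELECT * FROM user_type ORDER BY record_id')->fetchAll();
        json_success(['user_types' => $rows]);
        break;

    case 'create':
        require_admin($user);
        $username  = $param($_POST, 'safesure_users_name') ?? '';
        $name      = $param($_POST, 'name') ?? '';
        $email     = $param($_POST, 'email') ?? '';
        $password  = $param($_POST, 'password') ?? '';
        $type_id   = (int)($param($_POST, 'user_type_id') ?? 2); // 2 = original default; meaning not visible here
        $clients   = $param($_POST, 'clients_multi') ?? '';
        $assessor  = $param($_POST, 'assessor_number') ?? '';
        $moderator = $param($_POST, 'moderator_number') ?? '';
        // Compared with '' rather than empty() so that "0" is a valid value.
        if ($username === '' || $password === '') json_error('Username and password required');
        if ($usernameTaken($username)) json_error('Username already exists');
        $db->prepare(
            'INSERT INTO safesure_users (safesure_users_name,password,user_type_id,email,clients_multi,assessor_number,moderator_number,name)
             VALUES (?,?,?,?,?,?,?,?)'
        )->execute([$username, $hashPassword($password), $type_id, $email, $clients, $assessor, $moderator, $name]);
        json_success(['id' => $db->lastInsertId()], 'User created');
        break;

    case 'update':
        require_admin($user);
        if (!$id) json_error('ID required');
        $sets = [];
        $vals = [];
        // Column names come only from this fixed allow-list, never from the
        // request, so building the SET clause by string concatenation is safe.
        $text_fields = ['safesure_users_name', 'name', 'email', 'clients_multi', 'assessor_number', 'moderator_number'];
        foreach ($text_fields as $f) {
            $value = $param($_POST, $f);
            if ($value === null) {
                continue;
            }
            if ($f === 'safesure_users_name') {
                // Same rules as create: a username is mandatory and unique.
                if ($value === '') json_error('Username required');
                if ($usernameTaken($value, $id)) json_error('Username already exists');
            }
            $sets[] = "$f=?";
            $vals[] = $value;
        }
        $typeId = $param($_POST, 'user_type_id');
        if ($typeId !== null) {
            $sets[] = 'user_type_id=?';
            $vals[] = (int)$typeId;
        }
        $newPassword = $param($_POST, 'password');
        if ($newPassword !== null && $newPassword !== '') {
            $sets[] = 'password=?';
            $vals[] = $hashPassword($newPassword);
        }
        if ($sets === []) json_error('Nothing to update');
        $vals[] = $id;
        $db->prepare('UPDATE safesure_users SET ' . implode(',', $sets) . ' WHERE record_id=?')->execute($vals);
        json_success([], 'User updated');
        break;

    case 'delete':
        require_admin($user);
        if (!$id) json_error('ID required');
        if ($id === (int)$user['record_id']) json_error('Cannot delete yourself');
        // Both rows go or neither: the original could leave orphaned tokens if
        // the second statement failed. Child rows (tokens) are removed first so
        // a foreign key, if one exists, cannot reject the user delete.
        // Assumes db() returns a PDO instance - TODO confirm in auth.php.
        $db->beginTransaction();
        $db->prepare('DELETE FROM api_tokens WHERE safesure_users_id=?')->execute([$id]);
        $db->prepare('DELETE FROM safesure_users WHERE record_id=?')->execute([$id]);
        $db->commit();
        json_success([], 'User deleted');
        break;

    default:
        json_error('Unknown action');
}
} catch (Throwable $e) {
    if ($db->inTransaction()) {
        $db->rollBack();
    }
    // The detail (driver message, file name, line) goes to the server log only.
    // The original returned it to the caller, which disclosed schema, driver
    // and file-layout information to any authenticated user.
    error_log(sprintf(
        'users api [%s]: %s in %s:%d',
        $action,
        $e->getMessage(),
        basename($e->getFile()),
        $e->getLine()
    ));
    json_error('Internal server error', 500);
}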