Update: 2026-05-08 04:58:23

app/modules_app/users/create.php

@@ -31,7 +31,7 @@ $errors = Validator::validate($data, [
     'name'     => 'required',
     'email'    => 'required|email',
     'phone'    => 'required',
-    'password' => 'required',
+    'password' => 'required|strong_password',
     'role'     => 'required'
 ]);
 

app/modules_app/users/index.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Users List Endpoint (Role-Based & Tenant-Aware)
+ * Users List Endpoint (Role-Based, Tenant-Aware, Paginated)
  */
 
 use App\Core\Database;
@@ -14,37 +14,58 @@ $db = Database::getInstance();
 $role = $decoded['role'];
 $tenantId = $decoded['tenant_id'] ?? null;
 
+if ($role !== 'super_admin' && $role !== 'admin') {
+    json_error('Unauthorized', 403);
+}
+
 try {
-    // 2. Build Query based on Role
+    $pagination = paginate_params(25, 100);
+
+    // 2. Build WHERE clause based on Role
+    $where = '';
+    $params = [];
+
     if ($role === 'super_admin') {
-        // Super Admin sees ALL users from ALL tenants
-        $stmt = $db->query("
-            SELECT u.id, u.name, u.email, u.phone, u.role, u.is_active, u.created_at, t.name as tenant_name
-            FROM users u
-            LEFT JOIN tenants t ON u.tenant_id = t.id
-            ORDER BY u.created_at DESC
-        ");
-    } elseif ($role === 'admin') {
-        // Admin sees only users in THEIR tenant (Accounting Office)
-        $stmt = $db->prepare("
-            SELECT u.id, u.name, u.email, u.phone, u.role, u.is_active, u.created_at, t.name as tenant_name
-            FROM users u
-            LEFT JOIN tenants t ON u.tenant_id = t.id
-            WHERE u.tenant_id = ?
-            ORDER BY u.created_at DESC
-        ");
-        $stmt->execute([$tenantId]);
+        $where = '1=1';
     } else {
-        // Other roles shouldn't see user list
-        json_error('Unauthorized', 403);
+        $where = 'u.tenant_id = ?';
+        $params = [$tenantId];
     }
 
+    // Optional filters
+    $roleFilter = $_GET['role'] ?? null;
+    $activeFilter = $_GET['is_active'] ?? null;
+
+    if ($roleFilter) {
+        $where .= ' AND u.role = ?';
+        $params[] = $roleFilter;
+    }
+    if ($activeFilter !== null && $activeFilter !== '') {
+        $where .= ' AND u.is_active = ?';
+        $params[] = (int)$activeFilter;
+    }
+
+    // 3. Count total
+    $countStmt = $db->prepare("SELECT COUNT(*) FROM users u WHERE $where");
+    $countStmt->execute($params);
+    $total = (int)$countStmt->fetchColumn();
+
+    // 4. Fetch page
+    $stmt = $db->prepare("
+        SELECT u.id, u.name, u.email, u.phone, u.role, u.is_active, u.created_at, t.name as tenant_name
+        FROM users u
+        LEFT JOIN tenants t ON u.tenant_id = t.id
+        WHERE $where
+        ORDER BY u.created_at DESC
+        LIMIT {$pagination['limit']} OFFSET {$pagination['offset']}
+    ");
+    $stmt->execute($params);
     $users = $stmt->fetchAll();
 
-    // 3. Decrypt data and format
+    // 5. Decrypt data
     $dec = function($val) {
         if (empty($val)) return '';
-        $result = \App\Core\Encryption::decrypt((string)$val);
+        $result = Encryption::decrypt((string)$val);
         return ($result !== false && $result !== null) ? $result : (string)$val;
     };
 
@@ -54,18 +75,13 @@ try {
         if (!empty($user['phone'])) {
             $user['phone'] = $dec($user['phone']);
         }
-        
         if (!empty($user['tenant_name'])) {
             $user['tenant_name'] = $dec($user['tenant_name']);
         }
     }
 
-    if (empty($users)) {
-        error_log("USERS LIST: No users found for role: $role, tenant_id: $tenantId");
-    }
-
-    json_success($users);
+    json_paginated($users, $total, $pagination);
 
 } catch (\Exception $e) {
-    json_error('SQL Error in Users List: ' . $e->getMessage(), 500);
+    safe_error($e, 'users/index');
 }