Update: 2026-05-04 01:33:55
@@ -19,7 +19,7 @@ $data = input();
|
||||
// 1. Role Authorization check (Prevent Role Escalation)
|
||||
$allowedRoles = match($decoded['role']) {
|
||||
'super_admin' => ['super_admin', 'admin', 'accountant', 'employee', 'viewer'],
|
||||
'admin' => ['accountant', 'employee', 'viewer'],
|
||||
'admin' => ['accountant', 'employee', 'viewer'], // Cannot create other admins
|
||||
default => []
|
||||
};
|
||||
|
||||
|
||||
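--- a/app/modules_app/users/delete.php
+++ b/app/modules_app/users/delete.php
@@ -0,0 +1,55 @@
+<?php
+/**
+* Delete User Endpoint (Soft Delete)
+*/
+
+use App\Core\Database;
+use App\Middleware\AuthMiddleware;
+
+// 1. Auth Check
+$decoded = AuthMiddleware::check();
+$db = Database::getInstance();
+
+$currentUserId = $decoded['user_id'];
+$currentUserRole = $decoded['role'];
+$targetUserId = input('id');
+
+if (!$targetUserId) {
+json_error('User ID is required', 422);
+}
+
+// 2. Prevent self-deletion
+if ($currentUserId === $targetUserId) {
+json_error('لا يمكنك حذف حسابك الشخصي من هنا', 403);
+}
+
+// 3. Fetch target user to check permissions
+$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
+$stmt->execute([$targetUserId]);
+$targetUser = $stmt->fetch();
+
+if (!$targetUser) {
+json_error('المستخدم غير موجود', 404);
+}
+
+// 4. Role-based Authorization
+if ($currentUserRole === 'super_admin') {
+// Super Admin can delete anyone except themselves
+} elseif ($currentUserRole === 'admin') {
+// Admin can only delete users in THEIR tenant
+if ($targetUser['tenant_id'] !== $decoded['tenant_id']) {
+json_error('ليس لديك صلاحية لحذف هذا المستخدم', 403);
+}
+// Admin cannot delete other admins (only super_admin can)
+if ($targetUser['role'] === 'admin' || $targetUser['role'] === 'super_admin') {
+json_error('لا يمكنك حذف مدير آخر. فقط السوبر أدمن يمكنه ذلك.', 403);
+}
+} else {
+json_error('غير مصرح لك بحذف المستخدمين', 403);
+}
+
+// 5. Perform Soft Delete
+$stmt = $db->prepare("UPDATE users SET deleted_at = NOW(), is_active = 0 WHERE id = ?");
+$stmt->execute([$targetUserId]);
+
+json_success(null, 'تم حذف المستخدم بنجاح');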
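Review bot: The self-deletion guard `if ($currentUserId === $targetUserId)` compares a token claim against a raw request parameter with strict equality; if `$decoded['user_id']` arrives as an int while `input('id')` is a string (as request values usually are), the branch never fires and an admin can soft-delete their own account despite the guard. Normalise both sides before comparing, `if ((int) $currentUserId === (int) $targetUserId)`, and preferably validate `$targetUserId` as a positive integer where the 422 check already sits. The tenant check `$targetUser['tenant_id'] !== $decoded['tenant_id']` has the same int-vs-string hazard, though there a mismatch fails closed (every admin delete is rejected), which is safer but still a defect. The soft delete sets `is_active = 0` and `deleted_at` but nothing here revokes the target's existing session or token, so the lockout only holds if `AuthMiddleware::check()` (not visible here) rejects inactive or deleted users — worth confirming. The lookup `SELECT * FROM users WHERE id = ?` also does not exclude already soft-deleted rows, so a repeated request silently rewrites `deleted_at`; adding `AND deleted_at IS NULL` would make the 404 path cover that case.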