<?php
/**
 * Users List Endpoint (with Decryption)
 */

use App\Core\Database;
use App\Core\Encryption;
use App\Middleware\AuthMiddleware;

// 1. Auth Check
$decoded = AuthMiddleware::check();

// 2. Simple Role-Based Access Control (RBAC)
if ($decoded['role'] !== 'super_admin' && $decoded['role'] !== 'admin') {
    json_error('غير مصرح لك بالوصول لهذه البيانات', 403);
}

// 3. Fetch Data
$db = Database::getInstance();
$stmt = $db->prepare("SELECT id, name, email, role, is_active, created_at FROM users");
$stmt->execute();
$users = $stmt->fetchAll();

// 4. Decrypt sensitive data for the UI
foreach ($users as &$user) {
    // Try to decrypt. If it fails (e.g. data was plain text), keep original.
    $decryptedName = Encryption::decrypt($user['name']);
    $user['name'] = $decryptedName !== false ? $decryptedName : $user['name'];

    $decryptedEmail = Encryption::decrypt($user['email']);
    $user['email'] = $decryptedEmail !== false ? $decryptedEmail : $user['email'];
}

json_success($users);