<?php
defined($security_key) or exit;

//------------------------------------------
// users
//------------------------------------------
//Connect to DB
$pdo = dbConnect($dbname);

//CONTENT FROM API (POST)
$post_content = json_decode($input,true);
$owner_user = 0;

//SoldTo is empty
if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}

//default whereclause
list($whereclause,$condition) = getWhereclause('profile',$permission,$partner,'');

//SET PARAMETERS FOR QUERY
$id = (isset($post_content['id'])) ? $post_content['id']: ''; //check for rowID
$command = ($id == '')? 'insert' : 'update';  //IF rowID = empty then INSERT
if (isset($post_content['delete'])){$command = 'delete';} //change command to delete
if (isset($post_content['reset'])){$command = 'reset';} //change command to reset
$date = date('Y-m-d H:i:s');

//CREATE EMPTY STRINGS
$clause = '';
$clause_insert ='';
$input_insert = '';

$post_content['updatedby'] = $username;

//GET EXISTING USER DATA
if ($id != '' && $command != 'reset'){
//Define Query
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
$user_data = $stmt->fetch();

$owner_user = (($user_data['username'] == $username)? 1 : 0);

$user_name_old = $user_data['username'];
$view_old = $user_data['view'];
$partnerhierarchy_old = json_decode($user_data['partnerhierarchy']);

// Allow clearing values by checking if key exists (even if empty)
$salesid_new = (array_key_exists('salesid', $post_content)) ? $post_content['salesid'] : ($partnerhierarchy_old->salesid ?? '');
$soldto_new = (array_key_exists('soldto', $post_content)) ? $post_content['soldto'] : ($partnerhierarchy_old->soldto ?? '');
$shipto_new = (array_key_exists('shipto', $post_content)) ? $post_content['shipto'] : ($partnerhierarchy_old->shipto ?? '');
$location_new = (array_key_exists('location', $post_content)) ? $post_content['location'] : ($partnerhierarchy_old->location ?? '');
    
    if (getHierarchyLevel($partner) == 0){
        //ADMIN+ ONLY ARE ALLOWED TO CHANGE SALES AND SOLD
        $account = array(
            "salesid"=>$salesid_new,
            "soldto"=>$soldto_new,
            "shipto"=>$shipto_new,
            "location"=>$location_new
        );
    }elseif (getHierarchyLevel($partner) == 1) {
        //ADMIN ONLY ARE ALLOWED TO CHANGE SOLD
        $account = array(
            "salesid"=>$partner->salesid,
            "soldto"=>$soldto_new,
            "shipto"=>$shipto_new,
            "location"=>$location_new
        );
    }
    else {
        $account = array(
            "salesid"=>$partner->salesid,
            "soldto"=>$partner->soldto,
            "shipto"=>$shipto_new,
            "location"=>$location_new
        );
    }
} elseif ($command == 'insert') {
    //ID is empty => INSERT / NEW RECORD
    if (getHierarchyLevel($partner) == 0){
        //ADMIN+ ONLY ARE ALLOWED TO CHANGE SALES AND SOLD
        $account = array(
            "salesid"=>$post_content['salesid'],
            "soldto"=>$post_content['soldto'],
            "shipto"=>$post_content['shipto'],
            "location"=>$post_content['location']
        );
    }
    elseif (getHierarchyLevel($partner) == 1){
        //ADMIN ONLY ARE ALLOWED TO CHANGE SOLD
        $account = array(
            "salesid"=>$partner->salesid,
            "soldto"=>$post_content['soldto'],
            "shipto"=>$post_content['shipto'],
            "location"=>$post_content['location']
        );
    }  
    else {
        $account = array(
            "salesid"=>$partner->salesid,
            "soldto"=>$partner->soldto,
            "shipto"=>$post_content['shipto'],
            "location"=>$post_content['location']
        );
    } 
} elseif ($id != '' && $command == 'reset'){
    //Reset user requested
    //Get username
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $user_data = $stmt->fetch();
    //generate resetkey
    $post_content['resetkey'] = generate_jwt($headers, $payload);
    //STEP 1- create resetkey
    $headers = array('alg'=>'HS256','typ'=>'JWT');
    $payload = array('username'=>$user_data['username'], 'exp'=>(time() + 1800));
    $resetkey = generate_jwt($headers, $payload);
    //STEP 2- Store resetkey
    $sql = 'UPDATE users SET resetkey = ?, updatedby = ? WHERE id = ? '.$whereclause.'';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$resetkey,$username,$id]);
    //STEP 3 - Send to user
    $mail_location = (file_exists($_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_reset.php') ? $_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_reset.php' : './assets/mail/email_template_reset.php');
    include_once $mail_location;
    send_mail($user_data['email'],$subject,$message,'','');
}

$accounthierarchy = json_encode($account, JSON_UNESCAPED_UNICODE);

//Create resetkey & tokens
$headers = array('alg'=>'HS256','typ'=>'JWT');
$payload = array('username'=>$post_content['username'], 'exp'=>(time() + 1800));
$post_content['service'] = (isset($post_content['service']) && $post_content['service'] == 1) ? bin2hex(random_bytes(25)) : '';
$post_content['userkey'] = (isset($post_content['userkey']) && $post_content['userkey'] == 1) ? bin2hex(random_bytes(25)) : '';

//ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE
if ($command == 'update'){ 
    if (isset($post_content['password'])){ 
        $post_content['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    $post_content['partnerhierarchy'] = $accounthierarchy;
}
elseif ($command == 'insert'){
    $post_content['resetkey'] = $resetkey = generate_jwt($headers, $payload);
    $post_content['password'] = generate_jwt($headers, $payload);
    $post_content['partnerhierarchy'] = $accounthierarchy;
    $post_content['salesID'] = $partner->salesid;
    $post_content['language'] = isset($post_content['language']) ? $post_content['language'] : 'US';
}
else {
    //do nothing
}

//+++++++++++++++++++++++++++++++++++++++++++++
//RESET VIEW/PERMISSION BASED ON USER PERMISSION
//+++++++++++++++++++++++++++++++++++++++++++++

$hierarchy_level = getHierarchyLevel($partner);

if($post_content['view']){
    switch ($hierarchy_level) {
        case '0':
            //ADMIN+ no override
           break;
        case '1':
            //ADMINS cannot set ADMIN+ => reset to admin
            $post_content['view'] = ($post_content['view'] == 5) ? 4 : $post_content['view'];
            break;
        default:
            //OTHERS CANNOT SET HIGHER -> IF SET THEN MANIPULATION EXPECTED -> SET USER to READONLY
            $post_content['view'] = ($post_content['view'] == 4 || $post_content['view'] == 5) ? 3 : $post_content['view'];
            break;
    }
}
//+++++++++++++++++++++++++++++++++++++++++++++
//+++++++++++++++++++++++++++++++++++++++++++++


//CREAT NEW ARRAY AND MAP TO CLAUSE
if(isset($post_content) && $post_content!=''){   
    foreach ($post_content as $key => $var){
        if ($key == 'submit' || $key == 'id' || str_contains($key, 'old_') || $key == 'salesid' || $key == 'soldto' || $key == 'shipto' || $key == 'location'){
            //do nothing
        }
        else {
            $criterias[$key] = $var;
            $clause .= ' , '.$key.' = ?';
            $clause_insert .= ' , '.$key.'';
            $input_insert .= ', ?'; // ? for each insert item
            $execute_input[]= $var; // Build array for input
        }
    }
}

//CLEAN UP INPUT
$clause = substr($clause, 2); //Clean clause - remove first comma
$clause_insert = substr($clause_insert, 2); //Clean clause - remove first comma
$input_insert = substr($input_insert, 1); //Clean clause - remove first comma

//QUERY AND VERIFY ALLOWED
if ($command == 'update' && (isAllowed('user',$profile,$permission,'U') === 1 || $owner_user === 1)){
    $sql = 'UPDATE users SET '.$clause.' WHERE id = ? '.$whereclause.'';

    $execute_input[] = $id;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($execute_input);

    //Update the username in all tables when changed
    if ($post_content['username'] != $user_name_old){
    $sql_like = '%'.$user_name_old.'%';
    $sql1= 'UPDATE equipment SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql2= 'UPDATE communication SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql3= 'UPDATE contracts SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql4= 'UPDATE feedback SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql5= 'UPDATE equipment_history SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql6= 'UPDATE opportunities SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql7= 'UPDATE orders SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql8= 'UPDATE products SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql_users = 'UPDATE account SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';
    $sql_partner = 'UPDATE partner SET createdby = REPLACE(createdby, ? , ?) WHERE createdby LIKE ?';

    //SQL_users
    $stmt = $pdo->prepare($sql_users);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL_partners
    $stmt = $pdo->prepare($sql_partner);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    
    $pdo = dbConnect($dbname);
    //SQL1
    $stmt = $pdo->prepare($sql1);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL2
    $stmt = $pdo->prepare($sql2);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL3
    $stmt = $pdo->prepare($sql3);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL4
    $stmt = $pdo->prepare($sql4);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL5
    $stmt = $pdo->prepare($sql5);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL6
    $stmt = $pdo->prepare($sql6);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL7
    $stmt = $pdo->prepare($sql7);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    //SQL8
    $stmt = $pdo->prepare($sql8);
    $stmt->execute([$user_name_old,$post_content['username'], $sql_like]);
    } 
} 
elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1){
    
    //check if user exists
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$post_content['username']]);
    $user_exist = $stmt->fetch();

    $exists = (isset($user_exist['username']))? 1 : 0;
    if($user_exist == 0 ){
        $sql = 'INSERT INTO users ('.$clause_insert.') VALUES ('.$input_insert.')';
        $stmt = $pdo->prepare($sql);
        $stmt->execute($execute_input);

        // Get the new user ID
        $new_user_id = $pdo->lastInsertId();

        //STEP 2- Send to user
        $mail_location = (file_exists($_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php') ? $_SERVER['DOCUMENT_ROOT'].'/custom/'.$domain.'/mail/email_template_new.php' : './assets/mail/email_template_new.php');
        include_once $mail_location;
        send_mail($post_content['email'],$subject,$message,'','');

        // Return the new user ID
        $result = json_encode(['id' => (int)$new_user_id], JSON_UNESCAPED_UNICODE);
        echo $result;
    } else {
        //------------------------------------------
        //JSON_ENCODE
        //------------------------------------------
        $messages = json_encode($exists, JSON_UNESCAPED_UNICODE);

        //Send results
        echo $messages;            
    }
}
elseif ($command == 'delete' && isAllowed('user',$profile,$permission,'D') === 1){
    //delete equipment
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = ? '.$whereclause.'');
    $stmt->execute([ $id ]);

    //Add deletion to changelog
    changelog($dbname,'users',$id,'Delete','Delete',$username);
} else
{
    //do nothing
}


?>