<?php
class EditUserAction implements IAction {
	public function execute() {
		if(!Authorize::isLoggedIn() || !Authorize::hasPermission()) {
			return array("error" => "Access not authorized");
		}

		$userId = $_POST['user_id'] ?? $_GET['user_id'] ?? "";
		$username = $_POST['username'] ?? $_GET['username'] ?? "";
		$displayName = $_POST['display_name'] ?? $_GET['display_name'] ?? "";
		$email = $_POST['email'] ?? $_GET['email'] ?? "";
		$password = $_POST['password'] ?? $_GET['password'] ?? "";
		
		//TODO: scrub inputs
		if(empty($userId) || empty($username) || empty($displayName) || empty($email)) {
			return array("error" => "One or more required fields missing: user_id, username, display_name, email");
		}

		if(in_array($userId, array(1, 2)) && !isset($_SESSION['superadmin'])) {
			return array("error" => "Cannot edit the superadmin account");
		}

		$superAdminEditPassword = !empty($password) && isset($_SESSION['superadmin']) && $_SESSION['superadmin'];

		$db = SqliteDatabase::getSingleton();

		$sql = "UPDATE users SET username = :username, display_name = :display_name, email = :email WHERE rowid = :user_id";

		if($superAdminEditPassword) {
			$sql = "UPDATE users SET username = :username, display_name = :display_name, email = :email, password = :passwordhash WHERE rowid = :user_id";
		}
		$preparedQuery = $db->prepare($sql);
		$preparedQuery->bindValue(':username', $username);
		$preparedQuery->bindValue(':display_name', $displayName);
		$preparedQuery->bindValue(':email', $email);
		if($superAdminEditPassword) {
			$passwordHash = hash("sha256", $password);
			$preparedQuery->bindValue(':passwordhash', $passwordHash);
		}
		$preparedQuery->bindValue(':user_id', $userId);
		try {
			$result = $preparedQuery->execute();
			$loggerData = array();
			$loggerData['display_name'] = $_SESSION['display_name'];
			$loggerData['user_id'] = $_SESSION['user_id'];
			$loggerData['edited_user_id'] = $userId;
			$loggerData['user_display_name'] = $displayName;
			$loggerData['username'] = $username;
			SecurityLogger::action("edit-user", $loggerData, time());
			return array("status" => "success", "message" => "Updated user '" . $username . "' (".$userId.").");
		}
		catch(Exception $e) {
			return array("error" => "Error when updating user '" . $username. "' (".$userId."): invalid fields?" , "exception" => $e->getMessage());
		}
	}
}