false, 'error' => 'Authentication required']); exit; } // Check admin privileges if (!$_SESSION['user']['is_admin']) { http_response_code(403); echo json_encode(['success' => false, 'error' => 'Admin privileges required']); exit; } // CSRF Protection for write operations if ($_SERVER['REQUEST_METHOD'] !== 'GET') { require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php'; $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ''; if (!CsrfMiddleware::validateToken($csrfToken)) { http_response_code(403); echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']); exit; } } // Use centralized database connection $conn = Database::getConnection(); // Initialize audit log $auditLog = new AuditLogModel($conn); $userId = $_SESSION['user']['user_id']; header('Content-Type: application/json'); $method = $_SERVER['REQUEST_METHOD']; $id = isset($_GET['id']) ? (int)$_GET['id'] : null; switch ($method) { case 'GET': if ($id) { // Get single transition $stmt = $conn->prepare("SELECT * FROM status_transitions WHERE transition_id = ?"); $stmt->bind_param('i', $id); $stmt->execute(); $result = $stmt->get_result(); $transition = $result->fetch_assoc(); $stmt->close(); echo json_encode(['success' => true, 'transition' => $transition]); } else { // Get all transitions $result = $conn->query("SELECT * FROM status_transitions ORDER BY from_status, to_status"); $transitions = []; while ($row = $result->fetch_assoc()) { $transitions[] = $row; } echo json_encode(['success' => true, 'transitions' => $transitions]); } break; case 'POST': $data = json_decode(file_get_contents('php://input'), true); $stmt = $conn->prepare("INSERT INTO status_transitions (from_status, to_status, requires_comment, requires_admin, is_active) VALUES (?, ?, ?, ?, ?)"); $stmt->bind_param('ssiii', $data['from_status'], $data['to_status'], $data['requires_comment'] ?? 0, $data['requires_admin'] ?? 0, $data['is_active'] ?? 1 ); if ($stmt->execute()) { $transitionId = $conn->insert_id; WorkflowModel::clearCache(); // Clear workflow cache // Audit log: workflow transition created $auditLog->log($userId, 'create', 'workflow_transition', (string)$transitionId, [ 'from_status' => $data['from_status'], 'to_status' => $data['to_status'], 'requires_comment' => $data['requires_comment'] ?? 0, 'requires_admin' => $data['requires_admin'] ?? 0 ]); echo json_encode(['success' => true, 'transition_id' => $transitionId]); } else { echo json_encode(['success' => false, 'error' => $stmt->error]); } $stmt->close(); break; case 'PUT': if (!$id) { echo json_encode(['success' => false, 'error' => 'ID required']); exit; } $data = json_decode(file_get_contents('php://input'), true); $stmt = $conn->prepare("UPDATE status_transitions SET from_status = ?, to_status = ?, requires_comment = ?, requires_admin = ?, is_active = ? WHERE transition_id = ?"); $stmt->bind_param('ssiiii', $data['from_status'], $data['to_status'], $data['requires_comment'] ?? 0, $data['requires_admin'] ?? 0, $data['is_active'] ?? 1, $id ); $success = $stmt->execute(); if ($success) { WorkflowModel::clearCache(); // Clear workflow cache // Audit log: workflow transition updated $auditLog->log($userId, 'update', 'workflow_transition', (string)$id, [ 'from_status' => $data['from_status'], 'to_status' => $data['to_status'], 'requires_comment' => $data['requires_comment'] ?? 0, 'requires_admin' => $data['requires_admin'] ?? 0 ]); } echo json_encode(['success' => $success]); $stmt->close(); break; case 'DELETE': if (!$id) { echo json_encode(['success' => false, 'error' => 'ID required']); exit; } // Get transition details before deletion for audit log $getStmt = $conn->prepare("SELECT from_status, to_status FROM status_transitions WHERE transition_id = ?"); $getStmt->bind_param('i', $id); $getStmt->execute(); $getResult = $getStmt->get_result(); $transitionData = $getResult->fetch_assoc(); $getStmt->close(); $stmt = $conn->prepare("DELETE FROM status_transitions WHERE transition_id = ?"); $stmt->bind_param('i', $id); $success = $stmt->execute(); if ($success) { WorkflowModel::clearCache(); // Clear workflow cache // Audit log: workflow transition deleted $auditLog->log($userId, 'delete', 'workflow_transition', (string)$id, [ 'from_status' => $transitionData['from_status'] ?? 'unknown', 'to_status' => $transitionData['to_status'] ?? 'unknown' ]); } echo json_encode(['success' => $success]); $stmt->close(); break; default: http_response_code(405); echo json_encode(['success' => false, 'error' => 'Method not allowed']); } } catch (Exception $e) { http_response_code(500); echo json_encode(['success' => false, 'error' => $e->getMessage()]); }