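<?php
/**
 * Check if the user is logged in
 *
 * This file should be required by all sensitive PHP scripts. It verifies that
 * the client has been logged in, and if not, displays a login page.
 *
 * See also login-ajax.php, which is specific for files that are loaded through
 * Ajax (and typically require a json response).
 *
 * Outcomes for the requiring script:
 *  - logged in (or just logged in via the POSTed form): $_SESSION['login']
 *    holds the user id, $_user holds the user object, and control returns
 *    to the requiring script;
 *  - not logged in: the login page is rendered and the script exits;
 *  - REQUIRE_ADMIN defined and true, but the user is not an administrator:
 *    an "Access denied" page is rendered and the script exits.
 *
 * Expects conf.php to provide $_pdo, the BusinessAdmin / user / constants
 * classes and an active session (the code below reads $_SESSION).
 *
 * @author Camil Staps
 *
 * BusinessAdmin: administrative software for small companies
 * Copyright (C) 2015 Camil Staps (ViviSoft)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

require_once('./conf.php');

// Logout is requested with ?logout on the query string: clear the login
// marker and send the client to the external (public) URL.
if (isset($_GET['logout'])) {
    $_SESSION['login'] = false;
    header('Location: ' . constants::url_external);
    die();
}

if (!isset($_SESSION['login']) || $_SESSION['login'] === false) {
    if (isset($_POST['username'])) {
        $_login_username = $_POST['username'];
        $_login_password = isset($_POST['password']) ? $_POST['password'] : '';

        // Both fields must be plain strings: a nested form field (e.g.
        // password[]=...) would otherwise reach the lookup and the password
        // check as an array.
        if (!is_string($_login_username) || !is_string($_login_password)) {
            $_msg = "Invalid username or password.<br/>";
        } else {
            $users = BusinessAdmin::getUsers($_pdo, ['`username`=?'], [$_login_username]);
            // array_pop keeps the original behaviour of taking the last match.
            $user = (count($users) === 0) ? null : array_pop($users);

            if ($user !== null && $user->verifyPassword($_login_password)) {
                // Issue a fresh session id on authentication so that a session
                // id fixed before login cannot be reused afterwards.
                if (session_status() === PHP_SESSION_ACTIVE) {
                    session_regenerate_id(true);
                }
                $_SESSION['login'] = $user->getId();
                $_user = $user;
                return;
            }

            // One message for "unknown user" and "wrong password": distinct
            // messages let a client enumerate valid usernames, and echoing the
            // submitted username back into the page unescaped was a reflected
            // XSS. (Response time may still differ slightly between the two
            // cases, since no password hash is checked for an unknown user.)
            $_msg = "Invalid username or password.<br/>";
        }
    }

    include('./header.php');
    ?>
    <div class="container">
        <div class="row">
            <div class="col-md-4 col-md-offset-4">
                <div class="login-panel panel panel-default">
                    <div class="panel-heading">
                        <h3 class="panel-title">Login<i class="fa fa-lock fa-fw fa-lg pull-right"></i></h3>
                    </div>
                    <div class="panel-body">
                        <?php
                        // $_msg is a fixed HTML snippet set above; it never
                        // contains client-supplied text.
                        if (isset($_msg)) {
                            echo "<div class='form-group alert alert-danger'>$_msg</div>";
                        }
                        ?>
                        <form action="" method="post">
                            <div class="form-group">
                                <input class="form-control" type="text" name="username" placeholder="Username" autofocus="autofocus"/>
                            </div>
                            <div class="form-group">
                                <input class="form-control" type="password" name="password" placeholder="Password"/>
                            </div>
                            <input type="submit" class="btn btn-lg btn-success btn-block" value="login"/>
                        </form>
                    </div>
                </div>
            </div>
        </div>
    </div>
    <?php
    include('./footer.php');
    die();
}

// Already logged in: load the user object for the requiring script.
$_user = new user($_pdo, $_SESSION['login']);

// Pages that define REQUIRE_ADMIN as true are only available to administrators.
if (defined('REQUIRE_ADMIN') && REQUIRE_ADMIN && !$_user->isAdmin()) {
    include('./header.php');
    include('./nav.php');
    ?>
    <h1>Access denied</h1>
    <p class="lead">You need to be an administrator to access this page.</p>
    <?php
    include('./footer.php');
    die();
}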