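<?php
declare(strict_types=1);

// Admin entry point: processes the "change password" form when it is
// POSTed, otherwise renders the admin UI for a logged-in session.

// Start the session
session_start();

// Page encoding
header('Content-Type: text/html; charset=utf-8');

// Database connection (db.php is expected to define $db with queryOne()/execute())
require_once 'db.php';

// Reads a POST field as a trimmed string. A missing field or a non-string
// value (e.g. "field[]=x" sent as an array) yields '' instead of letting
// trim() throw a TypeError on attacker-controlled input.
$postString = static fn (string $key): string =>
    is_string($_POST[$key] ?? null) ? trim($_POST[$key]) : '';

// Password change handling
if (($_POST['action'] ?? null) === 'change_password') {
    // Only an authenticated admin with a known id may change a password
    if (!isset($_SESSION['user']['id'])) {
        header('Location: login.php');
        exit;
    }

    // Form data
    $currentPassword = $postString('current_password');
    $newPassword = $postString('new_password');
    $confirmPassword = $postString('confirm_password');
    $userId = $_SESSION['user']['id'];

    // Input validation. Compare against '' rather than empty() so that a
    // password of "0" is not mistaken for a blank field; mb_strlen counts
    // characters, matching the "6个字符" wording of the error message.
    if ($currentPassword === '' || $newPassword === '' || $confirmPassword === '') {
        $_SESSION['error'] = '所有字段不能为空';
    } elseif ($newPassword !== $confirmPassword) {
        $_SESSION['error'] = '新密码和确认密码不一致';
    } elseif (mb_strlen($newPassword) < 6) {
        $_SESSION['error'] = '新密码长度不能少于6个字符';
    } else {
        // Look up the stored credential for the current admin
        $sql = "SELECT password FROM admins WHERE id = ?";
        $admin = $db->queryOne($sql, [$userId]);

        if ($admin) {
            $stored = (string) ($admin['password'] ?? '');

            // Verify the current password. The second branch keeps the
            // existing fallback for rows that still hold an unhashed value;
            // hash_equals() replaces == so the comparison is strict (no
            // numeric-string juggling) and constant-time. A successful change
            // always writes a password_hash() value, retiring the legacy row.
            $currentMatches = password_verify($currentPassword, $stored)
                || hash_equals($stored, $currentPassword);

            if ($currentMatches) {
                // Hash the new password and persist it
                $hashedPassword = password_hash($newPassword, PASSWORD_DEFAULT);
                $updateSql = "UPDATE admins SET password = ? WHERE id = ?";

                if ($db->execute($updateSql, [$hashedPassword, $userId])) {
                    // Credential changed: rotate the session id so any
                    // previously leaked id no longer maps to this session.
                    session_regenerate_id(true);
                    $_SESSION['success'] = '密码修改成功';
                } else {
                    $_SESSION['error'] = '密码修改失败，请重试';
                }
            } else {
                $_SESSION['error'] = '当前密码错误';
            }
        } else {
            $_SESSION['error'] = '用户不存在';
        }
    }

    // Back to the admin dashboard (messages are carried in the session)
    header('Location: index.php');
    exit;
}

// Login check for the plain GET / non-action case
if (!isset($_SESSION['user'])) {
    // Not logged in: go to the login page
    header('Location: login.php');
    exit;
}

// Logged in: render the admin UI.
// No closing "?>" tag: trailing whitespace after it would be sent as output
// before the headers of admin.php.
include 'admin.php';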