Add multi-user logbook sharing and permissions

Introduces logbook sharing with read, write, and admin permission levels via a new station_logbooks_permissions table and related migration. Updates controllers, models, and views to support managing collaborators, restricts sensitive actions to owners/admins, and adds UI for sharing management. Also adds user lookup by callsign and improves logbook/station location access logic.

Author: magicbug

application/config/migration.php

@@ -22,7 +22,7 @@
 |
 */
 
-$config['migration_version'] = 233;
+$config['migration_version'] = 234;
 
 /*
 |--------------------------------------------------------------------------

application/controllers/Logbooks.php

@@ -58,13 +58,20 @@ public function edit($id)
 
 		$station_logbook_id = $this->security->xss_clean($id);
 
+		// Check if user has at least write access
+		if (!$this->logbooks_model->check_logbook_is_accessible($station_logbook_id, 'write')) {
+			$this->session->set_flashdata('notice', 'You don\'t have permission to edit this logbook');
+			redirect('logbooks');
+		}
+
 		$station_logbook_details_query = $this->logbooks_model->logbook($station_logbook_id);
 		$data['station_locations_array'] = $this->logbooks_model->list_logbook_relationships($station_logbook_id);
 
 		$data['station_logbook_details'] = $station_logbook_details_query->row();
 		$data['station_locations_list'] = $this->stations->all_of_user();
 
 		$data['station_locations_linked'] = $this->logbooks_model->list_logbooks_linked($station_logbook_id);
+		$data['is_owner'] = $this->logbooks_model->is_logbook_owner($station_logbook_id);
 
 		$data['page_title'] = "Edit Station Logbook";
 
@@ -87,7 +94,12 @@ public function edit($id)
 					$this->logbooks_model->create_logbook_location_link($this->input->post('station_logbook_id'), $this->input->post('SelectedStationLocation'));
 				}
 			} else {
-				$this->logbooks_model->edit();
+				// Only owners can rename logbooks
+				if ($this->logbooks_model->is_logbook_owner($this->input->post('station_logbook_id'))) {
+					$this->logbooks_model->edit();
+				} else {
+					$this->session->set_flashdata('notice', 'Only the owner can rename a logbook');
+				}
 			}
 
             redirect('logbooks/edit/'.$this->input->post('station_logbook_id'));
@@ -111,7 +123,28 @@ public function delete($id) {
 
 	public function delete_relationship($logbook_id, $station_id) {
 		$this->load->model('logbooks_model');
-		$this->logbooks_model->delete_relationship($logbook_id, $station_id);
+		$this->load->model('stations');
+		
+		// Check if user has at least write access to the logbook
+		if (!$this->logbooks_model->check_logbook_is_accessible($logbook_id, 'write')) {
+			$this->session->set_flashdata('notice', 'You don\'t have permission to modify this logbook');
+			redirect('logbooks');
+		}
+		
+		// Get station location details
+		$station = $this->stations->profile($station_id);
+		
+		if ($station) {
+			$is_owner = $this->logbooks_model->is_logbook_owner($logbook_id);
+			$owns_station = ($station->user_id == $this->session->userdata('user_id'));
+			
+			// Only allow unlinking if user is logbook owner OR owns the station location
+			if ($is_owner || $owns_station) {
+				$this->logbooks_model->delete_relationship($logbook_id, $station_id);
+			} else {
+				$this->session->set_flashdata('notice', 'You can only unlink your own station locations');
+			}
+		}
 
 		redirect('logbooks/edit/'.$logbook_id);
 	}
@@ -131,23 +164,49 @@ public function publicslug_validate() {
 
 	public function save_publicsearch() {
 		$this->load->model('logbooks_model');
+		
+		$logbook_id = $this->input->post('logbook_id');
+		
+		// Only owners can modify public settings
+		if (!$this->logbooks_model->is_logbook_owner($logbook_id)) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">Only the owner can modify public settings</div>";
+			return;
+		}
+		
 		// Handle checkbox - if not checked, it won't be sent, so default to 0
 		$public_search = $this->input->post('public_search') ? 1 : 0;
-		$returndata = $this->logbooks_model->save_public_search($public_search, $this->input->post('logbook_id'));
+		$returndata = $this->logbooks_model->save_public_search($public_search, $logbook_id);
 		echo "<div class=\"alert alert-success\" role=\"alert\">Public Search Settings Saved</div>";
 	}
 
 	public function save_publicradiostatus() {
 		$this->load->model('logbooks_model');
+		
+		$logbook_id = $this->input->post('logbook_id');
+		
+		// Only owners can modify public settings
+		if (!$this->logbooks_model->is_logbook_owner($logbook_id)) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">Only the owner can modify public settings</div>";
+			return;
+		}
+		
 		// Handle checkbox - if not checked, it won't be sent, so default to 0
 		$public_radio_status = $this->input->post('public_radio_status') ? 1 : 0;
-		$returndata = $this->logbooks_model->save_public_radio_status($public_radio_status, $this->input->post('logbook_id'));
+		$returndata = $this->logbooks_model->save_public_radio_status($public_radio_status, $logbook_id);
 		echo "<div class=\"alert alert-success\" role=\"alert\">Public Radio Status Settings Saved</div>";
 	}
 
 	public function save_publicslug() {
 		$this->load->model('logbooks_model');
 
+		$logbook_id = $this->input->post('logbook_id');
+		
+		// Only owners can modify public settings
+		if (!$this->logbooks_model->is_logbook_owner($logbook_id)) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">Only the owner can modify public settings</div>";
+			return;
+		}
+
 		$this->load->library('form_validation');
 
 		$this->form_validation->set_rules('public_slug', 'Public Slug', 'required|alpha_numeric');
@@ -164,7 +223,7 @@ public function save_publicslug() {
 
 
 			if($result == true) {
-				$returndata = $this->logbooks_model->save_public_slug($this->input->post('public_slug'), $this->input->post('logbook_id'));
+				$returndata = $this->logbooks_model->save_public_slug($this->input->post('public_slug'), $logbook_id);
 				echo "<div class=\"alert alert-success\" role=\"alert\">Public Slug Saved</div>";
 			} else {
 				echo "<div class=\"alert alert-danger\" role=\"alert\">Oops! This Public Slug is unavailable</div>";
@@ -175,12 +234,153 @@ public function save_publicslug() {
 	public function remove_publicslug() {
 		$this->load->model('logbooks_model');
 
-		$this->logbooks_model->remove_public_slug($this->input->post('logbook_id'));
+		$logbook_id = $this->input->post('logbook_id');
+		
+		// Only owners can modify public settings
+		if (!$this->logbooks_model->is_logbook_owner($logbook_id)) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">Only the owner can modify public settings</div>";
+			return;
+		}
+
+		$this->logbooks_model->remove_public_slug($logbook_id);
 		if ($this->db->affected_rows() > 0) {
 			echo "<div class=\"alert alert-success\" role=\"alert\">Public Slug Removed</div>";
 		} else {
 			echo "<div class=\"alert alert-danger\" role=\"alert\">Oops! This Public Slug could not be removed</div>";
 		}
 	}
 
+	public function manage_sharing($logbook_id) {
+		// Display sharing management interface
+		$this->load->model('logbooks_model');
+		
+		$clean_id = $this->security->xss_clean($logbook_id);
+		
+		// Check if user has admin access or is owner
+		if (!$this->logbooks_model->is_logbook_owner($clean_id) && 
+			!$this->logbooks_model->check_logbook_is_accessible($clean_id, 'admin')) {
+			$this->session->set_flashdata('notice', 'You\'re not allowed to manage sharing for this logbook!');
+			redirect('logbooks');
+		}
+		
+		$data['logbook'] = $this->logbooks_model->logbook($clean_id)->row();
+		$data['collaborators'] = $this->logbooks_model->list_logbook_collaborators($clean_id);
+		$data['is_owner'] = $this->logbooks_model->is_logbook_owner($clean_id);
+		
+		$data['page_title'] = "Manage Logbook Sharing";
+		$this->load->view('interface_assets/header', $data);
+		$this->load->view('logbooks/manage_sharing');
+		$this->load->view('interface_assets/footer');
+	}
+
+	public function add_user() {
+		// Add a user to a logbook via AJAX/HTMX
+		$this->load->model('logbooks_model');
+		
+		$logbook_id = $this->security->xss_clean($this->input->post('logbook_id'));
+		$user_identifier = $this->security->xss_clean($this->input->post('user_identifier'));
+		$permission_level = $this->security->xss_clean($this->input->post('permission_level'));
+		
+		// Check if current user has admin rights or is owner
+		if (!$this->logbooks_model->is_logbook_owner($logbook_id) && 
+			!$this->logbooks_model->check_logbook_is_accessible($logbook_id, 'admin')) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">You don't have permission to add users to this logbook</div>";
+			return;
+		}
+		
+		// Try to find user by email first, then by callsign
+		$user_query = $this->user_model->get_by_email($user_identifier);
+		if ($user_query->num_rows() == 0) {
+			$user_query = $this->user_model->get_by_callsign($user_identifier);
+		}
+		
+		if ($user_query->num_rows() == 0) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">User not found. Please check the email or callsign.</div>";
+			return;
+		}
+		
+		$user = $user_query->row();
+		
+		// Check if user is trying to add themselves
+		if ($user->user_id == $this->session->userdata('user_id')) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">You cannot add yourself to the logbook.</div>";
+			return;
+		}
+		
+		// Check if user is the owner
+		if ($this->logbooks_model->get_user_permission($logbook_id, $user->user_id) == 'owner') {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">This user is the owner of the logbook.</div>";
+			return;
+		}
+		
+		// Add permission
+		$result = $this->logbooks_model->add_logbook_permission($logbook_id, $user->user_id, $permission_level);
+		
+		if ($result) {
+			// Return updated collaborators list
+			$data['collaborators'] = $this->logbooks_model->list_logbook_collaborators($logbook_id);
+			$data['is_owner'] = $this->logbooks_model->is_logbook_owner($logbook_id);
+			$this->load->view('logbooks/components/collaborators_table', $data);
+		} else {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">Failed to add user. Please try again.</div>";
+		}
+	}
+
+	public function remove_user() {
+		// Remove a user from a logbook via AJAX/HTMX
+		$this->load->model('logbooks_model');
+		
+		$logbook_id = $this->security->xss_clean($this->input->post('logbook_id'));
+		$user_id = $this->security->xss_clean($this->input->post('user_id'));
+		
+		// Check if current user has admin rights or is owner
+		if (!$this->logbooks_model->is_logbook_owner($logbook_id) && 
+			!$this->logbooks_model->check_logbook_is_accessible($logbook_id, 'admin')) {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">You don't have permission to remove users from this logbook</div>";
+			return;
+		}
+		
+		// Remove permission
+		$result = $this->logbooks_model->remove_logbook_permission($logbook_id, $user_id);
+		
+		if ($result) {
+			// Return updated collaborators list
+			$data['collaborators'] = $this->logbooks_model->list_logbook_collaborators($logbook_id);
+			$data['is_owner'] = $this->logbooks_model->is_logbook_owner($logbook_id);
+			$this->load->view('logbooks/components/collaborators_table', $data);
+		} else {
+			echo "<div class=\"alert alert-danger\" role=\"alert\">Failed to remove user. Please try again.</div>";
+		}
+	}
+
+	public function validate_user() {
+		// Validate user exists via AJAX/HTMX
+		$this->load->model('user_model');
+		
+		$user_identifier = $this->security->xss_clean($this->input->post('user_identifier'));
+		
+		if (empty($user_identifier)) {
+			echo '';
+			return;
+		}
+		
+		// Try to find user by email first, then by callsign
+		$user_query = $this->user_model->get_by_email($user_identifier);
+		if ($user_query->num_rows() == 0) {
+			$user_query = $this->user_model->get_by_callsign($user_identifier);
+		}
+		
+		if ($user_query->num_rows() > 0) {
+			$user = $user_query->row();
+			// Check if it's the current user
+			if ($user->user_id == $this->session->userdata('user_id')) {
+				echo '<span class="text-warning"><i class="fas fa-exclamation-triangle"></i> Cannot add yourself</span>';
+			} else {
+				echo '<span class="text-success"><i class="fas fa-check-circle"></i> User found: ' . htmlspecialchars($user->user_callsign) . '</span>';
+			}
+		} else {
+			echo '<span class="text-danger"><i class="fas fa-times-circle"></i> User not found</span>';
+		}
+	}
+
 }

application/migrations/234_create_logbook_permissions.php

@@ -0,0 +1,71 @@
+<?php
+
+defined('BASEPATH') OR exit('No direct script access allowed');
+
+/*
+*   Create station_logbooks_permissions table for multi-user logbook sharing
+*/
+
+class Migration_create_logbook_permissions extends CI_Migration {
+
+    public function up()
+    {
+        // Check if table already exists
+        if (!$this->db->table_exists('station_logbooks_permissions')) {
+            // Create station_logbooks_permissions table
+            $this->dbforge->add_field(array(
+            'permission_id' => array(
+                'type' => 'BIGINT',
+                'constraint' => 20,
+                'unsigned' => TRUE,
+                'auto_increment' => TRUE
+            ),
+            'logbook_id' => array(
+                'type' => 'BIGINT',
+                'constraint' => 20,
+                'unsigned' => TRUE,
+            ),
+            'user_id' => array(
+                'type' => 'INT',
+                'constraint' => 11,
+            ),
+            'permission_level' => array(
+                'type' => 'ENUM',
+                'constraint' => array('read', 'write', 'admin'),
+                'default' => 'read',
+            ),
+            'created_at' => array(
+                'type' => 'TIMESTAMP',
+                'default' => 'CURRENT_TIMESTAMP',
+            ),
+            'modified' => array(
+                'type' => 'TIMESTAMP',
+                'null' => TRUE,
+            ),
+        ));
+
+            $this->dbforge->add_key('permission_id', TRUE);
+            $this->dbforge->create_table('station_logbooks_permissions');
+
+            // Add unique constraint on logbook_id + user_id combination
+            $this->db->query('CREATE UNIQUE INDEX idx_logbook_user ON station_logbooks_permissions (logbook_id, user_id)');
+            
+            // Add indexes for performance
+            $this->db->query('CREATE INDEX idx_logbook_id ON station_logbooks_permissions (logbook_id)');
+            $this->db->query('CREATE INDEX idx_user_id ON station_logbooks_permissions (user_id)');
+
+            // Add foreign key for logbook_id only (station_logbooks uses InnoDB)
+            // Note: Cannot add foreign key for user_id because users table uses MyISAM engine
+            $this->db->query('ALTER TABLE station_logbooks_permissions 
+                ADD CONSTRAINT fk_slp_logbook 
+                FOREIGN KEY (logbook_id) 
+                REFERENCES station_logbooks(logbook_id) 
+                ON DELETE CASCADE');
+        }
+    }
+
+    public function down()
+    {
+        $this->dbforge->drop_table('station_logbooks_permissions');
+    }
+}