query( "SELECT id, username, email, role, is_active, wilayah_tugas, nama_lengkap, last_login, created_at FROM users ORDER BY id ASC" ); sendSuccess($stmt->fetchAll(), 'Data Users'); break; case 'POST': $d = getInput(); if (empty($d['username']) || empty($d['password']) || empty($d['role'])) { sendError('Data tidak lengkap'); } if (!in_array($d['role'], VALID_ROLES, true)) sendError('Role tidak valid'); $hash = password_hash($d['password'], PASSWORD_BCRYPT, ['cost' => 12]); try { $pdo->prepare( "INSERT INTO users (username, email, password, role, is_active, wilayah_tugas, nama_lengkap) VALUES (?,?,?,?,?,?,?)" )->execute([ $d['username'], $d['email'] ?? null, $hash, $d['role'], isset($d['is_active']) ? (int)$d['is_active'] : 1, $d['wilayah_tugas'] ?? null, $d['nama_lengkap'] ?? '', ]); $id = (int)$pdo->lastInsertId(); logActivity($pdo, 'create', 'users', $id, "Tambah user {$d['username']} ({$d['role']})"); sendSuccess(['id' => $id], 'User disimpan', 201); } catch (Exception $e) { sendError('Username sudah digunakan'); } break; case 'PUT': $d = getInput(); $id = $_GET['id'] ?? null; if (!$id) sendError('ID wajib'); if (!empty($d['role']) && !in_array($d['role'], VALID_ROLES, true)) sendError('Role tidak valid'); if (!empty($d['password'])) { $hash = password_hash($d['password'], PASSWORD_BCRYPT, ['cost' => 12]); $pdo->prepare( "UPDATE users SET username=?, email=?, password=?, role=?, is_active=?, wilayah_tugas=?, nama_lengkap=? WHERE id=?" )->execute([ $d['username'], $d['email'] ?? null, $hash, $d['role'], isset($d['is_active']) ? (int)$d['is_active'] : 1, $d['wilayah_tugas'] ?? null, $d['nama_lengkap'] ?? '', $id, ]); } else { $pdo->prepare( "UPDATE users SET username=?, email=?, role=?, is_active=?, wilayah_tugas=?, nama_lengkap=? WHERE id=?" )->execute([ $d['username'], $d['email'] ?? null, $d['role'], isset($d['is_active']) ? (int)$d['is_active'] : 1, $d['wilayah_tugas'] ?? null, $d['nama_lengkap'] ?? '', $id, ]); } logActivity($pdo, 'update', 'users', (int)$id, "Edit user {$d['username']}"); sendSuccess(null, 'User diperbarui'); break; case 'DELETE': $id = $_GET['id'] ?? null; if (!$id) sendError('ID wajib'); if ($id == 1) sendError('Akun utama tidak dapat dihapus'); if ($id == ($_SESSION['user_id'] ?? null)) sendError('Tidak dapat menghapus akun sendiri'); $pdo->prepare("DELETE FROM users WHERE id=?")->execute([$id]); logActivity($pdo, 'delete', 'users', (int)$id, 'Hapus user'); sendSuccess(null, 'User dihapus'); break; default: sendError('Method not allowed', 405); }