<?php
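require_once __DIR__ . '/config.php';
if (!IS_INSTALLED) { header('Location: setup.php'); exit; }
require_once ROOT_PATH . '/includes/db.php';
require_once ROOT_PATH . '/includes/functions.php';
require_once ROOT_PATH . '/includes/auth.php';

// Invite registration is for anonymous visitors only; anyone already
// authenticated is sent to the admin area instead.
if (is_logged_in()) { header('Location: ' . base_url('admin/')); exit; }

// The invite token travels in the query string (?token=...). Without a
// referrer policy, any off-site asset or link rendered by header.php /
// footer.php would receive that URL, token included, in the Referer header.
// Must be sent before any output; header.php is included further down.
header('Referrer-Policy: no-referrer');

// Read the token defensively: a crafted request can send ?token[]=x, and
// trim() on an array throws a TypeError on PHP 8 (warning + null on 7.x).
// Anything that is not a string is treated as "no token".
$rawToken = $_GET['token'] ?? '';
$token = is_string($rawToken) ? trim($rawToken) : '';

// get_invite() is expected to return the invite row (use_count, max_uses,
// expires_at, email, role, created_by, creator_name are read below) or a
// falsy value when the token is unknown — its lookup is not visible here.
$invite = $token !== '' ? get_invite($token) : null;

$errors = [];
$success = false;

if (!$invite) {
    $errors[] = 'Invalid or missing invite link.';
} else {
    // Structural checks only (use count, expiry). The email binding, if the
    // invite has one, is enforced against the submitted address on POST.
    if ($invite['use_count'] >= $invite['max_uses']) {
        $errors[] = 'This invite has already been used the maximum number of times.';
    }
    // strtotime() returns false for an unparsable timestamp; false < time()
    // is true, so a malformed expiry is treated as expired (fails closed).
    if ($invite['expires_at'] && strtotime($invite['expires_at']) < time()) {
        $errors[] = 'This invite link has expired.';
    }
}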
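if (empty($errors) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    verify_csrf();

    // Form fields are expected as strings, but a crafted request can send
    // arrays (username[]=x), and trim()/strlen() on an array throw a
    // TypeError on PHP 8. Coerce anything that is not a string to '' so it
    // simply fails validation below instead of crashing the request.
    $field = static function (string $key) {
        $value = $_POST[$key] ?? '';
        return is_string($value) ? $value : '';
    };
    $username = trim($field('username'));
    $email    = trim($field('email'));
    $password = $field('password'); // deliberately not trimmed
    $confirm  = $field('confirm');

    if (strlen($username) < 3) $errors[] = 'Username must be at least 3 characters.';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) $errors[] = 'Invalid email address.';
    // An invite bound to an address may only register that address
    // (case-insensitive). The readonly attribute on the form field is
    // cosmetic; this server-side comparison is the actual control.
    if (!empty($invite['email']) && strtolower($invite['email']) !== strtolower($email)) {
        $errors[] = 'This invite was created for a specific email address that does not match.';
    }
    // NOTE(review): strlen() counts bytes, so this minimum is looser than the
    // form's minlength="8" for multibyte input. If create_user() hashes with
    // bcrypt, only the first 72 bytes of the password are significant — confirm.
    if (strlen($password) < 8) $errors[] = 'Password must be at least 8 characters.';
    if ($password !== $confirm) $errors[] = 'Passwords do not match.';

    // Uniqueness pre-check (parameterised). This is advisory only: two
    // concurrent registrations can both pass it, so the users table should
    // also carry UNIQUE constraints on username and email — not verifiable here.
    if (empty($errors)) {
        $dup = db()->prepare("SELECT id FROM users WHERE username = ? OR email = ?");
        $dup->execute([$username, $email]);
        if ($dup->fetch()) $errors[] = 'Username or email is already registered.';
    }

    if (empty($errors)) {
        // Role and creator are taken from the invite row, never from the request.
        $userId = create_user($username, $email, $password, $invite['role'], (int)$invite['created_by']);
        // NOTE(review): the max_uses check ran on a row read at the top of this
        // request; concurrent submissions of the same token can exceed max_uses
        // unless use_invite() enforces the limit atomically — confirm.
        use_invite($token, $userId);
        // NOTE(review): auth_login()'s result is not checked, and it is assumed
        // to regenerate the session id on success — confirm in auth.php.
        auth_login($username, $password);
        flash('success', 'Welcome to IndexGram! Your account has been created.');
        header('Location: ' . base_url('admin/')); exit;
    }
}

$meta = build_meta(['title' => 'Register — ' . get_setting('site_title', SITE_NAME)]);
include ROOT_PATH . '/includes/header.php';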
?>
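<div class="window login-window" style="max-width:480px;margin:40px auto">
<div class="win-titlebar">📥 Create Account via Invite</div>
<div class="win-body">
<?php if (!empty($errors)): ?>
<div class="flash flash-error">
<?php foreach ($errors as $e): ?><p><?= h($e) ?></p><?php endforeach; ?>
</div>
<?php endif; ?>
<?php
// Render the form only when a matching invite exists: either its pre-checks
// passed cleanly, or this is a POST being re-displayed with validation
// errors. Without an invite the POST branch never runs, so the form could
// never succeed and showing it would only mislead. (The original condition
// also showed the form on any POST, even with no valid token.)
?>
<?php if ($invite && (empty($errors) || $_SERVER['REQUEST_METHOD'] === 'POST')): ?>
<p>You've been invited to join as: <strong><?= h(ucfirst($invite['role'])) ?></strong>
(by <?= h($invite['creator_name'] ?? 'an admin') ?>)</p>
<form method="post" autocomplete="on">
<?php // Escaped like every other dynamic value; a no-op for hex/base64 tokens. ?>
<input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
<div class="form-group">
<label for="username">Username</label>
<input type="text" id="username" name="username" class="input-full"
value="<?= h($_POST['username'] ?? '') ?>" required minlength="3" autocomplete="username">
</div>
<div class="form-group">
<label for="email">Email
<?php if (!empty($invite['email'])): ?>(must be <?= h($invite['email']) ?>)<?php endif; ?>
</label>
<?php // readonly is UX only; the address is re-checked against the invite on POST. ?>
<input type="email" id="email" name="email" class="input-full"
value="<?= h($_POST['email'] ?? $invite['email'] ?? '') ?>" required autocomplete="email"
<?= !empty($invite['email']) ? 'readonly' : '' ?>>
</div>
<div class="form-group">
<label for="password">Password <small>(min 8 chars)</small></label>
<input type="password" id="password" name="password" class="input-full" required minlength="8" autocomplete="new-password">
</div>
<div class="form-group">
<label for="confirm">Confirm Password</label>
<input type="password" id="confirm" name="confirm" class="input-full" required autocomplete="new-password">
</div>
<div class="form-actions">
<button type="submit" class="button">Create Account</button>
</div>
</form>
<?php endif; ?>
</div>
</div>
<?php include ROOT_PATH . '/includes/footer.php'; ?>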