From fa09f6cc09a31aa3b4c8a86a4499f9eb2942f4c6 Mon Sep 17 00:00:00 2001
From: Jukka Lampikoski <jukka@lampikoski.com>
Date: Mon, 9 Mar 2026 17:52:14 +0200
Subject: [PATCH] Add admin_update_user API endpoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 api.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/api.php b/api.php
index a4dbaa6..fe63fc8 100644
--- a/api.php
+++ b/api.php
@@ -889,6 +889,25 @@ switch ($action) {
         }
         ok(['users' => $result]);
 
+    case 'admin_update_user':
+        if (!isAdmin()) err('Unauthorized', 403);
+        $userId = $body['userId'] ?? '';
+        if (!$userId) err('Missing userId');
+        $users = readData('users.json', []);
+        $found = false;
+        foreach ($users as &$u) {
+            if ($u['id'] === $userId) {
+                if (isset($body['email']))    $u['email']    = htmlspecialchars(trim($body['email']), ENT_QUOTES | ENT_HTML5, 'UTF-8');
+                if (isset($body['nickname'])) $u['nickname'] = htmlspecialchars(trim($body['nickname']), ENT_QUOTES | ENT_HTML5, 'UTF-8');
+                $found = true;
+                break;
+            }
+        }
+        unset($u);
+        if (!$found) err('User not found');
+        writeData('users.json', $users);
+        ok();
+
     // ─── Käyttäjätunnukset ─────────────────────────────────────
     case 'user_register':
         $nickname = trim($body['nickname'] ?? '');