user profile

public/userarea/ajax/employee_profile/download_training_attachment.php

@@ -0,0 +1,56 @@
+<?php
+require_once(__DIR__ . '/../auth_check.php');
+require_once(__DIR__ . '/../../class/db-functions.php');
+
+$id = (int)($_GET['id'] ?? 0);
+if ($id <= 0) {
+    http_response_code(400);
+    exit('ID non valido.');
+}
+
+$pdo = DBHandlerSelect::getInstance()->getConnection();
+
+$stmt = $pdo->prepare("
+    SELECT a.*, t.employee_id, e.auth_user_id
+    FROM employee_training_attachments a
+    JOIN employee_trainings t ON t.id = a.training_id
+    JOIN employees e ON e.id = t.employee_id
+    WHERE a.id = :id
+    LIMIT 1
+");
+$stmt->execute(['id' => $id]);
+$att = $stmt->fetch(PDO::FETCH_ASSOC);
+if (!$att) {
+    http_response_code(404);
+    exit('Allegato non trovato.');
+}
+
+/* Access: HR or owning employee */
+$roleStmt = $pdo->prepare("
+    SELECT r.name FROM auth_users u
+    LEFT JOIN auth_roles r ON r.id = u.role_id
+    WHERE u.id = :id LIMIT 1
+");
+$roleStmt->execute(['id' => $currentUserId]);
+$role = (string)$roleStmt->fetchColumn();
+$hrRoles = ['Admin', 'Superuser', 'employee-hr', 'manager'];
+$isHr = in_array($role, $hrRoles, true);
+
+if (!$isHr && (int)$att['auth_user_id'] !== $currentUserId) {
+    http_response_code(403);
+    exit('Accesso negato.');
+}
+
+$path = __DIR__ . '/../../files/employees/' . (int)$att['employee_id'] . '/trainings/' . $att['stored_name'];
+if (!is_file($path)) {
+    http_response_code(404);
+    exit('File non trovato sul server.');
+}
+
+while (ob_get_level() > 0) { ob_end_clean(); }
+header('Content-Type: ' . (!empty($att['mime_type']) ? $att['mime_type'] : 'application/octet-stream'));
+header('Content-Disposition: attachment; filename="' . rawurlencode($att['original_name']) . '"');
+header('Content-Length: ' . filesize($path));
+header('Cache-Control: private, max-age=0, must-revalidate');
+readfile($path);
+exit;