user profile

public/userarea/ajax/employee_profile/get_training_attachments.php

@@ -0,0 +1,58 @@
+<?php
+require_once(__DIR__ . '/../auth_check.php');
+require_once(__DIR__ . '/../../class/db-functions.php');
+
+header('Content-Type: application/json');
+
+$trainingId = (int)($_GET['training_id'] ?? 0);
+if ($trainingId <= 0) {
+    echo json_encode(['success' => false, 'message' => 'ID formazione non valido.']);
+    exit;
+}
+
+$pdo = DBHandlerSelect::getInstance()->getConnection();
+
+/* Access: HR or owner */
+$ownerStmt = $pdo->prepare("
+    SELECT e.auth_user_id
+    FROM employee_trainings t
+    JOIN employees e ON e.id = t.employee_id
+    WHERE t.id = :id LIMIT 1
+");
+$ownerStmt->execute(['id' => $trainingId]);
+$ownerAuthUserId = $ownerStmt->fetchColumn();
+if ($ownerAuthUserId === false) {
+    echo json_encode(['success' => false, 'message' => 'Formazione non trovata.']);
+    exit;
+}
+
+$roleStmt = $pdo->prepare("
+    SELECT r.name FROM auth_users u
+    LEFT JOIN auth_roles r ON r.id = u.role_id
+    WHERE u.id = :id LIMIT 1
+");
+$roleStmt->execute(['id' => $currentUserId]);
+$role = (string)$roleStmt->fetchColumn();
+$hrRoles = ['Admin', 'Superuser', 'employee-hr', 'manager'];
+$isHr = in_array($role, $hrRoles, true);
+
+if (!$isHr && (int)$ownerAuthUserId !== $currentUserId) {
+    http_response_code(403);
+    echo json_encode(['success' => false, 'message' => 'Accesso negato.']);
+    exit;
+}
+
+$stmt = $pdo->prepare("
+    SELECT id, original_name, mime_type, size, created_at
+    FROM employee_training_attachments
+    WHERE training_id = :tid
+    ORDER BY created_at DESC
+");
+$stmt->execute(['tid' => $trainingId]);
+$attachments = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+echo json_encode([
+    'success'     => true,
+    'attachments' => $attachments,
+    'can_edit'    => $isHr,
+]);