user profile

public/userarea/ajax/employee_profile/get_training_log.php

@@ -0,0 +1,57 @@
+<?php
+require_once(__DIR__ . '/../auth_check.php');
+require_once(__DIR__ . '/../../class/db-functions.php');
+
+header('Content-Type: application/json');
+
+$trainingId = (int)($_GET['training_id'] ?? 0);
+if ($trainingId <= 0) {
+    echo json_encode(['success' => false, 'message' => 'ID formazione non valido.']);
+    exit;
+}
+
+$pdo = DBHandlerSelect::getInstance()->getConnection();
+
+/* Access: HR or owner */
+$ownerStmt = $pdo->prepare("
+    SELECT e.auth_user_id
+    FROM employee_trainings t
+    JOIN employees e ON e.id = t.employee_id
+    WHERE t.id = :id LIMIT 1
+");
+$ownerStmt->execute(['id' => $trainingId]);
+$ownerAuthUserId = $ownerStmt->fetchColumn();
+if ($ownerAuthUserId === false) {
+    echo json_encode(['success' => false, 'message' => 'Formazione non trovata.']);
+    exit;
+}
+
+$roleStmt = $pdo->prepare("
+    SELECT r.name FROM auth_users u
+    LEFT JOIN auth_roles r ON r.id = u.role_id
+    WHERE u.id = :id LIMIT 1
+");
+$roleStmt->execute(['id' => $currentUserId]);
+$role = (string)$roleStmt->fetchColumn();
+$hrRoles = ['Admin', 'Superuser', 'employee-hr', 'manager'];
+$isHr = in_array($role, $hrRoles, true);
+
+if (!$isHr && (int)$ownerAuthUserId !== $currentUserId) {
+    http_response_code(403);
+    echo json_encode(['success' => false, 'message' => 'Accesso negato.']);
+    exit;
+}
+
+$stmt = $pdo->prepare("
+    SELECT l.id, l.action, l.field, l.old_value, l.new_value, l.changed_at,
+           TRIM(CONCAT(COALESCE(u.first_name,''),' ',COALESCE(u.last_name,''))) AS changed_by_name,
+           u.email AS changed_by_email
+    FROM employee_training_log l
+    LEFT JOIN auth_users u ON u.id = l.changed_by
+    WHERE l.training_id = :tid
+    ORDER BY l.changed_at DESC, l.id DESC
+");
+$stmt->execute(['tid' => $trainingId]);
+$entries = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+echo json_encode(['success' => true, 'entries' => $entries]);