user profile

public/userarea/ajax/hr_auth_check.php

@@ -0,0 +1,32 @@
+<?php
+/**
+ * HR auth check for AJAX endpoints that require HR-management permissions.
+ * Allowed roles: Admin, User, Superuser, employee-hr, manager.
+ * Sets $currentUserId and $currentUserRole, or returns 401/403 JSON.
+ */
+require_once(__DIR__ . '/auth_check.php');
+require_once(__DIR__ . '/../class/db-functions.php');
+
+$pdo = DBHandlerSelect::getInstance()->getConnection();
+
+$stmt = $pdo->prepare("
+    SELECT r.name AS role_name
+    FROM auth_users u
+    LEFT JOIN auth_roles r ON r.id = u.role_id
+    WHERE u.id = :id
+    LIMIT 1
+");
+$stmt->execute(['id' => $currentUserId]);
+$currentUserRole = (string)$stmt->fetchColumn();
+
+$allowedHrRoles = ['Admin', 'Superuser', 'employee-hr', 'manager'];
+
+if (!in_array($currentUserRole, $allowedHrRoles, true)) {
+    header('Content-Type: application/json');
+    http_response_code(403);
+    echo json_encode([
+        'success' => false,
+        'message' => 'Permessi insufficienti per questa operazione.',
+    ]);
+    exit;
+}