<?php
require_once(__DIR__ . '/../auth_check.php');
require_once(__DIR__ . '/../../class/db-functions.php');

header('Content-Type: application/json');

$trainingId = (int)($_GET['training_id'] ?? 0);
if ($trainingId <= 0) {
    echo json_encode(['success' => false, 'message' => 'ID formazione non valido.']);
    exit;
}

$pdo = DBHandlerSelect::getInstance()->getConnection();

/* Access: HR or owner */
$ownerStmt = $pdo->prepare("
    SELECT e.auth_user_id
    FROM employee_trainings t
    JOIN employees e ON e.id = t.employee_id
    WHERE t.id = :id LIMIT 1
");
$ownerStmt->execute(['id' => $trainingId]);
$ownerAuthUserId = $ownerStmt->fetchColumn();
if ($ownerAuthUserId === false) {
    echo json_encode(['success' => false, 'message' => 'Formazione non trovata.']);
    exit;
}

$roleStmt = $pdo->prepare("
    SELECT r.name FROM auth_users u
    LEFT JOIN auth_roles r ON r.id = u.role_id
    WHERE u.id = :id LIMIT 1
");
$roleStmt->execute(['id' => $currentUserId]);
$role = (string)$roleStmt->fetchColumn();
$hrRoles = ['Admin', 'Superuser', 'employee-hr', 'manager'];
$isHr = in_array($role, $hrRoles, true);

if (!$isHr && (int)$ownerAuthUserId !== $currentUserId) {
    http_response_code(403);
    echo json_encode(['success' => false, 'message' => 'Accesso negato.']);
    exit;
}

$stmt = $pdo->prepare("
    SELECT id, original_name, mime_type, size, created_at
    FROM employee_training_attachments
    WHERE training_id = :tid
    ORDER BY created_at DESC
");
$stmt->execute(['tid' => $trainingId]);
$attachments = $stmt->fetchAll(PDO::FETCH_ASSOC);

echo json_encode([
    'success'     => true,
    'attachments' => $attachments,
    'can_edit'    => $isHr,
]);