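getConnection();

// Load the document together with the auth user id of the employee who owns it;
// the ownership check below compares that id with the current user.
$stmt = $pdo->prepare(" SELECT d.*, e.auth_user_id FROM employee_documents d JOIN employees e ON e.id = d.employee_id WHERE d.id = :id LIMIT 1 ");
$stmt->execute(['id' => $id]);
$doc = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$doc) {
    http_response_code(404);
    exit('Documento non trovato.');
}

/* Access check: HR roles can download any; otherwise only own employee.
   The role is re-read from the database on every request instead of being
   trusted from the session, so a role change takes effect immediately. */
$roleStmt = $pdo->prepare(" SELECT r.name FROM auth_users u LEFT JOIN auth_roles r ON r.id = u.role_id WHERE u.id = :id LIMIT 1 ");
$roleStmt->execute(['id' => $currentUserId]);
// fetchColumn() yields false when the user has no role row; the cast turns that into ''.
$role = (string)$roleStmt->fetchColumn();
$hrRoles = ['Admin', 'Superuser', 'employee-hr', 'manager'];
$isHr = in_array($role, $hrRoles, true);
// Strict comparison on purpose: an employee row with a NULL auth_user_id casts to 0
// and must not match. NOTE(review): assumes $currentUserId is a non-zero int set
// by the caller before this point — confirm.
if (!$isHr && (int)$doc['auth_user_id'] !== $currentUserId) {
    http_response_code(403);
    exit('Accesso negato.');
}

// Path traversal guard: stored_name comes from the database, but a row could have
// been written with separators or '..' in it. Reduce it to a bare file name and
// confirm the resolved path still lives inside the employee's documents directory.
// (A stored file that is a symlink pointing outside that directory is rejected too.)
$documentsDir = __DIR__ . '/../../files/employees/' . (int)$doc['employee_id'] . '/documents';
$path = $documentsDir . '/' . basename((string)$doc['stored_name']);
$realDir = realpath($documentsDir);
$realPath = realpath($path);
$insideDir = $realDir !== false
    && $realPath !== false
    && strncmp($realPath, $realDir . DIRECTORY_SEPARATOR, strlen($realDir) + 1) === 0;
if (!$insideDir || !is_file($realPath)) {
    http_response_code(404);
    exit('File non trovato sul server.');
}

// Discard any buffered output so the binary body is sent untouched.
while (ob_get_level() > 0) {
    ob_end_clean();
}

// Only a syntactically valid "type/subtype" from the row is passed through; anything
// else falls back to the generic binary type, so a malformed DB value cannot shape
// the response header.
$mimeType = !empty($doc['mime_type']) ? (string)$doc['mime_type'] : '';
if ($mimeType === '' || !preg_match('~^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$~', $mimeType)) {
    $mimeType = 'application/octet-stream';
}

// RFC 6266 file name: an ASCII fallback in filename= (quotes, backslashes, separators
// and control characters replaced) plus the UTF-8 original in filename*= so browsers
// show the real name instead of a percent-encoded one.
$originalName = basename((string)$doc['original_name']);
$asciiName = (string)preg_replace('/[^\x20-\x7E]/', '_', $originalName);
$asciiName = str_replace(['"', '\\', ';'], '_', $asciiName);
if ($asciiName === '') {
    $asciiName = 'download';
}

$size = filesize($realPath);
header('Content-Type: ' . $mimeType);
// Keep browsers from sniffing a different type out of the bytes we send.
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $asciiName . '"; filename*=UTF-8\'\'' . rawurlencode($originalName));
if ($size !== false) {
    header('Content-Length: ' . $size);
}
header('Cache-Control: private, max-age=0, must-revalidate');
readfile($realPath);
exit;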