<?php
/**
 * HR auth check for AJAX endpoints that require HR-management permissions.
 * Allowed roles: Admin, User, Superuser, employee-hr, manager.
 * Sets $currentUserId and $currentUserRole, or returns 401/403 JSON.
 */
require_once(__DIR__ . '/auth_check.php');
require_once(__DIR__ . '/../class/db-functions.php');

$pdo = DBHandlerSelect::getInstance()->getConnection();

$stmt = $pdo->prepare("
    SELECT r.name AS role_name
    FROM auth_users u
    LEFT JOIN auth_roles r ON r.id = u.role_id
    WHERE u.id = :id
    LIMIT 1
");
$stmt->execute(['id' => $currentUserId]);
$currentUserRole = (string)$stmt->fetchColumn();

$allowedHrRoles = ['Admin', 'Superuser', 'employee-hr', 'manager'];

if (!in_array($currentUserRole, $allowedHrRoles, true)) {
    header('Content-Type: application/json');
    http_response_code(403);
    echo json_encode([
        'success' => false,
        'message' => 'Permessi insufficienti per questa operazione.',
    ]);
    exit;
}