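query("SHOW COLUMNS FROM sales_users LIKE 'role'");
        $exists = ($result && $result->num_rows > 0);
        // If column doesn't exist, try to add it
        if (!$exists) {
            $db->query("ALTER TABLE sales_users ADD COLUMN role VARCHAR(50) DEFAULT 'agent'");
            $exists = true;
        }
    }
    return $exists;
}

/**
 * Handle login action.
 *
 * Reads a JSON body carrying `username` and `password`, checks the password
 * against the hash stored in `sales_users`, and on success populates the
 * session and sets the `telvero_remember` recovery cookie. Emits a JSON
 * response in every branch.
 *
 * @param mysqli $db Database connection
 * @return void
 */
function handleLogin(mysqli $db): void
{
    $input = json_decode((string) file_get_contents('php://input'), true);
    if (!is_array($input)) {
        // Malformed or non-object JSON: treat as empty credentials rather than
        // reading offsets on null.
        $input = [];
    }
    // Both fields are untrusted. Coerce to string so password_verify() never
    // receives null (a deprecation / TypeError depending on PHP version).
    $username = (string) ($input['username'] ?? '');
    $password = (string) ($input['password'] ?? '');

    // Check if role column exists and use appropriate query
    $sql = roleColumnExists($db)
        ? "SELECT password, full_name, role FROM sales_users WHERE username = ?"
        : "SELECT password, full_name, 'agent' as role FROM sales_users WHERE username = ?";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // A failed prepare must not become an uncaught fatal on the login path.
        http_response_code(500);
        echo json_encode(['error' => 'Login mislukt']);
        return;
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $result = $stmt->get_result();
    $res = $result ? $result->fetch_assoc() : null;
    $stmt->close();

    // Unknown user and wrong password produce the same response so the
    // client learns nothing about which usernames exist.
    if (!$res || !password_verify($password, (string) ($res['password'] ?? ''))) {
        http_response_code(401);
        echo json_encode(['error' => 'Login mislukt']);
        return;
    }

    $role = $res['role'] ?? 'agent';

    // Rotate the session id on this privilege change so a session id that was
    // planted before authentication (session fixation) is not promoted.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user'] = $username;
    $_SESSION['full_name'] = $res['full_name'];
    $_SESSION['role'] = $role;

    // Recovery cookie payload
    // NOTE(review): this is plain base64(JSON) with no signature, so every field
    // in it — including `role` — can be rewritten by the client. Any code that
    // restores a session from this cookie must not trust it as-is; attach an
    // HMAC over the payload with a server-side secret and check it with
    // hash_equals(), or re-read the role from the database on restore.
    $cookie_payload = base64_encode(json_encode([
        'user' => $username,
        'full_name' => $res['full_name'],
        'role' => $role,
        'expires' => MIDNIGHT_TIMESTAMP,
    ]));
    // Some SAPIs set $_SERVER['HTTPS'] to 'off' on plain HTTP, so a bare isset()
    // is not a reliable TLS check.
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie('telvero_remember', $cookie_payload, MIDNIGHT_TIMESTAMP, '/', '', $isHttps, true);

    echo json_encode([
        'success' => true,
        'user' => $res['full_name'],
        'role' => $role,
    ]);
}

/**
 * Handle session check action.
 *
 * Reports whether the current session is authenticated and, if so, the
 * display name (falling back to the username) and role.
 *
 * @return void
 */
function handleCheckSession(): void
{
    if (!isset($_SESSION['user'])) {
        echo json_encode(['authenticated' => false]);
        return;
    }
    echo json_encode([
        'authenticated' => true,
        'user' => $_SESSION['full_name'] ?? $_SESSION['user'],
        'role' => $_SESSION['role'] ?? 'agent',
    ]);
}

/**
 * Handle logout action.
 *
 * Clears the session data, destroys the server-side session, expires the
 * PHP session cookie and the `telvero_remember` recovery cookie.
 *
 * @return void
 */
function handleLogout(): void
{
    // Clear in-memory data as well so nothing later in this request can still
    // read the old identity.
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        // Expire the session cookie too; session_destroy() alone leaves the old
        // id in the browser, which would otherwise be re-sent on the next request.
        if (ini_get('session.use_cookies')) {
            $params = session_get_cookie_params();
            setcookie(
                session_name(),
                '',
                time() - 3600,
                $params['path'],
                $params['domain'],
                $params['secure'],
                $params['httponly']
            );
        }
        session_destroy();
    }
    setcookie('telvero_remember', '', time() - 3600, '/');
    echo json_encode(['success' => true]);
}

/**
 * Check if user is authenticated.
 *
 * @return bool
 */
function isAuthenticated(): bool
{
    return array_key_exists('user', $_SESSION) && $_SESSION['user'] !== null;
}

/**
 * Check if user has administrator role.
 *
 * @return bool
 */
function isAdmin(): bool
{
    $role = $_SESSION['role'] ?? null;
    return $role === 'administrator';
}

/**
 * Get current user's role, defaulting to 'agent' when none is stored.
 *
 * @return string
 */
function getUserRole(): string
{
    if (!isset($_SESSION['role'])) {
        return 'agent';
    }
    return $_SESSION['role'];
}

/**
 * Get current username, or null when nobody is logged in.
 *
 * @return string|null
 */
function getCurrentUsername(): ?string
{
    return isset($_SESSION['user']) ? $_SESSION['user'] : null;
}

/**
 * Require authentication - exits if not authenticated.
 *
 * @return void
 */
function requireAuth(): void
{
    if (isAuthenticated()) {
        return;
    }
    http_response_code(403);
    echo json_encode(['error' => 'Not authenticated']);
    exit;
}

/**
 * Require administrator role - exits if not admin.
 * Logs unauthorized access attempts.
 *
 * @param mysqli $db Database connection for logging
 * @param string $page The page being accessed
 * @return void
 */
function requireAdmin(mysqli $db, string $page): void
{
    if (!isAuthenticated()) {
        logUnauthorizedAccess($db, null, $page, 'not_authenticated');
        http_response_code(403);
        die("Toegang geweigerd. Log eerst in.");
    }
    if (!isAdmin()) {
        logUnauthorizedAccess($db, getCurrentUsername(), $page, 'insufficient_permissions');
        http_response_code(403);
        die("Toegang geweigerd. U heeft geen toegang tot deze pagina.");
    }
}

/**
 * Log unauthorized access attempt to the database.
 *
 * Best-effort: a logging failure is reported via error_log() but never
 * interrupts the caller's deny path.
 *
 * @param mysqli $db Database connection
 * @param string|null $username The username attempting access (null if not logged in)
 * @param string $page The page being accessed
 * @param string $reason The reason for denial
 * @return void
 */
function logUnauthorizedAccess(mysqli $db, ?string $username, string $page, string $reason): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown';
    // User-Agent is attacker-controlled. Without this flag a single invalid
    // UTF-8 byte makes json_encode() return false and the audit record would be
    // written with empty details; with it the bad string is replaced by null.
    $details = json_encode([
        'page' => $page,
        'reason' => $reason,
        'ip' => $ip,
        'user_agent' => $userAgent,
    ], JSON_PARTIAL_OUTPUT_ON_ERROR);
    if ($details === false) {
        $details = '{}';
    }
    // NOTE(review): $details is unbounded (User-Agent length is client-chosen);
    // confirm sales_logs.details is a TEXT-type column so long values are not rejected.

    $stmt = $db->prepare("INSERT INTO sales_logs (username, action_type, details, created_at) VALUES (?, 'unauthorized_access', ?, NOW())");
    if ($stmt === false) {
        error_log('logUnauthorizedAccess: prepare failed: ' . $db->error);
        return;
    }
    $usernameForLog = $username ?? 'anonymous';
    $stmt->bind_param("ss", $usernameForLog, $details);
    if (!$stmt->execute()) {
        // Audit writes failing silently would hide exactly the events we want to see.
        error_log('logUnauthorizedAccess: execute failed: ' . $stmt->error);
    }
    $stmt->close();
}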