auth_check.php

<?php
/**
 * auth_check.php
 * Role-based Access Control (RBAC) helper functions
 * Include this file at the top of pages that need authentication/authorization
 */

require_once 'config.php';

/**
 * Check if user is logged in
 * @return bool
 */
function is_logged_in()
{
    return isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true;
}

/**
 * Get current user's role
 * @return string|null Returns 'admin', 'client', 'customer', or null
 */
function get_user_role()
{
    return $_SESSION['role'] ?? null;
}

/**
 * Get current user's ID
 * @return mixed
 */
function get_user_id()
{
    return $_SESSION['userid'] ?? null;
}

/**
 * Get current user's name
 * @return string|null
 */
function get_user_name()
{
    return $_SESSION['name'] ?? null;
}

/**
 * Check if current user is admin
 * @return bool
 */
function is_admin()
{
    return get_user_role() === 'admin';
}

/**
 * Check if current user is client
 * @return bool
 */
function is_client()
{
    return get_user_role() === 'client';
}

/**
 * Check if current user is customer
 * @return bool
 */
function is_customer()
{
    return get_user_role() === 'customer';
}

/**
 * Require authentication - redirect to login if not logged in
 * @param string $redirect_to Page to redirect after login
 */
function require_auth($redirect_to = 'index.php')
{
    if (!is_logged_in()) {
        $_SESSION['redirect_after_login'] = $_SERVER['REQUEST_URI'];
        header("Location: $redirect_to");
        exit;
    }
}

/**
 * Require admin role - redirect to home if not admin
 * @param string $redirect_to Page to redirect if not authorized
 */
function require_admin($redirect_to = 'home.php')
{
    require_auth();
    if (!is_admin()) {
        $_SESSION['error_message'] = 'Access denied. Admin privileges required.';
        header("Location: $redirect_to");
        exit;
    }
}

/**
 * Require client role - redirect to home if not client
 * @param string $redirect_to Page to redirect if not authorized
 */
function require_client($redirect_to = 'home.php')
{
    require_auth();
    if (!is_client()) {
        $_SESSION['error_message'] = 'Access denied. Client privileges required.';
        header("Location: $redirect_to");
        exit;
    }
}

/**
 * Require admin or client role (exclude customers)
 * @param string $redirect_to Page to redirect if not authorized
 */
function require_admin_or_client($redirect_to = 'home.php')
{
    require_auth();
    if (!is_admin() && !is_client()) {
        $_SESSION['error_message'] = 'Access denied. Insufficient privileges.';
        header("Location: $redirect_to");
        exit;
    }
}

/**
 * Check if user has access to a specific diamond
 * Admin: access all diamonds
 * Client: access all available diamonds
 * Customer: only access diamonds shared via invite
 * 
 * @param int $diamond_id
 * @return bool
 */
function can_access_diamond($diamond_id)
{
    if (is_admin()) {
        return true; // Admin can access all diamonds
    }

    if (is_client()) {
        return true; // Clients can access all available diamonds
    }

    if (is_customer()) {
        // Customers can only access diamonds shared with them via invite
        // This would require checking the invite_diamonds table (to be implemented)
        return false; // For now, deny customer access
    }

    return false;
}

/**
 * Get redirect URL based on user role after login
 * @return string
 */
function get_role_home_page()
{
    if (is_admin()) {
        return 'home.php'; // Admin dashboard
    } elseif (is_client()) {
        return 'client_dashboard.php'; // Client dashboard
    } elseif (is_customer()) {
        return 'home.php'; // Customer view (limited)
    }
    return 'home.php'; // Default
}

/**
 * Display flash message if exists
 * @param string $key Session key for the message (default: 'message')
 * @return string HTML for the message
 */
function get_flash_message($key = 'message')
{
    if (isset($_SESSION[$key])) {
        $message = $_SESSION[$key];
        $type = $_SESSION[$key . '_type'] ?? 'info';
        unset($_SESSION[$key]);
        unset($_SESSION[$key . '_type']);

        $color_map = [
            'success' => 'green',
            'error' => 'red',
            'warning' => 'yellow',
            'info' => 'blue'
        ];

        $color = $color_map[$type] ?? 'blue';

        return "<div class='mb-4 rounded-md bg-{$color}-50 border border-{$color}-200 px-4 py-3 text-{$color}-800' role='alert'>
                    <i class='fas fa-info-circle mr-2'></i>" . htmlspecialchars($message) . "
                </div>";
    }
    return '';
}

/**
 * Set flash message
 * @param string $message
 * @param string $type 'success', 'error', 'warning', 'info'
 * @param string $key Session key for the message (default: 'message')
 */
function set_flash_message($message, $type = 'info', $key = 'message')
{
    $_SESSION[$key] = $message;
    $_SESSION[$key . '_type'] = $type;
}

/**
 * Log activity (optional - for audit trail)
 * @param string $action
 * @param string $details
 * @param int|null $user_id
 */
function log_activity($action, $details = '', $user_id = null)
{
    global $conn;

    if ($user_id === null) {
        $user_id = get_user_id();
    }

    // Optional: Create activity_log table and insert records
    // For now, this is a placeholder
    error_log("Activity Log: User $user_id - $action - $details");
}

/**
 * Generate secure random token for invites
 * @param int $length Default 32 bytes (64 hex chars)
 * @return string
 */
function generate_secure_token($length = 32)
{
    return bin2hex(random_bytes($length));
}

/**
 * Validate token format
 * @param string $token
 * @return bool
 */
function is_valid_token($token)
{
    return preg_match('/^[a-f0-9]{64}$/i', $token);
}

/**
 * Format date for display
 * @param string $date
 * @param string $format
 * @return string
 */
function format_date($date, $format = 'M d, Y g:i A')
{
    return date($format, strtotime($date));
}

/**
 * Get system setting value
 * @param string $key
 * @param mixed $default
 * @return mixed
 */
function get_setting($key, $default = null)
{
    global $conn;

    $stmt = $conn->prepare("SELECT setting_value FROM system_settings WHERE setting_key = ?");
    if ($stmt) {
        $stmt->bind_param("s", $key);
        $stmt->execute();
        $result = $stmt->get_result();

        if ($result && $result->num_rows > 0) {
            $row = $result->fetch_assoc();
            return $row['setting_value'];
        }
        $stmt->close();
    }

    return $default;
}

/**
 * Get base URL for the application
 * @return string
 */
function get_base_url()
{
    $setting_url = get_setting('app_base_url');
    if ($setting_url) {
        return rtrim($setting_url, '/');
    }

    // Fallback: detect from server variables
    $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = $_SERVER['HTTP_HOST'];
    $script_path = dirname($_SERVER['SCRIPT_NAME']);

    return $protocol . '://' . $host . $script_path;
}

/**
 * Check rate limit for invite creation
 * @param int $client_id
 * @return bool True if under limit, false if exceeded
 */
function check_invite_rate_limit($client_id)
{
    global $conn;

    $max_daily = intval(get_setting('invite_max_per_client_daily', 20));

    $stmt = $conn->prepare("SELECT COUNT(*) as count FROM invites 
                           WHERE client_id = ? 
                           AND DATE(created_at) = CURDATE()");
    if ($stmt) {
        $stmt->bind_param("i", $client_id);
        $stmt->execute();
        $result = $stmt->get_result();

        if ($result && $result->num_rows > 0) {
            $row = $result->fetch_assoc();
            $stmt->close();
            return intval($row['count']) < $max_daily;
        }
        $stmt->close();
    }

    return true; // Allow by default if check fails
}

/**
 * Sanitize output for HTML display
 * @param string $text
 * @return string
 */
function h($text)
{
    return htmlspecialchars($text ?? '', ENT_QUOTES, 'UTF-8');
}

?>