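<?php

declare(strict_types=1);

/**
 * Authentication and Authorization Helper
 * Provides session management and role-based access control.
 *
 * Two session buckets are kept side by side: $_SESSION['internal_user']
 * (ADMIN / CAJERO / LECTOR) and $_SESSION['client_user'] (CLIENTE).
 * $_SESSION['user'] is a legacy alias that requireAuth() refreshes from the
 * active bucket on every protected request; logoutContext() always drops it
 * so a partial logout cannot leave a stale copy of the user behind.
 *
 * Depends on redirect() and the BASE_URL constant, defined elsewhere.
 */

/**
 * Internal helpers for multi-account context.
 * The active context is request-scoped: 'client' | 'internal' | 'auto'.
 */
function _setActiveContext(string $ctx): void
{
    $GLOBALS['_auth_context'] = $ctx;
}

function _getActiveContext(): string
{
    return $GLOBALS['_auth_context'] ?? 'auto';
}

/**
 * Map a context name to the session bucket that stores its user.
 * Anything other than 'client' resolves to the internal bucket.
 */
function _getBucketForContext(string $ctx): string
{
    return $ctx === 'client' ? 'client_user' : 'internal_user';
}

/**
 * Check if user is authenticated (any context).
 * The legacy $_SESSION['user'] bucket is still honoured for backward compat.
 */
function isAuthenticated(): bool
{
    return !empty($_SESSION['internal_user']['id'])
        || !empty($_SESSION['client_user']['id'])
        || !empty($_SESSION['user']['id']);
}

/**
 * Get current authenticated user.
 *
 * An explicit context ('client' / 'internal') wins when its bucket is
 * populated; otherwise auto-detect prefers internal, then client, then the
 * legacy bucket.
 *
 * @return array<string, mixed>|null
 */
function getCurrentUser(): ?array
{
    $ctx = _getActiveContext();
    if ($ctx === 'client' || $ctx === 'internal') {
        $bucket = _getBucketForContext($ctx);
        if (!empty($_SESSION[$bucket])) {
            return $_SESSION[$bucket];
        }
    }

    // Auto-detect (also reached when the explicit bucket is empty):
    // prefer internal if present, else client.
    foreach (['internal_user', 'client_user'] as $bucket) {
        if (!empty($_SESSION[$bucket])) {
            return $_SESSION[$bucket];
        }
    }

    // Fallback (legacy)
    return $_SESSION['user'] ?? null;
}

/**
 * Get current user role, '' when nobody is logged in or no role is stored.
 */
function getCurrentUserRole(): string
{
    $user = getCurrentUser();

    return (string) ($user['role'] ?? '');
}

/**
 * Check if current user has specific role
 */
function hasRole(string $role): bool
{
    return getCurrentUserRole() === $role;
}

/**
 * Check if current user has any of the specified roles
 *
 * @param list<string> $roles
 */
function hasAnyRole(array $roles): bool
{
    return in_array(getCurrentUserRole(), $roles, true);
}

/**
 * Convert role code to display label
 * e.g., ADMIN -> ADMINISTRADOR
 *
 * Unknown codes are returned upper-cased; null yields ''.
 */
function role_label(?string $role): string
{
    $map = [
        'ADMIN'   => 'ADMINISTRADOR',
        'CAJERO'  => 'CAJERO',
        'LECTOR'  => 'LECTOR',
        'CLIENTE' => 'CLIENTE',
    ];
    $key = strtoupper((string) $role);

    return $map[$key] ?? $key;
}

/**
 * Require authentication and optionally specific roles
 * Redirects to login if not authenticated or shows 403 if insufficient permissions
 *
 * The requested roles pick the session context: CLIENTE only -> client bucket,
 * internal roles only -> internal bucket, mixed or none -> whichever bucket is
 * populated (internal preferred). The chosen user is mirrored into the legacy
 * $_SESSION['user'] for code in this request that still reads it.
 *
 * @param list<string> $roles
 */
function requireAuth(array $roles = []): void
{
    // Decide context by roles requested
    $wantClient = in_array('CLIENTE', $roles, true);
    $wantInternal = array_intersect($roles, ['ADMIN', 'CAJERO', 'LECTOR']) !== [];

    if ($wantClient && !$wantInternal) {
        $ctx = 'client';
    } elseif ($wantInternal && !$wantClient) {
        $ctx = 'internal';
    } elseif (!empty($_SESSION['internal_user'])) {
        // Mixed or unspecified roles: prefer internal if exists, else client
        $ctx = 'internal';
    } elseif (!empty($_SESSION['client_user'])) {
        $ctx = 'client';
    } else {
        redirect('login');
        // Fail closed even if redirect() returns instead of terminating the
        // request; otherwise a role-less requireAuth() would render the page.
        exit;
    }

    _setActiveContext($ctx);
    $bucket = _getBucketForContext($ctx);
    if (empty($_SESSION[$bucket])) {
        redirect('login');
        exit; // same fail-closed guard as above
    }
    $_SESSION['user'] = $_SESSION[$bucket]; // expose for legacy code in this request

    if ($roles !== [] && !in_array(getCurrentUserRole(), $roles, true)) {
        http_response_code(403);
        showError403();
        exit;
    }
}

/**
 * Check role permissions for specific actions
 *
 * @param list<string> $allowedRoles
 */
function checkRole(array $allowedRoles): bool
{
    if (!isAuthenticated()) {
        return false;
    }

    return hasAnyRole($allowedRoles);
}

/**
 * Show 403 Forbidden error page
 * BASE_URL is escaped for the href attribute context before being echoed.
 */
function showError403(): void
{
    $home = htmlspecialchars((string) BASE_URL, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    echo <<<HTML
<!DOCTYPE html>
<html lang="es">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>403 - Acceso Prohibido</title>
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
</head>
<body class="bg-light">
    <div class="container mt-5">
        <div class="row justify-content-center">
            <div class="col-md-6">
                <div class="card">
                    <div class="card-body text-center">
                        <h1 class="text-danger">403</h1>
                        <h4>Acceso Prohibido</h4>
                        <p class="text-muted">No tienes permisos para acceder a esta página.</p>
                        <a href="{$home}" class="btn btn-primary">Volver al Inicio</a>
                    </div>
                </div>
            </div>
        </div>
    </div>
</body>
</html>
HTML;
}

/**
 * Redirect to appropriate dashboard based on user role
 * ADMIN and any unknown role land on the generic dashboard.
 */
function redirectToDashboard(): void
{
    if (!isAuthenticated()) {
        redirect('login');

        return;
    }

    $targets = [
        'CLIENTE' => 'cliente.dashboard',
        'CAJERO'  => 'facturas.index',
        'LECTOR'  => 'lecturas.index',
    ];
    redirect($targets[getCurrentUserRole()] ?? 'dashboard');
}

/**
 * Selective logout helper
 * type: 'cliente' | 'interno' | '' (all)
 *
 * The legacy $_SESSION['user'] alias is dropped on every variant: it is a
 * copy made by requireAuth() and would otherwise keep isAuthenticated() and
 * getCurrentUser() answering for a user who has just logged out. The alias is
 * rebuilt from the surviving bucket on the next protected request.
 */
function logoutContext(string $type = ''): void
{
    if ($type === 'cliente' || $type === 'interno') {
        $bucket = $type === 'cliente' ? 'client_user' : 'internal_user';
        unset($_SESSION[$bucket], $_SESSION['user']);

        return;
    }

    // Full logout: clear data, expire the cookie, destroy server-side state
    $_SESSION = [];
    unset($GLOBALS['_auth_context']);
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }
    session_destroy();
}

/**
 * Set flash message for next request
 */
function setFlashMessage(string $type, string $message): void
{
    $_SESSION['flash_' . $type] = $message;
}

/**
 * Get and clear flash message
 * Compares against null rather than truthiness so a message of '0' is
 * returned and cleared like any other.
 */
function getFlashMessage(string $type): ?string
{
    $key = 'flash_' . $type;
    $message = $_SESSION[$key] ?? null;
    if ($message !== null) {
        unset($_SESSION[$key]);
    }

    return $message;
}

/**
 * Check if user has flash message
 */
function hasFlashMessage(string $type): bool
{
    return isset($_SESSION['flash_' . $type]);
}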