WKVS/scripts/session_functions.php

<?php

function deleteSession() {
    $_SESSION = array();

    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }

    session_destroy();
}

function ini_wkvs_session(bool $set_csrf = false, bool $regenerate = false) {

    if (session_status() === PHP_SESSION_NONE) {
        session_name('wkvs_cookie'); 

        session_set_cookie_params([
            'lifetime' => 0,
            'path' => '/',
            'domain' => '',
            'secure' => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);

    
        session_start();
    }

    if ($regenerate) {
        session_regenerate_id(true);
    }
    if ($set_csrf && !isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(64));
    }
}

function verify_csrf() {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $token = $_POST['csrf_token'] ?? '';
        if (!hash_equals($_SESSION['csrf_token'], $token)) {
            http_response_code(403);
            die("Access Denied: Invalid CSRF Token.");
        }
    } else {
        http_response_code(403);
        die("Access Denied: Invalid Request Type.");
    }
}

$allowedUserTypes = ['trainer', 'kampfrichter', 'wk_leitung'];

function check_user_permission(string $type, bool $return = false) {
    global $allowedUserTypes;

    if (!in_array($type, $allowedUserTypes, true)) {
        if ($return) {
            return false;
        } else {
            http_response_code(403);
            die("Invalid User Type Configuration");
        }
    }

    $accessKey = "access_granted_{$type}";
    $idKey = "user_id_{$type}";

    $hasAccess = ($_SESSION[$accessKey] ?? false) === true;
    $hasValidId = isset($_SESSION[$idKey]) && intval($_SESSION[$idKey]) > 0;

    if (!$hasAccess || !$hasValidId) {
        if ($return) {
            return false;
        } else {
            http_response_code(403);
            die("Access Denied");
        }
    }

    if ($return) {
        return true;
    }
}

function check_multiple_allowed_permissions(array $types) {
    $authorized = false;
    
    foreach ($types as $type) {
        if (check_user_permission($type, true)) {
            $authorized = true;
            break; 
        }
    }

    if (!$authorized) {
        http_response_code(403);
        die("Access Denied");
    }
}