refactor session management and access control for improved security and maintainability

account.php

@@ -1,10 +1,6 @@
 <?php
 
-ini_set('display_errors', 1);
+require_once __DIR__ . '/lib/bootstrap.php';
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
 
 if (empty($_SESSION['user_id']))
 {
@@ -123,9 +119,11 @@ include 'header.php';
                     Schnellaktionen
                 </h2>
                 <div class="account__quick-actions">
+                    <?php if (!empty($_SESSION['user_roles']) && in_array('ADMIN', $_SESSION['user_roles'], true)): ?>
                     <a href="productAdder.php" class="auth__submit account__action-link">
                         Produkt hinzufügen
                     </a>
+                    <?php endif; ?>
                     <a href="wunschliste.php" class="auth__submit account__action-link account__action-link--secondary">
                         Meine Wunschliste
                     </a>

lib/bootstrap.php

@@ -2,6 +2,7 @@
 // Zentraler Bootstrap: muss vor jeglicher HTML-Ausgabe inkludiert werden.
 // - startet die Session genau einmal
 // - setzt sinnvolle PHP-Error-Settings für die Entwicklung
+// - lädt die Rollen des eingeloggten Users bei jedem Request
 
 ini_set('display_errors', '1');
 ini_set('display_startup_errors', '1');
@@ -10,3 +11,28 @@ error_reporting(E_ALL);
 if (session_status() !== PHP_SESSION_ACTIVE) {
     session_start();
 }
+
+// Rollen bei jedem Request aus der DB aktualisieren
+if (!empty($_SESSION['user_id'])) {
+    $__bsConn = new mysqli('localhost', 'FSST', 'L9wUNZZ9Qkbt', 'FSST', 3306);
+    if (!$__bsConn->connect_error) {
+        $__bsStmt = $__bsConn->prepare(
+            'SELECT r.name FROM userRoles ur JOIN roles r ON r.roleID = ur.roleID WHERE ur.userID = ?'
+        );
+        if ($__bsStmt) {
+            $__bsUid = (int)$_SESSION['user_id'];
+            $__bsStmt->bind_param('i', $__bsUid);
+            $__bsStmt->execute();
+            $__bsResult = $__bsStmt->get_result();
+            $_SESSION['user_roles'] = [];
+            while ($__bsRow = $__bsResult->fetch_assoc()) {
+                $_SESSION['user_roles'][] = $__bsRow['name'];
+            }
+            $__bsStmt->close();
+        }
+        $__bsConn->close();
+    }
+} else {
+    $_SESSION['user_roles'] = [];
+}
+

login.php

@@ -1,11 +1,7 @@
 <?php
 // login.php
 
-ini_set('display_errors', 1);
+require_once __DIR__ . '/lib/bootstrap.php';
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
 
 // 1) DB-Verbindung (einmal)
 $servername = "localhost";

logout.php

@@ -1,5 +1,5 @@
 <?php
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 /* Alle Session-Variablen löschen */
 $_SESSION = [];

productAdder.php

@@ -1,10 +1,21 @@
 <?php
 // product_add.php
 
-ini_set('display_errors', 1);
+require_once __DIR__ . '/lib/bootstrap.php';
-error_reporting(E_ALL);
 
-session_start();
+/* =======================
+   0) Zugriffskontrolle – nur ADMIN
+   ======================= */
+if (empty($_SESSION['user_id']) || empty($_SESSION['user_roles']) || !in_array('ADMIN', $_SESSION['user_roles'], true)) {
+    http_response_code(403);
+    include 'header.php';
+    echo '<main class="auth"><section class="auth__grid"><div class="auth__card">';
+    echo '<h2 class="auth__title">Zugriff verweigert</h2>';
+    echo '<p>Du hast keine Berechtigung, Produkte hinzuzufügen.</p>';
+    echo '</div></section></main>';
+    include 'footer.php';
+    exit;
+}
 
 /* =======================
    1) Kategorie aus GET

productpage.php

@@ -1,11 +1,7 @@
 <?php
 // productpage.php
 
-ini_set('display_errors', 1);
+require_once __DIR__ . '/lib/bootstrap.php';
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
 
 // 1) DB-Verbindung (einmal)
 $servername = "localhost";

register.php

@@ -1,11 +1,7 @@
 <?php
 // register.php
 
-ini_set('display_errors', 1);
+require_once __DIR__ . '/lib/bootstrap.php';
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
 
 require_once __DIR__ . '/lib/strings.php';
 

upload.php

@@ -1,11 +1,6 @@
 <?php
 
-// Produktion: keine PHP-Fehler im Browser ausgeben (Logs bleiben serverseitig)
+require_once __DIR__ . '/lib/bootstrap.php';
-ini_set('display_errors', 0);
-ini_set('display_startup_errors', 0);
-error_reporting(E_ALL);
-
-session_start();
 
 if (empty($_SESSION['user_id']))
 {

wunschliste.php

@@ -1,11 +1,7 @@
 <?php
 // wunschliste.php
 
-ini_set('display_errors', 1);
+require_once __DIR__ . '/lib/bootstrap.php';
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
 
 // 1) DB-Verbindung (einmal)
 $servername = "localhost";