projectbased/app/Lib/Auth.php
SHA-256: 3ef59e6d95f13e4c96c0ecd24a26df91450fee2d277a8e87b7d8f5bb87481d3a
<?php
namespace App\Lib;
use App\App;
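/**
 * Session-backed authentication and authorisation helpers.
 *
 * The only session state this class owns is $_SESSION['uid']. Everything
 * else about the user (roles included) is re-read from the users table on
 * every call to user(), so role changes take effect on the next request.
 */
final class Auth {
    /**
     * Load the currently logged-in user, or null when nobody is logged in
     * (no uid in the session, or the uid no longer matches a users row).
     *
     * @return array|null row with id,email,display_name,is_admin,is_super_admin,r_index,created_at
     */
    public static function user(): ?array {
        $id = $_SESSION['uid'] ?? null;
        if (!$id) {
            return null;
        }
        // Parameterised lookup: the session value is never interpolated into SQL.
        $stmt = App::db()->prepare('SELECT id,email,display_name,is_admin,is_super_admin,r_index,created_at FROM users WHERE id=?');
        $stmt->execute([$id]);
        $row = $stmt->fetch();
        // A stale uid (user since deleted) makes fetch() return false; treat as logged out.
        return $row ?: null;
    }

    /**
     * Return the logged-in user or redirect to the login page and stop.
     *
     * Must be called before any output, since it relies on header().
     */
    public static function requireLogin(): array {
        $user = self::user();
        if ($user === null) {
            header('Location: /?r=login');
            exit;
        }
        return $user;
    }

    /**
     * Return the logged-in user if is_admin is set, otherwise answer 403 and stop.
     */
    public static function requireAdmin(): array {
        $user = self::requireLogin();
        // Strict comparison after the int cast so "1", 1 and true all pass, "0"/null/"" do not.
        if ((int)$user['is_admin'] !== 1) {
            http_response_code(403);
            echo "Forbidden";
            exit;
        }
        return $user;
    }

    /**
     * Bind the current session to user $uid.
     *
     * The session id is rotated *before* the uid is stored so an id an attacker
     * planted pre-authentication (session fixation) never carries the logged-in
     * state; existing session data is migrated and the old id is discarded.
     * The status guard keeps CLI/test contexts without an active session from
     * emitting "Session is not active" warnings.
     */
    public static function login(int $uid): void {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['uid'] = $uid;
    }

    /**
     * Forget the logged-in user.
     *
     * Only the uid is removed (other session data, e.g. flash messages, is kept),
     * but the id is rotated so the cookie value that was valid while logged in
     * no longer maps to any server-side session.
     */
    public static function logout(): void {
        unset($_SESSION['uid']);
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
    }

    /**
     * Return the logged-in user if they are a super admin, otherwise render the
     * 403 view and stop.
     *
     * NOTE(review): the "backwards compatible" fallback below lets any is_admin
     * user through this gate, so super-admin-only routes are effectively
     * admin-only until the fallback is removed. Confirm that is still intended
     * now that is_super_admin is part of the SELECT in user().
     */
    public static function requireSuperAdmin(): array {
        $user = self::requireLogin();
        $isSuper = (int)($user['is_super_admin'] ?? 0);
        $isAdmin = (int)($user['is_admin'] ?? 0);
        if ($isSuper !== 1 && $isAdmin !== 1) {
            http_response_code(403);
            View::render('403', ['user' => $user]);
            exit;
        }
        return $user;
    }
}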