Anpassung Ladezeit Impfen + Urlaubsplaner

zeiterfassung/deleteVacation.php

@@ -1,38 +1,34 @@
-<?php
-session_start();
-require_once('inc/config.inc.php');
-require_once('inc/functions.inc.php');
-
-$user = check_user();
-
-if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['id'])) {
-    http_response_code(400);
-    die('Bad request');
-}
-
-$id = (int)$_POST['id'];
-$referer = $_POST['referer'] ?? 'urlaubsantrag.php';
-
-// Fetch vacation to verify ownership
-$stmt = $pdo->prepare("SELECT user_id, status FROM vacations WHERE id = ?");
-$stmt->execute([$id]);
-$vac = $stmt->fetch();
-
-if (!$vac) {
-    die('Urlaubseintrag nicht gefunden.');
-}
-
-$isAdmin = is_admin_user();
-
-if (!$isAdmin && $vac['user_id'] != $_SESSION['userid']) {
-    die('Zugriff verweigert.');
-}
-
-// Allow deletion for admins or owner
-$del = $pdo->prepare("DELETE FROM vacations WHERE id = ?");
-$del->execute([$id]);
-
-header('Location: ' . $referer);
-exit();
-
-?>
+<?php
+session_start();
+require_once('inc/config.inc.php');
+require_once('inc/functions.inc.php');
+
+$user = check_user();
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['id'])) {
+    http_response_code(400);
+    die('Bad request');
+}
+
+$id = (int)$_POST['id'];
+$referer = $_POST['referer'] ?? 'urlaubsantrag.php';
+
+$stmt = $pdo->prepare("SELECT user_id, status FROM vacations WHERE id = ?");
+$stmt->execute([$id]);
+$vac = $stmt->fetch(PDO::FETCH_ASSOC);
+
+if (!$vac) {
+    die('Urlaubseintrag nicht gefunden.');
+}
+
+$canManageTeamVacations = can_manage_team_vacations();
+if (!$canManageTeamVacations && (int)$vac['user_id'] !== (int)$_SESSION['userid']) {
+    die('Zugriff verweigert.');
+}
+
+$del = $pdo->prepare("DELETE FROM vacations WHERE id = ?");
+$del->execute([$id]);
+
+header('Location: ' . $referer);
+exit();
+?>