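false, 'error' => 'Authentication required']);
    exit;
}

// CSRF protection for write requests.
// The token is read only from the X-CSRF-Token request header (no form-field
// fallback), so every client that mutates state must send that header.
// PATCH is included alongside POST/PUT/DELETE: it also modifies state and
// would otherwise bypass the check. Strict comparison avoids type juggling,
// and `?? ''` keeps the check warning-free when REQUEST_METHOD is unset (CLI).
if (in_array($_SERVER['REQUEST_METHOD'] ?? '', ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';

    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!CsrfMiddleware::validateToken($csrfToken)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
        exit;
    }
}

// Everything past this point responds with JSON.
header('Content-Type: application/json');

// Common variables shared by the handlers that follow.
// $_SESSION['user'] is read without a null check because the authentication
// guard above (whose start lies outside this excerpt) has already exited for
// unauthenticated requests.
$currentUser = $_SESSION['user'];
$userId      = $currentUser['user_id'];
// A missing flag means a regular user. The value comes from the server-side
// session, not from request input, so it is the authoritative admin indicator.
$isAdmin     = $currentUser['is_admin'] ?? false;
// Connection handle for the handlers below; Database is defined elsewhere.
$conn        = Database::getConnection();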