revoked access to website for coaches, added web-specific tokens

This commit is contained in:
2026-05-26 15:49:19 +02:00
parent 7671c9f329
commit 2181d1731e
36 changed files with 129 additions and 41 deletions

View File

@ -178,6 +178,35 @@ function require_role(array $allowed, array $tokenRecord): void {
}
}
/** Roles that may use the management website (not the mobile app). */
function qdb_web_roles(): array {
return ['admin', 'supervisor'];
}
/** True when the request originates from the management website (see website/js/api.js). */
function qdb_is_web_client_request(): bool {
$h = $_SERVER['HTTP_X_QDB_CLIENT'] ?? '';
return strtolower(trim($h)) === 'web';
}
/** Reject coach sign-in from the website; coaches use the mobile app only. */
function qdb_reject_coach_web_login(string $role): void {
if ($role === 'coach' && qdb_is_web_client_request()) {
json_error(
'FORBIDDEN',
'Coach accounts can only sign in through the mobile app.',
403
);
}
}
/** Valid bearer token plus admin/supervisor role (website API). */
function require_valid_token_web(): array {
$rec = require_valid_token();
require_role(qdb_web_roles(), $rec);
return $rec;
}
/**
* Build a SQL WHERE clause fragment that restricts client visibility by role.
* Returns [string $clause, array $params].