revoked access to website for coaches, added web-specific tokens
This commit is contained in:
29
common.php
29
common.php
@ -178,6 +178,35 @@ function require_role(array $allowed, array $tokenRecord): void {
|
||||
}
|
||||
}
|
||||
|
||||
/** Roles that may use the management website (not the mobile app). */
|
||||
function qdb_web_roles(): array {
|
||||
return ['admin', 'supervisor'];
|
||||
}
|
||||
|
||||
/** True when the request originates from the management website (see website/js/api.js). */
|
||||
function qdb_is_web_client_request(): bool {
|
||||
$h = $_SERVER['HTTP_X_QDB_CLIENT'] ?? '';
|
||||
return strtolower(trim($h)) === 'web';
|
||||
}
|
||||
|
||||
/** Reject coach sign-in from the website; coaches use the mobile app only. */
|
||||
function qdb_reject_coach_web_login(string $role): void {
|
||||
if ($role === 'coach' && qdb_is_web_client_request()) {
|
||||
json_error(
|
||||
'FORBIDDEN',
|
||||
'Coach accounts can only sign in through the mobile app.',
|
||||
403
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/** Valid bearer token plus admin/supervisor role (website API). */
|
||||
function require_valid_token_web(): array {
|
||||
$rec = require_valid_token();
|
||||
require_role(qdb_web_roles(), $rec);
|
||||
return $rec;
|
||||
}
|
||||
|
||||
/**
|
||||
* Build a SQL WHERE clause fragment that restricts client visibility by role.
|
||||
* Returns [string $clause, array $params].
|
||||
|
||||
Reference in New Issue
Block a user