Files
2026-06-13 11:24:58 +07:00

68 lines
1.8 KiB
PHP

<?php
require_once __DIR__ . '/../config/session.php';
/**
* Shared response helper for all API endpoints
*/
header('Content-Type: application/json');
$allowedOrigin = getenv('CORS_ALLOWED_ORIGIN');
if ($allowedOrigin !== false && $allowedOrigin !== '') {
header('Access-Control-Allow-Origin: ' . $allowedOrigin);
header('Vary: Origin');
header('Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS');
header('Access-Control-Allow-Headers: Content-Type');
}
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') { http_response_code(204); exit; }
function sendSuccess($data, string $message = 'OK', int $code = 200): void {
http_response_code($code);
echo json_encode(['status' => 'success', 'message' => $message, 'data' => $data]);
exit;
}
function sendError(string $message = 'Bad Request', int $code = 400): void {
http_response_code($code);
echo json_encode(['status' => 'error', 'message' => $message, 'data' => null]);
exit;
}
function getInput(): array {
return json_decode(file_get_contents('php://input'), true) ?? [];
}
function requireApiRole(string $role): void {
requireApiAnyRole([$role]);
}
function requireApiAnyRole(array $roles): void {
if (session_status() === PHP_SESSION_NONE) {
startAppSession();
}
if (!isset($_SESSION['user_id'], $_SESSION['role'])) {
sendError('Unauthorized', 401);
}
if (!in_array($_SESSION['role'], $roles, true)) {
sendError('Forbidden', 403);
}
}
/**
* Mutasi data (POST/PUT/DELETE) hanya untuk Operator.
* GET tetap terbuka sesuai kebutuhan endpoint.
*/
function requireOperatorForMutation(): void {
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
requireApiAnyRole(['operator']);
}
}
/**
* Alias kompatibilitas lama.
*/
function requireAdminForMutation(): void {
requireOperatorForMutation();
}