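// flag (set by vendor.php). The actor is whichever side called us.
// This matches the existing trust model: access to PDQ.php vs vendor.php IS the
// only access control we have. Don't trust the actor value with anything you
// wouldn't already trust the URL with.

// Return the actor label for the ICG side.
// $expected must be exactly 'ICG'; any other value throws
// InvalidArgumentException. The only label this function ever returns is 'ICG'.
function current_actor(string $expected): string
{
    if ($expected !== 'ICG') {
        throw new InvalidArgumentException("current_actor expects 'ICG'");
    }
    return 'ICG';
}

// Look up the vendor record for $slug and return it.
// If find_vendor_by_slug() yields a falsy result, a 404 is sent and the request
// ends here, so callers only ever receive a successful lookup.
// NOTE(review): the record's shape is defined by find_vendor_by_slug(), which is
// not visible here; other code in this file reads its 'slug' and 'id' keys.
function current_actor_from_vendor(string $slug): array
{
    $vendor = find_vendor_by_slug($slug);
    if (!$vendor) {
        http_response_code(404);
        // The slug is echoed back into the response body (presumably it is
        // request-derived; confirm at the call site). Pass flags and charset
        // explicitly so quotes are escaped and invalid byte sequences are
        // substituted regardless of the PHP version's htmlspecialchars defaults.
        echo "Unknown vendor: " . htmlspecialchars($slug, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        exit;
    }
    return $vendor;
}

// Resolve the actor for an AJAX endpoint based on POST/GET fields:
//   actor=ICG  -> 'ICG'
//   v=<slug>   -> vendor slug
// Returns [actor_label, vendor_id_or_null].
// If neither field resolves, a 400 is sent and the request ends.
//
// Both fields are supplied by the client, so the returned label records who the
// request claims to be. It is not authentication: any caller that can reach the
// endpoint can send actor=ICG or any valid vendor slug. Use the result for
// attribution only, never to grant access the URL itself would not grant.
function resolve_request_actor(): array
{
    // REQUEST_METHOD is absent outside a web SAPI (CLI, some test harnesses);
    // fall back to GET rather than reading an undefined key.
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $params = $method === 'POST' ? $_POST : $_GET;

    if (($params['actor'] ?? '') === 'ICG') {
        return ['ICG', null];
    }

    // Request fields can arrive as arrays (v[]=...). Only a non-empty string is
    // a candidate slug; anything else falls through to the 400 below instead of
    // being handed to the lookup.
    $slug = $params['v'] ?? null;
    if (is_string($slug) && $slug !== '') {
        $vendor = find_vendor_by_slug($slug);
        if ($vendor) {
            // Return the stored slug from the record, not the raw request value.
            return [$vendor['slug'], (int) $vendor['id']];
        }
    }

    http_response_code(400);
    echo 'No actor specified';
    exit;
}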