false, 'error' => 'Methode nicht erlaubt'], 405); } $auth = TaskCertAuthContext::fromGlobals(); if (!$auth->hasPermission('r-task-cert-admin')) { TaskCertResponse::json(['success' => false, 'error' => 'Keine Berechtigung'], 403); } $contentType = trim((string) ($_SERVER['CONTENT_TYPE'] ?? '')); $isJson = strpos($contentType, 'application/json') !== false; if ($isJson) { $rawBody = file_get_contents('php://input'); $body = json_decode($rawBody ?: '{}', true); if (!is_array($body)) { $body = []; } $csrfToken = trim((string) ($body['csrf_token'] ?? '')); if ($csrfToken !== '') { $_POST['csrf_token'] = $csrfToken; } TaskCertCsrf::assertValidFromRequest(true); $submissionId = (int) ($body['submission_id'] ?? 0); $decision = trim((string) ($body['decision'] ?? '')); $note = trim((string) ($body['note'] ?? '')); } else { TaskCertCsrf::assertValidFromRequest(true); $submissionId = TaskCertRequest::postInt('submission_id', 0); $decision = TaskCertRequest::postString('decision', ''); $note = TaskCertRequest::postString('note', ''); } if ($submissionId <= 0) { TaskCertResponse::json(['success' => false, 'error' => 'Ungültige submission_id'], 400); } if (!in_array($decision, ['approve', 'reject'], true)) { TaskCertResponse::json(['success' => false, 'error' => 'Ungültige decision'], 400); } try { $services = task_cert_services(); if ($decision === 'approve') { $services['approvalService']->approveSubmission($submissionId, $auth->contactId(), $note); } else { $services['approvalService']->rejectSubmission($submissionId, $auth->contactId(), $note); } TaskCertResponse::json([ 'success' => true, 'submission_id' => $submissionId, 'decision' => $decision, ]); } catch (Throwable $throwable) { TaskCertResponse::json([ 'success' => false, 'error' => $throwable->getMessage(), ], 400); }