
updating docs, unifying htaccess

Medowar, 1 month ago
parent
commit
a4a8b2b6fd
4 files changed, 60 additions and 34 deletions
  1. .htaccess (+2 -2)
  2. README.md (+13 -24)
  3. data/default.htaccess (+0 -8)
  4. docs/CONFIG_REFERENCE.md (+45 -0)

+ 2 - 2
default.htaccess → .htaccess

@@ -14,8 +14,8 @@ Options -Indexes
     # Block hidden files/folders except ACME challenge path.
     RewriteRule "(^|/)\.(?!well-known/)" - [F]
 
-    # Deny direct access to writable data files.
-    RewriteRule ^data/ - [F,L]
+    # Deny direct access to writable data directory (centralized, no data/.htaccess needed).
+    RewriteRule ^data(?:/|$) - [F,L]
 </IfModule>
 
 <IfModule mod_authz_core.c>
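Review bot: `[F,L]` on the new rule is redundant, since `F` already implies `L`; the more important point is that this rule now carries the whole responsibility for keeping `/data` off the web (the README hunk says `data/admins.json`, i.e. the admin password hashes, lives there), yet it sits inside the enclosing `<IfModule>` block closed by the `</IfModule>` visible in this hunk. If that module is absent on a host the block is skipped silently and the directory is served as plain files. Consider adding a module-independent second line in the same root file, e.g. under `<IfModule mod_alias.c>`: `RedirectMatch 403 "^/data(?:/|$)"`. The tightened pattern `^data(?:/|$)` itself is right for per-directory context, where the leading slash is stripped before matching; it is case-sensitive, which only matters on a case-insensitive filesystem.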

+ 13 - 24
README.md

@@ -8,48 +8,37 @@
 
 ## 1) `.htaccess` aktivieren
 
-Im Projektordner liegt eine Vorlage unter `data/default.htaccess`.
+Im Projektordner liegt die zentrale Datei unter:
 
-Benenne sie um in:
+- `.htaccess`
 
-- `data/.htaccess`
+Ein separates `data/.htaccess` wird nicht mehr verwendet, da der Zugriff auf `/data` zentral in der Root-`.htaccess` gesperrt ist.
 
-Beispiel:
-
-```bash
-mv data/default.htaccess data/.htaccess
-```
-
-## 2) Globale Config und Admins im `config.php` einrichten
+## 2) Globale Config in `config.php` einrichten
 
 In `config.php` mindestens diese Werte anpassen:
 
 - `SITE_NAME`
 - `SITE_URL`
-- `ADMIN_EMAIL`
+- `ADMIN_EMAIL` (Fallback-Empfänger)
 - `FROM_EMAIL`
 - `FROM_NAME`
 - Optional: `ORDER_PREFIX`, `RESERVATION_EXPIRY_DAYS`
 - `ORDER_HISTORY_COOKIE_SECRET` (Pflicht für signierte Browser-Bestellhistorie)
 
-Passe `ADMIN_USERS` an:
+Konfigurations-Referenz mit Zweck und Laufzeitnutzung jeder Konstante:
+
+- `docs/CONFIG_REFERENCE.md`
 
-- Für jeden Admin einen Eintrag mit Benutzername und Passwort-Hash hinzufügen
-- Standard-Accounts/Hashes nach dem ersten Setup ersetzen
+## 3) Admins einrichten
 
-Beispielstruktur:
+Admin-Logins und Admin-Benachrichtigungs-E-Mails werden aus `data/admins.json` geladen (nicht aus `ADMIN_USERS` in `config.php`).
 
-```php
-define('ADMIN_USERS', [
-    'admin' => '...bcrypt-hash...',
-    'manager' => '...bcrypt-hash...'
-]);
-```
+Details:
 
-Generate the password: 
-https://www.onlinewebtoolkit.com/hash-generator using the crypt functionality.
+- `docs/ADMIN_SYSTEM.md`
 
-## 3) Browser-Bestellhistorie konfigurieren
+## 4) Browser-Bestellhistorie konfigurieren
 
 Für die Seite `Meine Bestellungen` wird eine signierte, browsergebundene Historie genutzt.
 
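Review bot: the new step 3 points readers to `docs/ADMIN_SYSTEM.md`, but that file is not among the four files this commit touches; please confirm it already exists, otherwise the README now links to nothing for the security-critical admin setup. Dropping the advice to generate the bcrypt hash on a third-party web site is the right call (it meant pasting admin passwords into someone else's service), but it would help to replace it with a local one-liner such as `php -r 'echo password_hash("<password>", PASSWORD_BCRYPT), PHP_EOL;'`, or a pointer to the place in `docs/ADMIN_SYSTEM.md` that covers it. Minor: the README stays German while the new `docs/CONFIG_REFERENCE.md` is English; pick one language for the docs.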

+ 0 - 8
data/default.htaccess

@@ -1,8 +0,0 @@
-# Protect data directory from direct access
-<IfModule mod_authz_core.c>
-    Require all denied
-</IfModule>
-<IfModule !mod_authz_core.c>
-    Order deny,allow
-    Deny from all
-</IfModule>
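Review bot: deleting this template removes the only protection for `data/` that did not depend on a rewrite engine; the `Require all denied` / `Deny from all` pair worked on both authz_core and legacy hosts with no regex to get wrong. The replacement is a single `RewriteRule` in the root `.htaccess`, so one mis-edit there exposes `data/admins.json` and the JSON data files. Since a per-directory deny costs nothing, consider shipping this file as `data/.htaccess` (already active, no rename step) as a second layer instead of removing it; README step 1 would then need to say that the file is present rather than "no longer used".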

+ 45 - 0
docs/CONFIG_REFERENCE.md

@@ -0,0 +1,45 @@
+# Config Reference (`config.php`)
+
+This document explains what each config value is used for at runtime.
+
+## `ADMIN_EMAIL` (your specific question)
+
+`ADMIN_EMAIL` is the **fallback** recipient address for internal admin notifications.
+
+Primary recipients come from each admin account in `data/admins.json` (`email` field).
+The fallback is used only when no valid admin account email is available.
+
+Notification scope:
+
+- New reservation created (`sendReservationEmails()` in `includes/functions.php`)
+- New backorder created (`sendBackorderEmails()` in `includes/functions.php`)
+
+It is **not** used for customer login, admin login, password reset, or contact form logic.
+
+## Constant-by-constant reference
+
+| Constant | What it controls | Where it is used |
+|---|---|---|
+| `SITE_NAME` | Shop name shown in UI and email subjects/content | `includes/header.php`, `admin/login.php`, mail templates in `includes/functions.php` |
+| `SITE_URL` | Base path for links/assets (e.g. `/shop`) and order-history cookie path | `includes/header.php`, `includes/footer.php`, `admin/login.php`, `orders.php`, cookie path helper in `includes/functions.php` |
+| `DISCLAIMER_LINES` | Text lines shown on homepage disclaimer box | `index.php` |
+| `RESERVATION_EXPIRY_DAYS` | Number of days until a regular reservation expires | Reservation creation/conversion in `includes/functions.php` |
+| `ORDER_PREFIX` | Prefix for generated order IDs, format `PREFIX-YEAR-SEQ` | ID generation + validation in `includes/functions.php` |
+| `ORDER_HISTORY_COOKIE_NAME` | Cookie key name for browser-linked order history | `includes/functions.php` |
+| `ORDER_HISTORY_COOKIE_TTL_DAYS` | Retention time (days) for order-history cookie | `includes/functions.php` |
+| `ORDER_HISTORY_MAX_IDS` | Max remembered order IDs in history cookie | `includes/functions.php` |
+| `ORDER_HISTORY_COOKIE_SECRET` | HMAC signing secret for order-history cookie integrity | `includes/functions.php` |
+| `ADMIN_EMAIL` | Fallback recipient for admin notification emails when no valid per-admin email exists | `includes/functions.php` |
+| `FROM_EMAIL` | Sender + reply-to email in outgoing mails | `sendEmail()` in `includes/functions.php` |
+| `FROM_NAME` | Sender display name in outgoing mails | `sendEmail()` in `includes/functions.php` |
+| `DATA_DIR` | Base directory for JSON data files | Used to compose file constants in `config.php` |
+| `PRODUCTS_FILE` | Product data JSON path | Product read/write helpers in `includes/functions.php` |
+| `RESERVATIONS_FILE` | Reservation/backorder JSON path | Reservation read/write helpers in `includes/functions.php` |
+| `ADMINS_FILE` | Admin account JSON path | Admin account read/write helpers in `includes/functions.php` |
+
+## Important notes
+
+- `ORDER_HISTORY_COOKIE_SECRET` should be a long random value; changing it invalidates old browser history cookies.
+- `SITE_URL` should match the real subpath where the app is served. If wrong, links/assets/cookies may break.
+- In this codebase, admin login data is read from `data/admins.json` (`ADMINS_FILE`).  
+  The `ADMIN_USERS` block is currently a legacy reference in comments/sample config, not active runtime auth.
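Review bot: the `ORDER_HISTORY_COOKIE_SECRET` bullet under "Important notes" should say what "long random value" means in practice, e.g. at least 32 bytes from a CSPRNG (`bin2hex(random_bytes(32))` in PHP) and that the value must not be committed, because the table documents it as the HMAC key that makes the order-history cookie trustworthy. The closing bullet on `ADMIN_USERS` documents dead configuration; it is better to remove the legacy block from the sample `config.php` than to keep a stale credential structure that readers may try to fill in. Style: the heading `## \`ADMIN_EMAIL\` (your specific question)` reads like a chat answer rather than reference documentation; drop the parenthetical. Also, `SITE_URL` is described as a base path with the example `/shop` and the note says it must match the served subpath, so a sentence stating the expected format (path only, or full URL) would prevent the breakage the note warns about.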