fix: harden admin access, repair ORM joins, and add migration/tests

app/routers/sessions.py

@@ -341,6 +341,7 @@ async def get_session(
 async def create_session(
     request: SessionCreateRequest,
     db: AsyncSession = Depends(get_db),
+    website_id: int = Depends(get_website_id_from_header),
 ) -> SessionResponse:
     """
     Create a new session.
@@ -355,10 +356,19 @@ async def create_session(
     Raises:
         HTTPException: If tryout not found or session already exists
     """
+    if request.website_id != website_id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=(
+                "Website mismatch between payload and X-Website-ID header: "
+                f"{request.website_id} != {website_id}"
+            ),
+        )
+
     # Verify tryout exists
     tryout_result = await db.execute(
         select(Tryout).where(
-            Tryout.website_id == request.website_id,
+            Tryout.website_id == website_id,
             Tryout.tryout_id == request.tryout_id,
         )
     )
@@ -367,7 +377,7 @@ async def create_session(
     if tryout is None:
         raise HTTPException(
             status_code=status.HTTP_404_NOT_FOUND,
-            detail=f"Tryout {request.tryout_id} not found for website {request.website_id}",
+            detail=f"Tryout {request.tryout_id} not found for website {website_id}",
         )
 
     # Check if session already exists
@@ -386,7 +396,7 @@ async def create_session(
     session = Session(
         session_id=request.session_id,
         wp_user_id=request.wp_user_id,
-        website_id=request.website_id,
+        website_id=website_id,
         tryout_id=request.tryout_id,
         scoring_mode_used=request.scoring_mode,
         start_time=datetime.now(timezone.utc),