Merge pull request #412 from cachethq/admin-routes

Adds AdminFilter for protecting certain routes
2015-01-23 17:18:29 -06:00
parent 86d30b82e1 90c8551010
commit f1981683ed
9 changed files with 82 additions and 11 deletions
--- a/app/lang/de/errors.php
+++ b/app/lang/de/errors.php
@@ -6,5 +6,11 @@ return [
        'title'   => 'Die Seite konnte nicht gefunden werden!',
        'message' => 'Entschuldigung, aber die Seite konnte nicht gefunden werden. Überprüfen Sie die URL und versuchen Sie es erneut.',
        'link'    => 'Zurück zur Startseite',
-    ]
+    ],
+    'unauthorized' => [
+        'code'    => '401',
+        'title'   => 'Unauthorized',
+        'message' => 'Sorry, you need admin privileges to see this page.',
+        'link'    => 'Return to homepage',
+    ],
 ];
--- a/app/lang/en/errors.php
+++ b/app/lang/en/errors.php
@@ -6,5 +6,11 @@ return [
        'title'   => 'That page went missing!',
        'message' => 'Sorry, but the page you are looking for has not been found. Check the URL for errors and try again.',
        'link'    => 'Return to homepage',
-    ]
+    ],
+    'unauthorized' => [
+        'code'    => '401',
+        'title'   => 'Unauthorized',
+        'message' => 'Sorry, you need admin privileges to see this page.',
+        'link'    => 'Return to homepage',
+    ],
 ];
--- a/app/lang/fr/errors.php
+++ b/app/lang/fr/errors.php
@@ -6,5 +6,11 @@ return [
        'title'   => 'Cette page est manquante !',
        'message' => 'Désolé, mais la page que vous recherchez est introuvable. Vérifier l\'URL et essayez à nouveau.',
        'link'    => 'Retour à l\'accueil',
-    ]
+    ],
+    'unauthorized' => [
+        'code'    => '401',
+        'title'   => 'Unauthorized',
+        'message' => 'Sorry, you need admin privileges to see this page.',
+        'link'    => 'Return to homepage',
+    ],
 ];
--- a/app/routes/dashboard.php
+++ b/app/routes/dashboard.php
@@ -89,13 +89,16 @@ Route::group(['before' => 'auth', 'prefix' => 'dashboard', 'namespace' => 'Cache
            'as'   => 'dashboard.team',
            'uses' => 'DashTeamController@showTeamView',
        ]);
-        Route::get('add', [
-            'as'   => 'dashboard.team.add',
-            'uses' => 'DashTeamController@showAddTeamMemberView'
-        ]);
-        Route::get('{user}', 'DashTeamController@showTeamMemberView');
-        Route::post('add', 'DashTeamController@postAddUser');
-        Route::post('{user}', 'DashTeamController@postUpdateUser');
+
+        Route::group(['before' => 'admin'], function () {
+            Route::get('add', [
+                'as'   => 'dashboard.team.add',
+                'uses' => 'DashTeamController@showAddTeamMemberView'
+            ]);
+            Route::get('{user}', 'DashTeamController@showTeamMemberView');
+            Route::post('add', 'DashTeamController@postAddUser');
+            Route::post('{user}', 'DashTeamController@postUpdateUser');
+        });
    });

    // Settings
--- a/app/views/dashboard/team/index.blade.php
+++ b/app/views/dashboard/team/index.blade.php
@@ -8,9 +8,11 @@
        <span class="uppercase">
            <i class="icon icon ion-android-alert"></i> {{ trans('dashboard.team.team') }}
        </span>
+        @if(Auth::user()->isAdmin)
        <a class="btn btn-sm btn-success pull-right" href="{{ route('dashboard.team.add') }}">
            {{ trans('dashboard.team.add.title') }}
        </a>
+        @endif
        <div class="clearfix"></div>
    </div>
    <div class="content-wrapper header-fixed">
--- a/app/views/errors/401.blade.php
+++ b/app/views/errors/401.blade.php
@@ -0,0 +1,19 @@
+@extends('layout.error')
+
+@section('content')
+    <div class="middle-box text-center">
+        <div>
+            <img class="logo" height="65" src="{{ url('img/cachet-logo.svg') }}" alt="Cachet">
+        </div>
+        <h1>{{ trans('errors.unauthorized.code') }}</h1>
+        <h3>{{ trans('errors.unauthorized.title') }}</h3>
+
+        <div class="error-desc">
+            <p>{{ trans('errors.unauthorized.message') }}</p>
+            <br>
+            <p>
+                <a href="/" class="btn btn-default btn-lg">{{ trans('errors.unauthorized.link') }}</a>
+            </p>
+        </div>
+    </div>
+@stop
--- a/src/Http/Before/AdminFilter.php
+++ b/src/Http/Before/AdminFilter.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace CachetHQ\Cachet\Http\Before;
+
+use Illuminate\Http\Request;
+use Illuminate\Routing\Route;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Response;
+
+class AdminFilter
+{
+    /**
+     * Run the auth filter.
+     *
+     * We're verifying that the current user is logged in to Cachet and is an admin level.
+     *
+     * @param \Illuminate\Routing\Route $route
+     * @param \Illuminate\Http\Request  $request
+     *
+     * @return \Illuminate\Http\Response|null
+     */
+    public function filter(Route $route, Request $request)
+    {
+        if (!Auth::check() || (Auth::check() && !Auth::user()->isAdmin)) {
+            return Response::view('errors.401', ['pageTitle' => trans('errors.unauthorized.title')], 401);
+        }
+    }
+}
--- a/src/Models/User.php
+++ b/src/Models/User.php
@@ -133,7 +133,7 @@ class User extends Model implements UserInterface, RemindableInterface
     */
    public function getIsAdminAttribute()
    {
-        return (bool) $this->level;
+        return $this->level == 1;
    }

    /**
--- a/src/Providers/RoutingServiceProvider.php
+++ b/src/Providers/RoutingServiceProvider.php
@@ -36,6 +36,7 @@ class RoutingServiceProvider extends ServiceProvider
    protected function registerFilters()
    {
        // Laravel's before filters
+        $this->app->router->filter('admin', 'CachetHQ\Cachet\Http\Before\AdminFilter');
        $this->app->router->filter('auth', 'CachetHQ\Cachet\Http\Before\AuthFilter');
        $this->app->router->filter('guest', 'CachetHQ\Cachet\Http\Before\GuestFilter');
        $this->app->router->filter('csrf', 'CachetHQ\Cachet\Http\Before\CsrfFilter');