From 787ecde0ea07dfb7ecd80cb01f2cf195a756b7cc Mon Sep 17 00:00:00 2001
From: James Brooks
Date: Fri, 23 Jan 2015 08:31:00 +0000
Subject: [PATCH 1/2] Adds AdminFilter for protecting certain routes. Closes #411

---
 app/routes/dashboard.php | 17 ++++++++------
 app/views/dashboard/team/index.blade.php | 2 ++
 src/Http/Before/AdminFilter.php | 28 ++++++++++++++++++++++++
 src/Providers/RoutingServiceProvider.php | 1 +
 4 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 src/Http/Before/AdminFilter.php

diff --git a/app/routes/dashboard.php b/app/routes/dashboard.php
index 6c935283..e3d7a290 100644
--- a/app/routes/dashboard.php
+++ b/app/routes/dashboard.php
@@ -89,13 +89,16 @@ Route::group(['before' => 'auth', 'prefix' => 'dashboard', 'namespace' => 'Cache
 'as' => 'dashboard.team',
 'uses' => 'DashTeamController@showTeamView',
 ]);
- Route::get('add', [
- 'as' => 'dashboard.team.add',
- 'uses' => 'DashTeamController@showAddTeamMemberView'
- ]);
- Route::get('{user}', 'DashTeamController@showTeamMemberView');
- Route::post('add', 'DashTeamController@postAddUser');
- Route::post('{user}', 'DashTeamController@postUpdateUser');
+
+ Route::group(['before' => 'admin'], function () {
+ Route::get('add', [
+ 'as' => 'dashboard.team.add',
+ 'uses' => 'DashTeamController@showAddTeamMemberView'
+ ]);
+ Route::get('{user}', 'DashTeamController@showTeamMemberView');
+ Route::post('add', 'DashTeamController@postAddUser');
+ Route::post('{user}', 'DashTeamController@postUpdateUser');
+ });
 });
 // Settings
diff --git a/app/views/dashboard/team/index.blade.php b/app/views/dashboard/team/index.blade.php
index fad76115..44b40c6d 100644
--- a/app/views/dashboard/team/index.blade.php
+++ b/app/views/dashboard/team/index.blade.php
@@ -8,9 +8,11 @@ {{ trans('dashboard.team.team') }} + @if(Auth::user()->isAdmin) {{ trans('dashboard.team.add.title') }} + @endif
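Review bot: Only the add/{user} routes move under the new `'before' => 'admin'` group in the dashboard.php hunk, so the `dashboard.team` listing route just above it stays reachable by every authenticated user, and nothing in the hunk records whether that is deliberate; a comment on the inner group would keep the next route from landing at the wrong level, e.g. `// Team listing is open to all authenticated users; member management below is admin-only.` The inner group is also a deny-list, so any future team route declared outside that closure is unprotected by default, which the same comment should state. The `'uses' => 'DashTeamController@showAddTeamMemberView'` entry lacks the trailing comma that the sibling `'uses' => 'DashTeamController@showTeamView',` line carries. The enclosing `Route::group` for the dashboard starts and ends outside the hunk.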
diff --git a/src/Http/Before/AdminFilter.php b/src/Http/Before/AdminFilter.php
new file mode 100644
index 00000000..d1b5bed1
--- /dev/null
+++ b/src/Http/Before/AdminFilter.php
@@ -0,0 +1,28 @@ +isAdmin)) {
+ return Response::make('Unauthorized', 401);
+ }
+ }
+}
diff --git a/src/Providers/RoutingServiceProvider.php b/src/Providers/RoutingServiceProvider.php
index 7b55e1cd..e15ca417 100644
--- a/src/Providers/RoutingServiceProvider.php
+++ b/src/Providers/RoutingServiceProvider.php
@@ -36,6 +36,7 @@ class RoutingServiceProvider extends ServiceProvider
 protected function registerFilters()
 {
 // Laravel's before filters
+ $this->app->router->filter('admin', 'CachetHQ\Cachet\Http\Before\AdminFilter');
 $this->app->router->filter('auth', 'CachetHQ\Cachet\Http\Before\AuthFilter');
 $this->app->router->filter('guest', 'CachetHQ\Cachet\Http\Before\GuestFilter');
 $this->app->router->filter('csrf', 'CachetHQ\Cachet\Http\Before\CsrfFilter');

From 90c8551010536a40386bae20af475066bd607c30 Mon Sep 17 00:00:00 2001
From: Joseph Cohen
Date: Fri, 23 Jan 2015 17:06:46 -0600
Subject: [PATCH 2/2] Fix isAdmin and added 401 template

---
 app/lang/de/errors.php | 8 +++++++-
 app/lang/en/errors.php | 8 +++++++-
 app/lang/fr/errors.php | 8 +++++++-
 app/views/errors/401.blade.php | 19 +++++++++++++++++++
 src/Http/Before/AdminFilter.php | 2 +-
 src/Models/User.php | 2 +-
 6 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 app/views/errors/401.blade.php

diff --git a/app/lang/de/errors.php b/app/lang/de/errors.php
index 4243b9bb..ee9895b7 100644
--- a/app/lang/de/errors.php
+++ b/app/lang/de/errors.php
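Review bot: The new AdminFilter answers an authenticated user who is not an admin with status 401, but 401 means the request carried no usable credentials; for a logged-in user who simply lacks the privilege the correct status is 403, and the later hunk in PATCH 2/2 that switches to `Response::view('errors.401', ['pageTitle' => trans('errors.unauthorized.title')], 401)` keeps the same wrong code and bakes it into the view and language keys. The condition shown in that later hunk, `if (!Auth::check() || (Auth::check() && !Auth::user()->isAdmin))`, is also redundant because the inner `Auth::check()` is always true when it is evaluated; `if (!Auth::check() || !Auth::user()->isAdmin)` reads the same. Splitting the two cases would let the unauthenticated branch behave like the existing `auth` filter (presumably a redirect to login) while the non-admin branch returns 403. The new file's content is only partly visible here because the new-file hunk is garbled, so the class header and imports could not be checked.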
@@ -6,5 +6,11 @@ return [
 'title' => 'Die Seite konnte nicht gefunden werden!',
 'message' => 'Entschuldigung, aber die Seite konnte nicht gefunden werden. Überprüfen Sie die URL und versuchen Sie es erneut.',
 'link' => 'Zurück zur Startseite',
- ]
+ ],
+ 'unauthorized' => [
+ 'code' => '401',
+ 'title' => 'Unauthorized',
+ 'message' => 'Sorry, you need admin privileges to see this page.',
+ 'link' => 'Return to homepage',
+ ],
 ];
diff --git a/app/lang/en/errors.php b/app/lang/en/errors.php
index 38ab0bfe..24eddf01 100644
--- a/app/lang/en/errors.php
+++ b/app/lang/en/errors.php
@@ -6,5 +6,11 @@ return [
 'title' => 'That page went missing!',
 'message' => 'Sorry, but the page you are looking for has not been found. Check the URL for errors and try again.',
 'link' => 'Return to homepage',
- ]
+ ],
+ 'unauthorized' => [
+ 'code' => '401',
+ 'title' => 'Unauthorized',
+ 'message' => 'Sorry, you need admin privileges to see this page.',
+ 'link' => 'Return to homepage',
+ ],
 ];
diff --git a/app/lang/fr/errors.php b/app/lang/fr/errors.php
index dbe86279..1b5b79a4 100644
--- a/app/lang/fr/errors.php
+++ b/app/lang/fr/errors.php
@@ -6,5 +6,11 @@ return [
 'title' => 'Cette page est manquante !',
 'message' => 'Désolé, mais la page que vous recherchez est introuvable. Vérifier l\'URL et essayez à nouveau.',
 'link' => 'Retour à l\'accueil',
- ]
+ ],
+ 'unauthorized' => [
+ 'code' => '401',
+ 'title' => 'Unauthorized',
+ 'message' => 'Sorry, you need admin privileges to see this page.',
+ 'link' => 'Return to homepage',
+ ],
 ];
diff --git a/app/views/errors/401.blade.php b/app/views/errors/401.blade.php
new file mode 100644
index 00000000..10f342bb
--- /dev/null
+++ b/app/views/errors/401.blade.php
@@ -0,0 +1,19 @@
+@extends('layout.error')
+
+@section('content')
+
+
+ +
+

{{ trans('errors.unauthorized.code') }}

+

{{ trans('errors.unauthorized.title') }}

+ +
+

{{ trans('errors.unauthorized.message') }}

+
+

+ {{ trans('errors.unauthorized.link') }} +

+
+
+@stop
diff --git a/src/Http/Before/AdminFilter.php b/src/Http/Before/AdminFilter.php
index d1b5bed1..f033fe41 100644
--- a/src/Http/Before/AdminFilter.php
+++ b/src/Http/Before/AdminFilter.php
@@ -22,7 +22,7 @@ class AdminFilter
 public function filter(Route $route, Request $request)
 {
 if (!Auth::check() || (Auth::check() && !Auth::user()->isAdmin)) {
- return Response::make('Unauthorized', 401);
+ return Response::view('errors.401', ['pageTitle' => trans('errors.unauthorized.title')], 401);
 }
 }
 }
diff --git a/src/Models/User.php b/src/Models/User.php
index 08fc5e95..35efe497 100644
--- a/src/Models/User.php
+++ b/src/Models/User.php
@@ -133,7 +133,7 @@ class User extends Model implements UserInterface, RemindableInterface
 */
 public function getIsAdminAttribute()
 {
- return (bool) $this->level;
+ return $this->level == 1;
 }
 /**
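Review bot: `return $this->level == 1;` in `getIsAdminAttribute()` uses a loose comparison, so the result depends on how the database driver types `level` (a string `'1'`, an int, or some other value all go through PHP's juggling rules instead of an explicit cast). Since this accessor now decides who passes `AdminFilter`, make the intended type explicit with `return (int) $this->level === 1;`, or declare `level` in the model's `$casts` and compare with `===`. The change also narrows admin from any non-zero level to exactly 1, which deserves a comment on the accessor, e.g. `// Only level 1 grants admin; every other level is treated as a regular user.` The surrounding docblock opens outside the hunk.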