Restrict PluginController access to super admin only

app/Http/Kernel.php

@@ -46,13 +46,14 @@ class Kernel extends HttpKernel
      * @var array
      */
     protected $routeMiddleware = [
-        'csrf'     => \App\Http\Middleware\VerifyCsrfToken::class,
-        'auth'     => \App\Http\Middleware\CheckAuthenticated::class,
-        'verified' => \App\Http\Middleware\CheckUserVerified::class,
-        'guest'    => \App\Http\Middleware\RedirectIfAuthenticated::class,
-        'admin'    => \App\Http\Middleware\CheckAdministrator::class,
-        'player'   => \App\Http\Middleware\CheckPlayerExist::class,
-        'setup'    => \App\Http\Middleware\CheckInstallation::class,
-        'signed'   => \Illuminate\Routing\Middleware\ValidateSignature::class,
+        'csrf'        => \App\Http\Middleware\VerifyCsrfToken::class,
+        'auth'        => \App\Http\Middleware\CheckAuthenticated::class,
+        'verified'    => \App\Http\Middleware\CheckUserVerified::class,
+        'guest'       => \App\Http\Middleware\RedirectIfAuthenticated::class,
+        'admin'       => \App\Http\Middleware\CheckAdministrator::class,
+        'super-admin' => \App\Http\Middleware\CheckSuperAdmin::class,
+        'player'      => \App\Http\Middleware\CheckPlayerExist::class,
+        'setup'       => \App\Http\Middleware\CheckInstallation::class,
+        'signed'      => \Illuminate\Routing\Middleware\ValidateSignature::class,
     ];
 }

app/Http/Middleware/CheckSuperAdmin.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use App\Models\User;
+
+class CheckSuperAdmin
+{
+    public function handle($request, Closure $next)
+    {
+        if (auth()->user()->permission != User::SUPER_ADMIN) {
+            abort(403, trans('auth.check.super-admin'));
+        }
+
+        return $next($request);
+    }
+}

resources/lang/en/auth.yml

@@ -9,6 +9,7 @@ check:
   anonymous: Illegal access. Please log in first.
   verified: To access this page, you should verify your email address first.
   admin: Only admins are permitted to access this page.
+  super-admin: Only super admin is permitted to access this page.
   banned: You are banned on this site. Please contact the admin.
   token: Token expired. Please log in.
 

resources/lang/zh_CN/auth.yml

@@ -9,6 +9,7 @@ check:
   anonymous: 未授权的访问，请先登录
   verified: 你必须验证邮箱后才能访问此页面
   admin: 只有管理员才能访问此页面
+  super-admin: 只有超级管理员才能访问此页面
   banned: 你已被本站封禁，详情请联系站点管理员
   token: 登录状态已过期，请重新登录
 

routes/web.php

@@ -121,7 +121,7 @@ Route::group(['middleware' => ['auth', 'admin'], 'prefix' => 'admin'], function
     Route::post('/users',      'AdminController@userAjaxHandler');
     Route::post('/players',    'AdminController@playerAjaxHandler');
 
-    Route::group(['prefix' => 'plugins'], function () {
+    Route::group(['prefix' => 'plugins', 'middleware' => 'super-admin'], function () {
         Route::get ('/data',   'PluginController@getPluginData');
 
         Route::view('/manage', 'admin.plugins');
@@ -134,7 +134,7 @@ Route::group(['middleware' => ['auth', 'admin'], 'prefix' => 'admin'], function
         Route::post('/market/download', 'MarketController@download');
     });
 
-    Route::group(['prefix' => 'update'], function () {
+    Route::group(['prefix' => 'update', 'middleware' => 'super-admin'], function () {
         Route::any('',          'UpdateController@showUpdatePage');
         Route::get('/check',    'UpdateController@checkUpdates');
         Route::any('/download', 'UpdateController@download');

tests/MiddlewareTest.php

@@ -92,6 +92,19 @@ class MiddlewareTest extends TestCase
             ->assertSuccessful();
     }
 
+    public function testCheckSuperAdmin()
+    {
+        // Admin
+        $this->actAs('admin')
+            ->get('/admin/plugins/manage')
+            ->assertForbidden();
+
+        // Super admin
+        $this->actAs('superAdmin')
+            ->get('/admin/plugins/manage')
+            ->assertSuccessful();
+    }
+
     public function testCheckInstallation()
     {
         $this->get('/setup')->assertSee('Already installed');