Merge pull request #20 from victorhqc/feature/protect_routes

Protect routes
victorhqc · Aug 10, 2019 · acbde92 · acbde92
2 parents 0251883 + 7b004d8
commit acbde92
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 6 deletions.
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -56,6 +56,7 @@ class Kernel extends HttpKernel
         'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
         'can' => \Illuminate\Auth\Middleware\Authorize::class,
         'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
+        'only_admin' => \App\Http\Middleware\OnlyAdmin::class,
         'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,

diff --git a/app/Http/Middleware/OnlyAdmin.php b/app/Http/Middleware/OnlyAdmin.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class OnlyAdmin
+{
+    /**
+     * Si no es administrador, es redirigido a "/"
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $user = $request->user();
+        if (
+            !isset($user) ||
+            !$user->is_admin()
+        ) {
+            return redirect('products');
+        }
+
+        return $next($request);
+    }
+}
diff --git a/routes/web.php b/routes/web.php
@@ -9,21 +9,36 @@
 |
 */
 
-$router->get('/', 'ProductsController@showProducts')->name('products');
-$router->get('products', 'ProductsController@showProducts')->name('products');
-$router->get('add_product', 'ProductsController@showAddProduct')->name('add_product');
-$router->post('submit_product', 'ProductsController@submitProduct');
+$router
+    ->get('/', 'ProductsController@showProducts')
+    ->name('products');
+$router
+    ->get('products', 'ProductsController@showProducts')
+    ->name('products');
+
+$router
+    ->get('add_product', 'ProductsController@showAddProduct')
+    ->middleware('only_admin')
+    ->name('add_product');
+$router
+    ->post('submit_product', 'ProductsController@submitProduct')
+    ->middleware('only_admin');
 
 // Al tratarse de un request por un formulario debe usarse únicamente GET o POST.
 // Una aplicación de tipo REST debería utilizar el método DELETE. Nosotros utilizamos el método
 // POST para que al menos el usuario no pueda borrar un usuario accidentalmente al navegar a la
 // ruta manualmente.
-$router->post('remove_product', 'ProductsController@removeProduct');
+$router
+    ->post('remove_product', 'ProductsController@removeProduct')
+    ->middleware('only_admin');
 
 $router
     ->get('add_product_type', 'BrandAndProductTypeController@showAddProductType')
+    ->middleware('only_admin')
     ->name('add_product_type');
-$router->post('submit_product_type', 'BrandAndProductTypeController@submitProductType');
+$router
+    ->post('submit_product_type', 'BrandAndProductTypeController@submitProductType')
+    ->middleware('only_admin');
 
 /*
 |--------------------------------------------------------------------------