From 7b004d8261666650788a1f24b9537265691451df Mon Sep 17 00:00:00 2001
From: Victor Quiroz Castro
Date: Sat, 10 Aug 2019 12:02:19 +0200
Subject: [PATCH] Protect routes
---
 app/Http/Kernel.php | 1 +
 app/Http/Middleware/OnlyAdmin.php | 28 ++++++++++++++++++++++++++++
 routes/web.php | 27 +++++++++++++++++++++------
 3 files changed, 50 insertions(+), 6 deletions(-)
 create mode 100644 app/Http/Middleware/OnlyAdmin.php
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 2bbb5a9..bad3640 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -56,6 +56,7 @@ class Kernel extends HttpKernel
 'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
 'can' => \Illuminate\Auth\Middleware\Authorize::class,
 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
+ 'only_admin' => \App\Http\Middleware\OnlyAdmin::class,
 'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
 'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
diff --git a/app/Http/Middleware/OnlyAdmin.php b/app/Http/Middleware/OnlyAdmin.php
new file mode 100644
index 0000000..3e663be
--- /dev/null
+++ b/app/Http/Middleware/OnlyAdmin.php
@@ -0,0 +1,28 @@
+user();
+ if (
+ !isset($user) ||
+ !$user->is_admin()
+ ) {
+ return redirect('products');
+ }
+
+ return $next($request);
+ }
+}
diff --git a/routes/web.php b/routes/web.php
index 1cb895f..0cb367e 100644
--- a/routes/web.php
+++ b/routes/web.php
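Review bot: In OnlyAdmin::handle a guest and an authenticated non-admin receive the same silent 302 to `products`, so a refused admin action is indistinguishable from success both in the browser and in the access log; an authenticated non-admin should be refused explicitly, e.g. `abort_unless($user !== null && $user->is_admin(), 403);` in place of the `if`/`redirect` block, and guests are better handled by running the `auth` middleware before `only_admin` at the route level so they reach the login page instead. `is_admin()` is invoked as a method; if `is_admin` is a column on the User model it would be an attribute access (`$user->is_admin`) and the method call would throw, which is worth confirming against the model, outside this hunk. The first part of the new file (namespace, class declaration and the `handle()` signature) is not readable in the hunk as shown, so the signature could not be checked.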
@@ -9,21 +9,36 @@
 |
 */
-$router->get('/', 'ProductsController@showProducts')->name('products');
-$router->get('products', 'ProductsController@showProducts')->name('products');
-$router->get('add_product', 'ProductsController@showAddProduct')->name('add_product');
-$router->post('submit_product', 'ProductsController@submitProduct');
+$router
+ ->get('/', 'ProductsController@showProducts')
+ ->name('products');
+$router
+ ->get('products', 'ProductsController@showProducts')
+ ->name('products');
+
+$router
+ ->get('add_product', 'ProductsController@showAddProduct')
+ ->middleware('only_admin')
+ ->name('add_product');
+$router
+ ->post('submit_product', 'ProductsController@submitProduct')
+ ->middleware('only_admin');
 // Al tratarse de un request por un formulario debe usarse únicamente GET o POST.
 // Una aplicación de tipo REST debería utilizar el método DELETE. Nosotros utilizamos el método
 // POST para que al menos el usuario no pueda borrar un usuario accidentalmente al navegar a la
 // ruta manualmente.
-$router->post('remove_product', 'ProductsController@removeProduct');
+$router
+ ->post('remove_product', 'ProductsController@removeProduct')
+ ->middleware('only_admin');
 $router
 ->get('add_product_type', 'BrandAndProductTypeController@showAddProductType')
+ ->middleware('only_admin')
 ->name('add_product_type');
-$router->post('submit_product_type', 'BrandAndProductTypeController@submitProductType');
+$router
+ ->post('submit_product_type', 'BrandAndProductTypeController@submitProductType')
+ ->middleware('only_admin');
 /*
 |--------------------------------------------------------------------------
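Review bot: Every admin route in this hunk carries its own `->middleware('only_admin')` call, so the guard is opt-in per route and any admin route added to this file later ships unprotected if the call is forgotten. Grouping the five admin routes under a single `$router->middleware(['auth', 'only_admin'])->group(...)` makes the guard the default for the block while the public `/` and `products` routes stay outside it, and putting `auth` first sends guests to the login page instead of relying on OnlyAdmin's redirect; this assumes `$router` is the Illuminate router instance the rest of the file uses and that the stock `auth` alias is still registered in Kernel's `$routeMiddleware` above the shown Kernel hunk. Separately, `/` and `products` both call `->name('products')`, so `route('products')` resolves to whichever was registered last; this predates the commit but is restated on the new side.
```php
// … unchanged: public '/' and 'products' routes …

$router->middleware(['auth', 'only_admin'])->group(function () use ($router) {
    $router
        ->get('add_product', 'ProductsController@showAddProduct')
        ->name('add_product');
    $router->post('submit_product', 'ProductsController@submitProduct');
    // … unchanged: comment explaining why remove_product uses POST …
    $router->post('remove_product', 'ProductsController@removeProduct');
    $router
        ->get('add_product_type', 'BrandAndProductTypeController@showAddProductType')
        ->name('add_product_type');
    $router->post('submit_product_type', 'BrandAndProductTypeController@submitProductType');
});
```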